CAIQ V3 Updates

Cloud Security Alliance (CSA) would like to present the next version of the Consensus Assessments Initiative Questionnaire (CAIQ) v3.1.

The CAIQ offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix (CCM). Therefore, it helps cloud customers to gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure.

CAIQ v3.1 represents a minor update to the previous CAIQ v3.0.1. In addition to improving the clarity and accuracy, it also supports better auditability of the CCM controls. The new updated version aims to not only correct errors but also appropriately align and improve the semantics of unclear questions for corresponding CCM v3.0.1 controls. In total, 49 new questions were added, and 25 existing ones were revised.

For this new CAIQ version, CSA took into account the combined comprehensive feedback that was collected over the years from its partners, the industry and the CCM working group.

What is a CASB and How Do You Even Say It?

Caleb Mast, Regional Sales Director, Bitglass

These are some of the questions that I asked as I went through the recruiting process with Bitglass. My goal was to understand the product completely before going out and pitching it to prospective clients. So, what exactly is a Cloud Access Security Broker (CASB)? By Gartner’s definition, CASBs (Cloud Access Security Brokers) are “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.

CASBs consolidate multiple types of security policy enforcement, just like a top rated college football program (such as Penn State) leverages skilled players at all positions to thwart the best efforts of competitors’ offenses (and as they’ll demonstrate against Ohio State on November 23 of this year).

Example CASB security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”* If you’re like me, even after reading the official definition, you may be slightly confused. My hope is that this article will give you a better understanding of how a CASB may benefit your corporate security strategy.

It’s pronounced caz-bee by the way.

At the broadest level, a CASB provides risk mitigation controls that help organizations protect data as they adopt cloud applications. There are four critical security gaps in cloud applications that CASBs defend against:

Data Protection Beyond the Firewall: Pop quiz – if someone on an unmanaged device connects to Office 365 via Wi-Fi from a coffee shop, which security product in your stack protects this session? If you’re at a loss, you aren’t alone.

In the pre-cloud world, your security stack offered insight, security controls, data loss prevention, and threat protection to the IT staff in order to fully monitor and secure corporate data. However, this is under the assumption that the information traversed through at least some part of your corporate network. With the introduction of cloud into our corporate environments, employees now access company data outside of the four walls of the office with applications like Office 365, GSuite, Box, Salesforce, and so on and so forth. CASBs are architected to ensure security for any application, anywhere.

Bring Your Own Device: Once employees discovered how easy it was to access their company information from the cloud, they began doing so from their own personal devices (laptops, smartphones, tablets, et cetera). While many organizations want to provide flexibility and allow employees to work from any device, they shudder at the idea of sensitive corporate data syncing to a totally unmanaged (and potentially insecure or compromised), personal device. Once the information is on the user’s device, it becomes very difficult to have any control – cue the CASB.

Unmanaged Applications: Also known as shadow IT, these are applications over which IT has no visibility. Though these applications may not be inherently bad, they allow files to be stored and shared in an uncontrolled environment. This is a massive compliance violation at best, and a nightmare to any CISO. How should your organization address this problem? You guessed it.

Malicious Users: Pre-CASB, a malicious user would have to get through the corporate security stack undetected in order to get company information. Now that information resides in cloud applications, all parties, good and bad, can knock at the front door authentication prompt. Additionally, cloud usage balloons quickly – once an organization becomes cloud friendly, their cloud footprint expands rapidly. As such, malicious users (whether they are disgruntled insiders or hackers with compromised credentials), can easily exfiltrate data via cloud apps when proper security is not in place.

Organizations that utilize CASBs find that they are able to store sensitive information in the cloud without compromising on security. CASBs enable malware detection and remediation, geofencing, data encryption, session management, and more. What are you doing to protect corporate data across your cloud footprint? I would love to hear your strategies.

CSA Issues Top 20 Critical Controls for Cloud Enterprise Resource Planning Customers

By Victor Chin, Research Analyst, Cloud Security Alliance

Top 20 Critical Controls for Cloud ERP Customers

Cloud technologies are being increasingly adopted by organizations, regardless of their size, location or industry. And it’s no different when it comes to business-critical applications, typically known as enterprise resource planning (ERP) applications. Most organizations are migrating business-critical applications to a hybrid architecture of ERP applications. To assist in this process, CSA has released the Top 20 Critical Controls for Cloud Enterprise Resource Planning (ERP) Customers, a report that assesses and prioritizes the most critical controls organizations need to consider when transitioning their business-critical applications to cloud environments.

This document provides 20 controls, grouped into domains for ease of consumption, that align with the existing CSA Cloud Control Matrix (CCM) v3 structure of controls and domains.

The document focuses on the following domains:

  • Cloud ERP Users: Thousands of different users with very different access requirements and authorizations extensively use cloud enterprise resource planning applications. This domain provides controls aimed to protect users and access to cloud enterprise resource planning.
  • Cloud ERP Application: An attribute associated with cloud ERP applications is the complexity of the technology and functionality provided to users. This domain provides controls that are aimed to protect the application itself.
  • Integrations: Cloud ERP applications are not isolated systems but instead tend to be extensively integrated and connected to other applications and data sources. This domain focuses on securing the integrations of cloud enterprise resource planning applications.
  • Cloud ERP Data: Cloud enterprise resource planning applications store highly sensitive and regulated data. This domain focuses on critical controls to protect access to this data.
  • Business Processes: Cloud enterprise resource planning applications support some of the most complex and critical business processes for organizations. This domain provides controls that mitigate risks to these processes.

While there are various ERP cloud service models such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)—each with different security/service-level agreements and lines of responsibility—organizations are required to protect their own data, users and intellectual property (IP). As such, organizations that are either considering an ERP cloud migration or already have workloads in the cloud can use these control guidelines to build or bolster a strong foundational ERP security program.

By themselves, ERP applications utilize complex systems and, consequently, are challenging to secure. In the cloud, their complexity increases due to factors such as shared security models, varying cloud service models, and the intersection between IT and business controls. Nevertheless, due to cloud computing benefits, enterprise resource planning applications are increasingly migrating to the cloud.

Organizations should leverage this document as a guide to drive priorities around the most important controls that should be implemented while adopting Cloud ERP Applications. The CSA ERP Security Working Group will continue to keep this document updated and relevant. In the meantime, the group hopes readers find this document useful when migrating or securing enterprise resource planning applications in the cloud.

Download this free resource now.

Security Spotlight: G Suite User Passwords Stored in Plaintext

By Will Houcheime, Product Marketing Manager, Bitglass


Here are the top cybersecurity stories of recent weeks:

  • G Suite User Passwords Stored in Plaintext Since 2005
  • Contact Data of Millions of Instagram Influencers Exposed
  • Rogue Iframe Phishing Used to Steal Payment Card Information
  • London Commuters to be Tracked Through the Use of Wi-Fi Hotspots
  • Thousands of TP-Link Routers at Risk of Hijack

G Suite User Passwords Stored in Plaintext Since 2005

Google has recently disclosed that the passwords of a number of its enterprise G Suite customers had been stored in plaintext. The discovery was announced this past Tuesday, but Google did not specify exactly how many accounts were affected. Passwords are normally protected by hashing algorithms, which prevent humans from reading them. Google addressed the plaintext copies of account passwords, which date back to G Suite in 2005, by discarding the original passwords and recovery settings. The affected accounts had their passwords reset, and Google claims that no additional data has been compromised.

Contact Data of Millions of Instagram Influencers Exposed

A database containing 49 million records belonging to Instagram influencers was recently breached. The Amazon Web Services-hosted database was unprotected, leaving it accessible to anyone who knew how to find it. The personally identifiable information (PII) found in the database included names, locations, email addresses, and phone numbers. Anurag Sen, a security researcher, discovered the database and was able to trace it back to Chtrbox – a marketing team operating out of Mumbai. Chtrbox reported that the database was open for 72 hours, but that only 350,000 users were affected. The information has since been removed from Shodan – a search engine for exposed databases.

Rogue Iframe Phishing Used to Steal Payment Card Information

Iframe-based phishing systems are increasingly being used to steal payment card industry (PCI) data. A security researcher has discovered that hackers are using such a phishing system to swipe credit card numbers. Magecart groups would previously insert JavaScript-based payment data skimmers into the code of websites to steal information. The researcher, Segura, remarks that hackers are plaguing Magento checkout websites with the phishing script. Since then, shoppers have been warned to pay close attention to the checkout phase, as the phishing scripts leave behind small red flags, such as redirecting them to different websites after placing an order.

London Commuters to be Tracked Through the Use of Wi-Fi Hotspots

Transport for London (TfL), a UK travel agency, is planning to roll out a system that would track commuters using Wi-Fi hotspots throughout London’s underground transportation. The agency has said this effort is being made in the hope of better understanding where and how commuters are traveling. According to TfL, only connection requests to hotspots are to be recorded, not search history or any other activity on the passengers’ devices. TfL will be using the data to decide where to invest its transportation budget and to provide improved customer services such as delay and congestion guidance. In a four-week trial back in 2016, TfL recorded over 509 million pieces of data, giving the agency a massive amount of feedback on how journeys are completed across the network.

Thousands of TP-Link Routers at Risk of Hijack

A bug which allows control through remote access has made thousands of TP-Link routers susceptible to cyberattacks. The exposure allows any intruder to gain access to affected routers simply by using default passwords. Security researcher Andrew Mabbitt first disclosed the bug to TP-Link in October 2017, but the router manufacturer took longer than a year to roll out patches. Modifications of certain router settings can have adverse effects on a network and could lead users to malicious websites.

To learn about cloud access security brokers (CASBs) and how they can protect your enterprise from data leakage, malware, and more, download the Top CASB Use Cases.

Roadmap to Earning Your Certificate in Cloud Security Knowledge (CCSK)

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

In this blog we’ll be taking a look at how to earn your Certificate of Cloud Security Knowledge (CCSK), from study materials, to how to prepare, to the details of the exam, including a module breakdown, passing rates, format, etc. If you’re considering earning your CCSK, or just exploring the possibility, this will give you a good idea of what to expect and resources to draw from as you prepare. At the end I’ve also added some recommendations for how to continue learning cloud security after you’ve earned your CCSK. First things first, let’s cover what you’ll need to know in order to pass the exam successfully.

Step 1. What You’ll Need to Know

Recommended Experience

While there is no official work experience required, it can be helpful for attendees to have at least a basic understanding of security fundamentals, such as firewalls, secure development, encryption, and identity and access management.

Topics Covered

Cloud Computing Fundamentals

To start, you’ll need to know the fundamentals of cloud computing, including definitions, architectures, and the role of virtualization. Key topics you’ll need to be familiar with are cloud computing service models, delivery models, and the fundamental characteristics of cloud. You’ll also need to be familiar with the Shared Responsibilities Model.


Infrastructure Security for Cloud Computing

As far as infrastructure security goes, you’ll need to understand the details of securing the core infrastructure for cloud computing, including cloud components, networks, management interfaces, and administrator credentials. You’ll also need to understand virtual networking and workload security, including the basics of containers and serverless.


Managing Cloud Security and Risk

For this section you need to know the important considerations of managing security for cloud computing. That includes risk assessment and governance, as well as legal and compliance issues, such as discovery requirements in the cloud. You’ll also need to know how to use important CSA risk tools including the CAIQ, CCM, and STAR registry and how cloud impacts IT audits.


Data Security for Cloud Computing

One of the biggest issues in cloud security is protecting data, so you will need to understand how data is stored and secured in the cloud. You will also need to know how the data security lifecycle is impacted by cloud and how to apply security controls in a cloud environment. Other important topics include cloud storage models, data security issues with different delivery models, and managing encryption in and for the cloud, including customer managed keys (BYOK).


Application Security and Identity Management for Cloud Computing

Another important area you’ll be tested on is identity and access management and application security for cloud deployments. Topics you’ll need to learn include federated identity, different IAM applications, secure development, and managing application security in and for the cloud.


Cloud Security Operations

Lastly you’ll be tested on key considerations when evaluating, selecting, and managing cloud computing providers. Make sure you also understand the role of Security as a Service providers and the impact of cloud on incident response.


Step 2. How to Study

Get advice from peers…

I’d recommend checking out our Q&A blog series, CCSK Success Stories, where we asked individuals about their experience preparing for and taking the exam. Having prepared for and gone through the exam themselves, they are able to offer insight into what topics they found most challenging, and what you should focus on.

Choose How to Study

Self-study. I’d recommend taking this route if you don’t have the time or budget to complete a training course, or already have experience in cloud security. You can study for the exam on your own by downloading our free CCSK prep-kit here.

Self-paced training online. If you want training but have a hard time fitting in a regular course and need something flexible enough for your schedule and budget then our self-paced training may be a good fit. You can complete CCSK training modules on-the-go, without any deadlines, at a pace that’s right for you. Preview the course for free here.

Online training with an instructor. For individuals who work best when they can ask questions, the online instructor-led training is a good fit. It may also be an option for companies with a tight travel budget, since it still offers you the ability to attend regularly scheduled class sessions.

In-person training. Of course, in-person training is always nice to have. You get the opportunity to interact with an instructor face to face, ask questions and learn in the same room with other students.

CCSK Plus Course with hands-on labs. This extended version of the CCSK course offers a more practical implementation of the material. It combines the knowledge covered in the regular CCSK Fundamentals Course with hands-on labs where you can practice applying what you learn in real-life scenarios.

Download Study Materials

CSA Security Guidance v.4. This document explains how to keep your organization secure in the cloud. It is built on previous iterations of the security guidance, dedicated research, public participation from the CSA members, working groups, and the industry experts within our community. The latest version incorporates advances in cloud, security, and supporting technologies, reflects on real-world cloud security practices, integrates the latest CSA research projects, and offers guidance for related technologies. Most notably, this version now incorporates IoT, blockchain and DevSecOps into its guidelines.

The Cloud Controls Matrix. The CSA Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. It builds off of the Security Guidance v4 by giving a detailed understanding of security concepts and principles aligned to its 14 domains.

ENISA’s Cloud Computing Risk Assessment. This document was created by the European Union Agency for Network and Information Security (ENISA). It provides an in-depth and independent analysis outlining the information security benefits and key security risks of cloud computing.

The above study materials are included in the CCSK Prep-Kit. Along with the above documents, the prep-kit includes practice questions and other study resources to help you prepare for the exam. You can download it for free here.

Step 3. Review Exam Details

The Exam Format

The exam is open-book and held online. You can start an exam at any time that works for you. The timeline to complete it is 90 minutes, and you’ll be answering 60 questions selected randomly from the CCSK question pool. The minimum passing score is 80%.

Question Format

All the questions are multiple choice or true/false. If you’d like to preview a sample question from each module you can download the free CCSK Prep-Kit. For a more comprehensive practice test that covers multiple questions and material from all the modules you can try our online self-paced course.

Exam Difficulty

With an average passing rate of only 62%, the CCSK is a challenging exam to pass. For this reason, make sure you have read through all of the study materials and thoroughly understand the topics before attempting the test. Below is an approximate breakdown of the percentage of questions you could be asked from each domain.

Domains                                              % of Questions
1. Cloud Computing Concepts                          10.00%
2. Governance & Enterprise Risk Management            3.33%
3. Legal Issues: Contracts and Electronic Discovery   5.00%
4. Compliance & Audit Management                      5.00%
5. Information Governance                             3.33%
6. Management Plane & Business Continuity             6.67%
7. Infrastructure Security                           10.00%
8. Virtualization & Containers                        8.33%
9. Incident Response                                  6.67%
10. Application Security                             10.00%
11. Data Security & Encryption                       10.00%
12. Identity, Entitlement and Access Management       5.00%
13. Security as a Service                             3.33%
14. Related Technologies                              1.67%
15. CCM                                               6.67%
16. ENISA                                             5.00%

*The above percentages are estimates. Questions are selected at random from the CCSK question pool, so having a solid understanding of each domain and the CCM and ENISA documents is essential if you want to pass.

Step 4. Take the Exam

Register at the CCSK exam website

Whether you plan to purchase an exam token directly or will receive one as part of a training package, to attempt the exam you will first need to create an account on the exam platform. If you plan to self-study and buy a token, you can go directly to the link above. If you received an exam token with a training package, you will get an email with instructions on how to register and claim your token.

Take the exam

Since the exam is taken online, once you have a test token you can take the test when and where you want. Make sure you have thoroughly studied the exam materials and reviewed your notes if you took a training course. And be sure you have a reliable internet connection and a full 90 minutes in which you will not be interrupted or distracted.

Step 5. Build on the knowledge from the CCSK…

After you’ve earned your CCSK a good way to continue learning about cloud security is following our CloudBytes webinar series or volunteering for a working group. Other ways you can build on your success…

Share Your Success on LinkedIn

Write a LinkedIn article or post summarizing the new knowledge you acquired and how this certificate can add value to you and organizations you work for going forward. Share on LinkedIn using the hashtags #CCSK #CCSKSuccess and tag CSA. You can use this blog template here to help get you started.

Read the latest CSA research

In general, I recommend being familiar with the Top Threats document series. This helps folks understand the threat landscape for cloud. I’d also take a look at the 12 Most Critical Risks for Serverless Applications.

Use the CCSK to satisfy CPE credits

The CCSK can be used to satisfy continuing professional education credits for several other IT credentials including the CCSP and CISSP.

Gain hands-on experience

Practice building in a cloud environment using management plane best practices and appropriate reference architectures for practice projects. Look at some of the cloud offerings in the market and consider the security implications for the consumer based on the shared responsibilities model.

Consider enrolling in more advanced training

Two courses to consider taking after the CCSK are the Cloud Governance and Compliance or CCSP course. Which one you take will depend on your current job role, and where you are heading career-wise. For those interested in cloud governance or auditing, the Cloud Governance & Compliance (CGC) course is a good path. For those interested in cloud security implementation, the CCSP course is a good path. There may also be vendor specific trainings you may be interested in based on the environment you work in.

Start learning more about cloud security today. Enroll in a free trial of the online, self-paced CCSK training here.

What Will Happen If Encryption Used to Protect Data in Corporations Can Be Broken?

By Edward Chiu, Emerging Cybersecurity Technologist, Chevron

Preparing Enterprises for the Quantum Computing Cybersecurity Threats

While the development of quantum computers is still at a nascent stage, its potential in solving problems not feasible with classical computers draws interest from many industries.

On one hand, Volkswagen is researching using quantum computers to help optimize traffic, and researchers at Roche are investigating the use of quantum computing in biomedical applications.

On the other, a quantum computer powerful enough to run Shor’s algorithm poses a severe threat to asymmetric encryption (also known as public key encryption), which in turn plays a vital role in data security. The use of asymmetric encryption is pervasive and transcends industries and companies, thus quantum computing’s impact is far reaching.

“Preparing Enterprises for the Quantum Computing Cybersecurity Threats” is a new paper published by the CSA Quantum-Safe Security Working Group that provides an overview of the cybersecurity risks posed by quantum computing and encourages cybersecurity professionals and decision-makers to begin planning now, as the consequences of inaction are dire.

The paper illustrates the dark side of quantum computing and its impact to cryptography, how asymmetric encryption can be broken, and what practical steps enterprise decision-makers can take now to prepare for the emerging threat. Topics covered in the paper include:

  • What is quantum computing?
  • Impact of quantum computing on cryptography
  • The time to prepare is now
  • Preparation steps for a post-quantum era

Impact on asymmetric encryption

Asymmetric encryption is the cornerstone of data security on the Internet. Whenever someone uses a browser to log in to their bank account, an asymmetric scheme known as RSA is being used. In 1994, MIT mathematicians formulated an algorithm that provides an exponential speedup in factoring large numbers into their prime factors, the problem on which RSA’s security rests. A quantum computer powerful enough to run Shor’s algorithm and crack mainstream RSA cryptosystems would have catastrophic consequences for data security.
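To make the link between factoring and RSA concrete, here is an added example (not code from the CSA paper) that simulates the classical part of Shor’s algorithm: it reduces factoring N to finding the period of a^x mod N, brute-forces that period for toy moduli, and then shows how the factors immediately yield the RSA private exponent from the public key. The period-finding step is the one a quantum computer would do efficiently; everything else is ordinary arithmetic.

```python
"""The factoring step behind the quantum threat to RSA, simulated classically.

Added example, not code from the CSA paper. Shor's algorithm reduces factoring N
(for RSA, N = p*q) to finding the period r of f(x) = a^x mod N. A quantum computer
finds r efficiently; this script brute-forces it, which takes time exponential in
the bit length of N, so it only works for toy moduli. Everything after the period
is found is ordinary number theory and runs fast on a classical machine.
"""
from math import gcd
from random import Random
from typing import Optional, Tuple


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r == 1 (mod n), found by brute force.

    This is the only step that needs a quantum computer at RSA key sizes.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng_seed: int = 1) -> Optional[Tuple[int, int]]:
    """Return a non-trivial factorisation (p, q) of n, or None if none is found (n prime).

    Each random base a gives a useful period with probability at least 1/2,
    so a handful of attempts is enough for any odd composite n.
    """
    if n % 2 == 0:
        return 2, n // 2
    rng = Random(rng_seed)  # seeded so the example is reproducible
    for _ in range(50):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:
            return g, n // g          # a already shares a factor with n
        r = multiplicative_order(a, n)
        if r % 2:
            continue                  # odd period: try another base
        y = pow(a, r // 2, n)         # y^2 == 1 (mod n) but y != 1
        if y == n - 1:
            continue                  # y == -1 gives only trivial factors
        p = gcd(y - 1, n)             # (y-1)(y+1) == 0 (mod n) splits n
        if 1 < p < n:
            return p, n // p
    return None


def recover_private_exponent(n: int, e: int) -> Optional[int]:
    """Once n = p*q is known, the RSA private exponent d = e^-1 mod (p-1)(q-1) follows.

    This is why a factoring oracle makes the public key (n, e) reveal the private key.
    """
    factors = shor_factor(n)
    if factors is None:
        return None
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))   # modular inverse; Python 3.8+


if __name__ == "__main__":
    # Textbook toy RSA key: n = 61 * 53 = 3233, e = 17.
    d = recover_private_exponent(3233, 17)
    print("factors:", shor_factor(3233), "private exponent:", d)
```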

Hybrid cryptography

In recent years, cryptographers have been experimenting with the use of hybrid cryptography to mitigate quantum threats. Hybrid cryptography refers to the use of two or more cryptographic schemes, an example of which is an X.509 digital certificate that has two signatures—one classical and the other quantum-resistant. The goal is to provide resistance to both classical and quantum cryptanalytic attacks.

What should IT decision-makers do now?

What can we do now, while waiting for the arrival of a quantum computer capable of breaking encryption, an event sometimes referred to as years to quantum (Y2Q)? IT decision-makers should begin to lay out an actionable plan for Y2Q now, using this paper as a guideline.

Download the full paper now.

Financial Services: Counting on CASBs

By Will Houcheime, Product Marketing Manager, Bitglass

Financial institutions handle a great deal of sensitive data and are highly conscientious of where they store and process it. Nevertheless, they are aware of the many benefits that they can gain by using cloud applications. In order to embrace the cloud’s myriad advantages without compromising the security of their data, financial institutions have been turning to cloud access security brokers (CASBs). To find out why, check out our latest episode of Glass Class:

AWS Cloud: Proactive Security and Forensic Readiness – Part 5

By Neha Thethi, Information Security Analyst, BH Consulting

Part 5: Incident Response in AWS

In the event your organization suffers a data breach or a security incident, it’s crucial to be prepared and conduct timely investigations. Preparation involves having a plan or playbook at hand, along with pre-provisioned tools to effectively respond to and mitigate the potential impact of security incidents. These response measures are more effective when regularly tested, such as by running incident response simulation exercises.

This post relates to incident response in the AWS Cloud. It’s the last in a five-part series that provides a checklist for proactive security and forensic readiness in the AWS Cloud environment.

Incident response

NIST defines a security incident as “an occurrence that actually or potentially jeopardises the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies”. The figure below outlines the typical phases of an incident response lifecycle.

Figure 1: Incident response life cycle. [Source: Computer Security Incident Handling Guide]

Incident response in AWS Cloud

Incident response in the cloud is not very different from incident response in a traditional on-premises environment. In fact, there are several tools in the AWS cloud environment you can use to help the incident response process, such as AWS CloudTrail, Amazon CloudWatch, AWS Config, AWS CloudFormation, AWS Step Functions, etc. These tools enable you to track, monitor, analyse, and audit events.

Audit logs are treasure troves and are indispensable during investigations. AWS provides detailed audit logs that record important events such as file access and modification. Events can be automatically processed and trigger tools that automate responses through the use of AWS APIs. You can pre-provision tooling and a “clean room” which allows you to carry out forensics in a safe, isolated environment.

Figure 2: EC2 Auto Clean Room Forensics using Lambda, Step Functions, CloudFormation and SNS Topic. [Source: Automating Incident Response and Forensics in AWS – AWS Summit Sydney 2018]

The following list provides guidance on having an appropriate incident response strategy in place, estimating the impact of incidents in the AWS environment, the AWS tools to prepare in advance for incident handling, responding to AWS abuse warnings, containing a compromised EC2 instance, and wiping information post-investigation.

The checklist provides best practice for the following:

  1. How will you ensure that you have an appropriate incident response strategy in place?
  2. What AWS tools should you use to prepare in advance for incident handling?
  3. How will you respond to AWS abuse warnings?
  4. How will you isolate and restrict user access to a compromised Amazon EC2 instance?
  5. How will you ensure sensitive information is wiped post investigation?

Best-practice checklist

1. How will you ensure you have an appropriate incident response strategy in place?

  • Make sure the security team has the right tools pre-deployed into AWS so that the incident can be responded to in a timely manner.
  • Pre-provision a ‘clean room’ for automated incident handling.
  • Have a list of relevant contacts that may need to be notified.
  • Decide on the medium of communication. If the compromised account contains personal data, you may be required to contact the Data Protection Commission (DPC) within 72 hours to comply with GDPR.
  • Conduct incident response simulations regularly, in both non-production and production environments. Incorporate lessons learned into the architecture and operations.

2. What AWS tools should you use to prepare in advance for incident handling?
• Tags allow you to proactively label resources with a data classification or criticality attribute, so you can quickly estimate the impact when an incident occurs.
• AWS Organizations allows you to create separate accounts along business lines or mission areas, which limits the “blast radius” should a breach occur; for governance, you can apply service control policies to each of those member accounts from the master account.
• IAM grants the incident response team the authorisation it needs in advance, so responders are not waiting for permissions in the middle of an incident.
• Security Groups enable isolation of Amazon EC2 instances.
• AWS CloudFormation automates the creation of trusted environments for conducting deeper investigations.
• AWS CloudTrail provides a history of AWS API calls that can assist in the response and trigger automated detection and response systems.
• VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC.
• AWS Key Management Service (KMS) encrypts sensitive data at rest, including logs aggregated and stored centrally.
• Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorised behaviour.
• Amazon CloudWatch Events triggers automated actions from changes in AWS resources, including API calls recorded by CloudTrail.
• Amazon S3 stores snapshots and related incident artefacts.
• AWS Step Functions coordinates a sequence of steps to automate an incident response process.
• AWS APIs automate many of the routine tasks that need to be performed during incident handling.
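VPC Flow Logs are only useful in an incident if you can turn them into a list of who the compromised instance talked to. The following script is an added example (not code from this post or from AWS) that scopes an instance's network contacts from flow log records: it parses the default version 2 record format, keeps only the records for the compromised ENI, folds them into per-peer contacts and lists external, high-volume, accepted contacts first, since those are the likeliest command-and-control or exfiltration channels. The ENI ID, the instance IP and the log lines are constructed for the example; in practice you would feed it lines exported from CloudWatch Logs or S3.

```python
"""Scope a compromised instance's network contacts from VPC Flow Logs.

Added example, not code from the original post. Assumes the default VPC
Flow Logs version 2 record format and that the analyst already knows the
compromised instance's ENI ID and private IP; the log lines, ENI ID and
addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Default VPC Flow Logs (version 2) record layout, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}
# Address space treated as "inside": RFC 1918 plus link-local (169.254.169.254
# is the instance metadata service). ipaddress.is_private is deliberately not
# used because it also covers documentation ranges such as 203.0.113.0/24.
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass
class Contact:
    remote: str
    direction: str      # "out": instance initiated; "in": remote initiated
    port: int           # remote service port (out) or local port hit (in)
    protocol: str
    external: bool      # remote address is outside INTERNAL
    flows: int = 0
    bytes: int = 0      # accepted bytes only
    rejected: int = 0   # flows blocked by a security group or network ACL
    first_seen: int = 0
    last_seen: int = 0


def parse_record(line: str) -> Optional[dict]:
    """Parse one flow log line; None for malformed or NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":    # NODATA/SKIPDATA rows carry '-' fields
        return None
    for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def summarize_contacts(lines: Iterable[str], eni_id: str, instance_ip: str,
                       window: Optional[Tuple[int, int]] = None) -> List[Contact]:
    """Aggregate flows for one ENI into per-peer contacts, external and
    highest-volume first. window is an optional (start, end) in epoch
    seconds; flows overlapping it are kept."""
    contacts: Dict[tuple, Contact] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["interface_id"] != eni_id:
            continue
        if window and (rec["end"] < window[0] or rec["start"] > window[1]):
            continue
        if rec["srcaddr"] == instance_ip:
            direction, remote, port = "out", rec["dstaddr"], rec["dstport"]
        elif rec["dstaddr"] == instance_ip:
            # Return traffic of an outbound session also lands here, keyed by
            # the local ephemeral port: flow logs keep no session state.
            direction, remote, port = "in", rec["srcaddr"], rec["dstport"]
        else:
            continue   # another address on the same ENI
        proto = PROTO.get(rec["protocol"], rec["protocol"])
        key = (remote, direction, port, proto)
        c = contacts.get(key)
        if c is None:
            addr = ip_address(remote)
            c = Contact(remote, direction, port, proto,
                        external=not any(addr in n for n in INTERNAL),
                        first_seen=rec["start"], last_seen=rec["end"])
            contacts[key] = c
        c.flows += 1
        if rec["action"] == "ACCEPT":
            c.bytes += rec["bytes"]
        else:
            c.rejected += 1
        c.first_seen = min(c.first_seen, rec["start"])
        c.last_seen = max(c.last_seen, rec["end"])
    return sorted(contacts.values(), key=lambda c: (not c.external, -c.bytes))


# Constructed sample: eni-0a1b2c3d4e5f67890 / 10.0.1.15 is the compromised instance.
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 203.0.113.45 49812 4444 6 3200 4820000 1560000000 1560000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 10.0.1.15 4444 49812 6 2900 310000 1560000000 1560000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.2.40 50231 5432 6 400 92000 1560000100 1560000700 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.15 55120 22 6 12 720 1560000200 1560000260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.0.2 41234 53 17 4 312 1560000050 1560000110 ACCEPT OK
2 123456789012 eni-0ffffffffffffffff 10.0.3.9 10.0.1.15 4100 443 6 9 1800 1560000300 1560000360 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1560000000 1560000600 - NODATA
"""

if __name__ == "__main__":
    for c in summarize_contacts(SAMPLE_LOGS.splitlines(), "eni-0a1b2c3d4e5f67890", "10.0.1.15"):
        flag = "EXTERNAL" if c.external else "internal"
        print(f"{flag:8} {c.direction:3} {c.remote}:{c.port}/{c.protocol} "
              f"flows={c.flows} bytes={c.bytes} rejected={c.rejected}")
```

On the sample the first line of output is the 4.8 MB outbound flow to 203.0.113.45:4444, which is exactly what a responder wants to see first; the rejected SSH attempt from 198.51.100.7 shows up as a contact with zero accepted bytes, and the 10.0.2.40:5432 contact tells you which internal database to check next. Pass the incident window to drop everything outside the time of interest.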

3. How will you respond to AWS abuse warnings?
• Set up a dedicated security communication email address and register it as the account’s alternate security contact, so that abuse notifications reach the security team rather than only the root account mailbox.
• Do not ignore abuse warnings. Take action to stop the malicious activity and prevent it from recurring.
• Open a case with AWS Support for cross-validation.

4. How will you isolate and restrict user access to a compromised Amazon EC2 instance?
• When containing the instance manually, use IAM to restrict the permissions available to the compromised Amazon EC2 instance (for example, its instance role) and to the users who can reach it.
• Isolate the instance using restrictive ingress and egress security group rules, or remove it from its load balancer.
• Tag the instance appropriately to indicate that it has been isolated.
• Create snapshots of its EBS volumes.
• Notify the relevant contacts.
• Use CloudFormation to quickly create a new, trusted environment in which to conduct a deeper investigation.
• The above steps can be automated using Lambda, Step Functions, CloudFormation and an SNS topic to prepare an EC2 auto clean room for containing the instance.
• You can also use the aws-security-automation code on GitHub, a collection of scripts and resources for DevSecOps, security automation and automated incident response remediation.
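The containment steps above, written out as one Lambda-style function, as an added example that is neither this post’s code nor the aws-security-automation project’s. It is written against the boto3 client API (describe_instances, create_security_group, revoke_security_group_egress, modify_instance_attribute, create_tags, create_snapshot, put_role_policy and publish) but takes the clients as parameters, so the FakeClient double at the bottom lets it run offline; in production you pass boto3.client("ec2"), boto3.client("iam") and boto3.client("sns"). The instance, volume, security group and role identifiers are constructed. Two details worth noticing: every new security group is created with an allow-all egress rule, so “an empty group” is not actually empty until that rule is revoked, and an explicit Deny on the instance role is the quickest way to neutralise credentials already lifted from the instance metadata service.

```python
"""Contain a compromised EC2 instance: restrict, isolate, tag, snapshot, notify.

Added example, not code from the post or from aws-security-automation. Written
against the boto3 client API but with the clients injected, so it runs offline
with the FakeClient double below. IDs and ARNs are constructed.
"""
import json
import time

DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def contain_instance(ec2, sns, instance_id, case_id, topic_arn,
                     iam=None, role_name=None):
    """Run the containment steps in order and return a report of what was done."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]

    # 1. Restrict access: an explicit Deny on the instance role wins over every
    #    Allow, so credentials already stolen from the metadata service go dead.
    if iam is not None and role_name:
        iam.put_role_policy(RoleName=role_name, PolicyName=f"incident-{case_id}-deny-all",
                            PolicyDocument=json.dumps(DENY_ALL))

    # 2. Isolate: a fresh security group with no rules. AWS attaches an allow-all
    #    egress rule to every new group, so revoke it explicitly.
    sg_id = ec2.create_security_group(
        GroupName=f"isolation-{case_id}-{instance_id}",
        Description=f"Forensic isolation, case {case_id}",
        VpcId=inst["VpcId"])["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    # Preserve the evidence: nobody, automation included, terminates it via the API.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})

    # 3. Tag so the state is visible and the original groups can be restored later.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "IncidentStatus", "Value": "Isolated"},
        {"Key": "IncidentCase", "Value": case_id},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original_sgs)}])

    # 4. Snapshot every attached EBS volume for analysis in the clean room.
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        volume_id = mapping.get("Ebs", {}).get("VolumeId")
        if volume_id:
            snap = ec2.create_snapshot(
                VolumeId=volume_id,
                Description=f"Forensic snapshot {case_id} {instance_id} {volume_id}",
                TagSpecifications=[{"ResourceType": "snapshot",
                                    "Tags": [{"Key": "IncidentCase", "Value": case_id}]}])
            snapshots.append(snap["SnapshotId"])

    # 5. Notify the responders.
    report = {"case": case_id, "instance": instance_id, "isolation_sg": sg_id,
              "original_sgs": original_sgs, "snapshots": snapshots,
              "contained_at": int(time.time())}
    sns.publish(TopicArn=topic_arn, Subject=f"[{case_id}] {instance_id} isolated",
                Message=json.dumps(report))
    return report


class FakeClient:
    """Records calls and returns canned responses; stands in for a boto3 client."""
    def __init__(self, responses=None):
        self.responses, self.calls = responses or {}, []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            resp = self.responses.get(name, {})
            return resp(kwargs) if callable(resp) else resp
        return call


INSTANCE = {   # constructed describe_instances output, trimmed to the fields used
    "InstanceId": "i-0123456789abcdef0", "VpcId": "vpc-0a1b2c3d",
    "SecurityGroups": [{"GroupId": "sg-0web"}, {"GroupId": "sg-0ssh"}],
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}},
                            {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0bbb"}}],
}


def run_demo():
    """Contain the constructed instance against the fake clients."""
    ec2 = FakeClient({
        "describe_instances": {"Reservations": [{"Instances": [INSTANCE]}]},
        "create_security_group": {"GroupId": "sg-0isolation"},
        "create_snapshot": lambda kw: {"SnapshotId": "snap-" + kw["VolumeId"].split("-")[1]},
    })
    iam, sns = FakeClient(), FakeClient({"publish": {"MessageId": "m-1"}})
    report = contain_instance(ec2, sns, "i-0123456789abcdef0", "IR-2019-042",
                              "arn:aws:sns:eu-west-1:123456789012:incident-response",
                              iam=iam, role_name="web-instance-role")
    return ec2, iam, sns, report


if __name__ == "__main__":
    print(json.dumps(run_demo()[3], indent=2))
```

Wired to a CloudWatch Events rule on GuardDuty findings (via Lambda or a Step Functions state machine), this is the manual procedure above without the delay. The OriginalSecurityGroups tag is what lets you restore the instance if the finding turns out to be a false positive.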

5. How will you ensure sensitive information is wiped post investigation?
• Securely wipe the files and delete any KMS data keys that were used. Confirm first that no legal hold or evidence-retention requirement applies: once a data key is gone, anything encrypted under it is unrecoverable.


For more details, refer to the following AWS resources:

Go back to the introduction AWS Cloud: Proactive Security & Forensic Readiness five-part best practice
Read Part 1 – Identity and Access management in AWS: best-practice checklist
Read Part 2 – Infrastructure level protection in AWS: best-practice checklist
Read Part 3 – Data protection in AWS: best-practice checklist
Read Part 4 – Detective Controls in AWS: best-practice checklist

Let us know in the comments below if we have missed anything in our checklist!

DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only. For more information, or to request an in-depth security review of your cloud environment, please contact us.

CSA on This Millennium Alliance Podcast

By Cara Bernstein, Manager/Executive Education Partnerships, The Millennium Alliance


This podcast episode features The Millennium Alliance partner, The Cloud Security Alliance. We sat down with Vince Campitelli, Enterprise Security Specialist, and Jon-Michael C. Brook, Principal, Guide Holdings, LLC, and co-chair of CSA’s Top Threats Working Group, to discuss the work of CSA, the top threats people need to be concerned about and how to best develop an expert cyber team.

Click here to listen and subscribe >>

CCSK Success Stories: From a Data Privacy Consultant


By the CSA Education Team

This is the fourth part in a blog series on cloud security training, in which we interview Satishkumar Tadapalli, a certified and seasoned information security and data privacy consultant. Tadapalli has 12+ years of multi-functional IT experience in pre-sales, consulting, risk advisory and business analysis. He has rich experience in information protection and data privacy, risk management and information security, including various ISO 27001 implementations and audits, and is currently working for a London-based bank as a risk advisor, looking after third-party assurance and cloud risk assessments.

Satish holds several certifications including: CISM, CIPM, CIPT, CCSK, ISO27001 LA, CISRA, CPISI, and ITIL V3.

Can you describe your role?

In this diverse, cloud-connected, dynamic world, it’s not easy for me to describe a specific role as I’m required to wear multiple hats depending on the table at which I’m seated. Having said that, currently I’m performing a risk advisory role at one of the largest banks in the UK. This position keeps me challenged in performing contractual risk assurance, data privacy consultations and cloud risk assessment of 3rd-, 4th-, and 5th-party vendors, and governing the supplier risk-assurance activities to ensure that the consumer and providers are adhering to the privacy and security principles and keeping customer data safe and secure.

What got you into cloud security in the first place? What made you decide to earn your CCSK?

Cloud security is an interesting and evolving topic for me. I believe cloud adoption isn’t a choice for organizations in this era, now. For this reason, keeping myself updated on the must-have knowledge in cloud made me pay attention to cloud security. Once I’d decided to get my hands into cloud security, I felt CCSK was my go-to in order to get started with concepts as it covers the foundations of real-world, complex scenarios in cloud implementation, migration, issues in adoption, evaluation of cloud and many others.

… makes you not only think from the cloud deployment view, but also provides guidance for both cloud service provider and consumer views which is very uniquely appreciated and helps in real-world solutioning—especially when you wear multiple hats—of risks from vendor to consumers.”

Could you elaborate on how the materials covered in the exam specifically helped in that way?

Sure, as we all know CCSK isn’t a specific, cloud product-related exam. Rather, I think the intention of this exam is to evaluate how well the key elements or domains of cloud models/service(s) are understood by candidates. Hence, this exam expects you to be aware of key areas such as governance, legal challenges, incident response, compliance, and risk management, which are very essential and challenging in cloud adoption for both consumers and service providers of cloud.

How did you prepare for the CCSK exam?

I mainly followed the CCSK exam preparation kit available on CSA site, plus my limited experience in security and 3rd-party risk assessment helped to crack the CCSK exam.

If you could go back and take it again, how would you prepare differently?

As I mentioned earlier, cloud is a constantly changing world with new threats and challenges evolving almost every day. Hence, I would elevate my knowledge by looking at current study materials from CSA and explore the real challenges and solutions in industries for cloud implementation and adoption.

Were there any specific topics on the exam that you found trickier than others?

I felt that the legal and compliance management along with security incidents handling domains were quite interesting. Primarily, because these areas bring different challenges to cloud services, mainly in detailing the roles and responsibilities and limitations for both cloud consumers and cloud providers.

What is your advice to people considering earning their CCSK?

I strongly advise CCSK aspirants look at this exam as a foundational course and use it as a stepping stone in the vast cloud security journey. CCSK won’t just differentiate you from others by giving you a credential, it will also help you in a longer journey irrespective of your role (cloud consumer, provider or independent cloud risk advisor, etc.) due to its essential concepts, which aren’t specific to any cloud vendor/solution.

Lastly, what material from the CCSK has been the most relevant in your work and why?

It is a bit hard for me to point out one or any specific domain(s) as most of the domains and materials were and are relevant to my work as I’m required to play multiple roles given the nature of business we are in today. Specifically, I use the Security Guidance and the Cloud Controls Matrix the most as I deal with vendor risk management. These help to clarify key roles and responsibilities between the cloud provider and consumer. In addition, these documents act as a guide for me to reassure myself of cloud concepts.

Interested in learning more about cloud security training? Discover our free prep-kit, training courses, and resources to prepare to earn your Certificate of Cloud Security Knowledge here.

Invest in your future with CCSK training

Prying Eyes Inside the Enterprise: Bitglass’ Insider Threat Report

By Jacob Serpa, Product Marketing Manager, Bitglass


When words like cyberattack are used, they typically conjure up images of malicious, external threats. While hackers, malware, and other outside entities pose a risk to enterprise security, they are not the only threats that need to be remediated. 

Insider threats, which involve either malicious or careless insiders, are another significant threat to corporate data that must be addressed. Fortunately, Bitglass has the latest information on this topic. Read on to learn more.

In Threatbusters, Bitglass’ 2019 Insider Threat Report, Bitglass set out to learn about the state of insider attacks, as well as to uncover what organizations are doing to defend against them. This was accomplished by partnering with a cybersecurity community and surveying the IT professionals therein. A breadth of survey questions yielded a wealth of information, ranging from the tools that organizations are using to defend against threats, to how long it takes them to recover from these types of attacks. Two examples can be found below.

The frequency of attack

A staggering 73 percent of survey respondents claimed that insider threats are becoming a more common occurrence. In 2017, when Bitglass released its previous Insider Threat Report, this number was only 56 percent. Additionally, 59 percent of respondents revealed that their organization had experienced at least one insider attack within the last 12 months. For organizations to stay secure in today’s high-speed, cloud-first world where data is shared, accessed, and downloaded more rapidly and widely than ever before, appropriate security controls simply have to be put in place.

The damage done 

Eighty-seven percent of respondents said that it was either moderately difficult or very difficult to determine the damage done in the wake of an insider attack. This should not come as a surprise. Because insider attacks involve the use of legitimate credentials, distinguishing legitimate user activity from threatening user activity can be challenging (especially because said behavior can go unnoticed for extended periods of time if the proper tools are not in place). Naturally, this means that it can be difficult to ascertain the extent of the damage that these authorized users have done.

The above items are only a sample of what Bitglass was able to uncover in its most recent research. To learn more about insider attacks and how organizations are addressing them, download the full report.

CSA STAR – The Answer to Less Complexity, Higher Level of Compliance, Data Governance, Reduced Risk and More Cost-Effective Management of Your Security and Privacy System

By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance


We just launched a major refresh of the CSA STAR (Security, Trust, Assurance and Risk) program, and if you were at the CSA Summit at RSA, you got a preview of what’s in store. So let me put things in a bit more context regarding the evolution of STAR.

The more complex systems become, the less secure they become, even though security technologies improve. There are many reasons for this, but they can all be traced back to the problem of complexity. Why? Because we give most of our attention to technology, while the number of siloed regulations and standards keeps growing. The result is fragmentation and excessive complexity.

The adversary works in the world of the stack, and that complexity is where they thrive.

Ron Ross, Senior Scientist and Fellow at NIST

Complex systems:

  • have more independent processes and that creates more security risks.
  • have more interfaces and interactions and create more security risks.
  • are harder to monitor and therefore, are more likely to have untested, unaudited portions.
  • are harder to develop and implement securely.
  • are harder for employees and stakeholders to understand and be trained on.

By using a single system for the ongoing management of compliance, regulatory, legal, and information security obligations, overlapping requirements can be identified, efficiencies leveraged, and greater visibility and assurance provided to the organization.

CSA STAR: Built to Support

To respond to these growing business concerns, the Cloud Security Alliance (CSA) created the Cloud Controls Matrix (CCM). Developed in conjunction with an international industry working group, it specifies common controls which are relevant for cloud security and is the foundation on which the three pillars of CSA STAR are built.

In the same approach, we recently released the GDPR Code of Conduct (CoC). The GDPR CoC shows adherence to GDPR privacy requirements, streamlines contracting, accelerates sales cycles and provides assurance to the cloud customer of data privacy in conjunction with CSA STAR.

CSA STAR is being recognized as the international harmonized solution, leading the way of trust for cloud providers, users, and their stakeholders, by providing an integrated cost-effective solution that decreases complexity and increases trust and transparency while enabling organizations to secure their information, protect against cyber-threats, reduce risk, and strengthen their information governance. It creates trust and accountability in the cloud market with increasing levels of transparency and assurance. What’s more, it provides the solution to an increasingly complex and resource-demanding compliance landscape by providing technical standards, an integrated certification and attestation framework, and public registry of trusted data.

The STAR Registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions and also to manage their supply-chain. Additionally, it allows cloud service providers (CSPs) to benchmark themselves against like CSPs in their industry.

STARWatch can then be used for benchmarking and/or third-party risk management. STARWatch is a SaaS application to help organizations manage compliance with CSA STAR Registry requirements. STARWatch delivers the content of the CCM and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA best practices.

While it is understood that ISO/IEC 27001, the international management systems standard for information security, and SOC 2 are both widely recognized and respected, their requirements are more generic. As such, there can be a perception that they do not focus on certain areas of security that are critical for particular sectors, such as cloud security, in enough detail.

By adopting STAR as an extension of your ISO/IEC 27001 or SOC 2 System, you’ll be sending a clear message to existing and potential customers that your security systems are robust and have addressed the specific issues critical to cloud security.

STAR Certification can boost customer and stakeholder confidence, enhance your corporate reputation, and give your business a competitive advantage.

Take the STAR Challenge

Take the first step in evaluating how your organization stacks up against the CCM. Fill out the self-assessment using the CAIQ and the CCM. You can then upload your information into the STAR Registry, taking credit for your compliance efforts.

Additionally you can evaluate yourself against the GDPR Code of Conduct. Just fill out the self-assessment, which can then be uploaded to the STAR Registry, along with your Statement of Adherence . Our team of experts will evaluate your submission and either respond with questions or approve your submission for posting. Again, you’ll be making a major statement about your compliance posture.

Once you have completed this step (or along the way) you can make decisions on whether there is a business case to move into Level 2 (certification and/or attestation).

Contact us to find out more about CSA STAR and the opportunities available for you to contribute and have a voice in this growing area of increasing trust and transparency in the cloud.

Healthcare Breaches and the Rise of Hacking and IT Incidents

By Jacob Serpa, Product Marketing Manager, Bitglass


In the course of their day-to-day operations, healthcare organizations handle an extensive amount of highly sensitive data. From Social Security numbers to medical record numbers and beyond, it is imperative that these personal details are properly secured. 

Each year, Bitglass conducts an analysis and uncovers how well healthcare organizations are protecting their data. In 2019’s report, we detail the state of security in healthcare as well as shed light on recent breach trends in the vertical. Read on to learn more.

Bitglass’ 2019 Healthcare Breach Report analyzes data stored in the Department of Health and Human Services’ “Wall of Shame,” a database wherein details about healthcare breaches are stored. By scrutinizing this data set, Bitglass uncovered information related to the size of healthcare breaches, the causes of healthcare breaches, the states in which these breaches occur, and much more, over the last few years. A snapshot of some of this data is provided below.

The rise of hacking and IT incidents

Over the last few years, the threat landscape has been shifting in healthcare. It used to be that lost and stolen devices were the leading contributor to exposed data. However, each year since 2014, the number of breaches caused by lost and stolen devices has decreased. At the same time, hacking and IT incidents have enabled more and more breaches each year – in 2018, they were the leading cause of breaches in healthcare. 

The decreasing numbers of healthcare breaches

Despite the above, 2018 saw the number of healthcare breaches reach its lowest point in the last few years. Obviously, this is good news. While healthcare firms need to do something to address the growing number of hacking and IT incidents that are exposing their data, the fact that the overall breach number is down still bodes well for the industry’s progress in securing sensitive data. 

To learn more about the above findings as well as other interesting facts and figures, download the full 2019 Healthcare Breach Report.

12 Ways Cloud Upended IT Security (And What You Can Do About It)

This article was originally published on Fugue's blog here. 

By Andrew Wright, Co-founder & Vice President of Communications, Fugue


The cloud represents the most disruptive trend in enterprise IT over the past decade, and security teams have not escaped turmoil during the transition. It’s understandable for security professionals to feel like they’ve lost some control in the cloud and feel frustrated while attempting to get a handle on the cloud “chaos” in order to secure it from modern threats.

Here, we take a look at the ways cloud has disrupted security, with insights into how security teams can take advantage of these changes and succeed in their critical mission to keep data secure.

1. The cloud relieves security of some big responsibilities

Organizations liberate themselves from the burdens of acquiring and maintaining physical IT infrastructure when they adopt cloud, and this means security is no longer responsible for the security of physical infrastructure. The Shared Security Model of Cloud dictates that Cloud Service Providers (CSPs) such as AWS and Azure are responsible for the security of the physical infrastructure. CSP customers (that’s you!) are responsible for the secure use of cloud resources. There’s a lot of misunderstanding out there about the Shared Responsibility Model however, and that brings risk.

2. In the cloud, developers make their own infrastructure decisions

Cloud resources are available on-demand via Application Programming Interfaces (APIs). Because the cloud is self-service, developers move fast, sidestepping traditional security gatekeepers. When developers spin up cloud environments for their applications, they’re configuring the security of their infrastructure. And developers can make mistakes, including critical cloud resource misconfigurations and compliance policy violations.

3. And developers change those decisions constantly

Organizations can innovate faster in the cloud than they ever could in the datacenter. Continuous Integration and Continuous Deployment (CI/CD) means continuous change to cloud environments. And it’s easy for developers to change infrastructure configurations to perform tasks like getting logs from an instance or troubleshooting an issue. So, even if the security of their cloud infrastructure was correct on day one, a misconfiguration vulnerability may have been introduced on day two (or hour two).

4. The cloud is programmable and can be automated

Because cloud resources can be created, modified, and destroyed via APIs, developers have ditched web-based cloud “consoles” and taken to programming their cloud resources using infrastructure-as-code tools like AWS CloudFormation and Hashicorp Terraform. Massive cloud environments can be predefined, deployed on-demand, and updated at will–programmatically and with automation. These infrastructure configuration files include the security-related configurations for critical resources.

5. There are more kinds of infrastructure in the cloud to secure

In certain respects, security in the datacenter is easier to manage. You have your network, firewalls, and servers on racks. The cloud has those too, in virtualized form. But the cloud also produced a flurry of new kinds of infrastructure resources, like serverless and containers. AWS alone has introduced hundreds of new kinds of services over the past few years. Even familiar things like networks and firewalls operate in unfamiliar ways in the cloud. All require new and different security postures.

6. There’s also more infrastructure in the cloud to secure

There are simply more cloud infrastructure resources to track and secure, and due to the elastic nature of cloud, “more” varies by the minute. Teams operating at scale in the cloud may be managing dozens of environments across multiple regions and accounts, and each may involve tens of thousands of resources that are individually configured and accessible via APIs. These resources interact with each other and require their own identity and access management (IAM) permissions. Microservice architectures compound this problem.

7. Cloud security is all about configuration—and misconfiguration

Cloud operations is all about the configuration of cloud resources, including security-sensitive resources such as networks, security groups, and access policies for databases and object storage. Without physical infrastructure to concern yourself with, security focus shifts to the configuration of cloud resources to make sure they’re correct on day one, and that they stay that way on day two and beyond.

8. Cloud security is also all about identity

In the cloud, many services connect to each other via API calls, requiring identity management for security rather than IP based network rules, firewalls, etc. For instance, a connection from a Lambda to an S3 bucket is accomplished using a policy attached to a role that the Lambda takes on—its service identity. Identity and Access Management (IAM) and similar services are complex and feature rich, and it’s easy to be overly permissive just to get things to work. And since these cloud services are created and managed with configuration, see #7.

9. The nature of threats to cloud are different

Bad actors use code and automation to find vulnerabilities in your cloud environment and exploit them, and automated threats will always outrun manual or semi-manual defenses. Your cloud security must be resilient against modern threats, which means it must cover all critical resources and policies and recover from any misconfiguration of those resources automatically, without human involvement. The key metric here is Mean Time to Remediation (MTTR) for critical cloud misconfiguration. If yours is measured in hours, days, or (gasp!) weeks, you’ve got work to do.

10. Datacenter security doesn’t work in the cloud

By now, you’ve probably concluded that many of the security tools that worked in the datacenter aren’t of much use in the cloud. This doesn’t mean you need to ditch everything you’ve been using, but learn which still apply and which are obsolete. For instance, application security still matters, but network monitoring tools that rely on SPAN ports or taps to inspect traffic generally don’t, because CSPs don’t provide direct access to the physical network (though AWS’s VPC Traffic Mirroring can now feed a copy of VPC traffic to such tools). The primary security gap you need to fill is concerned with cloud resource configuration.

11. Security can be easier and more effective in the cloud

You’re probably ready for some good news. Because the cloud is programmable and can be automated, the security of your cloud is also programmable and can be automated. This means cloud security can be easier and more effective than it ever could be in the datacenter. In the midst of all this cloud chaos lies opportunity!

Monitoring for misconfiguration and drift from your provisioned baseline can be fully automated, and you can employ self-healing infrastructure for your critical resources to protect sensitive data. And before infrastructure is provisioned or updated, you can run automated tests to validate that infrastructure-as-code complies with your enterprise security policies, just like you do to secure your application code. This lets developers know earlier on if there are problems that need to be fixed, and it ultimately helps them move faster and keep innovating.
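What such an automated pre-provisioning test looks like in practice, as an added example (not Fugue’s product or code, and a deliberately small rule set): a policy-as-code check over a CloudFormation template that flags the three misconfigurations this article keeps returning to in #7 and #8, a security group open to the world on an administrative port, a public S3 bucket, and an IAM policy granting wildcard actions on all resources, such as an `s3:*` on `*` attached to a Lambda role. It reads only literal values, so a port or CIDR supplied through a Ref or Sub is skipped rather than evaluated. The two templates are constructed; in a pipeline you would point it at the real template file and fail the build on a non-zero exit.

```python
"""Policy-as-code check for a CloudFormation template.

Added example, not Fugue's code. Flags world-open admin ports, public S3
buckets and wildcard IAM grants. The templates below are constructed.
"""
import json
from typing import List, NamedTuple

ADMIN_PORTS = {22, 3389, 3306, 5432, 27017, 6379}   # SSH, RDP and common databases
WORLD = {"0.0.0.0/0", "::/0"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


class Finding(NamedTuple):
    resource: str
    rule: str
    detail: str


def _listify(value):
    return value if isinstance(value, list) else [value]


def _check_ingress(name: str, rule: dict, findings: List[Finding]) -> None:
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if cidr not in WORLD:
        return
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    if not isinstance(lo, int) or not isinstance(hi, int):
        return   # port comes from an intrinsic function (Ref/Sub); not evaluated here
    if rule.get("IpProtocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
        findings.append(Finding(name, "sg-open-admin-port", f"{cidr} may reach ports {lo}-{hi}"))


def _check_policy_doc(name: str, doc: dict, findings: List[Finding]) -> None:
    for st in _listify(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a for a in _listify(st.get("Action", [])) if isinstance(a, str)]
        resources = [r for r in _listify(st.get("Resource", [])) if isinstance(r, str)]
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(Finding(name, "iam-wildcard-on-all-resources", f"{actions} on *"))


def check_template(template: dict) -> List[Finding]:
    """Evaluate every resource in the template against the rules above."""
    findings: List[Finding] = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                _check_ingress(name, rule, findings)
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            _check_ingress(name, props, findings)
        elif rtype == "AWS::S3::Bucket":
            if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
                findings.append(Finding(name, "s3-public-acl", props["AccessControl"]))
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PAB_KEYS):
                findings.append(Finding(name, "s3-public-access-block-missing",
                                        "all four Block/Ignore/Restrict settings must be true"))
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            _check_policy_doc(name, props.get("PolicyDocument", {}), findings)
        elif rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            for pol in props.get("Policies", []):
                _check_policy_doc(name, pol.get("PolicyDocument", {}), findings)
    return findings


# Constructed templates, trimmed to the properties the rules look at.
BAD_TEMPLATE = {"Resources": {
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Uploads": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "FnRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyName": "s3-everything", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}},
}}
GOOD_TEMPLATE = {"Resources": {
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/16"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Uploads": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private",
        "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}},
    "FnRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyName": "read-uploads", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::uploads-bucket/*"}]}}]}},
}}

if __name__ == "__main__":
    import sys
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else BAD_TEMPLATE
    findings = check_template(template)
    for f in findings:
        print(f"{f.rule:32} {f.resource}: {f.detail}")
    sys.exit(1 if findings else 0)
```

Run against BAD_TEMPLATE it reports four findings and exits 1; GOOD_TEMPLATE, which keeps port 443 open to the world but confines SSH to the VPC, blocks public access on the bucket and narrows the Lambda role to `s3:GetObject` on one bucket, passes clean. The same functions can be run on a schedule against templates exported from a live stack, which is the drift detection the paragraph above describes.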

12. Compliance can also be easier and more effective in the cloud

There’s good news for compliance analysts as well. Traditional manual audits of cloud environments can be incredibly costly, error-prone, and time-consuming, and they’re usually obsolete before they’re completed. Because the cloud is programmable and can be automated, compliance scanning and reporting can be as well. It’s now possible to automate compliance audits and generate reports on a regular basis without investing a lot of time and resources. Because cloud environments change so frequently, a gap between audits that’s longer than a day is probably too long.

Where to start with cloud security

  1. Learn what your developers are doing
    What cloud environments are they using, and how are they separating concerns by account (e.g. dev, test, prod)? What provisioning and CI/CD tools are they using? Are they currently using any security tools? The answers to these questions will help you develop a cloud security roadmap and identify ideal areas to focus on.
  2. Apply a compliance framework to an existing environment. 
    Identify violations and then work with your developers to bring it into compliance. If you aren’t subject to a compliance regime like HIPAA, GDPR, NIST 800-53, or PCI, then adopt the CIS Benchmark. Cloud providers like AWS and Azure have adapted it to their cloud platforms to help remove guesswork on how they apply to what your organization is doing.
  3. Identify critical resources and establish good configuration baselines.
    Don’t let the forest cause you to lose sight of the really important trees. Work with your developers to identify cloud resources that contain critical data, and establish secure configuration baselines for them (along with related resources like networks and security groups). Start detecting configuration drift for these and consider automated remediation solutions to prevent misconfiguration from leading to an incident.
  4. Help developers be more secure in their work. 
    Embrace a “Shift Left” mentality by working with developers to bake security in earlier in the software development lifecycle (SDLC). DevSecOps approaches such as automated policy checks during development exist to help keep innovation moving fast by eliminating slow, manual security and compliance processes.

The key to an effective and resilient cloud security posture is close collaboration with your development and operations teams to get everyone on the same page and talking the same language. In the cloud, security can’t operate as a stand-alone function.

Read more industry insights from the team at Fugue here!

Better Vulnerability Management: How to Master Container Security in Three Steps

By Nate Dyer, Product Marketing Director, Tenable


Application containers like Docker have exploded in popularity among IT and development teams across the world. Since its inception in 2013, Docker software has been downloaded 80 billion times and more than 3.5 million applications have been “dockerized” to run in containers.

With all the enthusiasm and near-mainstream adoption status, it’s important to understand the reasons why security continues to be the top challenge with container deployments. Let’s take a look.

Security is the top container management challenge

In study after study security comes up as the top container management challenge. In many ways, container security issues are no different than those impacting traditional IT. Poor cyber hygiene, such as developers using vulnerable versions of Kubernetes or misconfigured Docker services, creates a lot of turmoil in the container ecosystem. Security teams need to find vulnerabilities and prioritize their remediation based on actual cyber risk – just as they would for any other computing asset.

Containers create unique issues for security teams

But, in other ways, container security issues are rather unique. Modern application development today is largely focused on assembling existing software components, many of which are open-source code, instead of writing code from scratch.

For example, many developers turn to container image repositories like Docker Hub to construct their own container images quickly. Unfortunately, very few of these assembled components are actually analyzed by security teams to assess business risk.

And the risks are real: 17 Docker images were recently discovered and removed from Docker Hub because they had installed cryptocurrency miners on unwitting users’ servers. The question we all need to ask is: Do you know where your container images are coming from?

Traditional vulnerability management approaches don’t work for securing containers

To make matters more difficult, traditional vulnerability management approaches don’t work for securing containers. The average lifespan of a container is often measured in hours, so a scheduled scan that sweeps large IP ranges is unlikely to catch a given container while it is still running.

Then, if a scan does come across a running container, it’s difficult to assess because of the “just enough operating system” design principle. Many containers have no IP address reachable by the scanner and no SSH login to support a credentialed scan.

Finally, if you find a security issue in a container, you don’t just apply a patch to the running container to remediate the flaw. Instead, you shut the container down, fix the issue in the container image, and redeploy, as part of the immutable infrastructure mindset in which IT infrastructure is treated as code.

Three steps to mastering container security

While Docker containers have turned traditional vulnerability management on its head, there is a path forward. You can master container security by following three steps:

  1. Discover and secure container infrastructure. This includes detecting Docker in your environment, patching host and orchestration infrastructure and hardening services based on industry best practices.
  2. Shift left with security controls. Focus your security testing, policy assurance and remediation workflows on the development process before software is shipped into production to prevent vulnerabilities.
  3. Incorporate containers into your holistic Cyber Exposure program. Rather than relying on a point solution to secure a new type of computing asset, make sure your vulnerability management approach supports containers alongside other assets across your attack surface.
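Step 2 above means checking images before they ship, and the earlier question “Do you know where your container images are coming from?” is the first thing to check. As an added example, not Tenable's tooling or code from the original post, here is a small Go policy check: it parses each FROM instruction in a Dockerfile and flags images pulled from a registry outside an allow-list, images on a floating tag such as latest, and images not pinned by digest, while skipping scratch and references to earlier build stages. The policy values, the sample Dockerfile and its digest are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Policy holds an organisation's image-provenance rules. The values used
// below are assumptions for this example, not anyone's published policy.
type Policy struct {
	AllowedRegistries []string // registries images may be pulled from
	RequireDigest     bool     // every FROM must pin an @sha256: digest
}

// Finding is one violation, with the 1-based Dockerfile line it was found on.
type Finding struct {
	Line int
	Msg  string
}

// imageRef is a FROM reference split into its parts.
type imageRef struct {
	registry, name, tag, digest string
}

// parseRef splits "registry/name:tag@sha256:..." following Docker's rule:
// the first path component is a registry only if it contains '.' or ':' or
// is "localhost"; otherwise the image resolves to Docker Hub (docker.io).
func parseRef(ref string) imageRef {
	var r imageRef
	if i := strings.Index(ref, "@"); i >= 0 {
		r.digest, ref = ref[i+1:], ref[:i]
	}
	if parts := strings.SplitN(ref, "/", 2); len(parts) == 2 &&
		(strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		r.registry, ref = parts[0], parts[1]
	} else {
		r.registry = "docker.io"
	}
	if i := strings.LastIndex(ref, ":"); i >= 0 {
		r.tag, ref = ref[i+1:], ref[:i]
	}
	r.name = ref
	return r
}

// CheckDockerfile walks the FROM instructions and returns every policy
// violation. "FROM scratch" and references to earlier build stages
// (FROM <stage>) are not registry pulls and are skipped.
func CheckDockerfile(src string, p Policy) []Finding {
	var findings []Finding
	stages := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || !strings.EqualFold(f[0], "FROM") {
			continue
		}
		i := 1
		for i < len(f) && strings.HasPrefix(f[i], "--") { // e.g. --platform=...
			i++
		}
		if i >= len(f) {
			continue
		}
		ref := f[i]
		if len(f) > i+2 && strings.EqualFold(f[i+1], "AS") {
			stages[f[i+2]] = true
		}
		if ref == "scratch" || stages[ref] {
			continue
		}
		r := parseRef(ref)
		allowed := false
		for _, reg := range p.AllowedRegistries {
			if r.registry == reg {
				allowed = true
			}
		}
		if !allowed {
			findings = append(findings, Finding{n, fmt.Sprintf("%s: registry %q is not on the allow-list", ref, r.registry)})
		}
		if r.tag == "" || r.tag == "latest" {
			findings = append(findings, Finding{n, fmt.Sprintf("%s: floating tag; the image can change underneath you", ref)})
		}
		if p.RequireDigest && r.digest == "" {
			findings = append(findings, Finding{n, fmt.Sprintf("%s: not pinned by digest", ref)})
		}
	}
	return findings
}

// SampleDockerfile is constructed for this example; the digest is a dummy value.
const SampleDockerfile = `FROM --platform=linux/amd64 registry.internal.example/base/golang:1.22@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS builder
COPY . /src
RUN cd /src && go build -o /app ./...
FROM golang:latest
FROM docker.io/library/alpine:3.19
FROM builder
FROM scratch
COPY --from=builder /app /app
`

var SamplePolicy = Policy{AllowedRegistries: []string{"registry.internal.example"}, RequireDigest: true}

func main() {
	for _, f := range CheckDockerfile(SampleDockerfile, SamplePolicy) {
		fmt.Printf("line %d: %s\n", f.Line, f.Msg)
	}
}
```

Run against the sample, the check reports three findings for the golang:latest line and two for the alpine line, and nothing for the pinned internal image, the stage reference or scratch. A digest pin is what makes a later scan of the built image meaningful: with a floating tag, the image you scanned and the image that runs may not be the same bytes.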

Want to learn more about how to master these three steps? Check out Container Security Best Practices: A How-to Guide to start reaping the benefits.

Continuous Auditing – STAR Continuous – Increasing Trust and Integrity

By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance

As a Six Sigma Black Belt I was brought up over the years on the philosophy of continual monitoring and improvement, moving from a reactive state to a preventive state. In fact, I wrote a white paper a couple of years ago on how Six Sigma applies to security.

The basic premise is that it emphasizes early detection and prevention of problems rather than correcting them after they have occurred. It replaces point-in-time “inspection” with continuous monitoring and auditing. This approach essentially saved the automotive industry back in the 1980s.

This age-old and proven process is the best way I can describe what CSA has done with the launch of another step toward increasing transparency and assurance: continuous auditing.

Continuous auditing focuses on testing for the occurrence of a risk and the on-going effectiveness of a control. A framework and detailed procedures, along with technology, are key to enabling such an approach. Continuous auditing offers an enhanced way to understand risks and controls and improve on sampling from periodic reviews to ongoing testing.

STAR Continuous is a component of the CSA STAR Program that gives cloud service providers (CSP) the opportunity to integrate their approach to cloud security compliance and certification with additional capabilities to validate their security posture on an ongoing basis. Continuous auditing empowers an organization to make precise statements on the compliance status at any time over the whole time span in which the continuous audit process is executed, achieving an “always up-to-date” compliance status by increasing the frequency of the auditing process. 

Continuous auditing is not intended to replace traditional auditing, but rather is to be used as a tool to enhance audit effectiveness and increase transparency to stakeholders and interested parties.

STAR Continuous contains three models for continuous monitoring. Each of the three models provides a different level of assurance by covering requirements of continuous auditing with various levels of scrutiny. The three models are defined as:

1. Continuous self-assessment
2. Extended certification with continuous self-assessment
3. Continuous certification

chart showing levels of auditing

Essentially, the proposed framework starts from a simple process of timely submission of self-assessment compliance reports and moves up to continuous certification of the fulfillment of control objectives.

How does it help you as a cloud service provider?

• Provides top management with greater visibility, so that they can evaluate the effectiveness of their management system in real time against internal expectations, regulatory requirements and cloud security industry standards;

• Implements an audit designed to reflect how your organization’s objectives are aimed at optimizing its cloud services;

• Demonstrates progress and performance levels that go beyond the traditional “point in time” scenario; and

• For customers of cloud service providers, STAR Continuous will provide a greater understanding of the level of controls that are in place and their effectiveness.

CSA is committed to helping customers gain a deeper understanding of their security postures. Since the STAR Registry was launched in 2011 as the first step in improving transparency and assurance in the cloud, it has evolved into a program that encompasses the key principles of transparency, rigorous auditing, and harmonization of standards. Companies that use STAR demonstrate best practices and validate the security posture of their cloud offerings.

CSA STAR is recognized as the international, harmonized solution leading the way on trust for cloud providers, users and their stakeholders, providing an integrated, cost-effective solution that decreases complexity and increases assurance and transparency. It simultaneously enables organizations to secure their information, protect themselves from cyber threats, reduce risk and strengthen their information governance and privacy platform.

Want to find out more? Contact us at [email protected]

Are Cryptographic Keys Safe in the Cloud?

By Istvan Lam, CEO, Tresorit

encryption key inside the cloud

By migrating data to the cloud, businesses can enjoy scalability, ease of use, enhanced collaboration and mobility, together with significant cost savings. The cloud can be especially appealing to subject-matter experts as they no longer have to invest in building and maintaining their own infrastructure. However, the cloud also brings challenges when it comes to information security.

Because the cloud concentrates far more data than local storage does, it presents a bigger attack surface. The reward for getting into a cloud system is much higher than for getting into a local file server: the cloud stores the data of millions of companies, while a local server hosts the data of one company only. This makes the cloud a much more attractive target for attackers.

Maintaining data integrity and security is, therefore, a significant challenge for cloud-based services and is one of the key reasons holding companies back from moving to the cloud. That’s where encryption comes into the picture; it can play a key role in preserving the confidentiality and integrity of data stored in the cloud and significantly reduce the risk of a data breach.

Not all encryption is created equal

Most cloud providers offer some sort of data encryption and therefore claim that your data is safe in the cloud. However, it’s important to take a closer look at what exactly the provider is offering and how it stores the encryption keys. In order to ensure the confidentiality of your data, the system needs to be designed in a way that at no point can the cloud provider have access to it. This is called end-to-end encryption.

However, the vast majority of file sync and sharing services use only encryption in transit and at rest. Encryption in transit, or channel encryption, means that there is an encrypted channel between you and the server, but once the information leaves the channel it is decrypted. Hence, once your data arrives at the server, it can be accessible to a hacker or a rogue employee. In this case the encryption keys are negotiated between you and the server, which is good protection if, for example, you are uploading data over public Wi-Fi. When it comes to the security of your data on the server, however, it sits in a form the server can read, and anyone who compromises the server can read it too.

In the case of at-rest encryption, the cloud provider encrypts the file before storing it on its disks. However, the service provider also holds the encryption keys to your files. This means that its system administrators, and anyone who manages to break into its servers or simply gets hold of an administrator’s password, can access and read your files. This has already happened to a mainstream cloud service provider: attackers obtained and used an employee’s password to get into the provider’s corporate network and steal user credentials.

The confidentiality of your files can only be guaranteed if the cloud provider uses end-to-end encryption. With end-to-end encryption based on zero-knowledge authentication methods, all the encryption happens on your computer: neither your files nor your password leaves your device unencrypted. This means the admins who run the cloud cannot access the content of your files, and in the event of a breach of the provider’s servers your data would still be safe, since the attackers would have no means to decrypt it.

Therefore, to ensure the confidentiality of your files in the cloud, you should look for a cloud service provider which offers its customers the ability to manage key generation on the customer side. The right way to store the information in the cloud is by putting the client in control of both the key management and the encryption process. This is what ENISA, The European Union Agency for Network and Information Security, points out in its paper on Privacy and Security in Personal Data Clouds:

“To this end, the lack of implementation of client-side encryption is an additional security challenge, as this type of encryption is the only way to provide the user with true control over his/her data, while mitigating the risk of an unauthorised or unwanted access by third parties (such as a rogue administrator or government mass surveillance programs).”

To conclude, even if data stored by a cloud storage provider is encrypted, the type of encryption and the key management method are what matter. Not only your documents but also your keys have to be kept safe. Public key cryptography combined with a strong symmetric cipher is a standard, proven way to share documents with others without the storage provider or any third party ever having access to your files. Look for solutions that let you bring your own hardware keys, or that do not offer a password reset function, a good sign that the provider does not hold your keys. Only then can you be reassured that your files and your clients’ files are protected against data breaches.
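The conclusion above names the standard construction: a fresh symmetric key per file, wrapped with the recipient's public key, so the provider stores only ciphertext. As an added example (not Tresorit's code or protocol; the key sizes, the metadata label and the sample file are assumptions for the illustration), the Go program below builds that hybrid scheme with AES-256-GCM and RSA-OAEP from the standard library and then runs the three checks that matter: the recipient can decrypt, a provider holding only the stored blob and its own server key cannot, and any tampering with the stored bytes is detected rather than silently producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Blob is everything the storage provider receives and keeps. Nothing in it
// lets the provider, or whoever copies its disks, recover the plaintext.
type Blob struct {
	Nonce      []byte // 12-byte AES-GCM nonce
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
	WrappedKey []byte // the file key, RSA-OAEP encrypted to the recipient's public key
}

// GenerateIdentity creates a user's key pair. In a real client this runs on
// the device and the private half never leaves it. 2048 bits keeps it fast.
func GenerateIdentity() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForRecipient runs on the sender's device: draw a fresh 256-bit file
// key, encrypt the file with AES-GCM, then wrap the file key to the
// recipient's public key. meta (e.g. a file path) is authenticated but not
// encrypted, so altering it is detected on decryption.
func EncryptForRecipient(recipient *rsa.PublicKey, plaintext, meta []byte) (*Blob, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // a fresh key per file, so a random nonce is safe
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, fileKey, meta)
	if err != nil {
		return nil, err
	}
	return &Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, meta), WrappedKey: wrapped}, nil
}

// Decrypt runs on the recipient's device with the private key held there.
// Any other key, or any modified byte of the blob, yields an error.
func Decrypt(priv *rsa.PrivateKey, b *Blob, meta []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, meta)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, meta)
}

// Tampered returns a copy of the blob with one ciphertext byte flipped, as a
// malicious administrator or a corrupted disk would alter stored data.
func Tampered(b *Blob) *Blob {
	ct := append([]byte(nil), b.Ciphertext...)
	ct[0] ^= 0x01
	return &Blob{Nonce: b.Nonce, Ciphertext: ct, WrappedKey: b.WrappedKey}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := GenerateIdentity()    // recipient; keys generated on her device
	provider, _ := GenerateIdentity() // the storage provider's own server key
	meta := []byte("reports/q3.xlsx") // constructed sample metadata
	blob, err := EncryptForRecipient(&alice.PublicKey, []byte("board pack, confidential"), meta)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(alice, blob, meta)
	fmt.Printf("recipient: %q err=%v\n", pt, err)
	_, err = Decrypt(provider, blob, meta)
	fmt.Println("provider with its own key:", err)
	_, err = Decrypt(alice, Tampered(blob), meta)
	fmt.Println("recipient, tampered blob:", err)
}
```

Sharing a file with a second person is just a second wrapped copy of the same file key under that person's public key; the ciphertext is not re-encrypted. What this sketch leaves out, and what a real client must get right, is protecting the private key at rest on the device, typically under a key derived from the user's password, which is why the article's point that the password never leaves the device matters.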

Webinar: The Ever Changing Paradigm of Trust in the Cloud

By CSA Staff

abstract line connection on night city background implying cloud computing

The CSA closed its 10th annual Summit at RSA on Monday, and the consensus was that the cloud has come to dominate the technology landscape and revolutionize the market, creating a tectonic shift in accepted practice.

The advent of the cloud has been a huge advancement in technology. Today’s need for flexible access has led to an increase in business demand for cloud computing, bringing with it increased security and privacy concerns. How organizations evaluate Cloud Service Providers (CSPs) has become key to providing increased levels of assurance and transparency.

On Thursday, March 14 at 2 pm ET, John DiMaria, Cloud Security Alliance’s Assurance Investigatory Fellow and one of the key innovators in the evolution of CSA STAR, will share his insight on the:

  • current global landscape of cloud computing,
  • ongoing concerns regarding the cloud, and the
  • evolution of efforts to answer to the demand for higher transparency and assurance.

Join John DiMaria as he reviews the efforts being led by CSA to answer this call. You’ll walk away with a deeper understanding of how these efforts are aimed at helping organizations optimize processes, reduce costs, and decrease risk while simultaneously meeting the continuing rigorous international demands on cloud services allowing for the highest level of assurance and transparency.

Register today.

CSA Summit Recap Part 2: CSP & CISO Perspective

By Elisa Morrison, Marketing Intern, Cloud Security Alliance

When CSA was started in 2009, Uber was just a German word for ‘super’ and all CSA stood for was Community Supported Agriculture. Now, in 2019, spending on cloud infrastructure has finally exceeded spending on on-premises infrastructure, and CSA is celebrating its 10th anniversary. For those who missed the Summit, this is CSA Summit Recap Part 2, highlighting key takeaways from sessions geared towards CSPs and CISOs.

Can you trust your eyes? Context as the basis for “Zero Trust” systems – Jason Garbis

During this session, Jason Garbis identified three steps towards implementing Zero Trust: reducing attack surfaces, securing access, and neutralizing adversaries. He also addressed how to adopt modern security architecture to make intelligent actions for trust. In implementing Zero Trust, Garbis highlighted the need for:

  • Authentication. From passwords to biometrics to tokens. That said, authentication alone is not sufficient for adequate security; as he warned, it comes too late in the process.
  • Network technology changes. Firewall technology is too coarse (an IP address, for example, is shared across multiple people), and the only decision it can make is yes-or-no access. That is not Zero Trust. Better security decisions are based on the role or person and on the definition of the data, drawing on many attributes rather than an address.
  • Access control requirements. Requirements need to adjust dynamically based on context. Where possible, organizations should look for a unified solution via a Software-Defined Perimeter.

Securing Your IT Transformation to the Cloud – Jay Chaudhry, Bob Varnadoe, and Tom Filip

Every CEO wants to embrace the cloud, but how can you do it securely? The old world was network-centric, and the data center was the center of the universe; we could build a moat around the network with firewalls and proxies. The new world is user-centric, and network control is fluid. The network is decoupled from security, and we rely on policy-based access, as depicted in the slide below.

Slide: Old World vs New World

To address this challenge, organizations need to view security with a clean slate. Applications and the network must be decoupled. More cloud traffic is encrypted, which also gives malicious users a way in, so proxies and firewalls should be used to inspect that traffic.

Ten Years in the Cloud – PANEL

The responsibility to protect consumers and the enterprise has expanded dramatically. Meanwhile, the role of the CISO is changing, with responsibilities that now include both users and the company. CISOs are faced with challenges as legacy tools don’t always translate to the cloud. There is now also a need to tie the value of the security program to the business, and the function of security has changed, especially in its supporting role. In light of these changes, the panel drew out the following five themes in its discussion of lessons learned in the past 10 years of cloud.

  1. Identity as the new perimeter. How do we identify people are who they say they are?
  2. DevOps as critical for security. DevOps allows security to be embedded into the app, but it is also a risk since there is faster implementation and more developers.
  3. Ensuring that security is truly embedded in the code. Iterations in real-time require codified security.
  4. Threat and data privacy regulations. This is on the legislative to-do list for many states; comparable to the interest that privacy has in financial services and health care information.
  5. Security industry as a whole is failing us all. It is not solving problems in real-time; as software becomes more complex it poses security problems. Tools are multiplying but they do not address the overall security environment. Because of this, there’s a need for an orchestrated set of tools.

Finally! Cloud Security for Unmanaged Devices… for All Apps – Nico Popp

Now we have entered the gateway wars: Web vs. CASB vs. SDP. Whoever wins, the problem of BYOD and unmanaged devices remains, along with the issue that we can’t secure end users’ mobile devices. As it stands, mirror gateway and forward proxy technologies solve the sins of the “reverse proxy” and have become indispensable blades. A forward proxy is the solution for all apps when you can manage the endpoint, and a mirror gateway can be used for all users, all endpoints and all sanctioned apps.

Lessons from the Cloud – David Cass

Cloud is a means to an end … and the end requires organizations to truly transform. This is especially important as regulators expect a high level of control in a cloud environment. Below are the key takeaways presented:

  • Cloud impacts the strategy and governance from the strategy, to controls, to monitoring, measuring, and managing information all the way to external communications.
  • The enterprise cloud requires a programmatic approach with data as the center of the universe and native controls only get you so far. Cloud is a journey, not just a change in technology.
  • Developing a cloud security strategy requires taking into account service consumption, IaaS, PaaS, and SaaS. It is also important to keep in mind that cloud is not just an IT initiative.

Security Re-Defined – Jason Clark and Bob Schuetter

This session examined how Valvoline went to the cloud to transform its security program and accelerate its digital transformation. When Valvoline was split off in an IPO, creating two global multi-billion-dollar startups, neither had a data center. Data was flowing like water, complexity and control created friction, and there was a lack of visibility.

Slide: Digital transformation

They viewed cloud as security’s new north star and said ‘The Fourth Industrial Revolution’ was moving to the cloud. So how did they get there? These are the five lessons they shared:

  1. Stop technical debt
  2. Go where your data is going
  3. Think big, move fast, and start small
  4. Organizational structure, training, and mindset
  5. Use the power of new analytics

Blockchain Demo

Slide: A simple claim example

Inspired by the cryptocurrency model, OpenCPEs is a way to revolutionize how security professionals measure their professional development experiences.

OpenCPEs provides a method of validating experiences listed on your resume without maintaining or storing an individual’s personal data. Learn more about this project by downloading the presentation slides.

The full slides to the summit presentations are available for download.

CSA Summit Recap Part 1: Enterprise Perspective

By Elisa Morrison, Marketing Intern, Cloud Security Alliance

CSA’s 10th anniversary, coupled with the bestowal of the Decade of Excellence Awards gave a sense of accomplishment to this Summit that bodes well yet also challenges the CSA community to continue its pursuit of excellence.

The common theme was the ‘Journey to the Cloud’ and emphasized how organizations can not only go faster but also reduce costs during this journey. The Summit this year also touched on the future of privacy, disruptive technologies, and introduced CSA’s newest initiatives in Blockchain, IoT and the launch of the STAR Continuous auditing program. Part 1 of this CSA Summit Recap highlights sessions from the Summit geared toward the enterprise perspective.

Securing Your IT Transformation to the Cloud – Jay Chaudhry, Bob Varnadoe, and Tom Filip

Slide: Network security is becoming irrelevant

Every CEO wants to embrace the cloud, but how to do it securely? To answer this question the trio looked at the journeys other companies such as Kellogg and NCR took to the cloud. In Kellogg’s case they found that, when it comes to your transformation, single-tenant VMs won’t cut it. They also raised the question of the ineffectiveness of services such as hybrid security: why pay the tax for services not used?

For NCR, the major themes were how to streamline connectivity and access to cloud services. The big question was how end users access NCR data in a secure environment. They found that applications and the network must be decoupled. And while more cloud traffic is encrypted, that encryption offers another way for malicious users to get in, so their solution was to use proxies and firewalls to inspect traffic.

The Future of Privacy: Futile or Pretty Good? – Jon Callas

ACLU technology fellow Jon Callas brought to light the false dichotomy we see when discussing privacy. It is easy to be nihilistic about privacy, but positives are out there as well.

There is movement in the right direction that we can already see; examples include GDPR, the California privacy law, the Illinois biometric privacy law, and the Carpenter, Riley, and Oakland Magistrate decisions. Precedent is also being set for laws that give consumers more privacy. For organizations, privacy has become a focus of competition, and companies such as Apple, Google, and Microsoft all compete on it. Encryption in protocols such as TLS and DNS is also becoming a reality. Other positive trends include default encryption, and the fact that disasters are documented, reported on, and treated as a concern.

Unfortunately, there has also been movement in the wrong direction. There is a balancing act between the design for security versus design for surveillance. The surveillance economy is increasing, and too many platforms and devices are now collecting data and selling it. Lastly, government arrogance and the overreach to legislate surveillance over security is an issue.

All in all, Callas summarized that the future is neither futile nor pretty good and it’s necessary to balance both moving forward.

From GDPR to California Privacy – Kevin Kiley

Slide: Steps to better vendor risk management

This session touched on third-party breaches, regulatory liability, the need for strong data processing controls appropriate to scope, and how to comply with GDPR and CCPA. Kiley identified the need for a holistic approach with more detailed vendor vetting requirements, and outlined five areas organizations should improve to better their vendor risk management.

  1. Onboarding. Who’s doing the work for procurement, privacy, or security?
  2. Populating & Triaging. Leverage templated vendor evaluation assessments and populate with granular details.
  3. Documentation and demonstration
  4. Monitoring vendors
  5. Offboarding

Building an Award-Winning Cloud Security Program – Pete Chronis and Keith Anderson

This session covered key lessons learned as Turner built its award-winning cloud security program. One constant challenge Turner faced was the tension between speed to market and the security program. To improve the program, Turner adopted continuous compliance measurement, using open-source tooling for cloud-plane assessment. They also ensured each user attestation was signed by both the executive and technical owners. For accounts, they implemented intrusion prevention, detection and security monitoring. They learned to define what good looks like, and developed a lexicon and definitions for security. It was emphasized that organizations should always be iterating from new to good to better. Lastly, when building your cloud security program, they stressed that not all things need to be secured the same way and not all data needs the same level of security.

Case Study: Behind the Scenes of MGM Resorts’ Digital Transformation – Rajiv Gupta and Scott Howitt

MGM’s global user base meant they wanted to expand functions to guest services, check-in volume management and find a way of bringing new sites online faster. To accomplish this, MGM embarked on a cloud journey. Their journey was broken into business requirements (innovation velocity and M&A agility) along with necessary security requirements (dealing with sensitive data, the need to enable employees to move faster, and the ability to deploy a security platform).

Slide: Where is your sensitive data in the cloud?

As they described MGM’s digital transformation, the question was raised: where is sensitive data stored in the cloud? An emerging issue that continues to come up is API management. Eighty-seven percent of companies permit employees to use unmanaged devices to access business apps, and the BYOD policy is often left unmanaged or unenforced. The session also noted that, in an average organization, 14 misconfigured IaaS services are running at any given time and 1,527 DLP incidents occur in PaaS/IaaS each month.

To address these challenges, organizations need to consider the relations between devices, network and the cloud. The session ended with three main points to keep in mind during your organization’s cloud journey. 1) Focus on your data. 2) Apply controls pertinent to your data. 3) Take a platform approach to your cloud security needs.

Taking Control of IoT – Hillary Baron

image of IoT connected devices overlayed on a cityscape

There is a gap in the security controls framework for IoT. With the landscape changing at a rapid pace and more than 20 billion IoT devices expected by 2020, the need is great. Added to that is the fact that IoT manufacturers typically do not build security into devices; hence the need for the security controls framework. You can learn more about the framework and its accompanying guidebook covered in this session here.

Panel – The Approaching Decade of Disruptive Technologies

While buzzwords can mean different things to different organizations, organizations should still implement processes among new and emerging technologies such as AI, Machine Learning, and Blockchain, and be conscious of what is implemented.

This session spent much of its time examining Zero Trust. The security perimeter now sits in different places, and it is challenging to find the best place to establish it. It can no longer be a fixed point but must flex with the mobility of users; mobile phones, for example, require very flexible boundaries. Zero Trust can help address these issues, and it is BYOD-friendly. Challenges remain, but Web Authentication (WebAuthn) helps as a standard for Zero Trust.

Cloud has revolutionized security in the past decade. With cloud you inherit security, and with it the idea of a simple system has gone out the window. One of the key questions asked was “Why are we not learning the security lessons from the cloud?” The answer: because the number of developers grows exponentially with each new technology.

The key takeaway: Don’t assume your industry is different. Realize that others have faced these threats and have come up with successful treatment methodologies when approaching disruptive technologies.

CISO Guide to Surviving an Enterprise Cloud Journey – Andy Kirkland, Starbucks

Five years ago, Andy Kirkland, Director of Information and Security for Starbucks, advised against going to the cloud, out of caution. Since then, Starbucks has migrated to the cloud and learned a lot along the way. Below is an outline of Starbucks’ survival tips for organizations that want to survive a cloud journey:

  • Establish workload definitions to understand criteria
  • Utilize standardized controls across the enterprise
  • Provide security training for the technologist
  • Have a security incident triage tailored to your cloud provider
  • Establish visibility into cloud security control effectiveness
  • Define the security champion process to allow for security to scale

PANEL – CISO Counterpoint

In this keynote panel, leading CISOs discussed their cloud adoption experiences for enterprise applications. Jerry Archer, CSO for Sallie Mae, described their cloud adoption journey as “nibbling our way to success.” They started by putting small things into the cloud. By keeping up constant conversations with regulators, there were no surprises during the migration. Now, they have no physical infrastructure remaining. Other takeaways were that in 2019 containers have evolved and we now see ember security, arbitrage workloads, and RAIN (Refracting Artificial Intelligence Networks).

Download the full summit presentation slides here.