January 20, 2015
By Christopher Hines, Product Marketing Manager, Bitglass
Encryption has gotten some much-needed attention over the past few weeks. With the release of a secret US security report unveiling the importance of encryption and how in 2009 private computers were vulnerable to attacks from cyber criminal gangs operating in Russia and China, plus David Cameron’s anti-encryption angle that he hopes to use to influence Obama, the topic is certainly worthy of discussion.
I know some of you may be looking at “2009” and thinking “Chris, it’s 2015 get with it” but the fact is, encryption is even more valuable and necessary than ever. Since 2009, cloud app usage (think Salesforce) and BYOD has expanded significantly. 60% of organizations now utilize cloud apps. Since data now resides outside of corporate firewalls, companies need ways of encrypting their data, making sure that the growing number of cyber-criminal gangs in Russia and China don’t get their hands on it. But what’s the truth about encryption? And how do you know if it truly is as strong as you might think?
Encryption has two main components. The first part is the cipher. This is the piece that transforms human-readable text into something unreadable (ciphertext). It’s the piece you probably think of the most, i.e. turning “Chris” into “WxoPNHz.” The second piece (the piece often overlooked) is called the Initialization Vector. This piece is an unpredictable random number that ensures that encrypting the same message repeatedly will yield different ciphertexts each time. To ensure sufficient randomness, the length of the Initialization Vector should be the same number of bits as the cipher.
To clarify: a lot of vendors promote AES-256 bit encryption, and I am sure a lot of you are reading this now and saying “yes, this is exactly what my vendor says they provide” (think of the biggest vendors in the encryption space; I promise that by the end of this blog you’ll have some questions for them). For the less encryption-inclined, AES-256 bit encryption is the de facto standard for strong encryption in the enterprise. It implies that there are billions of combinations that can be made for each piece of plain text (regular name, credit card number, SSN etc.) and that the chance of cyber criminals breaking the encryption is close to impossible. That would be true, if it were actually what some of the world’s biggest encryption vendors provided. But, unfortunately, there’s a good chance that your cloud encryption vendor has you duped.
Remember how I mentioned before that the initialization vectors were crucial? In order to make data searchable once encrypted and placed in the cloud (think Salesforce encryption), vendors have actually begun cutting down on the number of initialization vectors used in their products. This means that instead of the billions of combinations companies think they are purchasing, they are actually only getting 1 million in some cases. This is a HUGE difference! 1 million combinations is insanely less secure than multiple billions of combinations. Put differently, that 256 bit encryption turns into 20 bits. And at 20 bits, you might as well keep your money in your pocket because it’s just as useful as having no encryption at all.
So that’s the truth. Don’t be fooled by vendors claiming to have true AES-256 bit encryption. Yes, their cipher will be on point, but the initialization vectors are also crucial. Limiting the number of these vectors to preserve cloud app operations like search changes your 256 bit super encryption into a puny 20 bit encryption. Reach out to your encryption vendor now and ask them about their vectors, and don’t be surprised if you hear something you don’t like.
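As an added illustration (example code written for this page, not from the post or from any vendor), the toy scheme below uses an HMAC-SHA256 keystream in place of AES and shows what shrinking the IV space does to a 256-bit key: with a full random IV, repeated encryptions of the same value never repeat; with the IV restricted to a handful of values, or to a single value, equal plaintexts produce equal ciphertexts. That equality is what lets a cloud app search over ciphertext, and it is also what anyone holding the stored ciphertexts can see without the key. The key, IV sizes and sample values are constructed for the demo.

```python
import hashlib
import hmac
import math
import os

IV_LEN = 16  # bytes; constructed demo parameter


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy PRF keystream: HMAC-SHA256(key, iv || counter), block by block.
    Stands in for a real cipher so the example runs with the standard library only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Ciphertext = IV || (plaintext XOR keystream). The IV travels in the clear."""
    ks = keystream(key, iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    ks = keystream(key, iv, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def random_iv() -> bytes:
    """Full-size unpredictable IV: the behaviour the post says you should get."""
    return os.urandom(IV_LEN)


def small_space_iv(bits: int) -> bytes:
    """IV drawn from only 2**bits distinct values (hypothetical 'searchable' scheme).
    bits=0 means a single fixed IV, i.e. fully deterministic encryption."""
    n = int.from_bytes(os.urandom(4), "big") % (1 << bits)
    return n.to_bytes(IV_LEN, "big")


def distinct_ciphertexts(key: bytes, plaintext: bytes, iv_fn, trials: int) -> int:
    """How many different ciphertexts does the same plaintext yield in `trials` encryptions?
    With a small IV space this is capped at the size of that space, whatever the key length."""
    return len({encrypt(key, iv_fn(), plaintext) for _ in range(trials)})


def matches_without_key(stored: bytes, query: bytes) -> bool:
    """The 'search' a cloud app performs over ciphertext: plain equality, no key needed.
    Exactly the comparison an outsider holding the ciphertexts can also make."""
    return stored == query


def iv_space_bits(distinct_ivs: int) -> int:
    """Number of bits of IV actually in use for a given count of distinct IVs (2**20 ~ 1 million)."""
    return math.ceil(math.log2(distinct_ivs))


if __name__ == "__main__":
    key = os.urandom(32)  # 256-bit key, constructed for the demo
    name = b"Chris"
    print("random IV, 50 encryptions ->", distinct_ciphertexts(key, name, random_iv, 50), "distinct")
    print("2-bit IV space, 200 encryptions ->",
          distinct_ciphertexts(key, name, lambda: small_space_iv(2), 200), "distinct")
    print("single fixed IV, 50 encryptions ->",
          distinct_ciphertexts(key, name, lambda: small_space_iv(0), 50), "distinct")
    fixed = small_space_iv(0)
    print("equality visible without key:",
          matches_without_key(encrypt(key, fixed, name), encrypt(key, fixed, name)))
    print("1,000,000 IVs ~", iv_space_bits(1_000_000), "bits")
```

The counts printed by the deterministic cases do not improve if you swap the toy keystream for AES: the cap on distinct ciphertexts comes from the IV space, not the cipher.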
January 12, 2015
Security and Skills Gap Hold Back Cloud Projects While Shadow IT Grows
By Cameron Coles, Sr. Product Marketing Manager, Skyhigh
A recent Cloud Security Alliance & Skyhigh survey shows that while security and skills gaps remain significant barriers to corporate-sanctioned cloud projects, end users are pushing IT departments to provide more cloud applications, faster than ever. The survey of 212 IT and security professionals looked at the state of cloud adoption – both sanctioned and shadow IT – and asked respondents how their organizations approach security, spending on cloud versus on-premise technology, and governance of data. The results show that while 33% of companies have a “full steam ahead” attitude toward cloud adoption, security concerns continue to hold back formal cloud projects. And, the concern about security has reached well beyond IT to the executive suite and boardroom.
The top barrier to cloud projects continues to be the security of data, with 73% of respondents indicating it was holding back cloud projects. Another significant barrier is a lack of knowledge and experience on the part of IT and business managers. This cloud skills gap held back cloud projects for 37% of companies in Europe and 29% of companies in the Americas. One explanation is that IT personnel are also focused on maintaining legacy on-premise infrastructure, and don’t have room to invest in the skills and resources needed for the cloud era.
Of course, employees are adopting cloud services unknown to IT and are not necessarily worried about the security of company data. Skyhigh’s Cloud Adoption and Risk Report shows that the scope of shadow IT can be 10 times greater than what IT is aware of. For most companies today, shadow IT is unknown and unmanaged. The overwhelming majority of respondents – 72 percent – said they did not know the scope of shadow IT at their companies but wanted to know. At companies with more than 5,000 employees the number grows to 80 percent. That makes free offerings like Skyhigh’s Cloud Audit that discover all cloud apps in use across an organization and provide a risk assessment of these apps so valuable.
Perhaps due to the flood of recent high-profile data breaches, including the attack on Target that led to a 46 percent drop in the company’s quarterly profit and the resignation of its CIO and CEO, the security of company data has spread far beyond the IT department. Cloud security is now an executive-level and board-level concern for 61% of companies. That interest is driving increased oversight over how companies govern their data, which will ultimately benefit everyone, although in the short term it means IT teams are looking for help with presenting their company’s security posture in terms that make sense to non-technical board members.
Despite, or perhaps because of, barriers to cloud projects, rank-and-file employees are taking an active role advocating for the cloud apps and devices they’ve come to expect in their personal lives. Among IT professionals, 79% receive requests for new cloud apps each month from end users. Highlighting the disconnect between sober IT departments and eager employees, 49% of IT professionals said they had felt pressured to approve an app they felt did not meet the company’s security requirements. The most requested categories of services include File Sharing and Collaboration (e.g. Box, Dropbox, Google Docs, OneDrive), followed by Communication (e.g. HipChat, Skype, WebEx, Yammer) and Social Media (e.g. Facebook, LinkedIn, Twitter).
One of the most surprising findings is that companies that are best positioned to adopt the cloud securely – because they have more mature governance programs – are, somewhat paradoxically, slower to adopt the cloud. Companies with more than 5,000 employees are more likely to have a cloud governance committee (34.8% versus 12.0%), have a policy on acceptable cloud usage (60.9% versus 44.8%), and have a security awareness training program (26.1% versus 20.3%) compared to companies with fewer than 5,000 employees. However, only 36.2% of them spend more than 20% of the IT budget on cloud services, compared with 49.0% of companies with fewer than 5,000 employees.
When it comes to enforcing these cloud policies, such as which employees are allowed to access what cloud services and where sensitive data can be uploaded, companies across the board prefer to use their firewall and proxy infrastructure versus rolling out device agents to employee devices. For all companies, 65% prefer to use their firewalls and 63% prefer to use their proxy. For companies with more than 5,000 employees, a whopping 95% of companies prefer to use their firewall or proxy versus leveraging device agents.
To read all of the findings in the CSA Cloud Adoption Practices & Priorities survey, download the full report.
January 8, 2015
By Krishna Narayanaswamy, Chief Scientist, Netskope
We are excited to announce the release of the January Netskope Cloud Report today. In it, we have our standard stuff – the latest cloud adoption numbers (this quarter, we report an average of 613 cloud apps per enterprise), as well as observed aggregate activities in our Active Platform, including which activities (such as “edit,” “share,” and “download”) constitute the highest number of policy violations and across what app categories.
Every quarter we focus more deeply on one area of cloud security, and this quarter we reveal early findings from research we have been conducting around compromised account credentials. We have noticed that a growing number of enterprise cloud users are logging into their cloud apps using login names and passwords that have been stolen as part of a data hack or exposure. Based on our research, we estimate that 15 percent of users have had their account credentials compromised.
Given that many people (as many as half, or even more in some reports) reuse their passwords for multiple accounts, and a high number of your enterprise users log into your popular cloud-based apps like Salesforce, Box, Dropbox, Concur, and WebEx, chances are your most business-critical apps are being accessed with compromised credentials. Even if you’re diligent about protecting those apps, you may not be able to detect the access.
There’s another related risk: While conscientious IT professionals have taken steps to protect their sanctioned corporate apps, many haven’t done anything to protect unsanctioned, departmental apps, some of which are highly used and important to the business. Based on our aggregated, anonymized data, we estimate that at least 13.5 percent of organizations’ apps are at the intersection of unsanctioned and business-critical. Those apps are usually not protected by single sign-on, nor is multi-factor authentication enforced in them, and they are at risk of being accessed by users with compromised credentials.
January 6, 2015
By Krishna Narayanaswamy, Chief Scientist, Netskope
We are excited to announce the availability of “Cloud Security for Dummies,” a book that my co-founders and fellow chief architects and I collaborated on based on our interactions with the most forward-thinking CIOs, CISOs, and cloud architects from around the globe and virtually every industry. In the book, we compile the best recommendations and advice from this group of experts.
The book is full of advice ranging from how to think about cloud compliance to implementing a cloud policy to getting users on board with cloud security. Below is a summary of our must-haves for ensuring a safe transition to the cloud.
- Discover apps. Discover the apps in your environment and assess their risk — both inherent and in the context of how they’re used.
- Segment apps. Segment your apps by whether they’re sanctioned (managed by IT) or unsanctioned (brought in by departments or by individual users).
- Secure access. Secure access to your sanctioned and ideally unsanctioned business apps, with single sign-on (SSO).
- Audit activities. Understand user activity and its context. Who’s downloading from HR apps? Who’s sharing content outside the company, and with whom?
- Understand content. Understand and classify sensitive content residing in, or traveling to or from, your cloud apps.
- Detect anomalies. Monitor cloud apps for anomalous activity that could signal compromised credentials, security threats, noncompliant behavior, data theft or exposure, and even malware.
- Enforce granular policies. Define granular policies that are enforceable in real-time, across both sanctioned and unsanctioned apps, regardless of whether users are on-network or remote, and whether in a web-based or native cloud app.
- Protect data in context. Have a data protection strategy. For highly sensitive content that can’t be in the cloud at all, define policies that prevent it from being uploaded to any cloud app. For the next tier of content that can reside in the cloud, apply the appropriate level of security policy. This may include encrypting data before it reaches the cloud and/or limiting sharing options based on device, instance, or location.
- Ensure compliance. Ensure regulatory compliance with continuous cloud monitoring, maintenance and review of cloud audit trails, remediation, and reporting.
- Coach users. Coach users both through conversations and in an automated way. Let them know when they’ve done something that’s out of compliance (ideally in real-time, as the action is occurring), whether you block them, let them report a false positive, or let them bypass the policy with a justification.
You can get your complimentary copy of the book here. We hope you find it useful as you consider your safe cloud enablement strategy.
December 9, 2014
By Mike Pav, VP of Engineering, Spanning by EMC
We all know cloud adoption is rampant, even though cloud security remains a big concern; a recent study from CloudEntr showed that 89% of IT pros said they were worried about cloud security. While IT admins are busy ensuring compliance for sanctioned IT, shadow IT runs rampant, causing headaches they don’t even know they have. Because of this, the word “audit” often brings to mind the onerous thudding of storm troopers marching in. A heavy weight settles into the stomach as blood pressure spikes with a sharp intake of breath.
But what if you could approach an audit with zen-like calm? Good news: it’s possible. It’s all about creating an audit-friendly culture within your company such that an auditor could walk in any time and you’d get a clean bill of health. Here’s how to do it:
- Understand the alphabet soup of regulations and frameworks. Which ones apply to your organization? What controls apply to you? The Cloud Security Alliance offers a Cloud Controls Matrix (CCM) that is a great place to get started.
- Embrace Shadow IT. Accept that shadow IT will exist whether you like it or not, and take the necessary steps to ensure that what you don’t know doesn’t hurt you the next time a compliance audit comes your way. First, you need to discover what rogue apps are being used to store or transmit company data. Then, you need to analyze each one for risk by evaluating the SaaS vendor using tools like the Cloud Controls Matrix or Skyhigh Networks’ risk assessment. Finally, you can either take the appropriate measures to secure these apps or find an alternative that satisfies the employees’ needs in terms of productivity and the company’s needs in terms of compliance.
- Build compliance into your company’s DNA. If we may modify the old saying a bit, live each day like it’s your last before the auditor arrives. Educate your entire staff about how using shadow IT might harm the well-being of the company, and build in audit-proofing as you create or revise processes.
- Move to the cloud – with your eyes wide open. Cloud providers have already done a lot of the security work for you, so they’ll have built-in protection better (and cheaper) than any you could build yourself in-house. But it’s important to understand what they have covered and what blanks are left for you to fill in. Before signing up for cloud services, put the provider through their paces in terms of security, and make sure that the security evaluation is SaaS-specific and not just reusing your on-premises checklist.
If you want to greet your next audit feeling calm and secure, we invite you to join CSA’s Jim Reavis, Harold Byun of Skyhigh Networks and me, Mike Pav of Spanning to explore these issues more in-depth at our upcoming webinar “Cloud Security: 3 Ways to Embrace and Ace Your Compliance Audits” on Thursday, December 11 at 10:00am CT. Click here to register now.
December 4, 2014
By Jim Reavis, Executive Director CSA (Twitter @jimreavis); Brian Honan, President CSA Chapter Ireland (Twitter @BrianHonan); and Raj Samani, Chief Innovation Officer CSA & EMEA CTO Intel Security (Twitter @Raj_Samani)
We are pleased to announce the availability of “CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security.” The first of its kind for the CSA, this book aims to incorporate as much of the excellent research conducted by the CSA community as possible into one single publication. Not only does it incorporate research from within the CSA community, but also the latest information from across the industry relating to threats and to the measures that can be used to protect those using or considering using the cloud.
In 2014, we witnessed a number of attacks that led to headlines declaring that the cloud is not a safe platform to host data. The reality is that such a conclusion is not so binary; therefore, this publication aims to dispel some of these myths and provides real, practical information on how someone can leverage a Cloud Service Provider, whilst managing the risk to a level that they and their customers would be comfortable with.
So what does the book entail?
The following defines how the book is structured:
- Chapter One: We start with a view into what the cloud actually is, the various models, and also consider the benefits and role it plays within the internet economy.
- Chapter Two: A practical guide into how to select and engage with a Cloud Service Provider, this looks at the available mechanisms to measure the security deployed by prospective providers.
- Chapter Three: A view into the top threats to cloud computing that will include references to CSA research as well as third parties that have evaluated the threat landscape.
- Chapter Four: Analysis into the top threats associated with mobile computing for the cloud.
- Chapter Five: Building security into the cloud – Following two chapters considering the threats to cloud computing, we will turn our focus to the steps that end customers need to consider in order to make the move to the cloud.
- Chapter Six: Certification standards for cloud computing – Whilst the previous chapter presents the security controls to mitigate the threat, the reality is that for many end customers their ability to influence the security measures will be limited. Indeed, even the level of transparency into the controls deployed will be limited. This is why cloud certifications will be so important: they are used more and more as the vehicle to provide assurance to potential customers regarding the security deployed by providers.
- Chapter Seven: The Privacy imperative – The discussion about privacy associated within the cloud is one of the most contentious issues within technology. This chapter will consider the overall debate, and provide mechanisms for both providers, and end customers to address many of these concerns.
- Chapter Eight: CSA Research topics – As mentioned earlier, our intention is to provide a singular reference for all CSA research. This chapter will provide the reader with an overview of the various working groups within the CSA, and details of their current findings.
- Chapter Nine: Dark Clouds, managing security incidents in the cloud – With corporate resources now stored, and managed (to some extent) by third parties, the need to have a strong security incident management policy is imperative. This chapter will recommend the steps required to address the fundamental question; what happens when something does go wrong?
- Chapter Ten: The Future Cloud – Cloud computing is evolving, and this chapter considers its role within critical national infrastructure, as well what will be required to secure such critical assets. It is intended to provide a view into the components required to secure the cloud of tomorrow.
We hope you enjoy the book and find the information it contains useful in your journey into the cloud.
The CSA Guide to Cloud Computing is available in Paperback and Kindle versions and can be found here on Amazon.
December 2, 2014
Update: The final document regarding the right to be forgotten has been published. A new article, which goes more in depth, and analyzes the details of the Guidelines published by the Article 29 Working Party is available here: http://itlawgroup.com/resources/articles/237-right-to-be-forgotten-guidelines-casting-a-wider-net
The following blog excerpt on “Right to Be Forgotten: Guidelines from WP29” was written by the external legal counsel of the CSA, Ms. Francoise Gilbert of the IT Law Group. We repost it here with her permission. It can be viewed in its original form at: http://www.francoisegilbert.com/2014/11/right-to-be-forgotten-guidelines-from-wp29/
The Article 29 Working Party (WP29) has adopted Right to Be Forgotten Guidelines, to help Data Protection Authorities in the implementation of the May 13, 2014 judgment of the Court of Justice of European Union (CJEU) in the case Google Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez (C-131/12) (“Google Spain”). The WP 29 Guidelines provide the WP29’s view on the interpretation of the CJEU’s ruling, and identify the criteria that will be used by the data protection authorities when addressing complaints.
November 26, 2014
By Yorgen Edholm, CEO, Accellion
The mobile revolution, while firmly embedded in the consumer world, is now beginning to hit its stride in the enterprise world. This can be seen in the recent announcement from Apple and IBM, whose strategic alliance to develop joint solutions leveraging Apple devices and IBM software is an important next step for how enterprises consider mobile technology.
Ginni Rometty, IBM’s CEO, described the partnership as combining two complementary sets of assets, stating that IBM has the big data, the analytics capabilities, the integration work, and the cloud, while Apple has the devices, the development environment, and the focus on usability. The combination of these elements is what will make a truly groundbreaking enterprise experience on mobile devices.
So what can we conclude from the Apple/IBM alliance?
- iPhones and iPads, are clearly ready for enterprise-grade computing. Whatever skepticism businesses had about the iPhone back in 2007 and 2008 has largely dissipated, so much so that IBM is willing to bet major R&D and sales initiatives on iOS devices.
- Enterprises like iOS devices, but they’re also looking for a mature software platform with proven capabilities in the areas of security, scalability, and control.
- IBM and Apple see the opportunity to bridge the gap between consumer mobile devices and enterprise-grade solutions for data access, data management, and communication.
We agree – the enterprise is ready to seriously take on the mobile revolution. At Accellion we have already begun bridging the enterprise mobile gap by enabling secure file sharing, synchronization and collaboration on mobile devices. The kiteworks solution gives business users with iPhones, iPads, Android devices and Windows Phones access to their enterprise content wherever it is stored, inside or outside the firewall, so they can share and collaborate on those files securely. The kiteworks platform provides rigorous security features such as 256-bit encryption, built-in AV scanning, and rule-based access controls, along with critical enterprise features such as LDAP support, Data Loss Prevention (DLP) support, and essential enterprise content connectors for integrating mobile solutions with existing enterprise infrastructure and enterprise content systems.
I’m looking forward to seeing what kind of enterprise solutions for analytics, cloud services, and mobility Apple and IBM create through their best-of-breed partnership. There should be interesting opportunities for combining our enterprise mobile technologies to unleash the productivity gains of a mobile workforce.
November 25, 2014
By Alexander Anoufriev, CISO, ThousandEyes
Shared Responsibilities for Security in the Cloud continues…
Infrastructure Protection Services
This domain uses a traditional defense in depth approach to make sure that the data containers and communications channels are secure. For infrastructure protection services, all server, network, and application-related processes are fully owned by the service provider (see Figure 5).
End-point security remains an independent object on both sides of the responsibility matrix. The service provider is responsible for securing the end-points used by its workers, while the service consumers ensure the security of their own desktops, laptops, and other end-user computing devices.
Data Protection
This domain is really the most central to information security, since data is the asset we protect. Data protection needs to cover all data lifecycle stages, data types, and data states. Data stages include creation, storage, access, roaming, sharing, and retention. Data types include unstructured data such as word processing documents, structured data such as data within databases, and semi-structured data such as emails.
As is to be expected, this is one of the most involved areas of information security for both parties. See Figure 6 for detailed information on the responsibilities of these two parties. Data lifecycle management is a process driven by the asset owner. Often, the customer of the service is also the owner. At ThousandEyes, this is always the case. Other processes/services have their own implementations on both sides.
Policies and Standards
Security policies and standards are derived from risk-based business requirements. They include Information Technology security (infrastructure and applications), physical security, business security, and human resources security. Security policies are statements that capture requirements specifying what type of security and how much should be applied to protect the business. Figure 7 provides details on responsibility relating to policies and standards.
As we can see, in the cloud era, the provider owns the operational security baseline (the consumer still owns their part, which is minimal for the scope of provided services and represents end-point and connectivity parts). Job aid guidelines traverse both parties, and the data owner (consumer) defines data classification. All other processes/services exist in their scope at both sides.
In a shared security model it is really important to understand who is responsible for what. This must be defined in associated security level agreements. Ask your CSP what you should do to ensure that security is implemented end-to-end and your data stays secure despite changing operational responsibilities.
Security and Risk Management TCI Domain.
November 24, 2014
By Alexander Anoufriev, CISO, ThousandEyes
Introduction: Security Responsibilities in the Cloud Era
When businesses owned their applications and all underlying infrastructure, they also owned their security. Now this is changing with a shift in ownership and operational responsibilities over many applications as they are moving to the Cloud. In the cloud era, security is not owned solely by the cloud service provider (CSP) or consumer. Cloud security is a shared responsibility.
To illustrate this model of shared responsibility I will be using:
- ThousandEyes SaaS Platform as an example of a cloud application which is owned and operated by ThousandEyes
- Cloud Security Alliance (CSA) Trusted Cloud Initiative (TCI) reference architecture
We’ll need to understand the high-level architecture of this specific solution. The ThousandEyes solution consists of three major components (see Figure 1):
- SaaS Platform, which is installed and operated in the ThousandEyes data center
- Enterprise Agent, which is installed in the customer’s network
- Cloud Agent, which is installed in hosting providers’ networks and managed by ThousandEyes
We monitor the performance of networks and applications inside of an enterprise, on the internet and in the cloud. As a part of our service, we process and store the following data elements:
- User accounts (name, email)
- Hashes of passwords (only if local authentication is in place; in Web SSO with SAML scenario this is not applicable)
- Definitions of network performance tests
- Results of the tests (measurements)
- Support tickets
Responsibilities by TCI Domain
Governance, Risk and Compliance
Figure 2 illustrates responsibility for the governance, risk and compliance (GRC) domain of TCI architecture. This domain is responsible for the identification and implementation of the appropriate organizational structures, processes, and controls to maintain effective information security governance, risk management and compliance. Both parties, the service provider (ThousandEyes in this example) and the consumer, are independently responsible for all of the listed processes.
Responsibility for specific processes will differ between provider and consumer, for example: the service provider manages compliance with its internal policies, control standards and procedures, while it designs, develops, deploys and operates the service. The customers manage compliance while they use the service.
Privilege Management Infrastructure
Privilege Management Infrastructure ensures that users have the access and privileges required to execute their duties and responsibilities with Identity and Access Management (IAM) functions. Figure 3 illustrates shared responsibilities in IAM.
In our example, the identity management process extends from a service provider to a service consumer while other related processes and services exist independently in both entities. With the ThousandEyes SaaS Platform, customers are able to take advantage of their own web single sign on (SSO) technologies. In this case, they become responsible for authentication, authorization, and privilege management. Alternatively, they can use ThousandEyes-supplied identity information.
Threat and Vulnerability Management
This domain provides core IT security service and processes. Figure 4 demonstrates how responsibilities are allocated between the service provider and consumer.
Here we can see that some of the security processes/services are fully shifted to the service provider. All infrastructure-related compliance testing, vulnerability management and penetration testing are operated by the service provider, while threat management exists on both sides and often covers different threats. Due to this, they are two different processes.
(Part 2 of this post will run tomorrow.)