Category Archives: Cloud Security

Adoption rates of basic cloud security tools and practices still far too low

As organizations migrate more of their data and operations to the cloud, they must maintain a robust cybersecurity posture, a Bitglass report reveals. Each year, Bitglass conducts research on the state of enterprise cloud security in order to identify key trends and common vulnerabilities. This year’s report found that 75 percent of organizations leverage multiple cloud solutions, but only 20 percent have visibility over cross-app anomalous behavior. With more and more organizations storing sensitive information …

The post Adoption rates of basic cloud security tools and practices still far too low appeared first on Help Net Security.

New Azure Marketplace Pay-As-You-Go Billing for Trend Micro Deep Security as a Service

Cloud adoption continues to rise as organizations reduce their data center footprint, look to cloud native technologies to improve their application design and output, and strive to improve scalability and management of resources and systems.

In a recent survey conducted by analyst firm ESG, 87% of respondents indicated that they currently run production applications and workloads on a public cloud infrastructure-as-a-service platform. However, only 10% of respondents run more than half of their workloads in the cloud. This means that while cloud adoption is on the rise, businesses are still heavily vested in on-premises and hybrid-cloud environments.

With all this change comes the task of understanding how best to secure new cloud technologies and environments, while maintaining protection for traditional server platforms against threats and risks which present both technical and cost challenges.

So, what options does your business have to tackle this?

Trend Micro is excited to announce pay-as-you-go billing with its leading cloud solution, Deep Security as a Service (DSaaS) on the Microsoft Azure Marketplace. As a launch partner for pay-as-you-go billing at Microsoft’s Inspire 2019 conference, Trend Micro’s offering enables organizations to combine the benefits of security software-as-a-service (SaaS) with the convenience of usage-based metered pricing and consolidated cloud billing.

“Providing Trend Micro’s Deep Security as a Service offering through Azure Marketplace gives customers more ways to enable, automate, and orchestrate cloud security,” said Jeana Jorgensen, GM, Cloud and AI for Microsoft. “Customers can pay for only what they use with Trend Micro’s flexible, metered pricing or negotiate a more traditional enterprise agreement using private offers while enjoying a consolidated bill for software and cloud infrastructure.”

Trend Micro Deep Security as a Service is purpose-built to deliver a multi-layered automated approach to protect hybrid cloud workloads and container environments against known and unknown threats. Deep Security’s capabilities include network controls such as a host firewall and Intrusion Prevention/Detection (IPS) to shield servers and web applications from vulnerabilities and exploits. Deep Security also has system security capabilities such as log inspection, application control to detect and lock down unauthorized executables, and real-time integrity monitoring to alert the security team of any suspicious or unexpected changes to registry values, registry keys, services, processes, installed software, ports, or files.

Additionally, Deep Security provides this same complete protection for your containers, with real-time malware protection, container vulnerability shielding, full traffic inspection for both North-South and East-West traffic between containers, as well as network and system controls, extending protection to the container and Kubernetes platforms. This also helps to meet compliance obligations across major regulations and industry guidelines, like PCI DSS, HIPAA, NIST, GDPR and more from within one trusted security solution.

Microsoft’s new Azure Marketplace offerings and billing methods allow IT and developers a means to quickly identify what software-as-a-service offerings they need and pay only for what is consumed with no additional costs. This makes purchasing easy for customers, with one transaction and a single invoice helping to remove friction across budget planning, capacity, and scaling.

“Our priority is to make cloud security as effortless as possible, which starts by meeting IT users and developers where they are and then offering comfortable usage and pricing options,” said Sanjay Mehta, SVP, Business Development & Strategic Alliances at Trend Micro. “Trend Micro is proud to continue our close relationship with Microsoft Azure as one of its top global security partners. Being part of their consumption-based billing launch for SaaS offerings helps customers looking to secure workloads and containers through their Azure instances.”

Trend Micro’s Deep Security as a Service will provide Microsoft Azure customers a fully hosted security management experience, starting at only $0.01 per workload per hour.

To learn more, visit https://www.trendmicro.com/azure/

As cyber attacks increase, the cloud-based database security market grows

The cloud-based database security market is expected to register a CAGR of 19.5% over the forecast period 2019-2024, according to ResearchAndMarkets. With the increasing adoption of Big Data platforms and relational databases becoming the prime target for data thieves, the demand for cloud-based database security is expected to gain traction. Key highlights: There have been increasing volumes of data being generated from information-escalated applications like storage and mining of huge or commercial data. These applications …

The post As cyber attacks increase, the cloud-based database security market grows appeared first on Help Net Security.

The importance of IT asset management within digital transformation processes

In this Help Net Security podcast, Marco Rottigni, Chief Technical Security Officer for Qualys across EMEA, talks about the importance of IT asset management within digital transformation processes. He illustrates why it’s crucially important to understand what you have, and how to build security in versus bolting it on. Here’s a transcript of the podcast for your convenience. Hello, my name is Marco Rottigni and I work for Qualys as a Chief Technical Security Officer …

The post The importance of IT asset management within digital transformation processes appeared first on Help Net Security.

Migrating Network Protection to the Cloud with Confidence

For modern organizations, speed and agility are the key to success – built on enhanced IT efficiency and performance driven by the cloud. Anything less could see your business outpaced by the competition. As always, security must be a priority when migrating to the cloud, but network teams are being let down by existing tools. Overwhelmed by this challenge, our TippingPoint customers came to us asking for an equivalent product for their AWS environments. So we went away and built one.

Cloud Network Protection is the first transparent, in-line network security offering for AWS customers: simple to deploy and manage, cloud-ready and leveraging our industry leading expertise in network threat protection.

Let down by legacy

According to the cloud’s shared responsibility model, network security teams are increasingly being tasked with extending security into the cloud. But current offerings in the market simply aren’t capable of supporting their requirements. They’re complex, expensive and introduce extra friction.

Our TippingPoint customers came to us with a range of gripes. They felt existing network security solutions are simply not engineered with cloud environments in mind. In fact, some need to be rearchitected to function at all in the cloud. Often, these incompatibilities lead to business disruption: by causing app and network downtime while network security is deployed and/or slowing down the speed of DevOps on an ongoing basis. In many cases, customers complained of having to use multiple tools to manage security for different networks in the hybrid cloud – adding extra cost and complexity and creating potential security gaps through misconfigured solutions.

These challenges impair their ability to meet key compliance requirements like HIPAA and GDPR. Responding to internal and external audit requests also became more difficult. At the same time as these strategic challenges, network security teams wanted to meet day-to-day requirements such as blocking requests to specific domains.

A new approach

Taking all this on board, we set about designing a network-based solution to handle the scale and performance demands of the cloud, without introducing extra friction to operations. We did this by tapping the power of the AWS Transit Gateway, a service that enables customers to connect all their Virtual Private Clouds (VPCs) and on-premises networks via a single, centralized gateway.

The resulting Cloud Network Protection solution is deployed transparently into the network fabric, providing visibility and control where network security teams need it most whilst avoiding application disruption and the need to rearchitect. By extending our TippingPoint capabilities into the cloud, we offer organizations multiple benefits including:

  • Consistent network security: Allowing teams to use existing TippingPoint security profiles in the cloud and on-premises.
  • Centralized SMS management: Complete visibility and control using the familiar Security Management System (SMS).
  • Simplified deployment: Minimizes friction by sliding seamlessly into the cloud network fabric.
  • Industry leading security: Including network-based virtual patching, and zero-day protection backed by the Zero Day Initiative bug bounty program. All whilst avoiding business disruption.

Nearly three-quarters (73%) of organizations had at least one application in the cloud as of last year – with a further 17% planning to do so within the next 12 months, according to IDG. As they migrate these business-critical apps, network security teams are demanding effective, cloud-ready tools that offer maximum protection without impacting performance. Fortunately, now they have one.


Getting Started with Cloud Governance

Governing cloud security and privacy in the enterprise is hard, but it’s also critical: As recently noted in a blog by Cloud Transformation Specialist Brooke Noelke, security and complexity remain the two most significant obstacles to achieving enterprise cloud goals. Accelerating cloud purchases and tying them together without critical governance has resulted in many of today’s enterprise security executives losing sleep, as minimally secured cloud provider estates run production workloads, and organizations only begin to tackle outstanding SaaS (Software as a Service) footprints.

For security professionals and leaders, the on-premise (or co-location) data center seems simple by comparison: Want to protect applications in the data center? By virtue of the fact that it has a network connection in the data center, there are certain boundaries and processes that already apply. Business unit leaders aren’t exactly standing by with a credit card, trying to load tens of thousands of dollars of 4U Servers, storage racks, and a couple of SAN heads and then trying to expense it. In other words, for a workload in the data center, certain procurement controls must be completed, an IT review established, and implementation steps forced before the servers “light up”—and networking gates must be established for connectivity and publishing.

When it comes to the cloud, however, we’re being asked to fulfill new roles, while continuing to serve as protector of all the organization’s infrastructure, both new and existing. Be the rule setter. Contribute to development practice. Be the enforcer. And do all of this while at the same time making sure all the other projects you already had planned for the next 18 months get accomplished, as well …

Without appropriate controls and expectation-setting, development teams could use a credit card and publish a pre-built workload—from registration to world-accessibility—in hours! Sadly, that’s the reality at many organizations today, in a world where as much as 11% of a company’s published sensitive data is likely to be present in custom/engineered cloud applications.

Simplify Governance – Be Transparent

One of the biggest challenges for today’s businesses is understanding what the “sanctioned” path to cloud looks like: Who do they reach out to? Why should they engage the security team and other IT partners when the software vendor is willing to take credit cards directly? At many of today’s enterprises, “Security Awareness” initiatives mean some emails and a couple training sessions a year on “building block” security measures, with a particular focus on detecting phishing emails. While these measures have their place, security teams should also establish regular partnership meetings at the business unit level to “advertise” available services to “accelerate” capabilities into the cloud.

However, instead of communicating what the business will receive or explaining the steps the security team requires in order to complete the process, the emphasis should be on what departments receive by engaging the security team early: Faster funding and procurement approvals. Proactive scheduling of scarce resources for application review. Accelerated provisioning. And ultimately, faster spend and change times, with less risk and hopefully with minimal schedule impact.

The security team also needs to help the business understand that, while they may not see it reflected in direct line items today, there is a cost per application that they are generating for existing/legacy applications. If the perception is that today’s applications are “free,” but the team needs a line item to be created in new projects for cloud security deployments, it encourages people to exit the process or to avoid things that add to the price—or, at least, to fight an internal battle to push back on each line-item add. Our job is to help the organization understand that today’s security spend is around 7% of infrastructure or application spend, and to set the expectation that whatever the next-generation project budget is, an associated investment should be expected—in both technology and people—to secure the platform.

Establish a Goal and Discuss It

Does your business understand what the “goal line” looks like when it comes to putting something into the cloud? Would they know where to go to find the diagram(s) or list(s) that define that? What level of cloud competency and security understanding does someone in the business need in order to consume what your team has published?

If the answer to one or more of these questions is a shrug—or demands a master’s level understanding of technical knowledge—how can we as the leaders of the security space expect the business to readily partner with us in a process they don’t understand?

Published policy with accompanying detailed standards is a start. But the security team has an opportunity to go a step further with very basic conceptual “block” diagrams, which set “minimum viable protection” that the business’ “minimum viable product” must have to go into security.

The easiest way to do this is to take a minimum control set, and then create a few versions of the diagram—in other words, one for the smallest footprint and one or more at larger scale—to explain to the organization how the requirements “flex” according to the size and traffic volume of what has been deployed.

Cloud Governance is Possible

Governance is the initial building block for cloud security. Being successful in protecting cloud applications requires effective technical controls, like MVISION Cloud’s product risk assessment and protection for enterprise data through unified policy. For the organization to mature and further reduce risk, governance must become as much about consulting with businesses regarding cloud consumption as it has been historically about risk meetings and change reviews. With a few simple adjustments and intentional internal marketing investments, your team can start the journey.

The post Getting Started with Cloud Governance appeared first on McAfee Blogs.

Is Cloud Service Provider-Native Security ‘Good Enough’ For Your Cloud Transformation Program’s Goals?

Several times lately, CIOs and CISOs have asked me why the security toolset they get for “free” from their cloud service providers isn’t enough. Sure, it might not be the best … but isn’t it good enough for the program’s success?

It’s true that we don’t often need the Cadillac. But cloud programs are failing at high rates, and the number-one listed reason is security challenges. Teams are trying to use that SaaS or IaaS/PaaS cloud service provider-native security and finding after initial designs that it’s full of holes, or that it’s very difficult to operate across the enterprise. And trying to bolt on additional security to highly automated cloud deployments is not nearly as easy as it was in steadier-state traditional data center configurations. We as solution engineers are failing our development, business and security teams by not addressing the number-one factor in cloud transformation failure with tools that will better support their success in delivering secure cloud implementations.

Figure 1: Percent of respondents with major cloud programs reporting they have “fully achieved” their expected cloud outcomes

Figure 2:  Top concerns perceived to impact that lack of full program goal attainment

The CSPs and enterprise software providers just aren’t considering full architectural requirements for security, at a time when architecture overall—and security architecture in particular—is more important than ever. And they don’t have that perspective: Operating a complete end-to-end security architecture and program isn’t the perspective of these software companies’ product teams. Enterprise security is still needed, but new perspectives, more flexibility and support for automated architectures are also needed. Cloud deployments move so fast that we get to the point of “hard to add budget and redesign for efficiency” faster than ever before. We’re asking our development teams to walk a high wire, creating new technologies that enable business using new cloud technologies … but we’re assuming that those new cloud technologies are coming with their own security safety nets. And the market experience is that they don’t.

A better approach is to ENSURE a practical, agile security architecture starting with Cloud Access Security Broker (CASB) basics in place as a foundation of any major cloud transformation program. This gives us detective—and quickly available preventative—controls to ensure that while valuable risks are taken by our development and business teams who build fast in SaaS or IaaS/PaaS cloud, we are protecting them and the enterprise from egregious configuration errors and other easy mistakes up on that high wire.

When I’m developing services, I want to work with market-proven tools—they create an environment for my success.  

What do you think? Are SaaS or IaaS/PaaS “built-in” security controls sufficient, or is a considered enterprise security architecture still necessary? Should we design that security architecture as base to programs or after giving CSPs’ own controls a chance to fail? Always interested in your feedback.

Next month, we’ll look at the highest-priority components of a complete cloud security architecture.

The post Is Cloud Service Provider-Native Security ‘Good Enough’ For Your Cloud Transformation Program’s Goals? appeared first on McAfee Blogs.

AWS re:Inforce 2019 re:Cap


The inaugural AWS Cloud security conference—AWS re:Inforce—was held in Boston this week. Well over 8,000 attendees descended on the Boston Convention and Exhibition Center for two days jam-packed with security education and cloud content.

This was a very interesting conference because the dynamics of the attendees felt very different from typical AWS events. Usually at an AWS event, security teams are the odd people out, making up a small portion of the attendees. At re:Inforce, the script flipped and it seemed that the majority of attendees were in primarily security roles.

That’s great news for the show and for the community in general. Everyone in attendance and online was eager to learn about AWS Security Services, offers from AWS APN Partners, and what works—and what doesn’t—when it comes to securing cloud deployments.

https://www.youtube.com/watch?v=FKphJNfpWk8

Announcements

As with any AWS event, there were a number of announcements that covered new features and functionality. We didn’t get any new services but the size of these features makes up for that. Here’s my quick take on each of the major announcements and how it might be useful for you.

AWS Security Hub Goes GA

AWS Security Hub was first announced as a preview at AWS re:Invent 2018. This tool helps consolidate security information into one place. Data from various AWS Security Services (like Amazon GuardDuty, Amazon Macie, and Amazon Inspector) and from various AWS APN Partners feeds into Security Hub in order to highlight compliance issues and various security findings.

That term is key. A finding isn’t a log entry or an event or even an incident (as defined in infosec). A finding is generated by one of the security tools and is likely to start a security or compliance incident.

The goal of Security Hub is to make security data more visible and actionable. It is not a replacement for a SIEM or a team of analysts. It is a fantastic tool to help highlight security issues with other teams.

Read more from Brandon West over on the AWS Blog.

AWS Control Tower Comes Out Of Preview

This service helps you to create strong, well-architected baselines for new AWS accounts within your organization. AWS Control Tower works with landing zones, a concept first brought to the forefront at AWS re:Invent 2018.

Multi-account strategies are common within larger organizations and there are a number of security benefits to the approach if it is well managed. The challenge is standardizing settings, configuration, and policy across accounts.

This is where AWS Control Tower comes into the picture. Working with AWS Organizations, AWS IAM, AWS Config, AWS CloudTrail, and AWS Service Catalog, you can configure what every new account within your organization should look like. This helps ensure that all of your teams are set up for success.

Read more from Jeff Barr.

VPC Traffic Mirroring

Up until now, you’ve only been able to get a glimpse of what’s going on with the network traffic in your VPC using AWS native features. The VPC Flow Log functionality provides the basics of source, destination, and size of traffic, but actual packet analysis requires a better source of flow data.

VPC Traffic Mirroring does exactly as promised, leveraging the AWS network layer to mirror specific targets, sessions, or filters in order to analyze that traffic in another tool.

This can be helpful in network forensic analysis, troubleshooting, or operational analysis.

Jeff Barr has a walkthrough of the feature on the AWS Blog.

AWS Incident Response Whitepaper

Though published a few weeks before the event, AWS is highlighting the new AWS Security Incident Response Whitepaper. This paper helps security teams understand how traditional incident response maps to the AWS Cloud.

It’s a well-written, practical paper that can help teams understand how a process they are familiar with changes in a new environment like the AWS Cloud.

Get an overview from Joshua Du Lac over on the AWS Security Blog.

AWS Marketplace Procurement System Integration

During the AWS re:Inforce keynote, Stephen Schmidt announced a new AWS Marketplace integration for existing procurement systems. At first blush, this seems like an odd feature to call out at a security conference.

But security is always a critical question in any enterprise sales engagement and procurement headaches abound. The AWS Marketplace can address some of those headaches.

This new integration (initially with Coupa and others via cXML) will make it easier for some enterprises to test and acquire new technologies, reducing the barrier to acquire new security tools.

Read more in the AWS Marketplace documentation.

What’s Next

At the end of the keynote, Stephen Schmidt announced that AWS re:Inforce will be held again next year, this time in Houston. That’s fantastic news as it shows that AWS acknowledges that security is a critical pillar of well-built cloud deployments and that the community is strong enough to support events of this size dedicated to the topic.

The breakout sessions from the show were recorded and are being posted to the AWS YouTube channel. The day 1 keynote by AWS CISO Stephen Schmidt has already been posted, so you can start catching up now.

I did a takeover on the Trend Micro LinkedIn page and went live twice during the show. Check that out for a bit of an insider’s view and—as always—ping me on Twitter, where I’m @marknca, to talk more about this and cloud security in general.

Are Virtual Cybersecurity Labs the Future of Cybersecurity Education?

Cybercrime affecting businesses has become so widespread that IT and network security professionals are always thinking about that next breach and the costs of recovering from it. This increased risk has also raised the demand for better virtual defenses to prevent the loss of sensitive organizational data such as personal consumer details and internal communications.

There is a substantial need for cybersecurity training. It’s something that many businesses are interested in, but implementing the right system isn’t easy. Physical labs are expensive, require significant time and resources, and aligning everyone’s schedules is often impossible.

Virtual labs are a great way for you to provide your customers and partners with access to the latest cybersecurity product demos and training. These labs are accessible from anywhere, customers can engage with them on their terms, they cost less, and increase the overall quality of the training.

What’s the Appeal of Virtual Cybersecurity Labs?

In the corporate sphere, there has been a trend in recent years of organizations shifting away from traditional instructor-led courses towards virtual cybersecurity training labs. The transition is due to the high demand for meticulous cybersecurity education that offers first-hand experience to participants while keeping costs low.

Cloud-based training environments are appealing because they offer a scenario-based approach. Since the field of cybersecurity requires analytical and critical thinking in real-world circumstances, the controlled environment of a virtual lab is often cited as the best method for teaching network security. Learners will encounter real-world scenarios, work through them, and engage with essential hands-on material that provides more engagement than a traditional slideshow or lecture.

What Are The Primary Benefits of a Virtual Cybersecurity Lab?

  • These classes offer training and simulations that are run through cloud-based virtual machines that are accessible from any of the major browsers. Participants can engage with the material, request help, and engage in team exercises from anywhere in the world.
  • A virtual lab removes the need for travel costs or high-end hardware on the client side since training is conducted primarily through an Internet browser on the employee’s terminal. The simulation is centralized and accessible from anywhere at any time with nothing but an Internet connection.
  • Because the host hardware is centralized, upgrading the lab in response to continually evolving technologies and security trends can be done inexpensively and quickly.
  • A single lab can be expanded to accommodate additional employees or partners at little to no cost. You can add additional RAM, user slots, and other specs as needed. This has helped make virtual labs a popular choice for growing businesses.
  • Feedback between instructors and participants is instant and convenient. Instructors can step in at any point and offer help, track user participation, and other relevant analytics.

What Should You Look for in a Virtual Cybersecurity Environment Provider?

There is no shortage of virtual lab providers on the market. Cloud-based cybersecurity courses are in huge demand because of the added customization that they offer. The process for developing a suitable training lab differs depending on your organization’s needs and preferences. However, here are a few things to consider:

  • Networking devices, including switches, routers, and firewalls. Remember that you want to support multiple instances of virtualization for the networking scenarios used in the course. While you want the reliability of enterprise-grade equipment, consider looking into the refurbished market if your business needs to keep costs low.
  • Find a reputable virtual lab provider. There are many virtual IT labs on the market. Find one that offers the right mix of features, analytics, and the ability to scale as you grow.
  • Have the right IT team in place. Your IT team will need to create the environments for any material that you want to teach within the cloud. Getting started isn’t hard, but it will require an IT professional that knows how to prepare the needed virtual environments.

The goal of this process is to build a successful hands-on virtual cybersecurity lab that is scalable to all participants and teaches essential cybersecurity skills in real-world environments to your customers and business partners.

Are Virtual Cybersecurity Labs Really the Future?

It’s safe to say that cloud technology isn’t going anywhere at this point. We are still feeling the effects of the innovation wave that was caused by the invention of cloud technology.

Everything we do today is tied to the cloud in some way.

  • The most popular software offered by Adobe and Microsoft is all cloud-based.
  • That CRM your business relies on is powered by the cloud.
  • Your favorite Spotify playlist is stored in the cloud.

B2B training is changing. The advancements in virtual labs have accelerated the obsolescence of traditional labs. Agile companies that want to stay competitive will need to accept this and transition their cybersecurity, IT, and product demos to the cloud.

New technologies are frightening to businesses with established processes. But if we’ve learned anything from the failures of Kodak, Nokia, Xerox, Blockbuster, and other large corporations, it’s that failing to stay in line with innovation can (and will) lead to disastrous results in the long-term.

The post Are Virtual Cybersecurity Labs the Future of Cybersecurity Education? appeared first on CyberDB.

Are Your Employees Using Your Data in the Shadows?

You have superstar employees who run your business like it’s their own. They use new apps to collaborate with coworkers, vendors, and customers to get work done when it needs to get done. They’re moving your business closer and closer to the cloud. Sounds fantastic! Let them do their thing! But what information is being shared? What apps are they using? Are they secure? Are partners or customers receiving sensitive data that’s not encrypted? Here are a few things to keep in mind as your business accelerates to the cloud.

Businesses Are Adopting Cloud Services Faster Than They Are Being Secured

Employees seeking new cloud services can help you transform the way business is done and improve engagement with customers, partners, and other employees. Most employees are first adopters who are trying new apps to do their jobs in the most efficient way possible. But before you know it, your IT department could become overwhelmed with cloud adoption. This means your organization will inevitably deal with shadow IT as your employees begin using unsanctioned cloud services.

Data Could Be Leaked, Leading to Financial, Reputational, IO, and Compliance Exposure

Do you know what your employees are doing with your business’s data? This is where shadow IT becomes a factor. Not all security controls used today were built with the cloud in mind, especially when it comes to BYOD and IoT. On-premises security products alone can’t provide effective visibility and protection in a hybrid IT world. In a recent McAfee survey, we found that the average organization thinks they use 30 cloud services, but in reality they use 1,935. This disparity is shadow IT—and it’s expanding your attack surface. This leaves your company more exposed to cyberthreats through the use of potentially high-risk cloud services without complete IT visibility or control. Don’t let the risk of shadow IT disrupt your business. Visibility into your organization’s cloud adoption and the devices that connect to these services is a critical step for mitigating the risk of data breaches, non-compliance, and loss of reputation due to shadow IT.

Move at the Speed of Business Without Compromising Security

The future of your company depends on growth and flexibility. Don’t pause on innovation and progress. Let your employees use the devices and apps they have and gain peace of mind knowing that your valuable information is secure. You can place security’s architectural control points on the places where employees work—from device to cloud and in between. You can allow restricted usage of services through application control and still prevent data exfiltration. A cloud access security broker (CASB) can help detect and block instances of sensitive data being uploaded to these shadow IT services.

You can accelerate your transformation to the cloud with IT security as a business enabler. Use security operations—with threat intelligence, management, analytics, automation, and orchestration—as the glue to identify the most advanced threats and crossover attacks. A CASB can be integrated seamlessly into IaaS, PaaS, and SaaS environments to secure cloud services as they are being adopted. Let your employees shine and take your business to the next level backed by an IT department tooled with industry-leading visibility and control provided by our CASB solution, McAfee MVISION Cloud.

Watch our video to understand how using McAfee can enable you to accelerate your business, reducing the risk of transformative technologies like the cloud and all the devices employees use to access data.

The post Are Your Employees Using Your Data in the Shadows? appeared first on McAfee Blogs.

Cloud 101: Navigating the Top 5 Cloud Management Challenges

Cloud management is a critical topic that organizations are looking at to simplify operations, increase IT efficiency, and reduce costs. Although cloud adoption has risen in the past few years, some organizations aren’t seeing the results they’d envisioned. That’s why we’re sharing a few of the top cloud management challenges enterprises need to be cautious of and how to overcome them.

Cloud Management Challenge #1: Security

Given the overall trend toward migrating resources to the cloud, a rise in security threats shouldn’t be surprising. Per our latest Cloud Risk and Adoption Report, the average enterprise organization experiences 31.3 cloud related security threats each month—a 27.7% increase over the same period last year. Broken down by category, these include insider threats (both accidental and malicious), privileged user threats, and threats arising from potentially compromised accounts.

To mitigate these types of cloud threats and risks, we have a few recommendations to better protect your business. Start with auditing your Amazon Web Services, Microsoft Azure, Google Cloud Platform, or other IaaS/PaaS configurations to get ahead of misconfigurations before they open a hole in the integrity of your security posture. Second, it’s important to understand which cloud services hold most of your sensitive data. Once that’s determined, extend data loss prevention (DLP) policies to those services, or build them in the cloud if you don’t already have a DLP practice. Right along with controlling the data itself goes controlling who the data can go to, so lock down sharing where your sensitive data lives.

Cloud Management Challenge #2: Governance

Many companies deploy cloud systems without an adequate governance plan, which increases the risk of security breaches and inefficiency. Lack of data governance may result in a serious financial loss, and failing to protect sensitive data could result in a data breach.

Cloud management and cloud governance are often interlinked. Keeping track of your cloud infrastructure is essential. Governance and infrastructure planning can help mitigate certain infrastructure risks, so automated cloud discovery and governance tools will help your business safeguard operations.

Cloud Management Challenge #3: Proficiency

You may also be faced with the challenge of ensuring that IT employees have the proper expertise to manage their services in a cloud environment. You may need to decide to either hire a new team that is already familiar with cloud environments or train your existing staff.

In the end, training your existing staff is less expensive, scalable, and faster. Knowledge is key when transforming your business and shifting your operational model to the cloud. Accept the challenge and train your employees, give them hands-on time, and get them properly certified. For security professionals, the Cloud Security Alliance is a great place to start for training programs.

Cloud Management Challenge #4: Performance

Enterprises are continually looking for ways to improve their application performance, and internal/external SLAs. However, even in the cloud, they may not immediately achieve these benefits. Cloud performance is complex and if you’re having performance issues it’s important to look at a variety of issues that could be occurring in your environment.

How should you approach finding and fixing the root causes of cloud performance issues? Check your infrastructure and the applications themselves. Examine the applications you ported over from on-premises data centers, and evaluate whether newer cloud technologies such as containers or serverless computing could replace some of your application components and improve performance. Also, evaluate multiple cloud providers for your application or infrastructure needs, as each has its own offerings and geographic distribution.

Cloud Management Challenge #5: Cost

Managing cloud costs can be a challenge, but in general, migrating to the cloud offers companies enormous savings. We see organizations investing more dollars in the cloud to bring greater flexibility to their enterprise, allowing them to quickly and efficiently react to the changing market conditions. Organizations are moving more of their services to the cloud, which is resulting in higher spend with cloud service providers.

Shifting IT cost from on-premises to the cloud on its own is not the challenge – it is the unmonitored sprawl of cloud resources that typically spikes cost for organizations. Managing your cloud costs can be simple if you effectively monitor use. With visibility into unsanctioned, “Shadow” cloud use, your organization can find the areas where there is unnecessary waste of resources. By auditing your cloud usage, you may even determine new ways to manage cost, such as re-architecting your workloads using a PaaS architecture, which may be more cost-effective.

Final Thoughts

Migrating to the cloud is a challenge but can bring a wide range of benefits to your organization with a reduction in costs, unlimited scalability, improved security, and overall a faster business model. These days, everyone is in the cloud but that doesn’t mean your business’s success should be hindered by the common challenges of cloud management.

For more on how to secure your cloud environment, check out McAfee MVISION Cloud, a cloud access security broker (CASB) that protects data where it lives with a solution that was built natively in the cloud, for the cloud.

The post Cloud 101: Navigating the Top 5 Cloud Management Challenges appeared first on McAfee Blogs.

2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot off the press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it focused on payment card data breaches and Verizon breach investigations data. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by astute ‘plain English’ explanations, which is why the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways
  • Financial gain remains the most common motivation behind data breaches (71%)
  • 43% of breaches occurred at small businesses
  • A third (32%) of breaches involved phishing
  • The nation-state threat is increasing, with 23% of breaches by nation-state actors
  • More than half (56%) of data breaches took months or longer to discover
  • Ransomware remains a major threat, and is the second most common type of malware reported
  • Business executives are increasingly targeted with social engineering attacks such as phishing/BEC
  • Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity, it didn’t make the top ten malware listed in the report
  • Espionage is a key motivation behind a quarter of data breaches
  • 60 million records breached due to misconfigured cloud service buckets
  • Continued reduction in payment card point of sale breaches
  • The hacktivist threat remains low; the increase in hacktivist attacks reported in the 2012 DBIR appears to be a one-off spike

Test Your Knowledge on Cloud Adoption and Risks

Our data lives in the cloud, and nearly a quarter of it requires protection to limit our risk. You won’t be able to get far in your transformation to the cloud without learning the sources of cloud data risk and how to circumnavigate them.

In our latest Cloud Adoption and Risk Report, we analyze the types of sensitive data in the cloud and how it’s shared, examine IaaS security and adoption trends, and review common threats in the cloud. Test your knowledge on the latest cloud trends and see if your enterprise understands the basics of cloud-related risks.

Not prepared? Lucky for you this is an “open-book” test. Find some cheat sheets and study guides below.

Report: Cloud Adoption and Risk Report 2019

Blog: Cloud Security Risks – It’s not black and white

MVISION Cloud Data Sheet

MVISION Cloud

The post Test Your Knowledge on Cloud Adoption and Risks appeared first on McAfee Blogs.

Our PaaS App Sprung a Leak

Many breaches start with an “own goal,” an easily preventable misconfiguration or oversight that scores a goal for the opponents rather than for your team. In platform-as-a-service (PaaS) applications, the risk profile of the application can lure organizations into a false sense of security. While overall risk to the organization can be lowered, and new capabilities otherwise unavailable can be unlocked, developing a PaaS application requires careful consideration to avoid leaking your data and making the task of your opponent easier.

PaaS integrated applications are nearly always multistep service architectures, leaving behind the simplicity of yesterday’s three-tier presentation/business/data logic applications and basic model-view-controller architectures. While many of these functional patterns are carried forward into modern applications—like separating presentation functions from the modeled representation of a data object—the PaaS application is nearly always a combination of linear and non-linear chains of data, transformation, and handoffs.

As a simple example, consider a user request to generate a snapshot of some kind of data, like a website. They make the request through a simple portal. The request would start a serverless application, which applies basic logic, completes information validation, and builds the request. The work goes into a queue—another PaaS component. A serverless application figures out the full list of work that needs to be completed and puts those actions in a list. Each of these gets picked up and completed to build the data package, which is finally captured by another serverless application to an output file, with another handoff to the publishing location(s), like a storage bucket.

Planning data interactions and the exposure at each step in the passing process is critical to the application’s integrity. The complexity of PaaS is that the team must consider threats both for each script/step at a basic level individually as well as holistically for the data stores in the application. What if I could find an exploit in one of the steps to arbitrarily start dumping data? What if I found a way to simply output more data unexpectedly than it was designed to do? What if I found a way to inject data instead, corrupting and harming rather than stealing?

The familiar threats of web applications are present, and yet our defensive posture is shaped by which elements of the applications we can see and which we cannot. Traditional edge and infrastructure indicators are replaced by a focus on how we constructed the application and how to use cloud service provider (CSP) logging together with our instrumentation to gain a more holistic picture.

In development of the overall application, the process architecture is as important as the integrity of individual technical components. The team leadership of the application development should consider insider, CSP, and external threats, and consider questions like:

  • Who can modify the configuration?
  • How is it audited? Logged? Who monitors?
  • How do you discover rogue elements?
  • How are we separating development and production?
  • Do we have a strategy to manage exposure for updates through blue/green deployment?
  • Have we considered the larger CSP environment configuration to eliminate public management endpoints?
  • Should I use third-party tools to protect access to the cloud development and production environment’s management plane, such as a cloud access broker, together with cloud environmental tools to enumerate accounts and scan for common errors?

In the PaaS application construction, the integrity of basic code quality is magnified. The APIs and/or the initiation processes of serverless steps are the gateway to the data and other functions in the code. Development operations (DevOps) security should use available sources and tools to help protect the environment as new code is developed and deployed. These are a few ways to get your DevOps team started:

  • Use the OWASP REST Security Cheat Sheet for APIs and code making calls to other services directly.
  • Consider running tools from your CSP, such as the AWS Well-Architected Tool, on a regular basis.
  • Use wrappers and tie-ins to the CSP’s PaaS application, such as AWS Lambda Layers, to identify critical operational steps and use them to implement key security checks.
  • Use integrated automated fuzzing/static test tools to discover common missteps in code configuration early and address them as part of code updates.
  • Consider accountability expectations for your development team. How are team members encouraged to remain owners of code quality? What checks are necessary to reduce your risk before considering a user story or a specific implementation complete?

The data retained, managed, and created by PaaS applications has a critical value—without it, few PaaS applications would exist. Development teams need to work with larger security functions to consider the privacy requirements and security implications and to make decisions on things like data classification and potential threats. These threats can be managed, but the specific countermeasures often require a coordinated implementation between the code to access data stores, the data store configuration itself, and the dedicated development of separate data integrity functions, as well as a disaster recovery strategy.

Based on the identified risks, your team may want to consider:

  • Using data management steps to reduce the threat of data leakage (such as limiting the amount of data or records which can be returned in a given application request).
  • Looking at counters, code instrumentation, and account-based controls to detect and limit abuse.
  • Associating requests to specific accounts/application users in your logging mechanisms to create a trail for troubleshooting and investigation.
  • Recording data access logging to a hardened data store, and if the sensitivity/risk of the data store requires, transition logs to an isolated account or repository.
  • Asking your development team what the business impact might be of corrupting the value of your analysis, or the integrity of the data set itself (for example, by an otherwise authorized user injecting trash).
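
The first four controls in the list above (a cap on records per request, per-account counters, request-to-account logging, and a separate log sink), sketched as an added example that is not from the original post. The handler, class names, limits and in-memory stores are hypothetical stand-ins for a serverless step, its data store and a hardened log store.

```python
import json
import time
import uuid
from collections import defaultdict, deque

# Hypothetical limits; tune to the application's real access patterns.
MAX_RECORDS_PER_REQUEST = 100   # ceiling applied whatever the caller asks for
MAX_RECORDS_PER_WINDOW = 250    # per-account budget inside the sliding window
WINDOW_SECONDS = 60

# Constructed sample data store: 1,000 fake records.
DATA_STORE = [{"id": i, "value": f"record-{i}"} for i in range(1000)]


class AuditLog:
    """Append-only sink. Assumption: in production this writes to a hardened
    store in an isolated account; here it is an in-memory list."""

    def __init__(self):
        self._lines = []

    def write(self, **fields):
        self._lines.append(json.dumps(fields, sort_keys=True))

    def entries(self):
        return [json.loads(line) for line in self._lines]


class AccountBudget:
    """Sliding-window counter of records returned to each account."""

    def __init__(self, limit, window, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)  # account -> deque of (timestamp, count)

    def remaining(self, account):
        cutoff = self.clock() - self.window
        events = self._events[account]
        while events and events[0][0] <= cutoff:  # drop events outside the window
            events.popleft()
        return max(0, self.limit - sum(count for _, count in events))

    def charge(self, account, count):
        if count:
            self._events[account].append((self.clock(), count))


def handle_request(event, budget, audit, store=DATA_STORE):
    """One serverless step: validate, cap, serve, and log against the account."""
    request_id = str(uuid.uuid4())
    account = event.get("account_id")
    base = {"request_id": request_id, "account_id": account, "ts": budget.clock()}

    def reply(status, records, **log_fields):
        audit.write(**base, returned=len(records), **log_fields)
        return {"status": status, "records": records, "request_id": request_id}

    if not isinstance(account, str) or not account:
        return reply(401, [], outcome="rejected", reason="missing_account")

    requested = event.get("limit", MAX_RECORDS_PER_REQUEST)
    offset = event.get("offset", 0)
    # type(...) is int also rejects booleans, which are an int subclass.
    if type(requested) is not int or type(offset) is not int \
            or requested < 1 or offset < 0:
        return reply(400, [], outcome="rejected", reason="bad_paging")

    allowed = min(requested, MAX_RECORDS_PER_REQUEST, budget.remaining(account))
    if allowed == 0:
        return reply(429, [], outcome="throttled",
                     reason="window_budget_exhausted", requested=requested)

    records = store[offset:offset + allowed]
    budget.charge(account, len(records))
    return reply(200, records, outcome="ok", requested=requested,
                 offset=offset, capped=requested > allowed)


if __name__ == "__main__":
    budget = AccountBudget(MAX_RECORDS_PER_WINDOW, WINDOW_SECONDS)
    audit = AuditLog()
    # An over-sized request is served, but only up to the per-request cap.
    handle_request({"account_id": "acct-a", "limit": 5000}, budget, audit)
    for offset in (100, 200, 250):  # keep paging until the budget runs out
        handle_request({"account_id": "acct-a", "offset": offset}, budget, audit)
    for entry in audit.entries():
        print(entry["account_id"], entry["outcome"], entry["returned"])
```

A run of `capped` or `throttled` entries for one account in the audit trail is the kind of signal the counters are there to surface.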

PaaS applications offer compelling value, economies of scale, new capabilities, and access to advanced processing otherwise out of reach for many organizations in traditional infrastructure. These services require careful planning, coordination of security operations and development teams, and a commitment to architecture in both technical development and managing risk through organizational process. Failing to consider and invest in these areas while rushing headlong into new PaaS tools might lead your team to discover that your app has sprung a leak!

The post Our PaaS App Sprung a Leak appeared first on McAfee Blogs.

Third Party Security Risks to Consider and Manage

Guest article by Josh Lefkowitz, CEO of Flashpoint
 
Acceptable business risks must be managed, and none more so than those associated with external vendors who often have intimate access to infrastructure or business data. As we’ve seen with numerous breaches where attackers were able to leverage a weakness in a contractor or service provider, third-party risk must be assessed and mitigated during the early stages of such a partnership, as well as throughout the relationship.
 
The following tips can help security decision makers more effectively address the risks posed by relationships with technology vendors.
 
Do Your Homework
Conducting thorough due diligence on a prospective vendor is essential. Organisations could evaluate technical and regulatory risk through due diligence questionnaires, for example, or even on-site visits if necessary. The point is to evaluate not only a third party’s information security risk, but compliance with regulations such as GDPR for privacy and PCI DSS for payment card security, for example. An organisation may also want to evaluate a third party’s adherence to industry standards such as NIST or ISO in certain security- and privacy-related areas.
 
Next, consider what this compliance information doesn’t tell you. What do you still need to learn about the vendor’s security posture before deciding whether you’re comfortable with it? Think about what questions you still have and, if possible, seek answers from the vendor’s appropriate security contact. Here are some questions to pose: 
  • When was your last penetration test? Is your remediation on schedule?
  • Have you documented security incidents? How did you remediate those incidents?
  • Do you have the result of your last business continuity test? If yes, can you share it?
  • What security controls exist for your users? Do they use multifactor authentication, etc.?
  • How are you maturing your security program?
  • Are you ISO, SOC 1/SOC 2, and NIST Compliant, and is there documentation to support this? 
Additional Security: It’s All in the Controls
If you’re unsatisfied with the answers from a potential partner regarding their security, it’s OK to walk away, especially if you make the determination that working with the vendor may not be critical to your business.  

That’s not always the case, however. If you must partner with a particular third party and if no other reputable vendors offer anything comparable, you will likely need to implement additional technical and/or policy controls to mitigate the security risks associated with your business’s use of the offering, such as:
 
Technical
These are typically restrictions on the access and/or technical integrations of vendor offerings. For example, if a product is web-based but unencrypted, consider blocking users on your network from accessing its website; provided the proper authentication is in place, use its API instead. In most cases, there are two options, remediation or compensating controls:
  • Remediation: Can you work with the vendor to remediate the technical risk?
  • Compensating controls: If you cannot remediate the risks entirely, can you establish technical compensating controls to minimise or deflect the risk?
Policy
These are policies that users of the offering should follow, such as limits on the types and amounts of data that can be input securely. Some typical policy scenarios include:
  • Regulatory compliance: For example, a vendor’s non-compliance could mandate you walk away from a third-party relationship.
  • Contractual obligations: Are there contractual obligations in place with your existing clients that prevent you from working with vendors who don’t meet certain security and privacy standards?
  • Security best practices: Ensure your policies around risk are enforced and determine whether they may conflict with your vendors’ policies.
Asset Inventory is a Must
There are several reasons why it’s imperative to know which of your business’s assets the vendor will be able to store and/or access. For one, this knowledge can help identify and shape any additional security controls. Second, having this knowledge on hand is crucial should the vendor suffer a breach. Knowing exactly what assets were impacted, as well as who is doing what with your inventory, can expedite your response and identify and mitigate any exposure efficiently and effectively.
 
Response Plans Must Include Partners
Before finalising a vendor relationship, it’s crucial to use all the information gathered during your due diligence process to construct a response plan in preparation for any future incidents the vendor might experience. Tracking the assets to which your vendor has access is one component of an effective response plan. Others include courses of action to mitigate exposure, disclosure and notification procedures, external communications strategies, and plans to re-evaluate the vendor’s security and remediation following an incident.
 
The most effective way to manage vendor risk is not to work with any external vendors in the first place, which isn’t a feasible strategy. The most secure and successful vendor relationships are rooted in preparation and transparency. Thoroughly understanding all facets of a vendor’s security program, implementing additional controls as needed to appropriately safeguard your business’s assets, and being prepared to respond to future incidents can go a long way toward reducing business risks associated with any vendor relationship.
Josh Lefkowitz, CEO of Flashpoint

McAfee Web Security offers a more flexible approach to Data Privacy

Post GDPR, there is still a lot of complexity in data privacy and data residency requirements. Depending on where they are located, what industry they are in, and how diverse their customer base is, companies are requiring a high degree of flexibility in the tools they use for web security. While most web security products in the market today simply document their data handling practices as a part of GDPR compliance, McAfee strives to give customers more flexibility to implement the level of data privacy appropriate for their business.  Most of our McAfee Web Protection customers use our technologies to manage employee web traffic, which requires careful handling when it comes to processing Personal Data.

Our latest update to the McAfee Web Gateway Cloud Service introduced two key features for customers to implement their data privacy policies:

  • Concealment of Personal Data in internal reporting: We enable you to conceal or pseudonymize certain fields in our access logs. You can still report on the data but Personal Data is obfuscated. As an example, you can report on how much your Top Web Users surfed the Internet, but administrators cannot identify who that top user is.

  • Full control of data residency: Especially in heavily regulated industries, many of our customers have asked for the ability to control where their log data goes so that they have control over data residency. We give you that control. For example, you can currently select between the EU and US as data storage points for users connecting in each geographical region. Additional finer control can be achieved by configuring client proxy settings, or through Hybrid policy. And, in conjunction with Content Security Reporter 2.6, customers can centrally report on all the data, while providing access control on the generated reports.

As a globally dispersed organization, there are of course still limits to what we can offer – our support and engineering teams, for instance, might need to access data for troubleshooting purposes from other geographies.  Telemetry and other data required to operate the service would still be global.  But to the extent that we can, with the access logs that contain PII, customers want more control.

McAfee Web Gateway Cloud Service is built for the enterprise, and many organizations will gain a higher level of performance than they currently experience on premises. As your security team continues to manage highly sophisticated malware and targeted attacks that evade traditional defences, McAfee Web Gateway Cloud Service allows you to go beyond basic protection, with behaviour emulation that prevents zero-day malware in milliseconds as traffic is processed.

The post McAfee Web Security offers a more flexible approach to Data Privacy appeared first on McAfee Blogs.

How to Safeguard Your Family Against A Medical Data Breach

The risk to your family’s healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out or in the online application for healthcare you completed.

That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.

It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.

Breaches on the Rise

Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.

A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, with 75% of the breached, lost, or stolen records being breached by a hacking or IT incident, at a cost to consumers of nearly $6 billion.

The IoT Factor

Not only are medical facilities vulnerable to hackers, but with the growth of the Internet of Things (IoT), which in short means everything is digitally connected to everything else, consumer products also provide entry points for hackers. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, and heart and blood pressure monitors.

To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.

The Dark Web

The engine driving healthcare attacks of all kinds is the Dark Web where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.

With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.

Some of the most valuable data to criminals is children’s health information (stolen from pediatrician offices), since a child’s credit records are clean and are more useful tools in credit card fraud.

According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.

“The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” says Samani.

Healthcare professionals, hospitals, and health insurance companies give criminals an entry point and bear responsibility, but they aren’t the bad guys. They are being fined by the government for breaches and lack of proper security, and targeted and extorted by cyber crooks, while simultaneously focusing on patient care and outcomes. Another factor working against them is the lack of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.

Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker matters. There are some things you can do to strengthen your family’s healthcare data practices.

Ways to Safeguard Medical Data

Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.

Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.

Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.

Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.

Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.

How to Protect IoT Devices

According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.

  • Change default usernames and passwords
  • Isolate IoT devices on their own protected networks
  • Configure network firewalls to inhibit traffic from unauthorized IP addresses
  • Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
  • Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
  • Ensure devices and their associated security patches are up-to-date
  • Apply cybersecurity best practices when connecting devices to a wireless network
  • Invest in a secure router with appropriate security and authentication practices

The post How to Safeguard Your Family Against A Medical Data Breach appeared first on McAfee Blogs.

e-Crime & Cybersecurity Congress: Cloud Security Fundamentals

I was a panellist at the e-Crime & Cybersecurity Congress last week; the discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond'. Here is a recap of the points I made.

Cloud is the 'Default Model' for Business

Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes successful businesses continually crave. Indeed, the 'economies of scale' benefits are not just more cost-effective and more agile IT services, but also include better cybersecurity (by the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business' cloud service migration, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given they ultimately own the cybersecurity risk, which is an operational business risk.

There are security pitfalls with cloud services. The marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure; after all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.

Cloud Security should not be an afterthought

It is essential for security to be baked into a new cloud service's design, its requirements determination, and the procurement process, in particular by defining and documenting the areas of security responsibility with the intended cloud service provider.

Cloud does not absolve the business of their security responsibilities

All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibilities to define and document:
  • Cloud Service Provider Owned
  • Business Owned
  • Shared (Cloud Service Provider & Business)

For example, with a PaaS model, the business is fully responsible for application deployment onto the cloud platform, and therefore the security of applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. An example of 'shared' responsibility with this model is the processes for providing and managing privileged operating system accounts within the cloud environment.

Regardless of the cloud model, data is always the responsibility of the business.


A "Trust but Verify" approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where those security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within a contract or in a supporting agreement as service deliverables, then oversee the controls and processes through regular assessments.

Cyber Security Roundup for February 2019

The perceived threat posed by Huawei to the UK national infrastructure continued to make the headlines throughout February, as politicians, UK government agencies and the Chinese telecoms giant continued to play out their rather public spat in the media. See my post Is Huawei a Threat to UK National Security? for further details, and also why DDoS might be the greater threat to 5G than Huawei-supplied network devices.

February was a rather quiet month for hacks and data breaches in the UK; Mumsnet reported a minor data breach following a botched upgrade, and that was about it. The month was a busy one for security updates, with Microsoft, Adobe and Cisco all releasing high numbers of patches to fix various security vulnerabilities, including several released outside of their scheduled monthly patch release cycles.

A survey by PCI Pal concluded the consequences of a data breach had a greater impact in the UK than the United States, in that UK customers were more likely to abandon a company when let down by a data breach. The business reputational impact should always be taken into consideration when risk assessing security.


Another survey of interest was conducted by Nominet, who polled 408 Chief Information Security Officers (CISOs) at midsize and large organisations in the UK and the United States. A whopping 91% of the respondents admitted to experiencing high to moderate levels of stress, with 26% saying the stress had led to mental and physical health issues, and 17% saying they had turned to alcohol. The contributing factors for this stress were job security, inadequate budget and resources, and a lack of support from the board and senior management. A CISO role can certainly be a poisoned chalice, so it's really no surprise most CISOs don't stay put for long.

A Netscout Threat Landscape Report declared that in the second half of 2018, cyber attacks against IoT devices and DDoS attacks had both risen dramatically. Fuelled by the compromise of high numbers of IoT devices, the number of DDoS attacks in the 100GBps to 200GBps range increased 169%, while those in the 200GBps to 300GBps range exploded 2,500%. The report concluded cybercriminals had built and used cheaper, easier-to-deploy and more persistent malware, and cyber gangs had implemented this higher level of efficiency by adopting the same principles used by legitimate businesses. These improvements have helped malicious actors greatly increase the number of medium-size DDoS attacks while infiltrating IoT devices even quicker.

In a rare speech, Jeremy Fleming, the head of GCHQ, warned the internet could deteriorate into "an even less governed space" if the international community doesn't come together to establish a common set of principles. He said "China, Iran, Russia and North Korea" had broken international law through cyber attacks, and made the case for when "offensive cyber activities" were good, saying "their use must always meet the three tests of legality, necessity and proportionality. Their use, in particular to cause disruption or damage - must be in extremis". Clearly international law wasn't developed with cyber space in mind, so it looks like GCHQ are attempting to raise awareness to remedy that.

I will be speaking at the e-crime Cyber Security Congress in London on 6th March 2019, on cloud security, new business metrics, future risks and priorities for 2019 and beyond.

Finally, completely out of the blue, I was informed by 4D that this blog had been picked by a team of their technical engineers and Directors as one of the best Cyber Security Blogs in the UK: The 6 Best Cyber Security Blogs - A Data Centre's Perspective. Truly humbled and in great company to be on that list.
