Category Archives: cloud

New wave of affordable silicon leading to greater IoT project success

With up to 75 percent of remote device management projects deemed “not successful” in 2020, IoT deployments have been limited in realizing their full potential.

Path to IoT project success

However, a new wave of affordable silicon that provides a wide array of features and functionality, together with the maturation of pre-packaged software, will lead to a substantial increase in IoT project success in the upcoming year, predict experts at Sequitur Labs. According to … More

The post New wave of affordable silicon leading to greater IoT project success appeared first on Help Net Security.

84% of global decision makers accelerating digital transformation plans

Unit4 surveyed business and IT decision makers and users working in service industries in August and September 2020, to understand how well organizations are embracing innovation and adapting to the challenges of the pandemic.

Growing people-centric innovation

The study shows that 84% of global decision makers are accelerating their digital transformation plans, in response to growing demands from users, who want more flexibility to work remotely in the future. During COVID-19, global decision makers cited … More

The post 84% of global decision makers accelerating digital transformation plans appeared first on Help Net Security.

Secure Configuration in the Cloud: IaaS, PaaS and SaaS Explained

If I had asked you ten years ago what security products you had in place to manage risk within your IT organization, you would probably have listed half a dozen different tools and confidently mentioned that most of your infrastructure was covered by a set of key products such as antivirus, DLP, firewalls, etc. But in a world […]… Read More

The post Secure Configuration in the Cloud: IaaS, PaaS and SaaS Explained (originally published in Spanish as “Configuración segura en la nube – Explicación de IaaS, PaaS y SaaS”) appeared first on The State of Security.

Top digital security worries when it comes to remote employees

26% of remote workers have experienced a cyber attack personally, while 45% of employers have asked their employees to use their personal devices for work since the start of the pandemic, according to Microsoft research. The study surveyed 500 employees and 200 business decision makers in September 2020 about remote working, digital security behaviours, and the worries they now face.

Retrofitting cybersecurity

The accelerated transition to homeworking is placing pressure on organizations to support … More

The post Top digital security worries when it comes to remote employees appeared first on Help Net Security.

Emerging Public Cloud Security Challenges in 2020 and Beyond

According to last year’s Gartner forecast, public cloud services are anticipated to grow to $USD 266.4 billion by the end of this year, up from $USD 227.8 billion just a year ago. Clearly, cloud computing is making its way to cloud nine, (See what I did there?) leveraging the sweet fruits of being in the […]… Read More

The post Emerging Public Cloud Security Challenges in 2020 and Beyond appeared first on The State of Security.

SMBs eagerly adopting IaaS, 60% prefer resellers over providers

As the “as-a-service” cloud model revolutionizes the way businesses of all sizes use technology, a study released by AppDirect reveals that SMBs are eagerly adopting infrastructure as a service (IaaS) and that they prefer to purchase solutions from resellers. The report also found that 72% of SMBs already run most of their workloads in the cloud, and that eight out of 10 plan to increase their IaaS spend over the next three years. SMBs increasingly … More

The post SMBs eagerly adopting IaaS, 60% prefer resellers over providers appeared first on Help Net Security.

Why most cloud journeys begin with application modernization

Security and compliance are always critical, but integrating across a hybrid cloud is a big hurdle for moving forward.

Canadian organizations encounter three common hurdles as they transition to cloud-based platforms, says IBM’s lead for hybrid multi-cloud services and Red Hat offerings. Speaking at a recent roundtable hosted by tech analyst IDC and sponsored by…

The post Why most cloud journeys begin with application modernization first appeared on IT World Canada.

Why payroll security should be handled by the cloud in the new normal

Companies have been hesitant to shift certain workloads to the cloud. Payroll, for instance, has largely been kept on-premises. Having your head in the cloud might not be a bad idea anymore.

The post Why payroll security should be handled by the cloud in the new normal first appeared on IT World Canada.

Home Trust quickly pivots during pandemic with IBM Cloud and VMware

The COVID-19 pandemic has been one of the greatest challenges that businesses have faced in their lifetime. But Home Trust — a financial services institution with about 1,000 employees — was ready for it, thanks to a cloud migration the previous year. “On Friday the 13th, the reality of COVID became apparent and we had…

The post Home Trust quickly pivots during pandemic with IBM Cloud and VMware first appeared on IT World Canada.

93% of businesses are worried about public cloud security

Bitglass released a report which uncovers whether organizations are properly equipped to defend themselves in the cloud. IT and security professionals were surveyed to understand their top security concerns and identify the actions that enterprises are taking to protect data in the cloud.

Orgs struggling to use cloud-based resources safely

93% of respondents were moderately to extremely concerned about the security of the public cloud. The report’s findings suggest that organizations are struggling to use … More

The post 93% of businesses are worried about public cloud security appeared first on Help Net Security.

Hybrid environments driving positive business impact amid pandemic

Nutanix announced the findings of its survey and research report, which measures enterprise progress with adopting private, hybrid and public clouds. This year, survey respondents were also asked about the impact of the COVID-19 pandemic on current and future IT decisions and strategy. Hybrid cloud is still the frontrunner as the ideal IT infrastructure model (86% of respondents think so), and respondents running hybrid environments are more likely to plan to focus on strategic efforts … More

The post Hybrid environments driving positive business impact amid pandemic appeared first on Help Net Security.

Are you making zero progress on Zero Trust? Here’s how to get started

Organizations should press forward more urgently on adopting Zero Trust because traditional approaches to cybersecurity aren’t working anymore. It’s no longer enough to protect the perimeter, said Chris Ruetz, AVP and Country Manager for CyberArk, at a CanadianCIO Virtual Roundtable. “Perimeters are falling down now due to remote work and the cloud,” he said. “Zero…

The post Are you making zero progress on Zero Trust? Here’s how to get started first appeared on IT World Canada.

Network traffic and consumption trends in 2020

As COVID-19 lockdown measures were implemented in March-April 2020, consumer and business behavioral changes transformed the internet’s shape and how people use it virtually overnight. Many networks experienced a year’s worth of traffic growth (30-50%) in just a few weeks, Nokia reveals. By September, traffic had stabilized at 20-30% above pre-pandemic levels, with further seasonal growth to come. From February to September, there was a 30% increase in video subscribers, a 23% increase in VPN … More

The post Network traffic and consumption trends in 2020 appeared first on Help Net Security.

2021 predictions for the Everywhere Enterprise

As we near 2021, it seems that the changes to our working life that came about in 2020 are set to remain. Businesses are transforming as companies continue to embrace remote working practices to adhere to government guidelines. What does the next year hold for organizations as they continue to adapt in the age of the Everywhere Enterprise?

We will see the rush to the cloud continue

The pandemic saw more companies than ever move … More

The post 2021 predictions for the Everywhere Enterprise appeared first on Help Net Security.

How a move to the cloud can improve disaster recovery plans

COVID-19 and the subsequent global recession have thrown a wrench into IT spending. Many enterprises have placed new purchases on hold. Gartner recently projected that global spending on IT would drop 8% overall this year — and yet dollars allocated to cloud-based services are still expected to rise by approximately 19 percent, bucking that downward trend. Underscoring the relative health of the cloud market, IDC reported that all growth in traditional tech spending will be … More

The post How a move to the cloud can improve disaster recovery plans appeared first on Help Net Security.

Harry Rosen brings its personalized in-store experience online

Can a high-end retailer offer a digital customer experience that matches the personalized service it’s known for in-store? Can a decades-old company undergo digital transformation and stay true to who they are? Harry Rosen did just that, with the help of IBM Cloud and Kubernetes. Founded in 1954, the high-end Canadian men’s clothing retailer is…

The post Harry Rosen brings its personalized in-store experience online first appeared on IT World Canada.

Under Analytics

Back when network management was booming in the early 1990s, the whole idea seemed straightforward. System administrators would speak of endpoints on the network as being “under management” or conversely “unmanaged.” There seemed to be a place for everything, and looking back now at those times, enterprises seemed so simple compared to today. Maybe simple is not the right term; maybe they just seemed more orderly compared to the modern network landscape.

At some point, hackers showed up and names like “under management” or “unmanaged network elements” made little difference to them. I remember security folks in the early days joking that SNMP (Simple Network Management Protocol) stood for “Security Not My Problem.” An insecure network meant that you had an insecure business! The experienced security architect knows that whether the system is under management, under someone else’s management, or completely unmanaged, if that system is part of the business, it is still their job to secure it. To put it another way, while management of systems can span certain, more specific information systems, security must always be as wide as the business.

I would like to suggest a new term and concept for our vocabulary: “under analytics.” I think of it as a conceptual means to discuss whether areas of your digital business have enough visibility for continuous monitoring of their integrity. Why not just call it “under management?” Because more and more these days, you are NOT the one managing that area of the network. It might be the cloud service provider managing it, but it is still your problem if something gets hacked. You can then speak of observable domains as having certain requirements that satisfy the type of analytics you would like to perform.

There are many types of observable domains to consider, so let’s talk about some here. Back in the day, there was just your enterprise network. Then, when folks connected to the internet, internal, external and even DMZ networks were referenced as observable network domains. These days, you also have to deal with public cloud workloads, Kubernetes clusters, mobile devices, etc. Let’s just say that you can speak of having any number of observable domains for which you require telemetry that will get you the visibility required to detect the most advanced threat actors in those domains.

For each of these observable domains, there will need to be telemetry. Telemetry is the data that represents changes in that domain and feeds your behavioral analytics outcomes. You could make a list of the competency questions you would want to answer from these analytical outcomes.

  • Are there any behaviors that suggest my systems have been compromised?
  • Are there any behaviors that suggest some credential has been compromised?
  • Are there any behaviors that suggest a threat actor is performing reconnaissance?

My suggestion is that you begin with these questions and then hold security analytics to them to see if they are competent to answer them daily, weekly, monthly, etc.

From there, you can go one step further and start to consider and look into scenarios like the following:

  • We have a new partner network, is it “under analytics?”
  • We have a new SaaS service, is it “under analytics?”
  • This company has a new cloud deployment, do we know if it is “under analytics?”
  • What part of our digital business is not “under analytics?”

How well do you know your digital business behavior when it is 100% without compromise? How would you even go about answering this? The truth is, you really do need to get to this level, because if you don’t, threat actors will. Even if parts of the business use SaaS products while other parts run on Infrastructure as a Service (IaaS), you can still set the requirement that there must be a sufficient amount of telemetry and analytics to answer the questions above. Your business must always remain “under analytics,” and only then will you be one step ahead of your attackers.
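As an added example that is not part of the Cisco post, the following Python puts the coverage scenarios and the three competency questions to a small set of telemetry. The domain inventory, the baseline of known-good server flows, the addresses and the events are all constructed for illustration; the first-octet comparison in the credential check is a crude stand-in for a real geo/ASN lookup, and the thresholds (ten ports in five minutes, two networks in ten minutes) are assumptions you would tune against your own baseline.

```python
"""Added example (not from the Cisco post): which observable domains are "under
analytics", and what the telemetry says about the three competency questions.
Every domain, feed, address and event below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Observable domains -> telemetry feeds that actually reach the analytics platform.
# Constructed inventory; the partner network and the SaaS tenant have no feed at all.
DOMAINS = {
    "corp-lan": ["netflow", "auth"],
    "aws-prod": ["cloudtrail", "vpc-flow"],
    "k8s-cluster": ["audit-log"],
    "partner-net-acme": [],
    "saas-crm": [],
}

T0 = datetime(2020, 11, 2, 9, 0)


def ev(minute, kind, src, dst=None, dport=None, user=None, outcome=None):
    """Build one normalized telemetry record (constructed data)."""
    return {"ts": T0 + timedelta(minutes=minute), "kind": kind, "src": src,
            "dst": dst, "dport": dport, "user": user, "outcome": outcome}


# Learned-good outbound flows for internal servers: what "100% without compromise" looked like.
BASELINE = {("10.1.0.5", "203.0.113.10", 443)}

EVENTS = [
    ev(0, "flow", "10.1.0.5", "10.1.0.20", 5432),           # app server -> database, internal
    ev(1, "flow", "10.1.0.5", "203.0.113.10", 443),         # app server -> known API, in baseline
    ev(2, "flow", "10.1.0.20", "198.51.100.7", 4444),       # database server -> unknown host: Q1
    ev(3, "auth", "10.1.0.50", user="alice", outcome="success"),
    ev(9, "auth", "198.51.100.23", user="alice", outcome="success"),  # same account, new network: Q2
    ev(12, "auth", "10.1.0.51", user="bob", outcome="success"),
] + [ev(10, "flow", "10.1.0.77", "10.1.0.20", p)            # one source, 12 ports in a minute: Q3
     for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389)]


def not_under_analytics(domains):
    """Scenario check: which observable domains send no telemetry at all?"""
    return sorted(name for name, feeds in domains.items() if not feeds)


def compromised_systems(events, baseline, internal="10."):
    """Q1: an internal server opening an outbound connection the baseline has never seen."""
    found = set()
    for e in events:
        if e["kind"] == "flow" and e["src"].startswith(internal) and not e["dst"].startswith(internal):
            if (e["src"], e["dst"], e["dport"]) not in baseline:
                found.add((e["src"], e["dst"], e["dport"]))
    return sorted(found)


def compromised_credentials(events, window=timedelta(minutes=10)):
    """Q2: one account succeeding from two different source networks inside the window.
    Comparing the first octet is a stand-in for a real geo/ASN lookup (assumption)."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e["outcome"] == "success":
            by_user[e["user"]].append(e)
    found = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["src"].split(".")[0] != b["src"].split(".")[0] and b["ts"] - a["ts"] <= window:
                found.append((user, a["src"], b["src"]))
    return found


def reconnaissance(events, min_ports=10, window=timedelta(minutes=5)):
    """Q3: one source touching many distinct ports on one destination within the window."""
    first_seen, ports = {}, defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "flow":
            continue
        key = (e["src"], e["dst"])
        first_seen.setdefault(key, e["ts"])
        if e["ts"] - first_seen[key] <= window:
            ports[key].add(e["dport"])
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


def report(domains=DOMAINS, events=EVENTS, baseline=BASELINE):
    """Answer the coverage question and the three competency questions in one pass."""
    return {
        "not_under_analytics": not_under_analytics(domains),
        "compromised_systems": compromised_systems(events, baseline),
        "compromised_credentials": compromised_credentials(events),
        "reconnaissance": reconnaissance(events),
    }


if __name__ == "__main__":
    for question, answer in report().items():
        print(f"{question}: {answer}")
```

The point of the first function is the one the post makes: a domain with no feed at all cannot answer any of the three questions, no matter how good the analytics behind it are, so the coverage report belongs in the same output as the detections.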

To learn more, visit the Cisco Secure Network Analytics webpage.

Making history: The pandemic, disaster recovery and data protection

It was an accomplishment for the ages: within just a couple of days, IT departments hurriedly provided millions of newly homebound employees online access to the data and apps they needed to remain productive. Some employees were handed laptops as they left the building, while others made do with their own machines. Most connected to their corporate services via VPNs. Other companies harnessed the cloud and software and infrastructure services (SaaS, IaaS). Bravo, IT! Not … More

The post Making history: The pandemic, disaster recovery and data protection appeared first on Help Net Security.

Enterprises embrace Kubernetes, but lack security tools to mitigate risk

Businesses increasingly embrace the moving of multiple applications to the cloud using containers and utilize Kubernetes for orchestration, according to Zettaset. However, findings also confirm that organizations are inadequately securing the data stored in these new cloud-native environments and continue to leverage existing legacy security technology as a solution. Businesses are faced with significant IT-related challenges as they strive to keep up with the demands of digital transformation. Now more than ever to maintain a … More

The post Enterprises embrace Kubernetes, but lack security tools to mitigate risk appeared first on Help Net Security.

3 Must-dos to Secure Your Applications

Applications can be thought of as living and evolving pieces of your organization. They are unique, constantly changing and running everywhere. From the time they are written by developers, to being tested, deployed and finally hitting runtime, the application journey leaves room for an increased attack surface. Let’s explore how you can keep in lockstep with securing apps with these three must-dos:

1. Secure the workloads that apps run on

Protecting workloads is the most dynamic way to ensure security for applications and the environments that run them. Cisco Secure Workload protects your applications by generating app-behavior-driven policies and enforcing them across any multi-cloud environment.

2. Secure access to apps across all users and devices

It is critical for all organizations to establish the trustworthiness of every user and device that accesses their applications. Cisco’s Duo Beyond enables you to establish user-device trust and secure access to applications. This helps you identify corporate versus personal devices with easy certificate deployment, block untrusted endpoints, and give users secure access to internal applications without using a VPN.

3. Monitor how apps perform, to detect and remediate anomalies

Take advantage of application performance monitoring tools to give your organization visibility into application functions so it can manage any sudden anomalies at runtime. Cisco AppDynamics is a leading application performance monitoring solution providing deep insight into transaction behavior and metrics for applications running in public and private cloud environments. Having this insight will let you and your teams stay ahead of unpredictable cases, including potential security threats.

While there are many solutions out there to prevent threats at different points of your organization, securing applications requires new thinking and a unique set of solutions that remain continuous as the applications evolve. Cisco App-First Security brings together a comprehensive set of products that help your developer and security teams deliver together. The best way to learn more about these products is to try their free trials; Duo and AppD are offering them now.

In addition, Cisco DevNet gives you plenty of help for your learning journey. The new DevNet learning track and accompanying DevNet Sandbox give you a hands-on, immersive experience. You can also find docs and other resources on the new Cisco Application-First Security website.

 

Building a Security Alliance with Your Cloud Partners

As more infrastructure is moved to the cloud, there are many opportunities to reconsider your security stance and relationships to build ever stronger and more secure IT solutions whilst reducing your security costs. In this post, I’m looking to explore some ways that you can build out your alliances to be better prepared and battle-worthy […]… Read More

The post Building a Security Alliance with Your Cloud Partners appeared first on The State of Security.

Happy Birthday TaoSecurity.com


Nineteen years ago this week I registered the domain taosecurity.com:

Creation Date: 2000-07-04T02:20:16Z

This was 2 1/2 years before I started blogging, so I don't have much information from that era. I did create the first taosecurity.com Web site shortly thereafter.

I first started hosting it on space provided by my then-ISP, Road Runner of San Antonio, TX. According to archive.org, it looked like this in February 2002.


That is some fine-looking vintage hand-crafted HTML. Because I lived in Texas I apparently reached for the desert theme with the light tan background. Unfortunately I didn't have the "under construction" gif working for me.

As I got deeper into the security scene, I decided to simplify and adopt a dark look. By this time I had left Texas and was in the DC area, working for Foundstone. According to archive.org, the site looked like this in April 2003.


Notice I've replaced the oh-so-cool picture of me doing American Kenpo in the upper-left-hand corner with the classic Bruce Lee photo from the cover of The Tao of Jeet Kune Do. This version marks the first appearance of my classic TaoSecurity logo.

A little more than two years later, I decided to pursue TaoSecurity as an independent consultant. To launch my services, I painstakingly created more hand-written HTML and graphics to deliver this beauty. According to archive.org, the site looked like this in May 2005.


I mean, can you even believe how gorgeous that site is? Look at the subdued gray TaoSecurity logo, the red-highlighted menu boxes, etc. I should have kept that site forever.

We know that's not what happened, because that wonder of a Web site only lasted about a year. Still to this day not really understanding how to use CSS, I used a free online template by Andreas Viklund to create a new site. According to archive.org, the site appeared in this form in July 2006.


After four versions in four years, my primary Web site stayed that way... for thirteen years. Oh, I modified the content, SSH'ing into the server hosted by my friend Phil Hagen, manually editing the HTML using vi (and careful not to touch the CSS).

Then, I attended AWS re:inforce the last week in June, 2019. I decided that although I had tinkered with Amazon Web Services as early as 2010, and was keeping an eye on it as early as 2008, I had never hosted any meaningful workloads there. A migration of my primary Web site to AWS seemed like a good way to learn a bit more about AWS and an excuse to replace my teenage Web layout with something that rendered a bit better on a mobile device.

After working with Mobirise, AWS S3, AWS Cloudfront, AWS Certificate Manager, AWS Route 53, my previous domain name servers, and my domain registrar, I'm happy to say I have a new TaoSecurity.com Web site. The front page looks like this:


The background is an image of Milnet from the late 1990s. I apologize for the giant logo in the upper left. It should be replaced by a resized version later today when the AWS Cloudfront cache expires.

Scrolling down provides information on my books, which I figured is what most people who visit the site care about.


For reference, I moved the content (which I haven't updated) about news, press, and research to individual TaoSecurity Blog posts.

It's possible you will not see the site, if your DNS servers have the old IP addresses cached. That should all expire no later than tomorrow afternoon, I imagine.

Let's see if the new site lasts another thirteen years?

Thoughts on Cloud Security

Recently I've been reading about cloud security and security with respect to DevOps. I'll say more about the excellent book I'm reading, but I had a moment of déjà vu during one section.

The book described how cloud security is a big change from enterprise security because it relies less on IP-address-centric controls and more on users and groups. The book talked about creating security groups, and adding users to those groups in order to control their access and capabilities.

As I read that passage, it reminded me of a time long ago, in the late 1990s, when I was studying for the MCSE, then called the Microsoft Certified Systems Engineer. I read the book at left, Windows NT Security Handbook, published in 1996 by Tom Sheldon. It described the exact same security process of creating security groups and adding users. This was core to the new NT 4 role based access control (RBAC) implementation.

Now, fast forward a few years, or all the way to today, and consider the security challenges facing the majority of legacy enterprises: securing Windows assets and the data they store and access. How could this wonderful security model, based on decades of experience (from the 1960s and 1970s no less), have failed to work in operational environments?

There are many reasons one could cite, but I think the following are at least worthy of mention.

The systems enforcing the security model are exposed to intruders.

Furthermore:

Intruders are generally able to gain code execution on systems participating in the security model.

Finally:

Intruders have access to the network traffic which partially contains elements of the security model.

From these weaknesses, a large portion of the security countermeasures of the last two decades have been derived as compensating controls and visibility requirements.

The question then becomes:

Does this change with the cloud?

In brief, I believe the answer is largely "yes," thankfully. Generally, the systems upon which the security model is being enforced are not able to access the enforcement mechanism, thanks to the wonders of virtualization.

Should an intruder find a way to escape from their restricted cloud platform and gain hypervisor or management network access, then they find themselves in a situation similar to the average Windows domain network.

This realization puts a heavy burden on the cloud infrastructure operators. The major players are likely able to acquire and apply the expertise and resources to make their infrastructure far more resilient and survivable than their enterprise counterparts.

The weakness will likely be their personnel.

Once the compute and network components are sufficiently robust from externally sourced compromise, then internal threats become the next most cost-effective and return-producing vectors for dedicated intruders.

Is there anything users can do as they hand their compute and data assets to cloud operators?

I suggest four moves.

First, small- to mid-sized cloud infrastructure users will likely have to piggyback or free-ride on the initiatives and influence of the largest cloud customers, who have the clout and hopefully the expertise to hold the cloud operators responsible for the security of everyone's data.

Second, lawmakers may also need improved whistleblower protection for cloud employees who feel threatened by revealing material weaknesses they encounter while doing their jobs.

Third, government regulators will have to ensure no cloud provider assumes a monopoly, or no two providers assume a duopoly. We may end up with the three major players and a smattering of smaller ones, as is the case with many mature industries.

Fourth, users should use every means at their disposal to select cloud operators not only on their compute features, but on their security and visibility features. The more logging and visibility exposed by the cloud provider, the better. I am excited by new features like the Azure network tap and hope to see equivalent features in other cloud infrastructure.

Remember that security has two main functions: planning/resistance, to try to stop bad things from happening, and detection/response, to handle the failures that inevitably happen. "Prevention eventually fails" is one of my long-time mantras. We don't want prevention to fail silently in the cloud. We need ways to know that failure is happening so that we can plan and implement new resistance mechanisms, and then validate their effectiveness via detection and response.

Update: I forgot to mention that the material above assumed that the cloud users and operators made no unintentional configuration mistakes. If users or operators introduce exposures or vulnerabilities, then those will be the weaknesses that intruders exploit. We've already seen a lot of this happening and it appears to be the most common problem. Procedures and tools which constantly assess cloud configurations for exposures and vulnerabilities due to misconfiguration or poor practices are a fifth move which all involved should make.

A corollary is that complexity can drive problems. When the cloud infrastructure offers too many knobs to turn, then it's likely the users and operators will believe they are taking one action when in reality they are implementing another.
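As an added example that is not drawn from the post, here is a small offline assessor of the kind the fifth move calls for, run against a constructed account snapshot. The snapshot's shape is my own assumption, loosely modelled on AWS-style security groups (in AWS that term means instance-level firewall rules, not user groups; user membership lives in IAM groups), IAM policy documents, bucket settings and the audit trail. None of the resources are real, and the checks are deliberately the simple ones that catch the exposures the update describes: an admin port open to the world, a wildcard allow policy, a public or unencrypted bucket, and a trail that would let prevention fail silently.

```python
"""Added example (not from the original post): an offline misconfiguration
assessor run over a constructed cloud-account snapshot. The snapshot format and
the checks are assumptions, loosely modelled on AWS-style resources."""
import ipaddress

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM

SNAPSHOT = {  # constructed account snapshot; no real resources
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-admin", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                                       {"cidr": "10.0.0.0/8", "from_port": 3389, "to_port": 3389}]},
    ],
    "iam_policies": [
        {"name": "deploy", "statements": [
            {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::app-bucket/*"}]},
        {"name": "break-glass", "statements": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
    "buckets": [
        {"name": "app-bucket", "public": False, "encrypted": True},
        {"name": "backups", "public": True, "encrypted": False},
    ],
    "trail": {"enabled": True, "all_regions": False, "log_validation": False},
}


def world_reachable(cidr):
    """True when the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def as_list(value):
    """IAM documents allow a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_security_groups(groups):
    """Any rule that exposes an administrative port to the whole internet."""
    for g in groups:
        for rule in g["ingress"]:
            if not world_reachable(rule["cidr"]):
                continue
            exposed = ADMIN_PORTS & set(range(rule["from_port"], rule["to_port"] + 1))
            for port in sorted(exposed):
                yield ("high", g["id"], f"admin port {port} open to {rule['cidr']}")


def check_iam_policies(policies):
    """An Allow statement granting every action on every resource is full admin."""
    for p in policies:
        for st in p["statements"]:
            if st.get("Effect") != "Allow":
                continue
            if "*" in as_list(st["Action"]) and "*" in as_list(st["Resource"]):
                yield ("high", p["name"], "Allow with Action * on Resource * (full admin)")


def check_buckets(buckets):
    for b in buckets:
        if b["public"]:
            yield ("high", b["name"], "bucket is publicly accessible")
        if not b["encrypted"]:
            yield ("medium", b["name"], "bucket has no encryption at rest")


def check_trail(trail):
    """Visibility checks: without a complete, tamper-evident trail, failures are silent."""
    if not trail["enabled"]:
        yield ("high", "trail", "audit trail disabled: prevention failures would be silent")
        return
    if not trail["all_regions"]:
        yield ("medium", "trail", "trail covers one region only")
    if not trail["log_validation"]:
        yield ("medium", "trail", "log file integrity validation is off")


def assess(snapshot):
    """Run every check; return (severity, resource, message) tuples, high first."""
    findings = [*check_security_groups(snapshot["security_groups"]),
                *check_iam_policies(snapshot["iam_policies"]),
                *check_buckets(snapshot["buckets"]),
                *check_trail(snapshot["trail"])]
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for severity, resource, message in assess(SNAPSHOT):
        print(f"[{severity}] {resource}: {message}")
```

Run continuously against a fresh snapshot rather than once: the corollary about complexity is exactly why a knob that was set correctly last week can be wrong today, and the assessor is the detection side of the "prevention eventually fails" argument applied to configuration rather than to intrusions.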