Collaborative Strategy Guild » Cloud Security

Post Virtualization Security

Diana Kelley — Tue, 24 Jan 2012 13:44:20 +0000

As the second law of thermodynamics tells us, all things trend toward chaos and this is no less true with a virtual environment. Sprawl can have a real security impact, and it takes discipline and planning to control sprawl — discipline and planning that won’t occur without someone from the security team actively monitoring the problem and formulating strategies for how to address the issue.

VVirtualization has been one of the most rapidly and widely adopted technologies in recent memory. It’s huge, and it’s here to stay.

And as security professionals know, setting up a virtual environment securely isn’t easy. Significant effort goes into tasks like evaluating off-premise service providers, ensuring regulatory compliance, and standing up technical controls like monitoring and encryption. But in the excitement to stand up the new environment and get security to an acceptable “target state,” organizations sometimes don’t address security hygiene long-term. In other words, security is in high gear while the environment spins up, but it doesn’t lay the groundwork for what happens once things are chugging along.

Read the rest of Ed’s article over at E-Commerce Times.

Moving Legacy Apps to the Cloud Securely

Diana Kelley — Thu, 12 May 2011 11:49:45 +0000

The editors of TechTarget SearchSecurity have a new site – SearchCloudSecurity and Ed’s a regular contributor.

His latest piece looks at legacy apps and what companies can do to secure them when moving to cloud computing.

Scratch the surface in any organization and you’ll find the legacy environment is one of the most challenging issues facing IT in that organization. No matter how well planned the IT strategy, how efficient the operations, or how disciplined IT processes, there will always be technology that can’t be replaced and that doesn’t meet current standards. Because of the way many legacy applications were built, their criticality, and the expense to modify them, many organizations become “locked in” to some painful maintenance and support scenarios.

For the rest of the piece, please click here.

Cloud Security: Understand the Risks Before You Make the Move

Diana Kelley — Mon, 25 Apr 2011 13:38:41 +0000

Dark Reading launched a new Cloud Security Tech Center this week and asked me and Ed to help kick it off with a Strategy Session research paper.

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In this Dark Reading Tech Center report, we explain the risks and guide you in setting appropriate cloud security policies, processes and controls. Plus: How to catch up when security is an afterthought to a cloud migration.

To read the full report, please visit Dark Reading. (Free registration may be required.)

Continue reading: Cloud Security: Understand the Risks Before You Make the Move

How to Handle PCI DSS Requirements for Log Management in the Cloud

Diana Kelley — Sat, 26 Feb 2011 14:00:22 +0000

Ed’s on a PCI cloud security roll! His latest tip looks at the good, bad, and ugly of log management in the cloud:

Everybody who’s been involved in the Payment Card Industry Data Security Standard (PCI DSS) compliance process realizes how hard getting and staying compliant can be. Organizations transitioning services to the cloud, particularly public cloud, can find themselves in the sticky situation of maintaining “joint custody” of technical controls between themselves and their service providers. This can happen either because organizations intentionally move aspects of the cardholder data environment (CDE) outside their perimeter or — or even more challenging — when companies discover after the fact that a cloud migration has already impacted the CDE.

Shout out to Security Warrior Dr. Anton Chuvakian for his insightful contributions to the piece:

Anton Chuvakin, principal at Security Warrior LLC, a consulting firm focused on logging and SEIM and author of a book on PCI compliance, summarized what he’s seen on the vendor side with respect to these requirements: “The state of affairs is pretty sad: Merchants are at the mercy of their cloud providers. I’ve seen cases from ‘no logs here — if you don’t like it, tough luck’ to infrastructure logs (OS) being dumped into a public directory on a Web server for sharing with merchants.”

Full article is available here.

Managing PCI DSS Requirements Compliance when Moving to the Cloud

Diana Kelley — Sat, 26 Feb 2011 13:48:39 +0000

Ed has a new cloud security tip at SearchCloudSecurity:

For those of us chartered with ensuring that our business stays compliant with Payment Card Industry Data Security Standard (PCI DSS) requirements, migration to the cloud can be a scary proposition. After all, depending on what’s moving, where it’s going, and how our business will make use of it, there can be some pretty major impacts to our overall compliance efforts.
It’s not that vendors aren’t trying to reduce the anxiety that end users have. After all, more and more cloud service vendors have started going through the process of becoming PCI compliant and certified. Most notably, Amazon Web Services announced in December that it achieved Level-1 PCI compliance and is now a validated PCI service provider, but customers still have anxiety when the cardholder data environment (CDE) and the off-premises environments intersect. It’s like asking our friend to look after our pet; sure we trust our friend, but we don’t quite trust them as much as we trust ourselves to do it right.
So how can compliance and security professionals reduce their anxiety? What can we do to get a handle on cloud computing — and the impact to our compliance efforts with PCI DSS requirements — to make sure we’re prepared for the migration to the cloud?

To read the rest of Ed’s tip, please click here.

Cloud Security: The Journey Is the Reward

Diana Kelley — Tue, 21 Dec 2010 13:48:02 +0000

For his article in eCommerce Times this month, Ed takes on the topic of Cloud Security:

Perhaps your company is among the many organizations that either has or will soon attempt a migration to some kind of cloud-based technology infrastructure. While this can mean a lot of work for an IT team, but it can also be an opportunity to reassess and reconfigure critical security controls, giving you a chance to address longstanding shortcomings.

Skills develop with practice and repetition. It’s true of anything, from playing the piano to driving a car. In any endeavor, the way to get better is to practice. Attempt the activity again and again, learning from mistakes made along the way.

“Practice makes perfect” — that’s not a way we usually think about information security; instead, we usually approach security tasks with a “measure twice, cut once” mindset. That’s not to say we wouldn’t get better at security activities with practice — it’s just that when deploying critical security controls or securing areas of our infrastructure, we usually get just one chance to get it right.

For the rest of the article, please click here to visit eCommerce Times.

The Latest Security Developments – Processor Magazine

Diana Kelley — Thu, 16 Dec 2010 22:03:07 +0000

Julie Knudsen has an article on security developments that focuses on internal threats, compliance, end-to-end encryption, and the ubiquitous cloud in the December 17th issue of Processor magazine.

Recognizing the risks posed by employees is sometimes difficult. As [Diana] Kelley puts it, “There’s a psychological barrier that many of us have that says, ‘You’re my employee and I trust you.’ And we really do unfortunately need to get over that. It is the insider that actually has the better access.”

I did the interview a few weeks ago – but the recent WikiLeaks incident is a good recent reminder of the kind of havoc that a trusted insider can wreak. For a nice round-up of lessons for Cyber Security from the leak, take a look at this post from Jon Oltsik at NetworkWorld.

For Julie’s full article from Processor magazine, please click here.

Cloud (in)Security: What kind of cloud is it?

Ed Moyle — Tue, 19 Oct 2010 04:55:59 +0000

I came across an article this morning over on Network World called “Cloud computing security skeptics abound.” It’s written by Ellen Messmer, so that alone would ordinarily make it worth the read. But in this case, the content is particularly astute – even going above Ellen’s already stratospheric standards for security industry coverage (did you see what I did there? That’s cloud pun #1).

Anyway, she puts some boundaries around the somewhat nebulous (#2… I’ll stop now before you get irritated…) reasons that practitioners ordinarily give for failing to adopt cloud technologies; citing an executive at a large FI, she recounts:

“I don’t feel I have good control of the data out in the cloud… Pfefferman says. The company retains its own data center with a staff of IT professionals, and a look at some of the possibilities in cloud computing has left the impression that it not only is not as much of a cost-savings as sometimes claimed, it raises risks substantially.”

Interesting. I understand this mindset, I really do. But honestly, I think it’s important that we question our initial visceral reaction when it comes to the risks associated with the security of our data. In other words, is security de facto better just because we are the ones responsible for it? It could be, but do we know it for a fact?

Consider a hosting provider like Cable & Wireless or AT&T. Would you say that their data centers have better or worse security controls than my basement? I’m in control of the physical security controls in the basement, but does that mean that it’s better than the hosted data center? No, right? The same is true of a cloud provider – maybe it’s better, maybe it isn’t. The key to understanding that starts with risk analysis, which as we know most firms are loathe to undertake and comparing that with an honest vetting and accounting of the security of the vendors we’re evaluating, not all of which will have the same posture and controls. So without those – risk analysis and vendor audit – how can we possible compare without at some level concluding that the devil we know is better than the data we don’t?

He goes on to talk about some specific areas of concern:

There are lingering questions about where data might be stored geographically, or what contractual arrangements are required in the event of a data breach, or how back-up is done, Pfefferman says. While Western & Southern Financial Group is making limited use of Google collaboration applications, the intention is to avoid inclusion of any sensitive information.

All good points. There are, of course, a few assumptions built into this. Specifically, the assumption is #1 that the approved applications – namely the Google applications he cites – are the only instances where data will be sent outside the firm. I’d argue that – most of the time – data is already being sent in a continuous river outside of corporate premises without the knowledge of the security organization. The question is whether or not we as the security organization know about it or not. So trying to stem the tide now seems somewhat… well… late.

Anyway, just some random musings on this topic. I’m not entirely convinced that security of a cloud provider is any worse than what organizations have been deploying in-house for years. Although I guess time will tell if the initial visceral avoidance that we all seem to have is actually merited.

The Fog of Cloud Computing

Karen Hobert — Fri, 27 Mar 2009 19:41:03 +0000

I spent a good part of the last hour following links to stories about security and privacy lapses in Google Docs. I started out with a TechCrunch article detailing additional security loopholes that a security expert had recently uncovered including:

Embedded images in protected documents that never go away and that get saved to an open server
The new diagram feature of Google Docs saves all previous versions of the diagram and makes them available to anyone who can read the doc, even if you’ve set the diagram to view only mode
Sometimes users still can access documents after their permissions have been revoked

These are pretty serious issues for customers who use Google Docs in a true collaborative fashion; where internal contributors create content, collaborate on it, and produce a final version that is shared with a new audience that is only intended to see the final product.

As I followed links in the post I found that earlier in March a Google Docs user uncovered a bug that was overzealous when setting document permissions on collections of documents. I can actually envision the flawed logic of the code behind that button. Burr. Google reacted and took steps to remedy the problem ultimately notifying customers that they created an automated fix that removed all permissions (except the authors) from the affected documents. Pretty dramatic, and having been through things like this before, not without its own risks of corruption and locking people out of documents for good; what would happen if the author is no longer available?

According to the account of the person who reported the bug, the two weeks that Google took to respond and remedy the problem was admirable, despite the fact that “ultra-secret” information was shared with people who should not have seen the information. Not only does this raise the question of how enterprise-ready Google Docs development is but also what customers come to expect of cloud service providers. I wonder if two weeks would have been admirable if this were Microsoft instead of Google. Not to harp on the customer. He was satisfied and the problem was remedied in part due to his own pro activeness.

Bottom line is the stakes are high when it comes to offering enterprise services in the cloud. Not only for the provider but also for the customer. I had considered using Google Docs for a recent project but decided against it because I did not know where the information was going to be stored. Since it was client information I was working with, and not my own, I opted for the much more cumbersome email approach to sharing files. I’m glad I did. The problems caused by posting embedded images to a separate, unprotected store that subsequently does not remove images when the document is deleted is a reminder that users of cloud services have no control over the architecture or infrastructure of the system (unlike an in-house system) and that they are trusting Google is doing the right thing. In this case Google isn’t doing the right thing; at least not right now.

To me this begs the question of whether or not Google’s developers really understand developing for enterprise requirements. Sharing and collaborating enterprise content is not new (I keep saying that around cloud services) and there are many developers who brought us products like Lotus Notes and Groove that understand the issues in creating systems to share and secure content. What is new, however, are vendors building sharing platforms in the cloud as if they were enterprise-deployed solutions. They are doomed to make the same mistakes that were made in the early days of collaborative systems if they do not tap into the knowledge that enterprise solution developers already know. And customers will fall into those traps if they aren’t careful. I recall a customer account of how an unprotected HR file that listed salaries of all employees made it into the company’s shared store only to be accidentally displayed in a searching demo to executives. Scary as it was, the problem was contained within the intranet. Imagine if that had been in the cloud?

Google Docs is a 2.5-year-old beta product, which should tip customers off to the fact that it’s all one big experiment still. It is one development model to continue to stumble along, make the same mistakes that companies like Lotus and Microsoft spent years learning, and to use its customers as guinea pigs. If the price point (free) is worth it, then customers of Google Docs can have little recourse when something goes terribly wrong. Customers need to consider all cloud services as carefully as they would consider in-house solutions. Checking out the technical facts as well as their risk tolerance before “buying” is likely to mitigate buyer’s remorse. Don’t count on users to be cautious once you bless the service. Users will not be concerned about how a system is implemented to ensure that the information they post is secure. If the tool makes their work easier you can be assured it will be used heavily. Therefore, it’s up to the people who understand IT to make sure that the cloud services that the company uses are satisfactorily implemented and is secure.

The recent Business Week article, Cloud Computing: Understand the Risks, chimes in the risks to consider when evaluating cloud services:

There are two kinds of risks in putting your data online. One is that you can never be quite sure who has access to your information once it has migrated beyond the hard drives and backup storage devices in your home. The other risk is that the information, and sometimes the applications you need to make use of it, may be available only when you are connected to the Internet and the service is up and running.

Get Shareaholic

Bringing Cloud Computing Security Down to Earth

collabstrategy — Fri, 20 Mar 2009 15:48:15 +0000

from an upcoming article series by Char Sample, Senior Scientist, BBN Technologies and Diana Kelley, Partner, SecurityCurve

Hi All – Char and I are working on a set of CC Security articles – here’s our current abstract. Comments on what you’d like to see in the article are welcome!

Cloud Computing is generating a lot of buzz right now – and for good reason. Cloud Computing promises seamlessly integrated services without the high costs traditionally associated with large integration efforts. Cloud computing and software-as-a-service transfers a large portion of the infrastructure set-up and on-going data center management costs from the end-user enterprise to the provider in the cloud. The providers can leverage economies of scale and robust high availability at their massive data centers, passing the savings on to customers.

Although this cloud does have a silver lining, enterprises need to understand the security and business implications of going into the cloud. Without proper assessments and requirement definitions, up front, organizations could find themselves caught in a “storm” of data exposure, uncertain liability, or costly fee structures.

In this multi-part series, Char Sample and Diana Kelley provide a down to earth de-mystification of security concerns and the Cloud phenomenon. Each article begins with an overview explanation of specific cloud security concerns and concludes with a short discussion of countermeasures.

In Part One, they cover infrastructure, management, and routing – with special focus on DNS spoofing and “evil twin” clouds. Part Two discusses host security concerns and data placement considerations. Part Three addresses whether or not enterprises should consider creating their own clouds and how reputational services can help increase overall cloud security.

Get Shareaholic