
THOUGHTS FROM THE CLOUD A selection of Cloud-Security Articles from the CloudAccess Blog Vol2

AUTHOR’S NOTE

“Thoughts from the Cloud” is a weekly blog written by Kevin Nikkhoo, CEO of CloudAccess. It looks to discuss, dissect and debate the many pressing issues surrounding cloud computing with a special focus on cloud-based security and security-as-a-service. You can read all the blog entries at: http://cloudaccesssecurity.wordpress.com/

In this Volume you will find:

Storming the Castle

A Job for Man or Machine

Shooting from the HIPAA: Compliance in the Cloud

The Challenge of BYOD

If a tree falls in your network, does anybody hear?

STORMING THE CASTLE

One of the true benefits of the cloud is the ability to reconfigure and create a stronger, more active asset protection strategy than you might be able to otherwise afford. But let’s look beyond the cost factor for a moment and analyze a true best practice that gives an organization a true advantage within the cloud and an overall strategic deployment of security resources. And to look at the future of security configuration we have to look back 500 years into the mists of history to see a model that worked well

Presented by:

CloudAccess:

CloudAccess provides comprehensive security-as-a-service from the cloud. Our suite of robust and scalable solutions eliminates the challenges of deploying enterprise-class security solutions including costs, risks, resources, time-to-market, and administration. By providing such integral services as SIEM, Identity Management, Log Management, Single Sign On, Web SSO, Access Management, CloudAccess offers cost-effective, high-performance solutions controlled and managed from the cloud that meet compliance requirements, diverse business needs and ensure the necessary protection of IT assets.

www.CloudAccess.com

877-550-2568

CloudAccess, Inc 12121 Wilshire Blvd Suite 1111 Los Angeles, CA 90025


www.CloudAccess.com

CLOUDACCESS 877-550-2568 www.cloudaccess.com

SECURITY FROM THE CLOUD:

then…and works just as well today. I’m talking specifically of the castle. In terms of a current strategic deployment let’s call it the layered prevention model. In its day the castle was a state of the art defense strategy. In the center you have the king (and the king’s most precious possessions). Surrounding the king are his elite and trusted guards armed and armored. Beyond the guards there are a variety of buildings in which the ministers and other important assets are stored. Go a bit further and you have the castle walls. In fact, some of the greatest medieval castles had an inner wall (called a curtain wall) to ensure that if the perimeter was breached, there was another strong line of defense. Now along the tall, imposing and impregnable walls, archers line the battlements and parapets scanning the horizon for any intruders. More guards protect the gate monitoring everyone coming in. Beyond the castle wall, there is typically a moat containing nasty beasts ready to chomp on a leg of anyone trying to bypass the drawbridge and sneak across. Now in the medieval world, protection extended beyond the castle. There were miles and miles of land surrounding the castle held by vassals promising fealty and soldiers to the king.

Pretty imposing, right? These castles created multiple layers of defense and kept themselves safe from attack. And it is also the best strategy to protect your IT environment.

Ah, you say, there are always castles being attacked and overrun despite these impressive defenses. But like any defensive strategy, you are only as safe as your weakest link. If endpoints are left exposed (a guard sleeping on duty, a blight kills the man-eating fish in your moat, the slighted and scurrilous minister gives a key to an assassin) the castle can fall. There is no perfect system, but if you are not vigilant and are not watching every flank, even the most layered defense is helpless. And the smartest of enemies is not looking to knock on the front door; they are going to find and exploit the entrance not being watched.

If you equate anti-virus software to your archers and your firewall to one castle wall, there are still too many endpoints exposed to consider your situation secure. What about log monitoring? What about SIEM, SSO and other access management strategies, identity management? These are the tools that build the double walls, arm the soldiers, lock the jewels in the sub-dungeon.

SECURITY IN THE CLOUD VERSUS SECURITY FROM THE CLOUD…

Security IN the cloud frames the overarching issue. These are the problems often discussed by IT professionals today. They range from questions about the safety of data held within a virtualized environment to that of cyber hacktivism or “why do my users keep insisting on using their smartphones to access the network?”

Security FROM the cloud is the means to protect IT assets without having the heavy investments in servers, software and a variety of other related costs. For some it is the holistic application of best practices, real time visibility and best of breed solutions. “From” the cloud is providing a scalable layer of security that was typically reserved for trillion dollar companies, easily deployed for any company of any size. Security FROM the cloud answers the questions posed by security IN the cloud.


There are many organizations out there that only build a single perimeter and hope it is sufficient. In today’s corporate world, that is simply not enough. It would be the equivalent of having the king sitting in the middle of a little wooden cottage all by himself.

But there’s a cost to all these layers, in terms of solutions, licenses, resources and the manpower to truly monitor and guard the castle gates. Many companies need to sacrifice portions of security based on their perceived risk assessments. And that’s where the cloud comes in!

Security-as-a-service allows companies with more modest budgets and/or limited in-house resources to add layers of protection without adding equivalent in-house costs. But more importantly, it provides a 24/7 layer of monitoring, correlating, alerting, escalating and remediating. It not only scans the horizon watching for the horde of enemies, but more importantly monitors the back door where the serfs deliver the wheat. It allows you to add any combination of SIEM, SSO, log management, identity management depending on the need. There are so many intrusions from so many different corners of the network in so many different guises that it is highly unlikely one person or even one department could spot them unless these were being specifically looked for. And if found, would it be recognized as friend or foe? If all of a sudden a MAC address changes, does anyone notice or know why it changed? It could be harmless, but it could also be symptomatic of a larger issue. If a dormant network account suddenly gets repeated pings at 2:30am, is it a problem? Cloud-based security gives you enterprise-class tools and expertise to cover these bases and better understand the flow of data in and out of your network. And it gives you the bandwidth to deal directly with only the issues that truly pose threats to your network.

Bottom line is that cloud-managed security allows you the freedom to run the kingdom because you know that all the nooks and crannies of the castle are being watched and protected. So, when you think of the cloud, don’t think of a vaporous mass that ruins sunny days, but a complex of layers that can help support and drive a strong security initiative.

REACT: A UNIFIED SECURITY PLATFORM…

REACT or Realtime Event and Access Correlation Technology is a unified security strategy that leverages the cooperative functionality of key toolsets and/or deployed solutions. It creates a unique holistic approach to security management and asset protection by broadening the reach and scope of enterprise monitoring, strengthening access authentication and centralizing control.

As part of the Unified Security (UniSec) category, REACT enhances and promotes 360° visibility into an enterprise to see who is doing what, when and where to any part of the monitored IT landscape. The key is that the data is continuously monitored and correlated in real time. This allows for a higher, more responsive degree of proactivity through security administration and faster reactivity to any actionable event. And as a collective and comprehensive forensic analytic, REACT provides the level of automated reporting (combining SIEM and Identity/Access Management activity) required by compliance agencies (HIPAA, PCI, FFIEC, CIP, GLBA, etc…) as well as internal proactive defense planning.


A JOB FOR MAN OR MACHINE?

A Chief Technology Officer for a Midwest banking holding company made a very interesting observation earlier this week. In commenting about the needed increase in fraud fighting resources, he warned about the perils of overemphasizing technology while ignoring training staff in using manual fraud-detection processes.

Most of what he says is spot on in terms of ensuring the proper prioritization, risk analysis and the blind reliance on technology to identify and neutralize threats and breaches. In fact, as an officer in a technology company, I happen to agree with him on almost everything he said.

He also noted that to prevent fraud, financial institutions need to go beyond adopting the latest technologies and ensure they have trained staff to identify fraud, such as by reviewing reports or spotting unusual activity.

This is exactly the type of engagement I have been preaching for several years. Now the key is how to cost effectively apply those resources, train those departments in the latest detection protocols and remediation, implement new layers of detection and correlation. Even for the largest corporation, this has the earmarks of an expensive (but obviously important) initiative. And I am certain the answer can be found (yes, you guessed it) in the cloud.

It wasn’t too long ago that financial institutions were extraordinarily skittish about capital expenditures. Yes, the belts have loosened just a bit, but if an organization can find an equivalent alternative that saves 50% of the costs, it would be in their best interests to investigate a bit deeper.

But here is the case for the cloud in this situation. This article did not say anything about hiring additional help (with the incurred costs of hiring, training, ramping, salary and benefits); it posited that the staffs need to implement a protocol that included more manual review and action. I ask, with what time? There are still only 24 hours in a day, only so many balls a talented IT professional can keep in the air (especially considering the resources needed for banking compliance including the new FFIEC

DOES SINGLE SIGN ON IMPROVE OPERATIONS?

In a recent brand-agnostic survey by the independent research firm Ponemon Institute regarding the benefits and efficiencies of single sign-on, the question was asked whether SSO improved operations and in what ways:

• 88% of surveyed CTOs believe SSO improves the efficiency of operations

• 82% note that access to key business applications is improved

• 73% believe it improves the effectiveness of administrative activities (including help desk)

• 71% record that it improves adoption of new applications and technologies

• More than 14.5 minutes per day are saved by EACH user because of SSO

The bottom line is that SSO increases employee productivity, reduces helpdesk calls, and strengthens security.


guidelines!) and most notably there is no such thing as 110%. IT professionals, especially in the banking forum, are already being asked to wear many hats. And the pressures to adapt to new complex guidelines, threats and initiatives will only grow over time. So with what bandwidth will this additional vigilance arise? Or more likely, what new vulnerability gaps will occur because focus is diverted or further fragmented?

Make no mistake; I am still saying that the best way to combat fraud is more manual oversight of the security environment. But you can only ask so much out of a staff without adding more human resources to the problem.

HOWEVER, the cloud allows you to use ready-trained expert analysts to monitor, review, escalate and remediate various channels in real time while your on-premise staff attends to more significant priorities. The best part is that this security initiative can usually be deployed at half the cost of doing the same thing in-house. You not only gain the benefit of the latest technologies, updates and advances of enterprise-class security solutions (SIEM, Log Management, Identity and Access Management, SSO, etc…), but you get the intellectual resources working on your specific needs…AND there is no huge sea change (or additional architecture investment) because with security-as-a-service, you can pick and choose which solution works for your situation, thereby leveraging your existing infrastructure.

"Technology has to evolve as the threats evolve, and technology will always have to follow the evolution of those risks, because we don't know what to expect next," the CTO said.

The idea that security-as-a-service is only a “set-it-and-forget-it” automated gap-filler is selling the concept completely short. Just like all technologies it provides a great deal of powerful automation options, but cloud-security is considerably more than its technology; it is the integration of additional manpower and cutting edge knowledge provided by a virtual team of professionals.

When considering cloud-managed security (public, private or hybrid), it is important to look past the cost savings, the zero-day deployment and the other general benefits of a SaaS-like solution, and look at the gained expertise, the increased resources, the best-of-breed technologies, and most important, the ability to evolve with the constantly changing landscape of your security needs.

WHEN CONSIDERING AN IAM STRATEGY, YOU MUST CONSIDER…

• The risks associated with IAM and how they are addressed.

• The needs of the organization.

• How to start looking at IAM within the organization and what an effective IAM process looks like.

• The process for identifying users and the number of users present within the organization.

• The process for authenticating users.

• The access permissions that are granted to users.

• Whether users are inappropriately accessing IT resources.

• The process for tracking and recording user activity.


SHOOTING FROM THE HIPAA: COMPLIANCE IN THE CLOUD

As an IT professional, what visuals are conjured when you hear the phrase “HIPAA compliance”? Is it Sisyphus having to push a heavy boulder up a mountain only to have it roll back down? Is it some hapless character from a Kafka novel caught in some endless bureaucratic labyrinth of requirements? Or is it just a giant hippopotamus sitting on your lap?

Compliance is the necessary evil of any IT strategy. It has the best of intentions, and in many cases, it ensures the right steps are followed to protect sensitive data like patient records. However, that doesn’t mean the multiple levels of auditing and reporting aren’t a drain on resources. And it doesn’t mean approving wheel recreation just to satisfy one area of administration.

Even HIPAA says it can be complex: “While the general concept of HIPAA Compliance is very simple—protecting the privacy of each individual—creating standard operating procedures that follow HIPAA requirements can be rather complex and implementation of compliance procedures can vary greatly from one covered entity to the next depending on the type of business conducted at each entity.”

But the issue of whether or not to comply is moot. In fact we know that you are dedicated to ensuring the privacy of patient records (PHI) and to safeguarding the integrity of your enterprise’s IT assets. The issue is how to best comply. And with all the drags on your time and resources, the cloud makes a sensible case to support the compliance efforts of the enterprise.

I’m not going to cover generalities such as what is required and what is a covered entity... I figure you already know that. Let’s spend time on how the cloud can make compliance a lesser burden while ensuring the privacy of patients, customers, their transactions and personal data.

For this entry, let’s focus only on the technical assets (not the administrative or physical control policies and procedures). In that respect,

THREAT VERSUS RISK…

In its simplest of terms, risk is the probability or frequency of doing harm while threat is the actual or attempted infliction of that harm. Splitting hairs? It’s all about keeping your IT assets protected, right?

Although related, they are two different beasts altogether. Risk includes variables. It overviews vulnerabilities, weighs challenges and opportunities to come up with an outcome. And there is risk in every action you take; some of it is so low that it poses no challenge to your architectures.

And if you add “vulnerability” into the mix it creates a third dimension when assessing risk--vulnerability is a state of being--a weakness or gap in your security. A threat can exploit (intentionally or unintentionally) a vulnerability that is determined by a risk assessment. Then of course you add likelihood. How realistic is it that this event will actually happen?


HIPAA focuses on three areas: Access Control, Audit Control and Transmission Security.

The greatest benefit of managing identity and access from the cloud is the ease of administration of EPHI (Electronic Protected Health Information). And with HIPAA, this means sharing and securing information with other user repositories (such as referral networks, insurance, payment processors and the patients/customers) as well as maintaining safeguards across various applications, devices and systems. In most cases in the health industry security breaches come from roles and their cross hierarchical access. Valid users usually get access to data that they shouldn’t, and that just opens the door for data leakage. The key the cloud provides is not just the ability to provision and deprovision on demand or the ability to create enterprise-wide access rules based on roles or responsibilities, but the capacity to enforce those rights across an entire enterprise and beyond in real time.

What the cloud truly brings to the party is the ability to scale up and down as needs dictate and the cost-efficiencies built in to the fast deployment, and lack of hardware and software to maintain. But most important is the best-of-breed enterprise-class solutions you can use to track process and improve performance across all the compliance requirements. The savings from password management self-service alone amount to hundreds of man hours per year.

There are several cloud-based solutions that can manage your identity security, but HIPAA compliance is more than just IAM/IDM. There is the matter of data correlation: the ability to determine when and whether any event is a potential threat or simply authorized access. But today, even authorized access is not so simple. What happens if a correct password is applied against a dormant account? Are you notified? Is the account immediately frozen? Certainly it could be a friendly error, but if the IP address is traced back to Bulgaria are you concerned? What if it happens in the middle of the night…or tries multiple times to modify records that go beyond its original rights? How or when are you alerted? This is something typically beyond the scope of IDM, and it calls for a SIEM and Log Monitoring solution. HIPAA requires this and the cloud delivers.

CYBER CRIME FACTS…

From the Ponemon Institute.

Cyber crimes are costly. The median annualized cost of the 45 organizations in the study is $3.8 million per year, but can range from $1 million to $52 million per year per company.

The most costly cyber crimes are those caused by web attacks, malicious code and malicious insiders. These account for more than 90 percent of all cyber crime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM and enterprise threat and risk management solutions.

SIEM is a strong deterrent

Companies that had deployed a SIEM system achieved a 24 percent cost savings when dealing with cyber attacks versus those that had not.

Cyber Crimes are Intrusive and Frequent


Between audits, access, transmission and breach prevention, the cloud integrates a risk mitigation program designed to meet not just HIPAA, but Sarbanes Oxley, PCI and others. But the cloud is simply the platform. It is the solutions that work on that cloud that create conditions for easier compliance. It is the great equalizer in terms of affordability and functionality. Ten years ago there were those that said a cloud-based ERP application was foolhardy. Tell that to salesforce.com. They created a big picture solution that allowed modest companies an opportunity to use enterprise-class tools. The cloud has now evolved to the point where security-as-a-service offers proven solutions that meet the strictest federal and industry requirements.

To those on the fence, let’s say that the cloud-based solution has an equivalent level of security features and control as those of any on-premise solution. Let’s also concede that those features meet or exceed HIPAA requirements as well. What is left? Why go cloud? Benefits like scalability, cost efficiencies, federated interoperability make for a perfectly rational ROI argument and look good to those paying the bills. However, the usage of a virtual security environment makes a complex process simpler. There are solutions in which the administration is done for you, and for others the cloud creates a consistent, concentrated platform to control all aspects of compliance security.

HIPAA requirements are only going to become stricter as data access and transmission evolve. In the past two years, we have already seen amendments and additions to the law making compliance account for a larger percentage of your valuable time. The cloud allows you to safely divest some of the tasks through a combination of risk intelligence correlation, automations, integrated processes, proven self-service protocols and centralized management tools.

SEVEN SECURITY VULNERABILITIES…

There are many different aspects to securing your IT infrastructure, and because of the complexity, over 70% of organizations are still not adequately securing their critical systems (according to the 2012 Echelon One Survey).

The following are seven of the “deadliest sins”…or holes inside or beyond your network perimeter:

1. Inaccurate access permissions

2. Reliance on password vaulting

3. Unprotected Windows Administrator accounts

4. Thinking that Identity Management alone will secure access to systems

5. Lack of centralization to SSH keys

6. Point solutions for access control

7. Lack of continuous monitoring


THE CHALLENGE OF BYOD

“Don’t care how…I want it now!” -Veruca Salt (Willy Wonka and the Chocolate Factory)

We live and work in a world of immediate gratification. In the name of greater productivity if you need to check inventory from a supplier’s warehouse…click there it is. Share a file on Dropbox, no problem. Add detail about a meeting in the sales database… click! Update your Facebook or LinkedIn status. Email a white paper to a potential client...click, click. Want to see that flying pig meme…well, you get the picture.

Now that’s not necessarily a bad thing…unless you’re an IT professional and those accessing and storing your network assets use unsecured/unauthorized devices while potentially bypassing security protocols. But unlike Veruca Salt quoted above, it isn’t the user who falls into the garbage chute—the risk is to the security of the network. And it's happening more often than you think.

Many organizations are now allowing employees to use their personally-owned devices for work purposes with the goal of achieving improved employee satisfaction and productivity. However, this comes at an IT price. Users love the mobility and the immediacy of smart phones and tablets, but forget these devices are just hand-held computers prone to the same intrusions, attacks, viruses and risks as the computers used in the office. The larger problem is many users don’t see that, so every time they sign on to your network or download an app, it creates a wider and wider vulnerability gap for the enterprise network.

This issue is not unique to a company of any particular size or one vertical market; however, the solution, while not simple, is clear. There are several moving parts that require elements of identity management, access management, SIEM, WebSSO and SaaS SSO. It incorporates a suite of integrated answers that together can let you rest a little better at night.

There is the idea that if you build a strong perimeter or have users install anti-virus on their devices, the problem goes away. It simply puts the finger in the

REDUCED COMPLEXITY AND COST

With CloudAccess SIEM there’s no maintenance or management overhead, and minimal administration. As a true security-as-a-service solution, the impact on IT resources is truly limited. This allows you to redeploy your focus on other priorities. When managed from the cloud, many of these time-consuming, resource-draining activities are taken care of automatically. There is a definitive cost savings realized without sacrificing any of the capabilities, compliance requirements, scope or strength of your IT security strategies.

As realized with cloud-based applications, migrating centralized control of the security features to the cloud realizes an equivalent savings. The cost reductions can be staggering. Just the implementation costs alone (a 2:1 or 3:1--sometimes higher--ratio of professional services costs to software licenses in traditional physical deployments) are cost prohibitive for many organizations. Cloud-based security can be the great equalizer. With no hardware burdens or software licensing issues, any-sized company can enjoy the same degree of protection as the largest enterprise.


dyke, and the overriding issue still exists. Your proprietary assets are still

exposed.

First off, regardless of whether you approach the solution from the cloud or more terrestrial confines, you need to rethink the risk, revise the policy and enforce the rules. You have to consider how best to maintain compliance (PCI, HIPAA, and/or Sarbanes-Oxley), and you need to incorporate the answer holistically. To this end you need new protocols to authenticate and credential users, define authorization rules based on very specific rights and profiles and monitor traffic patterns to identify, alert and act on any unusual activity.

This takes time, money and manpower. All of which are typically in short supply for new IT initiatives. That is why I advocate security-as-a-service. BYOD is a threat that will only grow exponentially and the longer you wait to address the issue head on, the greater the vulnerability gap. However, by taking advantage of the integrated solutions managed from the cloud, organizations gain the benefit of cost-effective, seamless, on-demand, scalable coverage. If you already have a strong SSO, then you don’t add it. If all you require is additional resources to improve intrusion detection and/or password management, the cloud solution exists to leverage your existing architecture. Essentially cloud-based security fills the vulnerability gap with proven and tested solutions monitored 7/24/365.

Managing security in the cloud provides the resource bandwidth to create the rules, easily provision or deprovision devices, automate the alerts and incorporate a more comprehensive and layered protection strategy that includes the BYOD crowd.

But whatever your decision, you need to address the issue sooner rather than later, because if you don’t take charge, your employees will self-serve based on their own needs. There’s a prescient blog by Joe Onisick of Network Computing who said:

“If you don’t support a particular device, employees will begin to find ways to self-support it. They will bypass corporate IT and, with that, bypass security, compliance, change management and audit logging. It’s a problem that will continue to get worse, and, as with any problem, an ounce of prevention is worth a pound of cure.”

THE TEN COMMANDMENTS OF BYOD

Developed by Fiberlink

The rapid proliferation of mobile devices entering the workplace is undeniable. This raises the inevitable question: how will you support workforce desire to use personal apps and devices while allowing them to be productive in a secure environment that protects corporate data?

1. Create Thy Policy Before Procuring Technology
2. Seek The Flocks’ Devices
3. Enrollment Shall Be Simple
4. Thou Shalt Configure Devices Over the Air
5. Thy Users Demand Self-Service
6. Hold Sacred Personal Information
7. Part the Seas of Corporate and Personal Data
8. Monitor Thy Flock—Herd Automatically
9. Manage Thy Data Usage
10. Drink from the Fountain of ROI


IF A TREE FALLS IN YOUR NETWORK, DOES ANYBODY HEAR?

When I started scribbling notes as to what to write about this week, my first thought was to address some of the claims that cloud wasn’t “ready for prime time,” by a survey done by Wisegate. Everyone is entitled to an opinion, and those who wish to turn a blind eye to the maturation of the cloud do so at their own risk. Before I move on to the subject at hand, I will simply remind doubters that these same voices were shouting the same thing from the rooftops about SaaS 10 years ago. Now these same doubters incorporate many SaaS solutions into their architecture. It’s okay to be skeptical, and in terms of security, it’s necessary to be cautious. However, once you cut through the hype that the cloud is some kind of “silver bullet,” and the myopia of the status quo, you will see that the cloud is the latest step in the evolution of IT asset protection.

If you claim that the cloud is too risky, then one also must equally consider that adequate security of an existing on-premise network, or lack thereof, could also be a root cause. If lack of compliance is the issue, then do some more homework…compliance in the cloud is real. Again, not wishing to impose my obvious bias regarding the cloud on any doubter, but just like any product in any industry, you need to judge solutions on their independent merits. I am sure there are less-than-stellar cloud-based products, but to label the whole movement as risky is much like saying all cars are gas-guzzling rolling death traps or all online banking is playing financial Russian Roulette. What is it they say about babies and bath water???

Alright, I am stepping down from the soapbox to respond to another, less inflammatory, yet as business critical, article regarding the difficulty of separating log data from actionable events. The issue at hand is that a network is pinged potentially millions of times a day. Most of it is innocuous: the legitimate log on and off of employees, genuine transactions of data, etc. But what gets lost amidst all this “white noise” are the red flags that indicate breaches or, worse, malicious activities.

It can be overwhelming. In fact, the article Struggling to Make Sense of Log Data points out a study by the SANS Institute finding that the biggest critical concern for security is the ability to discern usable and actionable data from log files.

THE PARADIGM CHANGE IS HAPPENING NOW

According to Forrester Research, it is estimated that the managed cloud services security (MSS) market stands at $4.5 billion.

Gartner, the nationally respected IT research firm, predicted that the total worth of the cloud computing market will rise to more than $150 billion by 2013.

In 2015, public cloud services will account for 46% of net new growth in overall IT spending.

Morgan Stanley estimates that by 2015, the mobile web will be bigger than desktop internet. With user expectations about where and how they access information changing dramatically, there'll be growing pressure on IT to make enterprise applications available in similar ways.

How Important is Collecting Logs?

I asked a top notch engineer developing in the cloud and he wryly quipped, if a tree falls in the forest, does it make a sound? He added, just because you set an intrusion detection software system to find malware and the like, you still require the human intelligence to review/interpret the logs and create the baseline of normalcy. So I said, that is the problem…there’s just so much to review. To which he reminded me about the concept of situational awareness. He posits the idea that a singular event might be seen as generally low-level and harmless, but when it is put into context and correlated against various rules and diverse enterprise silos, a very different picture emerges. For instance, your network logs an access attempt from Bangladesh. Is this normal? Do you have customers, suppliers and employees who originate there? If so, is it happening during regular business hours? Is it following “normal” traffic patterns? If so, are they using dormant passwords or bypassing any protocols? If so, is the accessible data through this breach?
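The context questions above (is the source country normal, is it business hours, is the account dormant) can be written as a small correlation rule over login events. This is an added example, not CloudAccess code; the event tuples, thresholds and function names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold
BUSINESS_HOURS = range(8, 19)       # assumed 08:00-18:59, office-local timestamps

def build_baseline(history):
    """Learn each user's usual countries and last successful login."""
    countries, last_seen = {}, {}
    for ts, user, country, ok in history:
        if ok:
            countries.setdefault(user, set()).add(country)
            last_seen[user] = max(ts, last_seen.get(user, ts))
    return countries, last_seen

def score_event(event, baseline):
    """Ask the context questions; each unusual answer adds one reason."""
    ts, user, country, _ok = event
    countries, last_seen = baseline
    reasons = []
    if not any(country in seen for seen in countries.values()):
        reasons.append("country never seen for any user")
    elif country not in countries.get(user, set()):
        reasons.append("country new for this user")
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if user not in last_seen:
        reasons.append("no prior successful login")
    elif ts - last_seen[user] > DORMANT_AFTER:
        reasons.append("dormant account")
    return len(reasons), reasons

def triage(events, baseline, threshold=2):
    """Escalate only events where several weak signals coincide."""
    scored = ((ev, score_event(ev, baseline)) for ev in events)
    return [(ev[1], ev[2], why) for ev, (n, why) in scored if n >= threshold]

# Constructed sample events: (timestamp, user, source country, success)
HISTORY = [
    (datetime(2024, 1, 8, 9, 5), "alice", "US", True),
    (datetime(2024, 5, 6, 10, 0), "alice", "US", True),
    (datetime(2024, 5, 6, 14, 30), "bob", "BD", True),
    (datetime(2024, 1, 9, 11, 0), "carol", "US", True),
]
NEW_EVENTS = [
    (datetime(2024, 5, 7, 10, 15), "bob", "BD", True),   # usual for bob
    (datetime(2024, 5, 7, 11, 0), "alice", "BD", True),  # one weak signal
    (datetime(2024, 5, 8, 3, 10), "carol", "BD", True),  # three signals coincide
]
ALERTS = triage(NEW_EVENTS, build_baseline(HISTORY))
print(ALERTS)
```

Only the third event is escalated: the same country that is routine for one user becomes notable when it coincides with off-hours access on a dormant account.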

The study author Jerry Shenk said, "Even when we look at the 22 percent of respondents who are using SIEM (security information and event management systems) for collecting logs and processing them, nearly the same percentage say it is difficult to prevent incidents and detect advanced threats."

But the most disconcerting statistic is (according to the study): "With or without tools, many organizations don't spend much time analyzing logs. 35% of respondents said their organizations allot no time to less than one day a week on log analysis. The smaller the organization, the less likely they would spend on log data analysis. Many companies recognize that SIEM is part of the answer, however 58% of the companies in the survey noted they are "not anywhere close to that level of automation."

EMPLOYEE CARELESSNESS CAN PUT YOUR COMPANY AT RISK

A company’s greatest asset—its employees—can also be its weakest link, especially in an era wherein mobility and accessibility play a huge role in enhancing productivity.

The top reasons cited for data loss were SMB employees’ tendency to open attachments to or click links embedded in spam, to leave their systems unattended, to not frequently change their passwords, and to visit restricted sites. This negligence puts critical business data at risk from data-stealing cybercriminals and malicious insiders.

This alone is a perfect situation to incorporate security-as-a-service to help manage monitoring. Instead of once per week (if at all), monitoring occurs 7/24/365. Instead of catching just the most obvious threats, the automations combined with the sourced human analysis significantly shrink the vulnerability gap. Instead of looking at a singular network, it links, correlates and analyzes all the aspects of the enterprise. And cloud-based security does it at a fraction of the on-premise cost. The cloud allows organizations to expand their resources and therefore solidify their coverage.

Attacks, intrusions and abnormalities are issues that aren’t solved by ostriches. Putting heads in the sand isn’t the answer. Neither is throwing your hands up saying, “So what can I do about it?” And if you are one of those people who, at the top of this blog, consider the cloud too risky of a proposition, how much riskier is the status quo? To be effective, you need to have all the facts in order to formulate a stronger prevention plan. I can’t stress enough how important it is to understand regular traffic patterns in order to recognize when something requires greater attention or action. And to do that you need to review logs. However, with so many other priorities, sometimes it is a considerable challenge to be proactive.

Trees will continue to fall in the forest. However, if you look down from the cloud, you are better attuned to hear it, and if necessary, act.

So how does this intersect with the cloud? It all goes back to resources. Do you have the technology, the budget, and/or the manpower to analyze every blip or define/escalate every event? Security-as-a-service helps lift that burden by employing 24/7/365 monitoring and applying your risk assessments to best defend your IT assets in real time. Once you define which events pose the greatest threats, you can prioritize response and take appropriate action without impacting your departmental staff.

In short, even the best risk assessment and mitigation measures leave a certain amount of residual risk, either because one can’t mitigate totally against all the risks or because of the element of chance. But better understanding the difference between ‘threat’ and ‘risk’ can help you make decisions that will keep your systems safer and avoid unnecessary costs.

DID YOU KNOW…

What are your employees doing?!!!!

Well over half of consumers - 58 percent - using smart mobile devices employ location-based apps despite concerns about safety and third-party use of their personal information, according to ISACA. Forty-three percent say they don't read agreements when downloading mobile apps; 25 percent respond that the agreement language is unclear. A mere 8 percent of respondents say they don't download apps.


MENTION THIS WHITE PAPER AND WE WILL EXTEND A FREE MONTH OF SERVICE WHEN YOU SIGN UP FOR A YEAR OR MORE PAY-AS-YOU-GO SUBSCRIPTION

CONTACT CLOUDACCESS FOR A LIVE ONLINE DEMONSTRATION OF OUR SIEM AND LOG MANAGEMENT SOLUTIONS DELIVERED AND MANAGED FROM THE CLOUD.

MORE INFORMATION:

CONTACT: 877-550-2568

Read Our Blog: http://cloudaccesssecurity.wordpress.com/


The sky is no longer the limit with secure, affordable cloud security solutions from CloudAccess.

WANT TO LEARN MORE ABOUT COMPLIANCE?

www.CloudAccess.com