Using Technology for Right or Wrong


Technology, including its byproducts, is most likely value-neutral. By itself, it seems unable to commit any wrongdoing. And yet, we find so many scenarios in which technology provides a breeding ground for nurturing a wrongful act, as if luring people to take advantage of it. Features offering anonymity, as in the case of e-currency, offer confidentiality assurance. But they could also mask illegitimate or illegal transactions. Bitcoin can neither prevent, nor should it promote, illegal use of its currency system. But then, once the system is open for everyone’s use, who would guard against morally or legally improper use of the system? At present, technology appears to be a weak partner in the prevention or detection of moral compromises, but this may change in the future.

Remoteness from the locus of impact of a transaction seems to embolden actors, even when they know that they are acting illegally. We know well how people abuse technology, but we do not have good insights as to why people would indulge in such acts. Broad answers include people’s greed, poor reward systems and attitude. These may or may not be the drivers of immorality, and even if they are, they do not offer a good understanding of why humans lean toward the abuse of technology.

And yet, there is some good news. Automated systems with direct interfaces to, for example, train travelers can be expected to defuse bribery and generate a more robust environment to nurture moral acts. Empowering people with technology may not be easy, but when done right, it is capable of producing significant behavioral change.

What do you think? I am particularly interested in known or possible reasons as to why technology seems to be the culprit in individual or organizational wrongdoing.

Read Vasant Raval’s recent Journal column:
“Information Ethics: Is Information Technology Responsible for Corporate Crises?,” ISACA Journal, volume 2, 2016.


Vasant Raval, DBA, CISA, ACMA

[ISACA Journal Author Blog]

Continuing Signs of Progress on Cybersecurity Policy in the EU

On April 5–6 in The Hague, the Dutch government hosted its International NCSC One Conference 2016, an annual cybersecurity event it has held since 2008. Nearly 1,000 people from government, industry, and academia attended the conference, including from across Europe, the United States, Russia, and Japan. The theme of this year’s One Conference, “Protecting Bits & Atoms,” was chosen to focus on the increasingly connected physical and digital worlds.

The Netherlands is aggressively focusing on cybersecurity. In fact, as European companies and governments have paid growing attention to cybersecurity in recent years, the Dutch are emerging as leaders on cybersecurity matters in the EU, lending their support to activities at the EU level, as well as globally.

The Dutch have made cybersecurity a priority for their EU Presidency, which runs from January through June 2016. The government expects the EU Network and Information Security (NIS) Directive, the text of which was preliminarily agreed to in December, to go into effect on its watch. As of this writing, the latest expectations are that the Directive will be adopted by the European Council in May and published in the Official Journal of the European Union in June. At that point, its implementation clock starts ticking. After three years of activity in Brussels to finalize the Directive, Member States, such as the Netherlands, will now take a larger role, working with European policymakers to make the Directive a reality through its implementation.

The Dutch are eager to help industry and governments prepare for the Directive. A full track of the One Conference was devoted to EU policies, providing the European Commission with a platform to explain the forthcoming requirements on industry – namely risk management, security, and incident notification. The Dutch National Cyber Security Centre (NCSC) pulled together Member State national Computer Security Incident Response Teams (CSIRTs) in a public “meet and greet” to share best practices and kickstart the CSIRT coordination network laid out in the NIS Directive. Although CSIRTs in Europe are not new, not all Member States currently have them, and the NIS Directive instructs Member States to set them up and for them to coordinate via a secretariat hosted by the European Union Agency for Network and Information Security (or, as it’s more commonly known, ENISA).

The Dutch also plan to pull their peers together in May, when the Ministry of Security and Justice will host a meeting on cybersecurity for high-level officials from the Member States, as well as industry, called “Enabling partnerships for a digitally secure future for EU.” The purpose of the meeting is to examine best practices in cybersecurity and to discuss future developments in terms of strengthening European cooperation. One of the meeting’s themes is public-private partnerships.

These efforts are not new; the Netherlands’ actions in cybersecurity have been building. In April 2015, the country held the Global Conference on Cyberspace, which defined global challenges and opportunities related to the Internet. Coming out of that conference, the Dutch launched the Global Forum on Cyber Expertise (GFCE), a forum for cyber capacity building. In the GFCE over 50 organizations and states work together on practical initiatives to strengthen cybersecurity, fight cybercrime, protect online data, and support e-governance.

Not only are the Dutch efforts welcome and important, but their approach is essential. The Netherlands views public-private partnerships as the path to more effective cybersecurity. Patricia Zorko, Deputy National Coordinator for Security and Counterterrorism in the Ministry of Security and Justice, appealed to One Conference attendees to share their expertise. She urged organizations to make cybersecurity a priority in their boardrooms, reflecting the Dutch government’s belief, and that of a growing number of organizations in Europe, that cybersecurity must be seen as much more than an IT issue.

The Dutch government points out that The Hague has a unique ability to play a pivotal role in cybersecurity. The city already is the “International City of Peace and Justice” (it is the United Nations’ second city, after New York), and the Dutch see themselves extending that mission into helping keep cyberspace resilient and facilitating a thriving global digital economy. Having witnessed and participated for years in discussions about cybersecurity public-private partnerships, we find it inspiring when those partnerships begin to crystallize and result in concrete actions, such as the Global Forum on Cyber Expertise. Palo Alto Networks looks forward to supporting initiatives and policies in the Netherlands and throughout the EU to increase our collective, global cyber resilience.

[Palo Alto Networks Research Center]

CSA Releases New White Paper on Current Cloud Certification Challenges Ahead and Proposed Solutions

Today, the Cloud Security Alliance has released the CSA STAR Program & Open Certification Framework in 2016 and Beyond, an important new white paper that has been created to provide the security community with a description of some of the key security certification challenges and how the CSA intends to address them moving forward.

As background, the CSA’s Security, Trust and Assurance Registry (STAR) program, launched in 2011, has become the industry’s leading trust mark for cloud security, with the objective of improving trust in the cloud market by offering increased transparency and information security assurance. The Open Certification Framework (OCF), also developed by the CSA, is an industry initiative to allow global, accredited, trusted certification of cloud providers. It allows for flexible, incremental and multi-layered cloud service provider (CSP) certifications according to the CSA’s industry-leading security guidance.

Together the OCF/STAR program comprises a global cloud computing assurance framework with a scope of capabilities, flexibility of execution, and completeness of vision that far exceeds the risk and compliance objectives of other security audit and certification programs.

Since the launch of STAR, the cloud market has evolved and matured, and so has the cloud audit and certification landscape, with more than fifteen options now available, including national, regional and global, sector-specific, cloud-specific and generic certification schemes. This proliferation has resulted in, among other things, a barrier to entry for CSPs that cannot afford to get certified by multiple countries and organizations.

Aside from the time and cost of pursuing and maintaining these numerous certifications, there are a number of other concerns, including:

  • Lack of means to provide a higher level of assurance and transparency
  • Privacy not adequately taken into account
  • Limited transparency
  • Lack of means to streamline governance, risk and compliance (GRC)

To address these certification challenges, the CSA is proposing, through the OCF, to offer the cloud community both a global recognition scheme for security and privacy certification, and a set of GRC tools and practices that address the many complex assurance and transparency requirements of cloud stakeholders.

The three core ideas behind the CSA’s suggested solutions are that an effective and efficient approach to trust and assurance has to:

  • delicately balance the need of nations and business sectors to develop their specific certification schemas with the need of CSPs to reduce compliance costs
  • avoid having humans (auditors) perform activities that can be performed by machines (e.g., collecting data)
  • make sure that accurate and reliable evidence/information is provided to the relevant people, in a timely fashion, leveraging automated means as much as possible

The paper also outlines how a number of other frameworks and controls should play a part in this solution, including:

  • Leveraging the Cloud Controls Matrix (CCM) and OCF/STAR as normalizing factors
  • Conducting continuous monitoring/auditing
  • Integrating the privacy level agreements (PLA) code of conduct into the STAR Program

The CSA is currently seeking validation for its proposed OCF-STAR program action plan and is seeking input and support from the CSA community. To download the full report or to become involved, visit the Open Certification Working Group.

Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance

[Cloud Security Alliance Blog]

How Financial Institutions Benefit from PAN-OS 7.1

Palo Alto Networks recently released PAN-OS 7.1 for our Next-Generation Security Platform. Many financial institutions will not immediately adopt a brand-new version of software, instead preferring to see how stable the new code is in other venues first. When the time is right, an effort to test and certify the new software will be launched to validate old and new features, interoperability, and integration with network/systems management tools. Such is the life cycle of new software versions before they even get to the actual rollout phase.

That said, PAN-OS 7.1 does offer a number of key benefits to financial institutions:

1. Secure Any Cloud

Many financial institutions are pursuing private, public and hybrid cloud solutions to increase the agility, flexibility and scalability of their information technology (IT) environment. This has become necessary to meet unexpected business demands without the delays associated with provisioning a traditional IT infrastructure. Such capabilities are even more prominent in light of competition from FinTech startups, in addition to established competitors. Palo Alto Networks provides a holistic public and private cloud security solution that leverages our physical and virtual next-generation firewalls deployed across the extended network. This offers protection against sophisticated attacks and advanced persistent threats (APTs), and provides visibility of applications and traffic sources far beyond the native security capabilities offered by cloud service providers, such as Amazon Web Services (AWS) and Microsoft Azure.

2. Embrace SaaS

The use of SaaS applications (e.g., Salesforce, Box) continues to grow among financial institutions. To properly control such applications and minimize shadow IT, detailed visibility of the applications, their usage, and their users is needed. Palo Alto Networks Next-Generation Firewall was built to provide unparalleled visibility and control of all applications, as well as details about application usage across the network. In conjunction, Palo Alto Networks Aperture now enables safe usage of SaaS applications (e.g., Microsoft Office 365) with complete visibility and granular enforcement within the cloud. Ultimately, it boils down to limiting access to prevent data exposure risk and threat insertion while not disrupting business.

3. Accelerated Threat Intelligence

Financial institutions continue to be a favorite target for cyberattacks. The 2015 Verizon Data Breach Investigations Report ranked financial services as one of the top three industries for security incidents, confirmed data loss, and distributed denial of service (DDoS) attacks. This has been the case in previous years as well. When truly unique and targeted attacks are found, financial institutions must accelerate analysis-and-response efforts with the right intelligence and threat context to maximize the effectiveness of their security operations professionals. With the new innovations across the Palo Alto Networks platform, we can provide threat visibility and remediation faster and more effectively than ever before. The new integration of the Palo Alto Networks AutoFocus threat intelligence service with PAN-OS and Panorama centralized management brings advanced threat context to the entire organization, simplifying response efforts for the most critical attacks. This puts the largest collection of unknown malware data at the fingertips of the security operations center, allowing that team to automatically turn analysis efforts for unique, targeted attacks into proactive protections by blocking malicious domains, IP addresses and URLs with AutoFocus and PAN-OS dynamic block lists.

4. Prevent Breaches with Secure User Credentials

With the Palo Alto Networks GlobalProtect mobile security service, users in financial institutions can be connected to the network at all times, eliminating the large and growing blind spot of users roaming off the enterprise network, where they and their credentials are more vulnerable. GlobalProtect works by connecting a user’s mobile device to the closest next-generation firewall so that full network security can be provided regardless of the user’s physical location, such as a coffee shop or airport. With the Palo Alto Networks VM-Series being consumable in public cloud services, such as AWS, the nearest next-generation firewall can be in close proximity to the user, wherever that person might be.

In addition to the key benefits above, PAN-OS 7.1 includes some features that will prove valuable for financial institutions:

  • Elliptic Curve Cryptography (ECC) and Perfect Forward Secrecy (PFS) for Decryption – A number of financial institutions are moving toward ECC-based key exchange algorithms. The preferred method for authentication of secure web browsing is becoming ECC, rather than Secure Sockets Layer (SSL) or Transport Layer Security (TLS). A growing number of sites use ECC to provide PFS, which is essential for online privacy. PAN-OS 7.1 supports decryption, even when ECC and PFS are in effect, to maintain application visibility.
  • Bootstrapping Device Deployment – Financial institutions need to deploy firewalls at remote sites with minimal connectivity, or in bulk for technology refresh projects. The new bootstrapping capability simplifies and automates the initial firewall-provisioning process. This allows for extremely low-touch, distributed deployments of hardware appliances.
  • Structured Threat Information Expression (STIX) Support – Many financial institutions are members of the Financial Services Information Sharing and Analysis Center (FS-ISAC). STIX is the preferred format for the import or export of threat data between parties. AutoFocus adds the ability to share threat intelligence via an application programming interface (API) with output in the STIX standard.
  • Bidirectional Forwarding Detection (BFD) – Some financial institutions use dynamic routing protocols with the Palo Alto Networks firewalls to establish paths for traffic flow through the network. Failure detection can be lengthy before a routing protocol re-convergence can even begin. BFD in PAN-OS 7.1 allows sub-second failure detection, which immediately triggers re-convergence in routing protocols, such as Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP), to re-establish viable paths and traffic flow across the firewalls.

For further information about the new PAN-OS 7.1 release, please visit the following pages.

[Palo Alto Networks Research Center]

Save the Date for Ignite Conference 2017!

Big changes are ahead for Ignite 2017: Goodbye, Vegas, hello, Vancouver!

Save the date for Ignite 2017: June 12-15, 2017 in Vancouver, BC. We look forward to seeing you next year for what will be our greatest Ignite yet. Follow along @Ignite_Conf throughout the next few months for looks back at Ignite 2016 and information to plan for next year.

[Palo Alto Networks Research Center]
