COBIT: Journey from Control Objectives for Auditors to Governance and Management Framework for Enterprise IT

My COBIT journey began in 1995 when the draft executive summary of COBIT 1st Edition was published in the ISACA Journal. I had passed the CISA exam and had decided to focus on IT audit as my new career. My first reading of the summary made me realize that this was the one-stop shop reference guide for me. After two decades, I can still say with a firm conviction that COBIT has empowered me to remain relevant and add value in all my assignments. Back to the story…

As I used and adapted COBIT’s control objectives, for multiple assignments and clients (small, medium or large), COBIT became the best collection of practices and approaches to use to remain ahead of the technology curve. The next release of COBIT, with the management guidelines, provided a new perspective for managing performance of IT through the key goal indicators and key performance indicators.

The release of COBIT Control Practices added the next layer of best practice and expanded the scope of application to a more detailed level. The fourth edition of COBIT included an IT governance framework. This became immensely popular, as it met both management and regulatory requirements. It aligned IT with business goals. As technology became all-pervasive, there was a compelling need for a holistic approach to implement controls, not just from a management but also from a governance perspective. COBIT 5 met this need as the umbrella framework with its tightly knit governance and management framework. The goals cascade linked enterprise goals with IT goals and with the relevant processes, procedures and practices.

COBIT can be complex or simple, depending on the perspective from which it is read, understood and implemented. The best approach is to consider COBIT as codified common sense that is presented in a structured, systematic way. COBIT can be customized and adapted to enterprise requirements, as it is a framework and not a standard.

The value of COBIT is in what it brings through its effective implementation. Over the years I have realized the key challenge is not whether COBIT is relevant and useful but whether the enterprise has the right skill-sets to customize COBIT to derive value from implementation. The key to successful implementation is the skills of COBIT-trained professionals who can adapt it as required based on their domain expertise.

For a new user, COBIT initially looks quite vast in its coverage and intimidating in its complexity. However, as the reader understands the core principles, uniform structure in which contents are presented and the systematic approach for implementation, the philosophy and practical relevance of COBIT gets demystified. Further, as they start implementing COBIT, COBIT becomes easier to understand.

COBIT’s contents are quite dense and the extent to which they can be expanded by integrating with other frameworks depends on the skill-sets of the user. COBIT can be used only to the extent required. It is not necessary to understand every word of COBIT to implement it. The more one reads and applies COBIT, the easier it becomes.

In the past two decades, COBIT has evolved to become an effective enabler that harnesses and leverages the power of technology to meet enterprise goals. We have witnessed the information revolution aided by the transformation ushered by technology. COBIT has always kept ahead of this technology race by transforming from an audit-oriented framework to a governance-oriented framework. This has helped COBIT maintain its relevance.

The COBIT mantra is “IT is complicated; IT governance doesn’t have to be.” COBIT is the de facto framework of choice for both professionals and enterprises to remain relevant and add value. The knowledge repository of best practices of COBIT 5, coupled with its holistic approach to governance and management of enterprise IT, provides the right blend of processes and practices to seamlessly integrate technology infrastructure into the business process fabric.

Even after being a student of COBIT for two decades, the COBIT journey is still unfolding for me, leading to new discoveries of how I can leverage my skill-sets using the knowledge repository of COBIT. I invite readers who have not read COBIT to drop their apprehensions and start the journey. And for those who think they know COBIT, I suggest that they read it again to get new meaning, insights and practical perspectives of application. Please begin or restart your journey of understanding and implementing COBIT. There are definitely exciting times ahead. COBIT helps enterprises and professionals to be better prepared to meet the dynamic challenges of the digital age!

Abdul Rafeq, CISA, CGEIT, Managing Director, WINCER Infotech Limited

[ISACA Now Blog]

Survey of IT Pros Highlights Lack of Understanding of SaaS Data Loss Risks

Recently, Spanning – an EMC company and provider of backup and recovery for SaaS applications – announced the results of a survey* of over 1,000 IT professionals across the U.S. and the U.K. about trends in SaaS data protection. It turns out that IT pros across the pond have the same concerns as those here in the U.S., as the survey found that security is the top concern when moving critical applications to the cloud. Specifically, 44 percent of U.S. and U.K. IT pros cited external hacking/data breaches as their top concern, ahead of insider attacks and user error.

But that’s not the most interesting finding, as the survey found that perceived concerns differ from reality when it comes to actual data loss. In total, nearly 80 percent of respondents have experienced data loss in their organizations’ SaaS deployments. Accidental deletion of information was the leading cause of data loss from SaaS applications (43 percent in U.S., 41 percent in U.K.), ahead of data loss caused by malicious insiders and hackers.

Beyond accidental deletions, migration errors (33 percent in U.S., 31 percent in U.K.) and accidental overwrites (27 percent in U.S., 26 percent in U.K.) also ranked ahead of external and insider attacks as top causes of data loss in both the U.S. and the U.K.

How SaaS Backup and Recovery Helps
As a case in point, consider one serious user error – clicking a malicious link or file and triggering a ransomware attack. If an organization uses cloud-based collaboration tools like Office 365 OneDrive for Business or Google Drive, the impact of a ransomware attack is multiplied at compute speed. How? An infected laptop contains files that automatically sync to the cloud (via Google Drive or OneDrive for Business). Those newly infected files sync, then infect and encrypt other files in every connected system – including those of business partners or customers, whose files and collaboration tools will be similarly compromised.

This is where backup and recovery enters the picture. Nearly half of respondents in the U.S. not already using a cloud-to-cloud backup and recovery solution said that they trust their SaaS providers with managing backup, while the other half rely on manual solutions. In most cases, SaaS providers are not in a position to recover lost or deleted data due to user error, and cannot blunt the impact of a ransomware attack on their customers. Further, with many organizations relying both on manual backups and an assumption that none of the admins in charge are malicious, the opportunity for accidental neglect or oversight is too big to ignore. The industry would seem to agree. Roughly a third of organizations in the U.S. (37 percent) are already using or plan to use a cloud-to-cloud backup provider for backup and recovery of their SaaS applications within the next 12 months.

Since the survey included U.K. respondents, it also gauged sentiment around the rapidly changing data privacy regulations in the EU, specifically with regard to the “E.U.-U.S. Privacy Shield.” The vast majority of IT professionals surveyed agree (66 percent in the U.K., 72 percent in the U.S.) that storing data in a primary cloud provider’s EU data center will ensure 100 percent compliance with data and privacy regulations.

These results paint a picture of an industry that is as unsure as it is underprepared: while security is a top concern when moving critical applications to the cloud, most organizations trust the inherent protection of their SaaS applications to keep their data safe, even though the leading cause of data loss is user error, which is not normally covered under native SaaS application backup. The results also show that the concerns influencing cloud adoption have little to do with the real cause of everyday data loss and more to do with a fear of data breaches or hackers.

The takeaway from these survey results: more IT pros need an increased awareness and understanding about where, when, and how critical data can be lost to reduce their cloud adoption concerns; and, more IT pros need to learn how to minimize the true sources of SaaS data loss risk. To learn more, download the full survey report, or view an infographic outlining the major findings of the survey.

*Survey Methodology
Spanning by EMC commissioned the online survey, which was completed by 1,037 respondents in December 2015. Of the respondents, 537 (52 percent) were based in the United Kingdom, and 500 in the United States (48 percent). A full 100 percent of the respondents “have influence or decision making authority on spending in the IT department” of their organization.
Respondents were asked to select between two specific roles: “IT Function with Oversight for SaaS Applications” (75 percent U.S., 78 percent U.K., 77 percent overall); “Line of Business/SaaS application owner” (39 percent U.S., 43 percent U.K., 41 percent overall); the remaining identified as “other.”

Melanie Sommer, Director of Marketing, Spanning by EMC

[Cloud Security Alliance Blog]

Can a CASB Protect You From the Treacherous 12?

Many frequently asked questions related to cloud security have included concerns about compliance and insider threats. But lately, a primary question is whether cloud services are falling victim to the same level of external attack as the data center. With Software as a Service (SaaS) becoming the new normal for the corporate workforce, and Infrastructure as a Service (IaaS) on the rise, cloud services now hold mission-critical enterprise data, intellectual property, and other valuable assets. As a result, the cloud is coming under attack, and it’s happening from both inside and outside the organization.

On February 29, the CSA Top Threats Working Group clarified the nature of cloud service attacks in a report titled “The Treacherous 12: Cloud Computing Top Threats in 2016.” In this report the CSA concludes that although cloud services deliver business-supporting technology more efficiently than ever before, they also bring significant risk.

The CSA suggests that these risks occur in part because enterprise business units often acquire cloud services independently of the IT department, and often without regard for security. In addition, regardless of whether the IT department sanctions new cloud services, the door is wide open for the Treacherous 12.

Because all cloud services (sanctioned or not) present risks, the CSA points out that businesses need to take security policies, processes, and best practices into account. That makes sense, but is it enough?

Gartner predicts that through 2020, 95 percent of cloud security failures will be the customer’s fault. This does not necessarily mean that customers lack security expertise. What it does mean, though, is that it’s no longer sufficient to know how to make decisions about risk mitigation in the cloud. To reliably address cloud security, automation will be key.

Cloud security automation is where Cloud Access Security Brokers (CASBs) come into play. A CASB can help automate visibility, compliance, data security, and threat protection for cloud services. We thought it would be interesting to take a look at how well CASBs in general would fare at helping enterprises survive the treacherous 12.

The good news is that CASBs clearly address nine of the treacherous 12 (along with many other risks not mentioned in the report). These include:

#1 Data breach
#2 Weak ID, credential, and access management
#3 Insecure APIs
#4 System and application vulnerabilities
#5 Account hijacking
#6 Malicious insiders
#7 Advanced persistent threats
#10 Abuse and nefarious use of cloud services
#12 Shared technology issues

There are countless examples of why being protected against the treacherous 12 is important. Some of the more high profile ones:

  • Data breach: In the 2015 Anthem breach, hackers used a third-party cloud service to steal over 80M customer credentials.
  • Insecure APIs: The mid-2015 IRS breach exposed over 300K records. While that’s a big number, the more interesting one is that it only took 1 vulnerable API to allow the breach to happen.
  • Malicious Insiders: Uber reported that their main database was improperly accessed. The unauthorized individual downloaded 50K names and numbers to a cloud service. Was it their former employee, the current Lyft CTO? That was Uber’s opinion. The DOJ disagreed and a lawsuit ensued.

In each of these cases a CASB could have helped. A CASB can help detect data breaches by monitoring privileged users, encryption policies, and the movement of sensitive data. A CASB can also detect unusual activity within cloud services that originates from API calls, and support risk scoring of external APIs and applications based on that activity. And a CASB can spot malicious insiders by monitoring for overly privileged user accounts as well as user profiles, roles, and privileges that drift from compliant baselines. Finally, a CASB can detect malicious user activity through user behavior analytics.
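The baseline-drift and over-privilege monitoring described above, as an added illustration that is not Palerra's or any CASB product's code: the approved-roles baseline, the privileged-role list and the entitlement snapshot are constructed sample data standing in for what a CASB would pull from a cloud service's admin API.

```python
"""Detect role/privilege drift from a compliant baseline (added example)."""
from dataclasses import dataclass

# Constructed sample baseline: the approved set of roles for each user.
BASELINE = {
    "alice": {"reader"},
    "bob": {"reader", "editor"},
    "svc-backup": {"reader", "backup-operator"},
}

# Constructed list of roles that confer broad control; any grant is a finding.
PRIVILEGED_ROLES = frozenset({"org-admin", "billing-admin", "key-manager"})

# Constructed snapshot as a CASB might collect it from the service today.
SNAPSHOT = {
    "alice": {"reader", "org-admin"},              # privileged role added
    "bob": {"reader"},                             # approved role removed
    "svc-backup": {"reader", "backup-operator"},   # unchanged
    "mallory": {"editor", "key-manager"},          # account not in baseline
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str            # added | removed | unknown_user | missing_user | overprivileged
    roles: frozenset     # the roles the finding is about (empty for missing_user)


def detect_drift(baseline, snapshot, privileged=PRIVILEGED_ROLES):
    """Compare a live entitlement snapshot against the approved baseline.

    Returns one Finding per deviation. Over-privilege is reported on the
    snapshot regardless of baseline, so a privileged role that was wrongly
    approved in the baseline still surfaces for review.
    """
    findings = []
    for user, roles in snapshot.items():
        approved = baseline.get(user)
        if approved is None:
            findings.append(Finding(user, "unknown_user", frozenset(roles)))
        else:
            added, removed = roles - approved, approved - roles
            if added:
                findings.append(Finding(user, "added", frozenset(added)))
            if removed:
                findings.append(Finding(user, "removed", frozenset(removed)))
        excess = roles & privileged
        if excess:
            findings.append(Finding(user, "overprivileged", frozenset(excess)))
    # Accounts that vanished from the service without the baseline being updated.
    for user in baseline.keys() - snapshot.keys():
        findings.append(Finding(user, "missing_user", frozenset()))
    return findings


if __name__ == "__main__":
    for f in detect_drift(BASELINE, SNAPSHOT):
        print(f"{f.kind:15} {f.user:12} {sorted(f.roles)}")
```

In practice the baseline would be the approved entitlement model kept under change control, and each finding would feed a review or alert workflow rather than stdout.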

What about the three threats that aren’t covered by a CASB? Those include:

#8 Data loss
#9 Insufficient due diligence
#11 Denial of services

The cost of data loss (#8, above) is huge. A now-defunct company named Code Spaces had to close down when its corporate assets were destroyed, because it did not follow best practices for business continuity and disaster recovery. Data loss prevention is a primary corporate responsibility, and a CASB can’t detect whether it is in place. Insufficient due diligence (#9) is the responsibility of the organization leveraging the cloud service, not the service provider. Executives need a good roadmap and checklist for due diligence. A CASB can provide advice, but it doesn’t automate the process. Finally, denial of service (DoS, #11, above) attacks are intended to take the provider down. It is the provider’s responsibility to take precautions to mitigate DoS attacks.

For a quick reference guide to the question, “Can a CASB protect you from the 2016 treacherous 12?,” download this infographic.

To learn more, join Palerra CTO Ganesh Kirti and CSA Executive VP of Research J.R. Santos as they discuss “CASBs and the Treacherous 12 Top Cloud Threats” on April 25, 2-3pm EDT. Register for the webinar now.

Ganesh Kirti, Founder and CTO, Palerra

[Cloud Security Alliance Blog]

Cloud Security Alliance Announces Speakers and Presentations for Upcoming SecureCloud 2016 Conference

Leaders from Intel, Microsoft, Forrester Research and NIST Among Presenters at Upcoming Premier European Cloud Security Event

DUBLIN, IRELAND – April 25, 2016 – The Cloud Security Alliance (CSA), in collaboration with Fraunhofer FOKUS and ENISA, today announced the presentations and speaker line-up for the upcoming SecureCloud conference. The SecureCloud 2016 conference is scheduled for May 24 – 25 at Aviva Stadium in Dublin, Ireland. SecureCloud is the only European conference focused exclusively on cloud security and aims to provide an opportunity for government experts, industry experts, and corporate decision makers to discuss and exchange ideas about how to shape the future of cloud computing security.

“Even with all the awareness of the benefits of cloud technology, an overwhelming number of companies still have concerns about security, privacy and data management in the cloud and conferences such as this one are an important forum to address, discuss and resolve these concerns,” said Daniele Catteddu, Chief Technology Officer of the CSA. “SecureCloud will bring together some of the cloud industry’s top experts and thought leaders and we expect that it will draw substantial interest from the industry. We anticipate that this year’s event will further grow this body of knowledge and help us achieve a more trusted and secure cloud environment.”

An initial line-up of featured speakers includes:

  • “Securing the Cloud of Tomorrow” by Raj Samani, VP and CTO for Intel Security
  • “Privacy & Security in the Cloud: Customer Rights and Governments’ Lawful Access to Data” by John Frank, Vice President, EU Government Affairs at Microsoft
  • “Understanding the Crux – Abuse of Cloud Storage Services for Targeted Cyber Attacks” by Aditya K. Sood, Director of Security and Cloud Threat Labs at Elastica
  • “Flying Through a Cloudy Sky” by Michaela Iorga, Senior Security Technical Lead for Cloud Computing at NIST

Additional featured presentations will also be given by Laura Koetzle, Vice President and General Manager, Forrester Research; Vinay Patel, Global Head of Information Security Risk Management at Citi Technology Infrastructure; Dr. Kuan Hon, Senior Researcher at QML; Nathaly Rey, EMEA Trust Manager, Google for Work; EMC; and Jim Reavis, Co-founder and CEO of the CSA.

This year’s event will also include a number of key panel presentations focused on some of the most significant emerging trends and issues in cloud computing, including:

  • “Cloud Computing Compliance Controls Catalog (C5)” by Information Security Expert Patrick Grete, Clemens Doubrava of the British Standards Institute (BSI) and Charles Schulz of Agence nationale de sécurité des systèmes d’information (ANSSI)
  • “Financial Services in the Cloud” by Craig Balding of Barclays, Mario Maawad of Caixa Bank and Douglas Taylor of Citi

For more information on SecureCloud 2016, including registration details and schedule, please visit https://csacongress.org/event/securecloud-2016/

Media Contact

Kari Walker for the CSA
kari@zagcommunications.com
703.928.9996

[Cloud Security Alliance Research News]

Palo Alto Networks Named Best Place to Work in Silicon Valley

Last week, the San Francisco Business Times announced their annual list of the best places to work in Silicon Valley. We are thrilled and honored to see Palo Alto Networks at the very top of this year’s list!

Palo Alto Networks is a special place, and for many of us it’s by far the best place we have ever worked. Take a look at our People of Palo Alto Networks video series to see some of the reasons why our company means so much to us. Our highly collaborative culture allows us to work together and learn together. We delegate decision making and give each of us ownership over our work. We value self-awareness and have a learning mindset, in which we recognize our strengths and weaknesses and continually strive to improve. In other words, a culture without egos and without walls.

Thank you to the San Francisco Business Times and to our employees who ensure our culture is the magic in our work environment. This is an extraordinary company made up of extraordinary people, and it’s an honor to work with everyone here. Go Palo Alto Networks!

If you’d like to learn more about opportunities for joining this great team, I invite you to visit our Careers page.

[Palo Alto Networks Research Center]
