Cloud Computing: A Little Less Cloudy

Today, consumers have an increasing interest in implementing cloud solutions to process and store their data. They are looking to take advantage of the benefits provided by cloud computing, including flexibility, cost savings, and availability. Fortunately, there are many cloud solutions available to consumers, touting cloud computing features such as multi-tenancy, virtualization, or increased collaboration. But is it really a cloud service?

With the rapid growth of these types of solutions, consumers and other interested organizations want to identify whether a service is actually a cloud service.

In actuality, there is such a thing as a cloud service. It has a definition, and we have seen federal agencies require cloud service providers to justify why their service is considered a cloud service.

The five essential cloud characteristics are based on the National Institute of Standards and Technology’s (NIST) definition of cloud computing in Special Publication (SP) 800-145. Here, NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

According to NIST SP 800-145, a cloud service employs all of the following five characteristics:

  1. On-demand self-service – A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
  2. Broad network access – Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
  3. Resource pooling – The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
  4. Rapid elasticity – Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
  5. Measured service – Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Whether you are a cloud service provider, consumer, or other interested party, it is important to identify how the cloud service offering meets each of the five essential characteristics. For example, cloud service providers in the FedRAMP authorization process usually document how their service meets each of the five essential cloud computing characteristics in their System Security Plan (SSP).

It goes without saying that, regardless of whether or not a service meets the definition of a cloud service, the cloud service provider and consumer must always plan and prepare for the security risks associated with providing or using the cloud service and the types of data the cloud service will consume. The cloud service provider is responsible for selecting a security program framework to implement security controls specific to cloud environments and the data protection requirements of their customers. Equally, the consumer must be fully aware of the data they plan to process and/or store with the cloud service and their responsibilities to protect that data.

Christina McGhee, Manager/FedRAMP Technical Lead, Schellman

[Cloud Security Alliance Blog]

Cloud Security Alliance Asia Pacific Hosts Its 5th Annual CSA APAC Summit

SINGAPORE – May 11, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, announced today that it hosted its 5th annual CSA APAC Summit in Singapore, beginning May 3rd. The weeklong event was attended by thought leaders, policy and decision makers representing key industry organizations, cloud customers, and the R&D community. Attendees represented both end-user and industry viewpoints, and the event provided networking and business opportunities. The event was a curtain raiser for IDA’s CloudAsia 2016, which also took place May 3-5 in Singapore.

The keynote presentations this year featured:

  • Khoong Hock Yun, Assistant Chief Executive Officer (Development) and Chief Data Officer of Infocomm Development Authority of Singapore (IDA)
  • Daniele Catteddu, Chief Technology Officer of Cloud Security Alliance
  • David Shearer, CEO of (ISC)2
  • Dr. Meng-Chow Kang, Chief Information Security Officer, APJC Region of Cisco Systems, Inc.
  • Evan Dumas, Head, Emerging Technologies APAC, Middle East, & Africa of Check Point
  • Martin Leo, Executive Director, Morgan Stanley Investment Management
  • Todd Partridge, Director of Product Marketing of Intralinks Holdings, Inc
  • Wally Lee, Cybersecurity Architect, Cybersecurity Global Practice of Microsoft

A complete agenda for CSA’s APAC Summit can be found here.

This year’s event also included a number of key panel presentations focused on emerging trends and issues in cloud computing:

  • “Overcoming the Top Threats to Cloud Computing” by Eric T. Ashdown, Cyber Security Managing Partner of Ridge Partners LLC; Kawin Boonyapredee of Qualys; Mandar Bale of FireEye; and Benildus Nadar of Deep Identity, chaired by Luciano “J.R.” Santos, Executive Vice President of Research of Cloud Security Alliance
  • “Cloud and the Enterprise 2016” chaired by Jimmy Sng, Partner of PricewaterhouseCoopers, with panelists including the Information Security Manager of Waikato District Health Board, the Audit Director for Technology of Australia and New Zealand Banking Group, a Technical Advisor, Asia Pacific, of (ISC)2, and a Security Consultant at Hewlett-Packard Enterprise

The theme of this year’s summit centered on how the future of information security lies in the cloud. An earlier CSA survey identified mobile security as an area of concern. CSA’s Mobile Application Security Testing (MAST) working group, which strives to create a more secure cloud ecosystem to protect mobile applications, will be releasing the Mobile Application Security Testing (MAST) whitepaper after a 4-month public review process. Co-chair Keng Lee discussed this whitepaper during the summit. The whitepaper will also be used in the development of a new certification scheme, CSA STAR Mobile, which will test and certify mobile applications. There may be additional scope of work that will address application store security issues, among others.

CSA also hosted its 4th annual APAC Chapter Leadership Workshop on May 4, an annual event that provides a platform to report Chapter activities, progress and work plans for the year. 25 of the 31 Chapters across Asia Pacific participated in this workshop to discuss Chapter strategies for the year ahead.

On May 5, CSA hosted its 1st in-person CSA STAR Certification Summit. This Summit brought together certification bodies and government representatives from Asia Pacific, Europe and the Americas to discuss the future of cloud computing certification and assurance, while also addressing current challenges in cloud computing security and privacy assurance and compliance. This invitation-only event focused on building strategies for the CSA National Certification approach and roadmap.

The CSA CXO luncheon also occurred on May 5. Senior government officials and corporate decision makers participated in the quarterly lunch, which is theme-based and facilitated by a research analyst. The takeaways from the luncheon create continuous touch points until the next luncheon.

For more information on the CSA APAC Summit and other events in the series, please contact csa-apac-info@cloudsecurityalliance.org.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

Regulatory Management and Measurement Rules

The ISO 31000:2009, Basel III recommendations, the EU Capital Requirement Directives and the Own Risk and Solvency Assessment (ORSA)/Forward Looking Assessment of Own Risk (FLAOR) processes of Solvency II Directives profoundly affect the financing and the insurance of companies in all business sectors and local authorities.

US companies use US National Association of Insurance Commissioners (NAIC) recommendations based on the fundamental principles of ORSA; EU firms refer to FLAOR recommendations; and companies in other countries (e.g., Canada, Japan, China) refer to Solvency II as an international best practice.

This regulatory change began in June 2008 when the American International Group (AIG) faced a financial disaster. The risk maps and risk registers in place, usually under Basel II, were designed to capture incident data to calculate the relative value at risk (VaR) using a stochastic approach (statistics and probability). In this approach, VaR equals unexpected loss. Following the subprime mortgage crisis in 2008, clause 5 of ISO 31000:2009 recommended risk treatment from the point of view of the corporate manager and not from the point of view of the stochastic engineer. It is the cost accounting process of the absolute VaR (VaR = expected loss + unexpected loss) taking into account the risk appetite tolerance threshold.

In March 2012, as part of the NAIC Solvency Modernization Initiative (SMI), the NAIC voted to adopt a significant new addition to US insurance regulation: ORSA. The manner of the calculations used in an ORSA report was left to the discretion of each insurer. This led to variations in the measurement techniques of ORSA among companies. The insurers were concerned because a hard-and-fast, one-size-fits-all solution does not exist. The output was specific to the company, and a set of documents should demonstrate the results of the self-assessment and understanding of own risks.

The Information Technology-Investor Relationship Management (IT-IRM) proposes a standardized, logical process for the ORSA measurement. Our recent Journal article covers how this IT application makes ORSA a logical assessment based on real-time data, making risk controllable and assessable using the same base criteria for economic capital and the same indicators, factors or causes as the determinants of operational risk.

Read Simon Grima, Robert W. Klein, Ronald Zhao, Frank Bezzina and Pascal Lélé’s recent Journal article:
“Strengthening Value and Risk Culture Using a Real-time Logical Tool,” ISACA Journal, volume 3, 2016.

[ISACA Journal Author Blog]

Palo Alto Networks Honored in CRN’s 2016 Women of the Channel and Power 100 Lists

Congratulations to our own Kandyce Tripp, Global Head of Channel Operations, and Melissa Nacerino, Director, Americas Channel Marketing, for making the 2016 Women of the Channel list and the Power 100 list.

CRN’s “Women Of The Channel” project recognizes influential women leaders with extraordinary expertise and vision.

CRN’s Power 100 is a subset of the CRN Women of the Channel who have earned a special distinction based on their exemplary record of success and their level of influence in the channel. 

Here at Palo Alto Networks, we are proud of our dedication to women’s empowerment principles. We recently established a Women’s Networking Community to connect and empower our female workforce. This Community spearheads development workshops, meetings and networking mixers, providing a valuable platform to learn and grow. We also debuted a Women in IT event series, starting with two events in Canada that we are now replicating in multiple regions. The goal is to bring business leaders, channel partners and Palo Alto Networks executives together to engage on the top issues impacting women in business, and to celebrate the impact women have made on the workplace.

[Palo Alto Networks Research Center]

6 Key Challenges in Securing SaaS Applications

SaaS applications pose a significant security challenge. You do not necessarily want to clamp down on their use because they have become a valuable tool for many of your company’s employees. Using cloud storage applications such as Box to upload a few files or using collaboration tools such as Microsoft Office 365 to create documents is an important part of their everyday routine. On the other hand, you cannot allow them to proliferate without control because they will expose your organization to potentially disastrous security and compliance risks, including data leakage and the insertion and distribution of malware.

So, how do you gain control of SaaS usage in your organization? Start by understanding where you may be exposed. Then you can deploy technologies to fix your vulnerabilities and protect the gaps. To help you get started, we’ve identified six of the biggest SaaS security challenges you must address—sooner rather than later. Here they are:

Challenge No. 1—SaaS Usage Visibility and Control

Once data has left the network perimeter, you will have a hard time getting visibility into SaaS applications and controlling their use. So you want to take preventative action. Start by identifying which SaaS applications should be used and which behaviors you will allow within each of those applications. Make a clear delineation between sanctioned and unsanctioned applications. If you want to safely enable “tolerated” applications that can’t be sanctioned, make sure your security products give you the flexibility to exert granular control and policy management.

Challenge No. 2—Data Exposure Visibility

With SaaS usage defined and controlled with granular policy, data will be moving to applications that your organization has sanctioned. However, when the data reaches a cloud service it resides within the SaaS application and is no longer visible to your network perimeter. This is a potential blind spot. You need products that give you additional visibility without being in-line for a deep understanding of users, the data they have shared and how they have shared it.

Challenge No. 3—Contextual Control of Data Exposure

Data in the cloud can be either structured or unstructured. Both types of data can put you at risk. To properly protect data in the cloud and ensure regulatory compliance for sensitive data, you need security tools that enable you to define granular, context-aware policy controls. Make sure you can drive enforcement and quarantine users and data before a violation occurs.

Challenge No. 4—Threat Prevention

Many SaaS applications automatically synchronize files with users. Also, many employees may use SaaS applications to share data with individuals outside your organization’s control. These behaviors create new insertion points for malware. To prevent these threats, you need a security solution that protects your sanctioned SaaS applications from known and unknown malware threats and exploits—regardless of the source of the malicious file.

Challenge No. 5—Risk Prevention (Not Just Response)

Threat and data exposure protections should not be an in-line function that only looks at future events (i.e., like a traditional firewall). Instead, you need to be able to look back at all previous data and shares in your sanctioned SaaS applications. You need to capture events that took place even before the policy was put in place. This way, data exposure and threat risks are caught no matter when they occurred.

Challenge No. 6—Preserving Performance

SaaS applications are popular because they are convenient, easy to use and fast. If your security solution diminishes the user experience, you run the risk of driving users to an unsanctioned application. You don’t want to affect latency or bandwidth requirements for sanctioned SaaS applications. Look for a cloud-based security solution that doesn’t require network configuration changes or inline deployment. Make sure you can also support native applications on mobile devices so users are not limited to only using Web-based access on their devices.

As we talk to customers, we’re finding that getting SaaS applications under control is one of the most important security concerns of the cloud era. You need the right set of products to gain constant visibility, control and protection of your applications and data at all times. The Palo Alto Networks Next-Generation Security Platform was designed specifically to meet these challenges. You can identify SaaS applications with the Next-Generation Firewall, extend protection into the cloud with Aperture, and protect against known and unknown threats with the WildFire threat intelligence service.

For more information on how you can find, control and protect SaaS usage in your organization, download a free copy of our new book, Securing SaaS for Dummies.

[Palo Alto Networks Research Center]
