Former White House CIO Talks Cyber Awareness, Protecting POTUS’s Data, and More

ISACA Now recently sat down with Theresa Payton, Former White House chief information officer (CIO), cybersecurity authority and expert on identity theft and the Internet of Things, for a Q&A on the future of cybersecurity, her days in the White House, and how women (and men) can break into the cybersecurity profession. Payton will present Big Data and the Internet of Things: Boon or Bust for Your Cybersecurity Efforts? in General Session 1 at the 2016 Governance, Risk and Control (GRC) Conference, 22-24 August, Fort Lauderdale, Florida.

ISACA NOW: With cybersecurity often looking like a chaotic collection of pitched battles between the good guys and the bad guys, do you envision a future where the good guys actually win? If so, how can that happen? If not, how do you envision the future state of cybersecurity?
Payton: As the headlines grow in stature, so does people’s awareness, and that is why I am optimistic about the state of cybersecurity. Now, more than ever, as companies see how unrelenting and crafty hackers can be to get what they want (for example, infiltrating Target via an HVAC vendor), they know it CAN happen to them. Words that were foreign to consumers, such as “phishing,” are now very familiar. When you learn what these things are and how easily you can be manipulated, then you know not to be complacent, because we are sure of one thing: hackers aren’t going anywhere. It is too lucrative for them.
Knowledge is power!

ISACA NOW: What was the most challenging cybersecurity-related issue during your time at the White House? Why?
Payton: When I was White House CIO, my team knew that security at the White House came down to people. We knew we had to address the complexity of our systems and technology. We also had to win over the hearts and minds of the staff if we wanted to protect their privacy and security. Our security protocols were meaningless if we made them too difficult for people to do their jobs.

Of course, everything at the White House was considered “critical” and “sensitive” data, but we knew we couldn’t protect every asset the same way. Just as the United States Secret Service has a clear focus, to physically protect the President and Vice President, we followed that same principle of a clear focus in the CIO’s office.

The CIO’s office was there for protection and to keep all assets safe. However, with a limited time frame and resources, we always had a laser beam focus on the top two most critical assets.

The first example of how we took this approach might remind you of Downton Abbey. Many people may not realize that the Usher’s Office has a long and rich history of providing elegant service, and it follows strict protocols steeped in a rich history. Yet, modern times are evident in the Usher’s office. For example, every chicken breast and every flower stem has to be barcoded. This inventory system enables the White House to know when they need to order more and which budget pays for it. Obviously, we wanted to protect the inventory of food and flowers that came into the White House but those digital assets did not have the same prioritization for protection as the President’s schedule.

ISACA NOW: You are a woman who has made it to the top of a male-dominated profession. What advice do you have for women who are either just starting out or at the mid-point in a technology career?
Payton: I have spent my entire career in the field of cyber security. When I stuck my toe into the water, I did not see many women in the field, and today I take heart that this predicament is slowly changing. However, if we were in a race car, now would be the perfect time to step on the gas and go full throttle. We need all hands on deck to defeat our cyber foes and prepare for the future. If you have any inkling to enter this field, here are some tips that helped me along the way:

Volunteer time at FBI InfraGard, which is a partnership between the FBI and the private sector. This is an amazing collaboration between people who represent businesses, academic institutions, state and local law enforcement agencies, all dedicated to sharing information and intelligence to prevent hostile acts against the U.S.

Take online or community college classes to see what you like and dislike about the field. Now that the field of cyber security is growing at such a fast rate, colleges and universities have to catch up. Consequently, they are offering all sorts of classes. To that end, you can also attend a cybersecurity workshop or seminar in your community. Even if you ultimately do not choose this as a career path it surely helps to know the best ways to keep your own data safer!

Talk to people in the field. Find out more about the roles they play and what helped them get started, or even shadow a cybersecurity professional at work. This is what really clinched it for me. The more people I met in the field, the more I knew I wanted to be a part of it. That holds true to this day. The field of cyber security is ever-changing and even more rewarding.

More information on the 2016 GRC Conference and Payton’s session is available from ISACA.

Theresa Payton, President & CEO, Fortalice Solutions

[ISACA Now Blog]

Tech Docs: Simplify Firewall Management Using Template Stacks

How Do Template Stacks Help Me Manage Firewalls?

Managing how firewalls operate in your network can be complex, especially when their locations and functions affect the settings you configure. Firewalls in one country might use a different DNS server than firewalls in another country. Operations center firewalls might have different administrators than branch office firewalls, while all of your firewalls use the same administrator roles. You can simplify management by using a Panorama template to configure the settings that are common to all the firewalls in a particular location or functional group. When you have to manage both common and unique settings across many firewall groups, however, templates become far more useful if you can modularize them: build a few building-block templates and reuse them in many combinations. Template stacks make this not only possible, but easy.

Assigning firewalls to a template stack eliminates the need to configure common settings in each template because the firewalls inherit the settings from all the building-block templates in the stack. You can reduce both the number of templates and the number of settings in each by modularizing: create one template with common settings and function- or location-specific templates with unique settings. This approach is a lot less work than configuring all the common and unique settings in each template for each firewall group.

How Do I Configure a Template Stack?

The following infographic describes how to configure a template stack. The steps are:

  1. Plan the templates and their priority order. If more than one template defines the same setting, the value in the higher-priority template overrides the value in the lower-priority templates.
  2. Create the templates.
  3. Create the template stack and assign templates (in the desired priority order) and firewalls to the stack.
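The priority rule in step 1 is the part that bites in practice: a higher-priority template silently replaces a lower one's value, so it is worth knowing, for every firewall, which template each effective setting came from and which settings were overridden. The following is an added Python model of that inheritance, not Panorama or PAN-OS code; the template names, stack order, firewall names and flattened setting keys are constructed for illustration.

```python
"""Model of Panorama template-stack inheritance (an illustration, not Panorama code).

A stack lists templates from highest to lowest priority. A firewall assigned to
the stack inherits every setting from every template in it; where two templates
set the same key to different values, the higher-priority template wins.
All names and settings below are constructed.
"""

# Constructed building-block templates: one with common settings, one per
# region, one per function. Keys are flattened "section.setting" names.
TEMPLATES = {
    "global-common": {
        "dns.primary": "10.0.0.53",
        "ntp.primary": "10.0.0.123",
        "admin-role.ops": "superuser",
        "log.forwarding": "panorama",
    },
    "region-emea": {
        "dns.primary": "10.20.0.53",      # EMEA firewalls use a regional resolver
        "timezone": "Europe/Berlin",
    },
    "function-branch": {
        "admin-role.ops": "deviceadmin",  # branch operators get a narrower role
        "log.forwarding": "panorama",     # same value as global: not a conflict
    },
}

# Constructed stacks (highest priority first) and firewall assignments.
STACKS = {
    "emea-branch": ["function-branch", "region-emea", "global-common"],
    "us-ops": ["global-common"],
}
FIREWALLS = {"fw-ber-01": "emea-branch", "fw-fra-02": "emea-branch", "fw-nyc-01": "us-ops"}


def resolve_stack(order, templates=TEMPLATES):
    """Merge templates in priority order.

    Returns (effective, overrides): the settings a member firewall ends up with,
    and a list of (key, winner, loser, winner_value, loser_value) for every key
    that a higher-priority template changed. Identical values are not reported,
    so the list is exactly the set of silent overrides worth reviewing.
    """
    effective, source, overrides = {}, {}, []
    for name in reversed(order):                # lowest priority first ...
        for key, value in templates[name].items():
            if key in effective and effective[key] != value:
                overrides.append((key, name, source[key], value, effective[key]))
            effective[key] = value              # ... so the higher-priority template wins
            source[key] = name
    return effective, overrides


def firewall_settings(firewall, firewalls=FIREWALLS, stacks=STACKS):
    """Effective settings for one firewall, via its stack assignment."""
    effective, _ = resolve_stack(stacks[firewalls[firewall]])
    return effective


def missing_settings(firewall, required, firewalls=FIREWALLS, stacks=STACKS):
    """Audit check: required keys that no template in the firewall's stack sets."""
    return sorted(set(required) - set(firewall_settings(firewall, firewalls, stacks)))


if __name__ == "__main__":
    for stack, order in STACKS.items():
        effective, overrides = resolve_stack(order)
        print(f"{stack}: {effective}")
        for key, winner, loser, new, old in overrides:
            print(f"  {key}: {winner}={new!r} overrides {loser}={old!r}")
    print("fw-nyc-01 missing:", missing_settings("fw-nyc-01", ["dns.primary", "timezone"]))
```

Running it shows the EMEA branch stack resolving `dns.primary` to the regional resolver and `admin-role.ops` to the narrower role, with both overrides listed, while the US stack is flagged as never setting a timezone. Reversing the order of two templates changes which DNS value wins, which is why step 1 asks you to plan the priority order before creating the stack.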


For detailed instructions, refer to Configure a Template Stack in the PAN-OS 7.1 Administrator’s Guide.

[Palo Alto Networks Research Center]

Microsoft Azure Closes IaaS Adoption Gap with Amazon AWS

Industry analyst firm Gartner predicts that the infrastructure as a service (IaaS) market will grow 38.4% in 2016 to reach $22.4 billion by the end of the year. A new report from the Cloud Security Alliance (download a free copy here) finds that Microsoft is quickly catching up with industry leader Amazon in the race to tap this growing market. Amazon, Google, and Microsoft collectively own 82.0% of the IaaS market today. Even at companies that have a strict “no cloud” philosophy, IT leaders admit that nearly one fifth of their computing workloads will be in the public cloud this year versus their own data centers.

Amazon remains the dominant IaaS provider, but Microsoft is closing the gap in market share. IT professionals at 37.1% of companies indicated that Amazon AWS is the primary IaaS platform at their organization. Microsoft Azure is a close second at 28.4%, followed by Google Cloud Platform at 16.5%. Enterprises using public cloud benefit in many ways, including greater agility, lower cost of ownership, and faster time to market. IaaS providers, meanwhile, are also benefitting. In April 2016, Amazon reported that AWS is its most profitable division and is growing 64% annually.


IaaS adoption trends
Enterprises are increasingly relying on public cloud infrastructure providers such as Amazon, Microsoft, and Google for their computing resources, rather than managing their own data centers. A plurality of organizations (45.1%) have a “hybrid cloud” philosophy, another 25.1% prefer private cloud, and 21.5% take a predominantly public cloud approach. Just 8.2% of enterprises have a “no cloud” philosophy. Today, 31.2% of an enterprise’s computing resources come from infrastructure as a service (IaaS) providers. IT professionals expect that number to rapidly grow to 41.0% of computing workloads in the next 12 months.

Not surprisingly, companies with a “public cloud” philosophy have more computing in the public cloud. At these companies, nearly one half (47.8%) of computing resides in the public cloud today and IT professionals at these organizations expect a majority of their computing (56.5%) will reside in the public cloud 12 months from now. Even companies with a “no cloud” philosophy estimate that 14.6% of their computing nevertheless resides in the public cloud, and they expect that number will grow to 18.8% in the next 12 months. There is a sizable amount of computing in public cloud IaaS even for organizations that are philosophically opposed to cloud.

There is a clear correlation between company size and IaaS adoption. Companies with fewer employees rely on public IaaS platforms for more of their computing today. Companies with 1-1,000 employees have the largest share of computing workloads in the public cloud (37.1%) versus companies with more than 10,000 employees (22.3%). However, in the next 12 months, companies with more than 10,000 employees are anticipating growing their use of IaaS to 32.9%, which would eclipse companies with 5,000-10,000 employees and would put them roughly on par with companies with just 1,000-5,000 employees. Public IaaS appears to be reaching an inflection point in the enterprise.

Barriers to IaaS projects
Despite the rapid growth of public cloud infrastructure, there are still barriers holding back IaaS adoption. The most common barrier reported by IT professionals is concern about the security of the IaaS platform itself (62.1% of respondents). The next most common roadblock is also security related – 40.5% of respondents indicated that concern about the ability to secure applications deployed on IaaS platforms is a barrier to adoption. The third most common barrier, reported by 37.9% of respondents, is the inability to store data within their country to comply with data privacy laws (e.g. EU General Data Protection Regulation).

Despite concerns, overall confidence in cloud
Despite concerns about security, a clear majority (61.6%) of IT leaders believe that, generally speaking, custom applications they deploy on IaaS platforms are as secure, if not more secure, than applications they deploy in their own datacenter. That may be due in part to the significant investments cloud providers have made in their own security, and in achieving compliance certifications such as ISO 27001 and 27018 to demonstrate those investments. It could also be due to a growing sentiment that cloud companies such as Amazon, Microsoft, and Google can dedicate far more resources to IT security than the average company, where IT is not the core business.

Cameron Coles, Director of Product Marketing, Skyhigh Networks

[Cloud Security Alliance Blog]

Cloud Security Alliance Issues New Paper on Understanding Quantum Random Number Generators

The Cloud Security Alliance (CSA) today announced the availability of a new research brief from the Quantum-Safe Security (QSS) Working Group titled Quantum Random Number Generators, a whitepaper that details the impact of randomness on security, randomness being one of the building blocks of effective encryption.

Quantum computing, which exploits quantum-mechanical properties of particles such as superposition and entanglement to store and process information, has the potential to perform certain calculations significantly faster than any silicon-based classical computer. When fully realized, quantum computers will far exceed the capability of today’s supercomputers on those problems, with speedups described as billion-fold and beyond. With its advent, there is a growing area of concern and attention for businesses and security professionals.

A random number is generated by a process whose outcome is unpredictable and cannot be reliably reproduced. Random numbers are foundational to information security and are the building blocks of encryption, authentication, signing, key wrapping, one-time codes, nonces, and other cryptographic applications. The performance and characteristics of random number generators have a strong impact on security. Attackers do not usually attempt to crack encryption; they simply steal or guess keys. Poor quality or insufficient quantity of random numbers makes that much easier, reducing security well below its designed level and making the overall system vulnerable.
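To make the "guess the key" point concrete, the following added Python example (not from the CSA paper) derives a key two ways: from a non-cryptographic PRNG seeded with a guessable timestamp, which an attacker recovers by enumerating a window of seeds, and from the operating system's CSPRNG, which has no small seed to search. It also applies a simple quality check, the most-common-value min-entropy estimator from NIST SP 800-90B, to raw generator output. The timestamp seed, the search window and the sample sizes are constructed for the demonstration.

```python
"""Added example: why key material must come from an unpredictable source.

  * weak_key(): key from Python's Mersenne Twister seeded with a timestamp;
    an attacker who can bound the timestamp recovers it by brute force.
  * strong_key(): key from the OS CSPRNG (secrets); nothing to enumerate.
  * min_entropy_per_byte(): most-common-value estimate (NIST SP 800-90B),
    a sanity check on raw output that catches bias but NOT predictability.
Seeds, windows and sample sizes below are constructed.
"""
import math
import random
import secrets
from collections import Counter

KEY_BYTES = 16


def weak_key(seed: int) -> bytes:
    """Key from a PRNG that is NOT cryptographically secure. Seeding with
    something like int(time.time()) makes the whole key a function of a
    guessable value (this is the bug being demonstrated)."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def recover_weak_key_seed(observed: bytes, seed_lo: int, seed_hi: int):
    """Attacker view: re-derive the key for every seed in a window (minutes
    or hours for a timestamp) until one matches. Returns the seed, or None
    if it lies outside the window."""
    for seed in range(seed_lo, seed_hi):
        if weak_key(seed) == observed:
            return seed
    return None


def strong_key() -> bytes:
    """Key from the OS CSPRNG; there is no seed for the attacker to enumerate."""
    return secrets.token_bytes(KEY_BYTES)


def weak_generator_output(seed: int, n: int) -> bytes:
    """n raw bytes from the seeded non-cryptographic PRNG."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def biased_output(seed: int, n: int) -> bytes:
    """Constructed low-quality source: only 16 of 256 byte values ever occur."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(4) for _ in range(n))


def csprng_output(n: int) -> bytes:
    """n raw bytes from the OS CSPRNG."""
    return secrets.token_bytes(n)


def min_entropy_per_byte(sample: bytes) -> float:
    """Most-common-value min-entropy estimate, -log2(p_max), in bits per byte.
    A uniform source approaches 8.0; a constant source gives 0.0. This is an
    estimate on a finite sample, not a proof that the source is secure."""
    if not sample:
        raise ValueError("empty sample")
    _, top = Counter(sample).most_common(1)[0]
    return -math.log2(top / len(sample))


if __name__ == "__main__":
    ASSUMED_TIMESTAMP = 1_470_000_000  # constructed: an August 2016 epoch seed
    victim = weak_key(ASSUMED_TIMESTAMP)
    # The attacker only knows the key was generated within +/- 30 minutes.
    found = recover_weak_key_seed(victim, ASSUMED_TIMESTAMP - 1800, ASSUMED_TIMESTAMP + 1800)
    print("weak key recovered, seed =", found, "key =", weak_key(found).hex())
    print("strong key (no seed to search):", strong_key().hex())
    for label, data in (
        ("weak PRNG output ", weak_generator_output(ASSUMED_TIMESTAMP, 4096)),
        ("CSPRNG output    ", csprng_output(4096)),
        ("biased source    ", biased_output(ASSUMED_TIMESTAMP, 4096)),
    ):
        print(f"min-entropy/byte, {label}: {min_entropy_per_byte(data):.2f}")
```

The caveat the output makes visible: the seeded Mersenne Twister scores about as well as the CSPRNG on the min-entropy estimate, yet its key is recovered in a few thousand guesses. Statistical quality of the output stream and unpredictability of the seed are separate requirements, and a key generator needs both.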

Headed up by co-chairs Bruno Huttner of ID Quantique and Jane Melia of QuintessenceLabs, the QSS Working Group is focused on stimulating the understanding, adoption, use and widespread application of quantum-safe cryptography among commercial institutions, policy makers, and all relevant government bodies. Using quantum random numbers is one of the strategies recommended by the QSS Working Group to protect and future-proof data against improvements in computing power, new attack strategies, weak random number generators, and the emergence of quantum computers.

To access the full report visit: https://cloudsecurityalliance.org/download/quantum-random-number-generators/

[Cloud Security Alliance Research News]
