Cybercrime Can Put Reputation of Enterprises At Stake

Worldwide, organizations are concerned about cybercrime – but not necessarily for the reasons most would think. While many organizations worry about the technical issues posed by a cybercrime attack, such as ransomware locking up entire swaths of servers and bringing business operations to their knees, most are even more concerned about their public perception and the loss of clientele.

In fact, while an attack or exploitation by a cybercriminal may be technically damaging to an organization, the fallout over how the attack is handled may be even worse, and it reveals what companies truly fear.

Understanding the technical implications of an attack is incredibly important. That is why many organizations employ incident response teams. Analyzing an attack and restoring business operations are key to ensuring that an organization does not fall prey to the same attack or, ideally, the same attacker. However, with proper incident response and disaster recovery capabilities in place, technically recovering from an attack becomes a matter of restoring services and implementing the appropriate cybersecurity controls to protect the exploited organization.

What takes much longer to restore is public brand perception and customer retention. Companies have shown their fear of customer loss in the past by implementing rather dramatic controls in an effort to keep their customers. For example, after Yahoo revealed its most recent breach in 2016, it immediately disabled the automatic email forwarding feature.1 While this was a small change on Yahoo's part, it was a huge change for its customers, who may have wanted to move to another email provider while ensuring that they did not miss anything pivotal sent to their old address. Users thus had a much harder time switching to another provider, out of fear of missing an important email. It goes without saying that users, and the media, reacted adversely.

In comparison to Yahoo, the University of Maryland, which suffered the theft of student personally identifiable information (PII) in early 2014, took a very different approach: it announced the attack and its response in the same week. Each student whose information was compromised was provided five years of credit monitoring. Additionally, public presentations explained the attack as well as the controls put in place to deter future attacks. The incident was thus quickly relegated to memory and barely discussed beyond the ensuing weeks.

The Yahoo and University of Maryland examples are just two that illustrate the real damage that can result from cybercrime attacks: reputational damage and loss of consumer confidence. Those working in cyber security should keep this in mind during incident response or disaster recovery – though the technical impact on an organization may be damaging, the reputational damage could be leagues worse.

Editor’s note: Through its Cybersecurity Nexus (CSX), ISACA has issued new guidance providing insights on some of the top emerging cyberthreats and the methods through which enterprises can defend themselves.

1 https://techcrunch.com/2016/10/10/yahoo-makes-it-difficult-to-leave-its-service-by-disabling-email-forwarding

Frank Downs, Senior Manager, Cyber/Information Security, ISACA

[ISACA Now Blog]

The New CSA Consultancy Program Will Ensure Best Practices in Secure Cloud Implementation

As increasing numbers of enterprises begin the move to the cloud in earnest, a host of third-party consultancy firms has emerged alongside them, offering guidance on cloud technology best practices and implementation. Recognizing a genuine need for a trusted network, in which organizations and professionals can be relied on to provide high-quality cloud security consultancy services based on CSA best practices, we are launching a new initiative, the CSA Consultancy Program (CSA-CP), which will go live in mid-2017 with Optiv as the first certified provider.

The overarching goal of the CSA-CP is to support organizations looking to improve their cloud security posture and implement high standards of compliance and assurance. The program will provide a registry, the CSA Consultancy Services Registry (CSA-CSR), a web repository similar to the CSA STAR Registry. In doing so it will simplify the search for trusted consultancy services and speed the adoption of effective, secure cloud implementations.

Grounded in CSA's best practices, the program will be delivered by a highly vetted, trusted network of organizations and professionals, and we couldn't be more pleased to count Optiv as our first provider.

“As a long-time supporter of CSA’s best practices, certifications and guidance, we look forward to helping organizations better understand how to implement an effective cloud security posture and ensure compliance and assurance standards are met,” said JD Sherry, Vice President, GM, Cloud Security & Strategy, Optiv, Inc. “The consultancy program will serve an excellent purpose in this regard and we are proud that Optiv is part of what we expect to be a valuable program in the future.”

The qualifications that must be met are rigorous. In order to be listed as a CSA Qualified Consultancy Service Provider, organizations must demonstrate they have completed and passed the:

  • Certificate of Cloud Security Knowledge (CCSK) examination,
  • CSA CCM training course,
  • CSA STAR Certification Qualified Auditor designation and/or Consultant designation, and
  • Certified Cloud Security Professional (CCSP) current year exam completion.

With the widespread adoption of CSA best practices, we see an opportunity and need for a repository of qualified and trusted cloud security experts. Securing the cloud continues to be our top priority, and the CSA-CP will help achieve this.

Daniele Catteddu, Chief Technology Officer, CSA

[Cloud Security Alliance Blog]

New Security Research – the Software-Defined Perimeter for the Cloud

On behalf of the Cloud Security Alliance, I’m pleased to announce the publication of our newest security research from the Software Defined Perimeter (SDP) Working Group, exploring how the SDP can be applied to Infrastructure-as-a-Service environments. Thanks to all the people who commented and contributed to this research over the past 10 months, especially Puneet Thapliyal from Trusted Passage.

Cloud adoption has soared over the past few years, and yet recent surveys indicate that security is still a concern. In one Cloud Security Alliance survey, over 67% of respondents indicated that an inability to enforce corporate security standards represents a barrier to cloud adoption, while 61% noted that compliance concerns pose a barrier.

It’s quickly becoming widely understood that SDP is the preferred new way to securely deploy services. Leading analyst firms are recommending that public-facing services be protected with a new security approach, and are talking about SDP as a strong alternative to traditional network security solutions.

Enterprises have recognized that SDP can address their concerns about adopting cloud, but the Software-Defined Perimeter approach is still relatively unknown to many (a quick primer on SDP is available if you need a refresher). Security architects and IT leaders are eager to learn more about how best to design and deploy SDP-based systems.

As a vendor that offers an SDP solution, and as a leader of the SDP Working Group, we’re happy to share our knowledge and experience. This is why we’ve spent the time and effort, in partnership with other SDP practitioners, to create this new security research outlining how Software-Defined Perimeter applies to IaaS environments.

Security for IaaS is particularly interesting, because it’s a responsibility that’s shared between enterprises and cloud providers, and because IaaS has different (and in some ways more challenging) user access and security requirements than traditional on-premises systems. Our new research focuses on how SDP can be applied to Infrastructure-as-a-Service environments, and explores the following use cases:

  • Secure Access by Developers into IaaS Environment
  • Secure Business User Access to Internal Corporate Application Services
  • Secure Admin Access To Public Facing Services
  • Updating User Access When New Server Instances Are Created
  • Hardware Management Plane Access for Service Provider
  • Controlling Access Across Multiple Enterprise Accounts

This research is now available here – and we look forward to getting your feedback. Please join the SDP Working Group to collaborate.

Finally, now that this research has been published, we are beginning work to outline more architectures and new applications of the protocol in version 2 of the SDP specification. Please join us if you're interested in contributing to or learning more about that project as well.

Jason Garbis, Vice President of Products, Cryptzone

[Cloud Security Alliance Blog]

3-2-1, Takeoff. The STARWatch Cloud Security Management Application Has Launched

Compliance, assurance and vendor management are becoming ever more complex and resource-intensive, so we created STARWatch, a Software as a Service (SaaS) application designed to give organizations a centralized way to manage and maintain the integrity of the vendor review and assessment process. Today, we're excited to announce its official launch. Even more exciting, we are emerging from Beta with more than 250 licenses already active.

STARWatch delivers the content of CSA's de facto standards, the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire v3.0.1 (CAIQ), in a database format, enabling users to manage the compliance of cloud services with CSA best practices. It was designed to provide cloud users, providers, auditors and security providers with assurance and compliance on demand. Additionally, it gives users the ability to:

  • manage all cloud service providers and their own private clouds to assure a consistent security baseline is maintained;
  • build and maintain a CSA Security Trust and Assurance Registry (STAR) entry and provide customers with rapid responses to their compliance questions;
  • perform audits and assessments of cloud services/provider security;
  • have a clear reference between CCM controls and the corresponding controls in other industry standards;
  • leverage the STARWatch solution database format and technical specifications for integration within an organization’s cloud environment; and
  • share and peer-review cloud service security assessments.

CSA STARWatch is free to CSA corporate members. Non-members may purchase licenses starting at $3,000 annually for an Expert license and $5,000 annually for Enterprise licenses. Learn more about CSA STARWatch.

STARWatch is part of the larger CSA STAR program, the industry’s most powerful program for security assurance in the cloud, which encompasses the key principles of transparency, rigorous auditing and harmonization of standards, with continuous monitoring. Currently there are 230 Cloud Service Providers in the STAR program, which includes STAR Self-Assessment, STAR Certification, STAR Attestation and C-STAR Assessment.

Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance

[Cloud Security Alliance Blog]

PAN-OS 8.0: Preventing Credential-Based Attacks

Some security breaches are fairly exotic, requiring the use of sophisticated techniques that would make Rube Goldberg proud. These types of efforts require a hundred things to go right in order to succeed and typically require the time, patience and financial backing of an advanced threat actor.

One might think that sophisticated threat actors prefer sophisticated techniques. On the contrary, although a sophisticated adversary may have the capability to pull off a complicated attack, most people are surprised to learn that the majority of breaches still rely on stolen credentials. It is far easier to steal credentials and use them for covert activities than it is to locate a zero-day vulnerability in an external-facing system. And attackers will take the easiest path to achieve their objectives.

Stolen credentials provide many advantages in the attack lifecycle. Effectiveness goes up, and the risk of getting caught goes down. An attacker doesn’t have to spend as much time getting past security countermeasures designed to stop intruders. The attack does not require getting malware into the environment or finding a way to execute it. The adversary simply uses the stolen credentials to take on the appearance of a trusted user, which reduces the risk of getting caught.

There is no shortage of advice on what to do about password risks, but to date most of it has focused on a problem space that bears little resemblance to the targeted attack. The advice to use filtering solutions to stop malicious links to credential phishing sites in email presumes that the security team knows the link is malicious before the user clicks. It also presumes that the link arrives via email. In a targeted credential phishing attack, neither can be assumed: there are many ways to cloak a site's true nature, and many ways other than email to get a link in front of the victim.

The common practice of using multi-factor authentication to address the threat of stolen passwords is a good idea but hard to implement at enterprise scale. In most cases, organizations have a hard time trying to deploy multi-factor authentication across their application landscape. Political issues crop up when the security teams ask the application owners to make changes to their authentication methods. Application owners care about uptime and functionality, and it can be a hard sell to get them to add more security. Technological issues crop up when dealing with the myriad of resources that use passwords, many of which have little support for third-party authentication servers or plugins.

In PAN-OS 8.0, we're pleased to announce new features that help organizations prevent attackers from using stolen credentials. These capabilities layer into the Next-Generation Security Platform, making it difficult both to steal credentials and to use them in a successful attack. The first is stopping the leakage of corporate credentials to unauthorized websites: because the platform inspects network traffic in line, it can enforce policies that restrict the sites to which users may submit their corporate credentials. This acts as a safety net that stops credentials from reaching credential phishing sites, including sites that have never been seen before.

In addition, the platform goes a step further to disrupt an attacker's ability to use a set of stolen credentials to access critical applications. The next-generation firewall enforces multi-factor authentication policy in the network, so the adversary never interacts with the application at all. This strengthens security without requiring changes to the application itself, which removes the implementation pain that can derail pervasive enforcement of multi-factor authentication policy.

Both of these key technologies help organizations prevent targeted credential phishing and the use of stolen credentials for lateral movement.
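The following is an added illustration, not Palo Alto Networks code, of the two policy ideas described above as a toy in-line HTTP inspector: (1) block a form POST that carries a corporate username or password to a host outside an allowed login list, even a never-seen host, and (2) hold traffic to a critical application until the source user has a recent MFA event. Everything in it is constructed for the example: the user list, the keyed-hash password fingerprints (so the inspector holds no clear-text passwords), the host lists, the form field names and the sample requests. It assumes the inspector sees clear-text HTTP, i.e. after TLS decryption, and that source addresses have already been mapped to usernames.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Constructed data for this example. In a real deployment the user list and
# password fingerprints would be fed from the directory / identity provider.
INSPECTOR_KEY = b"constructed-inspector-key"   # hypothetical per-deployment secret


def fingerprint(password: str) -> str:
    """Keyed hash of a password so the inspector never stores clear text."""
    return hmac.new(INSPECTOR_KEY, password.encode(), hashlib.sha256).hexdigest()


CORPORATE_USERS = {                            # username -> password fingerprint
    "alice": fingerprint("correct horse battery staple"),
    "bob": fingerprint("hunter2"),
}
ALLOWED_LOGIN_HOSTS = {"sso.example.com", "mail.example.com"}  # may receive corp creds
CRITICAL_APPS = {"hr.example.com", "finance.example.com"}      # need a fresh MFA event
MFA_MAX_AGE = 8 * 3600          # seconds a completed MFA challenge stays valid
USER_FIELDS = ("username", "user", "email", "login")
PASS_FIELDS = ("password", "passwd", "pass")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def extract_credentials(headers, body):
    """Pull a username/password pair out of a form-encoded POST body."""
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None, None
    form = parse_qs(body)
    user = next((form[f][0] for f in USER_FIELDS if f in form), None)
    password = next((form[f][0] for f in PASS_FIELDS if f in form), None)
    return user, password


def evaluate(raw: bytes, src_user: str, mfa_sessions: dict, now=None):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'challenge'."""
    now = time.time() if now is None else now
    method, _path, headers, body = parse_http_request(raw)
    host = headers.get("host", "").split(":")[0].lower()

    # Rule 1: a corporate username or password is being submitted to a host
    # that is not on the allowed login list -> block, even if the host is new.
    if method == "POST":
        user, password = extract_credentials(headers, body)
        user_key = (user or "").split("@")[0].lower()
        corp_user = user_key in CORPORATE_USERS
        corp_pass = password is not None and fingerprint(password) in CORPORATE_USERS.values()
        if (corp_user or corp_pass) and host not in ALLOWED_LOGIN_HOSTS:
            return "block", f"corporate credential submitted to {host}"

    # Rule 2: traffic to a critical application is only allowed while the
    # source user has a recent MFA event; otherwise the user is challenged
    # first, so a stolen password alone never reaches the application.
    if host in CRITICAL_APPS:
        last_mfa = mfa_sessions.get(src_user)
        if last_mfa is None or now - last_mfa > MFA_MAX_AGE:
            return "challenge", f"mfa required before reaching {host}"

    return "allow", "policy permits"


# Constructed sample traffic (hosts and paths are made up for the example).
PHISH_POST = (b"POST /login HTTP/1.1\r\nHost: secure-login.example.net\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"username=alice%40example.com&password=correct+horse+battery+staple")
PASSWORD_ONLY_POST = (b"POST /signin HTTP/1.1\r\nHost: docs-share.example.org\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                      b"login=someone-else&pass=hunter2")
SSO_POST = (b"POST /login HTTP/1.1\r\nHost: sso.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"username=alice&password=correct+horse+battery+staple")
HR_GET = b"GET /payroll HTTP/1.1\r\nHost: hr.example.com\r\n\r\n"

if __name__ == "__main__":
    now = 1_700_000_000
    print(evaluate(PHISH_POST, "alice", {}, now))           # block
    print(evaluate(PASSWORD_ONLY_POST, "carol", {}, now))   # block (password alone matches)
    print(evaluate(SSO_POST, "alice", {}, now))             # allow
    print(evaluate(HR_GET, "bob", {}, now))                 # challenge
    print(evaluate(HR_GET, "bob", {"bob": now - 60}, now))  # allow
```

Two design points worth noting. Matching on a keyed hash of the password, not the clear text, means a compromised inspector does not yield a password list, and it still catches a corporate password typed under an unfamiliar username. The MFA gate sits on the network path rather than in the application, which is what lets it cover applications that have no MFA support of their own; the cost is that it only works for traffic the inspector can decrypt and attribute to a user.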

Learn More About Preventing Credential-Based Attacks with Palo Alto Networks

[Palo Alto Networks Research Center]
