IoT Audits Loom Large in a Connected World

The proliferation of Internet of Things devices is well-documented, with the potential for more than 20 billion connected things by 2020. Installations of connected devices are spanning virtually all industries and cover just about any use case that can be imagined.

With such an enormous volume of connected devices and minimal regulation, it comes as little surprise that many of them have been programmed incorrectly and are supplying users with false or misleading information.

“So, how do you look at scenarios like that?” said ISACA board director R.V. Raghu during Wednesday’s session on IoT audits at EuroCACS in Edinburgh, Scotland. “It can become very dangerous.”

IoT audits should align with enterprise needs and ensure a compliance approach is factored in from the outset. Auditing IoT can help address a wide array of important questions, including each of the following:

  • How will the device be used from a business perspective, and what business value is expected?
  • What threats are anticipated, and how will they be mitigated?
  • Who will have access to the device, and how will their identities be established and proven?
  • What is the process for updating the device in the event of an attack or vulnerability?
  • Who is responsible for monitoring new attacks or vulnerabilities pertaining to the device?
  • With whom will the data be shared?

In the case of IoT, the answers to these questions can have urgent implications. Raghu used a nuclear plant as an example, saying that the capacity to interpret accurate data in timely fashion can guard against potentially damaging irregularities at the plant.

“We want to be able to pick up the data at the right point and then tell you, this is what we need to do,” Raghu said.

Privacy considerations need to be taken into account by IoT device manufacturers, given the enormous capacity to gather data. Encryption might need to be built into devices to protect potentially sensitive information, such as with medical devices used by hospitals.

“Do we need to get greedy and collect everything that is possible, or do we only collect the data that makes sense to us?” Raghu said. “And, in the post-GDPR world, that is a very important question to ask.”

Raghu also expressed concern that regulation of IoT devices is lagging behind the surging usage, meaning there is little standardization on the IoT landscape.

That puts even more of a premium on strong risk management and robust controls. Among the baseline controls that should be put in place for IoT devices are identity and access management, malware protection, transmission confidentiality and time-stamping. Raghu also highlighted “Level 2” controls, such as patching, vulnerability management and log management, saying many organizations do a subpar job with their log management.

“People don’t want to do the log analysis, and if you don’t do the log analysis, you don’t understand how the device is behaving, and you could have a serious problem on your hands at some point,” Raghu said.

Whether affecting security in homes, in hospitals, in cities’ critical infrastructure or just about any other setting of today’s society, the ramifications of insufficient IoT security can be serious. Raghu said IoT audits should emphasize the importance of continuous monitoring, as prescribing fixes months after the fact can be far too late.

“You don’t have that kind of luxury here,” Raghu said. “You might need to fix it on an ongoing basis, on the fly, so it becomes very important you have a real-time status on this.”

[ISACA Now]

Security Operating Platform for Smart Manufacturing and Industry 4.0

Information technology is transforming manufacturing by digitizing virtually every step of the modern manufacturing process – a trend referred to as “smart manufacturing” in the United States and “Industry 4.0” in Europe.

Cloud computing, together with technologies such as 5G wireless, smart sensors, high-performance computing (HPC), computer-aided design, engineering and the industrial internet of things, is essential to the smart manufacturing revolution.

Applications in the cloud will impact virtually every aspect of modern manufacturing. At the enterprise level, cloud computing will impact how companies manage their operations, from enterprise resource planning (ERP) and financial management to data analytics and workforce training. The cloud will also prove integral to how manufacturers integrate themselves into industrial supply chains. At the manufactured-product level, cloud computing has begun to transform everything from how products themselves are researched, designed and developed to how they are fabricated and manufactured, and finally, how they are used by customers in the field.

However, as with any change in working practices, there are also some associated risks that must not be ignored.

With smart manufacturing, terminals will be embedded with IoT, which ultimately means that they will be vulnerable to cyberattacks. While this added connectivity helps improve productivity, it is also a weak point in the network which cybercriminals can take advantage of.

Cybercriminals understand the sensitivity of these networks and are also fully aware of the destructive consequences a successful attack can have – lost revenues/profit, brand damage, or a devastating threat to people and assets.

It is therefore imperative that the manufacturing industry take steps to improve security and ensure it is not exposing its systems to cybercriminals.

One of the key challenges with cybersecurity within manufacturing is that attacks are extremely difficult to identify in operational technology (OT) environments. Consider a plant where, for an unknown reason, a certain SCADA component suddenly stops working. Chances are that “malicious activity is going on” would not be the first consideration when trying to work out what has gone wrong. In 9 out of 10 cases, the root cause is likely to be benign. But what about that one time when there is a more suspicious root cause?

Monitoring services exist for OT environments, but they have limited visibility and offer only correlated, contextual information due to the necessity for network zones, or segmentation. This means that sensors need to be placed at several different layers within the network to monitor end-to-end activity. Another contributing factor is complexity, even if network traffic is being captured. When systems go down, many organizations are completely focused on getting them up and running again rather than mining big data sets to determine categorically what went wrong.

As organizations adopt smart manufacturing/Industry 4.0 working practices, cybersecurity is increasingly paramount. With this in mind, learn how to protect yourself against sophisticated cyberattacks with Palo Alto Networks Security Operating Platform.

[Palo Alto Networks Research Center]

Panel Shares Guidance in Immediate Aftermath of GDPR Deadline

Despite the many nuances about the new General Data Protection Regulation (GDPR) and questions about how it will be enforced, panelists at Tuesday’s GDPR panel during ISACA’s EuroCACS conference provided some straightforward guidance to organizations – if you don’t need the data, don’t collect it.

Operating within that basic framework can prevent many of the GDPR-related headaches organizations are facing, panelists in Edinburgh, Scotland, said. The panel, moderated by ISACA board chair Theresa Grafenstine, included ISACA board directors Mike Hughes, RV Raghu and Jo Stewart-Rattray, along with Andrew Neal, president, Forensic Technology & Consulting, TransPerfect Legal Solutions, and Ken Macdonald, head of ICO Regions, Information Commissioner’s Office.

Several of the panelists noted that the more stringent data privacy regulation brought on by GDPR must cause enterprises to re-evaluate what data is truly essential to gather and protect.

“It’s just amazing how organizations, just sort of by habit, ask for things that are highly risky to ask for that have nothing to do with the business process for which they’re asking, but they just got in the habit of doing that,” Grafenstine said.

Macdonald brought a regulator’s perspective to the discussion, saying the immediate aftermath of the 25 May compliance deadline has been relatively quiet, although a holiday weekend surely factored in.

“But we will soon be seeing a surge, probably from organizations needing a bit of clarity on the implications of the new act, but also individuals who are starting to enforce their new [privacy] rights,” said Macdonald, who noted that regulators will be more apt to look favorably upon organizations that are making a clear effort to comply, even if they have not yet achieved full compliance.

While there is widespread curiosity about how GDPR penalties might be enforced, Neal said organizations should not expect to get by with lax compliance efforts.

“Governments have a significant amount of coercive power they can bring to bear, and we don’t know what that’s going to look like. … I would recommend against saying ‘I dare you’ to a government,” Neal said.

While the EU has been the epicenter of the wave of GDPR publicity over the past couple years, organizations in other parts of the world that do business in the EU also need to comply. Stewart-Rattray, from Australia, said more awareness about the regulation still needs to be created outside Europe, and called on boards of directors to set a leadership tone at their organizations for more responsible data privacy policies.

Neal said organizations with strong governance programs will be best equipped to thrive in the GDPR era.

“Make no mistake – most of what’s going on with GDPR is a governance problem,” Neal said. “It’s managing your data to be in line with the company’s or organization’s best interests. The ability and the incentive to reduce your data footprint while increasing your data relevancy, and the importance and the utility of that data, I think is a very positive direction.”

Citing recent ISACA data on the challenges of cross-departmental collaboration, Raghu said all stakeholders within organizations need to have more dialogue about the risks and rewards of collecting data, and potentially make changes to their business processes based on those insights.

As the panel concluded, an audience member questioned Grafenstine on whether, given the potential pitfalls of GDPR, the emphasis on big data is becoming a double-edged sword. Grafenstine said she does not view valuing data and valuing privacy to be an either-or scenario.

“I still believe that data is going to be perceived as the air that we breathe because it is absolutely what is going to fuel innovation and move society to the next level,” Grafenstine said. “We just need to make sure that we’re mindful and deliberate in how we do that.”

Editor’s note: For more of ISACA’s resources on GDPR, visit www.isaca.org/GDPR.

[ISACA Now Blog]

CCSK Certification vs AWS Certification – A Definitive Guide

I was recently asked about CCSK certification vs AWS certification and which one should be pursued by someone looking to get into cloud security. This post tries to address the question “which cloud certification is right for you.” I’ll give you a lay of the land for both certifications, available training, the exams, and then conclude with thoughts on which certification is right for you.

Certificate of Cloud Security Knowledge (CCSK)

The Certificate of Cloud Security Knowledge (CCSK) is from a research organization called the Cloud Security Alliance (CSA). The CSA has created guidance for securing cloud services and released a recently updated version of this guidance (CSA Guidance v4). The guidance is about 150 pages and covers most of the knowledge required to successfully pass the CCSK exam (more about the exam down below).

In a nutshell, the goal of the CCSK is a vendor-neutral look at all cloud security issues that covers the following three areas of knowledge:

Cloud Computing Concepts and Architectures

It begins by answering the question “what is cloud computing,” then moves on to the differences between the models listed below, and other fundamental cloud knowledge:

  • Definitions
  • Service Models (SaaS, PaaS, IaaS)
  • Deployment Models (e.g. Public Cloud, Private Cloud)
  • Reference Architectures
  • Cloud Security Models

Governing in the Cloud

Like everything else, cloud security doesn’t (shouldn’t?) operate in a silo. The CCSK addresses how cloud changes governance, risk management and compliance. Other aspects of governing in the cloud include:

  • Contracts
  • Audit management
  • Information governance
  • Business continuity
  • Jurisdictional issues
  • Legal concerns

This information should be known by all individuals who are responsible for governing (and operating) cloud services, regardless of the service models being consumed in your organization.

Operating in the Cloud

Moving forward, the CCSK covers the technical components of cloud systems such as:

  • Virtualization (e.g. hypervisors, Software Defined Networks (SDN), VLANs)
  • Containers
  • Incident Response
  • Application Security
  • Data Security and Encryption
  • Identity, Entitlement and Access Management
  • Security as a Service
  • Related Technologies (e.g. DevOps, Immutable Infrastructure, IoT, etc.)

CCSK Training

Should you take the training or self-study for the CCSK certification exam? That’s your call. Personally, I’m always a fan of doing training because it allows me to get away from the office and completely immerse myself in the subject at hand. I also get the opportunity to learn how things work in the “real world.”

If you prefer the self-study route, you have all the documentation you need listed below to take the exam.

If you are looking at the training route for yourself or your company, you can check out our offerings here. We offer the official and authorized CCSK in on-demand, on-line and in-person settings. We can also offer on-site training that is modified to your corporate requirements. (If you are looking for more info, a lot of these details about the CCSK can be found on Cloud Security Alliance’s website.)

All course registrants also get access to our exclusive CCSK exam prep kit that includes:

  • Immediate access to on-demand CCSK v4 course
  • CCSK exam v4 prep videos
  • Hundreds of CCSK v4 pre-test questions
  • Pre-paid token for the actual CCSK v4 exam

Note: Unfortunately, we are prohibited from offering the exam prep package as a stand-alone product.

CCSK Certification Exam

In addition to the CSA Guidance, you’ll need to read and understand CSA’s Cloud Controls Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ), and finally the ENISA Cloud Computing Risk Assessment document. All documents are available from the following download links.

CCSK Exam Details

The exam itself is taken online any time you wish. There are 60 questions, and you are given 90 minutes to finish. It is an open-book exam, but don’t let that fool you – it’s a pretty tough exam, and I have seen people from various backgrounds fail.

My belief is that people fail the exam because of the diverse nature of the CCSK exam itself. You’re looking at an exam that addresses both cloud operations and cloud governance. Most people will be strong in one or the other, but rarely is someone well-versed in both areas. If you’re in a technical position at work, you’ll need to focus on governance, and vice versa, of course.

We have published some pre-test practice questions for exam candidates who are looking to see what they might be up against before taking the actual test. All the questions are based on the new v4 version of the CCSK exam.

Ready to get started? Download the CSA CCSK prep kit or look for upcoming training sessions near you.

Amazon Web Services (AWS Certification)

Amazon has multiple AWS and specialty certifications available.

For convenience, I’m including the roadmap graphic that was on the AWS certification site below:

As you can see, there’s more to the question “CCSK or AWS Certification.” AWS has multiple streams available, but I’m going under the assumption that most people mean the AWS Certified Solutions Architect designation.

Regardless of the track or specialty, let’s make one thing extremely clear: AWS is a vendor and the complete focus will be on HOW things are done in AWS, specifically. Amazon says so themselves in their certification descriptions: “technical role-based certification.”

AWS Certified Solutions Architect – Associate

Below is the list of recommended knowledge you should have before even considering the AWS Architect – Associate exam. I have done this exam (yes, I passed) and I wrote about my thoughts on that exam here.

  • One year of hands-on experience designing available, cost-efficient, fault-tolerant, and scalable distributed systems on AWS
  • Hands-on experience using compute, networking, storage, and database AWS services
  • Hands-on experience with AWS deployment and management services
  • Ability to identify and define technical requirements for an AWS-based application
  • Ability to identify which AWS services meet a given technical requirement
  • Knowledge of recommended best practices for building secure and reliable applications on the AWS platform
  • An understanding of the basic architectural principles of building on the AWS Cloud
  • An understanding of the AWS global infrastructure
  • An understanding of network technologies as they relate to AWS
  • An understanding of security features and tools that AWS provides and how they relate to traditional services

More information about the associate level certification from Amazon can be found here.

AWS Certified Solutions Architect – Professional

I have not taken this exam. That said, I have worked with many people who have taken and passed the professional exam. These people really know their AWS stuff. I think it is fair to say there aren’t many people who have the professional designation who just know the theory of things, but rather have years of practical hands-on experience in AWS.

In order to take the professional-level exam you must have the associate-level certification already.

Here is the list of knowledge AWS expects their professional architect holders to have:

  • Designing and deploying dynamically scalable, highly available, fault-tolerant, and reliable applications on AWS
  • Selecting appropriate AWS services to design and deploy an application based on given requirements
  • Migrating complex, multi-tier applications on AWS
  • Designing and deploying enterprise-wide scalable operations on AWS
  • Implementing cost-control strategies

In my view, you’re expected to be able to take everything you know from the associate level and apply it to enterprise scale.

More information about the professional level certification from Amazon can be found here.

AWS Training

For the AWS Architect – Associate certification, you can either take the self-study approach or attend an actual training session. Bottom line here is this is not a theory-based exam. You will need to have actually spun up server instances and have worked with AWS services before taking the actual exam.

Amazon has excellent learning collateral in their whitepapers that you should study if you are going solo. The resources they recommend are:

If you’re looking for an AWS Architect – Associate training session, the applicable course is a 3-day session called Architecting on AWS. Their course schedule page can be found here.

The applicable AWS Architect – Professional course is the 3-day Advanced Architecting on AWS course. The course schedule page can be found here.

AWS Certification Exam

A word to the wise. Passing the AWS Architect exam is all about two things:

  1. Hands-on experience, and
  2. Knowing what is covered in the exam.

As I mention in my thoughts on the AWS exam piece, buy the practice exam. Don’t even think about cheaping out on this one. Seriously. Doubly seriously if you’re doing the self-study approach.

AWS Exam Details

The AWS exam is a scaled-score exam. In other words, not all questions have the same value. Easy questions are worth less than harder ones. I’m not alone when I say I hate these types of exams, as you have no idea how you’re actually doing as you go through the questions. And as an added bonus, Amazon states you need a “720” (out of 1,000) to pass the test, which does not mean 72 percent because the questions all have different values.

Download the AWS Certified Solutions Architect – Associate (February 2018)

Download the AWS Certified Solutions Architect – Professional exam guide.

Which Cloud Certification Is Right for You?

As we covered, the two certifications are not similar at all. The CCSK is relevant to both governance and operational security of cloud services. It is written by an independent body and is completely vendor agnostic. The AWS certifications are 100-percent technical and are specific to AWS implementations.

  • CCSK certification addresses the “what” of cloud security
  • AWS certification addresses the “how” of AWS implementations

If you are looking to understand cloud security challenges, the CCSK is right for you. If you are in management and need to understand the impact cloud services will have on your organization, the CCSK is for you. If you work in operations and need to better understand the security challenges associated with cloud in general, the CCSK is for you.

If you are working in a dedicated AWS technical position, the AWS Certified Architect is the certification you should go with. If you are working with AWS in a security capacity, you should do the CCSK first, then follow up with the vendor-specific AWS training.

From a corporate perspective, everyone involved with information technology, ranging from procurement through risk management and operations, should attend the CCSK session, even if it is an accelerated 1-day “awareness” session.

About the author
Graham Thompson is a cloud security architect and delivers both CCSK and CCSP official courses as an authorized trainer for Intrinsec Security. You can reach Graham on LinkedIn or by old-fashioned e-mail.

[Cloud Security Alliance Blog]