Cloud Security: Who’s Responsible for What?

The typical journey to the cloud is based on a partnership between the cloud vendor and an enterprise or business, so the next logical question becomes: who is responsible for what, when it comes to securing cloud applications and the very important data within?

Solely relying on the cloud provider for security is not a viable approach. Rather, cloud security is a shared responsibility between the provider and the tenant that should be meticulously defined and understood by both parties. Only then can they work together to prevent successful cyberbreaches.

Responsibility Breakdown

There are two ways to think about this responsibility divide. The cloud provider is typically responsible for security “of” the cloud, meaning the cloud infrastructure, typically including security at the storage, compute and network service layers. The enterprise assumes responsibility for security “in” the cloud. This includes applications, data, and services that operate within their managed cloud environment.  However, depending on the cloud infrastructure – private, public or SaaS – responsibility varies between the cloud vendor and organization:

Private – In private clouds, enterprises are responsible for all aspects of security for the cloud because it is hosted within their own data centers. This includes the physical network, infrastructure, hypervisor, virtual network, operating systems, firewalls, service configuration, identity and access management, etc. The enterprise also owns the data and the security of the data.

Public – In public clouds, like AWS or Microsoft Azure, the cloud vendor owns the infrastructure, physical network and hypervisor. The enterprise owns the workloads, apps, virtual network, access to their tenant environment/account, and the data.

SaaS – SaaS vendors are primarily responsible for the security of their platform, which includes physical security, infrastructure and application security. These vendors do not own the customer data nor assume responsibility for how customers use the applications. As such, the enterprise is responsible for security that would prevent and minimize the risk of malicious data exfiltration, accidental exposure or malware insertion.

While responsibility for securing data, apps and infrastructure falls more into the hands of the cloud vendor as businesses transition from private cloud to public cloud or SaaS, it’s important to note that ensuring the security of its own data is always the responsibility of the enterprise.

Security Measures – Vendor & Enterprise

Because of security and privacy concerns with moving data to the cloud, many cloud and SaaS vendors have focused on ensuring the security of the organization’s infrastructure and data. SaaS vendors invest significantly in building a strong defense for their own infrastructure, and they sometimes extend this security to the customer data with basic policy controls. However, these are typically not sufficient and organizations are forced to look for a more complete SaaS security solution.

The security gaps not addressed by SaaS vendors include: preventing data exposure through improper sharing and preventing threat insertion and distribution. It is here that the SaaS vendors’ responsibility ends and the IT team’s responsibility begins: to employ effective security measures to fill these security gaps and protect the organization’s data.

To compensate for what cloud vendors do not secure, an organization must have the right tools in place to effectively manage and secure risks to keep data secure. These tools must provide visibility into activity within the SaaS application, detailed analytics on usage to prevent data risk and compliance violations, context-aware policy controls to drive enforcement and quarantine if a violation occurs, real-time threat intelligence on known threats, and the ability to detect unknown threats to prevent new malware insertion points. For additional information, learn more about Aperture or check out the “Safely Enable Your SaaS Applications” tech brief.

[Palo Alto Networks Research Center]

Tech Docs: Traps 3.4.2 Documentation Now Available

Technical Documentation for the recent Traps 3.4.2 release is now available!

  • Read about the latest in Traps advanced endpoint protection on the Technical Documentation site. Highlight: You can now install Traps on Windows Server 2016 Standard (Server with Desktop Experience) with this release.

  • Download the software from the Support portal by selecting Software Updates and then filtering by one of the Endpoint categories.

Happy reading!

Your friendly Technical Documentation team

Have a question? Email us at: documentation@paloaltonetworks.com

[Palo Alto Networks Research Center]

Three Ways to Make Information Security a Habit During Project Management

With eyeballs rolling, they mumble, “Why do security people insist on stopping our projects?”

As information security (IS) professionals, we have seen this response from project managers (PM), developers, and fill-in-your-favorite-role here, when we have derailed a project due to an unplanned InfoSec issue.

What is an InfoSec Professional to Do?
Police chiefs don’t lock our car doors, nor do CISOs read application teams’ code. Because InfoSec is a lifestyle, not an event, we need a security culture. It takes a village. After reading this post you will have three tips for infusing security habits into a village of project managers.

1. Make it easy. According to BJ Fogg, Ph.D., founder of Persuasive Tech Lab at Stanford University, we are basically lazy. Want to make IS easy (or at least easier) for non-InfoSec professionals? Think like Jeopardy!’s Alex Trebek and get the participants to “ask the question.”

Start with your written InfoSec policies and standards. Summarize one or two into a question and work with your Project Management Office (PMO) to include the questions in a new project checklist to provide guidance.

Examples:

  • Building a mobile app? Refer to “Vulnerability Scan Standard.”;
  • Outsourcing or working with third parties? Refer to “Outsourcing and Third Party Policy.”

2. Make it simple. Did you know that InfoSec training and experiences may yield Continuing Education Units (CEU) for certified project managers? For example, certified Project Management Professionals (PMP®s) may be eligible to earn CEUs if the InfoSec training meets the Project Management Institute’s criteria. Risk management is a knowledge and skills area for the institute, and PMPs need to recertify every three years. If you help PMP®s make that connection, it may mean reduced training costs and time, enhanced careers, and stronger InfoSec advocates; all factors in creating habits and a culture of village security.

3. Make it rewarding. Have a “Village Citizen of the Year” recognize her. Does a PM role model a good InfoSec practice? Take five minutes to recognize the specific behavior (example – uses PMO “New Project” checklist to identify new mobile apps that require vulnerability scans). Fogg identifies “pleasure” (think: positive recognition email to boss) as a core motivator for changing behaviors.

What Next? Start Small. It is as Easy as 1…2…3

  1. Ask your PMO or individual PMs if a Jeopardy! approach would reduce project derailments and make InfoSec adoption easier. Then start with one question for the most frequently overlooked InfoSec standard or policy.
  2. Have an upcoming InfoSec event or activity where InfoSec learning may occur? Include in your invite:  “Did you know that some InfoSec training may serve as CEU for certified or wannabe-certified project managers? Click PMI certifications to learn more.”
  3. Add a five-minute invite to your calendar to “Recognize PM once a month.” Example: To: Boss, cc: PM; “Just wanted to recognize PM for role modeling fill-in-the-blank InfoSec practice or attitude! Our organization, teams, and customers are better because of it. Great job, PM!”

Sources: BJ Fogg, Ph.D.; PMI

Luanne Spiros, CISM, PMP

[ISACA Now Blog]

Cyber Insurance Against Phishing? There’s a Catch

If one of your employees gets duped into transferring money or securities in a phishing scam, don’t expect your cyber insurance policy to cover it. And even your crime policy won’t cover it unless you purchase a specific social engineering endorsement. Many companies have learned the hard way and tried to sue their insurance carriers, with little luck.

Aqua Star, a New York seafood importer, expected to be covered after a spoofed email from a supplier drove an employee to change the supplier’s bank account, causing Aqua Star to wire more than $700,000 to a hacker instead of the supplier. Aqua Star has a crime policy through Travelers, which includes Computer Fraud coverage that applies to loss caused by the fraudulent entry of electronic data into any computer system owned, leased or operated by the insured. But when Aqua Star filed the claim, Travelers pointed out an exclusion if the data was entered by an authorized user. Aqua Star then sued Travelers, but the court agreed with Travelers, ruling that the employee was clearly an authorized user.

A similar phishing scam resulted in Apache Corp., an oil and gas producer, wiring $2.4 million to cybercriminals. It’s insurance company, Great American, denied the payout, so Apache went to district court and won. However, Great American appealed to a higher court, which reversed the decision, saying the bogus email didn’t directly cause the loss.

What commercial cyber insurance policies do cover
Cyber insurance policies cover losses that result from unauthorized data breaches or system failures. But they vary greatly in the details and exceptions. Most will cover forensic investigation fees, monetary losses caused by network downtime, data loss recovery fees, costs to notify affected parties and manage a crisis, legal expenses, and regulatory fines.

When it comes to ransomware, you need to look closely at the policy’s Cyber Extortion coverage. If it offers only third-party coverage, then ransomware isn’t covered.

Crime insurance policies cover losses that result from theft, fraud or deception. But as the Aqua Star and Apache examples illustrate, insurers typically deny coverage for social engineering fraud, claiming that the loss didn’t result from “direct” fraud. Insurers contend that the crime policy applies only if a cybercriminal penetrates the company’s computer system and illegally takes money out of company coffers.

Some crime policies also contain a “voluntary parting” exclusion that specifically bars social engineering claims by barring coverage for losses that arise out of anyone acting with authority who voluntarily gives up title to, or possession of, company property.

Fishing for a solution? Add an endorsement
Many insurance companies offer a social engineering fraud endorsement, like this one from Chubb. It’s offered under a crime policy for a nominal additional premium. The coverage, sometimes referred to as an impersonation fraud or fraudulent instruction endorsement, is typically up to $250,000 per occurrence, with no annual aggregate, but higher limits are available for a higher premium.

The net lesson: a phishing endorsement is an easy fix to a potentially costly oversight.

Jeremy Zoss, Managing Editor, Code42

[Cloud Security Alliance Blog]

English
Exit mobile version