Cloud Security Alliance Launches Crowdfunded Cloud Security Management Solution

STARWatch SaaS Application Empowers Organizations to Manage Compliance & Risks Using CSA Standards and Best Practices

SAN FRANCISCO – November 15, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the launch of its new STARWatch application, a Software as a Service (SaaS) application designed to help organizations manage compliance with CSA requirements. STARWatch delivers the content of CSA’s Cloud Control Matrix (CCM) and CSA’s Consensus Assessments Initiative Questionnaire v3.0.1 (CAIQ) in a database format, enabling users to manage compliance of cloud services with the CSA best practices. CSA is delivering STARWatch using an innovative and heavily discounted crowdfunded model to make this solution accessible to the broadest spectrum of customers.

STARWatch is designed to provide cloud users, cloud providers, cloud auditors and security providers assurance on demand. STARWatch provides users the ability to:

  • Manage all cloud service providers and their own private clouds to assure a consistent security baseline is maintained
  • Build and maintain a CSA Security Trust and Assurance Registry (STAR) entry and provide customers with rapid responses to their compliance questions
  • Perform audits and assessments of cloud provider security
  • Leverage the STARWatch solution database format and technical specifications to integrate its capabilities within their own solutions

During the current open beta period, customers may now purchase a STARWatch license with a discount of up to 70%. The discount will expire at the time of the official STARWatch release on February 13, 2017 at the CSA Summit at the RSA Conference. At that time, STARWatch open beta licenses will convert to a full year license. By acting now, customers will receive 15 months of access to STARWatch at a fraction of the one year license price. More information can be found at https://cloudsecurityalliance.org/star/watch.

“Compliance and assurance are becoming complex matters, but they are critical in building the best cloud computing practices and a trusted cloud ecosystem,” said Daniele Catteddu, CTO for the Cloud Security Alliance. “We created the STARWatch application to assist organizations in managing their compliance with CSA requirements. We’re providing a higher level of assurance and transparency and streamlining the entire compliance process.”

The CSA STAR program is the industry’s most powerful program for security assurance in the cloud and encompasses the key principles of transparency, rigorous auditing, harmonization of standards, with continuous monitoring. Currently there are 228 Cloud Service Providers in the STAR program including STAR Self Assessment, STAR Certification, STAR Attestation and C-STAR Assessment.

For more information on the STARWatch application, please visit https://cloudsecurityalliance.org/star/watch.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunictions.com

[Cloud Security Alliance Research News]

Augmented Reality has Arrived: Time to Embrace the Opportunities

Whether the business community is ready or not, augmented reality (AR) has arrived, and it only will grow more prominent in the near future.

Consumers – mindful of this year’s Pokémon Go phenomenon – are recognizing AR’s potential benefits, a surefire indicator that the marketplace will respond quickly.

In ISACA’s annual IT Risk/Reward Barometer—a two-pronged survey that examines both consumer and IT/business perspectives—the majority of consumers see clear benefits of AR-enhanced devices in everyday life and work. For now, though, a disconnect exists, as only 21 percent of global business and technology professionals are convinced that the benefits of AR outweigh the risks.

The hesitance of many professionals to embrace AR – technology that superimposes a computer-generated overlay on a user’s view of the real world – is both understandable and predictable since it is still in the early stages. With the emergence of any new technology, the attack surface increases. AR-related privacy and security concerns are legitimate, especially when factoring in a proliferation of Internet of Things (IoT) devices. Concerted attention from device manufacturers and security professionals is a must.

Yet this natural caution must not keep enterprises from keeping up with the competitive landscape. Of critical importance, one in four enterprises has a way to detect pictures, posts and videos tagged or geotagged to their business locations and advertisements. That means there are best practices to learn from as enterprises look to move forward securely while incorporating components of AR.

While the resounding popularity of Pokémon Go alerted consumers and enterprises to the buzz that AR can generate, the potential applications of AR in the workplace are numerous. Adoption figures to be especially swift from a marketing standpoint as organizations learn to leverage AR for signage, social media and other purposes.

Enterprises can realize the benefits of AR and overcome potential barriers through some of the following steps:

  • Extend social media monitoring to AR platforms. Leverage and extend current social media policies and monitoring to augmented reality platforms. Social media is a key source of information for many augmented viewing apps.
  • Consider how AR can improve your business. Training, diagnostics and marketing are three areas with particularly strong potential.
  • Review your governance framework and update your policies. Incorporate use of AR as part of the business into organizational policies and procedures—including BYOD (bring your own device) and privacy policies. 63% of organizations do not have a policy to address AR in the workpalace.
  • Build security into every part of the process. Security is a crucial component of AR initiatives that helps ensure confidence in the data.

While AR is a new concept for many, some industries have drawn upon aspects of it for years, such as the airline industry’s use of flight simulators to train pilots on new equipment. As AR becomes more popular and more affordable, it is inevitable that more industries invest in the technology. Since today’s smartphones are capable of running AR apps, adoption could be swift and even viral, as Pokémon Go demonstrated. According to Slice Intelligence, millennials accounted for more than half the paying population of Pokémon Go during launch week, but now are only 44 percent of buyers as other age groups also gain interest.

Business and technology professionals will become more comfortable with that reality the more that they explore AR. On that front, there is much progress to be made. The IT Risk/Reward Barometer shows that only 3 percent of professionals have used AR applications for business use within the past year and only 16 percent have done so for personal purposes.

The business community will be well-served to accelerate their exposure because consumers have spoken – AR is in demand. Now it is up to security professionals to address the risks so that consumers and enterprises alike can benefit from this promising technology.

Rob Clyde, CISM, ISACA Board Director and Executive Advisor at BullGuard Software

[ISACA Now Blog]

Note to Customers Regarding BlackNurse Report

On Thursday, November 10, 2016, TDC Security Operations Center in Denmark published a report stating they had noticed several low-volume ICMP attacks in their customers’ networks. TDC named this type of attack BlackNurse.

The security of our customers is our top priority. We have conducted an investigation into this issue and to date have found that Palo Alto Networks Next-Generation Firewall customers can only be affected in very specific, non-default scenarios that contravene best practices.

Attack details

A traditional ICMP flood attack sends ICMP requests to the target in a large volume. BlackNurse, on the other hand, is an ICMP attack that sends a low volume of ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) requests to the target. BlackNurse is a form of Denial-of-Service (DoS) attack and the TDC report claims that it has the potential to disrupt the target organization’s operations.

Impact

1) Palo Alto Networks Next-Generation Firewalls drop ICMP requests by default, so unless you have explicitly allowed ICMP in a security policy, your organization is not affected and no action is required.

2) If you have explicitly allowed ICMP in a security policy and have implemented our best practices for flood protection, your organization is not affected and no action is required.

3) If you have explicitly allowed ICMP in a security policy and have not implemented our best practices for flood protection, your organization’s firewalls may experience higher CPU and memory usage, which may slow down the firewall’s response. Please refer to the best practices listed below.

Recommendations

For protection against BlackNurse, we recommend that customers implement the following best practices. Specifically, please follow the below steps from the page Configure DoS Protection Against Flooding of New Sessions in the PAN-OS 7.1 Administrator’s Guide:

  • Configure a DoS Protection profile for flood protection. Because flood attacks can occur over multiple protocols, the recommended best practice is to activate protection for all flood types in the DoS Protection profile. However, to protect against BlackNurse, the following types of flood protection are required:
    • ICMP Flood
    • ICMPv6 Flood
  • Configure a DoS protection policy rule that specifies the criteria for matching the incoming traffic.
  • Commit the configuration.

For more, please refer to the step-by-step instructions listed on the Configure DoS Protection Against Flooding of New Sessions page in the PAN-OS 7.1 Administrator’s Guide.

For customers using a version of PAN-OS prior to 6.1, please see the PAN-OS Administrator’s Guide for your organization’s software version listed on our Technical Documentation page and refer to the steps listed under the section ‘Threat Prevention’ > About Security Profiles > DoS Protection.

Note that firewall DoS protection is included as part of PAN-OS and does not require any software subscriptions.

Should you have any questions or need assistance with implementing these best practices, please don’t hesitate to contact our support team at support.paloaltonetworks.com.

[Palo Alto Networks Research Center]

CSX Europe Illuminates Key Cyber Security Insights and Advancements

ISACA’s inaugural CSX Europe conference convened last week in London, and I had the privilege of serving as emcee. During a panel discussion on the second day of the conference, Mark Sayers of the UK’s Cabinet Office discussed the announcement that morning of the UK Government’s £1.9bn investment in a national cybersecurity strategy—a strategy that makes clear the UK’s preparedness for cyber attacks and will include a cyber security skills strategy. Sayers made it clear that organizations like ISACA are extremely important to further the initiative.

The cyber security event left a strong impression on attendees, including several critical takeaways:

•  Collaboration is critical. Intel’s Raj Samani emphasized collaboration and communication to best contend with today’s threat landscape. Professionals on the more technical side need to be able to communicate with business decision-makers and other stakeholders to effectively solve problems. As speaker Aviram Zrahia notes, “one company’s detection become another’s protection.”
•  Internet of Things devices pose new security challenges. Security professionals are capable of preventing attacks, but consumers need to understand that connected devices have security vulnerabilities. Justine Bone, director and CEO, MedSec, presented the findings of ISACA’s new firmware security report, highlighting how easy it is for security to be overlooked when creating IoT devices.
•  New solutions are needed. In closing the conference, technology futurist Simon Moores observed that organisations will no longer be able to handle the scale of cyber threats alone. In many cases, automated, cloud-based solutions involving artificial intelligence (AI) will be part of the solution, though there is no substitute for developing a highly skilled workforce.

The conference also provided another valuable networking opportunity through ISACA’s Connecting Women Leaders in Technologyprogram, which is helping to advance female leadership within the global technology workforce.

Editor’s note: Additional insights from global security experts will be on display at CSX 2016 Asia Pacific, set to make its debut 14-16 November in Singapore. Next year’s CSX Europe conference will take place in London on 30 October-1 November 2017.

Richard Hollis, CISM, CRISC, CPP, PCI, QSA, Chief Executive Officer for Risk Factory Ltd and emcee of CSX 2016 Europe

[ISACA Now Blog]

English
Exit mobile version