IT Assurance in the Cloud–A Journey Between Trust and Obligation

There is no question that there are significant opportunities available in the cloud business. Many organizations are looking at cloud computing to increase the effectiveness of IT initiatives, reduce in-house operations cost, increase operational flexibility and generate a competitive advantage. However, like most technology changes, cloud computing presents its share of risks and challenges.

As the risks are better understood, businesses rely less on trust and put information security obligations on their cloud providers. Where security had been one of the main obstacles for cloud adoption in the past, vendors now understand the security and privacy concerns of their global customers and have adopted a business model built on enhanced security features such as encryption, and identity and access management, to name two examples. The result: cloud services are heading to the next level of maturity.

A 2015 cloud survey conducted by ISACA Germany and PwC (in German) found about one-third of organizations expected to achieve a better security risk profile by adopting cloud computing.

Whether we are security practitioners at the first line of defense, risk management professionals at the second line or information systems auditors at the third line, the challenges that come with cloud remain the same: How do we achieve adequate assurance over our crown jewels in the cloud? There is no single answer, of course. In fact, we are all on a journey from trust to obligation!

Here are the five pillars of cloud security:

  • Organization
  • Technology
  • Security and data protection
  • Governance, compliance, legal and audit
  • Service management

Auditors and security or risk professionals will naturally cover some of what these areas entail. Other factors tend to be overlooked but are critical to successful cloud migrations and should be given special attention.

Organization
The organizational aspects of cloud computing start with the organization’s strategy for cloud adoption (e.g., what benefits does my organization expect from cloud computing?) and include human resource planning (e.g., What roles do I need to create to manage relationships with a cloud provider? Do I need to re-think my team size by shifting some of the workload to the cloud?).

This task typically comes with organizational change management activities and review of business processes (e.g., How do I need to adapt my organizational structure and business processes to maximize benefits from the cloud?).

Technology
Technology is obviously the backbone of cloud computing, and it challenges us on numerous fronts. Due consideration should be given to the interoperability and compatibility of new cloud technology with existing (legacy) systems.

Looking at the cloud holistically, it requires us to re-think the application architecture, the supporting infrastructure capability, as well as a different application development and support model.

Security and Data Protection
In most cases cloud computing entails company data leaving the trusted perimeter of the organization. This brings multiple information security and data protection challenges into the game that we need to manage.

Namely, these are internal and external cybersecurity threats that require joint attention: the cloud service provider carries part of the responsibility, but the organization that moves data to the cloud has its own role to play. This is particularly true for encryption of sensitive data and for preventing data loss or leakage.

By nature, cloud resources are shared resources. Consequently, identity and access management becomes very critical and many questions should be asked, such as “How is my data segregated from other customers’ data?” or “Who has access to my data?” With cloud computing typically come considerations about the geolocation of data, which has a direct legal impact on data protection.

In addition, we should consider business continuity management as part of security to reduce the impact of a negative event on our business.

Governance, Compliance, Legal and Audit
Vendors need to be actively managed. This is particularly true for cloud service providers. It puts additional governance, risk and compliance factors onto the agenda. First of all, this includes the legal requirements of having the right contracts, service levels and data protection specifications implemented. This typically depends on the industry and jurisdiction of the consumer of cloud computing.

Secondly, the right structures need to be in place to enable efficient governance that is a shared responsibility between the service provider and the customer of the services.

From a risk perspective, it is important to cover contractual terms for onward (cascading) outsourcing, where the provider subcontracts to a further third party, as well as the right to audit the cloud service provider from end to end.

Service Management
Finally, we are talking about outsourcing of services. Therefore, an ongoing effort to actively manage contracts and service levels is key. A cloud service provider should be assessed on its ability to integrate service management with the consumer in order to manage availability of the service, including seamless incident/problem management processes.

Successful service management also includes capacity management to handle the load of multiple customers on a shared environment.

Kraft will present IT Assurance in the Cloud – A Journey Between Trust and Obligation at EuroCACS in Dublin, 30 May to 1 June 2016.

Matthias Kraft, CISA, CISM, CGEIT, CRISC

[ISACA Now Blog]

VM-Series for AWS GovCloud: Securely Enabling “Cloud First” for Government Agencies

“Cloud first” is rapidly becoming a key initiative for organizations and agencies in both the public and private sector. As far back as 2010, cloud first was included as part of a comprehensive effort to increase the operational efficiency of federal technology assets, as outlined in the U.S. Chief Information Officer’s “25-Point Implementation Plan to Reform Federal IT Management.” Since the release of that 2010 initiative, numerous other national governments, including those of the U.K. and Australia, have followed suit and adopted a “cloud first” approach.

In this case, the U.S. CIO’s Cloud First policy means that federal agencies must (1) implement cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists; and (2) begin reevaluating and modifying their individual IT budget strategies to include cloud computing.

However, there are a range of challenges facing agencies as they make this shift. For example, some agency CIOs have stated that, in spite of the stated security advantages of cloud computing, they are, in fact, concerned about moving their data from their data centers – which they manage and control – to outsourced cloud services. Additional questions around where the data actually resides in the cloud – is it in the U.S. or elsewhere? – are sometimes difficult to answer. These, and other concerns, must be addressed in order to build an agency culture that trusts the cloud.

Deploying the VM-Series virtualized next-generation firewall in AWS GovCloud (US) can help address some of the concerns around the security and location of data for the U.S. federal market. AWS GovCloud (US) is an isolated AWS region designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. AWS GovCloud (US) differs from standard AWS regions in many ways, which Amazon has highlighted. With the availability of our VM-Series next-generation firewall for AWS GovCloud (US), agencies can now apply to their AWS deployments the same threat prevention and application policy controls they use in their physical data centers.

Taking the Hybrid Approach

With full support for standards-based IPsec VPN connectivity, our VM-Series enables you to quickly create a hybrid architecture that extends your existing data center into AWS via an encrypted tunnel. This enables you to get started with small projects to learn and then expand. More complex projects can be protected using segmentation principles and whitelisting to maintain compliance and prevent cyberattacks from moving laterally from VPC-to-VPC and subnet-to-subnet.

A full suite of native management features automates firewall deployment and policy updates, while Panorama (purchased separately) allows the VM-Series to be managed centrally alongside our firewall appliances to maintain security policy consistency. The VM-Series for AWS GovCloud (US) is available as a Bring Your Own License (BYOL) offering, which lets you choose the VM-Series next-generation firewall license, the related subscriptions (Threat Prevention, which includes IPS, AV and malware prevention; WildFire; URL Filtering (PAN-DB); GlobalProtect) and the annual support program appropriate for your needs.

Learn more about the VM-Series for AWS here.

[Palo Alto Networks Research Center]

Get Your Copy of “Network Security Management for Dummies”

Palo Alto Networks is happy to announce the availability of a new “Network Security Management for Dummies” book. It is the latest addition to a series of books that explain the ins and outs of network and cyber security – and it’s available to you for free.

Our new book focuses on the importance of deploying a network security management solution when managing multiple firewalls, multiple security vendors, or both.

In easy-to-read language the book explains market changes leading to the need for network security management, the requirements a good network security management product should meet, and profiles the security and operational benefits that can be derived from network security management.

On the highest level, today’s enterprise security deployments require a network security management solution that provides:

  • Centralized administration with automated and streamlined management and configuration processes.
  • Greater network visibility with comprehensive reporting across the entire network security environment.
  • Prioritization of critical threats to enable faster, more effective incident response.

Download your copy of Network Security Management for Dummies here.

[Palo Alto Networks Research Center]

Hot Cybersecurity Topics for Financial Institutions from the FS-ISAC Summit

Earlier this month, the Financial Services Information Sharing and Analysis Center (FS-ISAC) held its annual summit in Miami. Attended by over 1,100 individuals, this was a highly concentrated gathering of information security and information technology (IT) professionals from the financial services industry. At the FS-ISAC Summit, I had the opportunity to attend some sessions, speak with a number of attendees, and get a sense of what’s top of mind. In this post, I’ll touch on a few topics that cropped up on multiple occasions during my travels through the summit.

Public Cloud

At an Amazon Web Services (AWS) session, nearly half the audience raised their hands during an informal poll to see who was already using public cloud services. AWS stated that they have more than 1,000 customers from the financial services industry. In contrast, at a PricewaterhouseCoopers (PwC) session, only a handful put their hands up in response to a question about whether the public cloud is more secure. So clearly, the financial services industry remains cautious about adopting the public cloud, but at the same time realizes that the benefits are too great to ignore.

The flexibility, near-infinite scalability, and cost advantages of public cloud computing continue to resonate with CIOs as a means to provide IT services without the traditional delays and up-front capital investment required in private data centers. Ultimately, this translates into enabling the business to pursue competitive advantages in a timely fashion. This echoes my own experience in meeting with financial institutions. Many are conducting proofs of concept with public cloud service providers to better understand the security implications and to sort out the processes and technologies required to safely use these services. However, other institutions remain on the sidelines with a “wait and see” attitude. Ultimately, the path forward for the financial services industry will entail migrating less sensitive workloads to the public cloud initially, but still with appropriate security controls in place.

Know Your Data

At the end of the day, your business critical data is the asset that needs to be protected. Consequently, an awareness of where it resides, who has access to it, and how it travels through your network is necessary. Unfortunately, knowledge of one’s own traffic and network is generally limited. In most cases, applications and their associated data traffic just spontaneously appear on the network. There’s generally no governance process for introducing new or modified data flows across the network. Besides being a problem for network capacity planning, the lack of visibility to new application traffic limits the ability to secure the environment.

To protect data, encryption at rest has become the new norm. However, that’s not sufficient. Visibility into how and where it flows during the course of normal business is critical. Armed with this knowledge, deviations from the baseline can be detected and even stopped with appropriate network segmentation. Of course, a process to govern new or changed application traffic flows will then be necessary to effect corresponding controls across the network. This approach enables the necessary business workflows, but would constrain unexpected traffic that is the hallmark of malicious actors. By limiting lateral movement within the network, the attack lifecycle of advanced threats is severely hampered, and further attacks can be prevented.
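
A minimal version of the baseline-and-deviation check described above, added here as an illustration (it is not code from this post or from Palo Alto Networks). The zones, the table of sanctioned flows and the flow records are all constructed for the example; in practice the baseline is learned from observed traffic and reviewed with application owners before anything is enforced. Flows between two hosts in the same zone are reported separately, because that east-west traffic is exactly what segmentation is meant to constrain.

```python
import ipaddress
from collections import Counter

# Constructed network zones for this example (not a real network).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed baseline of sanctioned business flows:
# (source zone, destination zone, destination port).
ALLOWED_FLOWS = {
    ("workstations", "app", 443),
    ("workstations", "app", 8443),
    ("app", "db", 5432),
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known zones is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one record in the constructed format
    '<src_ip> <dst_ip> <proto> <dst_port> <bytes>'."""
    src, dst, proto, port, nbytes = line.split()
    return {"src": src, "dst": dst, "proto": proto,
            "port": int(port), "bytes": int(nbytes)}


def classify(flow):
    """'baseline' for a sanctioned flow, 'lateral' for east-west traffic inside
    one known zone (a segmentation gap), 'deviation' for anything else."""
    key = (zone_of(flow["src"]), zone_of(flow["dst"]), flow["port"])
    if key in ALLOWED_FLOWS:
        return "baseline"
    if key[0] == key[1] and key[0] != "unknown":
        return "lateral"
    return "deviation"


def find_deviations(lines):
    """Return (verdict, src, dst, port) for every record not in the baseline."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict != "baseline":
            findings.append((verdict, flow["src"], flow["dst"], flow["port"]))
    return findings


def summarize(lines):
    """Count records per verdict: how much of the traffic does the baseline explain?"""
    return Counter(classify(parse_flow(l)) for l in lines if l.strip())


# Constructed sample records; 203.0.113.10 is a documentation-range address.
SAMPLE_FLOWS = """
10.10.4.7 10.20.0.5 tcp 443 18230
10.20.0.5 10.30.0.9 tcp 5432 4021
10.10.4.7 10.10.9.2 tcp 445 92331
10.10.4.7 10.30.0.9 tcp 5432 512
10.20.0.5 203.0.113.10 tcp 8080 66000
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_deviations(SAMPLE_FLOWS):
        print(*finding)
    print(summarize(SAMPLE_FLOWS))
```

On the sample records the workstation-to-workstation SMB flow (port 445) is reported as lateral movement, the workstation connecting straight to the database tier and the application server talking to an outside address on port 8080 are reported as deviations, and the two sanctioned flows are silently accepted. Each finding is then either a new business flow that should go through the governance process and be added to the baseline, or a candidate for a segmentation rule.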

Post-Breach Plans

Several sessions mentioned the value of pre-defined plans to maintain business during a cybersecurity crisis, to coordinate response/remediation efforts, and to ensure appropriate, timely communication with regulators, customers, employees, and the public. There is certainly an element of business continuity involved here, but the plans may also include having cyber breach attorneys and cyber forensic teams on retainer as supplemental resources. The post-breach plan also needs to be exercised periodically to ensure all parties understand their roles and any inter-dependencies between them. No one can argue against the wisdom of being prepared for the aftermath of a breach. However, taking measures up front to reduce the likelihood of a successful breach is at least as important. Although he surely wasn’t speaking about data breaches, Benjamin Franklin’s quote about an ounce of prevention can readily be applied here. By adopting a philosophy of prevention, institutions can improve their overall cybersecurity posture and reduce the likelihood of invoking their post-breach plans for an actual event. A balanced approach, to prevent, detect, and respond, would best serve the organization.

Palo Alto Networks Next-Generation Security Platform can protect financial institutions by preventing both known and unknown attacks. To learn more about how we secure the public cloud, how to apply network segmentation, and how to prevent successful breaches, please visit the following resources:

[Palo Alto Networks Research Center]

Best Practices: Preventing Ransomware in Government Networks

Governments globally, like their commercial counterparts, are currently grappling with ransomware. The FBI receives reports of attacks from U.S. state and local governments, especially law enforcement agencies, many of which are apparently paying the ransom. According to IC3 statistics, U.S. victims paid over $24 million in 2015. The U.S. Department of Homeland Security (DHS) reports that 29 agencies have noted over 300 ransomware-related incidents in the last 9 months. Luckily, those attacks were unsuccessful, but in some cases attackers are using government as the purported source of emails to lure unsuspecting users into clicking malicious links. Businesses in Australia have received ransomware emails that look like they come from the Australian Federal Police and Australia Post.

The good news is that there are numerous best practices that can help prepare your network and endpoints for a potential ransomware attack that targets your unwitting employees and/or contractors to gain access to your assets.

The basics: Ransomware is malware that encrypts your files (or otherwise locks you out of your systems) and withholds the decryption key until the victim pays the ransom.

How it gets delivered: Like all of the other phishing emails you have been training your employees to delete, ransomware relies on the same social engineering to fool your users into opening the message and downloading what is inside. Often the link points to a site served over SSL, so if you are not decrypting that traffic the download can pass right through your defenses. In other cases, the malware is hosted on the legitimate website of an unsuspecting host, waiting for your employees to visit. Since government is naturally a high-profile target, attackers may deliberately compromise websites they know your employees use in order to host their malware there. It is up to those website administrators to maintain their own security best practices to prevent infection of their sites.

Why it is harder to detect and prevent than other malware: Because the malware samples change rapidly (often every few hours), signature-based network defenses are frequently fooled. And even best-in-class remediation processes are often too late to save your assets: they have already been encrypted.

Without going through an exhaustive security best practices list, below is a summary of some best practice “reminders” in light of this evolving and growing threat to our networks:

  • People and Process:
    • Refresh your existing and ongoing training to advise your employees and contractors about these threats, what to watch for, and how to report anything suspicious. The more realistic you can make this training, the more likely it is to stick. Theoretical examples are only interesting up to a point.
    • Use red-team style exercises (simulated phishing campaigns) to keep your employees alert to these emails. It is easy to become desensitized or oblivious to them.
    • Run hourly backups on your critical systems and daily backups for all others, keep at least one copy where a compromised workstation cannot write to it, and test restores periodically; a backup that the ransomware can also encrypt is no backup. Have a reasonable backup plan, for your particular environment, to address data on end-user systems.
    • Establish as swift a patching process as possible. Remember that many exploits succeed simply because the vulnerability they target has not been patched. Government in particular is often too slow in its patch cycles; do whatever you can to change your process and shorten patching times.
    • Disable Flash altogether if possible.
    • Restrict mounted file shares as much as possible. This is an oft-forgotten vector: ransomware running on one workstation encrypts every share that workstation can write to, so it has the potential to wreak the most damage in an enterprise environment.
  • Technology – on the Network:
    • Whitelist applications at your gateway. If you do no other whitelisting, at minimum block the following:
      • Unknown TCP/UDP applications
      • High-risk applications that you do not need
      • All file-sharing applications (e.g., Dropbox, Box), which are a common delivery mechanism, unless you are using Aperture to ensure that file-sharing environments are secured and that only the right users have permissions to the applications.
    • Whitelist applications at your data center. Given that this is a controlled environment, you can be more restrictive at this critical point in the attack life cycle.
    • Block known bad URLs (in the Palo Alto Networks platform, this is the malware category).
    • Block unknown URLs, or present a “continue” page to warn users and to break automated downloads/droppers.
    • Enable all threat prevention capabilities on our platform, on all traffic, all the time (IPS, AV, Spyware). Newer IPS rules have been added, such as those that block JavaScript files sent via email that are used as droppers.
    • Block specific file types depending on the delivery application:
      • e.g., block PEs (Windows executables) and other unwanted file types over web/email.
    • Block file downloads from unknown URL categories altogether.
    • Enable SSL decryption; remember that the payload can be delivered over SSL.
  • Technology – on the Endpoint:
    • Enable exploit prevention on all of your critical assets using Traps.
    • Don’t allow unknown executables to run. If you are a Palo Alto Networks customer, block them until WildFire returns a verdict on the file.
    • Don’t allow .exe files to run from risky locations, e.g., a temp directory.
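
The file-type controls in the list above (blocking PE files and JavaScript droppers over web and email) depend on judging an attachment by what it contains, not by the name it arrived with. The following is an added example of that screening logic, not code from this post or from any Palo Alto Networks product; the extension list, the nesting limit and the sample attachments are assumptions constructed for the example. It catches three common tricks: a double extension such as invoice.pdf.js, PE content hiding behind a harmless extension, and a script dropper inside a ZIP archive. It also refuses password-protected archive entries, which it cannot inspect, rather than waving them through.

```python
import io
import os
import zipfile

# Extensions Windows will execute on double-click; the post says to block these
# over web/email. The exact list is an assumption of this example.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl", ".js", ".jse", ".vbs",
                      ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
PE_MAGIC = b"MZ"            # DOS header that starts every Windows PE file
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty ZIP archive
MAX_ARCHIVE_DEPTH = 2       # assumption: refuse archives nested deeper than this


def final_extension(name):
    """Last extension, lower-cased: 'invoice.pdf.js' -> '.js'."""
    return os.path.splitext(name)[1].lower()


def sniff(data):
    """Classify content by magic bytes rather than by the file name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def screen_attachment(name, data, depth=0):
    """Return ('block', reason) or ('allow', None) for one attachment."""
    ext = final_extension(name)
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{name}: executable or script extension {ext}"
    if kind == "pe":
        return "block", f"{name}: PE content behind {ext or 'no'} extension"
    if kind == "zip":
        if depth >= MAX_ARCHIVE_DEPTH:
            return "block", f"{name}: archive nested too deeply to inspect"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    try:
                        inner = zf.read(member)
                    except RuntimeError:
                        # Password-protected entry: cannot be inspected, so do not pass it.
                        return "block", f"{name}: encrypted entry {member.filename}"
                    verdict, reason = screen_attachment(member.filename, inner, depth + 1)
                    if verdict == "block":
                        return "block", f"{name} -> {reason}"
        except zipfile.BadZipFile:
            return "block", f"{name}: corrupt or truncated archive"
    return "allow", None


def make_zip(entries):
    """Build an in-memory ZIP from {member name: bytes} (used only for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in entries.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed sample attachments; none of this is real malware.
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.4\n%..."),
    ("invoice.pdf.js", b"var sh = new ActiveXObject('WScript.Shell');"),
    ("statement.pdf", PE_MAGIC + b"\x90\x00" * 30),
    ("scan.zip", make_zip({"scan.js": b"eval('...')"})),
    ("photos.zip", make_zip({"a.jpg": b"\xff\xd8\xff\xe0"})),
]


def screen_all(attachments):
    """Screen a list of (name, bytes) pairs; returns {name: (verdict, reason)}."""
    return {name: screen_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, (verdict, reason) in screen_all(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5s} {name}  {reason or ''}")
```

Only the PDF and the archive of images are allowed through; the renamed script, the PE disguised as a PDF and the archive carrying scan.js are all blocked with a reason that can be logged and shown to the user. The same check belongs at the web proxy for downloads, where the post recommends blocking PEs and unknown file types as well.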

Use the global surge in ransomware as an opportunity to revisit your security practices, regardless of which framework (ISO 27000-series, NIST Cyber Security Framework, etc.) you use.

For more on ransomware trends and best practices for prevention, download “Ransomware: Unlocking the Lucrative Criminal Business Model” from Unit 42, the Palo Alto Networks threat intelligence team.


[Palo Alto Networks Research Center]
