Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
The cloud presents all kinds of opportunities for today’s enterprise, from anywhere access to anything-as-a-service. Cloud computing also imposes significant security risks on the corporation, its network, its IT and the day-to-day activities of the business. How do enterprises maintain compliance, control and ownership of sensitive data as they move from the physical environment to a cloud world? The distribution of data onto devices may not be completely controlled by the data owner, and there is liability confusion as cloud service providers take on a larger role. As a result, CIOs are looking at technologies and strategies to assure security while delivering the required services.
Fortunately, this model of enterprise computing doesn’t have to be a high-risk proposition. By thinking of security as an enabler, instead of an obstacle to cloud adoption, you can protect and maintain control of data across multi-cloud environments while maximizing the business potential of the cloud. During this webcast we will discuss ways to address the key security challenges you’re facing as you move to the cloud.
The Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing seeks to establish a stable, secure baseline for cloud operations. It acts as a practical, actionable roadmap to individuals looking to safely and securely adopt the cloud paradigm.
Since its last revision in 2011, the cloud landscape, tools and technologies have changed, and we want to reflect that in an updated version of the CSA Guidance (which would be version 4). A draft of Domain 1 is now available for review. Domain 1 covers Cloud Computing Concepts and Architecture and provides the conceptual framework for the rest of CSA’s guidance. The domain describes and defines cloud computing, sets our baseline terminology and details the overall logical and architectural frameworks used in the rest of the document.
Experts are needed that can invest their time in providing feedback. Although we have a dedicated writing team, this is still a community project. All feedback and edits will be managed via GitHub so that all parts of the process are open and public.
Our Latest Research Reveals Opportunities and Threats As Business-Critical Data Moves to the Cloud
By Cameron Coles, Sr. Product Marketing Manager, Skyhigh Networks
Cloud services are now an integral part of corporate life. Companies use, on average, 1,154 cloud services ranging from enterprise-ready services procured by the IT department such as Office 365 to far lesser known and riskier services such as FreakShare. It’s not uncommon for sensitive corporate data to make its way to the cloud, with 15.8% of documents in file sharing services containing some form of sensitive content.
Our latest Cloud Adoption & Risk Report (download a copy here) examines the cloud usage of over 23 million users at companies spanning all major industries worldwide. Across more than 16,000 cloud services, they generate in excess of 2 billion events each day including logins, uploads, edits, shares, deletes, etc. We’ve analyzed this activity and distilled some important facts about how companies are using the cloud today. Here are 11 of the most interesting findings from the report.
15.8% of files in the cloud contain sensitive data
The most common type of sensitive content found in the cloud is confidential data (e.g. financial records, business plans, source code, trading algorithms, etc.) with 7.6% of documents in file sharing services containing this data. Next, 4.3% of documents contain personally identifiable information, 2.3% contain payment data such as credit card numbers, and 1.6% contain protected health information. Sensitive data uploaded to the cloud, in and of itself, is not necessarily a bad thing, but we’ve found that data can be placed at risk if it’s misused internally or shared externally outside of policy.
1,156 files contain the word “password” in the filename
A common theme in recent data breaches is that cyber criminals use compromised passwords to execute attacks. In the Anthem breach, it’s been reported that passwords belonging to five IT employees were used to access sensitive patient data. While it’s recommended that users store passwords in a safe place, such as a secure password vault, unencrypted Excel and Word documents uploaded to file sharing services are a poor place to store passwords.
1,753 Excel documents contain the word “salary” in the filename
Recent headline-making data breaches have also involved documents containing employee salaries, Social Security numbers, home addresses, and bank account numbers. Many of these files include the word “salary” or “salaries” in the filename, making it even easier for a cyber criminal to identify them. The average company has 6,097 files containing these keywords in the filename stored in cloud-based file sharing services, and 1,753 are Excel spreadsheets.
File sharing hit an all-time high this quarter
The percentage of files in cloud-based file sharing services that are shared hit an all-time high of 37.2% in Q3. Files can be shared with multiple users inside and outside the company. The most common type of collaboration is with internal users, with 71.6% of shared files shared with individual users within the company. Of shared files, 28.2% are shared with business partners, and 5.4% are visible to anyone with the link. Of the 37.2% of files shared, we’ve broken down who they are shared with here:
9.2% of files shared externally contain sensitive data
Of files in cloud-based file sharing services that are shared externally (with business partners, personal emails, or publicly on the web), 9.2% contain sensitive data, defined as confidential, personal, payment, or health data. While this number is lower than the overall average of all files that contain sensitive data (15.8%), which indicates that users are more selective about what they share externally, these sharing events can still expose organizations to risk if data falls into the wrong hands.
File sharing services are a shadow code repo
Despite the popularity of code repositories such as GitHub and SourceForge, users also store files containing code in file sharing services and rely on these services to send large code files to other users. The most common programming languages found in file sharing services include JavaScript, Objective-C, and Python. The average organization has thousands of code-containing files stored in the cloud, and 14.8% of these files are shared externally.
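The report classifies files by sharing audience (internal, business partner, personal email, anyone with the link) and flags filenames carrying words like “password” and “salary”. The following audit script, an added example that is not code from the report or from Skyhigh Networks, applies those same classifications to a constructed file-sharing inventory; the record format, the `corp.example` internal domain and the `anyone-with-link` marker are assumptions standing in for whatever a CASB or file-sharing API export would provide.

```python
"""Audit a cloud file-sharing inventory for the exposures the report describes.

Added example. The inventory format (one record per file with a filename, a
sensitivity label and a list of share targets) is an assumption; records are
constructed, not real data.
"""
import re
from collections import Counter

# Constructed sample export. "sensitive" holds the report's four content
# classes (confidential, personal, payment, health) or None.
SAMPLE_INVENTORY = [
    {"name": "Q3-forecast.xlsx", "sensitive": "confidential", "shares": ["alice@corp.example"]},
    {"name": "vendor-passwords.xlsx", "sensitive": None, "shares": ["bob@partner.example"]},
    {"name": "salaries-2015.xlsx", "sensitive": "personal", "shares": ["anyone-with-link"]},
    {"name": "app.js", "sensitive": None, "shares": ["carol@gmail.example", "dave@corp.example"]},
    {"name": "notes.docx", "sensitive": None, "shares": []},
    {"name": "claims.csv", "sensitive": "health", "shares": ["erin@corp.example"]},
]

INTERNAL_DOMAIN = "corp.example"          # assumed corporate mail domain
PUBLIC_LINK = "anyone-with-link"          # assumed marker for link-sharing
# Filename keywords the report singles out (password / salary / salaries).
RISKY_NAME_RE = re.compile(r"password|salar(?:y|ies)", re.IGNORECASE)


def audience(target: str) -> str:
    """Map one share target to the report's buckets: internal, external or public.
    Business partners and personal email addresses both count as external here."""
    if target == PUBLIC_LINK:
        return "public"
    domain = target.rsplit("@", 1)[-1].lower()
    return "internal" if domain == INTERNAL_DOMAIN else "external"


def is_shared_externally(record: dict) -> bool:
    """True if at least one share target is outside the company (external or public)."""
    return any(audience(t) != "internal" for t in record["shares"])


def share_breakdown(inventory: list) -> dict:
    """Percentage of shared files reaching each audience; a file shared with
    several audiences is counted once in each bucket, as in the report's figures."""
    shared = [r for r in inventory if r["shares"]]
    counts = Counter()
    for r in shared:
        for bucket in {audience(t) for t in r["shares"]}:
            counts[bucket] += 1
    total = len(shared) or 1  # avoid division by zero on an empty export
    return {b: round(100 * counts[b] / total, 1) for b in ("internal", "external", "public")}


def risky_filenames(inventory: list) -> list:
    """Files whose names advertise credentials or payroll data."""
    return [r["name"] for r in inventory if RISKY_NAME_RE.search(r["name"])]


def external_sensitive(inventory: list) -> list:
    """Files shared outside the company that carry a sensitivity label or a risky name:
    the cases the report describes as exposing the organisation to risk."""
    return [r["name"] for r in inventory
            if is_shared_externally(r) and (r["sensitive"] or RISKY_NAME_RE.search(r["name"]))]


if __name__ == "__main__":
    print("share breakdown:", share_breakdown(SAMPLE_INVENTORY))
    print("risky filenames:", risky_filenames(SAMPLE_INVENTORY))
    print("externally shared sensitive files:", external_sensitive(SAMPLE_INVENTORY))
```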
Data is under siege by internal and external threats
Insider threats, which include both accidental and malicious high-risk user behaviors, occur at least once a month at 89.6% of companies, with the average company experiencing 9.3 incidents per month. On average, companies experience 2.8 privileged user threats per month, which include administrators accessing data they shouldn’t. And, organizations experience 5.1 incidents each month in which an unauthorized third party exploits stolen account credentials to gain access to corporate data stored in a cloud service. A breakdown of companies experiencing at least one insider threat, compromised account, and privileged user threat per month is shown here:
Cloud usage in Q3 grew 38.9% over the same period last year
Cloud usage continues to grow exponentially. The average company in Q3, 2015 used 1,154 cloud services, including 174 distinct collaboration services, 61 file sharing services, 57 development services, and 45 content sharing services. The average user actively uses 30 cloud services. On average, organizations upload 14.7 TB of data to the cloud each month, but only 8.1% of cloud services offer enterprise-ready security controls, which is lower than the 9.5% this time last year.
iOS has more apps in use per device, Android users upload more data
The average iOS device accesses 11.05 cloud services, compared with 9.96 for Android, and 6.82 for Windows Phone. Cloud usage on iOS is soaring; it’s now 88.1% higher than this same period last year. Across mobile platforms, cloud usage grew 62.9% in the last 12 months. However, users of Android devices upload over three times more data compared with the average iOS user.
Cloud usage is surging on Windows and stagnant on the Mac
On average, Windows desktop users use a greater variety of cloud services than users of any other platform. The average Windows device accesses 18.3 cloud services, an increase of 47.6% in the last 12 months. Today, Windows devices on average access 77.7% more cloud services than Mac devices.
Enterprise cloud services account for 72.9% of cloud usage
A common misconception among corporate IT departments is that the bulk of their cloud usage is made up of employees accessing consumer apps. However, we found the opposite is true. On average, 72.9% of the cloud services in use by a company are defined as enterprise cloud services and 71.8% of data uploaded to the cloud went to these services. Not all of these apps are approved, and companies can reduce their risk by migrating to enterprise-ready services. From a security standpoint, the top 20 enterprise cloud services are significantly more likely to have robust security controls than the average enterprise cloud service (85% vs 9.9%).
SFIA, the Skills Framework for the Information Age, has become the globally accepted common language for skills in the digital world. It provides descriptions of skills and responsibilities for professionals in and around information and communications technology.
SFIA is used in nearly 200 countries and is growing fast. It enables individuals to easily assess current skills and levels, identify skill goals and plan professional development, and match skills to roles and jobs.
SFIA Version 6, released in 2015, contains 97 skills, each described at one or more of 7 levels of responsibility. To aid navigation, SFIA structures the skills into 6 categories, each with a number of sub-categories. It also describes 7 generic levels of responsibility, in terms of Autonomy, Influence, Complexity, and Business Skills.
One of the areas that has grown since the publication of V5, and is therefore reflected in V6, is cybersecurity. SFIA V5 contained three core skills for security professionals: Information assurance, Information security and Security administration. All of these were updated in V6, including adding a level 7 description for Information security and level 1 and 2 descriptions for Security administration.
SFIA V5 also contained 10 skills which specifically included the word ‘security.’ Investigation identified another 22 SFIA skills which were regularly used to describe the roles of security professionals and were needed for security capabilities, but didn’t include the word ‘security’ anywhere. Apart from demonstrating the limitations of using word search to identify relevant skills—which sadly many users resort to—it highlighted how much coverage SFIA already had for this area.
Security references were specifically added to Solution architecture, Systems development management, Programming/software development, and Testing.
Digital forensics (DGFS), and Penetration testing (PENT) were also added to the skills list in V6.
SFIA works well with the various cybersecurity frameworks and information security standards. However, it covers a much wider scope, defining skills needed across the complete digital information and communications technology landscape.
With regard to digital forensics, cybersecurity and information security, SFIA is being used to help quantify and close the skill and capability gaps, providing a consistent model for all ICT professions.
It’s not just about determining the headcount gap in the number of cybersecurity professionals; SFIA also assists in understanding how organisations can build their own cybersecurity capability.
By understanding the unique skills required, organisations can determine if the gaps are in knowledge, role design and/or professional skills. It helps determine who needs upskilling, which roles may require a redesign, and identifying relevant training, mentoring, knowledge transfer and other development activities.
Of course, security is just one of the many ICT elements covered in SFIA. Organisations and governments around the world use SFIA in a multitude of different ways, from defining role profiles and job descriptions to recruitment and procurement. SFIA is also utilized in talent and skills management to quickly identify an individual’s skills, the skills they may be lacking, and recommendations for further education and training.
Note: Matthew Burrows is speaking on this topic at ISACA’s EuroCACS conference in Copenhagen this month. Learn more about the conference.
Organizations around the world are quickly moving IT services to cloud computing platforms in an attempt to meet a wide range of business needs. From business organizations implementing a user-friendly and cost-effective SaaS platform for e-mail and calendaring to firms chasing wholesale adoption of infrastructure-as-a-service (IaaS), enterprise IT is clearly undergoing a radical transformation.
As services migrate to the cloud, there is high demand for security professionals experienced in adapting existing security controls to cloud environments. How can organizations gauge whether their existing security staff and potential hires have the knowledge required to operate effectively in a cloud-based environment?
(ISC)² and Cloud Security Alliance (CSA) recently joined forces in a unique partnership designed to address this problem for the entire industry. As the producer of the Certified Information Systems Security Professional (CISSP), the industry’s gold standard security certification, (ISC)² brings substantial certification expertise to the table. CSA, on the other hand, has a long background in developing and promoting cloud security standards. The product of their collaboration is the new Certified Cloud Security Professional (CCSP) credential.
Inside the CCSP Exam
The CCSP exam is computer-based and uses the standard multiple-choice format found on many IT certification exams. Candidates will face 125 multiple-choice questions containing four possible answer choices each. There are 100 actual exam questions, while the remaining 25 are research questions used to prepare future examination question pools. Passing the exam requires a scaled score of 700 out of 1,000 possible points from the scored exam questions.
CCSP candidates will not face simulation-based questions where they are asked to manipulate IT systems or perform configurations. The exam does, however, include scenario-based questions where the candidate is asked to read a detailed scenario and then answer several multiple-choice questions pertaining to that scenario. The questions in these sections follow the same four-option multiple choice style used on the remainder of the exam.
Candidates who successfully pass the examination must also demonstrate hands-on expertise in cloud security issues. Earning the CCSP requires at least five years of experience in information technology, three years of experience in information security, and a year of experience in one of the six CCSP domains.
Candidates who already hold CISSP certification automatically meet all three of the CCSP experience requirements. Candidates holding the CSA’s Certificate of Cloud Security Knowledge (CCSK) automatically meet the one year of CCSP domain-specific experience requirement, but must still demonstrate that they meet the remaining two requirements.
Exploring the Six Domains of Cloud Security
Cloud security is a specialization within the broader field of information security. IT professionals seeking a career in this area may wish to start with a general information security certification, such as CompTIA’s Security+, or (ISC)²’s own SSCP, before tackling a cloud security specialization. The six CCSP domains of knowledge focus on security issues specific to cloud computing and presume that the candidate is already familiar with the basics of information security. Let’s take a look at each of the six CCSP domains and the cloud-specific security issues they cover.
Domain 1: Architectural Concepts and Design Requirements focuses on the fundamental concepts of cloud computing. Candidates must have a working knowledge of cloud computing concepts and models, as well as the high-level security issues associated with the cloud, such as encryption, access control, hypervisor security and network security. This domain includes a focus on securing different cloud computing environments, including software, platform, and infrastructure services. Candidates must also demonstrate the ability to understand the principles of sound cloud security design and cloud service certification programs.
Domain 2: Cloud Data Security begins the certification’s deep dive into cloud-specific technical security issues. Candidates must be able to describe cloud-based data storage architectures and the controls commonly used to secure those environments, such as encryption, tokenization, data masking and data lifecycle management. This domain also includes coverage of data rights management (DRM) technology, retention, deletion and archiving policies and ensuring the auditability of cloud data events.
Domain 3: Cloud Platform and Infrastructure Security covers the physical and virtual security risks around cloud infrastructure. This includes the protection of virtualization platforms, communication between cloud services and implementation of audit mechanisms. CCSP candidates must be able to conduct cloud risk assessments and design appropriate security controls in response to identified risks. Finally, this domain also includes the development of appropriate business continuity and disaster recovery plans around the use of cloud services.
Domain 4: Cloud Application Security explores the application security issues found in cloud computing environments. Security professionals taking the exam will face questions relating to cloud software assurance, the software development lifecycle (SDLC) and the appropriate integration of identity and access management solutions with cloud-based computing services.
Domain 5: Operations dives into the new operational issues that arise from the use of cloud computing services. Many of the topics covered in this domain focus on the management of cloud infrastructure and are geared toward security professionals working for cloud service providers, rather than the customers of cloud services. Questions from this domain can be quite technical and explore the design, implementation and management of both physical and logical cloud infrastructure.
Domain 6: Legal and Compliance ensures that candidates grasp the complex legal and regulatory issues that emerge when organizations create and adopt cloud computing services. These include legal and privacy issues related to cloud computing, the impact of cloud computing on enterprise risk management programs and the auditing of cloud security controls. This domain also includes coverage of cloud contract design, security issues related to outsourcing arrangements and the management of cloud computing vendors.
The six CCSP domains cover a wide variety of topics but also dive deeply into technical security issues related to cloud computing. Candidates shouldn’t be surprised if they answer a high-level question about cloud security policies right before diving down into a detailed question on VLAN configurations that enable isolation between different IaaS customers. This exam is not for the faint of heart and should be attempted only by experienced security professionals who are quite familiar with cloud computing issues.
Will the CCSP Catch On?
The CCSP credential holds great promise, but faces some challenges to adoption. The unique partnership between (ISC)² and CSA provides good marketing clout, and (ISC)²’s deep experience in developing and marketing security certification programs strongly suggests that the CCSP credential will do well. That said, (ISC)² has tried to roll out specialized security certifications in the past with mixed success.
We’ll see some early indications of the CCSP’s viability based upon the number of candidates sitting for the exam over the next few months. (ISC)² aggressively marketed the credential to their strong existing base of CISSP credential holders and the waiver of the experience requirement is an alluring inducement for those individuals to sit for the exam if they are so inclined.
Basically, existing CISSPs only need to pay the $549 exam fee and pass the exam to earn the certification. If they adopt the certification in large numbers, that will help provide the critical mass necessary for the CCSP’s success. If CISSPs don’t get on board, then the challenge of building a strong contingent of CCSP holders becomes more problematic. In either case, (ISC)² will need to successfully identify and engage cloud professionals seeking security training if CCSP is to be more than a niche certification. Time will tell!
Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.