Cloud Security: Embracing Change Requires a Mindset Shift

When meeting with organizations across EMEA, I often hear them cite concerns about putting security in the cloud. However, in the following discussions, they typically admit that doing just that is inevitable. There’s a mindset change here that needs to be embraced on all sides of the cybersecurity equation.

I’ve worked previously with companies operating on the mantra that change is the only constant, yet cybersecurity experts often perceive change as a loss of control that they have to regain. This is perhaps why 70 percent of cybersecurity professionals across Europe and the Middle East say a rush to the cloud is not taking full account of the security risks, according to a recent survey conducted by Palo Alto Networks[1].

At the same time, there is increasing pressure from regulation, such as GDPR, to be mindful of what data (specifically PII) is put into the cloud. Unlike databases or other IT systems, the concern is typically around how PII data can be accidentally captured by security tools being used.

With all this in mind, it’s not surprising that the initial idea of moving cybersecurity to the cloud makes many security leaders anxious, just as IT leaders felt when it came to moving their applications.

 

The Benefits of Agility

Perhaps the biggest cybersecurity challenge today relates to our ability to normalise and process the increasing volume of artefacts we gather through security tools and turn them into intelligence we can act on in a timely manner to prevent business impact. With many businesses now processing millions of artefacts per month, the key challenge is the time required to achieve this. How much is your business processing today, and what are the growth predictions for the next three years? The cloud effectively gives unlimited compute power with no big Capex investments, so the same rationale for moving applications and data to the cloud surely applies to cybersecurity. Indeed, our research highlighted that 75 percent of cybersecurity professionals agree embracing the cloud could be a method of enhancing cybersecurity capabilities in their organizations.

 

Inevitability

As more applications and data move to the cloud, the cybersecurity tools that gather all these artefacts are themselves having to move to the cloud. This must be natively integrated to detect the artefacts and understand the environment in order to effectivity secure it. However, the natural tendency of cybersecurity professionals is to haul this data back into their own organizations for analysis.

 

Human Emotions

It is a typical human emotional response to want to keep precious things close at hand, and information that pertains to potential breaches is precious. However, if you look at traditional endpoint security, most security point products today share information about attacks against you with the security provider via the cloud, with the aim being to better detect and understand attack trends. Other organizations have already gone much further and send their security logs to managed security service providers to analyse and act upon.

Taking this into account, why are some cybersecurity teams more open to sharing than others? And what’s different between sharing in this way and storing artefacts or indicators in a private cloud?

In certain circles, data classification means that “no information leaves the building; where data is confidential or top secret”, yet for most, that’s not the limiting factor. All too often, regulation may be the justification, but it may not actually be the case. Security vendors and partners don’t want your PII, so they work hard to filter it out and give you control over what is shared. Likewise, regulations such as GDPR recognise the value of cybersecurity tools when it comes to helping protect PII, and this should allow for a little more leniency should personal data mistakenly get caught up in the process.[2]

 

Trust

Not so long ago, people would bury treasures or hide their money under the bed, yet today, such prized items would typically be kept in a bank. This is because we recognize and trust that banks can better protect valuables, and there is incremental value – in terms of interest – in putting them there.  Did you known Monzo bank was launched in April 2017 in the UK as one of the first cloud based banks utilised through an app.  Banks are shifting to the cloud!

Now, consider cybersecurity. Security professionals apply it themselves as they trust in their own capabilities. This is absolutely valid, yet cloud services typically have more budget and resource to protect security data, and – most importantly – have the incremental value of agility, in terms of elastic compute power, to process it. The matter at hand therefore becomes how each business builds trust in storing its security data in the cloud. I would suggest that this starts with transparency and control: where and what is gathered, how it is stored and used, who has access to it and why. More and more cloud security services are sharing this information to ensure you can have trust in their capabilities.  Likewise, there is also a growth in 3rd party tools that provide governance of your cloud services based on this growing need.  Palo Alto Networks has recently acquired Evident.IO[3]

 

You Can’t Stop It, Even If You Want To

Not so long ago, many held the same concerns for any use of the cloud, yet cloud-first strategies are commonplace today. I believe the same applies for cybersecurity, as most companies are now leveraging the cloud to enable or apply some level of their cybersecurity capabilities. However, at some point, each security professional will go through his or her own mindset shift, where concerns about the risk of putting security information in the cloud will be overtaken by the value of leveraging the elastic compute power to apply the latest smart AI algorithms against security artefacts, or by the growing need for security to be natively applied in the cloud to protect the business processes that have moved there.

The important things, at this point, are knowing when that mindset shift will occur in your business, and being clear and confident on what you and your business require to embrace it. Typically, business leaders are pushing IT teams to transform faster, which can potentially lead to bigger lag with cybersecurity teams. What’s clear is that business isn’t going to wait, so the longer it takes to make that mindset shift, the more catching up there will be to do.

 

[1] https://www.paloaltonetworks.com/company/press/2018/cloud-research

[2] The processing of personal data by public authorities, computer emergency response teams, computer security incident response teams, providers of electronic communications networks and services, and providers of security technologies and services – to the extent strictly necessary and proportionate to ensure network and information security – constitutes a legitimate interest of the data controller concerned. This could include, for example, preventing unauthorised access to electronic communications networks and malicious code distribution as well as stopping “denial of service” attacks and damage to computer and electronic communication systems.

[3] https://evident.io

[Palo Alto Networks Research Center]

GDPR Can’t Fix Stupid

GDPR, the much-discussed General Data Privacy Regulation from the European Union, will not be a cure-all for the world’s data privacy problems simply because the GDPR, like every law, is subject to the bureaucracy out of which it was born. This bureaucracy can be compared to a super tanker and those who would violate the law to speedboats. While the super tanker takes miles to make a simple course adjustment, speed boats can dance around the super tank with little fear of a collision.

Sure, there will be times when a speedboat captain makes a mistake and collides with the super tanker resulting in the organization being penalized, but my current expectation is that the organizations that will ultimately pay the potential fine of 4 percent of global turnover will be few and far between. I say this because the GDPR, for all its good intentions, was created by humans, and lawyers will quickly find the loopholes, unintentionally created by the humans, to keep their customers from paying significant fines. Moreover, I simply do not believe that many of the organizations charged with enforcing the GDPR currently have the required manpower and skills to successfully enforce the law. Add to this the fact that Working Party 29 continues to provide guidance on what different sections of the law mean and, at least in the short term, we have a construct that may be difficult to enforce.

That said, I think the GDPR could have a very positive effect on the events we have recently seen involving Facebook, Cambridge Analytica and the political decisions they are claimed to have influenced. GDPR clearly lays out individual’s rights and a primary focus of data privacy and information security professionals should be training colleagues, family, and friends about those rights under this law and the threats that attempt to undermine their rights. The key to success is education, for it is only education that can fix stupid. We, the world, must add critical thinking to educational programs at all levels. An educated population, with solid critical thinking skills, will significantly improve our ability to reduce the effectiveness of fake news and to take back our democracies from the forces that would use our data and opinions against us.

Despite these observations, don’t despair. GDPR is a well-intended regulation that has the potential to change the way the world views data privacy. This value will be derived, however, through education rather than through fines. We must all understand that we do not have to accept our employers, governments or, perhaps worst of all, non-governmental organizations that attempt to sway public opinion on crucial political decisions, misusing our data. We have options. We can inform ourselves using multiple accredited sources. We must demand that our rights are respected.  We should confront those who spread fake news, both in the internet but also at our own dinner table. Most importantly, we can vote, with a few mouse clicks, and can close our accounts on those social media platforms which exploit our data for their gain. We must all understand that data privacy is a universal right and thinking critically about what those with access to our data will do with it is the ultimate safeguard for our data, our privacy and ultimately for our democracies.

Author’s note: The author’s views are his own and do not necessarily reflect the views of his employer.

Scott Rosenmeier, Senior Manager Information Security, CISA, CISM, CRISC, CGEIT, CISSP-ISSMP/ISSAP TUEV SUED certified DPO (Germany)

[ISACA Now Blog]

Automating Cloud Security with Ansible and Palo Alto Networks

History has shown that using automation to perform repetitive tasks without human assistance can result in labor and production cost reductions as well as improvements to quality, accuracy and precision.

In the ongoing effort to protect applications and data from bad actors, automating repetitive security tasks allows you to achieve the same benefits of accuracy, precision and precious labor savings. However, the most significant benefit that security automation brings is that it allows you to enforce a strong, consistent and repeatable security posture.

For the past several years, Palo Alto Networks and Ansible have collaborated on a set of Ansible modules that automate a variety of configuration settings which can be used on our physical and virtualized next-generation firewalls. In the public cloud, these collaboration efforts have become invaluable to our customers as they adopt more rapid and iterative application development methodologies (i.e., DevOps, CI/CD) on AWS, Azure and Google Cloud.

The Ansible modules for PAN-OS, our security operating system, allow our customers to embed security into the application development lifecycle, eliminating the bottleneck that change control security best practices can introduce.

To learn more about how Ansible can enable you to automate security in the cloud, please register for our joint webinaron April 25 at 11:00 AM PST/2:00 PM EDT. This informative event will cover the following topics:

  • New Ansible modules, updates and enhancements for cloud deployments
  • How Palo Alto Networks protects organizations from threats and data exfiltration, from the network to the cloud
  • Using Ansible modules to deploy and configure Palo Alto Networks VM-Series firewalls on AWS, Azure and Google Cloud

The webinar will wrap up with a brief deployment demonstration and technical Q&A with our solution architects.

Register for “Automating Cloud Security with Ansible and Palo Alto Networks

[Palo Alto Networks Research Center]

Should CISOs Expand Their Portfolios?

CISOs have traditionally focused on the triad of “Confidentiality, Integrity and Availability.” Recently, emphasis has been placed on confidentiality, hackers and zero-day attacks. However, industry trends now require that focus to broaden to all business information risks within organizations.

Since information is a key part of almost all business transactions, information risks are becoming pervasive. The trends I want to highlight include increased need for Security departments to partner with business colleagues to understand risks from their point of view, and increased importance of integrity and availability.

Integrity
In my mind, integrity issues go back to the ChoicePoint data breach in 2005. This breach did not result from a zero-day attack. It was carried out by fraudulent customers using fake accounts. This falls under the “data integrity” mandate. At the time, many would have thought that this breach was outside of the scope of information security. But this needs to change today.

Such incidents have taken off in recent years. Fake news incidents have regularly made headlines. The potential effects of fake information on SEO results also have been highlighted. Consider the reports of identity “theft” using synthetic identities. Or the recent scandal at Kobe Steel over the internal falsification of quality data.

After the Yahoo breaches cost that company US $300M, cybersecurity assessments have become a more important part of M&A transactions. This type of assessment has to mitigate business risk. Is the firm’s risk posture what it says it is? Class action lawsuitsin the state of Michigan for faulty software algorithms bring up another information business risk. Software development errors may have real human life consequences as well as business consequences.

Availability
In the recent volatile financial market, several investment firms suffered outages, even in our era of scalable, virtualized application architectures. Ransomware attacks last year led to real money being lost from victims, not from ransoms, but from outages. The largest ever DDoS attack recently was reported. These attacks are likely to continue to be common.

Confidentiality
This is still an important issue, but the diversity of incidents is increasing. An ex-Expedia employee pleaded guilty to stealingcompany information to facilitate his insider trading of company stock. Better keyless entry systems now facilitate faster theft by car thieves, not just theft of information. In 2016, steelmaker ThyssenKrupp lost trade secrets to cyber criminals. A large retailer recently was hit with a $27 million fine for stealing a small contractor’s intellectual property. Instead of just stealing IDs, criminals are now stealing whole systems and the intellectual property that goes along with those systems.

These incidents highlight newer ways to misuse information resources and adversely affect a business. More longstanding hacker attacks using technology are not going away; traditional technology controls are still needed to mitigate these risks and significant progress has been made in doing so. But these newer incidents highlight threats in which the misuse case and consequences are highly entwined with the business. To find these risks, CISOs will need, more than ever, to understand the business they are protecting and the risks that are seen by senior management. Security controls will need to be more integrated in business operations to be effective.

A recent presentation by Facebook CISO Alex Stamos also highlighted these issues. In his talk, Stamos distinguishes between two components of technology risk: traditional InfoSec and “abuse.” He defines abuse as “technically correct use of a technology to cause harm.” In his view, the abuse category of risk is much broader than the traditional InfoSec concerns. Some of his solutions to better manage the abuse category of risk include broadening the focus of security practitioners and increasing empathy toward business users and leaders.

My own conclusion is: if the issue involves company information, and misuse can affect the company’s risk posture, then CISOs need to play an active role in mitigating that risk.

Frederick Scholl, Ph.D., CISM

[ISACA Now Blog]

CCSK obtains course mapping approval under IMDA’s CITREP+ Programme

SINGAPORE – March 21, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, is pleased to announce that its Certificate of Cloud Security Knowledge (CCSK) course has successfully completed course mapping under CITREP+

Through this recognition, attendees who are Singapore citizens and permanent residents can attend the 3-day CCSK training course at subsidised costs under the Critical Infocomm Technology Resource Programme Plus (CITREP+) as a part of TechSkills Accelerator (TeSA), a programme which supports local professionals and working professionals to continuously reskill and stay abreast of the latest in-demand technical skills, to remain valued and competitive in Singapore. Singaporeans and permanent residents are also eligible for CITREP+ funding to take the CCSK examination.

“We look forward to seeing greater awareness, as well as deeper knowledge and understanding of cloud security in Singapore,” said Dr. Hing-Yan Lee, Executive Vice-President of CSA APAC. “With it, we expect increased cloud adoption towards achieving Singapore’s cloud vision of sharpening its overall competitiveness, as well as enhancing the vibrancy and growth of Singapore’s ICT sector through the development of a cloud ecosystem.”

There are several authorized CCSK training providers in Singapore. One of these is HP Education (HPE). Another authorized CCSK training provider is NTUC Leaning Hub Pte Ltd (LHUB) & RapidStart Pte Ltd. CSA plans to appoint more training providers to conduct CCSK training in Singapore.

Mr. Kwek Kok Kwong, CEO of LHUB shared, “Singapore is one of the most connected nations in the world. Digital technology is evolving everywhere, and it is becoming increasingly important to adopt measures that ensures security in the cyberspace. Time and again, we see cyber-attacks and it is crucial that we step up awareness of security amongst cloud users. We are therefore happy to partner with CSA to equip and deepen the necessary skillsets for individuals, in a bid to provide organisations with broader security capabilities when adopting cloud computing solutions for their businesses.”

“We are excited to announce our partnership with CSA which will continue to broaden our offerings in Cloud Computing Technology. There’s no doubt about the growing demand for skills and expertise in Cloud Computing and this partnership will enable us to join forces and collaborate with CSA together to address local industry needs”, said Dr Anton Ravindran CEO of Rapidstart Pte Ltd.”

Going forward, CSA will map CCSK to the Skills Framework for ICT, which is a guide for individuals, employers and training providers to promote ICT skills mastery and lifelong learning. The Skills Framework for ICT is also part of TeSA, an initiative of SkillsFuture. The framework can be used by employers to develop career maps and articulate job requirements, used by individuals to guide their skills identification and development to stay relevant, and used by training providers to devise ICT courses. Some critical skill areas include network and infrastructure, software development and engineering, data and analytics, cyber-security.

Since CSA first released CCSK in 2010, thousands of IT and security professionals have taken the opportunity to upgrade their skill sets and enhance their careers by obtaining the CCSK. Certification Magazine has listed CCSK at #1 on the Average Salary Survey 2016. CIO.com, Top Ten Cloud Computing Certifications, says: “This is the mother of all cloud computing security certifications. The Certificate of Cloud Security Knowledge certification is vendor-neutral, and certifies competency in key cloud security areas.”

In addition to the CCSK, CSA together with (ISC)2 has developed the Certified Cloud Security Professional (CSSP), which recognizes IT and information security leaders who have the knowledge and competency to apply best practices to cloud security architecture, design, operations and service orchestration.

About TechSkills Accelerator (TeSA)

The TechSkills Accelerator (TeSA) is a tripartite initiative between the government, industry and the National Trades Union Congress (NTUC), to build and develop a skilled Information and Communications Technology (ICT) workforce for the Singapore economy, and to enhance employability outcomes for individuals.

The Infocomm Media Development Authority (IMDA), which drives TeSA for ICT professional development, takes an integrated approach to ICT skills acquisition and practitioner training – in core ICT skills and in sector-specific ICT skills – and enhance employability outcomes through place and train programmes, and career advisory services. As of November 2017, TeSA has enabled more than 21,000 ICT professionals to upskill and reskill themselves.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

English
Exit mobile version