Launching of Application Containers and Microservices

The Cloud Security Alliance is launching the Application Containers and Microservices (ACM) Working Group. The CSA ACM Working Group previously worked with the National Institute of Standards and Technology (NIST) ACM Working Group to provide research, guidance, and best practices for the secure use of application containers and microservices.

CSA is currently looking for volunteers interested in researching the security of application containers and microservices. The first meeting will be Jan 31 at 9am PT. Interested parties should register at https://cloudsecurityalliance.org/group/containerization/#_join.

Thank you in advance for your time and contributions.

[Cloud Security Alliance Research News]

In the Age of Cybersecurity, Are Data Centers Ignoring Physical Security?

Maintaining a data center is a huge responsibility. While you certainly have systems in place for dealing with cyberthreats, are you giving enough attention to physical security? This is still a very important aspect of the security equation.

Five Tips for Keeping Data Centers Secure
The objective of physical data center security is pretty straightforward: keep out unauthorized people while closely monitoring those who do have access. That being said, the actual process of securing a data center isn’t nearly as simple. You have to be meticulous and comprehensive in your approach. The following tips should prove helpful:

1. Be strategic about the location. The location of your data center is paramount. You want to make sure it’s hidden away, outside of floodplains, and situated in an area that can be easily secured. Ideally, the plot of land should be away from main roads and highly trafficked areas, but you also don’t want it in such a discreet location that unwanted behavior goes undetected.

2. Redundant utilities. Every little detail of your data centers matters – including access to utilities. Inadequate access could compromise the entire operation. “Data centers need two sources for utilities, such as electricity, water, voice and data,” Sarah Scalet writes for CSO. “Trace electricity sources back to two separate substations and water back to two different main lines. Lines should be underground and should come into different areas of the building, with water separate from other utilities.”

3. Install security cameras. It’s important that you install security cameras for a number of reasons. Security cameras can serve as effective deterrents. When criminals (or even employees) see a camera, they’re suddenly less interested in doing whatever it was they were planning on doing. Cameras have a way of preventing crime before it ever starts. In addition, security cameras allow you to go back and see who or what caused a specific outcome. This can be invaluable when a security issue does occur. Fortunately, today’s security cameras are more practical and cost-effective than ever. Cameras with high weatherproof ratings can withstand substantial amounts of rain, snow and dust, while still providing clear and responsive audio, video and power. And because today’s cameras are typically available at modest price points, you can afford to install as many as you need to get total coverage both inside and outside the data center.

4. Maintain a low-key appearance. Data centers are best unnoticed. In an ideal world, even your closest neighbors wouldn’t know that a data center is on the property. This means you need to nix the signage and keep the building as unassuming as possible. If you’re really serious about security, consider putting up decoy signage for a faux business.

5. Layer security. A data center should have multiple layers of security so it’s impossible for someone to gain access by bypassing just one mechanism. For example, it’s a good idea to have a combination of exterior gates, biometric checkpoints, access codes and secured cages around specific hardware. While this may initially feel excessive, you’ll never regret a multi-layered approach.

Make an investment in security
It makes no sense to build out a data center and then skimp on security – whether of the physical or cyber variety. A data center comes with massive amounts of responsibility, and organizations must do what it takes to protect their investment. By no means are these tips a comprehensive security strategy, but they do provide a nice starting point. Are you prepared? Now’s the time to take action.

Anna Johannson, Writer

[ISACA Now]

A More Effective Cloud Security Approach: NGFW for Inline CASB

Cloud applications have changed the way organizations do business, introducing new security risks in the process. These applications are easy to set up and use for collaboration, and as a result, the volume and sensitivity of data being transferred, stored and shared in these cloud environments continues to increase. Simultaneously, users are constantly moving to different physical locations and using multiple devices, operating systems, and application versions to access the data they need.

These are significant shifts in work habits and technology, and traditional security tools have not been able to keep pace. The push to address these security gaps has led to new technologies and ways to describe them, including the cloud access security broker (CASB) category.

According to Gartner, “CASBs are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement.”

CASBs provide organizations with three key SaaS security functions and have seen rapid evolution and adoption as a result: (1) visibility into SaaS usage; (2) granular control over SaaS access; and (3) compliance and security for your cloud-based data. There are different deployment modes by which a CASB can deliver its functions, including inline and API mode. We’ll explore these in a bit more detail below, as well as highlight a simpler, more effective approach: NGFW for inline CASB.

Addressing the CASB Need

The definition of CASB at the time of its inception with the use of the term “broker” implied that CASBs were in the path of your cloud traffic. Since then, CASB technology has evolved and now includes two key components: inline and API mode. Let us look at these two modes briefly.


Inline CASB

Inline CASB can be further broken down into two modes: forward proxy and reverse proxy. With forward proxy, CASB vendors need to forward cloud traffic over to an appliance or service that can provide app visibility and control capabilities. It is also important to note that forward proxy capabilities are not limited to proxies alone. Powerful next-gen app control capabilities can be enforced using an NGFW appliance or service as well. This is ideal for multiple reasons, as many customers already have an NGFW deployed as an internet gateway for on-premises or remote users. If customers prefer to use a true proxy (offered by most CASB vendors), it often introduces additional management overhead and complexity. It is important for customers to consider whether their existing NGFW already solves their inline CASB needs without additional cost. In the case of a reverse proxy, CASB vendors use SSO (or sometimes DNS) to re-route users to an inline CASB service to ensure that policies are enforced.


API-Based CASB

The API-based approach allows CASB vendors to access the customer’s data within the cloud application without being “in between” the cloud traffic. It is an out-of-band approach to perform several functions, including granular data security inspection on all data at rest in the cloud application or service, as well as ongoing monitoring of user activity and administrative configurations. The cloud application user experience is preserved as the API is non-intrusive and does not interfere with the data path to the cloud application. In addition to applying policies for any future violations, an API-based CASB is the only way to crawl through existing data stored in the cloud, and remediate any DLP violations and threats. This is particularly important as enterprises end up “sanctioning” an app before they have figured out how to secure it, and there is almost always existing content that needs to be investigated. We will cover API-based CASB in much more detail in an upcoming blog post.

We Have a Simpler Approach: NGFW for Inline CASB

A next-generation firewall combines user, content and application inspection features within the firewall to enable CASB functions. The inspection technology is then capable of mapping users to applications to deliver granular control over cloud application usage – regardless of location or device. Relevant CASB features within an NGFW include granular app control (including SaaS and on-premise apps), app-specific function control, URL and content filtering, policies based on application risk, DLP, user-based policies, and prevention of known and unknown malware.

Customers who choose an NGFW-based approach should have deployment flexibility, using one or a combination of the following scenarios:

  • NGFW as an appliance: Beyond physical appliances that may already be in place, virtual firewalls can act as gateways in the cloud to ensure maximum global coverage for remote users, eliminating the overhead of deploying additional hardware. Most customers already have this component deployed for on-premise users.
  • NGFW as a cloud service: In this scenario, the multi-tenant, cloud-based security infrastructure should be managed and maintained by the security vendor. For example, the Palo Alto Networks GlobalProtect cloud service enables customers to utilize the preventive capabilities of the Palo Alto Networks Next-Generation Security Platform to secure remote networks and mobile users. The service can be a simple extension to their existing NGFW deployment to prevent the exfiltration of sensitive data across all apps, SaaS-based or not. Customers can reduce the complexity and cost of managing global deployments, and gain consistent protection across cloud environments.

What’s more, when an inline NGFW approach is used as part of an integrated, prevention-first, next-generation security platform – including an NGFW, threat intelligence cloud, API-based SaaS security service and advanced endpoint protection – customers can stop data leaks from their cloud apps; reduce threat exposure by controlling sanctioned and unsanctioned application usage; prevent known and unknown threats within allowed traffic and ensure that their cloud application adoption remains compliant.

A next-generation security platform, in fact, provides complete cloud protection at a lower total cost of ownership than typical CASBs.


[Palo Alto Networks Research Center]

Four Important Best Practices for Assessing Cloud Vendors

When it comes to evaluating new vendors, it can be challenging to know how best to communicate the requirements of your vendor assessment process and ultimately select the right partner to help your business move forward — while at the same time avoiding the risk of a third-party security incident. After all, 63 percent of data breaches are linked to third parties in some way. In fact, we all recently learned about how an Equifax vendor was serving up malicious code on their website in a newly discovered security incident.

The Whistic team has done thorough research on what a good vendor assessment process looks like and how to keep your organization safe from third party security threats. In the following article, we’ll outline a few of these best practices that your organization can follow in order to improve your chances of a successful vendor review. Of course, there will still be situations that you must address in which a vendor is either not prepared to respond to your request or isn’t willing to comply with your process. However, we’ll share some tips for how to best respond to these situations, too.

But before we get started, keep these three keys in mind:

  1. Time your assessments: The timing of the assessment will be the single greatest leverage you have in getting a vendor to respond. Keep in mind that aligning your review with a new purchase or contract renewal is key.
  2. Alert the vendor ASAP: The sooner a vendor is aware of a review the better. Plan ahead and engage early and get executive buy-in from your team to hold vendors accountable to your policy. If your business units understand that you have a policy requirement to review every new vendor, they can help set expectations during the procurement process and eliminate last-minute reviews.
  3. Don’t overwhelm your vendors: Unnecessary questions or requests for irrelevant documentation can slow the process down significantly. Be sure to revisit your questionnaire periodically and identify new ways to customize questions based on vendor feedback. You may find, after conducting several security reviews, that there are ways to improve the experience for both parties.

Personalize the Communication
At Whistic, we’ve had a front row seat to the security review processes of companies all across the world and a wide range of use cases. We’ve seen firsthand how much of a difference personalized communication can make in creating a more seamless process for all involved, especially third party vendors who are or hope to be trusted partners to your business.

With this in mind, we strongly recommend sending a personalized email to each vendor when initiating a new questionnaire request to supplement the email communication that they will receive from any software you utilize. This can help alleviate concerns the vendor may have about the assessment process and should help to improve turnaround times on completed questionnaires. Even with the automated communication support from a third party security platform, the best motivator for your vendor to complete your request may be a friendly reminder from you or the buyer that the sales process is on hold until they complete the assessment.

Deliver Expectations Early
Assuming that your vendor already understands that you are going to need to complete a security review on them, the best time to help them understand your expectations is either right before or right after you initiate a request via your third party security platform.

When doing so, keep the following in mind as you have a phone call or draft an email to your vendor to introduce the vendor assessment request:

  • Set The Stage: Let your vendor know about the third party security platform that your organization uses and that it is the required method for completing your security review process.
  • Give Clear Direction: Specify a clear deadline and any specific instructions for completing the entire security review — not just the questionnaire.
  • Provide Resources: Provide information for the best point of contact who can answer questions they may have throughout the process. It’s also a good idea to let them know that your third party security platform may reach out if they aren’t making progress on their vendor assessment.

Utilize an Email Template
Whether you use a customized template created by your team or a predefined template (such as the one Whistic provides to its customers), it’s worth spending a few minutes upfront to standardize the communication process. This will save you time in the long-run and allow you to deliver a consistent message to each of your vendors.

Respond to Vendor Concerns
It isn’t uncommon for vendors, particularly account executives, to try and deflect a security review, as they know it has the potential to delay the sales/renewal process. They may also have questions about sharing information through a third party security platform as opposed to emailing that information to you. We know from experience how frustrating this can be for all involved, so below are two tips for handling pushback:

  • Preparation: If you are getting repeated pushback from vendors, review the “Keys to Success” outlined at the beginning of this article and explore additional ways to adopt those best practices.
  • Complexity, Relevance, and Length: These items can be among the reasons why vendors complain about your security review process. Consider periodically revisiting your questionnaire and adding filter logic to limit the number of questions asked of each vendor, or to make the question sets more relevant to the vendor that is responding.

These are just a few things to consider as you look to assess your next cloud vendor. What else have you found helpful as you have approached this responsibility at your company?

Nick Sorensen, President & COO, Whistic

[Cloud Security Alliance Blog]

Cloud Security Alliance Issues New Code of Conduct for GDPR Compliance

Edinburgh, Scotland – November 21, 2017 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released the CSA Code of Conduct for GDPR Compliance, which provides cloud service providers (CSPs), cloud customers, and potential customers with much-needed guidance in order to comply with the new obligations stemming from the European General Data Protection Regulation (GDPR). As part of this release, the CSA has also launched the CSA GDPR Resource Center, a new, community-driven website with tools and resources to help educate cloud service providers and enterprises on the new European data protection regulation.

“Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection. The Privacy Level Agreement (PLA) Working Group realized it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation,” said Francoise Gilbert, CSA Lead Outside Counsel and PLA Working Group co-chair.

“With the introduction of GDPR, data protection compliance becomes increasingly risk-based. Data controllers and processors are accountable for determining and implementing within their organizations appropriate protection levels for the personal data they process,” noted Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the Privacy Level Agreement Working Group. “In this scenario, the CSA Code of Conduct for GDPR Compliance is of fundamental importance as it gives guidance for legal compliance and the necessary transparency on the level of data protection offered by the CSPs.”

The CSA Code of Conduct for GDPR Compliance is designed to meet both actual, mandatory EU legal personal data protection requirements (i.e., Directive 95/46/EC and its implementations in the EU member states) and the forthcoming requirements of the GDPR.

  • Fair and transparent processing of personal data;
  • Information provided to the public and to data subjects (as defined in Article 4 (1) GDPR);
  • Exercise of data subjects’ rights;
  • Measures and procedures referred to in Articles 24 and 25 GDPR and the measures to ensure security of processing referred to in Article 32 GDPR;
  • Notification of personal data breaches to supervisory authorities (as defined in Article 4 (21) GDPR) and the communication of such personal data breaches to data subjects; and
  • Transfer of personal data to third countries.

Additionally, the CSA Code of Conduct for GDPR Compliance contains mechanisms that enable the body referred to in Article 41 (1) GDPR to carry out mandatory compliance monitoring by the controllers or processors who undertake to apply it, without prejudice to the tasks and powers of competent supervisory authorities pursuant to Article 55 or 56 of GDPR.

“The CSA Code of Conduct for GDPR Compliance offers cloud customers a tool to evaluate the level of personal data protection offered by different CSPs and make informed decisions on how they will secure that data,” said Daniele Catteddu, Chief Technology Officer, CSA. “We are extremely proud of the work that went into this latest iteration.”

The CSA PLA Working Group was formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on cloud computing into an easy-to-use outline for CSPs to follow when disclosing personal data-handling practices. The scope and objective of the PLA initiative was previously presented to the European Parliament as part of discussions on the potential effect of the proposed General Data Protection Regulation on cloud computing. Since then, the PLA Working Group has been engaged in defining a structured method for communicating the level of privacy that a CSP agrees to maintain.

The PLA Working Group is comprised of independent privacy and data protection subject matter experts, privacy officers, and representatives from data protection authorities.

The CSA Code of Conduct for GDPR Compliance is free and available at: https://gdpr.cloudsecurityalliance.org/resource/csa-code-of-conduct-for-gdpr-compliance/.

For access to the CSA GDPR Resource Center, visit https://gdpr.cloudsecurityalliance.org/

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research Center]
