The Internet of Insecure Things??

In this Digital Transformation era, enterprises need to know much better about their business ecosystem, customers and various internal & external environmental factors, so that they can transform their products, optimize operations, empower their employees and engage with customers.The Internet of Things

There’s a huge opportunity for enterprises today to leverage the Internet of Things (IoT) to Gain insight into customer usage and device performance to improve future products , to open new opportunity to monetize value added service around product usage , to get better insight into supply chain management & to get the ability to update products in the field to enhance capabilities and extend life-cycle.

The IoT market in India is poised to reach USD 15 billion by 2020 accounting for nearly 5% of total global market. Over USD 1 billion investment commitment is there from the Indian government on building 100 smart cities every year for the next 5 years.

IoT, where everything under the sun can be connected to the internet, the bright side is, we are now able to do things we never thought would be possible before. But there’s also a flip side to IoT: It has become an attractive target for cyber criminals.

The number of units under Internet of Things (IoT) is expected to grow exponentially to ~ 2 billion units in India by 2020. There will not be just one or two IoT devices in our lives, they are going to outnumber non-connected IoT weekend Saledevices soon.

This will open multiple doors for sharks to crawl through in the in the ocean of valuable data which poised a serious threat to the business inturn & hence Following 3 aspects are key to make sure that our IoT systems are immune to security breaches –

1. Simply keep the ground rule of security same here as well. i.e. IoT architecture design should have a live security model covering multiple attack surfaces. 3

2. Eco System: of IoT platform & security vendors, customers, auditors , IoT hardware manufacturer etc facilitating open standards & security programs.

3. Government regulations and policy recommendations: Build cross-disciplinary partnerships through public-private collaboration and interagency coordination to promote security principles and guidelines

Lets evaluate these 3 aspects one by one –

1. IoT Security model & architecture:

The IoT platform providers like Microsoft are not only enabling enterprises to leverage the business value of IoT but also embedding end to end security strategies with in the architecture, starting from Device protection, Threat resistance and data protection in motion & rest.

end to end security

a. Device Protection​ – Building secure devices is challenging. From observation of existing best-in-class devices, we argue it is more of a science than an art. If one adheres rigorously to well-understood principles and practices, building secure devices is repeatable. We have identified seven properties we assert must be shared by all highly secure, network-connected devices: a hardware-based root of trust, a small trusted computing base, defense in-depth, compartmentalization, certificate-based authentication, security renewal, and failure reporting.

 7 layers

Cloud platforms like MS Azure providers are working with standards organizations and major industry partners to employ latest in security best practices to deploy support for a wide variety of Hardware Secure Modules (HSM) to offer resistant and resilient hardware root of trust in IoT devices to offer a major defense layer to raise trust in authentication, integrity, confidentiality & privacy.

Proven technologies such as Trusted platform modules, secure boot, Bitlocker protect data at rest and provide a secure execution environment.

Device Health Attestation provides a way to verify the boot binaries, device configuration and runtime policies are enforced on the device and checks whether the device is in a healthy state. With Device Health Attestation the device that is not healthy won’t get access to critical resources for e.g. Azure IoT Hub. ​

​b. Threat resistance​ – With security tools set or windows like Device Guard, Windows Firewall and Windows Defender threat resistance is provided to a wide range of threats against execution of unauthorized code and scripts, network and malware attacks. ​

c.  Connection Security:

Secure ConnectionAll data transmitted between the IoT device and IoT platform should be confidential and tamper-proof. Internet connection between the IoT device and IoT plat form should be secured using standards like Transport Layer Security (TLS) standard.

d. Cloud / IoT platform security:

platform securityIoT platform like MS Azure IoT suite helps keep data secure by incorporating encrypted communications & also during processing of data in the cloud. It provides flexibility to implement additional encryption and management of security keys.

Azure IoT Suite uses Azure Active Directory (AAD) for user authentication and authorization to provide a policy-based authorization model for data in the cloud, enabling easy, auditable, reviewable access management.

All security keys used by the IoT infrastructure are stored in the cloud in secure storage, and data can be stored in DB formats that enable you define security levels. Azure also provides a way to monitor and audit any intrusion or unauthorized access to your data.

2. Eco System:

IoT platform & security vendors, customers, auditors, IoT hardware manufacturer etc should facilitate open standards & security programs to provide additional assurances to customer.

Microsoft ‘s security Program for Azure IoT brings together a curated set of best-in-class security auditors ( include Casaba Security LLC, CyberX, Praetorian, and Tech Mahindra and will expand as the program grows) which customers can choose from to perform a security audit on their IoT solutions to find issues and to get recommendations. 

ecosystemMicrosoft is working with these security auditing partners and standards organizations, such as the Industrial Internet Consortium (IIC), to establish industry protocols and best practices for security auditing. This is part of our commitment to establish a vibrant and safe IoT ecosystem.

Microsoft’s commitment to leadership in IoT security continues with Azure IoT’s improving the level of trust and confidence in securing IoT deployments.  Azure IoT now supports Device Identity Composition Engine (DICE) and many kinds of Hardware Security Modules (HSMs). DICE is an upcoming standard at Trusted Computing Group (TCG) for device identification and attestation which enables manufacturers to use silicon gates to create device identification based in hardware, making security hardware part of the DNA of new devices from the ground up.

3. Government regulations and policy recommendations:

Innovation velocity is outpacing regulations and standards. Typical standards can take 3~5 years from start to ratification. Government policy and regulations can take as long and can be region and country specific. This is hurting a nascent area such as IoT.

Governments have unique capabilities & can serve as catalyst for the development of good IoT security practices & to build cross-disciplinary partnerships through public-private collaboration and interagency coordination

Policy

Policy should Promote the development of secure, open, consensus-based standards E.g: The OPC Foundation developed the open-source OPC Unified Architecture (UA) to enable secure exchange of data in industrial settings, including many of the world’s largest industrial suppliers.

Raise awareness of best security practices and guidelines is another key aspect. E.g Government of Korea published a guide that identifies 15 security principles for the development of IoT devices.

Also, developing enhanced guidance for safety critical sectors is important. E.g Japan’s National Center of Incident Readiness and Strategy for Cybersecurity recommends measures against the physical consequences of IoT security compromises.

 Summary

The Internet of Things is an emerging topic of technical, social, and economic significance. Projections for the impact of IoT on the Internet and economy are impressive, with some anticipating as many as 100 billion connected IoT devices and a global economic impact of more than $11 trillion by 2025. Enterprises should incorporate end to end security strategies in the IoT architecture during implementation. Security model should be built covering devices, communication and IoT platforms. Ecosystem needs to be built to bring security in the center and also government can play a vital role in formalizing the policies and open standards.

Advertisements
Posted in Best Practices for Security, Cloud Security, Security Best Practices | Leave a comment

Being Chief Compliance Officer , are you empowered to find needle in haystack?

Go Digital_India Misison

Today, technology is playing a vital role in realizing the vision for India’s growth and is an enabler for the change that we all seek – be it in delivering better citizen services, efficient and productive functioning, or using technology to provide a new social security platform.

Information Explosion

As high-speed internet services & smart phones are becoming more accessible and easily affordable in both urban and rural areas, the Indian citizens have started experiencing new digital services like Digital Banking, electronic identity scheme (Aadhar) and many other Citizen services over the internet bidding good-bye to File -Babu culture.

Business leaders & organizations have also started to grasp the huge potential of this Digitization to drive competitive advantage. With the prevalence of socLitigationial media, online blogs, e-mail exchanges and cloud computing, while at one hand organizations are looking to extract valuable information from this data but on the other hand such large volume of data can pose a huge problem of Information Governance for the Chief Compliance & Risk Officer.

Regulatory expectations have risen globally like New EU General Data Protection Regulation (GDPR), placing tremendous pressure on organizations to take proactively steps for ensuring Personal Privacy, breach notification obligation, to formulate transparent policies around data processing & retention.

needle-haystackWithout Information Governance in place, if when an organization may become the target of litigation, regulatory request, Internal investigation like under employment law, compliance audit etc hiring attorneys to go through hundreds of thousands or even millions of emails & records for information relevant to a legal action can be hugely time-consuming and expensive. Hence now a day’s Chief compliance and Risk officers should start empowering themselves for Information Governance which is all about keeping your data around when you need it and getting rid of it when you don’t. i.e. They should know not only how much data their organizations have, what type, how old – till when to keep, when to delete but most notably how to find a needle in this haystack when legal team may require that.

ediscoveryInformation Governance policies and tools should be in place to automate the Classification of data depending upon the age, user, type, sensitivity and attributes like fingerprints etc. Compliance/Risk Officer should be able to apply intelligent policies and actions to preserve high value data in-place and purge what’s redundant, trivial or obsolete to reduce information discovery costs.

Advanced e-Discovery tools can streamline and speed up the process by Identifying redundant information with features like Near-duplicates detection and Email Thread analysis and the use of predictive coding technology can help to identify relevant documents and calculates the relevance of each document in the data set.

Summary

if you are a Compliance and Risk officer and because of poor Information governance control, its taking ages to find the right information on time in the middle of a legal or internal investigation, the impact can be very high to your organization. You should start empowering yourselves to find the needle in haystack…….

 

Posted in Governance , Risk and Compliance | Leave a comment

Do Windows 10 !! You have the Best Security Solution but Security Landscape has changed….

In My previous blogs , I have been emphasizing on implementing best practices around endpoint Security Compliance , Password Management, Information Protection and Cloud Security as these are the areas which need absolute attention as per the constantly evolving security threat landscape in enterprises or consumer world.

Endpoints - Systems and PeopleAlso, we all have seen that primarily, “endpoints” (Devices and People both) are targets or at least facilitator for a security breach as those are in the billions in numbers, have large and unfortunately ever-changing threat surface area. Since compromised endpoints can become multiple unsecured gateways for the attackers to enter in to the enterprise network making business & personal “information” vulnerable , it has been super critical always to “keep security evolving for the endpoints and information”.

windows 10With Windows 10 launch on June 29, it is really exciting to see how even client’s operating systems have started to deliver in this direction of protecting Information, Identities and System Integrity to make our world more secured and to empower every person and every organization on the planet to achieve more.

Windows 10 – Enterprise Data Protection 

Any Data protection is frame work should cover following scenarios –

While it resides on a deviceDisk and File Level encryption solutions have been available from Microsoft (Bitlocker) and from other vendors which protect system and data when device is lost or stolen

While it leaves from the DeviceRights Management service and Information Rights Management solutions have been available from Microsoft and from other vendors to protect data when shared with others, or shared outside of organizational devices and control.

Manual ControlsInformation Rights Management (IRM) and File level encryption typically require that a user should “manually” activate the protection. This leaves a gap, such that, if users either aren’t proactive or not intelligent enough, it’s relatively easy for them to accidentally leak corporate data.

Alternatively, there have been administrator level approaches where discovery and Data classification engines are run and appropriate IRM and encryption controls can be applied automatically.

corporate vs personalEnterprise Data Protection in Windows 10, addresses this problem by enabling automatic encryption of data if it arrives on the device from corporate apps and network locations. And if users create new original content, it helps users define which documents are corporate versus personal and companies can even designate all new content created on the device as corporate by policy.

It prevents unauthorized apps from accessing business data and Additional policies can also be enabled to prevent data from being copied from corporate content to non-corporate documents or external locations on the web such as social networks.

Windows 10 – Device guard

There are 300K’s+ malware new threats per day and there is no way for anti-virus to keep up the battle. If for script and executable based malware, corresponding anti-virus signatures are not available then proactive protection mechanism is to define a white list of applications that should only run and everything else should get blocked.

Lock

AppLocker which is available since Windows 7 and similar Apps control solutions from other vendors do help on this front to some extent. But these technologies some times are subject to tampering by administrator itself or malware that have managed to gain full system privilege.

Device Guard in Windows 10 can help in two ways –

App must earn Trust before use i.e. first, it makes determination on whether that app is trustworthy, and notifies the user if it is not.

And 2nd, it uses hardware technology and virtualization to isolate that decision-making function from the rest of the Windows operating system so that if the Windows kernel is compromised, Device Guard is not.

TrustAnd hence provides better security against malware and zero days by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. You’re in control of what sources Device Guard considers trustworthy and it comes with tools that can make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor.

In practice, Device Guard can be extremely helpful in combination with traditional Anti-Virus and app control technologies to help block executable and script based malware while AV will continue to cover areas that Device Guard doesn’t such as JIT based apps (e.g.: Java) and macros within documents. Using App control technologies, IT can ensure to provide a means for govern productivity and compliance.

Device Guard supports point-of-sale systems, ATM machines, and other Internet of Things-type devices running Windows.

 Microsoft Passport & Windows Hello in Windows 10

passwordSingle factor Identity options like password have been insufficient to provide a secured mechanism to access the application, websites and networks. Moreover for end users password management have been irritating and vulnerable.

On top of that Users credentials (Identities) are on threat always when breaches occurs in the data Centre and in today’s world of advanced persistent threats (APT), Next part is to protect the user access tokens that are generated once your users have been authenticated. Today, these access tokens are increasingly under attack using techniques such as Pass the Hash, Pass the Ticket, etc. Once an attacker has these tokens they can access resources by effectively impersonating the user’s identity without needing the user’s actual credentials.

PassportAlso, most of us are familiar with the concept of authenticating to a system using a combination of what we know and what we have, usually in the form of a smart card, and PIN or password. But traditionally smart cards have been the preserve of large corporates, not least because of the extra hardware required, but also the need to maintain a PKI, which can be complex to say the least

Windows 10 brings multi-factor security to a next level by building it right into the operating system and device itself, eliminating the need for additional hardware security peripherals and middleware as that has been there in current technologies like smart card.

Microsoft Passport in Windows 10 will ask you to verify that –

You have possession of “your (enrolled ) ” device before that authenticates on your behalf as a First factor

And with a PIN or Windows Hello (Finger Print, Iris and Face Detection) as 2nd factor.

HelloTo strengthen more, Windows 10 has an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the tokens from being extracted from devices even in cases where the Windows kernel itself has been compromised.

From a security standpoint, this means that an attacker would need to have a user’s physical device and access to the users PIN or biometric information which is stored locally in Trusted Platform Module.

Do Windows 10To Summarize , Windows 10 goes beyond just building bigger walls and delivers entirely new ways to help protect your identities, data, and devices.

Features like Device Guard, Enterprise Data Protection, Microsoft Passport and Windows Hello, can provide robust protection for enterprises and consumers.

So, Do Windows 10 ……………




Posted in Endpoint Security | 1 Comment

Time for a new password or still you feel if that has a funny side??

AnnoyedDuring my recent vacation while I was having a train journey along with my family members, interesting discussion got started in the coach on recent compromises on the well-known e-commerce, social networking and job websites. Most of the people were of different age groups, genders & work profiles, primarily from non-IT back ground who felt annoyed on continuous need of passwords management.

Interestingly some of them have not changed the passwords for many years or have those managed & stored so un-protected that even their pets in the home know that. Some funny inventions shared were like husband and wife both have same passwords for many portals and craziest invention was when someone said that they have even a “family” password for all the members.  

Since my spouse and son was also part of the audience who are very active on internet so I thought to put perspective in simplified way on some best practices around password management and online purchase.

credit cardsBefore landing to the topic of password management , the first precautionary method which I thought and thinking to implement for myself also that when we are getting so many calls from credit cards company to increase the credit limits we should seriously evaluate if our finance need in future will be really that high. Or should we also look to have a dedicated credit card with minimum required credit limit just for online purchase. Less credit limit should lead to less risk if card information may get compromised. 

Now back to the passwords, yes it annoying to manage them but they are often the first (and possibly only in consumer segment) defense for information we don’t want anyone and everyone to know … so at least 7 simple methods everyone should incorporate which can surely help life with passwords a little easier.

Dont's shareKids don’t share Toys then Why passwords are shared  ?  There is a saying that passwords are like tooth brushes and they are the best if kept fresh and not shared. My analogy to the Kids was that they should treat passwords like their toys which they normally don’t like to share with any one and also prefer a new one on any day. There was a loud laughter among kids…

policyP for Policy & Policy for Password: isn’t this easy to remember?  You should make a policy to make passwords stronger. Use combination of special characters, numbers instead of all numbers (111111) or characters (logmein). Don’t use simple dictionary word like “jackpot” else hackers may hit a “jackpot”. Also, don’t forget to make your username as secure as your password.

One of senior citizen asked an obvious question that what to do if Policy competes with Memory? Answer is password such as 60YrS@n%styll&LUVN^Lfe! is long and strong. But you are right is not memorable. But it can be, if you base it on a phrase that you privately choose, such as “60 years and still loving life!”

FrequentReward yourself & kids some Points for the word “frequent”: Some of us are very passionate about rewards points for frequent flyer and frequent shopping’s. Isn’t this be a great idea if we also reward our kids & other family members for changing the password frequently?
Sometimes it is interesting to weigh the likelihood of someone guessing a password because it is weak, vs. the likelihood of someone managing to steal…..

avoid PersonalLife is not always about “ME”: Don’t use easy-to-remember personal info like your name, names of family members, your address, phone number, birth dates, anniversaries, your car number plate or anything like that. Not only on password, almost all of us do choose personal questions while answering to web site questions. Right? 

recyclingWho said “Recycling is always “Right”? Don’t reuse the same password across multiple sites; recycling is especially dangerous for email, banking and social media accounts. Each site should have its own unique login. Can you imagine the chaos if a hacker got into one account, and then they got into ALL of your online accounts because they knew your PASSWORD to EVERYTHING. Isn’t even thinking about this making your stomach hurt?

delete saved passwords“Savings” are always not good!! Don’t save passwords or use “remember me” options especially on a public computer, shared computer as next user can access your account. Auto fill is handy for lots of things, passwords that keep important things safe is not one of them and can also put your money and personal information at risk if you are not careful.

shubhThe first step to safely storing a password is to not store the password at all: Never put it on a Post-It. Never store it online. An obscured hint might be okay, but never the actual password or even an encrypted version. A password cheat sheet is fine, as long as it’s not stored on your computer or smart phone; if your device is infected with malware, you’re doomed.

Summary:
Passwords are simpler and cheaper than other forms of authentication like special key cards, fingerprint ID machines, and retinal scanners. They provide a simple, direct means of protecting a system or account. While now a days debates are hot that passwords are off the rails, let’s keep following these simple steps in the mean while….end users and service providers both are responsible !!

 

Posted in Security Best Practices | Leave a comment

Stop, To Start differentiating between Social & Suicidal behavior!!

Picture 1In 1974, an Indian Bollywood Hindi-Language super hit Movie  was released – “Roti, Kapada aur Makaan”.  It was a block –buster which beautifully highlighted the bare necessities of life during that time.

The recent number of social media users in urban India is expected to reach 100 million in coming years and even has already crossed India’s Capital city population by multiple times.  So if there will be a re-make of this movie, and the intent is again to highlight the basic necessities then surely the title of the movie needs to accommodate the word “SOCIAL NETWORKING” and may be – Food, Drink and “Social”.

Puzzle of Social Networking:

puzzle on SocialApproximately 75% of Internet users in urban areas of India today, actively participate on social networking site through mutual acquaintances & common interests to reconnect with former friends, to network with new ‘friends of friends’ J , to maintain current & new personal relationship and also to promote a business or project.

Moreover, most interesting part is that our list of contacts may span across even 3 generations altogether.  

This Platform is a way for people to connect “online” and to share information, Successes, failures, grunts, frustrations, ideas and business.

 Face to face Vs. Socializing On-Line:

Face to Face ConversationsFace to Face you may share only a part of your life and may with much closed contacts. But, the very nature of online social networking platform encourages us to provide a certain amount of personal information and provide false sense of security and anonymity.

Hence we do forget to exercise caution on deciding how much and with whom when deciding how much. The most critical upside and downside of this online platform of modern socialization is that we can upload, comment from anywhere, from any device, instant and while you are in various situational moods.

Consequences and Impact when you leave your foot prints behind:

foot printsAccording to one of the surveys 32 percent of people who post on a social networking site regret later that they shared specific information so openly.  But by then not only impact is done already but also it may be too late to do undo the damages. Once information is online, there is no way to control who sees it, where it is redistributed, or what websites save it into their cache

Unlike to personal conversation, online posts, comments, likes, photos, tweets, links may become part of web-sites archives, someone may have shared further already, company may sell it or those may get exposed by security lapse and hence all these foot prints may remain for-ever.

Non - ErasableThat means it may be available to current or future employer, school administrator, friends, family, bank loan officers and others, putting your personal safety at risk and may impact badly your reputation which may remain non-erasable.

Some of the studies reveal that out approx. 20 % admissions and HR officers checks for candidates on social networking sites and approximate 40 % of the time, this leads to rejections.

 

Don’t challenge the reality of today – Un- intended information Disclosures:

online theftSocial networking sites have made life easier for many others in your neighborhood as potential downside of social networking sites is that they allow others to know a person’s contact information, interests, habits, and whereabouts.

Some once can use information provided about a person’s birthday, location, routine, hobbies, and interests to impersonate a trusted friend or convince the unsuspecting that they have the authority to access personal or financial data. They can even use such info to guess your account passwords—which is why you should never have a password that uses the name of your pet, favorite band, hobby, birthday, or something else easily known about you. And they will really appreciate your help if you post your daily routine and whereabouts online!

 Kick off, all those unnecessary 3rd party applications:

Fake AppsThird-party applications, including games and quizzes may not contain malicious code but it might access information in your profile without your knowledge. This information could then be used in a variety of ways, such as tailoring advertisements, performing market research, sending spam email, or accessing your contacts.

I was speaking to a teen and she shared that almost 100+ apps have permission to access her social networking website account ( helped to choose the topic for blog J ) .Unless you trust the source of the application, do not give it access to your social account.  Secondly, although a third party application may be legitimate but it may unknowingly contain security holes that open it up to being hacked by cyber criminals.

Sometimes, everyone needs to log off!!

log offOne of the survey revealed that nearly 30 percent of users routinely choose “Keep Me Logged In” when accessing their social media accounts, this can be open invitation to anyone accessing your computer without your permission.

When you choose Keep Me Logged In, the website stores a “cookie” on your computer. “Malware can harvest that cookie from you and send it to an attacker who can use it to impersonate you.

 

Summary:

Social media sites have millions of users, who are sharing a lot of information, which results in an enormous repository of potential victims and data and hence an attractive targets for attackers. We are too quick to tweet, post, pin and share practically everything with practically anyone.

So think before you share. You should only post information you are comfortable disclosing to a complete stranger.

Posted in Security Best Practices | Leave a comment

Evolving Information Protection in the Enterprise: Where ever I (Information) go, will take that (Protection) with me !!

Today is the time where we all agree that there is No need to debate on the “need” of Information protection in the enterprises. If solution vendors are still starting the discussions with slides on why Information protection and how many data security breaches have happened recently and you too are still reading analyst reports on secret and custodial then probably that’s wastage of every ones precious time. We don’t need now story tales indicting that – it is happening with our neighbors when we can see the smoke already in our houses and there is a clear increase in demand for safeguard the information assets from business owners, partners and regulators.

 Enterprises have crossed that stage of “why” and really at present are confused on “How” and “to what extent” when our sensitive information is always moving & transforming. On top of that so many buzz words are floating around that including Data Discovery & Classification Data Loss/Leakage Prevention (DLP), Information Rights Management [IRM], Digital Rights Management (DRM), Right Management System (RMS), Information Life Cycle Management, Data Protection in terms of Backup & Archiving, Data Degaussing and the this list is endless….

Are all these thought of separate problems or that’s not the way it has to be…should be integrated or should be initiated simultaneously in parallel or be prioritized in pieces? Or we need the answer to very first basic puzzle – from where to start?

Let’s explore more on these technologies one by one and today we are starting with the information usage control i.e. Where ever I (Information) go, will take that (Protection) with me !!

With respect to the first basic puzzle – from where to start? The answer lies within our houses and family itself. This Key Pillar in my every post also J i.e. – user awareness and Training. We must Educate and explain so that they can more clearly understand what their employer is trying to accomplish with these concrete rules as well as their own critical role where they can contribute to security breaches without knowing it. No technology tools can be successful unless we are making our employees a part of these information security solutions.

Information usage Control – What it is?

It has been associated with multiple names including – IRM (Information Rights Management), ERM (Enterprise Rights Management), E-DRM (Enterprise Digital Rights Management) and has also been called Document Usage Control … 

It is a technology where by you can have

 a.   Owner initiated or automatically (through the systems control as per pre-defined policies)

b.    granular control

c.    to provide access rights / usage  for  an information

d.    which can be different for various users & groups

e.    is persistent –  irrespective of the organization boundaries – “remotely  controlled”

f.     Along with secure transmission using Encryption

g.    And with Monitoring, reporting and auditing capabilities on the usage…

Usage control policies on information (e.g. can you print this? copy it to USB? email it? Forward? Reply all? ) travel together everywhere this is where it contrasts to a DLP solution where prime objective is to protect the information inside & to control access points including endpoints, ports, gateways and storage.

e.g if Pratham sends a document to Ayesha then normally she has pretty much complete control over that document after she receives it i.e. she can view it, print it, edit her copy, forward it to Richa as well as copy content from the document to another one.

But with usage control policies with IRM technology it is possible for Pratham to send the document to Ayesha but can also granular control before and after sending the document, whether Ayesha can only view, but print, edit, forward is not allowed. And For Richa even Read is also not allowed…This remain same irrespective of fact whether that document is inside or outside the organization boundaries.

Information usage Control – Why & Where I should use it?

It’s a world of collaboration and moreover we talk about doing this without boundaries i.e. irrespective of locationsJ. So to collaborate with you I need to share my information so that you can use it… (To remind you the mode of collaboration can include emails and document libraries/repositories)

So this is where I need a capability whereby I can share my information with you to use it but on the other hand needs a control and fine distinction so that it should not be misused.

          E.g Financial, research and development information in the form of process, physical & network drawings, test results etc. should be “used” by the internal employees but should not “misused” for the purpose of distribution to others or sent out to unauthorized users inside and outside organization boundaries.

           Another examples can be – Contractor teams working with the enterprise or a prospective acquirer during the process of an Merger or Acquisition transaction should be usage controlled i.e. Information should be “used” for the required purpose but not “misused” i.e. distributed or viewed after the contract or  due diligence period  is over.

           Or Information received from customers under an NDA should be “used” for the purpose of executing the project but not “misused” for the purpose of any another project or for further distribution otherwise.

           Sometimes document Libraries provide users with large facilities a central repository in order to share and work with arbitrary business data, this can sometimes lead to users sharing information that should otherwise not be shared.

 

          And finally we all know how many of us are in a situation where we are sending documents or emails with “internal only” or “do not forward” tags and assuming recipients are obedient. J Moreover what about the situations where every user is broadcasting with reply all with their individual comments on email? Aren’t those situations some times are not embarrassing along with the security & privacy breaches?

 Information usage Control – Compliance & framework?

 Most regulatory compliance frameworks like ISO – 27001, Sarbanes Oxley, HIPAA, GLBA, and PCI etc. have recommendations on specific controls that need to be put in place. Typical scenarios are:

           ISO 27001 mandates that “digital assets” are tracked for usage as they flow within and outside the organization and a complete audit trail is maintained of their access and usage.

           Sarbanes Oxley section 404 mandates implementation of internal controls which provide access to erroneous data to personnel. It also recommends protecting and tracking confidential data from unauthorized personnel.

           Mandates that oblige enterprises to be good custodians include contractual obligations like the  Payment Card Industry Data Security Standard (PCI-DSS) and data breach and privacy laws.

 Examples of custodial data include customer personally identifiable information (PII) attributes like name, address, Email, and phone number; government identifiers; payment card details like credit card numbers and Expiration date, medical records and government identifiers like passport number and Social Security Number.

 Summary

After this discussion, we are able to understand the objective, benefits, use cases and drivers of Information usage control solution and how it is different and actually can complement the DLP solutions.  

Having worked with both (IRM & DLP) solution providers; soon I will try to cover information protection from DLP angle as well. J

Hoping you did enjoy reading this…..Do provide your feedback using the ‘Like’ Button or share your comments!!

 

Posted in Data Protection | Leave a comment

Evolving Endpoint Security Compliance: 7 Keys to Demystify this Chakra-Vyuha (Spiral Ring Formation)

We all know that not only intellectual property, sensitive business information, customer data bases etc reside on the end points; it also includes user’s private information along with deepest darkest (and most valuable) secrets.

 Moreover we are in the era of IT Consumerization where a perimeter has become perimeter less and organizations are opening themselves up to interaction with external services on the Internet and access from mobile devices including laptops and smartphones.

There is very high probability that one clueless user may lose them or may bring back bad stuff from hotels, coffee shops and airports where compromised endpoint device gives the bad guys running the underground economy ,  an entry inside the organization  and enables them to compromise other systems and spread this love.

On top of this majority of current Threats are pretty sophisticated & don’t forget the deadly part…They are targeting these thousands of endpoints i.e. “individual gateways” silently. Threats are now designed such that they can infect, expand, and function and remain undetected by security components.

 This evolving threat environment has caused a corresponding shift where we must deal effectively with this Chakra-Vyuha threats that utilize these behaviors of elusion, secrecy, and aggression targeting infrastructure, information and user identities.

 So how to demystify this Chakra-Vyuha

 (Those all who are wondering what the meaning of Chakravyuha is – it has been taken from great epic tale of Mahabharata… It is made up of Chakra meaning circle or ring and Vyuha meaning formation. Chakravyuh is a formation consisting of 7 concentric circles of warriors rotating in unison…)

 So let’s understand the 7 Keys to exit successfully from this Chakravyuha. In this discussion we will take a closer look how endpoint security compliance approach is evolving on Protection Technologies, management, Policies and Processes to fight these tough Categories of threat which sometimes are known and sometimes situation is scarier with the unknown bad world.

 Key 1 :  PROTECT ( Evolution of Protection Technologies)

Proactive Protection from known and unknown Threats: In Today’s time, a protection technology needs to fight against the reduced exploit time of known and unknown vulnerabilities. Hackers start exploiting the vulnerabilities as soon as they are discovered.  Even if a patch is available for that vulnerability, organizations rarely can apply a system patch immediately it takes some time to test the patch and deploy it on all systems.  This is a big window of opportunity for hackers to target these vulnerable systems.

or you get a virus sample and create a static signature just to address malware sample…But after some time…another variant will come and you are gone….so this way now we can’t play and win this game…so how do we win?

Heuristic Detection & Network Vulnerability shielding Technology needs to gear up & should incorporate the heuristic/generic detection logic using emulated behavior or binary characteristics to mitigate multiple variant of threats to have a proactive approach for threat mitigation whereby inspecting network traffic based on the latest vulnerability signature.  This scenario is something like if central locking is not operational in your car; you are putting one guard to prevent tis theft before that actual issue of central locking gets fixed.

Behavioral monitoring On top of this, behavior monitoring capabilities can identify new threats and tracks behavior of unknown processes and known good processes which may have gone bad.

E.g if there is a process that we don’t have a signature for but dropping a file that antimalware is detecting, it may conclude that it is a new malware dropper that you should want to get a sample of.

Another example can be Kernel tampering – any process that’s hooking the kernel or making other modifications to it.  Technology should be able to detect this behaviour to have a closure look.

Emulation – Also, it is a good approach to Translates code that accesses real resources (unsafe) into code that accesses virtualized resources (safe). Translation helps to deal with malware volume – many are the same threat, just obfuscated differently. With polymorphic malware, what the code does may be the only common aspect of two samples so the emulation of the code helps to detect as well as prevent the malware from impacting the system

Signature from the Cloud – After suspicious detection using above approaches next logical step may be Query the file reputation data & behavior classifiers on “interesting” files. If it is a recently identified malware, a new signature is delivered dynamically to the requesting client in real time without waiting for the regular signature update process. It also minimizes the false positives on that threat detection.

Choose relevant protection component as per Risk Assessment: With so much proliferation of types of devices and multiple platforms, instead of just following a stereotype approach of asking protection technology support, You should do risk assessment against CIA value of the asset to consider relevant protection technologies like for HIDS/HIPS, Access Control, Host Firewall etc for different platforms and devices including the DC servers and Mobile devices.  Risk mitigation strategy should get related to risk & threats profiling like malware, intrusion, denial of service, buffer over flow attacks, un-authorized access, admin privilege abuse, Data & Identity theft etc

Maintain the Basic of defense in depth: On Top of antimalware engine, Host Firewall can block or filter inbound connections to listening services that may have exploitable vulnerabilities or are susceptible to brute force attack. It is particular effective in blocking targeted attacks, and worms which try to propagate automatically.  Further to this, proactive technologies explained above can be combined with browser-based protection mechanism where it tries to match a particular host or URL request to a known bad list, If it gets through that (e.g. a site hosting malicious threats is not yet classified), it further inspects the files for known malicious content as it is read and written from the file system.

Get Current…Stay Current:To some of you it may look very strange to put this strategy of “Get Current –Stay Current” under protection technologies. But it will be worthwhile to note that not only evolution on security technologies is happening but on top of that most positive change is that infrastructure solutions providers are realizing the need of providing integrated approach of security as compared to bolted down that security layer later on reducing the threat surface area itself.  In my view keeping the infrastructure components as current as possible it can play a vital role in enhancing security framework and hence it should be an important part of best practices.

 Key 2 :  MANAGE ( Better Management leads to More Security)

Integration of Security and Management:   Desktop management and security have traditionally existed as two separate disciplines, yet both play central roles in keeping users safe and productive.

Whereas Desktop Management ensures proper system configuration, deploys patches against vulnerabilities, and delivers necessary security updates. On the other hand Desktop Security provides critical threat detection, incident response, and remediation of system infection.

Most desktop vulnerabilities are a result of poor system configuration, and sometimes security personnel do not have ready access to inventory, patch level, and other desktop-specific configuration data. Combining the threat detection capabilities of a desktop security solution with Desktop management tool for remediating desktop security vulnerabilities organizations can get a unique, consolidated viewpoint into the health and protection status of their user systems

And also….In the case of a security event, IT administrators can do the Inventory of malicious applications , identify at-risk machines and take action to patch those vulnerable applications and systems and hence  block outbreaks, and initiate clean-up efforts using a single infrastructure. 

These efficiencies not only lower hardware, maintenance, and training costs, buy they also allow IT administrators to do their jobs more quickly and effectively— e.g it can reduce the helpdesk calls drastically… 

Lock Down:  On the proactive side,  leverage on technologies  where we can define a white list of files or folders or digitally signed content that we will accept to run – and block everything else. So even if we haven’t identified something as malware, it won’t run. Alternatively similar blacklisting approach can be incorporated. Also Organization should do risk assessment around peripheral ports of systems like USB, Bluetooth, firewire etc to control their use.

 Key 3 : VERIFY (Secure Access to Corporate Resources Based on Asset Classification, users Identities and &  threat Profiling of devices)

Compliance Validation: a framework should be incorporated where organization should be able to differentiate between corporate owned devices (e.g domain joined) & unmanaged machines ( Guest , Home , Kiosk PC etc) and also secure state of machines & users credentials can be validated against organization security policies at different entry points of network including LAN, gateway and depending upon this assessment result , restricted or full access to appropriate resources should be granted.

Please have a note that here most of the time secure state of the machine means that security components installed on the devices are running as intended i.e. are enabled and updated with and/or relationship with the patch status , application presence , registry settings etc. Some solutions may also include the malware and vulnerability scanners against the database mostly deployed inline.

Host based enforcement can ensure that compliance is being validated even when endpoints are not getting connected to corporate network entry points against last known good compliance policies. E.g ensures antimalware solution is always active while user is getting connected to the internet using personal DSL connection at home.

Automatic remediation also plays a major role here in reducing the administrative overheads.

Policies can be created in secure access solution for published portal Server, which will prevent uploading and downloading of documents when a machine is not trusted and/or does not comply with corporate security policies.  

the keyword scanning, file detection, and other mechanisms built into the platform help IT prevent content such as copyrighted documents (e.g., song and video files), objectionable materials (such as profanity or discrimination), or others from being stored or corporate systems—taking up not only valuable space and resources, but exposing your company to legal liability.

Audit and Vulnerability Assessment:  On auditing, basic example can be to know on how many endpoint antimalware solutions is deployed and running. Again here you may find to accomplish this in easier way if leveraging on integration of desktop management solution to run an inventory query for the same on all the endpoints across the network.

Depending upon the risk assessment organization may choose to include the coverage of client machines also while they normally run the vulnerability assessment on DC servers and network components.

Configuration Management:   Leverage on the Infrastructure solution provider guidance ,   security baseline and Best Practices to reduce the time required to harden your environment,
and to comply with specific regulations or company policies. Sometimes these baseline and packs can be imported into Desktop Management tool easily and gold images can be created for clients & Server OS, applications & databases, browser etc and assessment can be run at a regular interval where deviations can be identified against those gold images…

Out of the box and customized Reporting can also be a critical requirement for the Management.

 

Key 4 :  INFORMATION & IDENTITY PROTECTION (Ensure information is protected from malware infection, intentional and unintentional data leakage, asset loss and digital intrusion)

Other key areas where organization should focus to prevent data loss or leakage on the client endpoint apart from preventing it from malware are – user authentication, encryption, persistent access control and physical security. 

User Authentication: Requiring user authentication and maintaining an access control policy is your first line of defence. Assess your authentication requirements : is a password sufficient ? Do you need multiple factors , such as smart card and pin , or finger print and password ?

e.g smart card based authentication will be needed to approve an expense above specific amount threshold level.

Organizations should consider Identity management solution for credential and certificate management like user provisioning -deprovisioning , entitlements etc. criteria based group entitlement management like based upon manager , department , role – like permanent or FTE , can increase the efficiencies and accuracy of IT team to manage the identities and also helps to reduce helpdesk calls on password reset requests etc.

Most Customers find password sufficient but in that case while considering passwords , their complexity , length and frequency interval for changing the same should be considered.

 Encryption:  Data loss can occur from smaller mistakes like forgetting the laptop at the airport or in a taxi, leaving a USB drive full of confidential data in a restaurant or at a client site and not only from a cyber-attack on your desktops.

To protect against those look for Volume Encryption, that protects data on user’s desktop and laptops, so it cannot be extracted if the device is lost or stolen.

Also some solutions can be integrated with Hardware Trusted Platform Module that ensures that the data will not be readable on any other device but the corporate device even if the PIN is discovered. The hardware integration also ensures that changes to the boot process are stopped and that the data is also not readable if the OS has been tampered.

Same strategy can be implemented to protect removable drives, so users can continue using USB drives, but only if they type in a password to protect the drive. This allows sharing with authorized users and provides the productivity advantages of those USB devices, but reduces the risks of access by unauthorized users.

Persistent Access Control:  Organizations should consider persistent document-level encryption & Right Management  that goes wherever the document (or e-mail) does, no matter who accesses it or what device is used. Even if files are taken off-line, e-mailed to someone else, copied onto a USB drive/PDA, or accessed remotely, the use rights will endure and protect the information. And by federating these right management policies with outside organizations this secure collaboration can be extended to business partners and vendors.

Also, phrases that indicate confidentiality, and automatically apply access control templates to those documents using File classification techniques.

Key 5 :  RESPONSE (Build and follow a plan)

Submission of Malware Samples:   The goal should be that when new malware is released and is starting to spread, we can reduce the vulnerability window by not having to wait for computers to get the next signature update to be protected.

As the telemetry is sent on a file detected suspicious and for which a signature does not exist in its current signature set, if signature on the cloud is available, it is downloaded to the client in real-time, loaded and the appropriate action taken.

This kind of service can improve the quality of detection and remediation and collect samples for analysis and to create new signatures

Integration with Security Information & Event Management:  it will be helpful to identify and respond to the threats with a proper incident management plan where different events can be correlated for Incident conclusion.

Repair: Doing the repair of the effect of malware is also critical where if a threat is detected it should look in a number of other places for other signs of a threat rather than just dealing with one detection at a time.

Solution sometimes may not be able to deal with a specific root kit; in that case it should be able to tell you that you need to run the stand-alone system sweeper.

Reboot tracking kind of capabilities Provides awareness that the system is in the process of rebooting which lets us take aggressive remediation actions that would be too risky otherwise (e.g. swapping out the registry hive and configuring a temporary one to load a kernel-mode, boot time removal driver). If this were done while the user is using the system, changes could be lost and potentially destabilize the system.

Support: Solution provider security intelligence strength, support process & capabilities also play a vital role to get the quick and desired level of response during the virus out break situations.

 Key 6 : PERFORMANCE ( Another side of the coin – Users productivity is also critical)

Some of you may feel what performance factor is doing in endpoint security compliance? 

While we are discussing on defense in depth approach where multiple security components are getting installed on the endpoints, vulnerability shielding network inspection system is being incorporated in protection technology where it is scanning each and every packet flowing through the NIC card. But on the other hand we should always remember that security should act as a business enabler where user productivity should not get affected due to these security burdens.

Disabling signatures if relevant patch is present on the System:  So if once the system is patched and technology is intelligent enough to understand this and depending upon this assessment can also make the vulnerability shielding signature disabled automatically, It will a perfect scenario of achieving right balance between protection and performance as signatures are enabled only for the unpatched vulnerabilities.

Also, as we discussed, malware are increasing in numbers exponentially, there are more number of variants and hence to encounter this situation numbers of signatures are increasing.  These signatures along with the threats information need to be loaded in memory and hence due to this system performance gets degraded. If the additional info on threats etc can be stored offline it can increase the system performance drastically.

 Maintain a “context” which is used to determine depth of scanning: If Real Time Protection has been on the whole time, do we really need to rescan user-mode auto-start extensibility points (ASEPs) during quick scan? Similarly if we can determine evidence of kernel tampering, we may want scan should be much more aggressive. So adjust the scan depending upon the diagnose to balance out between security and performance.

Configurable parameters: CPU throttling while System is getting scanned , System Scan frequency & schedule , Update frequency and update , exclusions , network scanning , push / pull frequency , heart beat etc are various configurable parameters which can be considered to optimize the system performance.

Key 7 : AWARENESS (People make mistakes because they don’t know what they are doing is wrong)

Yes, in my view without help of users endpoint security compliance can never be achieved though we did discuss on the technologies like compliance validation where most of the control lies with the organization and control can be implemented centrally as per the security policies and internal regulation.

Also now days, we all are observing how getting connecting on social networking sites have multiplied specially in India. But since most of us access social network sites from the comfort and privacy of home or office, can be a part of false sense of anonymity. Additionally, the lack of physical contact on social network site can lower user’s natural defenses, leading individuals into disclosing information we would never think of revealing to a person we just met on road or at a dinner party.

On the other hand,  there is a high probability that  social network security and privacy lapses exist because of astronomical amounts of information the sites process each and every day that end up making it that much easier to exploit a single flaw in the system. Features that invite user participation — messages, invitations, photos, open platform applications, etc. — are often the avenues used to gain access to private information.

Don’t forget, there is the entire range of innocent family members on such networking sites including our grandmother to son. We need to educate them where not to click, not to accept some of the application notifications asking for the profile penetration.  

For the overall success we need to bring these end users being sitting in organizations or in our home , vacant training classes and share with them the current threat landscape, organization IT security policies , Do’s & Don’t while they are on social networking web sites , Alert and notification steps , computer & cyber-crime implications and Incident Management Plan. More importantly, describe what they can do to advance this effort… Of Demystify this Chakra-Vyuha!!

 summary

So I believe keeping these 7 keys handy with us, we can avoid the unfortunate situation which happened with the great warrior Abhimanyu in the Mahabharata where he was aware how to go inside the Chakra – Vyuha but did not know how to break and come out from that.

 

Hoping you enjoy reading this…..Do provide your feedback using the ‘Like’ Button or share your comments!!

Posted in Endpoint Security | 3 Comments

Evolving Security in the Cloud: 7 colors in my umbrella for this rainy Cloud..Should I still stay in House ?

The world is looking towards Cloud. For some of us , outside it is  bright, shiny and blue Sky with clear Clouds where we want to be the early  adopters of these new economics – of pay for what you use, reduced management –  with no hassles of patching, fault  tolerant architecture and increased productivity – with instant  self-provisioning, anywhere access of latest software.

And for others still there is a dark and rainy side of this as Security  has been the top concern while we decide going out in this Rainy Cloud and  accordingly need an umbrella to get protected and moreover how colorful that  umbrella should be so that its looks attractive and pleasant to use it and rest  can fall under Acceptable Risk.

Let’s figure out what are Top 7 Security Consideration &  Assurance, organizations should look for while they are stepping outward from  on-premise to Cloud Services?

1.  Start from your own Home: Prepare  your on-premise network  perimeter first for cloud.

As soon as the word cloud security  comes, organizations jump on to check what is lying with Cloud Service  Providers end. But we do forget that many critical assets and components are  still on premises like User Identities, Encryption Keys, and Client machines.  This may be the weakest link in this over all security framework, if broken may
compromise the security for the entire solution. Attackers know this and actively targeting end-users, client machines and on-premise Servers.

We should look for a risk-based,  multi-dimensional approach to safeguarding services and data to secure and  control all the way to cloud including  on- premise resources, internal server security, Edge Security and Remote  Client Security. So there is a need to go back for the basic of security –  Defense in Depth.

Design an Identity Federation to  authenticate user to authenticate using their on premise credential and create  a trust relationship between Identity and Resource Provider. Also use  two-factor authentication (such as smart cards or biometrics in addition to passwords) for maximum security. Regardless of how users sign in, connections established over the Internet to the service should be encrypted

Leverage Secure Web access proxies  to do URL filtering blocking phishing and malicious sites, HTTPS certificate validation,  malware inspection, Access Control rules and Network inspection.

It will be also critical to ensure  appropriate response time for end users while they access productivity tools on  cloud passing through secure web access gateway solutions at the perimeter  network. This may require proper capacity planning for these solutions.

You should do Equal Risk  Assessment for internal Threats and incorporate endpoint protection solution,  application control, Server Hardening and Patch Management.

Look for the seem less secure Direct  Access experience for the client machines which are outside the internal  boundaries for the organization but accessing the same productivity tools on  the cloud. Incorporate Malware protection, Drive encryption and endpoint policy
enforcement solution for these remote machines.

2.  Choose  the Cloud Service Provider who can help you in flying to meet your compliance  need.

Organizations  are ultimately responsible for ensuring you meet your compliance obligations.  Look for the Service provider certifications and audit reports to help you
design your compliance program.

Third party audits and certifications provide a trust on services that those are designed and operated with stringent safeguards.

If you are subject to industry or jurisdictional requirements, you will need to make  your own assessment of your ability to comply, but Customers in many industries
and geographies have found they can use Service Provider Services in a manner  that remains in compliance with applicable regulations, provided they utilize  the services in a manner appropriate to their particular circumstances.

Trusted  third-party certification provides a well-established mechanism for  demonstrating protection of customer data without giving excessive access to  teams of independent auditors that may threaten the integrity of the overall platform.  This also may reduce the need of Right to Audit clause over the time.

3.  Your  identity is your most valuable possession. Protect it, if anything goes wrong,  consequences can be me more dangerous in the cloud.

An organization’s current identity  management gaps extend to the cloud and become more complex: e.g Failure to  disable accounts in a timely manner when people’s employment is terminated or  Failure to adjust rights and permissions when people transfer to new roles.

Same Single Sign on experience as on premise requires Identity Synchronization e.g while migrating from on-premise email boxes to hosted environment.

Workflows and approvals should be  in place to do Provisioning / De- Provisioning to manage users and groups which  reduces high costs and risks associated with manual provisioning.

e.g ensures accounts are disabled  automatically based on several triggers – Change in status in HR database , Paternity  Leave, Short or Long Term Disability,  sabbatical , Promotion, conversion to FTE, or change of job title or  Cost Center , Resignation or termination of employment , Account inactivity , Failure  to change password in n days after expiration

Enhance  security by granting role based access for physical and virtual systems in Private cloud. E.g when Virtual machines are treated as a file on the file  system.  Across physical and virtual  environments, access to files can then be granted through user groups created
in Directory.  It also enables the  management of end-user rights for hardware, application, and presentation  virtualization and can also be used to manage which end-users or groups have  rights to access applications.

e.g if an employee joined in the  organization as a developer role then he/she gains automatic access to private  cloud , can order for new Test VM’s and Test VM’s are configured via  group policy to be separated from rest of  network.

4.  Data Security Life Cycle – should not that become more sensitive in cloud ?

As we know the 2nd   asset bucket in the cloud is “Data” apart from the “Application/Functions/Processes”.

Cloud attributes like  Multi-tenancy, Elasticity, Logical & Global Architecture requires that
Cloud Service provider should ensure a coherent, robust, and transparent  privacy policy emphasizing that you maintain ownership of your data. They  should tell you exactly how they handle and use data gathered. If you decide to  stop using service, do they provide, by default reduced functionality service  kind of thing, allowing you to export your data and should send multiple  notices prior to deletion of customer data.

To  mitigate Data inference & aggregation and to also ensure data discovery,  Data storage and processing should be logically segregated between customers  through specialized Directory technology engineered specifically for the  purpose. For organizations that want additional data isolation, an option  should be available that stores your data on dedicated hardware Protect Anywhere – Right  Management System can help in the battle to prevent data leakage and corporate  disclosure. Many incidents in the recent path have highlighted the growing need  for control of the data which is persistent regardless of the boundaries of  organization. E.g Hosted email service should support additional security  measures to protect sensitive information such as Secure/Multipurpose Internet Mail Extensions (S/MIME) for public key  encryption and digital signatures as well as Information Rights Management  protection for restricting who can access and perform specific actions on  documents, email, and even voicemail messages

5. All Ok…But what is the surety  during bad time – Double Check on Business Continuity and Disaster Recovery.

Hope for the best but be prepared for the worst. Organization  should check Cloud Service Provider’s highly available data centers  availability, strategically locations around the world. These facilities should  be built from the ground up to protect services and data from harm, whether  natural disaster or unauthorized access.

Physical security best practices should be maintained, including
state-of-the-art hardware, 24-hour secured access, redundant power supplies,  multiple fiber trunks, and other features.

Because of system redundancy, updates can generally be deployed to  the system without any downtime for your users. The system is protected at the  logical layer by robust data isolation, continuous monitoring, and a wide array  of other recognized practices and technologies.

All of the physical and logical security tasks should be taken  care of in the data center, which can drastically reduce the amount of time you  spend keeping your data and systems safe.

 6.   Find out more  information with the Cloud Service provider how they follow a clear, defined, and provable process to  integrate security and privacy in the service from the beginning and for the  whole lifecycle.

While a cloud operator can bring the benefit of consolidated  security expertise, it is also important to ensure that the provider’s  development and maintenance processes integrate security and privacy into each  phase of development.

The SDL addresses security threats throughout the development  process by means that include threat modeling during the design process;  following development best practices and code security standards during coding;  and requiring various tools for testing and verification before deployment.

These proactive checks during development make software less  vulnerable to potential threats after release, and the SDL provides a  structured and consistent methodology with which to apply them.

7.  Where ever you will go, your users  are most Vulnerable…….Security    Education and Awareness will ensure Governance.

Though you are still deciding to  go or not to go for cloud your users may be using some of the cloud services  since many years now and there to enroll they don’t require approval from IT.  You can try restricting use of these applications by blocking access from your
network, but sometimes it looks impractical or it’s likely that users will find  ways to bypass your security measures.

Start by establishing a security  policy that covers the use of external services , acceptable use policy,  implications of failing the follow the policy, what to don’t and what not and
who talk with if they have questions.

Summary:

After incorporating 7 colors to my  umbrella mentioned above to our go to cloud strategy, it can make the sky Bright,  Shiny and with Clear Cloud.

Are you ready to go ????

Posted in Cloud Security | 12 Comments