
Cloud Control

A survey recently carried out for IBM found that 77 per cent of respondents believe that adopting cloud computing makes protecting privacy more difficult, while 50 per cent are concerned about data breaches or loss.

Indeed, when it comes to security the question now is often framed in terms of: where will my data be, who will be able to access it and how can I be assured of this and know what is really happening?

When speaking of cloud security some talk in terms of the infrastructure, some of applications and some of the smartphones or other devices that people might use to access a cloud. In reality, security in the cloud is about all of these things and more. It is important to think of which model you are buying into and ensure the security is appropriate.

In many ways, the technology has moved from being a back-office function and enabler of cost reduction to a driver of growth and value. There are several models of cloud computing, and security has to be appropriate to the model being used.

A framework for questions

When asking questions about cloud security having a framework helps, as does thinking about what will be needed when moving to the cloud, such as shared infrastructure and applications.

Elements that should be considered for inclusion in this framework are governance, a focus on the protection of data, security policy and audit measures, management of problems, management of vulnerabilities, a focus on the authentication of users and the protection of physical assets and locations.

Taking this kind of proactive approach to security and risk management means staying one step ahead of vulnerabilities and being more secure and resilient.

At the same time, it is clear that a one-size-fits-all approach to security in the cloud will not work. It is about getting the appropriate security in place for the workload (or service) that is being considered.

The fundamental things apply

The fundamentals of security apply. Individuals and business still want to know where their information is, who is accessing it and how it is being used so they can manage and protect it.

Working out where and how to apply security is central to delivering it. Cloud security can be delivered either as part of the service or as a component that can be added. Depending on your provider, it may be that a combination of these approaches is necessary.

To ensure security in the cloud organisations have to think strategically. Not all workloads are created equal so careful consideration must be given to each before determining its appropriateness for movement into the cloud.

Organisations must understand the governance and security requirements for each proposed workload and then validate whether these can be met within the cloud environment. It is only through this selective evaluation process that customers can avoid audit exposure and control the proliferation of data that may be subject to a variety of controls and residency requirements.

Roles model

There is also a need to establish clear roles and responsibilities. When adopting public and hybrid cloud solutions the relationship between consumer and provider closely resembles a traditional IT outsourcing arrangement. Therefore it is critical that each party has a clear understanding of their security obligations. For example, the responsibility for securing a software-as-a-service (SaaS) offering is largely that of the provider because the solution is consumed as a packaged static application. At the other end of the spectrum, infrastructure as a service (IaaS) exposes users to a greater responsibility for securing individual virtual machines.

Call for backup

It is also essential to have a backup plan. Most public and private cloud solutions trade direct control for cost savings and efficiencies derived from the economies of scale. Transferring control of specific IT functions to another party does not obviate responsibility for the availability of key workloads.

Organisations must consider a provider’s disaster recovery and restoration plans in the context of their needs, keeping in mind requirements regarding service availability, data backup, data residency and so on.

Reputable cloud providers should offer a variety of service level agreements (SLAs) that include metrics such as availability, outage notification, service restoration, average time to resolve and notification of breaches. Providers should report on SLA compliance and deliver agreed remedies.
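The SLA metrics listed above are only useful if the customer can check them independently rather than relying on the provider's own compliance report. The following is an added example, not code from the article or from IBM, that evaluates a constructed set of outage records against hypothetical SLA thresholds (the figures, timestamps and the `Outage` record layout are all assumptions for illustration). It also clips outages to the reporting window so an incident that straddles a period boundary is not counted twice.

```python
from dataclasses import dataclass
from datetime import datetime

# Reporting window (constructed): 1 March 2024 to 31 March 2024, end exclusive.
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 3, 31)


@dataclass
class Outage:
    """One service incident as a customer would record it (hypothetical layout)."""
    detected: datetime   # service observed down
    notified: datetime   # provider sent outage notification
    restored: datetime   # service confirmed back


# Constructed sample incidents; these are not real provider data.
OUTAGES = [
    Outage(datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 2, 20), datetime(2024, 3, 4, 3, 30)),
    Outage(datetime(2024, 3, 12, 14, 5), datetime(2024, 3, 12, 14, 10), datetime(2024, 3, 12, 14, 35)),
    Outage(datetime(2024, 3, 25, 23, 0), datetime(2024, 3, 26, 0, 15), datetime(2024, 3, 26, 1, 0)),
]

# Hypothetical SLA terms covering the metrics named in the text:
# availability, outage notification, service restoration and average time to resolve.
SLA = {
    "availability_pct": 99.9,          # minimum monthly availability
    "max_notification_minutes": 30,    # provider must notify within this time
    "max_restore_minutes": 180,        # no single incident may last longer
    "mean_resolve_minutes": 60,        # average time to resolve across incidents
}


def downtime_seconds(outages, start, end):
    """Total downtime inside [start, end), clipping incidents that cross the edges."""
    down = 0.0
    for o in outages:
        s = max(o.detected, start)
        e = min(o.restored, end)
        if e > s:
            down += (e - s).total_seconds()
    return down


def availability_pct(outages, start, end):
    total = (end - start).total_seconds()
    return 100.0 * (1.0 - downtime_seconds(outages, start, end) / total)


def allowed_downtime_minutes(target_pct, start, end):
    """Downtime budget implied by the availability target, handy for trend reporting."""
    return (1.0 - target_pct / 100.0) * (end - start).total_seconds() / 60.0


def minutes(delta):
    return delta.total_seconds() / 60.0


def evaluate_sla(outages, sla, start, end):
    """Return {metric: {'value': float, 'limit': float, 'met': bool}} for the window."""
    durations = [minutes(o.restored - o.detected) for o in outages]
    notify_delays = [minutes(o.notified - o.detected) for o in outages]
    avail = availability_pct(outages, start, end)
    return {
        "availability_pct": {"value": avail, "limit": sla["availability_pct"],
                             "met": avail >= sla["availability_pct"]},
        "max_notification_minutes": {"value": max(notify_delays, default=0.0),
                                     "limit": sla["max_notification_minutes"],
                                     "met": max(notify_delays, default=0.0) <= sla["max_notification_minutes"]},
        "max_restore_minutes": {"value": max(durations, default=0.0),
                                "limit": sla["max_restore_minutes"],
                                "met": max(durations, default=0.0) <= sla["max_restore_minutes"]},
        "mean_resolve_minutes": {"value": sum(durations) / len(durations) if durations else 0.0,
                                 "limit": sla["mean_resolve_minutes"],
                                 "met": (sum(durations) / len(durations) if durations else 0.0)
                                        <= sla["mean_resolve_minutes"]},
    }


def breached_metrics(outages, sla, start, end):
    """Names of the SLA terms the provider missed; empty list means fully compliant."""
    report = evaluate_sla(outages, sla, start, end)
    return [name for name, r in report.items() if not r["met"]]


if __name__ == "__main__":
    print(f"downtime budget: {allowed_downtime_minutes(SLA['availability_pct'], PERIOD_START, PERIOD_END):.1f} min")
    for name, r in evaluate_sla(OUTAGES, SLA, PERIOD_START, PERIOD_END).items():
        status = "OK " if r["met"] else "MISS"
        print(f"{status} {name}: {r['value']:.2f} (limit {r['limit']})")
    print("breached:", breached_metrics(OUTAGES, SLA, PERIOD_START, PERIOD_END))
```

With the constructed records the three incidents add up to four hours of downtime, which is well past the 43.2 minutes that a 99.9 per cent target allows over a 30-day month, so availability, notification time and mean time to resolve all show as missed while the per-incident restoration limit is met. A customer keeping its own incident records in this way can compare them against the provider's compliance report and invoke the agreed remedies.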

All too often organisations spend time and money developing security strategies that employ the latest – and most expensive – technical controls while turning a blind eye to the basics of risk assessment, policy development and the continuous validation of established and required controls.

Author: Nick Coleman

Security Admins: Prepare for Tomorrow’s Tech Trend Today

Every year or two, we face a new unstoppable IT trend that threatens the way we handle network security. Think instant messaging, USB keys, social media sites, and mobile computing. There are more on the way, as I wrote about last week, including Web 2.0 and cloud computing.

Tracking these new computing trends is important for IT admins: They represent a potential swath of new opportunities for attackers to breach systems, steal data, and spread malware. Early recognition and management are essential to get a handle on the situation.

Just as there are five recognized stages of grief, I see a series of stages in the life of a security IT admin coming to terms with a new IT threat. Those stages are as follows: ignorance; peripheral awareness and recognition; denial or casual acceptance; strong opposition; and formal acceptance, followed by the creation of a solution or system to manage the potential threats the new trend creates.

When we first see a new trend emerging, we typically ignore it because it isn’t widespread enough to garner hacker attention. As it gains popularity, it usually becomes an avenue for exploitation and spreading malware, and we, as security professionals, have to take notice. In most cases, our natural tendency is to fight the new thing’s use. Typically, we feel there is already an existing, managed, “better way” for the same task to be accomplished.

For example, I still don’t see the big need for instant messaging over email. As an old fart, I’m still trying to come to grips with the societal importance of Facebook. Nevertheless, if a technology has infiltrated the organization, we need to accept it and come up with a defense strategy.

One security policy to rule them all

One strategy to ease adoption of new technologies is to build into our official standing policies a general process for embracing them, rather than examining each as a separate aberration and treating them as ad-hoc one-offs. For example, your policies pertaining to digital communications should be written to cover such technologies in all forms, no matter where they exist, as opposed to specific brands of software or even types, such as email and IM. If users are allowed to install any software they want, they should understand that they remain responsible for safeguarding company assets and data no matter where those exist. That means if your entity has a policy that confidential business data and business-related communications (email, IM, and websites) must be encrypted, end-users should understand what that means and where it applies.

It reminds me of the time when my CEO asked me to add a new sentence to our existing email policy stating that it was illegal to sexually harass someone using email — which had just happened at the company. My reply: “Shouldn’t sexual harassment be illegal no matter how it happens? I mean if the harasser used a fax, would that be more acceptable?” It’s the message, not the medium.

Secure the message (data), and don’t let your policies get caught up in minutiae that lawyers love to argue about. Then make sure users are aware of their responsibility to protect data, no matter where it exists, using today’s and tomorrow’s technology.

Let HR define the penalties for ignoring the rules. I’m not a big believer in firing for most first-time offenses, ignoring the obvious felonious behaviors. People make mistakes, and I’m not just saying this because I was the first person written up under an email policy I drafted years ago (for the same CEO mentioned above) when I accidentally sent a dirty joke (intended for my future wife and close friends) to a senior executive VP (who was as close to a nun as you could get). I became a legend in that company for being the first person punished under my own policy. I still remember my boss restraining herself from outright giggling as the CEO handed down my punishment shaking his head.

Tailor your security policy to fit

Accept that new trends will occur and people will have legitimate needs — or, as I see them, strong wants — for new technology and products. Institute a policy-driven review process for any new technologies that start to invade the workplace. A standing committee can review the technology, rule upon its appropriateness in the workplace, and forbid its use or suggest controls. The decision should be signed off by senior management. This committee should understand that many of their decisions will be debated again, and requests should be allowed for resubmittal in future time periods.

For example, a year or so ago, Macs were outlawed in most corporate environments. Then the CEO and senior IT people were among the most prominent users. iPads showed up in general use within weeks, going from cute toys to displaying corporate data in that same short span. Now many vendors are presenting iPad-only versions of their software.

IT security will be tasked with researching threats and risks, as well as presenting them to management or the approval committee. A position paper, with the requisite pretty charts and pictures, should be created and presented for senior management to review and sign off. Depending on the decision, the security team should next research and deploy defenses and controls.

The user experience and the security risk of the environment will improve quickly if you spot evolving trends and manage them as an expected part of normal business policy.
