Security as a Strategy (SaaS)

Top 7 Threats to Cloud Computing – Part 2

The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.

Threat #1: Abuse and Nefarious Use of Cloud Computing

Remediation

  • Stricter initial registration and validation processes
  • Enhanced credit card fraud monitoring and coordination
  • Comprehensive introspection of customer network traffic
  • Monitoring public blacklists for one's own network blocks

Threat #2: Insecure Interfaces and APIs

Remediation

  • Analyze the security model of cloud provider interfaces
  • Ensure strong authentication and access controls are implemented in concert with encrypted transmission
  • Understand the dependency chain associated with the API (application program interface)

Threat #3: Malicious Insiders

Remediation

  • Enforce strict supply chain management and conduct a comprehensive supplier assessment
  • Specify human resource requirements as part of legal contracts
  • Require transparency into overall information security and management practices, as well as compliance reporting
  • Determine security breach notification processes

Threat #4: Shared Technology Issues

Remediation

  • Implement security best practices for installation/configuration
  • Monitor environment for unauthorized changes/activity
  • Promote strong authentication and access control for administrative access and operations
  • Enforce service level agreements for patching and vulnerability remediation
  • Conduct vulnerability scanning and configuration audits

Threat #5: Data Loss or Leakage

Remediation

  • Implement strong API access control
  • Encrypt and protect integrity of data in transit
  • Analyze data protection at both design and run time
  • Implement strong key generation, storage and management, and destruction practices
  • Contractually demand providers wipe persistent media before it is released into the pool
  • Contractually specify provider backup and retention strategies

Threat #6: Account or Service Hijacking

Remediation

  • Prohibit the sharing of account credentials between users and services
  • Leverage strong two-factor authentication techniques where possible
  • Employ proactive monitoring to detect unauthorized activity
  • Understand cloud provider security policies and SLAs

Threat #7: Unknown Risk Profile

Remediation

  • Disclosure of applicable logs and data
  • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
  • Monitoring and alerting on necessary information

Risky Behavior: Securing Credit Card Data

Over 234 million consumer credit card records with sensitive information have been breached since January 2005, according to Privacy Rights Clearinghouse (privacyrights.org). The seriousness of this problem compels us to examine the gap between meeting industry compliance requirements and actually securing confidential data.

A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk: 81% store payment card numbers; 73% store payment card expiration dates; 71% store payment card verification codes; 57% store customer data from the payment card magnetic stripe; 16% store other personal data. (Source: Forrester Consulting, The State of PCI Compliance, commissioned by RSA/EMC.)

As a result of this behavior by merchants, vulnerabilities were created across the card-processing ecosystem. Information security breaches occurred in point-of-sale devices; personal computers and servers; wireless hotspots; e-commerce applications; paper-based storage systems; and unsecured transmission of cardholder data to service providers.

To combat this trend, a PCI Data Security Standard (DSS) was created by the PCI Security Council whose founding members include: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. To any security manager, these standards are very familiar as they mirror corporate best practices for network security. Here are the 12 requirements for PCI DSS.

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Change your passwords often.

Requirement 3: Protect stored cardholder data. Anything stored should be encrypted, and cardholder data should not be retained at all or, if retained, then only for a limited time period.
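As an added example (not part of the original post), here is a small Python policy check that turns Requirement 3 and the storage habits from the Forrester survey above into code: a record going into storage keeps only a keyed-hash token and a masked card number, never carries the verification code or magnetic-stripe data, and is stamped with a purge date, while a second method audits records already on disk. The HMAC token stands in for the encryption the requirement calls for (a real system would use a KMS-backed cipher); class and field names are my own.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Sensitive authentication data: the survey shows merchants keeping these,
# but they must never be stored after authorization.
NEVER_STORE = {"verification_code", "magnetic_stripe", "pin"}


class CardholderStorePolicy:
    """Encodes the page's Requirement 3: protect what is stored, limit retention."""

    def __init__(self, key: bytes, retention_days: int):
        self.key = key                          # secret for the keyed PAN token
        self.retention = timedelta(days=retention_days)

    def prepare_record(self, raw: dict, captured: date) -> dict:
        """Return the only representation of a card record allowed into storage."""
        pan = raw["pan"].replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("malformed PAN")
        # Anything in NEVER_STORE is dropped here and never reaches disk.
        return {
            "pan_token": hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest(),
            "pan_masked": "*" * (len(pan) - 4) + pan[-4:],   # only last four visible
            "card_expiry": raw.get("card_expiry"),           # permitted, still protected
            "captured": captured.isoformat(),
            "purge_after": (captured + self.retention).isoformat(),
        }

    def violations(self, stored: dict, today: date) -> list:
        """Audit a record already in storage; an empty list means compliant."""
        problems = []
        for field in sorted(NEVER_STORE & set(stored)):
            problems.append("sensitive authentication data stored: " + field)
        if "pan" in stored:
            problems.append("PAN stored in clear")
        purge = stored.get("purge_after")
        if purge is None or date.fromisoformat(purge) < today:
            problems.append("retention period exceeded or unset")
        return problems


if __name__ == "__main__":
    # Constructed sample input; the key is a demo value, not a real secret.
    policy = CardholderStorePolicy(b"constructed-demo-key", retention_days=90)
    raw = {"pan": "4111 1111 1111 1111", "card_expiry": "12/27",
           "verification_code": "123", "magnetic_stripe": "track2-data"}
    print(policy.prepare_record(raw, date(2024, 1, 1)))
```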

Requirement 4: Encrypt transmission of cardholder data across open, public networks. Use strong cryptography and security protocols such as SSL/TLS or IPsec.

Requirement 5: Use and regularly update anti-virus software or programs. Many vulnerabilities and malicious viruses enter the network via employees' e-mail and other online activities.

Requirement 6: Develop and maintain secure systems and applications. Security vulnerabilities in systems and applications may allow criminals to access cardholder account numbers and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches.

Requirement 7: Restrict access to cardholder data by business need-to-know. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Role-based access control is helpful here.

Requirement 8: Assign a unique ID to each person with computer access. Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

Requirement 9: Restrict physical access to cardholder data. Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.

Requirement 10: Track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management.

Requirement 11: Regularly test security systems and processes. Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time.

Requirement 12: Maintain a policy that addresses information security for employees and contractors. A strong security policy sets the tone for security affecting an organization's entire company, and it informs employees of their expected duties related to security.

FTC Ruling Issues in New Era of Social Media Compliance and Risks

The FTC ruling "Guides Concerning the Use of Endorsements and Testimonials in Advertising" takes effect December 1, 2009. Essentially this ruling is directed at online media, and specifically blogging, and aims to provide the same type of consumer protection found in traditional advertising media.

If a company or its advertising agency provides a blogger or other online commenter with incentives in the hopes of getting a favorable review or positive buzz for its products, the online comments will be treated legally as endorsements.

The ruling requires full disclosure by bloggers, on their blog post, when they are either receiving compensation or free product by organizations whose products or services are discussed in said blog. By having full disclosure, readers can make a decision on whether a blogger discussing a particular product, service or company may have been incentivized and thus influenced by that company.

The potential impact on corporations and their legal departments is twofold. For vendors or suppliers, if you provide incentives (freebies) to a community of "preferred users" who blog about your product, you may be liable for any misleading statements (exaggerations, unsubstantiated claims) made by those bloggers.

For customer organizations, suppose an employee receives an evaluation sample and perhaps free tickets to a vendor event, the vendor asks your employee to evaluate the sample product and post a blog about his findings, and the employee is positioned as a representative of your organization. In that case you may be liable for any statements (positive or negative) made by that employee.

Blogging therefore now falls under the content filtering and compliance monitoring activity required of corporate legal departments. The FTC states "...the extent that consumers' willingness to trust social media depends on the ability of those media to retain their credibility as reliable sources of information..." and "Nonetheless, if the advertiser initiated the process that led to these endorsements being made - e.g., by providing products to well-known bloggers or to endorsers enrolled in word of mouth marketing programs - it potentially is liable for misleading statements made by those consumers."

Andrew Baer, a lawyer handling technology issues, gives this recommendation:

"It's now a best practice to treat company-initiated social media and blog posts as official corporate communications that require consideration of regulatory, securities, litigation and reputational risk issues, and possibly prior legal or regulatory review. The possibility that third-party posts may now be deemed company-initiated endorsements makes it vital to bring all social media marketing activities under one comprehensive policy."

The FTC rules impose compliance regulations on what was previously considered an unregulated area of communications on the web. Thus we increasingly see that life on the information highway means you can't travel safely without considering the costs of security, risk management, compliance monitoring, and content and communications filtering. Collectively we can call all of these things a security and risk policy. And as one famous commercial used to say: "don't leave home without it."
