Posted on Thu, May 20, 2010 @ 01:48 PM
The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.
Threat #1: Abuse and Nefarious Use of Cloud Computing
Remediation
- Stricter initial registration and validation processes
- Enhanced credit card fraud monitoring and coordination
- Comprehensive introspection of customer network traffic
- Monitoring public blacklists for one's own network blocks
Threat #2: Insecure Interfaces and APIs
Remediation
- Analyze the security model of cloud provider interfaces
- Ensure strong authentication and access controls are implemented in concert with encrypted transmission
- Understand the dependency chain associated with the API (application programming interface)
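The second bullet is easiest to see in code. The following is an added example, not code from the CSA report or from any cloud provider's SDK: a request-signing scheme of the kind provider APIs use, with the client and server halves side by side. It assumes a shared per-customer API key, the header names X-Timestamp, X-Nonce and X-Signature, and a 300-second freshness window; all three are illustrative choices. TLS is assumed for the transport and is not set up here, since the signature is what authenticates the caller once the channel is encrypted.

```python
"""Signed API requests: an HMAC over method, path, body hash, timestamp and nonce.

Added example for the Threat #2 bullet on strong API authentication; it is not
code from the CSA report or from any cloud provider's SDK. The header names, the
key handling and the 300-second freshness window are assumptions chosen for
illustration; the transport is assumed to be TLS, which this code does not set up.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

FRESHNESS_WINDOW = 300  # seconds a signed request stays acceptable (assumed policy)


def generate_api_key() -> bytes:
    """32 bytes from the OS CSPRNG; never derive API keys from passwords or timestamps."""
    return secrets.token_bytes(32)


def canonical_string(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Bind every security-relevant part of the request into one signed string.
    The body is hashed so a swapped payload changes the MAC, and fields are
    newline-separated so an attacker cannot shift bytes between them."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(ts), nonce]).encode()


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 ts: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: headers the caller attaches to the outgoing request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, canonical_string(method, path, body, ts, nonce), hashlib.sha256)
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: signature, freshness and replay checks for one API key."""

    def __init__(self, key: bytes, now: Callable[[], float] = time.time):
        self.key = key
        self.now = now                         # injectable clock for testing
        self.seen_nonces: Dict[str, int] = {}  # nonce -> timestamp it was accepted with

    def verify(self, method: str, path: str, body: bytes,
               headers: Dict[str, str]) -> Tuple[bool, str]:
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"

        now = int(self.now())
        # Reject stale or future-dated requests before doing any MAC work.
        if abs(now - ts) > FRESHNESS_WINDOW:
            return False, "timestamp outside freshness window"

        expected = hmac.new(self.key, canonical_string(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == leaks timing at the first differing byte.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"

        # Replay protection: each nonce is honoured once within the window.
        self._expire(now)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = ts
        return True, "ok"

    def _expire(self, now: int) -> None:
        """Forget nonces older than the window; such requests fail the freshness check anyway."""
        for n, t in list(self.seen_nonces.items()):
            if now - t > FRESHNESS_WINDOW:
                del self.seen_nonces[n]


if __name__ == "__main__":
    key = generate_api_key()
    verifier = Verifier(key)
    body = b'{"size": "large"}'
    headers = sign_request(key, "POST", "/v1/instances", body)
    print(verifier.verify("POST", "/v1/instances", body, headers))   # (True, 'ok')
    print(verifier.verify("POST", "/v1/instances", body, headers))   # (False, 'replayed nonce')
    print(verifier.verify("POST", "/v1/instances", b"{}", headers))  # (False, 'bad signature')
```

Two design points matter when you analyze a provider's own scheme against this one: the signature must cover the body (or its hash), otherwise a captured request can be re-sent with a different payload, and the server must track nonces or the freshness window alone still allows replay for five minutes.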
Threat #3: Malicious Insiders
Remediation
- Enforce strict supply chain management and conduct a comprehensive supplier assessment
- Specify human resource requirements as part of legal contracts
- Require transparency into overall information security and management practices, as well as compliance reporting
- Determine security breach notification processes
Threat #4: Shared Technology Issues
Remediation
- Implement security best practices for installation/configuration
- Monitor environment for unauthorized changes/activity
- Promote strong authentication and access control for administrative access and operations
- Enforce service level agreements for patching and vulnerability remediation
- Conduct vulnerability scanning and configuration audits
Threat #5: Data Loss or Leakage
Remediation
- Implement strong API access control
- Encrypt and protect integrity of data in transit
- Analyze data protection at both design and run time
- Implement strong key generation, storage and management, and destruction practices
- Contractually demand providers wipe persistent media before it is released into the pool
- Contractually specify provider backup and retention strategies
Threat #6: Account or Service Hijacking
Remediation
- Prohibit the sharing of account credentials between users and services
- Leverage strong two-factor authentication techniques where possible
- Employ proactive monitoring to detect unauthorized activity
- Understand cloud provider security policies and SLAs
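The first and third bullets translate directly into detection logic over authentication events. The block below is an added example, not code from the CSA report: it reads a constructed login log and flags an account that is active from two different source addresses within a short window (shared or stolen credentials) and a successful login that follows a burst of failures from the same address (a guessed password). The log format, the 10-minute sharing window and the five-failure threshold are assumptions made for the example.

```python
"""Account-hijack monitoring over authentication events.

Added example for the Threat #6 bullets on prohibiting shared credentials and
proactively monitoring for unauthorized activity; it is not code from the CSA
report. The log format, the 10-minute window and the failure threshold are
assumptions, and the sample events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

SHARE_WINDOW = timedelta(minutes=10)  # two source IPs on one account inside this window
FAIL_BURST = 5                        # failures from one IP before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)

# Constructed sample: "<iso time> <user> <source ip> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2010-05-20T09:00:00 alice 10.1.1.5 LOGIN_OK
2010-05-20T09:03:00 alice 198.51.100.9 LOGIN_OK
2010-05-20T09:10:00 bob 10.1.1.6 LOGIN_OK
2010-05-20T09:30:00 bob 10.1.1.6 LOGIN_OK
2010-05-20T10:00:00 carol 203.0.113.4 LOGIN_FAIL
2010-05-20T10:00:10 carol 203.0.113.4 LOGIN_FAIL
2010-05-20T10:00:20 carol 203.0.113.4 LOGIN_FAIL
2010-05-20T10:00:30 carol 203.0.113.4 LOGIN_FAIL
2010-05-20T10:00:40 carol 203.0.113.4 LOGIN_FAIL
2010-05-20T10:00:50 carol 203.0.113.4 LOGIN_OK
2010-05-20T11:00:00 dave 10.1.1.7 LOGIN_OK
2010-05-20T11:30:00 dave 10.1.1.8 LOGIN_OK
"""

Event = Tuple[datetime, str, str, str]


def parse_auth_log(log: str) -> List[Event]:
    """Parse the four-field lines above into (time, user, ip, result), oldest first."""
    events: List[Event] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_account_abuse(events: List[Event]) -> List[str]:
    """Return one alert string per suspicious success, in time order."""
    alerts: List[str] = []
    last_ok: Dict[str, Tuple[datetime, str]] = {}      # user -> (time, ip) of last success
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> recent failure times

    for ts, user, ip, result in events:
        q = fails[ip]
        while q and ts - q[0] > FAIL_WINDOW:   # slide the failure window forward
            q.popleft()
        if result == "LOGIN_FAIL":
            q.append(ts)
            continue

        # A success right after a burst of failures from the same address looks
        # like a guessed password rather than a typo.
        if len(q) >= FAIL_BURST:
            alerts.append(f"{ts.isoformat()} {user}: success from {ip} after {len(q)} failures")
            q.clear()

        # The same account active from two addresses inside the window points to
        # a shared credential or a hijacked session; a later move (dave) is allowed.
        prev = last_ok.get(user)
        if prev and prev[1] != ip and ts - prev[0] <= SHARE_WINDOW:
            alerts.append(f"{ts.isoformat()} {user}: sessions from {prev[1]} and {ip} "
                          f"within {SHARE_WINDOW}")
        last_ok[user] = (ts, ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_account_abuse(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

In production the source address would normally be enriched with geolocation or an ASN so that two addresses from the same corporate egress do not trip the sharing rule, and the alerts would feed a ticketing or SOAR queue rather than stdout.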
Threat #7: Unknown Risk Profile
Remediation
- Disclosure of applicable logs and data
- Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
- Monitoring and alerting on necessary information
Posted on Wed, Jan 27, 2010 @ 12:49 PM
The failed attack on a U.S. airliner on December 25, 2009 prompted U.S. President Barack Obama to focus on the state of collaboration between U.S. intelligence and security agencies. President Obama stated, "The bottom line is this: the U.S. government had sufficient information to have uncovered this plot and potentially disrupt the Christmas Day attack. But our intelligence community failed to connect those dots, which would have placed the suspect on the no-fly list. In other words, this was not a failure to collect intelligence, it was a failure to integrate and understand the intelligence that we already had."
The President's ire has led to focus on an initiative by the Office of the Director of National Intelligence (ODNI) to create a "common trust environment" for collaboration and sharing of information within the U.S. intelligence community.
In the words of Director J.M. McConnell, "The information sharing strategy is focused on developing a 'responsibility to provide' culture in which we unlock intelligence data from a fragmented information technology infrastructure spanning multiple intelligence agencies and make it readily discoverable and accessible from the earliest point at which an analyst can add value."
"This new information sharing model will rely on attribute-based access and tagged data with security built-in to create a trusted environment for collaboration among intelligence professionals to share their expertise and knowledge."
Shift to role and policy-based network security
The foundation of this initiative is a shift from traditional firewall and identity-based security to role-based policy management of the network. Policy-based security can, on the fly, adjust security measures to allow the right users - to have the right access - to the right information - from the right place - at the right time.
We find policy-based security controls in Network Access Control solutions and flow-based network switches which give security managers granular control of the network. You can manage who has access to specific databases, at what time of day, from which location, from what department, what functional (role) responsibility and even from what type of device.
In a dynamic environment such as that found in government intelligence agencies, it is policy-based security that will enable true collaboration amongst disparate parties dealing with sensitive information.
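What a policy decision point actually does with "right user, right access, right information, right place, right time, right device" is shown in the following added example. It is not code from ODNI or from any NAC or switch vendor; the attribute names (role, clearance, hour, device, location), the classification tag on the resource and the sample policy are assumptions constructed to illustrate attribute-based access over tagged data.

```python
"""Attribute-based access decisions: the right user, with the right access, to the
right information, from the right place, at the right time, on the right device.

Added example for the policy-based access control described above; it is not
code from ODNI or from any NAC or switch vendor. The attribute names, the sample
policy and the sample requests are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attributes = Dict[str, object]


@dataclass
class Rule:
    """One condition over the attributes of a request, plus an effect."""
    name: str
    effect: str                            # "permit" or "deny"
    condition: Callable[[Attributes], bool]


def in_window(start_hour: int, end_hour: int) -> Callable[[Attributes], bool]:
    """Time-of-day condition; end_hour is exclusive."""
    return lambda a: start_hour <= a["hour"] < end_hour


def decide(rules: List[Rule], attrs: Attributes) -> Tuple[str, List[str]]:
    """Evaluate every rule against the request.

    Returns ("permit" | "deny", names of the rules that matched). Deny overrides
    permit, no match means deny, and a request that lacks an attribute some rule
    needs is denied outright rather than letting that rule silently not fire."""
    try:
        matched = [r for r in rules if r.condition(attrs)]
    except KeyError as missing:
        return "deny", [f"missing attribute {missing.args[0]}"]
    names = [r.name for r in matched]
    if any(r.effect == "deny" for r in matched):
        return "deny", names
    if any(r.effect == "permit" for r in matched):
        return "permit", names
    return "deny", names


# Constructed sample policy for a classification-tagged database.
POLICY: List[Rule] = [
    Rule("analysts read intel db", "permit",
         lambda a: a["role"] == "analyst"
         and a["resource"] == "db:intel"
         and a["action"] == "read"
         and a["clearance"] >= a["resource_classification"]),  # tag carried by the data
    Rule("admins manage intel db", "permit",
         lambda a: a["role"] == "dba"
         and a["resource"] == "db:intel"
         and a["action"] in ("read", "write", "alter")),
    Rule("no access outside business hours", "deny",
         lambda a: not in_window(7, 19)(a)),
    Rule("no unmanaged devices", "deny",
         lambda a: a["device"] != "managed-laptop"),
    Rule("no access from untrusted networks", "deny",
         lambda a: a["location"] not in ("hq", "field-office")),
]


if __name__ == "__main__":
    request = {"role": "analyst", "action": "read", "resource": "db:intel",
               "clearance": 3, "resource_classification": 2,
               "hour": 10, "device": "managed-laptop", "location": "hq"}
    print(decide(POLICY, request))
    # ('permit', ['analysts read intel db'])
    print(decide(POLICY, dict(request, hour=22)))
    # ('deny', ['analysts read intel db', 'no access outside business hours'])
    print(decide(POLICY, dict(request, location="hotel")))
    # ('deny', ['analysts read intel db', 'no access from untrusted networks'])
```

The two properties worth keeping when you evaluate a commercial policy engine are the ones this toy enforces: deny wins over permit, and a request missing an attribute fails closed instead of skipping the rule that needed it.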
Now intelligence analysts will be better able to "connect the dots" and go beyond the boundaries of traditional culture that led to silos that inhibited information sharing. These organizations had established their own security classification rules and procedures, resulting in inconsistent use and understanding of security markings.
ODNI's goals statement summarizes this concept:
- Define a uniform identity structure and uniform attributes to enable identity management, develop uniform standards and guidance for identity management, and support decentralized, agency-specific implementation
- Establish identity management standards for authentication, authorization, auditing, and cross-domain services
- Develop information security policies to support logical and physical data protection efforts
- Create a common classification guide for the Intelligence Community
- Establish a risk management approach that supports the common trust and information environment while still protecting sources and methods as well as sensitive information from disclosure
Organizations struggling with collaboration and the free flow of information across geographic boundaries, multiple trading partners and distributed business units may find an answer in role and policy-based network access solutions. If it works for the CIA, FBI and DHS it may just work for you.
Posted on Wed, Jan 06, 2010 @ 01:05 PM
Several years ago software that monitored employee use of the Internet was big news. We heard how thousands of workers, on company time, visited pornographic sites, downloaded music and videos or just spent inordinate amounts of time surfing the web.
Sexual harassment cases and lawsuits came up when folks saw offensive materials on their co-workers computers. Bandwidth charges were going up and network performance going down. In addition, there were statistics that said over 87% of hacking and confidential data losses were from company insiders. Workers just couldn't be trusted.
The question is: "Has the situation evolved?" While there are more restrictions, guidelines and penalties for inappropriate use of company assets and handling of confidential materials, has employee behavior changed? And therefore, do we still need surveillance software for our employees? The answers are no and yes, respectively. Behavior hasn't changed and yes we still need monitoring software.
Recent surveys indicate a majority of employers monitor their employees. They are motivated by concern over litigation and the increasing role that electronic evidence plays in lawsuits and government agency investigations.
Internet monitoring software has now evolved into larger security and surveillance suites. You can monitor and trace employees' use of e-mail, the Internet, computer files, keystrokes, chats in all popular instant messengers, logins and logouts, as well as "shadow copy," which allows network administrators to keep copies of files that workers transfer to USB devices.
Solutions include the following:
- Record logging: record everything from keystrokes, websites visited, FTP downloads and P2P downloads to screen captures of what is on a user's computer
- Email logging: emails sent and received, their attachments, and instant messenger discussions can be monitored and recorded
- Internet filters: block ports on your network servers normally used by certain Internet protocols, as well as specific websites, bulletin boards, P2P downloads, foreign languages, and content matched by keyword filters
- Anti-spyware/anti-virus: block downloads identified as potentially harmful, as well as viruses, worms, malware, spam, drive-by downloads and phishing attacks
While most transgressions in the workplace are committed by a few, the impact on the organization of a single breach of trust could be great. Therefore we continue to monitor, safeguarding the halls of our institutions.
Posted on Fri, Dec 18, 2009 @ 09:59 AM
Ever wondered what the Department of Homeland Security (DHS) is doing to protect government networks and what you can do too? Government networks are some of the most highly targeted sites by cyber terrorists. They come under attack hundreds of times per year. To protect government assets DHS uses a network flow monitoring system called Einstein 1 and a system called Einstein 2, an intrusion detection system.
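A flow monitor sees only metadata (addresses, ports, byte and packet counts, timestamps), so its detections are statistical rather than signature-based. The block below is an added example, not code from DHS or the Einstein program, of three such detections over constructed NetFlow-style records: a vertical port scan, a horizontal host sweep, and a large outbound transfer to an external address. The CSV layout, the 10.0.0.0/8 internal range and the thresholds are assumptions chosen for the example.

```python
"""Flow-record monitoring: signals a flow collector can raise without payloads.

Added example for the network flow monitoring described above; it is not code
from DHS or the Einstein program. The NetFlow-like CSV layout, the internal
address range and the thresholds are assumptions, and the flows are constructed.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO
from typing import Dict, List

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
SCAN_PORT_THRESHOLD = 20         # distinct dst ports from one src to one dst
SWEEP_HOST_THRESHOLD = 20        # distinct dst hosts from one src on one dst port
EXFIL_BYTES_THRESHOLD = 50_000_000  # bytes from one internal host to one external host


def build_sample() -> str:
    """Constructed flows: ordinary DNS and proxy traffic from five workstations, one
    internal host probing 25 ports on a server, one external host trying SSH on 22
    internal hosts, and one workstation pushing 60 MB to an external address."""
    lines = ["start,src,dst,proto,sport,dport,bytes,packets"]
    t = 1_000_000
    for i in range(1, 6):
        lines.append(f"{t + i},10.0.1.{i},10.0.0.53,udp,5{i}000,53,120,2")
        lines.append(f"{t + i},10.0.1.{i},10.0.0.8,tcp,5{i}001,3128,18000,40")
    for p in range(1, 26):
        lines.append(f"{t + 100 + p},10.0.1.9,10.0.0.8,tcp,44{p:03d},{p},60,1")
    for h in range(10, 32):
        lines.append(f"{t + 200 + h},203.0.113.5,10.0.2.{h},tcp,40000,22,60,1")
    for k in range(3):
        lines.append(f"{t + 300 + k},10.0.1.3,198.51.100.7,tcp,50200,443,20000000,15000")
    return "\n".join(lines)


def parse_flows(text: str) -> List[dict]:
    """One dict per flow record; malformed rows are skipped, as a collector would drop them."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        try:
            flows.append({
                "start": int(row["start"]),
                "src": ipaddress.ip_address(row["src"]),
                "dst": ipaddress.ip_address(row["dst"]),
                "proto": row["proto"],
                "dport": int(row["dport"]),
                "bytes": int(row["bytes"]),
            })
        except (KeyError, ValueError):
            continue
    return flows


def detect_flow_anomalies(flows: List[dict]) -> List[str]:
    """Return sorted alert strings for vertical scans, horizontal sweeps and
    large outbound transfers, computed from flow metadata only."""
    ports_by_pair: Dict[tuple, set] = defaultdict(set)      # (src, dst) -> {dport}
    hosts_by_src_port: Dict[tuple, set] = defaultdict(set)  # (src, dport) -> {dst}
    out_bytes: Dict[tuple, int] = defaultdict(int)          # (src, dst) -> bytes leaving
    for f in flows:
        ports_by_pair[(f["src"], f["dst"])].add(f["dport"])
        hosts_by_src_port[(f["src"], f["dport"])].add(f["dst"])
        if f["src"] in INTERNAL and f["dst"] not in INTERNAL:
            out_bytes[(f["src"], f["dst"])] += f["bytes"]

    alerts = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(f"port scan: {src} -> {dst} on {len(ports)} ports")
    for (src, dport), dsts in hosts_by_src_port.items():
        if len(dsts) >= SWEEP_HOST_THRESHOLD:
            alerts.append(f"host sweep: {src} -> {len(dsts)} hosts on port {dport}")
    for (src, dst), n in out_bytes.items():
        if n >= EXFIL_BYTES_THRESHOLD:
            alerts.append(f"large outbound transfer: {src} -> {dst} {n} bytes")
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_flow_anomalies(parse_flows(build_sample())):
        print(alert)
```

Real deployments window these counters by time so a slow scan is not diluted across a day of benign traffic, and they whitelist known scanners (vulnerability scanners, monitoring hosts) that would otherwise trip the port and host thresholds every run.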
DHS is in charge of monitoring the .gov domain for potential threats and works with several non-federal partners in various network security programs. While primarily focused on federal networks, DHS is now branching out to deploy Einstein on civilian and state networks in partnership programs under the auspices of DHS' United States Computer Emergency Readiness Team (US-CERT).
Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, DHS, has said a third version of Einstein with more advanced technology is envisioned that would be an intrusion prevention system across civilian networks and systems. The additional surveillance and intrusion response capability would give the government better awareness to protect the public, according to Mr. Reitinger.
In addition to Einstein 3, DHS has a variety of other initiatives under way to enhance the cyber security of federal and civilian networks including:
- Consolidating agencies' external Internet connections to reduce the number of entry points for potential outside threats
- Developing a supply chain risk management framework to address security threats and vulnerabilities that could be introduced into hardware and software acquired by federal agencies
- Establishing the Industrial Control Systems Cyber Emergency Response Team facility, to synchronize incident response activities related to attacks on control systems operating the Nation's critical infrastructure
- Initiating an information-sharing pilot working with the Financial Services Information Sharing and Analysis Center to enhance threat information sharing with the financial services sector
So what we learn from the DHS programs is that a solid network security plan will include: (1) a network security system that monitors, detects and prevents intrusions; (2) a strategy of reducing access points (network nodes, connections, rogue devices, multiple software packages used by end users); and (3) collaboration with trusted security partners to share incident response and threat information.