
Friday, August 8, 2014

Basic Security for Personal Cloud Storage

Avoid using Personal Cloud Storage for confidential/sensitive data

Dropbox and other file-storage and sharing applications like it are incredibly helpful to business travelers. Not having to lug along a laptop or risk misplacing a thumb drive certainly adds to the enjoyment of time away from the office.

However, these applications do come with some risks. This is especially true when users generate links to share information with others. Several basic flaws within Box and Dropbox specifically allow the shared documents to be viewed by third parties.

It comes down to this: Many people do not take basic security steps, even when communicating highly sensitive information. Worse, they may even mix their personal communications and information with confidential workplace data.

For its part, Dropbox disabled all access to public links and created a patch to keep shared links from becoming public. However, this is the third security breach for Dropbox in as many years, so users of this site and others like it need to stay diligent.

When considering a file-sharing service site, follow these rules of thumb:

  1. Use a strong password.
  2. Encrypt files in storage ("files at rest").
  3. Encrypt files sent to and obtained from the site ("files in motion").
  4. Look for a third-party security and privacy audit or some other validation that the site truly is secure.
  5. Do an online search to see if the service has been breached in the past year or two.
  6. Make sure that you can completely remove all files from the site when you stop using it.

Sunday, February 16, 2014

How secure is "Dropbox"?

Basic Overview and Awareness to Secure Your DropBox Account!

What's Dropbox?

Dropbox is a free and extremely easy-to-use tool for sharing files, photos, and videos, and syncing them among your devices. You can also use Dropbox to back up files and access them from other computers and devices (including smartphones and tablets), with dedicated apps for each device you own running Android, Mac, Linux, BlackBerry or iOS.

Dropbox is especially good for backing up your files online, although the biggest barrier to this is the size of your backups. You get 2GB free with Dropbox, or you can choose 100GB, 200GB, or 500GB for a monthly fee. There are also business plans that start at 1TB for five users. You’ll just have to make sure that the files you want backed up live in the Dropbox folder.

Dropbox also has the ability to share files with others. And, if your computer melts down, you can restore all your files from the Dropbox website.

Is Dropbox "Safe" to use?

The move to hosted services such as Dropbox raises questions about what cloud users can and should do to keep their information and data secure and compliant.

Cloud security drew attention in 2012 with Dropbox’s admission that usernames and passwords stolen from other websites had been used to sign into a small number of its accounts.

A Dropbox employee had used the same password for all his accounts, including his work account with access to sensitive data. When that password was stolen elsewhere, the attacker discovered that it could be used against Dropbox.

This was a powerful reminder that users should rely on different passwords for each secure site and service.

Also, VentureBeat reported that the Dropbox iOS app was storing user login credentials in unencrypted text files—where they would be visible to anyone who had physical access to the phone.

What Encryption does Dropbox use?

Dropbox claims:
At Dropbox, the security of your data is our highest priority. We have a dedicated security team using the best tools and engineering practices available to build and maintain Dropbox, and you can rest assured that we’ve implemented multiple levels of security to protect and back up your files. You can also take advantage of two-step verification, a login authentication feature which you can enable to add another layer of security to your account.
When it comes to the encryption methods Dropbox uses, they state that:

  • Dropbox uses modern encryption methods to both transfer and store your data.
  • Secure Sockets Layer (SSL) and AES-256 bit encryption.
  • Dropbox website and client software are constantly being hardened to enhance security and protect against attacks.
  • Two-step verification is available for an extra layer of security at login. You can choose to receive security codes by text message or via any Time-Based One-Time Password (TOTP) apps, such as those listed here.
  • Public files are only viewable by people who have a link to the file(s).
Dropbox uses Amazon’s Simple Storage Service (S3) for storage, which has a robust security policy of its own. You can find more information on Amazon’s data security from the S3 site or read more about how Dropbox and Amazon securely store data.

How to Secure your Dropbox account?

Dropbox, the popular cloud storage service, has had a history of security problems, ranging from compromised accounts to a period in which every Dropbox account could be accessed without a password.

When and if you decide to use cloud services like Dropbox, the following three basic steps can help you protect your data:

  • Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits.
  • Use application controls to block or allow particular applications, either for the entire company or for specific groups.
  • Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronised, you have full control of the safety of your data. You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else. Should your web key go missing for some reason—maybe the user simply forgot the password—the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.

How to secure your Dropbox account?

  • Enable Two-Step Verification - With two-step verification enabled, you’ll have to enter both your password and a security code from your mobile phone whenever you sign into the Dropbox website or add a new device to your account. Even if someone else knows your Dropbox password, they won’t be able to log in without the time-sensitive code from your phone.
  • Unlink devices you don’t use and view web sessions.
  • Get email notifications - Ensure email notifications are enabled so you’ll receive emails when new devices and apps connect to your account.
  • Manage linked Applications – Third-party apps often require full access to your Dropbox account, and the app retains access even if you stop using it. If the app itself is compromised or starts behaving maliciously in the future, it will be able to do damage.
  • Don’t reuse your passwords – You should use a unique password for your Dropbox account, one that you haven’t used for any other services.
  • Encrypt your Dropbox files – To protect yourself and ensure your sensitive files remain secure, you can encrypt the files you store in your Dropbox account. To access the encrypted files, you’ll need to know the encryption password – anyone without the encryption key will only see random, jumbled nonsense data.

Tuesday, December 10, 2013

Information Security Forum (ISF) Identifies 6 Major Threats for 2014

ISF report states top six security threats global business will face in 2014 include the cloud, "BYO" trends and cyber-crime

A nonprofit group founded in 1989, the ISF performs research on topics dictated by its 350-plus global member organizations. Only recently has it begun making its findings public.

In identifying the six threats as major concerns headed into 2014, the ISF emphasized the need for companies to find trusted partners and talk about cyber-security—a topic that's often treated as private.

Six: BYO Trends

Topping the ISF's list is BYO, and it's no mistake that the "D" is missing. Workers bring their email accounts, their cloud storage and more. As the trend of employees bringing mobile devices into the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

Five: Data Privacy In the Cloud

The cloud presented no danger, as long as one could tick off a list of items, including knowing how many clouds a company has; what other companies' data are being stored on the same servers; whether one's storage services are being subcontracted; and if there's a clear plan for what happens when a contract with a cloud provider is terminated. While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications.

Organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.

Four: Reputational Damage

There are two types of companies—those that have been hacked and those that are going to be. What would a hack mean to your marketing manager, to your head of investor services, to your PR team that needs to put out that statement? When the situation is something that could send stock prices plummeting, the reality of it sets in.

Three: Privacy and Regulation

Organizations need to treat privacy as both a compliance and a business risk, according to the ISF. "Furthermore," the report added, "we are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification, particularly across the European Union. Expect this to continue and develop further, imposing an overhead [cost] in regulatory management above and beyond the security function and necessarily including legal, HR and board level input."

Two: Cyber-Crime

ISF emphasized how shockingly excellent criminals are at coordinating and working together toward a cause. The Syrian Electronic Army's hack into The New York Times was offered as an example. The bad guys are really great at collaboration, because there's a lot in it for them.

Cyber-crime, hacktivism—hacking for a cause—and the rising costs of compliance, to deal with the uptick in regulatory compliance issues, can create a perfect storm of sorts. "Organizations that identify what the business relies on most will be well-placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen."

One: The Internet of Things

High-speed networks and the Internet of Things will create scenarios like the ability for a car to detect a traffic jam ahead and understand that its driver won't make it to the airport in time for his flight—and so contact the airport to change the flight. That level of information, in the wrong hands, is concerning.

Businesses can't avoid every serious incident, and few have a "mature, structured approach for analyzing what went wrong.

By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately." 

Saturday, August 31, 2013

Cybersecurity is a never-ending Tom and Jerry cartoon

The Coming Wave of Security Startups

The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants. Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved.

The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete. As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups.

Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing.

According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars. Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years. Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date.

Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks. The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products.

Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source. These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processing power and battery life to run security processes as PCs do.

Cloud approaches to security offer a solution. Software-as-a-service security companies like Zscaler can scan our mobile data traffic using proxies and VPNs, scrubbing it for malware, phishing, data leaks, and bots. In addition, startups like Blue Cava, Iovation, and mSignia are using Big Data to prevent fraud by fingerprinting mobile devices. Cloud security also involves protecting cloud infrastructure itself. New technologies are needed to secure the client data inside cloud-based services against theft or manipulation during transit or storage.

Eventually it should become possible for cloud computing customers to encrypt and destroy data using their own encryption keys. Until they do, there is an opportunity for startups such as CipherCloud and Vaultive to sell encryption technology that is used by companies over the top of their cloud services to encrypt the data inside.

Lastly, cloud security also includes protecting against the cloud, which enables creative new classes of attack. For example, Amazon Web Services can be used for brute force attacks on cryptographic protocols, like the one a German hacker used in 2010 to break the NSA’s Secure Hashing Algorithm. Attackers can use botnets and virtual servers to wage distributed denial of service attacks, and bots can bypass captcha defenses by crowdsourcing the answers. Cloud-based attacks demand innovative defenses that will likely come from startups.

For example, Prolexic and Defense.net (a company Bessemer has invested in) operate networks of filters that buffer their clients from cloud-based DDOS attacks. Cloud computing may open up enormous vulnerabilities on the Internet, but it also presents great opportunity for innovative cybersecurity. In the coming decade, few areas of computing will be as attractive to entrepreneurs, technologists, and investors.

Monday, July 29, 2013

The Risk of Data on Mobile Devices & in the Cloud

Ponemon Institute research finds that 69% of respondents listed mobile devices as posing the greatest risk

A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud, sponsored by WatchDox, reveals a stunning need for improvement in managing the risks of mobile devices and cloud computing services.

The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others.

The study concluded that “[t]he greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.

Some other key findings include:

  • Only 16% of respondents said their organization knew how much regulated data “resides in cloud-based file sharing applications such as Dropbox, Box, and others.”
  • Only 19% said their organization knew how much regulated data was on mobile devices.
  • Only 32% believed their organizations to be “vigilant in protecting regulated data on mobile devices.” Nearly three quarters said that employees didn’t “understand the importance of protecting regulated data on mobile devices.”
  • 43% of organizations allow “employees to move regulated data to cloud-based file sharing applications.”
  • Although 59% of organizations permit employees to use their own mobile devices “to access and use regulated data,” only about a third have a bring your own device (BYOD) policy.
  • In the past two years, the average organization had almost 5 data breaches involving the loss or theft of a mobile device with regulated data on it.

What are the risks?

  1. Unsafe Security Practices: With their own mobile devices and with their own cloud service provider accounts, employees might engage in unsafe security practices. Mobile devices might not be encrypted or even password-protected. When using cloud services, employees might not have the appropriate settings or an adequately strong password. They might not understand the risks or how to mitigate them.
  2. Choice of Cloud Service Provider: There are many cloud service providers, and they vary considerably in terms of their privacy and security practices. Cloud service providers may not have adequate terms of service and may not provide adequate privacy protections or security safeguards.
  3. Regulatory Troubles: If an employee of a HIPAA covered entity or business associate shares protected health information (PHI) with a cloud service provider, a business associate agreement is likely needed. Employees who just put PHI in the cloud might result in their organization being found in violation of HIPAA in the event of an audit or data breach.
  4. The Ease of Sharing: Sharing files is quite easy with many cloud providers – sometimes too easy. All it takes is a person to accidentally put regulated data into a shared file folder, and . . . presto, it will be instantly shared with everyone with permission to view that folder. One errant drag and drop can create a breach.
  5. The Ease of Losing: If you don’t carry an umbrella on an overcast day, it surely will rain. And if you put regulated data on a mobile device without adequate protection, that device will surely be lost or stolen. Call it “Murphy’s Mobile Device Law.”

What should be done?

  1. Educate the Cs: The C-Suite must be educated about these risks. These are readily-preventable risks that can be mitigated without tremendous expense.
  2. Develop Policies: The study indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
  3. Educate the Workforce: Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon Study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
  4. Instill Some Fear: The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.

The Ponemon Study reveals that there is a long way to go before most organizations adequately address the risks of mobile and cloud. The problem runs deeper than the fact that these risks are hard to redress.

The problem seems to stem from the fact that the risks are woefully underappreciated by many in organizations, from the top to the bottom. That has to change, and soon.

Monday, June 24, 2013

NIST Publishes Draft Cloud Computing Security Document for Comment

NIST Cloud Computing Security Reference Architecture provides a security overlay to the NIST Cloud Computing Reference Architecture published in 2011

The National Institute of Standards and Technology (NIST) has published a draft document on security for cloud computing as used in the federal government. The public comment period runs through July 12, 2013.

The 2011 NIST Cloud Computing Reference Architecture provided a template and vocabulary for federal cloud adopters to follow for a consistent implementation of cloud-based applications across the government.

This new addition, the NIST Cloud Computing Security Reference Architecture, contributes a comprehensive security model that supplements the NIST Cloud Computing Reference Architecture.

Using this model and an associated set of security components derived from the capabilities identified by the Cloud Security Alliance in its Trusted Cloud Initiative Reference Architecture, the NIST Cloud Computing Security Reference Architecture introduces a cloud-adapted Risk Management Framework for applications and/or services migrated to the cloud.

The NIST Cloud Computing Security Reference Architecture provides a case study that walks readers through steps an agency follows using the cloud-adapted Risk Management Framework while deploying a typical application to the cloud—migrating existing email, calendar and document-sharing systems as a unified, cloud-based messaging system.

Deadline for comments is July 12, 2013. Please use the template for comments and mail to Michaela Iorga at Michaela.iorga@nist.gov with the subject line "Comments SP 500-299."

Thursday, July 26, 2012

The Department of Defense Cloud Computing Strategy

Goals presented “consolidate and share commodity IT functions resulting in a more efficient use of resources.”


The Department of Defense needs to accomplish its critical global missions despite a decreasing budget and rising cybersecurity threat. To that end, the Chief Information Officer of the DoD, Teri Takai, released its Cloud Computing Strategy, which outlines its goals to accelerate the adoption of cloud computing throughout the department.


In the strategy, the Office of the CIO explains why it wants to move to the cloud, its goals, the challenges that stand in its way and methods to mitigate them, and the coming steps the Defense Department plans to take to get there. The strategy adopts the National Institute of Standards and Technology’s definition of cloud computing.


NIST defines cloud computing as: “A model for enabling ubiquitous, convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”


DoD likes this definition because it includes Software as a Service, Platform as a Service, and Infrastructure as a Service. According to the CIO, the DoD currently has a “duplicative, cumbersome, and costly set of application silos” that can benefit from more cloud computing. The goal presented in the Cloud Computing Strategy is to “consolidate and share commodity IT functions resulting in a more efficient use of resources.”


The DoD hopes to provide device and location independent on-demand secure global access to mission data and enterprise services. They also hope to enable rapid application development and reuse of applications by other organizations. This means both sharing and adopting the most secure commercially available cloud services.


The Cloud Computing Strategy also lays out four steps for implementing the Department of Defense Cloud Environment. The first will be to “Foster Adoption of Cloud Computing” by establishing a joint governance structure to drive the transition and an Enterprise First approach while reforming DoD IT finance, acquisition, and contracting and increasing cloud outreach and awareness.


The next step is to “Optimize Data Center Consolidation” by consolidating and virtualizing legacy applications and data. The third step is to “Establish the DoD Enterprise Cloud Infrastructure” so that it’s agile, consolidated, and secure.


The last step will be to “Deliver Cloud Services” using existing DoD cloud services and external providers. The CIO will provide oversight for component implementation of these steps.


Please refer here to download the strategy.

Thursday, April 26, 2012

The Risks Of Cloud Computing in Plain English

Know the Risks Before You Head to the Cloud


A "cloud" solution is generally typified by remote access to computing resources and software functionality and frequently involves the storage and maintenance of related data. Today, cloud computing facilitates applications, e-mail, peer-to-peer communication, content sharing, and electronic transactions or storage for nonprofits. 


In many respects, the “cloud” has become a synonym for the “Internet” as cloud computing now encompasses nearly all available computing services and resources. Cloud offerings utilized by nonprofits tend to come in three flavors. Infrastructure as a Service (IaaS) offerings deliver information technology infrastructure assets, such as additional computing power or storage.


Platform as a Service (PaaS) offerings provide a computing platform with capabilities, such as database management, security, and workflow management, to enable end users to develop and execute their own applications. And, Software as a Service (SaaS) offerings provide software applications on a remotely accessible basis. SaaS offerings are probably the most commonly understood type of "cloud" solution.


These offerings create flexibility and potentially lower costs for the cloud customer. It is therefore not surprising that this type of computing solution has rapidly become a key component in the operation of many nonprofit organizations. Despite these potential benefits, cloud computing doesn't come without risk.


Below is a list of legal risks and issues for a nonprofit to consider when procuring or using a cloud solution. These risks and issues can appear as either a contractual or an implementation issue. 


Take It or Leave It: Many cloud solution agreements are non-negotiable or more favorable to the provider than the end user, which places a greater emphasis on pre-negotiation analysis in order to work around inflexible contracts.


All Services, All the Time: All computing and software providers are morphing into service providers, and this change may impact the fee structure, term length, and available warranties.


Law Is Behind the Times; Contracts Even More Important: Existing laws and governance models have not kept pace with technological development, and this may leave the contract as the only means for dispute resolution.


It's All Online: Privacy and information security concerns will only increase with cloud usage.


Less Control of Subcontractors: Cloud providers tend to use subcontractors for hosting, storage, and other related services, and these subcontractors may not be readily known or otherwise liable or responsible for performance under the agreement.


Some Things May Not Be Worth the Risk: The inherent risks associated with cloud computing may make its utilization inappropriate for mission-critical I.T. services or resources.


Not Everybody is on the Same Page: Different cloud solutions on different hardware may increase the possibility of incompatibility with outside software or network systems, i.e., compatibility will be dictated by the provider and not by the customer.


Know Your SLAs: Service level agreements (SLAs) vary and may be inadequate and unchangeable.


General Outages May Be Likelier: Shared resources may increase susceptibility to a single-point of failure. 


Only What You Need: The terms of a license agreement may not fit the service being offered, e.g., cloud providers may grant themselves a greater right to use a customer’s data or materials than necessary to provide the cloud solution.


Own Your Data: It will be more imperative than ever to hold on to the ownership and secrecy of data and materials used with the cloud solution in order to retain rights and ensure confidential treatment.


Don't Allow a Vendor to Have Zero Responsibility: Be wary of excessive disclaimers and limits and seek the implementation of a credit or refund structure to address outages and downtime.


Am I Covered? Check available insurance policies and consider the insurance policy of the cloud provider to determine if it covers business interruption caused by vendor failure.


Know the Exits: Know how to terminate a relationship with a cloud provider and plan for how such termination will unfold in order to minimize disruption caused by transitioning to a new service provider.


Where's Your Data? Understand where a copy of all stored data is physically located.


Seek Jurisdictional Clarity: Data transfer is easy and can create jurisdictional issues because the sites where data is located or transferred and where the related services are performed or received can and will typically be different.


You Need Access to Your Data: Know how to access, audit, hold, and retrieve all data or understand the limits on such data access because regulations and e-discovery rules may mandate particular data storage, protection, and transfer protocols.


Don't Forget Compliance with Law: Regulatory compliance may extend to the cloud provider, particularly for health, financial, educational, or children’s data, and for laws and regulations governing privacy and information security.


Rules Are Different Overseas: The United States has more permissive data and database rules than many other countries, particularly by comparison to Europe, where greater restrictions and rights exist.


Will It Still Be There When Disaster Strikes? Understand the cloud providers' business continuity and disaster recovery practices.


Incorporate Overall Risk Management Strategies: Cloud computing risks may expand the notion of risk from I.T. management to operational management or regulatory compliance.


Everybody Is a Renter: Limited-term software licenses will become the norm with customers not having any ownership rights in the software copy being licensed.

Summary


Courts, governmental authorities, and industry standard-setting bodies may address some of the foregoing concerns. But, until then, organisations considering cloud computing solutions will need to look to their written contracts as the primary vehicle to protect their rights and ensure performance.


Moreover, careful due diligence of cloud providers becomes key. Organisations therefore should consider multiple providers and should not make decisions based purely on cost. Instead, organisations should seek references and involve their key decision-makers and outside advisors to assist with the procurement process in order to ensure a thorough evaluation of the potential risks and issues with cloud computing.   

Saturday, March 24, 2012

6 Principles for Effective Cloud Computing

ISACA Guide Aims to Minimize Cloud Computing Risks

The cloud, in the long run, should make enterprise computing more efficient and, yes, more secure. In the meantime, those charged with executing their organization's cloud services face a series of tough decisions.

Among the latest to offer advice is ISACA, the professional association focused on IT governance. ISACA counsels that organizations adopting cloud computing should adhere to six principles. Doing so will help enterprises avoid the perils of transferring IT decision making away from technology specialists to business unit leaders.

The six principles - detailed in the recently published ISACA publication Guiding Principles for Cloud Computing Adoption and Use - include enablement, cost/benefit, enterprise risk, capability, accountability and trust. Here's how ISACA defines each of those principles:
  1. Enablement: Plan for cloud computing as a strategic enabler, rather than as an outsourcing arrangement or technical platform.

  2. Cost/benefit: Evaluate the benefits of cloud acquisition based on a full understanding of the costs of cloud compared with the costs of other technology platform business solutions.

  3. Enterprise risk: Take an enterprise risk management perspective to manage the adoption and use of cloud.

  4. Capability: Integrate the full extent of capabilities that cloud providers offer with internal resources to provide a comprehensive technical support and delivery solution.

  5. Accountability: Manage accountabilities by clearly defining internal and provider responsibilities.

  6. Trust: Make trust an essential part of cloud solutions, building trust into all business processes that depend on cloud computing.

Monday, January 30, 2012

Gartner: 2012 Information Technology Predictions and Trends

Gartner has issued a full report titled "Gartner's Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away"

Gartner, Inc. issued a press release announcing its 2012 list of top predictions and trends for IT organizations and users. Highlighted are key trends like Cloud Computing, Social Business, Big Data, Security, and Mobile. The predictions and trends made by Gartner align closely with the research I am conducting for my HorizonWatching 2012 Trends report due out in early January.

The eleven predictions from Gartner are as follows:

Cloud Services: By 2015, low-cost cloud services will cannibalize up to 15 percent of top outsourcing players' revenue.

Social & Collaboration Platforms: In 2013, the investment bubble will burst for consumer social networks, and for enterprise social software companies in 2014.

Enterprise Email: By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client.

Mobile Apps: By 2015, mobile application development projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4-to-1.

Cloud Security: By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service.

Public Clouds: At year-end 2016, more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud.

IT Budget Management: By 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the IT department's budget.

Asia Sourcing: By 2014, 20 percent of Asia-sourced finished goods and assemblies consumed in the U.S. will shift to the Americas.

Cybercrime: Through 2016, the financial impact of cybercrime will grow 10 percent per year, due to the continuing discovery of new vulnerabilities.

Cloud & Sustainability: By 2015, the prices for 80 percent of cloud services will include a global energy surcharge.

Big Data: Through 2015, more than 85 percent of Fortune 500 organizations will fail to effectively exploit big data for competitive advantage.

Gartner has issued a full report titled "Gartner's Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away," which is available on Gartner's website at www.gartner.com/predicts. The report apparently has links to more than 70 Gartner ‘predicts’ reports broken out by topics, industries and markets.

Monday, November 7, 2011

Free Webinar and Virtual Summit on various Information Security Issues

Mobiles, PCI, that big old cloud – what’s your poison?

I know there are so many resources out there in our profession, making it hard to know where to go for the really worthwhile insights on key issues like personal devices in the workplace, PCI, cloud security etc.

As such I have spoken to a few folk to give you a list of the 3 upcoming online events in these areas that have had the most sign-ups from people like you and have pasted details below. Take a look and see what you think….

1. Webcast: PCI DSS Demystified for SMEs

Streamed live to your desk on 17th November 2011 | 3pm GMT or 10am EST

Why is everything in Info Security always aimed at the big guys? No longer, thanks to this SC magazine webcast which was inspired by the spate of smaller companies being caught out recently by PCI loopholes and incurring massive reputational and financial damage as a result.

Ensure you don’t join the list by tuning in to the Barclaycard and Dell speakers at http://www.scwebcasts.tv/?btcommid=36601 .

2. Virtual Summit: Tackling the Big 3 - Cloud Security, Personal Devices and the Human Factor

Join CISOs from Skype, Vodafone, Canon, Travelex, HSBC and more in SC’s first truly Virtual World, which has set the information security world alight. Network with hundreds of other IS professionals (or avatars!), access whitepapers and tune into the sessions to give you everything you need to know to stay safe in 2012.

View the demo and create your own avatar now by visiting (it’s great fun!)
http://www.scvirtualsummit.com .

Or if you are a vendor interested in enquiring about speaking opportunities you can drop nicola.fulker@haymarket.com a line.

3. Webcast: Mobile Device Management - Locking down the mobile front

Streamed live to your desk on 23rd November at 3pm GMT or 10am EST

It is the big issue that many people are still wrestling with – what should we do as iPads, smartphones and their friends continue to proliferate in the workplace? Tune in to this SC webcast to hear realistic and practical advice on keeping the mobile front secure without hamstringing your productivity.

Take a look and secure your place at http://www.scwebcasts.tv/?btcommid=35629

……………………………………………..

I hope these are of relevance to you and your team! SC’s stuff tends to be very good because they take time to research the content and ensure that vendor involvement is always to the benefit of their audience (not just the vendor in question’s back pocket!).

Friday, November 4, 2011

5 Essential Characteristics of Cloud Computing

The NIST Definition of Cloud Computing

To employ new technologies effectively, such as cloud computing, organizations must understand what exactly they're getting. With this in mind, the National Institute of Standards and Technology has issued its 16th and final version of The NIST Definition of Cloud Computing.

"When agencies or companies use this definition, they have a tool to determine the extent to which the information technology implementations they are considering meet the cloud characteristics and models," says Peter Mell, a NIST computer scientist who coauthored the report, also known as Special Publication 800-145.

"This is important because by adopting an authentic cloud, they are more likely to reap the promised benefits of cloud: cost savings, energy savings, rapid deployment and customer empowerment," Mell says. "And, matching an implementation to the cloud definition can assist in evaluating the security properties of the cloud."

The special publication includes the five essential characteristics of cloud computing:

On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops and workstations).

Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state or datacenter). Examples of resources include storage, processing, memory and network bandwidth.

Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for the provider and consumer.

SP 800-145 also defines four deployment models - private, community, public and hybrid - that together categorize ways to deliver cloud services.

NIST says the definitions are intended to serve as a means for broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing.

Tuesday, October 18, 2011

How to mitigate the major threats and fully secure both private and public cloud?

Cloud Security Summit | Free Online Event

The adoption of cloud-based solutions has become a necessity for most enterprises. While a growing number of companies enjoy the agility and flexibility achieved through the cloud, security experts emphasize a number of risks and vulnerabilities related to this trending technology.

Attend this summit to hear from world-class thought leaders, analysts and experienced end-users on how to mitigate the major threats and fully secure both private and public cloud.

Sign up to attend the live interactive webcasts or view them afterward on demand here: http://www.brighttalk.com/r/D9v .

Presentations include:

‘Application Security for Cloud-Based Companies’
Jim Manico, VP Security Architecture, WhiteHat Security

‘Privacy in Public: How Organizations are Securely Managing Sensitive Assets in Cloud’
Imam Sheikh, SafeNet

‘Effectively Communicating the Value of Cloud Security’
Michael Santarcangelo, The Security Catalyst

‘Is Your Data Safe in the Cloud?’
Eran Feigenbaum, Director of Security, Google Enterprise

‘Distributed Denial of Service — War Stories from the Cloud Front’
Michael Smith, Security Evangelist & John Buten, Senior Manager Enterprise Marketing, Akamai

‘The Missing "S" in Cloud’
Professor John Walker, CEO and Founder, Secure-Bastion

You can view the full lineup and sign up to attend any or all presentations at http://www.brighttalk.com/r/D9v .

This summit is part of the ongoing series of thought leadership events presented on BrightTALK(TM). I hope you are able to attend.

Sunday, October 16, 2011

10 Domains of Cloud Security Services

Cloud Security Alliance Foresees Security as a Service

Security poses a major challenge to the widespread adoption of cloud computing, yet an association of cloud users and vendors sees the cloud as a provider of information security services.

The Security-as-a-Service Working Group of the Cloud Security Alliance, a not-for-profit association formed by cloud-computing stakeholders, issued a report Monday that defines 10 categories of security services that can be offered over the cloud.

The alliance said its report is aimed at providing cloud users and providers greater clarity on security as a service in order to ease its adoption while limiting the financial burden security presents to organizations. The 10 security-as-a-service categories are:
  1. Identity and Access Management should provide controls for assured identities and access management. Identity and access management includes people, processes and systems that are used to manage access to enterprise resources by assuring the identity of an entity is verified and is granted the correct level of access based on this assured identity.

    Audit logs of activity such as successful and failed authentication and access attempts should be kept by the application/solution.

  2. Data Loss Prevention is the monitoring, protecting and verifying the security of data at rest, in motion and in use in the cloud and on-premises. Data loss prevention services offer protection of data usually by running as some sort of client on desktops/servers and running rules around what can be done.

    Within the cloud, data loss prevention services could be offered as something that is provided as part of the build, such that all servers built for that client get the data loss prevention software installed with an agreed set of rules deployed.

  3. Web Security is real-time protection offered either on-premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the cloud provider.

    This provides an added layer of protection on top of things like AV to prevent malware from entering the enterprise via activities such as web browsing. Policy rules around the types of web access and the times this is acceptable also can be enforced via these web security technologies.

  4. E-mail Security should provide control over inbound and outbound e-mail, thereby protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam and providing business continuity options.

    The solution should allow for policy-based encryption of e-mails as well as integrating with various e-mail server offerings. Digital signatures enabling identification and non-repudiation are features of many cloud e-mail security solutions.

  5. Security Assessments are third-party audits of cloud services or assessments of on-premises systems based on industry standards. Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model.

    In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administration overhead and pay-per-use with low initial investments.

  6. Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop/prevent an intrusion.

    The methods of intrusion detection, prevention and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about the implementation of the same protection in cloud environments.

  7. Security Information and Event Management systems accept log and event information. This information is then correlated and analyzed to provide real-time reporting and alerting on incidents/events that may require intervention.

    The logs are likely to be kept in a manner that prevents tampering to enable their use as evidence in any investigations.

  8. Encryption systems typically consist of algorithms that are computationally difficult or infeasible to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal and key exchange.

  9. Business Continuity and Disaster Recovery are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions.

    Business continuity and disaster recovery provides flexible and reliable failover for required services in the event of any service interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric business continuity and disaster recovery makes use of the cloud's flexibility to minimize cost and maximize benefits.

  10. Network Security consists of security services that allocate access, distribute, monitor and protect the underlying resource services. Architecturally, network security provides services that address security controls at the network in aggregate or specifically addressed at the individual network of each underlying resource.

    In a cloud/virtual environment, network security is likely to be provided by virtual devices alongside traditional physical devices.
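Items 1 and 7 above describe the mechanics only at a high level: audit logs of successful and failed authentication attempts are collected, correlated into alerts, and stored so that tampering is detectable. The following Python sketch is an added example written for this page (it is not CSA code and not any vendor's product) that does both over a handful of constructed sshd-style log lines: a sliding-window rule that flags a burst of failed logins from one source and any later success from that same source, plus a SHA-256 hash chain over the stored lines that exposes an edit or a deletion. The log format, the threshold of five failures and the one-minute window are assumptions chosen for the example.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records for this example (not from any real system).
# Format is an assumption: "<ISO timestamp> auth sshd: <Failed|Accepted> password for <user> from <ip>".
SAMPLE_LOG = """\
2011-10-17T09:00:01 auth sshd: Failed password for alice from 203.0.113.5
2011-10-17T09:00:02 auth sshd: Connection closed by 203.0.113.5
2011-10-17T09:00:04 auth sshd: Failed password for alice from 203.0.113.5
2011-10-17T09:00:07 auth sshd: Failed password for root from 203.0.113.5
2011-10-17T09:00:09 auth sshd: Failed password for admin from 203.0.113.5
2011-10-17T09:00:12 auth sshd: Failed password for bob from 203.0.113.5
2011-10-17T09:00:15 auth sshd: Accepted password for bob from 203.0.113.5
2011-10-17T09:05:00 auth sshd: Failed password for carol from 198.51.100.7
2011-10-17T09:30:00 auth sshd: Accepted password for carol from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line):
    """Turn one log line into an event dict, or None for lines the rule does not use."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window correlation keyed on source address.

    Emits ("brute_force", src, user, ts) when `threshold` failures from one
    source fall inside `window`, and ("success_after_failures", src, user, ts)
    for any later successful login from a source that tripped that rule.
    """
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still in the window
    flagged = set()                       # sources that already raised brute_force
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], ev["user"], ev["ts"]))
        elif ev["src"] in flagged:
            alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"]))
    return alerts


def chain(lines, seed="genesis"):
    """Store lines as (line, digest) with digest = SHA-256(previous digest || line)."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    entries = []
    for line in lines:
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        entries.append((line, digest))
        prev = digest
    return entries


def verify(entries, seed="genesis"):
    """Return the index of the first entry that breaks the chain, or -1 if intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(entries):
        if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
            return i
        prev = digest
    return -1


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in correlate(lines):
        print(alert)
    stored = chain(lines)
    edited = [(stored[0][0].replace("Failed", "Accepted"), stored[0][1])] + stored[1:]
    print("intact:", verify(stored), "edited:", verify(edited), "gap:", verify(stored[:2] + stored[3:]))
```

One limit worth knowing: the chain detects a modified or deleted entry in the middle, but not truncation of the tail (the last entries can be dropped and the shortened chain still verifies), so the newest digest must be anchored somewhere the log writer cannot alter, for example by periodically signing it or shipping it to a separate store.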

Friday, September 9, 2011

Threat Management Summit

Free Online Event

An effective and up-to-date threat management solution is crucial as cyber attacks are becoming increasingly sophisticated and pervasive. From next generation firewalls to unified threat management, leading experts from the information security industry will share tools, strategies, and solutions to eliminate threats, minimize risks and reduce costs during this two-day online summit.

WHEN: Wednesday, September 14 – Thursday, September 15, 2011 (All webcasts will be immediately recorded and viewable on demand)

WHERE: Sign up to attend the live interactive webcasts, or view them afterward on demand here: http://www.brighttalk.com/r/Nmv .

PRESENTATIONS INCLUDE:

“Adapt or Die: Threats, Vulnerabilities and Your Networks and Data”
Derek E. Brink, Aberdeen Group; Michael Stute, Global DataGuard; Dwayne Melancon, Tripwire; Gary Golomb, RSA NetWitness

“Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing”
John Rowell, CTO, OpSource & Paul Sathis, Director of Cloud Computing, Intel

“War Texting: Weaponizing Machine 2 Machine”
Don Bailey, Security Consultant, iSEC Partners

“Insiders: What Motivates Them and How to Protect Sensitive Data”
Raphael Reich, Director of Product Marketing, Imperva

“Real Security is Dirty”
J.J. Thompson, CEO, Rook Consulting

“How to Ensure Real-Time Threat Detection”
Frost & Sullivan along with ESET Researcher

You can view the full lineup and sign up to attend any or all presentations at http://www.brighttalk.com/r/Nmv . This summit is part of the ongoing series of thought leadership events presented on BrightTALK(TM). I hope you are able to attend.

Monday, August 15, 2011

Tackling the Big 3: Personal Devices, Cloud Security & Human Factor

SC's first ever virtual Information Security Event

So how secure are the personal devices in your workplace and just how often do your staff open the door to cybercriminals?

On 3rd November, SC magazine are launching a virtual summit which will offer; avatar networking with your peers, exhibition stands and hard-hitting sessions on “tackling the big 3” – personal devices at work, cloud security and the insider threat.

You can create your own avatar and view the programme at the below link:

http://www.scvirtualsummit.com

VIRTUAL SUMMIT; TACKLING THE BIG 3 – YOUR 2012 SURVIVAL GUIDE


Step into our virtual world on Thursday 3rd November 2011

http://www.scvirtualsummit.com

Hear from the likes of:
  • Bryan Littlefair, Chief Information Security Officer, Vodafone
  • Adrian Asher, Chief Information Security Officer, Skype
  • Bob Rodger, Group ISR Head of Infrastructure Security, HSBC
  • Spencer Mott, Vice President and Chief Information Security Officer, Electronic Arts
  • Plus more...
Network virtually, visit stands and listen-in on sessions on the following areas:
  • From iPads to personal PCs, learn how to mitigate the enormous risk of personal devices in your workplace
  • With users entering the cloud from here, there and everywhere, understand how to stay secure
  • You can have the most watertight security in place but your staff can always let you down; hear how to stop this, now
I hope that you can attend this landmark information security event.

Saturday, August 13, 2011

Cloud computing guide to help enterprise increase value and manage risk

ISACA issued a new guide for implementing controls and governance

For all the talk of Cloud computing, the governance issue remains, for many enterprises, the great unknown. Cloud computing inevitably impacts business processes, making governance vital to managing risk and adapting to take advantage of new opportunities.

According to a survey of ISACA’s Australian members, less than half — 42 per cent — currently include Cloud computing strategies within their enterprise. And 80 per cent of these organisations limit Cloud computing to low-risk, non-mission-critical IT services.

Due diligence around the proposed service provider and appropriate controls must also be in place, she said, to ensure corporate information is protected from loss, theft, tampering and loss of jurisdictional control.

Key questions for Cloud governance

ISACA’s guidance recommends enterprises ask the following key questions:
  • What is the enterprise’s expected availability?
  • How are identity and access managed in the Cloud?
  • Where will the enterprise’s data be located?
  • What are the Cloud service provider’s disaster recovery capabilities?
  • How is the security of the enterprise’s data managed?
  • How is the whole system protected from internet threats?
  • How are activities monitored and audited?
  • What type of certification or assurances can the enterprise expect from the provider?
ISACA's Oceania CACS2011 conference, to be held in Brisbane from 18-23 September, will explore issues such as control, risk management, data loss prevention and assurance for Cloud strategies.

Tuesday, July 12, 2011

The KNOS Project: Secure Internet for Network & Cloud Clients

KNOS is a solution for the protection of internet-connected

KNOS provides an operating system and application environment that the project describes as unable to be infected or exploited, and that is intended to protect privacy as well as security. KNOS is a fully locked-down client system based on BSD, which also underlies Mac OS X and many hardened servers and military systems.

The "secure lockdown" comes from booting into a read-only, memory-resident filesystem: nothing written during a session survives a reboot, so malware cannot persist. The limit of that guarantee should be understood too: a running session can still be exploited in memory until the next reboot, so the protection is against persistence rather than against every attack. The computer's existing hard disk is left untouched because KNOS does not mount it, so nothing reachable from the network can modify it. KNOS is suited to unsecured networks, untrusted users including children, and public computers or networks. The vendor positions it as "high side" trust on the grounds that it cannot be persistently infected, and argues that this removes the need for add-on internet "security" software, which has failed to protect valuable machines and their content against the ever-increasing security risks on the internet.

KNOS also provides significant cost savings by eliminating the costs associated with cleanup and maintenance of infected machines in addition to significantly reduced software licensing costs. KNOS is the perfect answer for strained IT budgets and staffing levels and with its full complement of applications, client computers can be run solely on KNOS at even greater savings.

KNOS is intended for distribution by ISP's, IT Departments for their own users, and other situations where a mass distribution of our disks with specific application sets and portals is desired. KNOS is an excellent front end for "cloud" computing, remote access to institutional sites, portable computers in secure environments, as well as individuals who wish to protect their security and privacy in a world of ever increasing "zero day attacks" from "trusted sources."

Refer here for more details and here for demo about KNOS. You can get KNOS from here.

Sunday, June 12, 2011

Join the Cloud Security Summit

Free Online Event on June 16

The adoption of cloud computing is no luxury, and compliance and privacy concerns are now more pertinent than ever. Attend this summit to hear from key thought leaders and end users as they provide an in-depth look into the new world for cloud security and privacy.

Presenters will discuss ways to fully classify, analyze and mitigate the legal and compliance risks involved.

Sign up to attend the live interactive webcasts on June 16, 2011, or view them afterward on demand here: http://www.brighttalk.com/r/mxX .

Presentations include:

‘Getting PCI to the Cloud: Amazon Web Services and SafeNet’
Mr. Dean Ocampo, CISSP, Dir. of Product Marketing, SafeNet, & Mr. Tom Stickle, Sr. Solution Architect, Amazon Web Services

‘Audit Considerations in a Cloud Computing Environment’
Jason Wood, Assistant Professor, Jack Welch Management Institute & Chancellor University and President of WoodCPA Plus P.C.

‘Trusting Cloud Services with Intel® Trusted Execution Technology’
Iddo Kadim, Director of Data Center Virtualization Technologies, Intel

‘Storm Clouds on the Horizon: Can I Trust My Data in the Cloud?’
Michael Sutton, Zscaler; Randy Barr, ServiceSource; Eran Feigenbaum, Google Apps; Matt Broda, Microsoft

‘The Evolution of IAM to Enable Security in The Cloud’
Tim Dunn, Vice President of Strategy, CA Technologies Security Europe

‘Cloud Computing & the Law: How to Protect Your Data’
Jonathan Armstrong, Technology Lawyer Partner, Duane Morris LLP

‘Vetting a Cloud Service Provider’
Emma Webb-Hobson, Information Assurance Consultant, QinetiQ

‘Cloudonomics or Risky Business? How to Architect your Services’
Gregor Petri ; Advisor on Lean IT and Cloud Computing, CA Technologies

‘Cloud Storage Security Introduction’
Glyn Bowden, SNIA & Storage Infrastructure Architect

‘Update: Cloud Computing and Data Protection’
Ibrahim Hasan, Director and Solicitor, Act Now Training LTD

You can view the full lineup and sign up to attend any or all presentations at http://www.brighttalk.com/r/mxX .

This summit is part of the ongoing series of thought leadership events presented on BrightTALK(TM). I hope you are able to attend.

Tuesday, May 24, 2011

2011 Information Security Virtual Conference

Free conference worth attending

The conference sessions cover a wide variety of topics, including:

Building Trust in the Cloud – This session will look at how to turn the concept of a trusted cloud into reality.

Smart phones, apps, and crowd sourcing – This session will look at crowd sourcing, application security, and just what employees are – and should – be using their work smart phones for.

Malware: The Bad, the Ugly, and the Uglier – Industry experts have predicted for some time that malware, botnet-type malware in particular, will continue to become more sophisticated and more threatening; Stuxnet bore that out. In this session you will discover the anatomy of the worm and its attacks, and learn how to put defenses in place to stop a breach. This session will also take a look at what malware has in store for us in 2011.

How to educate your workforce – It is time to update awareness campaigns and make educational programs interesting, and dare we say it, enjoyable. This session will tell you how!

Getting Ready for Cyberwar: Protecting the CNI – This session hopes to answer these big, and very important, questions.

Forensic Analysis in the Cloud – This session will examine the questions you need to ask, and the agreements that should be in place, before you hand your infrastructure, platforms, and/or data over to a cloud provider.

Preventing Insider Data Leak - This session will offer advice on how to plug those holes which could lead to the loss of company data.

The death of endpoint security? – This session will examine exactly what a data-centric approach to security entails, and what the future holds for end point device security.

Full conference programme available here.