Friday, February 3, 2017

Cloud Computing …Why Not? (week 5)

I believe most technically savvy individuals are aware of Amazon Web Services (AWS), Microsoft Azure, Salesforce or even Google Cloud (part of Alphabet). A commonality among all these companies, apart from the fact that they are in almost every aspect of our lives, is their cloud services. If you love to binge on Netflix shows like I do (please watch Narcos or House of Cards if you haven’t…Netflix original classics), then you should know that all those shows you love have to be stored on someone’s servers, and when you ‘demand’ them, they need to be 'served up' to you without any interruptions. Well, the ‘cloud’ makes all this possible. We will define the cloud simply as assets (i.e. infrastructure, platform, software) hosted on servers and premises other than your own. For this blog, I won’t talk about how wonderful the cloud is; instead we will approach it from this point of view:

-- It's late Friday afternoon (of course 😠), your boss walks over to your cube and anoints you the devil’s advocate. “John Doe, your weekend assignment is to come up with reasons why we should not join the cloud bandwagon. And at that, please remember to enjoy your weekend!”

No need to panic; this blogger has your back …read on.


These 7 reasons should be enough to get your boss thinking

Security (cloud security) – this barrier is one of the top concerns for most businesses. Some questions to ask are: How do I secure my data in the cloud? What security measures are in place? Depending on the sensitivity and value of the data to be stored in the cloud, some businesses may not be comfortable adopting cloud computing. In-house computing ensures you have total control of all your data; whether that data is actually safer in-house is a story for another day. The focus here is on total control of your data.

Privacy (Trusting the cloud) – in an ever more competitive business world, no business wants to expose its ‘secret sauce’ to competitors. With cloud computing, if due diligence is not done, a business may end up with a cloud provider who is not very reliable when it comes to privacy concerns.

Independence from CSPs – most Cloud Service Providers (CSPs) prefer to lock in their customers through contracts, and if there is a need to move services to another provider, the exercise is sometimes stressful, especially given the inter-operability issues among cloud providers.

Economic Values (Return on investment) – this, in my opinion, is the most heavily weighted barrier of all from a business standpoint. All businesses, regardless of size, type or location, are in it to make money (excluding the not-for-profit ones, which actually still make money). Before migrating to the cloud, a business needs to ask whether it makes economic sense. Is the venture going to save the business money or add extra costs? The return on investment needs to be analyzed and presented to the decision makers. Most businesses will only adopt cloud computing if it makes economic sense.

Inter-operability – most cloud infrastructure and applications are current and advanced, but this is not always the case for businesses that want to integrate their own infrastructure with the cloud. When you have inter-operability issues, this may mean adopting other service models, for example IaaS, PaaS and SaaS, even though the initial intent was to buy only one. You should ask yourself: is my business compatible with the cloud provider’s?

IT Governance – IT governance determines the direction that the business will take. If cloud computing is not part of the governance plan, then cloud migration may be hindered.

Political Issues Due to Global Boundaries – for cloud computing to be successful, there need to be no borders or jurisdictions. The goal of cloud computing is to enable fast and easy access to resources regardless of the user’s location. Some businesses may be reluctant to adopt cloud computing, especially if the provider is geographically located in a different country. A European company, for example, may be skeptical or fearful of subscribing to Amazon given that it operates under U.S. jurisdiction. Also, some European laws may dictate that certain data or information must not be transmitted across their borders. So, the question here is: what laws or regulatory requirements bind you as a company?

And there you have it. I hope this information made your task easier. Go forth and conquer now, and thank you for reading.


U.S. Privacy Breach Laws (week 4)

Having worked for an MSSP (Managed Security Services Provider), I had the privilege of interacting and working with many different clients from different industry sectors. Each organization, depending on the sector it fell under, had different reasons for signing up with the MSSP. Even within the same sector, different organizations had different drivers for why they needed an information security company to partner with them. We would get everything from the security-focused kind to the ‘check-box’ kind, but what was common across the board was that for most, the decision was somehow beyond their control: due to regulation, they had to have some security controls in place to avoid being in violation of whatever regulation they fell under. Currently, I work for a financial institution, and I now understand how powerful the audit team within the company is. The financial sector is one of the most heavily regulated industries, with healthcare being the other ‘unlucky’ candidate, and having seen first-hand the pull or push regulators have, I now have a new-found appreciation of why audit is so much revered or avoided, depending on when the project deadline is due.

That said, for this week I would like to talk about U.S. privacy breach laws.

You may be wondering how this relates to cybersecurity. You may be asking yourself, “I thought as a cybersecurity professional, the focus would be catching the bad guys?” Well, for one, both IT security and audit teams within an organization need to be aware of their State’s data privacy breach laws in order to avoid any nonconformity with compliance requirements, which may mean financial penalties and other legal ramifications. When the business gets impacted (negatively), all business units feel the pain, and this includes IT and information security. Another thing to note is that IT or cybersecurity strategy should always align with the business strategy, so if regulators ask the business to abide by some rules and regulations, the IT team should also be mapping out ways of meeting those requirements.

Back to U.S. Privacy Breach Laws

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information) ("SECURITY BREACH," 2016). Companies should therefore review their data privacy, data security and incident response policies and procedures, not only to keep up with current requirements but also with any changes that may be made to the State laws. Some of the laws may require a company to be compliant even when it is not located within the confines of the State. A good example is third-party service providers who handle PII data on behalf of their clients: those vendors are required to adhere to the laws regardless of where they are located. The organization needs to ensure that the vendor implements and maintains security measures appropriate to the size, scope, industry and purpose of use of the information collected (Halpert & Anderson, 2015).

Another example of how different laws change is with HIPAA and ePHI. Due to technological advancements, under HIPAA we now have ePHI (electronic Protected Health Information), which covers “individually identifiable” “protected health information” sent or stored electronically. Doctors now use mobile and other electronic devices to review patient records and even share this information with other medical providers. ePHI rules dictate how this information can be handled. The HIPAA Omnibus rule defines this transitive chain of possession such that all businesses that may come into contact with ePHI are made responsible for the privacy and security of that information. This includes many companies that previously had no idea they had to be HIPAA compliant. This shows that all businesses need to be aware of what laws or regulations apply to them, even if only indirectly. The HIPAA Omnibus rule is one such rule that traverses supporting companies and has far-reaching consequences if the third-party providers do not abide by those mandates.

In conclusion
Due to the rampant data breaches that have occurred over the years, attributable to advancements in technology, in the period between 2006 and 2009 forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches involving personally identifiable information (PII). The three States that do not have security breach laws are Alabama, New Mexico and South Dakota. It is important for us, as security professionals, to be conversant with the legal requirements that bind our industries based on the areas of operation. We may be called upon one day by senior leadership to explain some of these requirements, and staying ahead of the curve can come in handy when that time comes.

References
Halpert, J., & Anderson, M. J. (2015, July 20). Data Protection, Privacy and Security Alert (US). Retrieved September 9, 2016, from DLA Piper website: https://www.dlapiper.com/en/us/insights/publications/2015/07/state-breach-notification-laws/

SECURITY BREACH NOTIFICATION LAWS. (2016, January 4). Retrieved September 9, 2016, from National Conference of State Legislatures website: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Internet of Things Overload (week 3)

The Spanish-born American philosopher George Santayana wrote in his book “The Life of Reason” (1905) that those who cannot remember the past are condemned to repeat it. Time and time again we have seen this school of thought proven true. If we look at it from a social perspective, take fashion for example: how many times have we ‘brought back’ a style that was the ‘in thing’ back in the day? Plenty of times, I would say. While this is not necessarily a bad thing, it shows that humans are somehow wired to repeat things. Apply this human nature to computing and information security and we see the same types of threats being resurrected from the ‘dark web cemetery’ and, lo and behold, we always get a ‘Gotcha moment’.


Last year, right about this time, I wrote a blog about Botnets and the Internet of Things. The post talked about Conficker and how its logic had a mechanism for seeking out new domains on a daily basis; by mid-2009, Conficker had spread to over 10 million computers (Singer, 2011). Fast forward to October 2016: a DDoS attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. Researchers pegged the blame on hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders (Krebs, 2016). This massive DDoS attack was attributed to a malware dubbed ‘Mirai’ (Japanese for ‘the future’), a name that seems to suit the MO of the malware: locate and compromise IoT devices to further grow the botnet and launch DDoS attacks. Mirai scanned the Internet for devices that were not secured, i.e. those that still used default user names and passwords. By running a dictionary attack against those devices with a pre-configured list of default username/password combinations, it was able to compromise and take over those devices (Herzberg, Bekerman, & Zeifman, 2016).

[Image courtesy of ReadWrite.com]
We can now see the trend and why George Santayana’s statement is true even for computing and information security. We’ve all seen those pesky reminders set up by IT to change our passwords every so often. Do we receive those messages with joy or view them as just another nuisance from those IT fellas? I bet most of us hope they would stop reminding us about those damn passwords.

Most issues we observe in today’s cyber world are simply reincarnations of old threats that existed before, and the same mistakes or vulnerabilities that propagated those threats are the same ones, although slightly modified, plaguing us again. An attack could differ in that there is a new variant, but the core of the attack, or what makes it possible, most of the time remains the same. Case in point: the use of default passwords in devices, making it easy for malware code to perform a successful brute-force attack against the device.

Question therefore is, why then would IoT manufacturers not step up their game and secure their appliances?

The answer, of course, is the good ol’ connectivity vs security battle. IoT manufacturers are focused on getting products to market as fast as possible, with their priority being connectivity and not security. Market demand and the profits associated with that demand are driving decisions, and the manufacturers are okay with dealing with security implications down the line rather than incorporating the measures at project kick-off. The IoT realm being relatively new also leaves the decision to the manufacturers, as there are no set standards for what the security landscape should look like for those devices. We have a situation where the product manufacturers determine the appropriate trade-offs for themselves without any best-practice references.

My take on this lack of, or poor, IoT security configuration is that eventually the market and possibly regulators will arm-twist the manufacturers into incorporating more solid plans that ensure their products are somewhat secure and the public is not victimized due to negligence on their end, as observed in the case of the Mirai-related DDoS attacks. We all love our smart products and the luxury they afford us, but if it means compromising our privacy and security, some consumers may opt to roll back to the stone age days where we wrote down our grocery lists on paper instead of the refrigerator sending us a text. I guess the devices aren't as smart as they purport to be after all :)

References
Denning, T., Tadayoshi, K., & Levy, H. M. (2013). Computer Security and the Modern Home. Communications of the ACM, 56(1), 94-103. doi:10.1145/2398356.2398377

Herzberg, B., Bekerman, D., & Zeifman, I. (2016, October 26). Breaking Down Mirai: An IoT DDoS Botnet Analysis [Blog post]. Retrieved from Imperva Incapsula website: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

Krebs, B. (2016, October 21). Hacked Cameras, DVRs Powered Today’s Massive Internet Outage [Blog post]. Retrieved from KrebsonSecurity website: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

Singer, P. W. (2011, October 21). Mark Bowden’s “Worm: The First Digital World War”. Retrieved February 7, 2016, from https://www.washingtonpost.com/entertainment/books/mark-bowdens-worm-the-first-digital-world-war/2011/08/30/gIQAwcKO4L_story.html