
Tuesday, 2 September 2014

For your eyes only

“Celebs in nude photo scandal” makes it to the top of our news feed today, and who’s clicking on the link? I have to say, for one, ‘not me’.

I’m sure Jennifer Lawrence has a lovely figure, but I don’t need to see it, and the photos were never intended for the public; they are private photos stored on a private cloud account. The only reason the likes of you and I are aware of them is because someone stole them! Yes, stole: ‘to take without permission or right, especially secretly or by force’. Someone hacked into her account and the accounts of others, copied and exploited their private images online for all to see, and continues to use what they have to blackmail others. This is a criminal act.

I was pretty shocked and disappointed seeing comments made on social media about the images and requests for links to them. If you really need to see it, there are sites already available with similar content by consenting adults, rather than exploiting someone who hasn't consented. Celebs may be famous and make a living by providing the world with entertainment, but what they do in their own time in their own homes is private, and everyone is entitled to their own privacy. In general we have all been brought up to respect others and to use a level of discretion, and these values should be remembered; simply not clicking on that link begins to remove any sense of credibility the hacker would feel from performing such a deed.

Although there has been no official comment on how the hack was carried out, or specifically where the photos were taken from, iCloud or Photostream (and likely we won’t hear about it either), I’m sure that this has raised many questions around the Apple offices this week.

The moral of the story is: if you’re using a cloud-based photo storage service, maybe be a little cautious about what you store there; an external hard drive works just as well. As for what Jen Law is up to, if this is really important to you, maybe you need a hobby…

Sarah Taylor
www.cqr.com

Friday, 17 January 2014

Securing Cloud Services Part 3

Practical tips

Through our many risk assessments of cloud services there are a few practical tips which you may find useful in selecting the right cloud services.

I. Do the risk assessment early. On a number of occasions a cloud service has advanced to pilot stage prior to a risk assessment. The assessment then identifies key risks which require remediation or mitigation, and the result is either a severe impact on the rollout plan or the project being abandoned.

II. Data classification. Make sure the business understands the need to classify the data and/or business process so that the appropriate security controls are understood and implemented by the cloud provider.

III. Service availability. Ensure the cloud provider’s service recovery plan aligns with business expectations. It might be nice that a cloud provider offers a fee credit for an outage, but this may be irrelevant compared to a focus on service restoration within a defined time period.

IV. Incident management. The company’s information security policies and procedures define the responsibilities, actions and reporting requirements in the event of an incident. The shift to the Cloud sees a blurring of responsibilities between the company and the cloud provider. The service level agreement needs to reflect a clear understanding of who is responsible for taking actions in relation to a security incident, and the reporting protocols.

V. IaaS preferred providers. Perform a risk assessment on a select group of IaaS providers. Initially this can be achieved by a self-assessment questionnaire, a security review, or confirming their compliance with industry standards or a risk management framework. Once assessed, the company then has a baseline rating for providers to recommend to business units, depending on the technical controls and their mapping to data integrity, availability and confidentiality needs.

VI. Compliance requirements. The business unit considering a cloud deployment must clearly understand the company’s own security compliance requirements and risk appetite. This needs to be conveyed to the cloud provider so it can comply with the appropriate levels of risk assessment and audit. There can be considerable reluctance on the part of the cloud provider after deployment about testing of the provider’s applications and infrastructure if this has not been agreed upfront.

VII. PaaS and SaaS services. Make sure data integrity, availability and confidentiality requirements are agreed. Where possible, have these services deployed on one of the preferred IaaS suppliers’ platforms.

VIII. Impact of an outage. The increasing interdependence of cloud and on-premises data should not be underestimated. The impact an incident or outage of a cloud service would have on the company’s overall operation needs to be quantified and reflected in the corporate risk register.

IX. Cloud assessment document. Develop a cloud computing security assessment document based on the ASD document “Cloud Computing Security Considerations” and apply appropriate risk ratings. This assessment document can be completed by potential cloud providers early in a project lifecycle to avoid any unnecessary waste of time or resources on a solution which is not going to match the company’s risk profile.

Greg Starkey
Business Development Manager, Government & Commercial
www.cqr.com

Thursday, 16 January 2014

Securing Cloud Services Part 2

Cloud Security Fundamentals

Numerous surveys have found CIOs citing “security” as their main concern in adopting cloud computing technology. The Cloud is seen as an environment that is outside of the CIO’s control, and from the perspective of accountability and compliance this seems to represent a risk. Security and control go hand-in-hand, and few security-conscious CIOs would be willing to cede control over core business systems unless the benefits far outweigh the risks.

To convince organisations that risks have been addressed, cloud vendors need to provide their clients with details of their information security management program. A number of vendors have obtained ISO 27001 certification for their service offerings. Moving forward, this is something that will no doubt become the benchmark for serious Cloud providers. Certification, of course, does not guarantee security, but it at least provides independent verification that information is governed according to an international standard.

Due diligence is the key for selecting a provider. Customers should demand transparency and ask tough questions regarding risk management and technical security controls. The vendor must be able to provide assurance that any information will be adequately protected and that technical controls and security processes are subjected to regular testing. The customer should dictate the level of assurance detail provided.

So what is a good starting point for an organisation considering cloud computing solutions? A very concise and plain-speaking document is the Australian Government ASD guide “Cloud Computing Security Considerations”. It contains a practical checklist of security considerations to maintain availability and business functionality in the Cloud. http://www.asd.gov.au/infosec/cloudsecurity.htm

For more detailed guidance on implementing the appropriate information security controls, the Cloud Security Alliance website offers much valuable information to assist organisations in making the right decisions. https://cloudsecurityalliance.org/

There are some unique security considerations when it comes to cloud services which are not encountered in an organisation’s on-premises operations.

The key ones are:

· The problem of multi-tenancy
Multi-tenancy is a term used to describe the shared use of a cloud computing resource by multiple customers. An example of multi-tenancy might be a large database server running multiple secured databases for numerous users, or a virtual machine server running multiple instances of an operating system.

The issue with multi-tenancy in the Cloud is that a customer’s instance may be running on the same physical hardware as an attacker’s. The attacker may be able to compromise shared physical resources or escape the virtual machine to execute arbitrary code on the physical host. Several VM escape vulnerabilities have been identified by security researchers. As more customers take up virtualised Cloud computing services, these technologies will come under increased hacker scrutiny and more vulnerabilities are likely to appear.

· The chain of third parties
Cloud providers tend to work with a number of third parties. A hosted application may run on another cloud provider’s hosted infrastructure; however, your service level agreement is with the hosted application provider. In the event of an incident affecting the infrastructure provider that results in loss of access to the application, it may be unclear what each provider’s responsibilities and commitments for service recovery are. An organisation needs to identify, with its frontline cloud provider, any potential third parties involved in managing its data and ensure they answer the same key questions on information security.

· Data security and backup
One of the first questions asked of cloud providers is: where on the global map is my data stored? The more important questions are around responsibilities for data security:

I. Is the provider responsible for data backups?

II. If a contract is terminated, is there a provision for the cloud provider to supply an export of the application data?

III. Does the organisation have the capability to meaningfully use exported data?

IV. Is the provider obliged to report incidents and data breaches to the client?

Often Cloud service level agreements do not have much detail regarding backup arrangements, nor do they specify what would happen in the event of data loss or a security breach. The onus of risk for data security and backup is more than likely pushed back onto the customer.

Below is an extract from a cloud provider service level agreement that CQR recently reviewed:

“Customer remains solely and fully responsible for any data, material or other content posted, hosted, stored… using the cloud provider Network or Services. Cloud provider has no responsibility for any data, material or other content created on or accessible using the cloud provider Network or Services”

· The virtual system administrator
A company’s system administrator has clear responsibilities and functions for controlling user and data access. He or she abides by the company’s code of conduct, and their job performance can be reviewed and subject to consequences in relation to negligent actions. When the employee moves on, the HR process kicks in to revoke their access and ensure any privileged account passwords are changed.

In the Cloud, depending on the time of day and/or your location, your services could be administered by one of perhaps three global teams, or by a provider’s helpdesk with dozens of privileged users. A request to change a user’s access or application rights may be made by email and acted upon by one of these virtual administrators.
 
The level of risk these virtual administrators pose to the company needs to be understood. It is not unreasonable to request that the cloud service provide evidence of how they manage privileged user accounts in your environment, and what the processes are to grant and revoke such privileges given inevitable staff changes.

Part 3 following tomorrow...

Greg Starkey
Business Development Manager, Government & Commercial
www.cqr.com

Tuesday, 14 January 2014

Securing Cloud Services Part 1

Introduction
The use of the word “Cloud” to describe hosted IT services is something of a misnomer. Even though its origin is a symbol on a network diagram, it still conjures a vision of a floating entity over which you have no control and which may not be there in the morning. However, it is a very pervasive marketing term and has strong acceptance.

Cloud is not so much a technology as a convergence of multiple streams of technology into a new service layer. It is categorised into three major service offerings, which require different security considerations:

Infrastructure as a Service (IaaS) is the delivery of computer infrastructure (typically a platform virtualisation environment) as a service. Rather than purchasing servers, software, data centre space or network equipment, clients instead buy those resources as a fully outsourced service. The service is typically billed on a utility computing basis, and the amount of resources consumed (and therefore the cost) will typically reflect the level of activity. Storage as a Service (remote backup) is often cited as a subset of IaaS.

Platform as a Service (PaaS) provides all of the facilities required to support the complete life cycle of building and delivering web applications and web services, with no software downloads or installation for developers, IT managers or end users.

Software as a Service (SaaS) is a model of software deployment whereby a provider licenses an application to customers for use as a service on demand. SaaS vendors may host the application on their own web servers or download the application to the consumer’s device, disabling it after use or after the on-demand contract expires.

For SaaS and PaaS the primary security focus is on data integrity, availability and confidentiality, whilst with IaaS the focus is on technical controls.

The Move to Cloud

Every day more organisations are moving their data into the Cloud, with increasing reliance on web applications and hosted services as core components of their business operations. 

More often than not the move to cloud services is driven by business divisions identifying a new solution they want now, one which is not dependent on internal IT resourcing or constraints. Unfortunately, at times the value of the data or the issues around integration of cloud and on-premises data are overlooked. This can result in many post-implementation ad hoc activities that can compromise data and system security.

Just as important, the risks cannot be entirely outsourced. Servers go down, hardware fails, and networks lose connectivity. Underlying all these potential issues is the general risk of a business losing control over its own data and not being able to account for it if things go wrong.
 
Look out for Part 2...
 
Greg Starkey
Business Development Manager, Government & Commercial

Monday, 4 March 2013

The Perils of Cloud Analogies

Moving your operations to the cloud is like... a dream for those who love analogies. All sorts of things have been claimed, but there is only one reality. It's like outsourcing, because that's exactly what it is.

The biggest business risk with outsourcing is that you replace technical controls with contracts, and while a move from tactical operation to strategic management looks excellent in a business plan, it can fail badly when interacting with the real world. The claim that "insert-vendor-here" should be better at running the infrastructure because they developed it is much more an article of faith than a well-reasoned position.

Consider the failure of the Windows Azure platform over the last weekend. I noticed it when I couldn't play Halo 4. As a gamer it didn't occur to me that there was anything deeper than the Halo servers not working, but it turns out they were hosted on a cloud infrastructure. And the cloud had failed. Completely. The reason: "Storage is currently experiencing a worldwide outage impacting HTTPS operations due to an expired certificate." In 2013.

Information security is a people business, and the people failed.
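The outage above came down to a control nobody was running: a check that the certificate had not lapsed. As an added example (not code from the post or from Microsoft), here is a small POSIX shell check that wraps the openssl command-line tool (assumed installed) and warns when a certificate expires within a chosen window; it generates its own throwaway certificate as constructed input so it runs offline.

```shell
#!/bin/sh
# Added example: certificate-expiry check built on the openssl CLI (assumed
# installed). Nothing here is from the original post.

# Succeed (exit 0) if the PEM certificate in $1 stays valid for at least $2 more
# days; fail (exit 1) if it expires inside that window or has already expired.
cert_ok_for_days() {
    seconds=$(( $2 * 86400 ))
    openssl x509 -noout -in "$1" -checkend "$seconds" >/dev/null 2>&1
}

# Print the notAfter date of a PEM certificate, for the operator's report.
cert_not_after() {
    openssl x509 -noout -in "$1" -enddate | sed 's/^notAfter=//'
}

# Write a throwaway self-signed certificate valid for $2 days to $1. This is
# constructed test input so the check can be exercised without a live service.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" \
        -out "$1" -days "$2" -subj "/CN=constructed.example" >/dev/null 2>&1
}

# Check every certificate after the first argument against a warning window of
# $1 days, report each one, and fail if any is about to lapse, so the function
# can drive a cron job or a monitoring alert.
check_certs() {
    window="$1"; shift
    rc=0
    for cert in "$@"; do
        if cert_ok_for_days "$cert" "$window"; then
            echo "OK       $cert (expires $(cert_not_after "$cert"))"
        else
            echo "WARNING  $cert expires within $window days ($(cert_not_after "$cert"))"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone demo: a 2-day certificate passes a 1-day window but not a 30-day one.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_test_cert "$tmp/short.pem" 2
    check_certs 1 "$tmp/short.pem"
    check_certs 30 "$tmp/short.pem" || echo "demo: warning raised as expected"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see both outcomes; in production, point `check_certs` at the certificates actually served and alert on a non-zero exit.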

As Sony previously discovered, the total failure of a game platform is a pain, but it isn't going to threaten the company. To Microsoft's credit, they had it all restored in about 8 hours.

But Windows Azure doesn't just host games - it hosts businesses. And the same failure happening in the middle of the week would mean that businesses that had fully moved to the Microsoft cloud could do nothing. No backup. No failover. No disaster recovery. Because all the availability controls were outsourced. And it is very unlikely that the clients using the service are big enough to make any contractual claim for loss.

This isn't just a Microsoft problem; Amazon had the same sort of outage last year. Every cloud hosting provider will have these problems.

So here's my cloud analogy: it's like putting all your eggs in one basket - a basket you've never seen and can't locate - along with everyone else's eggs, and having faith that this will be managed well by the fox.

Phil Kernick
Chief Technology Officer
@philkernick
www.cqr.com