
Page 1: Promoting Public Cloud Workload Security: Why Risk ... · 33 Securing the Cloud By Barettè Mort – ISSA member, North Texas Chapter This article discusses cloud environments and

January 2016, Volume 14, Issue 1

Promoting Public Cloud Workload Security: Legal and Technical Aspects

Gaining Confidence in the Cloud

Why Risk Management Is Hard

Securing the Cloud

SECURING THE CLOUD

ISSA INC.
12100 Sunset Hills Road, Suite 130
Reston, Virginia 20190


Table of Contents

DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

©2016 Information Systems Security Association, Inc. (ISSA)

The ISSA Journal (1949-0550) is published monthly by the Information Systems Security Association, 12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190.

Articles

22 Gaining Confidence in the Cloud
By Phillip Griffin – ISSA Fellow, Raleigh Chapter and Jeff Stapleton – ISSA member, Fort Worth Chapter
In cloud deployments organizations remain responsible for ensuring the security of their data. Can cloud-based technologies, such as the blockchain, play a role in providing cloud subscribers assurance their data is being properly managed and that their cloud service provider is in compliance with established security policies and practices?

27 Why Risk Management Is Hard
By Luther Martin – ISSA member, Silicon Valley Chapter and Amy Vosters
Risk management is harder than we would like it to be because people do not think rationally. Our built-in irrational biases affect all of the decisions that we make, and this includes how we choose to manage risks. Fortunately, we now understand how our biases work, so we can account for them and avoid making some of the bad decisions that they might lead us to make.

33 Securing the Cloud
By Barettè Mort – ISSA member, North Texas Chapter
This article discusses cloud environments and focuses on security issues in the areas of availability, privacy, and reliability.

Also in this Issue

3 From the President
4 From the Editorial Board
5 Sabett’s Brief
Cloud Security for a New Year
6 Herding Cats
Bring Your Own Solution
7 Security Awareness
The Security Advice Magic Quadrant
8 Security in the News
9 Perspective: Women in Security SIG
Oh Baby - The IoT and Security
10 Open Forum
Your CISSP Is Worthless – Take Two
11 Ethics and Privacy
The Increasing Significance of Ethics in IT Security
12 Association News

Feature

16 Promoting Public Cloud Workload Security: Legal and Technical Aspects
By Jason Paul Kazarian
As workloads are moved from privately owned, on-premises infrastructure to public cloud computing platforms, an organization must rely more on external legal and technical aspects (compared with internal policies, procedures, and tools) for managing security. This article reviews such aspects from a security perspective.

2 – ISSA Journal | January 2016


From the President

International Board Officers

President
Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow

Vice President
Justin White

Secretary/Director of Operations
Anne M. Rogers, CISSP, Fellow

Treasurer/Chief Financial Officer
Pamela Fusco, Distinguished Fellow

Board of Directors
Frances “Candy” Alexander, CISSP, CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Rhonda Farrell, Fellow
Garrett D. Felix, M.S., CISSP, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow
Alex Wood, Senior Member
Keyaan Williams
Stefano Zanero, PhD, Fellow

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.

With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.

The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

Hello ISSA Members
Andrea Hoy, International President

The year 2016 will be a year of growth for ISSA as we focus on our commitment to drive financial decisions to ensure they will positively affect and give back to the chapters and membership. The Special Interest Groups—Security Education Awareness, Women in Security, Healthcare, and Financial—are providing networking opportunities with the communities that interest our members, and there are other areas in our community where we can expand in 2016.

The Cyber Security Career Lifecycle (CSCL) is providing both members and non-members, who might decide to become members, visibility into the personal career path some of our members are sharing in video clips. There is now structure to the CSCL career levels and much more to come in 2016.

The topic this month is about securing the Cloud. If you think about it, the success of ISSA is dependent upon what happens in a different cloud. ISSA could not and cannot be sustained without all the work our member volunteers do at both the chapter and international levels, providing leadership and visibility in the cybersecurity community and beyond. I have met many members over the past few months and hope to meet more of you this year.

I would be remiss if I did not take this opportunity to recognize and thank all of you—and you know who you are—for the time you serve and volunteer to make ISSA relevant in your local communities and beyond: speaking at schools/colleges, community gatherings, conferences, summits, webinars; writing books, blogs, papers, articles—especially for the Journal—and more; training, teaching, donating your time, sharing your passion, serving as a leader at a chapter, and serving on or leading a committee. We are fortunate to be in a professional association where it is easy to support and give back to our community.

ISSA is great because of the networking between its members and what you, the members, do to make and keep it relevant with your feedback.

Here is to a successful 2016!

Thank you! And I hope to meet and hear from more of you all in this new year!

Moving forward,

Happy New Year!

January 2016 | ISSA Journal – 3


The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components.

The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

4 – ISSA Journal | January 2016

From the Editorial Board

Editor: Thom Barrie [email protected]

Advertising: [email protected]
866 349 5818 +1 206 388 4584

Editorial Advisory Board
Phillip Griffin, Fellow
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Kris Tanaka
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow

Services Directory

Website
[email protected]
866 349 5818 +1 206 388 4584

Chapter [email protected]
866 349 5818 +1 206 388 4584

Member [email protected]
866 349 5818 +1 206 388 4584

Executive [email protected]
866 349 5818 +1 206 388 4584

Vendor [email protected]
866 349 5818 +1 206 388 4584

Information Systems Security Association
12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190
703-234-4082 (direct) • +1 866 349 5818 (USA toll-free) • +1 206 388 4584 (International)

Thank you for a great 2015 – looking forward to an even greater 2016.

Joel M. Weise – ISSA Distinguished Fellow and Editorial Advisory Board Chairman

I would like to close out 2015 with a thank you to our international board, and Andrea Hoy and Candy Alexander in particular, for some amazing support in a year that saw many changes to our association. Likewise, a thank you to all of the members of the Journal’s editorial board for their tremendous efforts to ensure we publish an industry-respected information security journal—thank you, Phillip Griffin, Michael Grimaila, John Jordan, Mollie Krehnke, Joe Malec, Donn Parker, Kris Tanaka, and Branden Williams.

I would also like to thank the authors of the 49 articles, 11 columns and 10 editorials for their contributions—69 authors altogether. Without their efforts there would be no Journal.

Lastly, the Journal could never be put together and published without the incredible efforts of Thom Barrie, our editor. A huge thank you to Thom.

Although this year we bid farewell to two long-time columnists, toolsmith’s Russ McRee and Risk Radar’s Ken Dunham, we were lucky enough to introduce two new columns that have been well received: the Women in Security SIG’s Perspective: Women in Security, which complements the monthly webinars, and the Open Forum, which is an editorial soapbox for any information security subject by anyone with an opinion.

We have also introduced new recognitions for authors, one of those being for the best article of the year. Our first recipient of the Best ISSA Journal Article of the Year is “Troubling Trends of Espionage” by Ken Dunham. Congratulations, Ken.

I have but a single request to the members of our association. Putting together the Journal is a significant effort and requires authors willing to be published. We need more members to participate as authors. Please review the editorial calendar, pick a subject you would like to write about, and submit it to the Journal. I can’t think of a better way to promote one’s career than getting published in the Journal.

– Joel Weise


Sabett’s Brief

Cloud Security for a New Year

By Randy V. Sabett – ISSA Senior Member, Northern Virginia Chapter

As I sat down to write this month’s column on cloud security, I thought to myself, “it’s now 2016—what could possibly be new in cloud security?” Well, for one thing, we are getting better at telling whether or not someone is a dog. Of course, it goes without saying that my four dogs are not very happy about this. In any event, liability concerns around cloud security will continue to be a prominent issue this year.

When examining the issue of liability involving cloud security, I am reminded of a client that I had several years ago. This was back in the day when security was not a top-of-mind issue for many companies. For many entities, provisioning cloud services was done at your own risk, and a risky business it was. My client was, at that time, one of the only cloud service providers that was offering a complete suite of security protections out-of-the-box. When you signed up for their services, you knew you were getting top-of-the-line security. Not surprisingly, you would also have been paying higher rates, but such is the price of security.

During the same period, I also worked with clients who were consuming cloud resources. For these clients, I often found myself counseling them on how to structure their contracts with cloud service providers. I and my colleagues had come up with a list of 14 different items that required, at least to some extent, slightly different treatment when provisioning cloud services. While many of those older concerns are now being addressed by a majority of cloud service providers, there are several considerations that will likely be relevant in 2016. Here are a few:

Public versus private. An ongoing debate with liability implications involves whether to implement a public cloud or a private cloud. Many commentators appear to believe that a private cloud strategy can make compliance with regulatory or contractual requirements easier (e.g., HIPAA privacy and security rules or PCI DSS), but rarely are such simple rules as straightforward as they would seem. True security depends more on the strategy employed by an organization toward cloud security as opposed to where that cloud is deployed.

Increase in hybrid cloud deployment. In light of the preceding issue and in order to address certain security concerns, a number of organizations have opted to use a hybrid cloud approach. This trend is likely to continue throughout 2016.

Mobile intersects with cloud. The Cloud Security Alliance recently released a white paper that incorporates various components from the NIST 800 series to address security issues that may arise when mobile applications utilize cloud services. As mobile technology and mobile deployments become more and more ubiquitous, the use of cloud resources by those mobile technologies will continue to increase dramatically. Appropriate thought must be given to such deployments.

Cloud decision-making process. The research firm Insight released findings from a recent cloud survey that showed almost 60 percent of decisions involving cloud deployment are made by the CIO of an organization, with input from the CFO and/or chief security officer.

Overall increase in cloud usage. According to a number of commentators, historically cloud deployment was most frequently used by large entities. Over the past couple of years, however, the number of SMB customers has steadily increased. Various predictions have this trend continuing throughout 2016.

Basic blocking and tackling. Despite clear advances in the security posture of many organizations, the continuing parade of data breaches and information spills often can be traced back to very basic information security lapses. These often have nothing to do with cloud implementation or cloud security, but instead involve relatively well-known infosec issues.

Well, that’s about it for this month’s discussion of the cloud. As you can see, security will continue to be a prevalent issue for cloud deployments over the foreseeable future. As with any other technology, however, attention to security basics will go a long way toward securing the cloud. Speaking of which—I’m off now to sign up Pepper, Zoe, Jake, and Bert for their new cloud credentials…and we’re not going to reveal that they are dogs…

About the Author
Randy V. Sabett, J.D., CISSP, is Vice Chair of the Privacy & Data Protection practice group at Cooley LLP (www.cooley.com/privacy), and a member of the Boards of Directors of ISSA NOVA and the Georgetown Cybersecurity Law Institute. He was a member of the Commission on Cybersecurity for the 44th Presidency, named the ISSA Professional of the Year for 2013, chosen as a Best Cybersecurity Lawyer by Washingtonian Magazine for 2015-2016, and can be reached at [email protected].

January 2016 | ISSA Journal – 5


Herding Cats

Bring Your Own Solution

By Branden R. Williams – ISSA Distinguished Fellow, North Texas Chapter

Like many of you, I work for a company that has a quite oppressive information technology policy for good reason. While it does quite a bit to keep rogue or unknown bits of software out of the corporate environment, it creates an interesting dynamic whereby we can be more efficient in our personal lives than in our work lives. I often find that my ability to be efficient is hindered by a missing tool, app, or access to some resource. Let’s explore an example.

During my academic career I had to manage a massive list of sources and references to materials that I used in various work products. Course work aside, I was having to keep track of over 160 different artifacts, the physical paper or book in most cases, and the reference materials needed to keep it all together. Add course work to the mix and that number goes up by well over 400 additional sources. Not only did I need to search through this information on a regular basis to ensure I was supporting my arguments correctly, but I continue to use it today when I am at work. It’s my own personal library that I continue to maintain (both adding, updating, and culling) as needed. With that many references, there is no way that I could manage it through flat files and an Excel spreadsheet (yes, I tried that). Instead, I keep this going through a library management tool (I use Mendeley now) with everything synchronized to Dropbox so I could access my materials from anywhere. My last two companies didn’t have an issue with Dropbox, but my current one does.

With BYOD, I have a halfway solution. Essentially, I can use my iPad or iPhone to search through my reference materials and then find a way to email any relevant artifacts over. In doing that, I lose time fumbling with devices and messing with corporate email.

The discussion related to cloud and personal devices isn’t really limited to the device anymore. It’s really a Bring Your Own Technology, or Bring Your Own Solution discussion. The cloud has permeated into everything we do, and when things are not synchronized, we end up fighting with our devices. Now you can see why we can be so much more efficient in our personal lives than we can at work. Given the amount of corporate dollars spent on information technology, that should infuriate you.

There are good reasons why you don’t want certain applications, services, and devices around your networks and data. There are also great reasons why you want to improve your security posture in a way that allows for many of these technologies to be used by employees. Over the seven-plus years that you all have indulged me by not using this column only as kindling, we’ve discussed things like layered security approaches, actively hunting our adversaries, and embracing the technologies that are out there to understand how to safely incorporate them into the user experience so they don’t create shadow IT.

You can’t stop there, however. There is quite a bit of user education that everyone who is bringing his own solution should complete. Everyone using these technologies must understand the answers to questions like what’s OK to put in Evernote and what’s not. As a security professional, you must ask what tools you need to make sure that you can back the user training up with solid controls that prevent an accident—your multi-layered approach.

Even though this issue is dedicated to securing the cloud, I wanted to explore the benefits of the cloud for the individual worker and how we can leverage those safely. I would be surprised if there are people reading this that have not used some sort of cloud service by now (perhaps unwillingly) and thought that it could help solve some other problem they deal with professionally. The problem may be more accurately described as securing ourselves to enable the power of the cloud for our users.

So as you kick off your activities for 2016, let’s spend some time focusing on enabling our users. If you took my challenge to live life as a regular user last month, you probably have a short list of things that you can start working on now that will make you a hero in your users’ eyes. Let’s see if we can find ways to make our users more productive while keeping the goals of securing the enterprise intact.

About the Author
Branden R. Williams, DBA, CISSP, CISM is the CTO, Cyber Security Solutions at First Data, a seasoned security executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.

6 – ISSA Journal | January 2016


Security Awareness

The Security Advice Magic Quadrant

By Geordie Stewart – ISSA member, UK Chapter

The challenge of how we structure, analyze, and select the security advice we deliver to end users has been a recurring topic in this column. We can’t provide unlimited advice to unlimited people, so we need to prioritize. Costs need to be understood. We need to consider not just the displacement of productive activities for employees sent on training but also attention spans that are part of a finite economy. Training people on X reduces their tolerance to absorb Y. Everyone has his limits no matter how interesting or important we think our information is.

When selecting which security advice to prioritize, it’s important to consider two aspects. Firstly, will the advice you’re giving be valid in the longer term? Or, is the advice likely to become obsolete as threats and attack techniques rapidly evolve? Secondly, to what degree is the advice we’re giving likely to be effective? Will it only be valid in very specific circumstances, or will it be a reliable rule-of-thumb or universal truth that can be widely applied? The holy grail of advice, therefore, should be to focus on the long-term advice that addresses the widest set of risks possible. Sounds simple, but arguably much of our advice has historically been short term and situation specific.

For example, consider how our anti-phishing security awareness advice has changed over the years. Much of it was short term in nature that quickly became obsolete as threats quickly evolved. We told people to avoid .ru links so attackers moved to different addresses. We told people to watch out for spelling mistakes and poor grammar so attackers improved their English. We told people to use https connections so attackers made sure to get a certificate for their phishing sites and use SSL. Our advice now remains as a useless evolutionary awareness appendage or worse. There are people that conclude an email is safe just because it is grammatically correct and the embedded links use https. It would be easy to say that users have misunderstood the difference between transaction privacy and entity authentication, but I suspect we haven’t made it any easier for them.

In contrast, the advice to avoid opening attachments or links in emails that you’re not expecting remains as potent as ever. It’s a universal truth that is likely to remain true in the future as well. With the benefit of hindsight, our security advice needs to be strategically focused as much as possible to focus on these long-term, universal “truisms” rather than short-term tactical fixes. If you’re about to issue advice to users, consider where it fits. In some cases perhaps it could be tweaked to lift out some specific detail that would limit the longevity of the advice and make it a universal truth that would fit into the “strategic” box.

What do you think of the Security Awareness Advice Magic Quadrant? Does it help to provide structure and a way to classify our communications? Do get in touch with your views.

In other news, the Australian government has issued “advice” encouraging people to switch off two-factor authentication when traveling overseas.1 Apparently, two-factor authentication isn’t really all that important when using wireless Internet from strangers or connecting from an Internet café. Unbelievable. This kind of awareness pollution2 makes our job much harder.

[Figure: Security Awareness Advice Magic Quadrant. Horizontal axis: Duration of Effectiveness. Vertical axis: Degree of Threat Mitigation. Quadrants: Evolving – short-term mitigation for a wide range of threats; Strategic – long-term mitigation for a wide range of threats; Tactical – short-term mitigation for specific threats; Enduring – long-term mitigation for specific threats.]

About the Author
Geordie Stewart, MSc, CISSP, is the Principal Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog is available at www.risk-intelligence.co.uk/blog, and he may be reached at [email protected].

1 http://www.theregister.co.uk/2015/12/22/australian_government_twofactor_auth/.

2 http://www.risk-intelligence.co.uk/issa-security-awareness-column-march-2013-lowering-security-awareness/.

January 2016 | ISSA Journal – 7


Security in the NewsNews That You Can Use…Compiled by Joel Weise – ISSA Journal Editorial Board Chairman, ISSA Distinguished Fellow, Vancouver, Canada Chapter and Kris Tanaka – ISSA member, Portland Chapter

Data Encryption in Sharp Focus after Deadly Attackswww.securityweek.com/data-encryption-sharp-focus-after-deadly-attacks

It seems that recent terrorist attacks have yet again sparked the battle over the use of encryption. We’ve heard this before. Remember the Clipper chip and the LEAF back door? Restricting the use of encryption is simply not the answer. As Bruce Schneier often points out, getting the bad guys is all about plain old, every day, good police work. Furthermore, I, for one, am not willing to give up my privacy by allowing back doors to exist as I think in the long run, it makes us all less secure.

Silent Circle’s Encrypted Phone App Cleared for US Government Usewww.zdnet.com/article/silent-circle-phone-app-cleared-for-us-government-use/

This sums it up as far as I’m concerned. “Analysis: The question shouldn’t be if encryption should have back doors, but why intelligence agencies have begun shifting the blame onto those who push for privacy.” Silent Cir-cle looks like the STU-III phones for the Millennials. In fact, I can’t wait to try it out.

Brazen North American Cyber Underground Offers DIY Criminal Wares for Cheapwww.darkreading.com/endpoint/brazen-north-american-cyber-underground-offers-diy-criminal-wares-for-cheap/d/d-id/1323449

If there was any doubt as to how easy it is to set up a cybercrime enterprise, read this article. It is a great primer on how simple it is to obtain malware and crimeware kits. I did notice one odd thing. Why is a fake US passport only going for $30 while a fake driver’s license costs $145?

Biggest Data Breaches of 2015www.networkworld.com/article/3011103/security/biggest-data-breaches-of-2015.html

It seems like every year is worse than the last—health care, government, financial services, social media, you name it. The only problem I see is that the average attention span of most business people is about three min-utes, and thus they fail to make real and lasting changes in their information-security posture.

80 Percent of Companies Had a Security Incident in 2015www.infosecurity-magazine.com/news/80-companies-had-a-security/

Are we worrying too much? Fifty-three percent of IT professionals surveyed reported that they were concerned about ransomware in 2016; however, only 20 percent of organizations experienced a ransomware incident in 2015. In addition, 39 percent and 37 percent of IT professionals also worry about data theft and password breaches, respectively; but only five percent of organizations had an incident of data theft in 2015, and only 12 percent experienced a password breach. On the other hand, perhaps worry is a good thing since 71 percent of IT profes-sionals expect their organizations to be more secure in 2016 thanks to new investments in more advanced security solutions and end-user trainings.

Cloud in 2015: Year of Shake-up, Consolidation, Advancewww.informationweek.com/cloud/infrastructure-as-a-service/cloud-in-2015-year-of-shake-up-consolidation-advance/d/d-id/1323376

This is a good review of current state of cloud computing. Amazon Web Services has quickly taken the lead in the industry, but its competitors are scrambling to change their strategies in an attempt to rebalance the cloud power scale. Who will win? That remains to be seen. But it will be exciting to see what technological break-throughs will occur, thanks to this quest for cloud dominance.

Where We’ve Been. Where We’re Going.www.csoonline.com/article/3015379/security/where-we-ve-been-where-we-re-going.html

In general, I agree with most of what the article says about the world of information security. Some points, how-ever, are overplayed. Sure, we had a lot of high-profile attacks, but I really don’t think they create the positive impact needed to improve data security. The one item that should give us all some pause is the re-emergence of shadow IT. The last thing most CISOs want is some wayward department opening back doors into the organization.

Apple Pay and Other Mobile Payments: Why We Still Don’t Use Them
http://venturebeat.com/2015/12/13/apple-pay-and-other-mobile-payments-why-we-still-dont-use-them/?utm_content=buffer1cc8f&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer

As one involved in the development of EMV, I am always curious as to what the latest and greatest is in mobile payments. All told, if this is accurate, Apple has a long way to go before people will adopt this financial service tool. Unfortunately, I know their pain—it’s only taken close to 20 years for the US to embrace chip cards.

Cybersecurity Predictions for 2016

After the holiday chaos settles down for a long winter’s nap, people tend to pull out their crystal balls in an attempt to forecast what’s ahead for cybersecurity. Here are a few prediction articles for your reading pleasure. Note: You might want to tuck them away and pull them out again at the end of the year to see just how accurate these prognosticators actually were. Happy New Year!

Top 15 Security Predictions for 2016
www.csoonline.com/article/3013060/security/top-15-security-predictions-for-2016.html

A Few Cybersecurity Predictions for 2016
www.networkworld.com/article/3015442/security/a-few-cybersecurity-predictions-for-2016.html

Cybersecurity Predictions for 2016: Choosing Leadership over Luck
www.forbes.com/sites/forbestechcouncil/2015/12/10/cybersecurity-predictions-2016-choosing-leadership-over-luck/

Industry Experts Predict the Top Cybersecurity Trends for 2016
www.esecurityplanet.com/network-security/industry-experts-predict-the-top-cyber-security-trends-for-2016.html

8 – ISSA Journal | January 2016


Perspective: Women in Security SIG

Oh Baby - The IoT and Security

By Avani Desai – ISSA WIS SIG member

A mother was woken on hearing a strange voice shouting “wake up baby.” Looking around, there was nobody in the house, but she was using a baby monitor that streamed video of her sleeping baby to her cell phone. On investigation she found that someone had hacked into her baby monitor, was watching her baby sleeping, and was trying to wake the baby by shouting through the monitor to “wake up!” This is a chilling story and one which every parent would find frightening.

The advent of the Internet brought with it new ways in which cybercrime could be committed. We have seen this borne out by the increasing number of web-based threats and the exposure that email has brought with it—phishing being one of the most successful vectors for malware infection and data exfiltration. The Internet of Things (IoT), whereby the most domestic of devices like a fridge or a baby monitor is web enabled, is now taking these threat levels to a new extreme; and the worry is that the manufacturers of IoT devices are not keeping up with the threat potential.

The problem stems from the speed at which IoT has swept upon the technology landscape. IoT devices are often connected up to web applications like email accounts, Google calendars, and other data-rich applications. Cybercriminals are after the data, not the device; the device is simply the conduit. McAfee and Intel predicted that by 2020 there would be 31 billion IoT devices worldwide, and they are now saying this is an underestimate. This opens up a massive exploit base for cybercrime, making security by design an integral part of IoT devices.

Protecting our infants

One of the areas where we are seeing IoT device innovation is in the field of parenting. There is a small explosion of devices that are now connected to other devices such as mobile phones and via the Internet that are designed to help in “bringing up baby.” Health apps are a critical focus area. Devices such as the Pacif-I, which tracks your baby’s body temperature through a pacifier connected to a mobile app, are a typical example. The already mentioned video baby monitor lets you connect to a camera through a mobile app to monitor your sleeping baby. There are even baby onesies that monitor your baby’s temperature, sleeping position, and breathing patterns and send the data to a mobile app. This is creating large quantities of highly personal information about your baby. It is our duty as parents and as a society to protect them and prevent exposure of their personally identifying information.

Some areas are of concern regarding the security of the devices we are using to try and monitor and protect our children. Here are three areas that make these monitors insecure:

Poor implementation of Internet security protocols. VTech just announced that a database including names, birth dates, and genders of 5 million customers and their children was stolen by hackers. However, this isn’t an area just confined to baby monitor vulnerabilities; other IoT devices like the Samsung smart fridge have been found to have serious flaws because of poorly implemented Internet security protocols (i.e., SSL/TLS), allowing cybercriminals to steal login credentials and data. Regarding a video monitor, a cybercriminal could exploit this vulnerability, potentially accessing unencrypted streamed video, or steal authentication credentials, which could then be used to log in and take control of the device.

Back-door accounts. Often baby monitors (and other IoT devices) have factory-set default usernames and passwords so, for example, you can log in and control the device using username “Admin” and password “Admin.” These are, of course, guessable, and brute-force attacks can then give a hacker access to the device. In the case of a baby monitor, for example, the cybercriminal could add new accounts to the device creating their own “baby show”—horrifying stuff.

Authentication bypasses. Any system that allows new users to be added without an authentication check at the time of account creation is highly vulnerable to abuse. Certain baby monitors have been shown to allow new users to be added without asking for a password or other authentication credential. Hackers can simply add new users, at will, to any of the vulnerable systems using a very simple URL hack.
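The three weaknesses just listed can be seen side by side in a small model of a device's account handling. The code below is an added illustration written for this column; it is not code from any baby-monitor product or from the author, and the device classes, the factory default of admin/admin, the per-unit initial password, and the sample passwords are all constructed for the example. The weak version ships a fixed default account in plaintext and lets anyone add a user with no check at all; the hardened version issues a per-unit random initial password that must be changed before the device accepts further administration, stores only salted PBKDF2 digests, and requires an authenticated administrator session before a user can be added. The last two functions contrast a client TLS context with certificate verification switched off against the library's default verified configuration, with a check a reviewer can run against either.

```python
# Toy model of an IoT device's account and TLS handling. Added illustration
# for this column, not code from any real product.
import hashlib
import hmac
import os
import secrets
import ssl

# Constructed factory default, matching the "Admin"/"Admin" case in the column.
FACTORY_DEFAULTS = {"admin": "admin"}


def _hash_password(password, salt):
    # Salted PBKDF2 so a stolen user table does not yield plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class WeakDevice:
    """Fixed default account, plaintext passwords, anyone may add users."""

    def __init__(self):
        self.users = dict(FACTORY_DEFAULTS)

    def login(self, user, password):
        return self.users.get(user) == password

    def add_user(self, user, password):
        # No session or credential check: the "authentication bypass" case.
        self.users[user] = password
        return True


class HardenedDevice:
    """Per-unit initial password, forced change, hashed storage, admin-only user creation."""

    def __init__(self):
        self.users = {}       # user -> (salt, pbkdf2 digest)
        self.sessions = {}    # token -> user
        self.must_change = set()
        # Assumed printed on the unit's label: unique per device, never "admin".
        self.initial_admin_password = secrets.token_urlsafe(12)
        self._set_password("admin", self.initial_admin_password)
        self.must_change.add("admin")

    def _set_password(self, user, password):
        known_defaults = {p.lower() for p in FACTORY_DEFAULTS.values()}
        if len(password) < 10 or password.lower() in known_defaults:
            raise ValueError("weak or factory-default password rejected")
        salt = os.urandom(16)
        self.users[user] = (salt, _hash_password(password, salt))

    def login(self, user, password):
        # Returns a session token on success, None otherwise.
        record = self.users.get(user)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(digest, _hash_password(password, salt)):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def change_password(self, token, new_password):
        user = self.sessions.get(token)
        if user is None:
            raise PermissionError("valid session required")
        self._set_password(user, new_password)
        self.must_change.discard(user)

    def add_user(self, token, user, password):
        caller = self.sessions.get(token)
        if caller != "admin":
            raise PermissionError("authenticated admin session required")
        if caller in self.must_change:
            raise PermissionError("initial password must be changed first")
        self._set_password(user, password)
        return True


def denied(action, *args):
    """True if the action is refused with PermissionError."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


def client_tls_context(hardened):
    """Client context the companion app would use towards the vendor's cloud service."""
    ctx = ssl.create_default_context()
    if hardened:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # The "poorly implemented SSL/TLS" pattern: certificate checks switched off,
        # so anyone on the path can read credentials and the video stream.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_is_safe(ctx):
    """Review check: verification on, hostname checked, TLS 1.2 or later."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

The `must_change` gate is the part most often missing in shipped firmware: even a strong per-unit password is only a stopgap if the device keeps accepting it as an administrative credential indefinitely, and `tls_context_is_safe` is the kind of one-line assertion a firmware build or code review can apply to every context the client creates.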

Forcing the Web to grow up

This level of security vulnerability is extremely alarming. The rush to get Internet-enabled devices out to market seems to have come at the cost of security and privacy. The protection of our privacy and personal data is one thing, but the thought of our most precious little people being exploited in this way is a step too far. The Internet of Things has opened up some innovative ways in which to keep our children safe, but more thought and work needs to go into making sure those safety nets are safe.

About the Author

Avani Desai, first and foremost a mom, is an Executive Vice President at BrightLine. She has been helping clients with their compliance services for over 13 years. She may be reached at [email protected].


Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author’s and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.

Your CISSP Is Worthless – Take Two

By Frederick Scholl – ISSA Senior Member, Middle Tennessee Chapter

Dave Shackleford’s column in the October 2015 issue got me thinking. Is the CISSP certification worthless? What accomplishments do have value for an information security professional? Over the past 10 years I have divided my time between managing security within a Fortune 50 organization, consulting, and teaching information security at two universities. I have helped dozens of professionals move up the security career ladder or into new security careers. Have certifications helped them toward career success?

First of all, there is no magic bullet certification. A CISSP certification is a piece of paper that does not grant you the right to enter the field. Other experience and skills you will need include on-the-job experience, communication skills, collaboration skills, and just plain enthusiasm. A CISSP cert does show that you have obtained a test-based, broad security knowledge and have been a practitioner for at least four to five years. But that is only the start.

A CISSP will then have to obtain an average of 60 CPEs per year. This continuous improvement is one of the requirements that can add great value to certs like CISSP, GIAC, or CISM. I am always looking for ways to grab more CPE. There’s no need to be satisfied with the minimum required. Are you OK with the minimum security compliance requirements in your organization? The practice of security itself is one of continuous improvement. Certs that do not require CPEs truly are worth no more than the cost of the entrance exam. The other value in certs such as CISSP, GIAC, and CISM is that they all require affirmation of a code of ethics. Isn’t this a critical asset to have in today’s uncertain world?

From a purely financial point of view, today’s certs seem to offer a good “return on investment.” The better known certs add 10-14 percent on top of annual salary, at least for employers who acknowledge certifications. Overall, for a basket of 72 security certifications, the pay premium has increased by +4 percent over the last 12 months.1

College degrees and certs often get questioned in the same conversations about security. What is the value of a degree? Programs that I am personally familiar with require hands-on training, group project collaboration, and internships with industry. The mythical “ivory tower” has disappeared from many security education programs, as it should have. Good college-level degree programs can help provide not only security technical skills, but soft skills and business management skills that security leaders say they need.

Looking at the numbers again, pay premiums for a BS degree over no degree have been reported to be around 60 percent; add another 33 percent for Master’s degree over BS degree.2 These figures are for all fields, not just IT security. Should we make professional certs more hands on? I see some purely technical security jobs disappearing, victims of automated tools and cloud computing. In addition, hands-on security certs are already provided by vendors such as Cisco, Red Hat, and Checkpoint to name only a few.

What about other ways of improving existing certifications? What do employers say they want? According to the 2015 (ISC)2 survey,3 respondents say “broad understanding of the security field and communications skills are the top two factors contributing to a successful security professional.” When I pose the question “what do you really need” to hiring managers, I hear the same thing, with the addition of “enthusiasm.” This is in spite of the usual job listings that we all read. ISACA and SANS have both responded with security management-oriented certification programs.

How else can we improve? We need to raise the bar for our certifications, not just add more specializations. We need to make our certifications meaningful to business leadership. The timing is right for this. According to the 2016 SIM IT Trends Survey,4 information security is the #1 worry for CIOs and senior IT leaders. If we are going to get a permanent seat at the table, we need certifications that are understood and valued by the business leadership. What percent of your CXOs have heard of CISSP, CISM, or GSLC? How many have heard of CPA certification? Compare any security certification exam with the CPA exams that include 14 hours of multiple choice questions, simulation questions, and written questions. We are not there yet. By aligning our certifications with business needs we can help build brand awareness and assure long-term career paths for all of us.

About the Author

Dr. Frederick Scholl, CISSP, CISM, is president of Monarch Information Networks, LLC. He also teaches Risk Mitigation at Lipscomb University and Network Security at Vanderbilt University. He may be reached at [email protected].

1 David Foote, Foote Partners, www.footepartners.com: http://bit.ly/1lXmAbU.
2 “The College Wage Premium,” Federal Reserve Bank of Cleveland, 2012.
3 www.isc2cares.org: http://bit.ly/1GMoD5x.
4 “IT Trends Survey, 2016” www.simnet.org: http://bit.ly/1OdtHYi.

Ethics and Privacy
ISSA PROFESSIONAL ETHICS COMMITTEE – [email protected]

The Increasing Significance of Ethics in IT Security

By Betty Pierce – ISSA Fellow, Colorado Springs Chapter

Professional ethics in the IT security realm is an underpinning to membership in the ISSA, which every member affirms initially and reaffirms upon renewing membership annually. The ISSA Code of Ethics is a time-tested set of standards for behavior and helps each of us decide which course of action is best, given a range of situations and especially the “gray area” between law/regulations and morality. Both law and ethics deal with questions of how we should live together with others, and ethics is sometimes also thought to apply to how individuals act even when others are not involved.1 The character of a person is comprised of all dimensions of his or her life behavior as a trust anchor and carries forward throughout personal and professional realms.

The importance of professional ethics in the IT security realm is increasing as the gap between law/regulations and the dual nature of advanced technologies is growing. It is widely acknowledged that there is an increased ability to perform undetected surveillance and monitoring in both the cyber and physical realms combined, which is exacerbated by the increasing interconnectivity of the environments. Certainly there is a heightened awareness of attempts to bypass and infiltrate/takedown implementations of even the most legitimate of cryptography and anonymity solutions for online communications. Simultaneously, the technology that enables exploiting the theft of information and posting of information meant to embarrass or extort has increased in availability, and adequate controls do not yet exist. Moreover, newly-emerging issues surrounding the Internet’s record of everything and the inability to erase incorrect, inappropriate, or even unflattering content,2 especially when the subject is an underage child, poses a paradox as to which version of the truth becomes a reality over time—the original or the redacted.

In January 2013, the European Commissioner for Justice, Fundamental Rights, and Citizenship announced the European Commission’s proposal to create a sweeping new privacy right—the “right to be forgotten.”3 The right to be forgotten enables an individual to have certain data deleted including information, photos, and videos about themselves from certain Internet records so that they cannot be found by search engines. Many international jurisdictions have now passed “Revenge Porn” laws that criminalized the use of intimate photos or videos of significant others in order to humiliate them and have successfully enforced the law.4 Pre-nuptial agreements for celebrities now may contain restrictions on social media postings,5 and most people would agree that at minimum a serious discussion and a resulting meeting of the minds as a relationship forms would be well-advised with respect to personal information shared online. Case law is beginning to recognize the degree to which customers can hold companies and their executives liable for loss of sensitive information in recognition of the previous “actual unreimbursed theft” to “substantial risk.”6

The above examples are post-facto mechanisms and remedies. Of course, preventive is preferred, but the control technology totally lags and will continue to fall behind, and the gap is growing at an increasing rate.

This article is a call to action. We ISSA members are key to our sustainable culture of ethics that transcends international boundaries, specifically in the area of IT security and resulting privacy. Our individual histories, skills, and approaches are critical to shaping our collective future. Continue and invigorate each person’s commitment to meeting and hopefully exceeding the highest professional standards. Anytime there is a situation, even just a simple question to tossing a few ideas around, consider circling up with your ISSA colleagues that *may* have crossed the same river before.

This new year make it your personal goal to make one positive ethical impact in your sphere of influence when it is crucial to the situation. With 10,000 of us across the globe, we can make a tremendous impact.

About the Author

Betty Pierce, GSLC, is a program manager with a civilian US government agency and high-tech startup junkie with over 34 years in IT, the most recent 15 years specializing in information security. She is the corresponding secretary for the ISSA Professional Ethics Committee, past president of the Denver ISSA Chapter. She may be reached at [email protected].

1 http://www.brown.edu/academics/science-and-technology-studies/sites/brown.edu.academics.science-and-technology-studies/files/uploads/Framework.pdf.
2 http://www.nytimes.com/2014/05/30/business/international/on-the-internet-the-right-to-forget-vs-the-right-to-know.html?_r=0.
3 http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten.
4 http://www.cnn.com/2013/10/03/tech/web/revenge-porn-law-california/index.html.
5 http://abcnews.go.com/Lifestyle/love-perfect-watch-facebook-social-media-prenups/story?id=23977608.
6 http://blogs.wsj.com/cio/2015/07/23/appeals-court-revives-neiman-marcus-data-breach-suit/.


Association News

Upcoming CISO Virtual Mentoring Presentations

Learn from the experts. If you’re pursuing a career in cybersecurity and seeking support on the path to becoming a CISO, check out these upcoming presentations:
• January 14, 2016, 1:00 pm – 2:00 pm EST: Speaker: Demetrios Lazarikos (Laz), CISO, vArmour.
• February 11, 2016, 1:00 pm – 2:00 pm EST: Title and Speaker to be announced.

Visit www.issa.org => Learn => Web Events => CISO Virtual Mentoring Series to register.

Save the dates for the 2016 CISO Forums:
• February 27-28, 2016: San Francisco, CA. Theme: Innovation and Technology. Current Sponsors: Prosoft Systems, Zscaler, Verodin
• May 19-20, 2016: Charlotte, NC. Theme: Infosec and Legal Collaboration. Current Sponsors: Zscaler, Illumio, Proofpoint
• July 31-August 1, 2016: Las Vegas, NV. Theme: Effective Applications of Security Convergence and Analytics. Current Sponsors: Illumio, Proofpoint
• November 3-4, 2016: Dallas, TX. Theme: Think Big. Current Sponsors: Illumio, Proofpoint

Do You Qualify?

The CISO Executive Forums are peer-to-peer events. The unique strength of these events is that members are free to share concerns, successes, and feedback in a peer-only environment. Membership is by invitation only and subject to approval. Membership criteria act as guidelines for approval. If you feel you may qualify to become an ISSA CISO Executive Member, visit www.issa.org => Learn => CISO Executive Forum for more information.

Pre-Professional Virtual Meet-Ups

Thinking about working in cybersecurity? Are you doing everything you can to get started? ISSA Pre-Professional Virtual Meet-Ups can provide you with guidance and advice. Our next Meet-Ups include the following:
• January 25, 2016, 9:00 am – 10:30 am EST: Internships: Do They Really Work?
• February 29, 2016, 6:00 pm – 7:30 pm EST: What Should Your Toolbox Look Like?

Visit www.issa.org => Learn => Web Events => CSCL Meet Ups for current or archived session links.


HYATT REGENCY | DALLAS, TEXAS | NOVEMBER 2-3, 2016

SAVE THE DATE

FEATURING:*
800+ Attendees Expected
60 Sessions | 7 Tracks | CPEs
Up to 100 Exhibits
Career Counseling & Networking Center
Cyber Defense Center
International Awards
ISSA Party in the Sky
CISO Executive Forum

*Subject to change.

Information Systems Security Association | www.issa.org | 866 349 5818 USA toll-free | +1 206 388 4584 International


Association News

Want to learn about ISSA’s Special Interest Groups? Join free at www.issa.org => Learn => Special Interest Groups!

Women in Security SIG
January 11, 2016: 4:00 pm – 5:00 pm EST

Security Education and Awareness SIG
January 27, 2016: 9:00 am – 10:00 am EST

2015 Security Review & Predictions for 2016

2-Hour Live Event: Tuesday, January 26, 2016
9:00 am US-Pacific/12:00 pm US-Eastern/5:00 pm London

Yes, once again some brave (or foolish?) folks will volunteer their insights and make predictions for the 2016 infosec challenges. To a degree, changes in legislation and technology are easy meat to predict in a 12-month time frame. But who could have predicted last year? What is likely to be the next cataclysmic event to rock the industry? Will the winds of change continue to blow security in the “cloud?” Join us, make notes, and then check back in a year to see how we did!

Moderator: Michael F. Angelo, CRISC, CISSP, Chief Security Architect, NetIQ Corporation, ISSA Web Conference Committee Chair

To register, visit www.issa.org => Learn => International Web Conferences.

Get the Recognition You Deserve in 2016

Do you qualify to become a Senior Member, Fellow, or Distinguished Fellow? The ISSA Fellow Program recognizes sustained membership in ISSA and outstanding contributions to the profession. Senior Member status is the first step toward fellowship and requires at least five years of membership. Fellow status is limited to a maximum of two percent of the membership. Distinguished Fellow status is limited to no more than one percent of members at any given time.

Nominations and applications are accepted on an annual cycle. Applications are being accepted until Monday, August 1, 2016, 5:00 pm EDT. Apply today at www.issa.org => Advance => Fellow Program.

Have You Submitted Your Article Proposal for 2016?

The ISSA Journal Editorial Advisory Board is looking for articles for 2016.

Why Should You Write for the ISSA Journal?
• Advance your career
• Gain chapter, national, and global recognition for what you know
• Help others benefit from your expertise
• Showcase your organization
• Receive invitations to speak around the country
• Improve your chance to present on an ISSA International Web Conference
• Improve your chance to speak at ISSA’s 2016 International Conference

Set a personal goal

Check the editorial calendar for themes, and set a personal goal to submit an article. Submit your questions and articles to [email protected]. For reference and to get you started, review theme descriptions and editorial guidelines at www.issa.org => Learn => Journal.

Career Opportunities

Visit www.issa.org => Advance => Career Center

For Cybersecurity Job Seekers
If you are looking to get started or advance in your cybersecurity career, check out the ISSA Career Center. The center offers several hundred available jobs and allows you to post a searchable or confidential resume, increasing the odds that you will find an ideal match.

For Employers
If you’re an employer seeking to fill new or vacant security positions, the Career Center offers an effective, low-cost tool to achieve your HR objectives quickly and simply.

Highlighted Pick of the Litter – Job of the Month
Chief Information Security Officer, Augusta University – Augusta, GA
The Chief Information Security Officer provides enterprise-wide leadership in the enhancement of information security for Augusta University and the Health System.

More jobs you will find on the ISSA Career Center:
• Director of Information Security and New Initiatives, Duquesne University, Pittsburgh, PA
• Senior Information Security Analyst, Sodexo, Williamsville, NY
• Senior Data Management Analyst, Arapahoe County Colorado (Government), Littleton, CO
• Chief Information Security Officer, TMF Health Quality Institute, Austin, TX




Association News

One of the highlights of the annual conference is recognizing members, individuals, and organizations that exemplify the spirit of ISSA, the commitment of its members, and the contributions of the information security community around the world. As volunteerism is so crucial and central to our association, let’s shine the spotlight on this year’s ISSA Volunteer of the Year.

ISSA Volunteer of the Year
David Vaughn, Raleigh Chapter

Mark Hahn, Awards Committee member, introduced David with a few words submitted by Craig Cunningham who nominated David for this award: “David Vaughn is constantly working to provide additional educational content for existing events such as ISSA meetings and helping to support new events such as BSides Raleigh. He has been a volunteer for ISSA, BSides, (ISC)2, InfraGard, Blackhat 2014, Defcon 22, and many others. David does the job of sharing what he knows personally but also searches for experts in diverse fields to teach what he cannot. He has acted not only as a teaching fisherman but also the gatherer of fishermen so that each participant will be prepared even on distant shoals.”

David Vaughn accepting the award:

I want to thank the international board for the recognition and you, Craig, for those kind words. This really goes back to two people who are near and dear to my heart and probably mentors to us all: the late Shon Harris and Jennifer Minella, a local in the Raleigh area and on the (ISC)2 board of directors.

Yesterday I found out the Shon Harris Scholarship Foundation was just shy of its goal by $1,000. I asked the Women in Security SIG if I could champion that effort, and all morning long I’ve been buzzing [I have bees on my tie] around asking people to support the scholarship. I’m happy to report that we have met that goal and exceeded it by $500.

Volunteerism is near and dear to my heart; it’s how I tithe and give back to the community. And it’s not something that will stop here. I’ve asked the international board if they would consider me for a chair or something to contribute the educational stuff that I bring—so you haven’t heard the last of me. Thank you.

We caught up with David after the conference and asked if he wanted to share his thoughts on our industry.

What do you consider to be your most significant accomplishment as an information security professional?

I’ve been blessed to enjoy many accomplishments, but what has had the most profound impact on my life, both personal and professional, has been learning to embrace my failures just as much as any accomplishment. While I have certainly not mastered this, the ability to embrace those failures would be my most significant accomplishment. For example, I had prepared for my CISSP certification while I was deployed to Iraq in 2009-2010. I had thirteen months of study and preparation time while deployed. I felt extremely confident that I was going to ace this test when I returned. Not only did I fail by five points, I failed the second attempt by five points as well. It was then that I met and became friends with the late Shon Harris. After working more closely with her to understand some of the more complex concepts, she told me that she too had failed her first attempt at the exam. It was this failure that drove her to become one of our industry’s best-selling trainers/authors. I couldn’t believe it; I was so grateful for her taking time to mentor me. Another accomplishment that has been significant in my life is the time I’ve spent serving our country in the military. December 1, 2015 marked my 18th year of military service in the United States Army Reserves; without a doubt, signing up has been the most impactful decision in my life. As a Warrant Officer in the cyber community, I am afforded the opportunity to do the things I love every single time I put on the uniform.

What is the most important issue facing the industry and how would you like to see it addressed?

There are many issues that face our industry, but as a father of a little girl and as one whose greatest mentors have been females, the ratio of men to women in information security needs a lot of work. I’ve been in leadership roles with groups like AFCEA International that promote STEM2, (ISC)2 that offers Safe and Secure Online, Microsoft’s DigiGirlz, and now the ISSA Women in Security Special Interest Group. According to a recent story I read on CNN, “Each year the number of women studying and pursuing careers in technology goes down by 0.5 percent; thus by 2043 at the current trend less than one percent of the global tech workforce will be female.” Contributing to the groups trying to provide and promote outreach to all professionals, male or female, it’s a start in the right direction. My daughter, who just turned eight, has already expressed a keen interest in my line of work, which certainly makes the time invested seem far more worthwhile. We enjoy working on projects together like Barcode Shmarcode, a contest that our project won last year. Her interest isn’t motivated by being a female; it’s motivated because she has fun doing

[l-r] International President Andrea Hoy, Volunteer of the Year David Vaughn, Awards Committee member Mark Hahn, and International Conference Chair and Director Stephano Zanero.

2015 International Awards Ceremony, Chicago Conference

Association News

Industry Webinar

Did you miss the fourth webinar in the “Digital Identity Insights” educational webinar series focused on digital identity security, presented in partnership with Thales e-Security?

Digital Certificates – A Critical Line of Defense against Cybercrime
Access the Dec. 16, 2015, recorded presentation at www.issa.org => Learn => Web Events => Industry Webinars.

Digital certificates are a critical line of defense against cybercrime. From authenticating traditional user end-points to enabling trusted e-commerce purchases, digital certificates and the public key infrastructure (PKI) that issues them create a high-assurance foundation for digital security when implemented correctly. Partnering to provide best-in-class PKI solutions, Certified Security Solutions (CSS) and Thales e-Security invite you to this recorded live webinar discussing digital certificate use cases, the security threat landscape, and resolutions to dangerous enterprise problems putting your company at risk for costly outages and data breaches.

Affiliated Events

ISSA Special RSA Conference 2016 Discount
Secure your seat at RSA® Conference 2016, February 29–March 4, in San Francisco. Register today for your five-day full-conference pass, and gain access to two halls of 500+ exhibitors, 400+ expert-led sessions, unprecedented networking, and not-to-be-missed keynote speakers. Use discount code 16UISSAFCD to save $175 off a full pass. Use complimentary expo code 16UISSAXPO for an expo pass.

Dubai – February 29-March 3, 2016
MIS Training Institute warmly invites ISSA members to the 8th Annual Chief Information Security Officer Middle East Summit & Roundtable, February 29-March 3, 2016, Habtoor Grand Hotel, Dubai. The four-day summit brings together global companies and governments in the Middle East and GCC region with peers internationally to share insights on recent projects, deployments, transformations and achievements. Receive a 20-percent discount as an ISSA member. Use code ISSA2016 on the online registration system to redeem your discount, or contact Joleen Sibley, Head of Delegate Relations, [email protected]. To register, please visit www.ciso-summit.com/ciso-middle-east.html.

Turkey – May 17-18, 2016
ENITSE Enterprise IT Security Conference & Exhibition will be held May 17-18, 2016, in Istanbul, Turkey. ENITSE is one of the most important events in EMEA in its category. The conference speeches will be either in Turkish or English and will be simultaneously translated to Turkish or English. When registering, indicate you are a member of ISSA to obtain a 10-percent delegate discount. For more information about the ENITSE Conference, please visit the event website www.enitse.com or contact [email protected].

Copenhagen – May 10-13, 2016
13th Annual CISO Europe Summit & Roundtable 2016 in Copenhagen, May 10-13. Europe’s favorite event for CISOs will reconvene at the Copenhagen Marriott Hotel. Early bird discount ends soon; register before 12/31/2015 to save £600 and get a free signed book. Receive a 20-percent discount as an ISSA member. Use code ISSA2016 on the online registration system to redeem your discount or contact Joleen Sibley, Head of Delegate Relations, [email protected]. To register, please visit www.cisoeurope.misti.com/registration-details.

these things. For me, I think that this is a way to address the gender gap, by being involved with organizations that foster and promote fun opportunities for all.

What would you like to say to your peers?To my fellow members of ISSA, (ISC)2, AFCEA, InfraGard, and the other volunteer organizations and events that I enjoy being a part of—please understand that my personal gain has always been the ability to learn from those experiences and to apply them to all aspects within my life. To those peers who do not belong to any of these organizations, I would encour-age you to take the leap! Network and contribute back to our community! It takes all of us working together to identify and mitigate the issues that create the various challenges we all face. — David Vaughn, Volunteer of the Year

January 2016 | ISSA Journal – 15

Promoting Public Cloud Workload Security: Legal and Technical Aspects

By Jason Paul Kazarian

As workloads are moved from privately owned, on-premises infrastructure to public cloud computing platforms, an organization must rely more on external legal and technical aspects (compared with internal policies, procedures, and tools) for managing security. This article reviews such aspects from a security perspective.

Abstract
As an organization moves its workloads from privately owned, on-premises infrastructure to public cloud computing platforms, the organization’s Chief Information Security Officer (CISO) is tasked with maintaining information security. This requires a CISO to rely more on external legal and technical aspects (compared with internal policies, procedures, and tools) for managing security.

This article reviews such aspects from a security perspective. It introduces a definition of various cloud service types, discusses legal aspects of cloud security starting with the impact of a service level agreement (SLA) on overall cloud security, including SLA limitations and obligations, and continues the legal discussion with data residency aspects, including concerns for multi-national organizations.

I note the importance of investigation availability in preventing and resolving security breaches, especially when the source of the attack is now usually cloud-based as well, and close with technical aspects of cloud security such as data-at-rest protection and key management.

Cloud systems defined

Cloud computing is a natural evolution of improvements in time-sharing services, virtual-machine operating systems, and network communications.1

Cloud computing offerings are generally classified into one of three types:2

• Infrastructure as a Service (IaaS): deployment of discrete information system components, such as individual servers, firewalls, networks, and so on in a public-cloud environment. In general, IaaS requires the installation of an operating system and an application on a virtual machine. Amazon Web Services (AWS) Elastic Compute Cloud (EC2) and Rackspace Cloud Servers are examples of IaaS.

• Platform as a Service (PaaS): deployment of general purpose nodes, such as database servers and load balancers. These nodes are ready-to-run, but integrating PaaS nodes with code or scripts is necessary to drive an end-user application. AWS Remote Database Service (RDS) and the use of force.com as a mobile development platform are examples of PaaS.

• Software as a Service (SaaS): deployment of complete, ready-to-run, end-user applications. These applications may require administration or configuration, such as the integration of a login function with a directory server. Instances delivered by the AWS Marketplace and the use of SalesForce as a browser-based application are examples of SaaS.

Most organizations will use all three offering types. For example, an organization may use Azure Compute for IaaS, Azure SQL Database for PaaS, and Office 365 for SaaS. Even though these are Microsoft offerings, a CISO using all of them would (as we discuss in the following section) be subject to multiple service level agreements.

Service level agreements
The service level agreement (SLA) is the contracting vehicle for implementing cloud security. The SLA, along with other documents, such as an Acceptable Use Policy, Customer Agreement, and Terms of Service, defines the limitations and the responsibilities of the customer and service provider. Without sufficient support from the SLA, it is not possible to implement cloud security best practices.3

Note that the SLA may also include service-specific provisions that apply only to some cloud service types, such as PaaS, but not others, such as IaaS. For example, customers using AWS RDS must agree that unregistered nodes not used for thirty days may be deleted. There is no similar provision for AWS EC2. Throughout the rest of this article, I will use the term “SLA” to designate all of the service agreements between an organization and a provider.

Legal obligations and limitations
Since it is a contract, the SLA specifies the legal requirements for the involved parties. Some of these are obligations, for example the requirement to protect non-public access credentials. Others are limitations, for example consuming cloud services within the boundaries of acceptable uses.

One “feature” of the SLA is to limit the liability of a cloud service provider in the event of a third-party dispute. For this case, the SLA should clearly state what resources the provider will and will not offer to resolve the dispute. Oftentimes the organization is solely responsible for the data stored with the provider except in limited circumstances. A CISO should ask counsel to review the SLA with an eye towards recovering from a security-related third-party dispute.

More importantly, the SLA will require an organization to indemnify the cloud provider for disputes that may arise from using the services as well as stipulate when access to services may be terminated, either permanently or temporarily. Further, the SLA will grant the provider the flexibility to change terms and conditions at will, perhaps without notice, requiring that the organization regularly monitor the latest SLA version for changes. In many cases, the SLA is non-negotiable. In almost all cases, using the service constitutes SLA acceptance.

The legal framework of a cloud SLA is quite different from on-premises software licenses. In the latter, larger enterprises are able to (and often do) insist on specific terms and conditions more favorable to the entity in exchange for higher license premiums. Moreover, these terms often remain confidential. By contrast, for most organizations this practice is often restricted by the SLA, itself a public document.

1 “Cloud Computing,” Wikipedia, accessed November 20, 2015, https://en.wikipedia.org/wiki/Cloud_computing.

2 Vaquero, Luis M., et al. “A break in the clouds: towards a cloud definition.” ACM SIGCOMM Computer Communication Review 39.1 (2008): 50-55.

3 William Yurek, panelist, Cloud Application and Protecting the Cloud, November 17, 2015, SecureHEALTH Summit, Healthcare Technology Research and Advisory Council (HTRAC), Homestead, Virginia.

Data residency aspects
A legal aspect deserving special mention is the SLA’s definition of data residency, meaning where cloud data is physically stored. Privacy and security requirements vary from country to country. For example, United States citizens have privacy torts,4 which allow remedy in civil court for proven damages,5 while EU citizens have privacy rights,6 which allow remedy in justice court for negligence.

Although we may pick a data center within the geographic boundaries of one country, the governing SLA may allow the provider to store a back-up copy of that data in another country. Does this provision add risk to the organization? In many cases the answer is yes. For example, Germany regulates the transmission of personal information, requiring a CISO to verify equivalent protection exists for back-ups residing outside the EU.7

Sometimes a service provider will have a different data residency policy depending on the service offered. For example, Microsoft has a blanket online service policy that allows storing and transferring customer data to any region of the world where Microsoft conducts business. This policy offers exceptions on a service-by-service basis.8 Thus Azure, InTune, Dynamics, and Office 365, while cohesively marketed as cloud services, all have different data residency policies.9

Verifying compliance requires knowledge of the time, place, and manner of back-up data storage. In the worst case, the SLA will not specify these parameters at all. A better case exists when the SLA specifies data residency precisely or the CISO can control physical data duplication. For example, the AWS SLA explicitly states that customer data is not stored outside of the selected region,10 while Azure provides an interface for disabling data duplication.11

4 Samuel D. Warren and Louis D. Brandeis. “The right to privacy.” Harvard law review (1890): 193-220.

5 “Tort Law,” Free Dictionary, Farlex, Inc., accessed December 23, 2015, http://legal-dictionary.thefreedictionary.com/Tort+Law.

6 David L. Baumer, Julia B. Earp, and J. C. Poindexter. “Internet privacy law: A comparison between the United States and the European Union.” Computers & Security 23, no. 5 (2004): 400-412.

7 Paul M. Schwartz, “European data protection law and restrictions on international data flows.” Iowa L. Rev. 80 (1994): 471.

8 “Privacy and Cookies,” Microsoft, updated June, 2015, https://www.microsoft.com/privacystatement/en-us/OnlineServices/Default.aspx.

9 “Microsoft Trust Center,” Microsoft, accessed December 17, 2015, https://www.microsoft.com/en-us/trustcenter/privacy/you-are-in-control-of-your-data.

10 “AWS Customer Agreement,” Amazon Web Services, accessed December 17, 2015, http://aws.amazon.com/agreement/.

11 “Introducing Geo-replication for Windows Azure Storage,” Microsoft, accessed December 17, 2015, http://blogs.msdn.com/b/windowsazurestorage/archive/2011/09/15/introducing-geo-replication-for-windows-azure-storage.aspx.

12 “Commission decisions on the adequacy of the protection of personal data in third countries,” European Union Court of Justice, accessed December 18, 2015, http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

13 European Union Court of Justice, Schrems v Data Protection Commissioner, COM(2015) 566 final, November 6, 2015.

“Safe Harbor” annulment
The recent annulment of “Safe Harbor” by the European Union (EU) Court of Justice (EUCJ) illustrates the impact of data residency policies on public-cloud operations. The EUCJ is responsible for determining if a third country ensures adequate protection to EU citizens when processing personal data.12

On October 6, 2015, the EUCJ declared its previous acceptance of US Safe Harbor Privacy Principles (hereinafter Safe Harbor) invalid. This reversed a fifteen-year policy of allowing data governed by Directive 95/46/EC to be stored in the US despite an absence of a national data protection law.13

This change sent shock waves through the industry, especially since most providers rely on Safe Harbor as a focal point of their privacy policy. As of this writing, manual inspection shows Amazon, Datapipe, Dell, Microsoft, and Rackspace still cite Safe Harbor as a point of compliance. We do not yet
understand how the industry will evolve to deal with this change.

At a minimum, a CISO with multi-national responsibilities should take measures to protect the organization from violating this directive. One measure would be to verify data subject to the directive is not resident in the US. Another measure would be to encrypt regulated data when it is stored in the US. Counsel should be engaged to assess if the measures taken are adequate to comply with the directive.
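
The two measures just named (verify that regulated data has no copy, primary or back-up, resident in the US, or else require encryption under a key the organization holds) can be expressed as a residency check over a storage inventory. The following is an added example, not code from the article or from any provider; the inventory record layout, the region labels, and the `customer_managed_key` flag are assumptions constructed for the illustration, and the sample inventory is constructed as well.

```python
"""Data residency check over a constructed storage inventory (added example).

Each record describes one stored data set: where its primary copy lives,
where the provider's SLA lets back-ups/replicas live, and whether it is
encrypted under an organization-held key.  Region labels and the record
layout are assumptions for this example, not any provider's API.
"""
from dataclasses import dataclass, field
from typing import List, Set

EU_REGIONS: Set[str] = {"eu-west", "eu-central"}   # assumed region labels


@dataclass
class StorageObject:
    name: str
    classification: str                 # e.g. "eu-personal" or "public"
    primary_region: str
    replica_regions: List[str] = field(default_factory=list)  # SLA-permitted back-ups
    customer_managed_key: bool = False  # encrypted with an org-held key?


def all_regions(obj: StorageObject) -> Set[str]:
    """Every region that may hold a copy: primary plus any replica."""
    return {obj.primary_region, *obj.replica_regions}


def residency_findings(inventory: List[StorageObject]) -> List[str]:
    """Return one finding per data set that violates both measures;
    an empty list means the inventory is compliant."""
    findings = []
    for obj in inventory:
        if obj.classification != "eu-personal":
            continue                                   # not regulated data
        outside_eu = sorted(all_regions(obj) - EU_REGIONS)
        if not outside_eu:
            continue                                   # measure 1: no copy outside the EU
        if obj.customer_managed_key:
            continue                                   # measure 2: encrypted under our key
        findings.append(
            f"{obj.name}: EU personal data resident in {', '.join(outside_eu)} "
            "without customer-managed encryption"
        )
    return findings


# Constructed sample inventory for the example.
SAMPLE_INVENTORY = [
    StorageObject("hr-records", "eu-personal", "eu-central"),
    StorageObject("crm-backup", "eu-personal", "eu-west", ["us-east"]),          # replica outside EU
    StorageObject("crm-archive", "eu-personal", "eu-west", ["us-east"], True),   # ok: our key
    StorageObject("marketing-site", "public", "us-west", ["us-east"]),           # out of scope
]

if __name__ == "__main__":
    for finding in residency_findings(SAMPLE_INVENTORY):
        print(finding)
```

The check deliberately treats replica regions exactly like the primary region, since the article's point is that an SLA may permit a back-up copy to sit in a country the CISO never selected; feeding it the provider's actual replication settings rather than the selected region is what makes the result meaningful.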

Investigation availability
Many organizations discover data breaches all too late. According to the 2014 Data Breach Investigation Report (DBIR),14 while 87 percent of breached systems surveyed were compromised on the order of minutes or less, 99 percent of breaches were discovered on the order of weeks or more. Or, more abstractly, the survey found a breach will be discovered in no sooner than O(n^k) time if the compromise originally happened in no later than O(n) time.

A major reason for this latency per the DBIR is that only 12 percent of web fraud is detected through internal audits or controls, while 74 percent is reported by customers, ostensibly after reviewing monthly statements. This demonstrates that even though a system may have a large attack surface, for example the infrastructure involved in web e-commerce, the investigation surface for detecting misuse is small by comparison, for example customer monthly statements.

Among other aspects, the SLA defines the frequency and type of monitoring available to the customer from the provider, such as access attempts or system loading. In many cases, more detailed metrics are available at a higher premium rate. But in other cases, the SLA will not afford a monitoring capability similar to on-premises systems. The cognizant CISO must determine if the monitoring available will support current security practices (or work around limitations if support is inadequate).

Breach reporting policies also vary from provider to provider. In some cases, the provider will notify the customer of a breach upon detection. In other cases, a provider will notify the customer only when a full investigation is concluded. Some providers ask that customers not post potential vulnerabilities publicly, ostensibly as such exposure may introduce risk for other customers.15 In some cases, lack of breach notification upon detection may contradict local laws requiring immediate notification instead.16

Organizations relying on vulnerability testing should verify their practices comply with the SLA. A CISO would expect an SLA to prohibit vulnerability testing against resources outside her subscription. But some providers prohibit all such
testing entirely unless authorization is obtained in advance.17 A CISO may be forced to avoid using this testing on cloud workloads.

Finally, the DBIR reports that as of late 2012, the origin of denial-of-service attacks has migrated from compromised networks of desktop and server machines with slower, “last mile” Internet access links to public cloud-based networks with data-center-grade pipes. A CISO should consider if the SLA offers adequate resources for investigating a potential attack from a neighboring rack.

Data at rest limitations
Many cloud providers now offer (or soon will be offering) data-at-rest protection for block storage. This protects blocks stored on a disk partition from being read by another party by either shuffling the file system index,18 encrypting blocks within the file system,19 or encrypting at the virtual machine-to-physical storage interface.20 In general, data-at-rest methods offer protection only while the data container is not in use: once loaded, a driver translates the protected structure into a normal one.

A CISO using data-at-rest protection as part of a comprehensive security policy should verify multiple factors in cloud environments. The first is the protection algorithm itself: is index shuffling21 sufficient? Or should the CISO insist on a higher security, lower performance block encryption algorithm?

More importantly, a CISO should determine what storage structures offer data-at-rest protection. In particular, are all disk partitions protected? Or just data storage partitions? This differentiation is significant when a swap partition, used for storing virtual memory as opposed to files, remains unprotected. In this case, swap space is subject to key scavenging attacks.22

If the cloud provider offers data-at-rest protection without role-based access methods, the protection afforded may be limited to storage device theft, somewhat moot for mass storage in a remote data center. May an authorized IaaS user, for example, duplicate a virtual machine, export the “snapshot” into a different account, and run the copy? Or is this operation restricted, based on the user’s role, with dual controls offered to regulate the export of protected machines?

Encryption key management
When a CISO uses encryption in a public cloud environment, the question of key management is raised. In many cases, the CISO can choose to store these keys either in the cloud itself or in privately owned infrastructure. For example, AWS Simple Storage Service (S3) offers an application programming interface (API) for key management.23 One may encrypt S3 objects with a key managed either within the AWS infrastructure or within corporate infrastructure.

In the former case, an implementer uses the AWS API to create and store an encryption key within S3 itself. In the latter case, a programmer uses the organization’s resources to create and store a key, using a different API to grant S3 key access only when storing or retrieving an object. While the former approach is simpler for the implementer, the latter approach offers the organization more control over cryptographic resources.

Should a CISO elect to use enterprise-based (as opposed to provider-based) key management, the organization has multiple options, including the following:

• Software provisioning: use individual application-level libraries to generate keys.

• Static provisioning: use a centrally managed appliance to generate and store static keys.

• Dynamic provisioning: use an appliance to generate keys dynamically.

These options are sorted from highest to lowest management complexity. Managing software provisioning is the most complex as the entire burden of key management falls on the implementer, who is responsible for choosing a key algorithm, invoking a generation function, and storing the resulting key securely for use and subsequent retrieval.

Managing static provisioning is less complex as the implementer may use an identity string, such as a key name, to generate a key, store this key in the appliance, and later retrieve the same key when needed. However, the programmer must manage associating this key with an external object, such as a user name or device serial number.

Managing dynamic provisioning is the least complex as keys are generated based on an identity string and associated metadata. The implementer need not worry about storing or retrieving keys, but merely passes the appropriate identity string to the appliance and receives the necessary key in response.

The first two methods of key management are stateful, meaning that each key used must be generated, stored, and managed. As the number of keys increases, the management burden increases as well. The last method is stateless, meaning keys are generated dynamically when needed. As the number of keys increases, the management burden stays the same. Thus stateless solutions cost less than stateful solutions at scale.

Key management overhead cost depends on the number of keys issued. Organizations with few protected objects, per-group keying (all members of a group share the same key), and infrequent rotation policies need to manage fewer keys, perhaps in the tens of thousands annually. Organizations protecting all cloud objects, implementing per-user keying (each user has a unique key, possibly shared within a group), and rotating frequently may manage millions of keys annually. A CISO should quantify the cost of key management when moving to the public cloud.

Security aspects of hybrid infrastructure
Some organizations are moving rapidly to 100 percent public IaaS to reduce IT costs, especially when the negotiated cost of service is less than the burdened rate of on-premises infrastructure. But it behooves a CISO to consider hybrid infrastructure—the integration of on-premises hardware with public IaaS—for maintaining strong security. Organizations with mission-critical and root-of-trust needs may require this hybrid approach.

Many cloud providers include language in the SLA that bans mission-critical workloads, usually defined where the failure would increase the risk of losing life, causing injury, or damaging property. Sometimes a specific use, such as public transportation, is also banned. In such cases, a CISO might advocate that affected workloads remain on-premises with public IaaS used for limited purposes, such as archival backup of these applications.

A hardware security module (HSM) is a physical device for generation and storage of cryptographic material in a secure environment.24 A CISO typically relies on an HSM as root-of-trust and to avoid security risks from software vulnerabilities during cryptographic processing. At the moment, multiple providers offer cloud-based HSM capabilities as a premium service.25 While a cloud-based HSM may protect the organization from key inspection by an attacker or the service provider, other benefits may be restricted, such as using the HSM as a root-of-trust for locally generated keys and certificates. A CISO should verify a cloud-based HSM will support all of the organization’s security practices, including auditing, compliance, dual control, and role policies, before replacing on-premises security equipment with cloud equivalents.

Summary
The CISO faces multiple security challenges when moving workloads from private, on-premises resources to a public cloud. Service level agreements govern the CISO’s ability to implement and maintain security policy. These agreements are complex and should be reviewed by legal counsel. A multi-national organization must consider data residency definitions for each country’s workload. The type of cloud service chosen (IaaS, PaaS, or SaaS) may limit an organization’s ability to perform pre- and post-breach investigations. Within limits, data-at-rest protection offers some security benefit for cloud data storage. Organizations implementing encryption as part of security best practices benefit from considering key management issues. Finally, the CISO may need to advocate for hybrid infrastructure to meet security needs even when others promote moving all IT resources to the cloud.

14 Verizon Enterprise Solutions. “2014 Data Breach Investigations Report.” Accessed December 18, 2015, http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf.

15 “Rackspace Security Vulnerability Reporting,” Rackspace US, Inc., accessed December 17, 2015, http://www.rackspace.com/information/legal/rsdp/.

16 “Security Breach Notification Laws,” National Conference of State Legislatures, October 22 2015, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

17 “Acceptable Use Policy,” Datapipe Inc., accessed December 17, 2015, https://www.datapipe.com/legal/acceptable_use_policy/.

18 Sabrina De Capitani di Vimercati, Sara Foresti, Stefano Paraboschi, Gerardo Pelosi, and Pierangela Samarati. “Efficient and private access to outsourced data.” In Distributed Computing Systems (ICDCS), 2011 31st International Conference on, pp. 710-719. IEEE, 2011.

19 Dawn Song, Elaine Shi, Ian Fischer, and Umesh Shankar. “Cloud data protection for the masses.” Computer 1 (2012): 39-45.

20 Michael Austin Halcrow, “eCryptfs: An enterprise-class encrypted filesystem for linux.” In Proceedings of the 2005 Linux Symposium, vol. 1, pp. 201-218. 2005.

21 Rearranging the file system’s directory structure in a reversible manner such that the location of files on the disk surface are obscured but the actual blocks containing data remain in their original form. This low-overhead data protection method blocks attacks that retrieve data through the file system, but not attacks that scan data blocks directly.

22 Yinqian Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. “Cross-VM side channels and their use to extract private keys.” In Proceedings of the 2012 ACM conference on Computer and communications security, pp. 305-316. ACM, 2012.

23 Amazon Web Services, “Class Encryption Key” AWS SDK for Java – 1.10.35. http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/index.html.

24 “Hardware Security Module,” Wikipedia, accessed December 17, 2015, https://en.wikipedia.org/wiki/Hardware_security_module.

25 “Azure Key Vault,” Microsoft, accessed December 17, 2015, http://blogs.technet.com/b/kv/archive/2015/01/08/azure-key-vault-making-the-cloud-safer.aspx; “AWS Cloud HSM,” Amazon Web Services, accessed December 17, 2015, https://aws.amazon.com/cloudhsm/.

About the Author
Jason Paul Kazarian is a Senior Architect for Hewlett Packard Enterprise and specializes in integrating data security products with third-party subsystems. He has thirty years of industry experience in the aerospace, database, security, and telecommunications domains. He has an MS in Computer Science from the University of Texas at Dallas and a BS in Computer Science from California State University, Dominguez Hills. He may be reached at [email protected].
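
The three enterprise key-provisioning options the article's key management section lists (software, static, dynamic) and its stateful-versus-stateless distinction can be made concrete in a few dozen lines. The following is an added example, not the author's code and not any vendor's appliance API: the two "appliance" classes are stand-ins for a real key manager or HSM, the identity-plus-metadata encoding is an assumption, and HKDF-SHA256 (RFC 5869, implemented here with the standard library) is the derivation chosen for the stateless case. The `demo` function issues one key per user per monthly rotation under both models so the growth in stored state is visible.

```python
"""Stateful vs stateless enterprise key provisioning (added example).

Models the article's three options:
  * software provisioning: the application generates and must store the key;
  * static provisioning:   an appliance generates a key per identity string
                           and stores it (state grows with every key);
  * dynamic provisioning:  an appliance derives keys on demand from one
                           master secret + identity string + metadata (no
                           per-key state).
The appliance classes are assumptions standing in for a real key manager.
"""
import hashlib
import hmac
import secrets
from typing import Dict


def hkdf_sha256(master: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, master, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                        # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def software_provision_key() -> bytes:
    """Software provisioning: the caller now owns the problem of storing
    this key securely and finding it again later."""
    return secrets.token_bytes(32)


class StaticKeyAppliance:
    """Static provisioning: one stored random key per identity string."""

    def __init__(self) -> None:
        self._store: Dict[str, bytes] = {}

    def generate(self, key_name: str) -> bytes:
        if key_name in self._store:
            raise KeyError(f"key {key_name!r} exists; rotate by issuing a new name")
        self._store[key_name] = secrets.token_bytes(32)
        return self._store[key_name]

    def retrieve(self, key_name: str) -> bytes:
        return self._store[key_name]          # KeyError if never generated

    def stored_key_count(self) -> int:
        return len(self._store)


class DynamicKeyAppliance:
    """Dynamic (stateless) provisioning: every key is derived from one
    master secret plus the identity string and its metadata, so the same
    inputs always yield the same key and nothing per-key is stored."""

    def __init__(self, master_secret: bytes, domain: bytes = b"example-org-kms") -> None:
        self._master = master_secret    # the only secret the appliance keeps
        self._domain = domain           # assumed label separating key domains

    def derive(self, identity: str, **metadata: str) -> bytes:
        # Canonical, unambiguous encoding: sorted fields, each length-prefixed.
        fields = [identity] + [f"{k}={metadata[k]}" for k in sorted(metadata)]
        info = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
        return hkdf_sha256(self._master, self._domain, info)

    def stored_key_count(self) -> int:
        return 1                              # only the master secret


def demo(n_users: int = 1000, rotations: int = 12) -> dict:
    """Issue one key per user per rotation period under both models and
    report how much key state each appliance ends up holding."""
    static = StaticKeyAppliance()
    dynamic = DynamicKeyAppliance(secrets.token_bytes(32))
    for u in range(n_users):
        for r in range(1, rotations + 1):
            static.generate(f"user-{u}/2016-{r:02d}")
            dynamic.derive(f"user-{u}", rotation=f"2016-{r:02d}")
    return {"static_stored": static.stored_key_count(),
            "dynamic_stored": dynamic.stored_key_count()}


if __name__ == "__main__":
    print(demo())
```

Rotation is handled by changing the metadata rather than the identity, which is why the stateless appliance's key count never moves while the static store reaches users times rotations; the trade-off, which the article's cost discussion leaves implicit, is that the master secret becomes the single value whose compromise exposes every derived key.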

Page 22: Promoting Public Cloud Workload Security: Why Risk ... · 33 Securing the Cloud By Barettè Mort – ISSA member, North Texas Chapter This article discusses cloud environments and

Gaining Confidence in the CloudBy Phillip Griffin – ISSA Fellow, Raleigh Chapter and Jeff Stapleton – ISSA member, Fort Worth Chapter

In cloud deployments organizations remain responsible for ensuring the security of their data. Can cloud-based technologies, such as the blockchain, play a role in providing cloud subscribers assurance their data is being properly managed and that their cloud service provider is in compliance with established security policies and practices?

Abstract

The Cloud offers organizations faster, cheaper, richer, and sometimes more secure application deployments than they themselves can orchestrate. However, organizations remain responsible for ensuring the security of their data, even when they transfer its physical control to a cloud service provider (CSP). What information does an organization require from a CSP to gain confidence they are meeting their data governance obligations? Can cloud-based technologies, such as the blockchain, play a role in providing cloud subscribers assurance their data is being properly managed and that their CSP is in compliance with established security policies and practices? For the financial service industry the X9.125 standard is under development to define requirements and provide a compliance model using blockchain technology.

Introduction

As organizations embrace the Cloud and migrate or deploy applications and, invariably, data, they transfer control from internal processes to a cloud service provider (CSP). However, organizations (subscribers) remain responsible for industry information-security compliance despite the delegation to the CSP. Health care1 data and payment2 data notwithstanding, organizations must ensure they exert adequate governance over how their data is protected. Regardless of where their data is located and who actually has physical control over the data—whether within a virtual environment or the cloud—the organization remains responsible for ensuring it can meet legal and regulatory control requirements. For the financial services industry, the X9.125 standard for cloud compliance is being developed to address requirements and compliance between a cloud subscriber and its CSP.

Some background might help clarify how X9.125 fits into financial and cloud services. As shown in figure 1, the American National Standards Institute3 (ANSI) is the United States’ representative to the International Standards Organization4 (ISO), among others. However, ANSI does not develop standards; rather, it accredits other organizations as industry-specific standards developers and technical advisory groups (TAG) to ISO technical committees. The Accredited Standards Committee X95 (ASC X9 or just X9) is one such organization designated by ANSI to perform the following roles:

• Develop ANSI standards for the financial services industry

• Represent the United States as the TAG to ISO technical committee 68 Financial Services (TC68)

• Manage TC68 as the official secretariat

Figure 1 – Standards overview

1 http://www.hhs.gov/ocr/privacy/index.html.
2 https://www.pcisecuritystandards.org/.
3 www.ansi.org.
4 www.iso.org.
5 www.x9.org.

Consequently, many X9 standards are submitted to ISO for international standardization. Further, X9 often initiates ISO work items, adopts ISO financial standards, and retires ANSI standards in favor of the ISO version. Sometimes the US markets are so uniquely distinct that a domestic X9 standard is needed in the absence of, or in parallel with, an ISO standard. The cloud security work item is assigned to the X9F4 cryptographic protocols and application security work group; Jeff Stapleton is the X9F4 chair, and Phil Griffin is the X9.125 editor.

One of the first X9F4 actions was to review the existing body of work, including special publications from the National Institute of Standards and Technology (NIST),6 Federal Financial Institutions Examination Council (FFIEC)7 cloud computing recommendations, Central Intelligence Agency (CIA) views on cloud computing, and the Cloud Security Alliance (CSA) research on comparable audit programs. These materials were digested to formulate a core set of security requirements for managing and securing information in the cloud, whether this information is located in a private cloud completely under control of the organization, or managed in a hybrid or public cloud environment. Regardless of the cloud service type or environment, these basic questions were identified:

1. What security controls does the cloud subscriber (the consumer of the cloud services) need to protect the confidentiality and integrity of its data?

2. What security controls does the cloud service provider offer to protect the confidentiality and integrity of its subscriber’s data?

3. What security controls provided by the cloud service provider can be monitored by the cloud subscriber to verify compliance?

While the development of X9.125 is still a work in progress and has undergone several redesigns, cloud services and their adoption in the financial industry have continued to evolve. Thus the X9.125 standard is attempting to hit a moving target. X9 standards provide requirements (“shall”) and recommendations (“should”) that are practical and verifiable. Thus, as shown in figure 2, the standard needs to address security controls and interoperability between the cloud service provider and the cloud subscriber, in addition to transparency of any service sub-providers.

Cloud service providers, like any organization relying on information technology (IT), need to have their security controls documented in policy (why), practices (what), and procedures (who). They also need to securely manage resources, including people, places, and processes. IT controls include network, systems, and applications addressing authentication, authorization, and accountability (AAA). Data must also be managed across its life cycle, including creation, distribution, storage, and termination. When cryptography is used, the keys must be managed in a secure manner. How the controls are deployed and managed depends on the relationship between the CSP and the subscriber, as depicted in figure 2:

• The topmost solid arrow shows the case when controls are provided solely by the CSP to the subscriber. For example, the CSP might encrypt the subscriber’s data in storage using cryptographic keys managed solely by the CSP.

• The middle arrows show cases when controls are mutually managed by both the CSP and the subscriber. For example, data in transit is encrypted using a session key that is dynamically established, based on an exchange of public key certificates between the CSP and the subscriber.

• The bottommost dotted arrow shows the case when controls are provided solely by the subscriber. For example, the subscriber might encrypt or tokenize data before it is sent to the CSP for storage or processing.

• The dotted arrow between the CSP and its service sub-provider shows the case when controls are provided indirectly to the subscriber by the sub-provider. For example, the sub-provider might be a tokenization service used by the CSP to protect the subscriber’s data in storage.

6 http://csrc.nist.gov/publications/PubsSPs.html.
7 http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf.

While X9.125 is still a work in progress, another major aspect is to develop a reporting model such that a cloud subscriber can verify a CSP’s compliance. Compliance might be to the CSP policy and practices aligned with the subscriber, or preferably to the security requirements being defined in the X9.125 standard adopted by both parties. Regardless, this implies that the CSP provides compliance information that is reliable and verifiable. One method for a digital ledger might be blockchain technology, more contemporarily known because of Bitcoin.

Figure 2 – Controls overview

Blockchains

Blockchains have been around for decades. Notably, Merkle trees were addressed in a US patent [2] issued in 1982, so the technology is well vetted. While the Bitcoin blockchain is used as a general ledger for Bitcoin transactions, any information can be encapsulated within a blockchain that can provide data integrity. Incorporating timestamps within the blockchain (as does Bitcoin) also provides a historical record of what happened when and by whom.

Consider figure 3 as an example. The blocks are numbered sequentially: Block 0, 1 … N. There is always an initial block, conventionally numbered “0” to indicate its special nature. There is always a last block (N), which is the most current addition to the blockchain. Each block contains data, in this example a cloud service provider’s policy numbered according to its block number: P0, P1 … PN. In this example, each block contains a hash (H) of its own policy data, essentially a link to itself, so Block 0 contains H(P0), Block 1 contains H(P1), and Block N contains H(PN). Additionally, each block contains a hash of its predecessor, so Block 1 contains H(P0) as a link to Block 0, and Block N contains H(PN-1) as a link to Block N-1. Note that Block 0 does not contain a previous link since Block 0 is the blockchain origin.

At this point one might think that the blockchain is completely reliable, but it turns out that simple links based on a hash of just the data in the previous block are unreliable. Consider an attacker that takes some intermediary Block K, which links to Block K-1 and has Block K+1 linked to it. The attacker makes a replica of Block K, which we will call Block J, modifies the data so it contains PJ and no longer PK, and publishes it as the real Block K. The attacker then updates Block K+1 to link to Block J instead of Block K. Thus, the blockchain has been compromised but still appears to be valid since all of the links are valid. Without some method of either verifying the publisher or the whole blockchain, a simple substitution attack is possible. Replacing the previous link as a simple hash of the previous data with a digital signature would prevent the substitution attack; however, this would require the support of a public key infrastructure (PKI) with certificates, private key storage, certificate authorities, revocation lists, and the like. Alternatively, replacing the previous link with a hash chain achieves the same anti-substitution control without the PKI overhead.

Referring back to figure 3, we have provided another chain field where each block contains a chain numbered by its block number: C0, C1 … CN. Each chain is a link to all of the previous blocks, which is a hash of two elements: the previous chain and a hash of its own data. Thus, Block N contains a hash of CN-1 and a hash of its own data H(PN), that is H(CN-1, H(PN)). Likewise, Block 1 contains a hash of C0 and a hash of its own data H(P1), namely H(C0, H(P1)). Block 0 only contains a hash of a hash of its own data H(H(P0)) because there is no previous chain. In this manner an attacker cannot replace any of the published blocks without updating the whole chain, which is the basis of the Bitcoin blockchain security. The presumption is that it is cheaper to be honest than dishonest.

If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added. [3]

Much of the media discussion around Bitcoin has focused on its role as a crypto currency. Bitcoin provides a means for achieving efficient, anonymous financial transactions. In this context, Bitcoin is sometimes described as a disruptive technology, one that facilitates the activities of drug dealers and terrorists, one that threatens to disintermediate and undermine the existing financial services industry, or one that presents banks who serve Bitcoin industry players with


Figure 3 – Simple blockchain
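The two link styles of figure 3, as an added example that is not part of the article or of X9.125 (the authors give no code): a small Python model in which each block stores the CSP policy text Pn, its self hash H(Pn), the simple previous link H(Pn-1), and the chain field Cn = H(Cn-1, H(Pn)) with C0 = H(H(P0)). The hash function (SHA-256 over the concatenated inputs), the constructed policy texts, and every identifier (Block, build_chain, verify_simple_links, verify_chain, substitute_block, demo) are this example's own assumptions. The substitution the text describes is carried out on a copy, and two verifiers are run over it: the simple-link check of the first construction passes, while recomputing the chain and comparing it with a head value CN that the subscriber recorded when the chain was published fails. The fourth result shows the caveat a practitioner wants: a forged copy is internally consistent, so the head must come from somewhere the publisher cannot rewrite.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its arguments (the article's H(...)).
    SHA-256 is an assumption; the article does not name a hash function."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(part)
    return digest.digest()


@dataclass(frozen=True)
class Block:
    number: int                 # block number n
    policy: bytes               # P_n: the CSP policy version stored in this block
    self_hash: bytes            # H(P_n): the link to itself
    prev_hash: Optional[bytes]  # H(P_{n-1}): the simple previous link; None for Block 0
    chain: bytes                # C_n = H(C_{n-1}, H(P_n)); C_0 = H(H(P_0))


def build_chain(policies: List[bytes]) -> List[Block]:
    """Publish P_0 .. P_N as the blockchain of figure 3, carrying both link styles."""
    blocks: List[Block] = []
    for n, policy in enumerate(policies):
        self_hash = H(policy)
        if n == 0:
            prev_hash, chain = None, H(self_hash)
        else:
            prev_hash = blocks[-1].self_hash
            chain = H(blocks[-1].chain, self_hash)
        blocks.append(Block(n, policy, self_hash, prev_hash, chain))
    return blocks


def verify_simple_links(blocks: List[Block]) -> bool:
    """Check only the simple links: H(P_n) matches the stored data and each
    previous link equals the prior block's self hash."""
    for n, block in enumerate(blocks):
        if H(block.policy) != block.self_hash:
            return False
        expected_prev = None if n == 0 else blocks[n - 1].self_hash
        if block.prev_hash != expected_prev:
            return False
    return True


def verify_chain(blocks: List[Block], trusted_head: bytes) -> bool:
    """Recompute C_0 .. C_N from the block data, check each stored chain field,
    and compare the final value with a head C_N obtained independently of the
    publisher. A substituted block changes every later C_n, hence C_N."""
    chain: Optional[bytes] = None
    for n, block in enumerate(blocks):
        self_hash = H(block.policy)
        chain = H(self_hash) if n == 0 else H(chain, self_hash)
        if block.chain != chain:
            return False
    return chain == trusted_head


def substitute_block(blocks: List[Block], k: int, forged_policy: bytes) -> List[Block]:
    """The substitution described in the article, done on a copy: Block K is
    replaced by a replica J carrying P_J, Block K+1 is re-linked to J, and every
    chain field from K onward is recomputed so the forged copy is self-consistent
    (the 'update the whole chain' the text says the attacker would have to do)."""
    forged = list(blocks)
    prev_self = blocks[k].prev_hash
    prev_chain = None if k == 0 else blocks[k - 1].chain
    for n in range(k, len(blocks)):
        policy = forged_policy if n == k else blocks[n].policy
        self_hash = H(policy)
        chain = H(self_hash) if n == 0 else H(prev_chain, self_hash)
        forged[n] = Block(n, policy, self_hash, prev_self, chain)
        prev_self, prev_chain = self_hash, chain
    return forged


# Constructed sample policy versions (not real CSP data).
POLICIES = [
    b"v0: all subscriber data encrypted at rest with CSP-managed keys",
    b"v1: keys rotated every 90 days",
    b"v2: dual control required for key export",
    b"v3: quarterly independent audit of key management",
]


def demo() -> dict:
    published = build_chain(POLICIES)
    trusted_head = published[-1].chain  # recorded by the subscriber at publication time
    forged = substitute_block(published, 2, b"v2: key export permitted to any operator")
    return {
        "simple_links_on_forged": verify_simple_links(forged),               # True
        "chain_on_forged": verify_chain(forged, trusted_head),                # False
        "chain_on_forged_own_head": verify_chain(forged, forged[-1].chain),   # True
        "chain_on_published": verify_chain(published, trusted_head),          # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to print the four results. What the chain field buys over a digital signature is that a single value, CN, is all the subscriber or auditor has to retain out of band; once that value is only available from the publisher, the third result shows the construction collapses back to the simple-link case.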


heightened “Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Act compliance risks” [1]. On the other hand, Bitcoin has seen adoption by e-commerce stalwarts such as PayPal, Overstock, Dish Network, and Dell Computers, as well as “many community-driven organizations” that “allow anonymous donations using Bitcoin” [6]. Despite any negative aspects associated with Bitcoin, “there remain many legitimate uses for Bitcoin and businesses that facilitate these legitimate transactions” [7]. There is also growing interest in leveraging the blockchain technology that underpins Bitcoin to both reduce transaction costs and strengthen financial services security. To this end, more general-purpose applications of the blockchain that are far removed from the use of Bitcoin to facilitate financial services transactions are being considered. For example, blockchains might be used to evaluate, monitor, assess, or even audit a cloud services provider:

• The CSP might publish its information security policy and practices in a blockchain, providing a historical record of versions and changes. In this manner, new subscribers can evaluate the CSP, existing subscribers can monitor changes, internal audit can assess the CSP, and professionals can perform independent audits of the CSP.

• The CSP might distribute information security news in a blockchain, providing notifications or alerts to its subscribers about incidents or events about new vulnerabilities in a reliable manner. Today, this information is typically provided via emails or blogs.

• The CSP might issue information security details in a blockchain, providing real-time data about its controls. In this manner, existing subscribers can monitor the CSP for its dependability, consistency, and overall trustworthiness. Another name for this would be compliance.

Hence, the concept of using blockchains to record and verify CSP compliance data is not as farfetched as might have been initially considered. For cloud subscribers to gain such assurance, and to exercise due diligence in the conduct of their governance and risk management responsibilities, they need some insight into what goes on under the covers at their CSP. Cloud subscribers need the same types of operational evidence of compliance from their CSP that they would expect their internal IT departments to provide. Whether an organization’s data is inside its firewall or floating around in the cloud, informed information security management practices still depend on access to the basics: vulnerability scan results, penetration test results, system logs, application logs, analytical results, security alerts, and summarized information. Compliance evidence must have origin authenticity, data integrity, and often confidentiality safeguards that prohibit access by attackers and other unauthorized individuals.

The attractiveness of the Bitcoin blockchain includes its decentralization. Bitcoin spenders submit their transactions (signature, inputs, outputs) to multiple Bitcoin nodes such that the transaction gets published in the next block, which is originated by the next miner to solve the hash solution. The idea is that the amount of work to perpetrate fraud far exceeds the work factor for mining. Sometimes a race condition creates a bifurcated blockchain generated by two different Bitcoin nodes; however, consensus processing will eventually prune the blockchain to only one authentic version. There is no central authority that provides a processing choke point, a single point of failure, or a single point of attack.

However, blockchain management is not without its problems. There are orphaned blocks, which are valid but did not make it into the main Bitcoin chain. There are always unconfirmed transactions waiting for the next block, which might get lost during the bifurcation and pruning process. There are double spends, transactions where the same Bitcoin fractions get spent by the same entity to two different receivers. There are strange transactions, where the syntax or semantics are invalid. And there are outright rejected transactions dropped by Bitcoin nodes that never get included in the chain. Some of these might be processing errors due to software bugs, Bitcoin versions, or rules issues. Alternatively, some transactions might be fraudulent in nature. Bitcoin fraud management is relatively nascent, and without a central authority there are no arbitration or adjudication programs available.

Bitcoin information is publicly accessible by definition. Hash algorithms provide the links between blocks and transactions, and digital signatures provide transaction integrity and authentication. Non-repudiation is not feasible as Bitcoin identifiers support anonymity, and the lack of arbitration does not meet legal needs discussed in the Digital Signature Guidelines [4] and the PKI Assessment Guideline [5]. Further, the Bitcoin blockchain does not offer data confidentiality. Some of the cloud service provider’s information security management data is sensitive such that it might need to be encrypted, but only accessible by authorized clients or regulatory bodies. Thus, key management schemes need to be considered.

There is also growing interest in cloud data confidentiality and user anonymity. In a paper presented at the Security Standardization Research (SSR) 20158 conference held recently in Tokyo, Japan, researchers McCorry, Shahandashti, Clarke, and Hao proposed a new category of Authenticated Key Exchange (AKE) protocols. These new protocols, which “bootstrap trust entirely from the blockchain,” are identified by the authors as “Bitcoin-based AKE” [6]. The SSR 2015 paper describes two new protocols, one with a guarantee of forward secrecy, and offers proof-of-concept prototypes with experimental results to demonstrate their practical feasibility. Both protocols provide greater anonymity than can be achieved using digital certificate or password-based AKE.

Following the guidance of international security standards can help ensure that the same information security policies used to manage risk when information systems reside in traditional non-cloud environments are also applied in the cloud. Recently, the big three international security standardization bodies published Recommendation ITU-T X.1631 | ISO/IEC 27017 Code of practice for information security controls based on ISO/IEC 27002 for cloud services.9 This standard builds on selected parts of the familiar ISO/IEC 27002 Code of practice for information security management10 but adds additional cloud-specific recommendations and guidance. Although ITU-T X.1631 | ISO/IEC 27017 provides important recommendations and guidance, it contains no actual requirements. Conversely, the draft X9.125 standard hardens the ISO, IEC, and ITU-T recommendations and guidance into a set of specific information security management requirements. Where ITU-T X.1631 | ISO/IEC 27017 relies on clauses 5 through 18 of the ISO/IEC 27002 Code of Practice, X9.125 defines requirements based on comparable clauses in the ISO/IEC 27001 Information security management systems – Requirements.11

8 http://www.ssr2015.com/.

Conclusions

Blockchains, a decades-old cryptographic technology, have become a creature of the Cloud. Their adoption and use carry many of the same security concerns as other cloud-based applications and services. But for blockchains to be trusted in the current financial services regulatory environment, and for them to be widely adopted, blockchain-based systems must comply with an organization’s existing security policy and practices. Many of the policies needed to manage blockchains and other cloud-based deployments are the same as those used to manage security risk within an organization. Organizations must continue to manage risk and fully exercise their information security governance responsibilities regardless of where their data and applications roam. Cloud subscribers need the ability to verify that their cloud service providers are securing information in a manner compliant with established requirements.

ASC X9 is currently developing the X9.125 standard with the option of the United States submitting the work to ISO for international standardization. Once the cloud security requirements have been completed, the corresponding compliance data might be encapsulated in a publicly available or privately provided blockchain. Cloud subscribers, internal or external auditors, regulators, or any independent third-party assessor should be able to validate the CSP by verifying its information security blockchain.

This article is also a call for participation. Cloud service providers, cloud subscribers, or organizations that are interested in the development of the X9.125 standard are encouraged to contact the ASC X9 or the X9F4 work group chair. Participation by any X9 member is welcomed. Once the X9.125 standard is approved as a new ANSI standard, the possibility of it being submitted to ISO as a USA offering is something that will be seriously considered with the appropriate organizations’ support.

9 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43757.
10 http://www.iso.org/iso/catalogue_detail?csnumber=54533.
11 https://en.wikipedia.org/wiki/ISO/IEC_27001:2013.

References

1. King, Douglas. (2015). Banking Bitcoin-Related Businesses: A Primer for Managing BSA/AML Risks. Federal Reserve Bank of Atlanta. Retrieved November 19, 2015, from https://www.frbatlanta.org/-/media/Documents/rprf/rprf_pubs/2015/banking-Bitcoin-related-businesses.pdf.

2. Merkle, R. C. (1988). “A Digital Signature Based on a Conventional Encryption Function.” Advances in Cryptology — CRYPTO ‘87. Lecture Notes in Computer Science 293. p. 369. doi:10.1007/3-540-48184-2_32. ISBN 978-3-540-18796-7. US Patent 4309569, Method of Providing Digital Signatures, Ralph C. Merkle, January 5, 1982.

3. Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, Bitcoin.org, retrieved 31 October 2008, https://bitcoin.org/bitcoin.pdf.

4. ISC, Digital Signature Guidelines, Legal Infrastructure for Certification Authorities and Secure Electronic Commerce, Information Security Committee (ISC), Electronic Commerce and Information Technology Division, Section of Science and Technology, American Bar Association (ABA), ISBN 1-57073-250-7, August 1996.

5. ISC, PKI Assessment Guideline (PAG), Information Security Committee (ISC), Electronic Commerce Division, Section of Science & Technology Law, American Bar Association (ABA), ISBN 1-57073-943-9, June 2001.

6. Patrick McCorry, Siamak F. Shahandashti, Dylan Clarke, and Feng Hao (School of Computing Science, Newcastle University), Authenticated Key Exchange over Bitcoin, Security Standardisation Research, Volume 9497, Lecture Notes in Computer Science, pp. 3–20, December 9, 2015; retrieved November 8, 2015, from http://eprint.iacr.org/2015/308.pdf.

7. Douglas King, Retail Payments Risk Forum Working Paper, Federal Reserve Bank of Atlanta, October 2015.

About the Authors

Phillip H. Griffin, CISM, has over 20 years’ experience in the development of commercial, national, and international security standards and cryptographic messaging protocols. Phil has a Master’s of Information Technology, Information Assurance and Security degree, and he has been awarded nine US patents at the intersection of biometrics, radio frequency identification (RFID), and information security management. He may be reached at [email protected].

Jeff Stapleton has been an ISSA member and participated in X9 for over twenty years; he has contributed to the development of over three dozen X9 and ISO security standards, and has been the chair of the X9F4 work group for over 15 years. The X9F4 work group’s program of work includes the five-year review of two published standards (X9.73, X9.84) and development of three new standards (X9.112, X9.122, X9.125) in addition to supporting ISO standard efforts. He may be reached at [email protected].


Why Risk Management Is Hard
By Luther Martin – ISSA member, Silicon Valley Chapter and Amy Vosters

Risk management is harder than we would like it to be because people do not think rationally. Our built-in irrational biases affect all of the decisions that we make, and this includes how we choose to manage risks. Fortunately, we now understand how our biases work, so we can account for them and avoid making some of the bad decisions that they might lead us to make.

Abstract

Risk management is harder than we would like it to be because people do not think rationally. Our built-in irrational biases affect all of the decisions that we make, and this includes how we choose to manage risks. Fortunately, we now understand how our biases work, so we can account for them and avoid making some of the bad decisions that they might lead us to make. Doing this can make an information security strategy more effective, and one that gives the best return on the investment made in implementing it.

Information security fundamentally concerns managing the risks associated with IT systems, and risk management fundamentally concerns making decisions under uncertainty. This is something that people generally do not do well, and understanding both how and why our brains seem to make this so hard can be useful. A part of psychology known as “prospect theory” provides a good way to do this. It also explains the differences between how we should think about risk and how we really think about risk. Understanding this can help provide the best value from limited IT security budgets, so it should be interesting to anyone working in the IT security industry.

The fact that even the most expert opinions, including those of information security experts, are almost certainly biased has been known for many years: it was noted in 1995 by Barbara Guttman and Edward Roback1 and in 2000 by Kevin Soo Hoo.2 Unfortunately, the complexity of the models used to explain these biases often made them inaccessible to non-specialists.

A good model is hard to find

There is a popular theory that we prefer to use one side of our brain more than the other. If you prefer to use the right half of your brain, this theory tells us, you tend to be artistic and creative, and if you prefer to use the left half of your brain, you tend to be precise and analytic. There are lots of both books and online quizzes that can help you tell which side of your brain you prefer and how to use this information to help you find jobs that are best suited to your preferred way of thinking.

But research using functional magnetic resonance imaging (fMRI) seems to support the idea that the left brain-right brain model actually has no basis in fact.3 This does not mean that the model is not useful, however. The left brain-right brain model may give us some useful insights into some aspects of our personalities, even if it does not survive a careful look by scientists. Apparently, finding a good balance between scientific facts and a useful model is harder than we might like it to be.

For example – hot water freezes faster than cold water. Or does it?

1 B. Guttman and E. Roback, An Introduction to Computer Security: The NIST Handbook, NIST Special Publication 800-12, October 1995.
2 K. Soo Hoo, How much is enough? A risk management approach to computer security, Stanford, CA: Stanford University, 2000.
3 J. Nielsen, B. Zielinski, M. Ferguson, J. Lainhart and J. Anderson, “An Evaluation of the Left-Brain vs. Right-Brain Hypothesis with Resting State Functional Connectivity Magnetic Resonance Imaging,” PLoS ONE, Vol. 8, No. 8, 2013.


A cup filled with cold water at 0.01 °C will probably freeze faster than the same cup of hot water at 99.99 °C, and a small drop of cold water will probably freeze faster than a gallon jug full of hot water. So it is certainly the case that hot water does not always freeze faster than cold water. But it is true in some cases, and there are enough of these cases to make the property interesting. In particular, if you use the tap in your kitchen sink to fill two ice cube trays—one with hot water and the other with cold water—and then put them into your freezer, you are in the realm of the interesting cases, and you will probably see the hot water freeze faster than the cold water.

The fact that hot water sometimes freezes faster than cold water is called the “Mpemba effect” after Erasto Mpemba, who brought it to the attention of the scientific community in 1963 while he was a high-school student in Tanzania.4 It turns out that stating the Mpemba effect in a way that is possible to verify experimentally is fairly tricky. You probably need something like this: there exists a set of physical parameters and a pair of temperatures such that, given two samples of water identical in these parameters and differing only in their initial uniform temperatures, the hotter of the two will freeze sooner.

If that is what it takes to carefully state the Mpemba effect, it is easy to see why just saying that hot water freezes faster than cold water is preferred by most people, even if it is not quite accurate.

Similarly, even though the left brain-right brain model may not be very accurate, it seems to explain enough of what we experience to be useful. But it also seems reasonable to ask if there is a way to use what science tells us about how our brains operate to create a better model—perhaps one that lets us predict things that the left brain-right brain model does not. This is not too hard to do, although it does require a slightly more complicated model. And this model turns out to be particularly relevant to understanding how we understand and manage risk.

The evolution of understanding risk

The simplest and earliest model for understanding risk and how we make decisions in the face of uncertainty was based on expected value calculations. This is exactly what we do in the annual loss expectancy (ALE) model that most information security professionals learn at some point. In this model we calculate the risk (R) to be the amount of a loss (L) multiplied by the probability of the loss happening (P). We often summarize this in the equation

R = P x L

So, if we have an uncertain event that will happen with a probability of 10 percent (P = 0.1) and will cause a loss of $1 million when it happens (L = $1 million), this represents $100,000 of risk, which we calculate as

4 E. Mpemba and D. Osborne, “Cool?” Physics Education, Vol. 4, No. 3, pp. 172–175, 1969.

R = P x L = (0.1) x ($1 million) = $100,000

If you set the time period for the variables in this calculation to exactly one year, so that P represents the probability of an event happening in a one-year period, you get the ALE model.

This may make perfect sense mathematically, but it does not reflect how our brains seem to understand risk. It is easy to create experiments that show that the expected value model does not always predict how we make choices. The most famous example of this is probably the St. Petersburg paradox. In the St. Petersburg paradox, we have a game in which the winnings are determined as follows (we assume that a player pays a fixed amount to play this game):
• We start with a $1 pot
• We then flip a fair coin until it comes up "heads," and the amount that the player wins doubles after each flip of the coin
• If "heads" comes up on the first flip, the player wins $2 (which happens with probability 1/2)
• If it comes up on the second flip, the player wins $4 (which happens with probability 1/4)
• If it comes up on the third flip, the player wins $8 (which happens with probability 1/8), etc.
• Players win the game if their winnings from the game are more than they paid to play it, and they lose if their winnings are less than what they paid to play it

It turns out that the expected amount that a player will win from playing this game is infinite. We can see this by calculating the expected value of what a player of this game will win as the sum of the gains from each outcome multiplied by the probability of the respective outcome happening:

E = (1/2)($2) + (1/4)($4) + (1/8)($8) + … = $1 + $1 + $1 + …

So the expected value is indeed infinite. Even though this game promises a high average amount of winnings to its players, people are typically hesitant to pay much to play this game. It is hard to find someone willing to pay more than $25 to do this, even though a little math tells us that they should expect to win a very large amount by playing it.5
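The two calculations above, as an added worked example in Python (editorial example code, not code from the original article): the ALE product R = P x L, the truncated St. Petersburg sum, which grows by exactly $1 for every flip the game is allowed, and the same sum taken over a logarithmic utility of the winnings, the concave utility that Bernoulli's 1738 resolution uses, which converges to a finite value whose certainty equivalent is $4. The Monte Carlo helper and its fixed seed are assumptions added for illustration.

```python
import math
import random
from typing import Callable


def annual_loss_expectancy(probability: float, loss: float) -> float:
    """Expected-value model R = P x L with the variables scoped to one year (ALE)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return probability * loss


def st_petersburg_expected_value(max_flips: int) -> float:
    """Expected winnings when the game is cut off after max_flips flips.

    The k-th outcome pays $2**k with probability 1/2**k, so every term is exactly $1
    and the truncated sum is max_flips dollars; it diverges as the cap grows.
    """
    return sum((0.5 ** k) * (2.0 ** k) for k in range(1, max_flips + 1))


def st_petersburg_expected_utility(max_flips: int,
                                   utility: Callable[[float], float] = math.log) -> float:
    """Expected utility of the truncated game under a concave utility function.

    With utility = log (Bernoulli's choice) the terms are (k * ln 2) / 2**k, which sum
    to 2 ln 2, so the series converges even though the dollar expectation does not.
    """
    return sum((0.5 ** k) * utility(2.0 ** k) for k in range(1, max_flips + 1))


def certainty_equivalent(expected_utility: float,
                         inverse_utility: Callable[[float], float] = math.exp) -> float:
    """Sure amount with the same utility as the gamble: the most such a player should pay."""
    return inverse_utility(expected_utility)


def play_once(rng: random.Random) -> int:
    """One round: flip until heads, doubling the $1 pot after every flip."""
    pot = 1
    while True:
        pot *= 2
        if rng.random() < 0.5:  # heads
            return pot


def simulate_average_winnings(rounds: int, seed: int = 0) -> float:
    """Sample mean of the winnings over many rounds (seeded, so it is reproducible).

    Assumption for illustration: a fixed seed. The mean keeps creeping upward with the
    number of rounds instead of settling, which is the divergence the sum above predicts.
    """
    rng = random.Random(seed)
    return sum(play_once(rng) for _ in range(rounds)) / rounds


if __name__ == "__main__":
    print("ALE for P=0.1, L=$1M:", annual_loss_expectancy(0.1, 1_000_000))
    print("E[winnings] capped at 50 flips:", st_petersburg_expected_value(50))
    eu = st_petersburg_expected_utility(50)
    print("E[log winnings]:", round(eu, 4), "-> fair price $", round(certainty_equivalent(eu), 4))
    print("Mean winnings over 10,000 simulated rounds:", simulate_average_winnings(10_000))
```

The certainty equivalent of $4 is what a player who values money logarithmically should be willing to pay; it is in the same neighbourhood as the few dollars people actually offer, which is the point Bernoulli made about diminishing utility.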

Researchers were puzzled by this apparent discrepancy for many years, but in 1738 the mathematician Daniel Bernoulli described a way to understand it that was based on replacing the monetary gain in this game by "utility," a more generalized way to measure the benefit provided by something of value.6 Utility includes all non-monetary ways in which we might value things. If we prefer a certain brand of car, for example, that preference can be included in our utility for a car, even if

5 I. Hacking, “Strange Expectations,” Philosophy of Science, Vol. 47, No. 4, pp.562-567, 1980.

6 D. Bernoulli, "Specimen theoriae novae de mensura sortis," Commentarii Academiae Petropolitanae, Vol. 5, No. 1730-1, pp. 175-192, 1738. Translated and reprinted as D. Bernoulli, "Exposition of a New Theory on the Measurement of Risk," Econometrica, Vol. 22, No. 1, pp. 23-36, 1954.

28 – ISSA Journal | January 2016

Why Risk Management Is Hard | Luther Martin and Amy Vosters

the dollar value of the car does not reflect this preference. Utility is an easy way to account for all of the emotional and irrational biases that affect how we make decisions. To explain the St. Petersburg paradox, Bernoulli argued that although the monetary gain from longer and longer runs of tails grew very quickly, the utility from it did not, which resulted in a finite level of utility from the game instead of an infinite one. His argument was roughly that the utility that you get from an additional dollar depends on how much money you currently have; in particular, it decreases as the amount of wealth you have increases. If you have no money at all, an additional $100 is very valuable to you: it can be the difference between starving and not starving. But if you have $1 million, an additional $100 is probably not as valuable to you. From this point of view, the utility of the larger and larger gains that a player could win in the St. Petersburg game might not increase as quickly as the dollar value of the gains themselves, and this could easily reduce the infinite expected value of the game to a finite one.

Researchers eventually generalized this idea to the expected utility model.7 In this model, a decision-maker uses an expected utility to make a decision, where the expected utility is the sum, over all possible outcomes, of the probability of each outcome (given by a probability function, denoted P) multiplied by the utility of that outcome (given by some complicated utility function, denoted u). This utility function can represent any factors that might make one outcome preferable to another. It might include financial information, like the dollar value of a loss or gain, but it can also include other information, like which color or brand a person might prefer, things that are better modeled by utility than by a purely financial measure. And just as we might think of the expected value as the average monetary gain or loss from an uncertain event, we can think of expected utility as the average gain or loss in utility from an uncertain event.

Researchers also assumed that utility functions have a certain level of logical consistency. For example, if someone preferred outcome A to outcome B, and preferred outcome B to outcome C, then they would always prefer outcome A to outcome C. Because a utility function can be arbitrarily vague, it might seem reasonable to believe that the expected utility model can explain any behavior at all. But in 1953, Maurice Allais, winner of the 1988 Nobel Prize in Economics, found examples where expected utility theory could not explain the way people behave, no matter how clever a utility function we try to use.8 More precisely, if we use any function from expected utility theory to explain the behavior that Allais noted, we will always end up with an inconsistent result, the so-called Allais paradox. The Allais paradox seemed to indicate that finding a theory that explained how we make decisions under uncertainty was going to be harder than we might have hoped. The fact that it, and many other examples, seemed to conclusively show that the expected utility model did not adequately explain how people actually make decisions led the economists Matthew Rabin and Richard Thaler to recall the "dead parrot" sketch from Monty Python's Flying Circus when they noted that "it is time for economists to recognize that expected utility is an ex-hypothesis."9 The logical consistency required by the expected utility model seemed to make sense, but it ended up being a fatal flaw.

The 1979 work of Daniel Kahneman and Amos Tversky eventually provided a way to make sense of the shortcomings in expected utility theory. This insight was so important that Kahneman shared the 2002 Nobel Prize in Economics for the work that he did with Tversky in this area. (Tversky had unfortunately died by the time the significance of this work was recognized.) Their research led to the development of prospect theory,10 which finally seemed to provide a good framework for understanding the puzzling aspects of how we make decisions in the face of uncertainty. (Kahneman has said11 that the term "prospect theory" was chosen to be intentionally vague, so it should not be surprising if it does not easily suggest what the theory actually describes.)

7 J. Von Neumann and O. Morgenstern, Theory of Games and Economic Behavior, Princeton University Press, 1944.

8 M. Allais, "Le comportement de l'homme rationnel devant le risque: critique des postulats et axiomes de l'école Américaine," Econometrica, Vol. 21, No. 4, pp. 503–546, 1953.

9 M. Rabin and R. Thaler, "Anomalies: Risk Aversion," Journal of Economic Perspectives, Vol. 15, No. 1, pp. 219-232, 2001.

10 D. Kahneman and A. Tversky, "Prospect Theory: An Analysis of Decision under Risk," Econometrica, Vol. 47, No. 2, pp. 263-291, 1979.

11 http://www.nobelprize.org/nobel_prizes/economic-sciences/laureates/2002/kahneman-bio.html.

Prospect theory

Kahneman and Tversky noticed that the results of many different experiments showed the same general patterns: people think in terms of a gain or loss relative to their current state instead of the absolute magnitude of the gain or loss; people discount larger gains, much as Bernoulli's model suggested; and people tend to be averse to losses. To model these observations, prospect theory assumes that people make decisions based on two generalized functions: a weighting function p that generalizes the probability function P from expected utility theory and a value function v that generalizes the utility function u from expected utility theory. And while expected utility theory required a certain level of logical consistency across the utilities assigned to outcomes, prospect theory relaxed this requirement. This seems to make prospect theory a very reasonable next step past expected utility theory. And because it can explain the cases where expected utility theory failed to do so, it seems like a very useful model. The Allais paradox is no longer a paradox if we can explain it using prospect theory, for example.

This is getting dangerously close to the sort of broad and almost-accurate generalization that we make when we say that hot water freezes faster than cold water, but one of the big ideas that made prospect theory more than just a generalization of expected utility theory was that it turned out to have a basis in how our brains operate. In particular, the interaction of two different types of thought processes seems to provide a good basis for what prospect theory describes. One of these processes is fast and intuitive. This type of thinking was popularized by Malcolm Gladwell's book Blink.12 The other is slow and deliberate. The differences between the two ways of thinking were popularized by Daniel Kahneman's book Thinking, Fast and Slow.13 The fast and intuitive way of thinking is attributed to the brain's notional System 1, and the slow and deliberate way of thinking is attributed to the brain's notional System 2. And although the connections in our brains are almost certainly more complicated than what can be easily described by a simple two-system model, fMRI scans of the brain seem to suggest that our brains do function this way, at least at a high level.14

It is easy to tell when our brains engage System 2: our pupils dilate and our heart rate increases.15 Thinking carefully is hard work. Because it is hard, our brains are not fond of the precise thinking that System 2 does, so we tend to just use the fast yet inaccurate System 1 whenever possible. And this includes many situations where System 1 tends to give us the wrong answer. This can be illustrated by the so-called Moses illusion: when asked "How many animals of each kind did Moses take onto the ark?" most people do not notice that it is a trick question designed to take advantage of the way our brains operate.16 Moses took no animals onto the ark; Noah did. But because both Moses and Noah are biblical characters, the question passes the limited level of plausibility checking that System 1 does, and most people give the wrong answer. Similarly, most people incorrectly answer the bat-and-ball problem: a ball and bat together cost $1.10, the bat costs $1 more than the ball, how much does the ball cost? Even people who are very proficient at algebra often give the incorrect answer of $0.10.17 (The correct answer is that the ball costs $0.05.) But because this incorrect answer passes the limited plausibility checking that System 1 does (it "looks" right, doesn't it?), most people are unwilling to expend the additional effort that engaging the careful and analytic System 2 requires, even though it is typically needed to find the correct answer.

The fast but inaccurate System 1 seems to significantly affect how we make decisions under uncertainty. This influence is shown in figure 1. In the absence of any input from System 1, we should expect our precise and analytic System 2 to put the same emotional value on an outcome, v(x), as the monetary value x of the outcome. This is shown by the dashed line in figure 1. As prospect theory suggests, the zero point for value in this graph represents the reference point from which we measure gains and losses, not the absolute quantity of interest. If we were perfectly rational, there would be no difference between the way that we make decisions with and without accounting for our irrational biases, and the dashed line in figure 1 shows how this situation would look: the value v(x) of an outcome exactly matches the purely monetary value x of the outcome. But because we do not think perfectly rationally, we deviate from this ideal, and we deviate from it in different ways for gains than for losses. For gains (the part of the graph to the right of the origin, the O point), the lower values that we give to larger and larger gains reflect the diminishing utility that Bernoulli used to explain the St. Petersburg paradox. For losses (the part of the graph to the left of the origin), the much steeper drop in value reflects the fact that we seem to be hard-wired to be averse to losses, so that a loss of a given size hurts more than a gain of the same size pleases, something that was probably very useful for ensuring our survival in ancient times.

Figure 1 – Value v(x) vs. monetary gain or loss x according to prospect theory

12 M. Gladwell, Blink: The Power of Thinking without Thinking, Back Bay Books, 2007.

13 D. Kahneman, Thinking, Fast and Slow, Farrar, Straus and Giroux, 2012.

14 V. Goel and R. Dolan, "Explaining modulation of reasoning by belief," Cognition, Vol. 87, No. 1, pp. B11–B22, 2003.

15 D. Kahneman, Attention and Effort, Prentice-Hall, 1973.

16 T. Erickson and M. Mattson, "From words to meaning: A semantic illusion," Journal of Verbal Learning and Verbal Behavior, Vol. 20, No. 5, pp. 540–551, 1981.

17 S. Frederick, "Cognitive Reflection and Decision Making," Journal of Economic Perspectives, Vol. 19, No. 4, pp. 25-42, 2005.
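Figure 1 in code, as an added example that is not part of the original article: the value function v(x) with diminishing sensitivity to gains and a steeper loss branch, and the probability weighting function that takes the place of P. The functional forms and the parameter values (exponent 0.88, loss-aversion coefficient 2.25, weighting exponents 0.61 for gains and 0.69 for losses) are the median estimates Tversky and Kahneman reported in their 1992 cumulative prospect theory paper, not values the article gives; the security decision they are applied to, keeping or dropping a control whose annual cost exceeds its benefit, is a constructed scenario with assumed dollar figures in millions.

```python
from typing import Iterable, List, Tuple

# Tversky & Kahneman (1992) median parameter estimates; assumed here, not from the article.
ALPHA = 0.88       # curvature of the gain branch of v(x)
BETA = 0.88        # curvature of the loss branch of v(x)
LAMBDA = 2.25      # loss aversion: a loss weighs about 2.25x a gain of the same size
GAMMA_GAIN = 0.61  # probability-weighting exponent for gains
GAMMA_LOSS = 0.69  # probability-weighting exponent for losses

Prospect = Iterable[Tuple[float, float]]  # (probability, outcome relative to the reference point)


def value(x: float) -> float:
    """Prospect-theory value function: concave for gains, convex and steeper for losses."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * (-x) ** BETA


def weight(p: float, gamma: float) -> float:
    """Inverse-S probability weighting: overweights small p, underweights moderate and large p."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return p ** gamma / (p ** gamma + (1.0 - p) ** gamma) ** (1.0 / gamma)


def expected_value(prospect: Prospect) -> float:
    """The System 2 / ALE answer: sum of probability times monetary outcome."""
    return sum(p * x for p, x in prospect)


def prospect_value(prospect: Prospect) -> float:
    """Cumulative prospect theory value of a prospect.

    Gains are ranked best-first and losses worst-first; each outcome's decision weight is
    the difference of the weighting function at successive cumulative probabilities, so a
    single gain with probability p simply gets weight(p, GAMMA_GAIN).
    """
    outcomes: List[Tuple[float, float]] = list(prospect)
    gains = sorted(((p, x) for p, x in outcomes if x > 0), key=lambda t: -t[1])
    losses = sorted(((p, x) for p, x in outcomes if x < 0), key=lambda t: t[1])
    total = 0.0
    for ranked, gamma in ((gains, GAMMA_GAIN), (losses, GAMMA_LOSS)):
        cumulative = 0.0
        for p, x in ranked:
            upper = min(1.0, cumulative + p)  # guard against floating-point overshoot
            total += (weight(upper, gamma) - weight(cumulative, gamma)) * value(x)
            cumulative = upper
    return total


# Constructed scenario (all figures in $ millions per year, assumed for illustration):
# dropping a control saves $3M in licence and operations cost for certain, but leaves a
# 10 percent chance of an incident that costs $10M more than it would have with the control,
# so the net outcomes are +3 with probability 0.9 and -7 with probability 0.1.
DROP_CONTROL = [(0.9, 3.0), (0.1, -7.0)]
KEEP_CONTROL = [(1.0, 0.0)]  # the status quo is the reference point


def recommend(prospect: Prospect, use_prospect_theory: bool) -> str:
    """Compare an option against the status quo under either decision model."""
    score = prospect_value(prospect) if use_prospect_theory else expected_value(prospect)
    return "take the option" if score > 0 else "keep the status quo"


if __name__ == "__main__":
    print("v(+3M) =", round(value(3.0), 2), " v(-3M) =", round(value(-3.0), 2))
    print("EV of dropping the control:", round(expected_value(DROP_CONTROL), 2),
          "->", recommend(DROP_CONTROL, False))
    print("PT value of dropping the control:", round(prospect_value(DROP_CONTROL), 3),
          "->", recommend(DROP_CONTROL, True))
```

On these numbers the expected-value model says drop the control (net +$2M a year), while the prospect-theory model gives the same option a negative value: the 10 percent loss is overweighted and, through the loss-aversion coefficient, hurts about 2.25 times as much as an equal gain. The same functions show the discounting of gains on the right of figure 1: a sure $3M is valued at about 2.6 in the units where the dashed line would give 3.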

Why this matters

Individuals should feel free to make decisions that only affect them based upon their personal preferences instead of on a precise and analytic metric. If you prefer a red car, you should feel free to buy a red car, even if it costs more than an identical blue model. But when we are making decisions about how to make investments in information security technologies, we need to be more careful. These types of decisions need to be as precise and analytic as possible.

We need to ensure that we are making the best possible investments if we want to get the best possible advantage from our limited information security budgets. And we need to ensure that we are getting the best possible advantage from the overall investment in information security, because the same funding might be put to a better use in another part of a business. But these are also the very types of decisions that our brains do not handle well. Research has even suggested that our initial emotional response is often different from what we would decide after a careful and thoughtful review of all of the facts.18 So, although falling prey to the quirks of how our brains work is very easy to do and very hard to avoid, it is definitely worth trying to avoid.

Even though it seems that our brains do not use an expected value calculation to assign relative values to uncertain outcomes, this is the best possible way to compare investments in information security technologies, where we are more concerned with maximizing the return on the investments than with doing things that we would like or prefer to do. This means that we need to make an effort to carefully gather data that is as accurate as possible and to use that data in models that are as accurate as possible to get the best decision on what investments to make.

For a security-relevant application of how the biases described by prospect theory can affect the decisions that we make, consider the 2000 Stanford doctoral dissertation of Kevin Soo Hoo,19 in which he did a careful cost-benefit analysis of many information security technologies.
His results were somewhat surprising: some technologies that are widely used seem to be hard to justify, while other technologies that are not widely used seem to be easy to justify. And while no one has taken the time and effort to argue that Soo Hoo's results are inaccurate or incorrect, they are widely ignored by the information security community. Perhaps prospect theory can explain this behavior.

First, Soo Hoo's work involved analyzing data and building mathematical models from it. This is clearly the sort of material that requires us to use our System 2 thinking to understand, and that is something that we generally do not want to do. Because of this, we should not find it surprising that very few people have spent the time and effort needed to understand these models.

And consider what might happen if we were to do what Soo Hoo's analysis suggests. In one case, we could adopt new technologies that are not currently used. In this case, there are possible gains from using these additional technologies. But we are inclined to discount these potential gains, perhaps valuing a $3 million savings as if it were only a $2 million savings, possibly making the new technologies seem less appealing than they should. In the other case, we could discontinue the use of the technologies that may not be worth using because they cost more than the benefits that they provide. If we did this, it is possible that hackers could take advantage of the reduced defenses. In fact this is almost certain to happen, but Soo Hoo's analysis tells us that the cost of the additional damage caused by this is probably less than the cost of using the discontinued technologies. But because we are strongly averse to losses, it should not be surprising that we are inclined not to follow this particular recommendation.

So, even if Soo Hoo's results are correct, we should not be surprised that they have not been generally read, understood, or acted upon by the information security industry. In fact, we should expect the opposite, that they would generally not be read, understood, or acted on, which is indeed what we have seen.

Understanding the limitations imposed by how we think can have many other benefits. The book Judgment in Managerial Decision Making, by Max Bazerman and Don Moore, provides a good overview of the cognitive errors that people tend to make as well as ways to prevent them. One of the most significant of these is overconfidence, which the authors call "the mother of all biases," and it often causes IT projects to fail. Most software projects fail in some way, and information security projects are no exception to this general rule. The Standish Group, a specialized IT consultancy, has tracked how successful software projects are since its founding in 1985. Since 1995 it has published its annual CHAOS Report, which tracks how successful software projects are and what factors contribute to the failure of unsuccessful projects. The Standish Group has consistently found that software projects typically end up challenged in some way: they end up taking longer than anticipated, costing more than budgeted, or delivering fewer capabilities than originally planned. Unrealistic expectations are often a contributing factor to failed projects, and this can often be explained by the cognitive bias of overprecision, one way in which overconfidence is manifested.

Overprecision is the tendency to be overly sure that our judgments are accurate. We tend not to test our assumptions and to dismiss evidence that suggests that we might be wrong. As a result, we tend to estimate overly narrow confidence intervals for the cost and schedule of projects, for example. Instead of estimating that a project might take 12 months, with a 90 percent chance of it being completed in the range of 6 to 18 months, we might make a much more precise estimate that is not very realistic, perhaps estimating a range of 10 to 14 months for this project. But if the wider interval is a more accurate reflection of reality, we will often see the narrower estimate turn out to be wrong. A project that ends up taking 16 months is in the range of expected values for the wider interval, but not for the narrower one. So an inaccurate estimate for how long the project should take can make the difference between an apparent success and an apparent failure.

Overconfidence can be a particularly insidious problem because the people who are affected the most by it are also the same people who are the most unaware that it is a problem for them. This was noted by Justin Kruger and David Dunning in 1999,20 although people probably suspected that this was the case for hundreds of years before its first careful description: people who do not know what they do not know are often trouble.

Summary

Prospect theory is a logical next step in the evolution of how we understand decision making under uncertainty, but it is also clearly inadequate in some ways. It assumes that people make decisions based on the short-term emotional impact of decisions instead of on the potential long-term implications of the decisions. And it does not account for how the very real emotions of disappointment and regret affect our decision-making. Theories that model these additional factors are more complicated than prospect theory and do not yet offer any significant advantages over it. Because of this, prospect theory has become the leading model for explaining decision-making under uncertainty, but it is certainly possible that it will be replaced by a different model in the future. Until then, it provides a good way to understand many of the errors that we will tend to make. We are not as smart as we would like to be, but if we are careful, we can be smart enough to avoid the problems that our brains can cause us.

It is fairly common to hear that to be successful in the information security industry, you need to understand how your adversaries think. Perhaps it is equally important to understand how people think. When we do that, we can do a reasonable job of avoiding our built-in biases and allocate resources in ways that create the best possible information security solutions.

18 M. Bazerman, A. Tenbrunsel and K. Wade-Benzoni, "A behavioral decision theory perspective to environmental decision making," in D. Messick and A. Tenbrunsel (eds.), Ethical Issues in Managerial Decision Making, Russell Sage, 1998.

19 K. Soo Hoo, ibid.

20 J. Kruger and D. Dunning, "Unskilled and Unaware of It: How Difficulties in Recognizing One's Own Incompetence Lead to Inflated Self-Assessments," Journal of Personality and Social Psychology, Vol. 77, No. 6, pp. 1121-1134, 1999.

About the Authors

Luther Martin is a Distinguished Technologist at Hewlett Packard Enterprise. You can reach him at [email protected]. Amy Vosters is a marketing manager at SOASTA. You can reach her at [email protected].

Securing the Cloud
By Barettè Mort – ISSA member, North Texas Chapter

This article discusses cloud environments and focuses on security issues in the areas of availability, privacy, and reliability.

Abstract
Research was performed to identify security risks and vulnerabilities of cloud computing. This article will discuss cloud environments and focus on security issues in the areas of availability, privacy, and reliability. Although the challenges of cloud computing are underscored by the ongoing rapid advancement of technology, the community is encouraged to plan proper layers of defense and continually seek prospective solutions and opportunities.

Cloud computing has numerous advantages: the ability to store and access data from any location or device, and the ability to run applications, work remotely, back up data, store photos, share files, perform data analytics, and more over the Internet. However, it inherits many of the Internet's weaknesses and vulnerabilities. Cloud computing is defined by National Institute of Standards and Technology (NIST) Special Publication 800-145 as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.1 NIST SP 800-145 also highlights the key characteristics that distinguish cloud computing from the traditional information technology (IT) networked environment: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Scalability and flexibility are additional benefits, and they come with less up-front financial commitment from consumers.

Layers of the cloud support and deliver different services. These layers, referred to as service models, are known as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) [18]. IaaS consists of components such as hardware, network, and operating systems. The vendor possesses ultimate control over the infrastructure, and the user has capabilities such as managing storage, performing backups, or deploying virtual machines (VMs). At the IaaS level, the user also assumes responsibility for securing everything it deploys on that infrastructure, from the guest operating system up. With PaaS the vendor provides platform services that rest on top of IaaS and offers capabilities such as databases, web servers, runtime environments, and software applications. The user can use these capabilities for purposes such as developing software, source control, and database design. In this environment the system tools are usually provided, maintained, and supported by the PaaS vendor. SaaS provides the user with tools such as games, email, and virtual desktops. SaaS users have no control over the infrastructure or the application platform and access the service via the Internet [17]. There are networks connecting these service models, and depending on how a specific user is accessing the layers, they can be supporting, consuming, or providing services. A visual description and additional examples of the functions of each service model are shown in figure 1 [15].

Figure 1 – Service model functionality

Cloud architectures are made available via public, private, community, and hybrid deployment models [18]. Anyone with a network connection can access a public cloud. Private clouds are restricted to a certain set of users and are usually operated for a single organization. Community clouds consist of a group of organizations which all work together to achieve a common goal. They are all owners; therefore, elements of the cloud are agreed upon by all in the community before being defined or implemented as a part of the structure. Hybrid clouds can be a mixture of any of the available cloud deployment models. The term "cloud" is a good, yet simple, way to describe the huge presence and impact it has. The concerns and challenges are ongoing in an effort to define an environment that is not fully formed or trusted. The major security risks of cloud computing are availability, privacy, and reliability.

1 The NIST Definition of Cloud Computing – http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.

Availability concerns

Data must be readily available when a user attempts access. This protection of data and system functionality covers a variety of potentially exploitable areas, for example physical location, physical access, and logical access.

The IaaS layer infrastructure and related data are possibly located in locations unknown to the user, and availability may be ultimately dependent on the vendor. The user relies on the vendor to keep the systems operating. To ensure that physical and logical access is safeguarded, the system must be protected from both intentional and unintentional misuse. To prevent malicious insider threats, highly qualified personnel with verified background checks should be responsible for configuring and maintaining the network and its services [1]. The personnel who guard and have access to the facility must also be verified. Personnel have access to both the physical and logical components and are familiar with the environment; therefore, continuous verification of personnel allows a vendor to maintain trustworthy and knowledgeable people as well as helping to keep them honest.

The probability of natural disasters, elements of nature, insider threats, and system power failures affecting operations has to be considered. The data centers where information is stored must be physically sound, and supporting materials must be carefully planned when being constructed or remodeled to protect against attacks that are both human and nature related [9]. Hardware at the IaaS level may be the most tangible component and as such falls under the same protection levels as all physical resources. Loss of data or failure of a system remains a real possibility.

Both internal and external threats to IT networks are on the rise. According to Verizon's 2015 Data Breach Investigations Report, of the companies surveyed, in 38 percent of cases it took attackers seconds to compromise a system, and in 28 percent of cases it took attackers minutes to extract data [3]. The vulnerabilities that allow this type of compromise are very common on a LAN or WAN and are just as common in the cloud. The difference is that what is advertised as a benefit of cloud computing can also help an exploited vulnerability spread. Take, for example, operating system vulnerabilities; they are usually published on the websites of the applicable operating system or highlighted on "dark" websites. For nearly every known operating system, there are multiple known vulnerabilities. An operating system vulnerability exploited in a cloud computing environment could have a severe impact.

Data, when requested, must be accessed and possibly passed to a service for processing before being delivered. At the IaaS and PaaS levels, data location is a common cause for concern. There are laws and regulatory compliance requirements that may restrict where data is stored. This also applies to backups and archives. Data accessed at these levels may not all be within the same state or country. Disregarding such regulations will usually result in fines and penalties.

At the SaaS layer, the average user can conveniently interact with the service, but attackers can also exploit weaknesses to obtain confidential, sensitive, secret, and personal information. Loss of data can result from a malicious attack, an insider threat, or an accidental deletion. A huge benefit of the cloud for a user is the ability to store and back up data. However, when users do not adhere to proper backup practices, accidental deletion can cause them to lose their data. Security flaws within the client environment that expose the system to exploitation can also result in a malicious attack. Weak passwords, phishing scams, and malicious code can put data in danger of being lost, stolen, or made inaccessible. Users would benefit from the recommendations of NIST publications, which call for the use of varied multi-factor authentication methods—something you know, something you have, and something you are—with mitigation suggestions for each factor [4]. Insider threat actions can result in compromise or destruction of information or disruption of services. The best counters to insider threat are security education, training, and awareness (SETA) and continuous monitoring tools implemented on sound security policies and procedures.
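The three factors above are usually combined by pairing a password (something you know) with a one-time code from a device the user holds (something you have). The Go program below is an added example and not part of the original article: it implements the time-based one-time password (TOTP) algorithm from RFC 6238 on top of the HOTP construction from RFC 4226, and shows the server-side checks a practitioner wants around it: a window of one step either side for clock skew, constant-time comparison, and rejection of a code whose step has already been accepted. The shared secret is the RFC 6238 test-vector secret used as a constructed demo value, not a real key; the window size and the replay-tracking convention (`lastUsed`) are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"strconv"
	"time"
)

// hotp computes an RFC 4226 one-time password for a shared secret and counter.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code) // zero-padded to the requested length
}

// totp derives the moving factor from a Unix time and a step length (30 s is
// the RFC 6238 default) and delegates to hotp.
func totp(secret []byte, unix int64, period int64, digits int) string {
	return hotp(secret, uint64(unix/period), digits)
}

// verifyTOTP is the server-side check. It accepts the current step and one
// step either side to tolerate clock skew, compares in constant time, and
// refuses any step at or below lastUsed (the highest step already accepted,
// 0 if none) so a captured code cannot be replayed inside the window.
// It returns whether the code was accepted and the updated lastUsed value.
func verifyTOTP(secret []byte, submitted string, unix int64, lastUsed uint64) (bool, uint64) {
	const period, digits = 30, 6
	if len(submitted) != digits {
		return false, lastUsed
	}
	if _, err := strconv.Atoi(submitted); err != nil {
		return false, lastUsed
	}
	step := unix / period
	for _, delta := range []int64{0, -1, 1} {
		c := uint64(step + delta)
		if c <= lastUsed {
			continue
		}
		expected := hotp(secret, c, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true, c
		}
	}
	return false, lastUsed
}

func main() {
	// RFC 6238 test secret, a constructed demo value; a real deployment
	// provisions a random per-user secret and stores it encrypted.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6)
	ok, used := verifyTOTP(secret, code, now, 0)
	fmt.Printf("code %s accepted=%v step=%d\n", code, ok, used)
	ok, _ = verifyTOTP(secret, code, now, used) // same code again: refused as replay
	fmt.Printf("replay accepted=%v\n", ok)
}
```

The second factor only helps if the secret never leaves the server unencrypted and the verifier rejects reuse; the `lastUsed` check is what turns a code seen in transit into a dead value the moment it has been accepted once.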

Privacy concerns

Data must be protected at all times: at rest, in transit, and during processing. In a properly designed system, data is expected to be received in an encrypted format, processed in a protected environment, and encrypted again before being returned or pushed forward. The challenges here include the system performance cost of encryption, the inability to process data while it is encrypted, and isolation failures.


34 – ISSA Journal | January 2016

Securing the Cloud | Barettè Mort


System performance typically suffers when proper encryption, system hardening, and multiple layers of security are part of the security approach. This affects performance across all service models—IaaS, PaaS, and SaaS. This trade-off is to be expected, but many vendors may overlook it in exchange for better performance rates. If users cannot access data quickly, they may resist using the service. Data at the IaaS level can be encrypted in both "at rest" and "in transit" states [5]. Data cannot be processed in an encrypted format. At the PaaS and SaaS levels, unencrypted or poorly encrypted data leave a system with multiple points of fragility. Data at both the SaaS and PaaS levels remain unencrypted because encrypted data would prevent functionality such as indexing, searching, and mathematical operations [5]. Client data at the SaaS level are more vulnerable to compromise and are subjected to malicious attacks.

The IaaS, PaaS, and SaaS environments are where the distinction between tenants, users, and organizations is made by specifying space to allow for multi-tenancy, allowing multiple tenants to share the same resource. Isolation failure becomes a problem when one or more tenants have access to the resources of another tenant, whether processing power or data. Virtual machines (VMs) are a valuable asset when trying to avoid isolation failure: each VM instance creates a separate environment for each tenant. Proper system configurations and settings on hardened machines are needed to avoid isolation failure. Virtualization creates copies of a configured system. When a VM is configured improperly, inadequately hardened, or contains out-of-date patches, the vulnerabilities can multiply significantly.
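The statement above, that encrypted data cannot be indexed or searched, holds for arbitrary queries but not for exact-match lookup. The Go program below is an added example, not code from the article or from any vendor it names: it keeps each sensitive field as AES-256-GCM ciphertext at rest and stores beside it a keyed HMAC-SHA256 "blind index", so equality searches run against the index column while no ciphertext is decrypted during the search. The keys are constructed for the demo, and the `Record` layout and function names are this example's assumptions. Range queries and arithmetic over the field remain unavailable, which is consistent with the text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Record is one stored row: the sealed sensitive field plus a keyed-hash
// "blind index" that permits exact-match lookup without decrypting anything.
type Record struct {
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag
	BlindIndex string // hex(HMAC-SHA256(indexKey, plaintext))
}

// newGCM wraps a 32-byte key as AES-256-GCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt seals plaintext under a fresh random nonce and prepends the nonce
// so each row is self-describing.
func encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt opens a row produced by encrypt; any change to nonce, ciphertext
// or tag fails authentication and yields an error instead of plaintext.
func decrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// blindIndex is a deterministic keyed hash of the value. Equal plaintexts give
// equal indexes, which is what makes equality search work; the key stops anyone
// who can read the index column from guessing values offline, which a plain
// hash of an e-mail address or account number would allow.
func blindIndex(indexKey []byte, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// store builds the row for one value using separate encryption and index keys.
func store(encKey, indexKey []byte, value string) (Record, error) {
	ct, err := encrypt(encKey, []byte(value))
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, BlindIndex: blindIndex(indexKey, value)}, nil
}

// search returns the positions of rows whose field equals query. Only the
// index column is consulted; no ciphertext is decrypted during the search.
func search(indexKey []byte, rows []Record, query string) []int {
	want := blindIndex(indexKey, query)
	var hits []int
	for i, r := range rows {
		if r.BlindIndex == want {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	// Constructed demo keys; in production both come from a KMS or HSM.
	encKey, indexKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(indexKey)
	var rows []Record
	for _, v := range []string{"alice@example.com", "bob@example.com", "alice@example.com"} {
		r, err := store(encKey, indexKey, v)
		if err != nil {
			panic(err)
		}
		rows = append(rows, r)
	}
	fmt.Println("rows equal to alice@example.com:", search(indexKey, rows, "alice@example.com"))
	pt, err := decrypt(encKey, rows[1].Ciphertext)
	fmt.Printf("row 1 decrypts to %q (err=%v)\n", pt, err)
}
```

Two design points matter here. The index key must differ from the encryption key and be held by the application tier, not the database, otherwise a database compromise yields a dictionary oracle. And because the index is deterministic, it leaks which rows share a value; that is the price of searchability, and it is why only fields that genuinely need exact-match lookup should get an index.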
Using the PaaS model as an example, virtual machine environments (VMEs) are instituted in combination with data; when resources are utilized, the possibility of data recovery may arise through memory and storage resources. Some server disks may be reused or recycled, but if not sanitized properly, they may contain residual data [10]. Digital Ocean Cloud, a New York-based cloud infrastructure provider, found that scrubbing hard drives after a VM instance was deleted caused performance degradation. After this finding, the company stopped scrubbing user data from its hard drives after users deleted a VM instance. What Digital Ocean then found was that other users could potentially access data on the "un-scrubbed" drive [14]. The scrubbing process is difficult and tedious to perform in a cloud computing environment, but it does securely remove residual data.

Reliability concerns

Cloud security depends on data integrity and system reliability. Data integrity practices ensure that no unauthorized changes have been made to the data. With IaaS the vendor is responsible for data integrity, whereas in PaaS and SaaS both the vendor and the users are responsible for data integrity [12]. System reliability demonstrates that dependable system techniques are exercised. These techniques ensure a functioning system and an associated system status. Many traditional IT methods are buried in the cloud environment. Ensuring that only known and authorized devices and users are connected to the network in a cloud setting helps maintain the reliability of a system by supporting auditing and monitoring. In performing these tasks, the system is aware not only of who or what is connected and whether it is allowed, but also of who or what is not allowed and the means of entry [11].

At the IaaS level, layered network security is required both externally and internally, including firewalls, packet inspection, monitoring, and auditing. The external network environment will require a demilitarized zone (DMZ) and access to virtual private networks (VPNs) for personnel connecting from outside locations. The internal network will house an intrusion detection system (IDS) and an intrusion protection system (IPS) for monitoring the networks. Continuous efforts to prevent attacks will require test teams to be established for vulnerability and penetration testing of all service levels. The system monitors network traffic, usage of system resources, management of the system, and management of security and availability. The configuration management component of a cloud environment must be introduced with processes that verify, with certainty, that what makes and defines a system is documented, reproducible, and comparable to an audit log or a system image.

There are, however, vulnerabilities of cloud computing at the service levels that are unique to the cloud. When multiple operating systems run on a host computer that has VM capabilities, a virtualization management tool known as a hypervisor is used. There are two types of hypervisors, native and hosted.
Depending on which type the vendor uses, the hypervisor may sit between the hardware and the VM, or between the operating system and the VM. The Type 1 hypervisor shown in figure 2 [13] is the native hypervisor. It resides directly above the hardware components and is responsible for providing virtual memory and CPU scheduling policies [8]. The Type 2 hypervisor is the hosted hypervisor. It resides directly above the operating system.

Figure 2 – IBM, hypervisor differences

Hyperjacking is a weakness introduced to the operating system by an attacker via a rogue hypervisor. It is an opportunity for an attacker to take advantage of the hardware and the VM. When a rogue hypervisor is introduced on an operating system, it usually cannot be detected because it runs beneath the operating system and in a very stealthy manner to compromise the server. Virtualization can compound these opportunities in that each time a new environment instance is created, the same weaknesses for the operating system within the environment are created again. Virtualization is subject to stasis, which means VMEs that are pre-configured exactly like all of the other VMEs are susceptible to attack regardless of whether they have been exploited yet. "Technologies such as virtualization mean that network traffic occurs on both real and virtual networks… Such issues constitute a control challenge because tried and tested network-level security controls might not work in a given cloud environment" [10].

Precariously configured web services or less-than-strict application development at the IaaS and PaaS level can compromise data integrity and system reliability, particularly in the area of application programming interfaces (APIs), which are developed for integration of cloud components. There are numerous types of APIs for operating systems, applications, websites, and software solutions. There are several concerns surrounding APIs: vulnerabilities in the system calls, data connections, and data queries, if present, can cause data to be modified.

The user at the SaaS level has little or no control over the infrastructure but is responsible for some security of the system. Multi-factor authentication as defined by the NIST Electronic Authentication Guideline [4] should be used to prevent client-side threats in a private cloud.
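Two points in this section call for the same control: configuration management that is "documented, reproducible, and comparable to an audit log or a system image", and VMEs cloned from one template that inherit whatever the template got wrong. The Go program below is an added example, not the article's own code: it hashes a hardened golden-image configuration into a manifest and compares a live instance against it, reporting modified, added, and removed files so drift from the baseline is visible to auditing and monitoring. The sample file set is constructed, and the manifest format and function names are this example's assumptions; in practice the baseline manifest would be signed and the live hashes read from the running instance.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps a configuration path to the SHA-256 of its expected content.
// A signed copy of this map is the "documented, reproducible" record of what
// defines the system; the running system is compared against it.
type Manifest map[string]string

// Drift is the result of comparing a live system with its baseline.
type Drift struct {
	Modified []string // present in both, content differs
	Added    []string // on the system but not in the baseline
	Removed  []string // in the baseline but missing from the system
}

// hashContent returns hex(SHA-256(content)).
func hashContent(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// buildManifest hashes every file of a configuration set. The set is held
// in memory here; a real collector would read the paths from the instance.
func buildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, content := range files {
		m[path] = hashContent(content)
	}
	return m
}

// compare reports every difference between baseline and live. Results are
// sorted so the report is stable and can itself be hashed or diffed over time.
func compare(baseline, live Manifest) Drift {
	var d Drift
	for path, want := range baseline {
		got, ok := live[path]
		switch {
		case !ok:
			d.Removed = append(d.Removed, path)
		case got != want:
			d.Modified = append(d.Modified, path)
		}
	}
	for path := range live {
		if _, ok := baseline[path]; !ok {
			d.Added = append(d.Added, path)
		}
	}
	sort.Strings(d.Modified)
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	return d
}

// Clean is true when the live system matches the baseline exactly.
func (d Drift) Clean() bool {
	return len(d.Modified)+len(d.Added)+len(d.Removed) == 0
}

func main() {
	// Constructed sample: a hardened golden image and an instance that drifted.
	golden := map[string][]byte{
		"/etc/ssh/sshd_config":            []byte("PermitRootLogin no\nPasswordAuthentication no\n"),
		"/etc/sysctl.d/99-hardening.conf": []byte("net.ipv4.ip_forward = 0\n"),
	}
	live := map[string][]byte{
		"/etc/ssh/sshd_config":            []byte("PermitRootLogin yes\nPasswordAuthentication no\n"),
		"/etc/sysctl.d/99-hardening.conf": []byte("net.ipv4.ip_forward = 0\n"),
		"/etc/cron.d/nightly-sync":        []byte("0 3 * * * root /usr/local/bin/sync.sh\n"),
	}
	d := compare(buildManifest(golden), buildManifest(live))
	fmt.Printf("clean=%v modified=%v added=%v removed=%v\n", d.Clean(), d.Modified, d.Added, d.Removed)
}
```

Run against every clone of a template, the same comparison also answers the stasis problem raised above: if the golden image itself is found wanting, the manifest tells you exactly which instances still carry the flawed file and which have already been corrected.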

Standards to be applied

The need for well-defined standards remains a necessity for systems and data within the cloud computing environment. Cloud computing standards for security haven't been created [16]. The lack of standards for providers creates a more unstable environment for systems, data, security, and users. NIST calls for the standardization of interoperability, portability, security, performance, and accessibility [15]. The Cloud Standards Customer Council [6] recognizes the need for interoperability and portability.

NIST indicates that standardization of interoperability allows for the discovery of key interoperability requirements and features [15]. Interoperability is the ability of different systems to interact and communicate in a common manner. A service, application, or system may access data or services differently, but it will not impede the operations of other services, applications, or systems. Interoperability challenges affect all service models; however, SaaS is most impacted, as there are only a small number of APIs for SaaS applications. Standardization of this practice would allow a customer to swap vendors with little effect on its service, application, or system [6]. Take, for example, APIs; they may be custom developed for a specific vendor environment and interact with explicit components. If these components are not standard, the consumer will not have a choice outside of the current vendor, as these components will not be able to communicate with components of another vendor.

Portability addresses the ability to move code or data between vendors without having to rewrite existing code or reformat data. Portability concerns are present in both IaaS and PaaS but are more prevalent in PaaS due to the varying services offered across PaaS vendors. Standardization of portability and interoperability will lessen the occurrence of vendor lock-in. Consumers will benefit from the standards, as they will provide alternatives among cloud vendors. Industry will benefit from the regulations, as it will be able to better identify security goals and strategies as well as encourage innovation.

Evaluating the trade-off between protecting the data and the cost of protecting it introduces risk management. Using the NIST Risk Management Framework [7] as the basis for a risk management plan, coupled with business processes and regulatory, legal, and compliance requirements, will allow a continuous evaluation of the cloud security life cycle (figure 3). A continuous evaluation allows the risk management plan to adapt and grow as technology expands while ensuring that security is evaluated.

Figure 3 – NIST Risk Management Framework

NIST is an organization valued for the measurements, tech-nology, standards, and procedures that are needed to ensure that the United States continues to advance and stay compet-itive in the fields of technology and industry. “Categorize” allows for the identification, process, storage, and transmittal of the system or data. “Select” focuses on capturing an initial set of baseline security controls based on how the system or systems have been grouped. “Implement” expects the secu-rity controls to be in place with supporting documentation of how the controls were placed. “Assess” looks at the system with respect to the controls to determine if the procedures put in place are affective and producing expected results. “Authorize” establishes whether the risks within the system are satisfactory or unacceptable. “Monitor” maintains securi-

36 – ISSA Journal | January 2016

Securing the Cloud | Barettè Mort

Page 37: Promoting Public Cloud Workload Security: Why Risk ... · 33 Securing the Cloud By Barettè Mort – ISSA member, North Texas Chapter This article discusses cloud environments and

* Name _____________________________________________________ Certifications ___________________________________

* Employer ___________________________________________________ * Email ________________________________________

Job Title ___________________________________________________ * Preferred phone number for receiving calls: (choose one)

* Preferred address for receiving mailing (choose one): n Home n Professional n Home n Mobile n Professional

* Address 1 __________________________________________________ * Phone ________________________________________

Address 2 __________________________________________________ Fax _________________________________________

* City ________________________________ State/Province ___________ * Country ____________ * Zip/Postal Code _____________

In order to obtain personal information and account access over the phone, ISSA Member services will ask your provided security question.

* Security Question: _____________________________________________ * Security Answer: ________________________________

* Only Online Journal: n Yes n No Annual general membership dues of $95 per year include $28 for a one-year subscription to the ISSA Journal.

ISSA Code of EthicsThe primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association. As an applicant for membership and as a member of ISSA, I have in the past and will in the future:

• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;

• Promote generally accepted information security current best practices and standards; • Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the

course of professional activities; • Discharge professional responsibilities with diligence and honesty; • Refrain from any activities which might constitute a conflict of interest or otherwise damage the

reputation of employers, the information security profession, or the Association; and • Not intentionally injure or impugn the professional reputation of practice of colleagues, clients, or

employers.

Signature __________________________________________ Date ______________

To enable us to better serve your needs, please complete the following information:

Your Industry (Select only ONE number from below and enter here) _______________________________

A. Advertising/Marketing J. Engineering/Construction/Architecture S. Manufacturing/Chemical B. Aerospace K. Financial/Banking/Accounting T. Medicine/Healthcare/Pharm. C. Communications L. Government/Military U. Real EstateD. Computer Services M. Hospitality/Entertainment/Travel V. Retail/Wholesale/Distribution E. Security N. Information Technologies W. Transportation/Automobiles F. Consulting O. Insurance X. Energy/Utility/Gas/Electric/Water G. Education P. Internet/ISP/Web

Y. Other ___________________ H. Computer Tech-hard/software Q. Media/Publishing I. Electronics R. Legal

Your Primary Job Title (Select only ONE number from below and enter here) _________________________ 1. Corporate Manager/CIO/CSO/CISO 9. Operations Manager 17. Engineer 2. IS Manager/Director 10. Operations Specialist 18. Auditor 3. Database Manager, DBA 11. LAN/Network Manager 19. President/Owner/Partner 4. Database Specialist, Data Administrator 12. LAN/Network Specialist 21. Financial Manager 5. Application Manager 13. Security Specialist 22. Administrator 6. Applications Specialist 14. Contingency Planner 23. Educator 7. Systems/Tech Support Manager 15. Sales/Marketing Specialist

24. Other________________8. Systems Programmer/Tech Support 16. Independent Consultant

Your Areas of Expertise (List all that apply) ______________________________________A. Security Mgmt Practices E. Security Architecture I. Operations Security B. Business Continuity/Disaster Recovery F. Applications/Systems Development J. Physical Security C Network Security G. Law/Investigations/Ethics K. Telecommunications Security D. Access Control Systems/Methods H. Encryption L. Computer Forensics

ISSA Membership ApplicationReturn completed form with payment. * Required Entries

ISSA Member Application 01/15

Membership FeesMembership Categories (descriptions on back)

General Membership: $95 (USD) plus chapter dues 2-Year: $185 (USD); 3-Year: $275 (USD); 5-Year: $440 (USD)

Government Organizational: $90 (USD) plus chapter dues

Student Membership: $30 (USD) plus chapter dues

CISO Executive Membership: $995 (USD) plus chapter dues

*Membership Category _______________________________(See above)

*Chapter(s) _______________________________________(Required within 50 miles of local chapter - list on reverse)

Referring Member & Chapter __________________________

ISSA Member Dues (on reverse) $ _______________

Chapter Dues x Years of Membership $ _______________ (on reverse)

Additional Chapter Dues $ _______________(if joining multiple chapters - optional)

Total Membership Dues $ _______________

ISSA Foundation Donation $ _______________A tax-deductible contribution, as allowed by US tax code, can be made in addition to your ISSA Membership Payment. For more infor-mation on the foundation and its programs, visit www.issaef.org.

Total (dues + ISSA Foundation) $ _______________

You may fill out the form and submit it electronically as an email attachment. You will need an email account to send it.

Submit by EMAIL to: [email protected]

ISSA Privacy Statement: The ISSA privacy statement is included in the Organization Manual, and is provided for your review at www.issa.org/?PrivacyNotice.

Print out and mail or fax form to: ISSA Headquarters

12100 Sunset Hills Road, Suite 130, Reston, VA 20190

Fax +1 (703) 435-4390Phone +1 (866) 349-5818 • www.issa.org

www.ISSAEF.org

Page 38: Promoting Public Cloud Workload Security: Why Risk ... · 33 Securing the Cloud By Barettè Mort – ISSA member, North Texas Chapter This article discusses cloud environments and

Risk Radar: Real-World Rogue AV | Ken Dunham

At-Large ............................ 25

Asia PacificChennai............................... 0 Hong Kong .......................... 0 Philippines ........................ 20 Singapore.......................... 10 Sri Lanka ........................... 10 Sydney ................................ 0 Tokyo ................................ 30 Victorian.............................. 0

Europe, Middle East & AfricaBrussels European ............ 40 Egypt ................................... 0 France ............................... 00 Irish................................. 155 Israel ................................... 0 Italy ................................... 65 Netherlands ....................... 30 Nordic ................................. 0 Poland................................. 0 Romania .............................. 0 Saudi Arabia........................ 0 Germany............................ 30 Spain................................. 60

Switzerland........................ 80 Turkey ............................... 30 UK ..................................... 0

Latin AmericaArgentina............................. 0 Barbados ........................... 25 Brasil................................... 5 Chile ................................. 30 Colombia ............................ 5Ecuador ............................... 0 Lima, Perú........................... 5 Puerto Rico ....................... 35Uruguay .............................. 0

North AmericaAlamo................................ 20 Alberta............................... 25 Amarillo ............................ 25 ArkLaTex ............................. 0 Baltimore........................... 20 Baton Rouge...................... 25 Blue Ridge......................... 25 Boise ................................. 25 Buffalo Niagara.................. 25 Capitol Of Texas ................ 35 Central Alabama .................. 0

Central Florida .................. 25 Central Indiana .................. 25 Central New York................. 0 Central Ohio ...................... 20 Central Pennsylvania......... 20 Central Plains.................... 30 Central Virginia ................. 25Charleston......................... 25 Charlotte Metro ................. 30 Chicago............................. 30 Colorado Springs .............. 25 Connecticut ....................... 20 Dayton............................... 25 Delaware Valley ................. 20 Denver............................... 25 Des Moines ....................... 30 East Tennessee ..................15 Eastern Idaho ...................... 0 Eastern Iowa ........................ 0 Fort Worth ......................... 20 Grand Rapids ...................... 0 Greater Augusta................. 25 Greater Cincinnati ............. 10 Greater Spokane ................ 20 Hampton Roads................. 30 Hawaii ............................... 20

Inland Empire .................... 20 Kansas City ....................... 20 Kentuckiana....................... 35Kern County ...................... 25 Lansing ............................. 20 Las Vegas .......................... 30 Los Angeles ...................... 20 Madison ............................ 15 Mankato ............................ 20 Melbourne, FL................... 25 Memphis ........................... 30 Metro Atlanta..................... 30 Middle Tennessee ............. 35 Milwaukee ......................... 30 Minnesota ......................... 20Montana ............................ 25 Montreal.............................. 0 Motor City ......................... 25 Mountaineer ...................... 25 National Capital................. 25 New England ..................... 20 New Hampshire ................. 20 New Jersey ........................ 20 New York Metro................. 55 North Alabama .................. 15 North Dakota ..................... 25

North Oakland ................... 25 North Texas ....................... 20 Northeast Florida............... 30 Northeast Indiana .............. 10 Northeast Ohio .................. 20 Northern New Mexico........ 20 Northern Virginia............... 25 Northwest Arkansas........... 15 Oklahoma .......................... 30 Oklahoma City................... 25 Omaha................................. 0 Orange County .................. 20 Ottawa ............................... 10 Palouse Area ..................... 30 Phoenix ............................. 30 Pittsburgh ......................... 30 Portland ............................ 30 Puget Sound ..................... 20 Quebec City......................... 0 Rainier............................... 20 Raleigh .............................. 25 Rochester .......................... 15 Sacramento Valley ............. 20 San Diego ......................... 30 San Francisco ................... 20 SC Midlands ..................... 25

Silicon Valley .................... 30South Bend, IN (Michiana) .. 25 South Florida .................... 20 South Texas ....................... 30 Southeast Arizona ............. 20 Southern Indiana ............... 20 Southern Maine................. 20 Southern Tier of NY ............. 0 St. Louis............................ 20 Tampa Bay ......................... 20 Tech Valley Of New York .... 35 Texas Gulf Coast ............... 30 Toronto .............................. 20 Tri-Cities ........................... 20 Triad of NC ........................ 25 Tucson, AZ ........................ 10 Upstate SC .......................... 0 Utah .................................. 15 Vancouver ......................... 20 Ventura, CA ....................... 30

Yorktown ........................... 30

ISSA Chapters & Annual Dues Changes/additions – visit our website – www.issa.org

ISSA Member Application 01/15

Credit Card InformationChoose one: n Visa n MasterCard n American Express

Card # ___________________________________ Exp. Date ____________

Signature ________________________________ CVV code _____________

Membership Categories and Annual DuesGeneral Membership: $95 (USD) plus chapter dues

Professionals who have as their primary responsibility information systems security in the private or public sector, or professionals who supply information systems security consulting services to the private or public sector; or IS Auditors, or IS professionals who have as one of their primary responsibilities information systems security in the private or public sector; Educators, attorneys and law enforcement officers having a vested interest in information security; or Professionals with primary responsibility for marketing or supplying security equipment or products. Multi-year mem-berships for General Members, are as follows (plus chapter dues each year): 2-Year: $185; 3-Year: $275; 5-Year: $440.

Government Organizational: $90 (USD) plus chapter dues This membership offers government agencies the opportunity to purchase membership for an em-ployee. This membership category belongs to the employer and can be transferred as reassign-ments occur. When an employee is assigned to this membership, he or she has all of the rights and privileges of a General Member.

Student Membership: $30 (USD) plus chapter duesStudent members are full-time students in an accredited institution of higher learning. This mem-bership class carries the same privileges as that of a General Member except that Student Members may not vote on Association matters or hold an office on the ISSA International Board. There is no restriction against students forming a student chapter.

CISO Executive Membership: $995 (USD) plus chapter duesThe role of information security executives continues to be defined and redefined as the integration of business and technology evolves. While these new positions gain more authority and respon-sibility, peers must form a collaborative environment to foster knowledge and influence that will help shape the profession. ISSA recognizes this need and has created the exclusive CISO Execu-tive Membership program to give executives an environment to achieve mutual success. For more information about CISO Executive Membership and required membership criteria, please visit the CISO website – http://ciso.issa.org.

Please check the following:Where would you place yourself in your career lifecycle? n Executive: CISO, senior scientist, principal or highest level in respective field n Senior: department manager or 7+ years in respective field n Mid-Career: 5-7 years with an identified field of security specialty n Entry Level: 1-5 years, generalist n Pre-Professional: Student or newcomer exploring the field

The most important aspects of my membership for the current membership term are: n Build or maintain professional relationships with peers n Keep up on developments and solutions in cybersecurity, risk or privacy n Establish a professional development strategy to achieve my individual career goals n Increase my personal visibility and stature within the profession n Share my knowledge and expertise to advance the field n Develop the next generation of cybersecurity professionals n Earn CPEs/CPUs to maintain certifications or credentials n Access to products, resources and learning opportunities to enhance job performance n Problem solving or unbiased recommendations for products and services from peers n Gain leadership experience n All n None

Most challenging information security issue? n Governance, risk and compliance n Securing the mobile workforce and addressing consumerization n Data protection n Application security n Security and third party vendors n Security awareness n Threat updates n Legal and regulatory trends n Endpoint security n Incident response n Strategy and architecture n All n None

Which business skills would be most valuable for your professional growth? n Presenting the business case for information security n Psychology behind effective security awareness training n Budgeting and financial management n Business forecasting and planning n Management and supervisory skills n Legal knowledge n Presentation skills n Negotiation skills n Written and verbal communications n All n None

West Texas ........................ 30

Page 39: Promoting Public Cloud Workload Security: Why Risk ... · 33 Securing the Cloud By Barettè Mort – ISSA member, North Texas Chapter This article discusses cloud environments and

ty controls by keeping documents up-to-date, capturing metrics, conducting analysis, and providing reporting status [7]. Applying the concept of defense in depth yields a multilayered defense that supports the protection, detection, and reaction capabilities of the system's mitigation efforts. This strategy places diverse security methodologies and tactics into the system at every possible level, so that if one layer succumbs to attack, the next layer still provides a defense. "The goal is to place enough defensive measure between our truly important assets and the attacker so that we will both notice that an attack is in progress and also buy ourselves enough time to take more active measures to prevent the attack from succeeding" [1].

Conclusion

The model of cloud computing is still evolving, and its standards are still being defined. Some challenges remain unknown in this early stage of cloud computing, but in the face of challenge there is opportunity. The attractiveness and accessibility of the cloud demand attention, and while still in its infancy it is being widely embraced. With all of that attention, it also becomes a target. The vulnerabilities of the systems and the persistence of attackers will keep the challenges of cloud computing alive. As progress is made across many areas of cloud computing, research and investigation indicate that cloud security concerns are addressed by implementing sound security measures. Users are advised to prepare a security plan for cloud computing even if they are hesitant to embrace it.

References

1. Andress, Jason. The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. Syngress, June 2011.

2. Badger, Lee, Bohn, Robert, Chu, Shilong, Hogan, Mike, Liu, Fang, Kaufmann, Viktor, Mao, Jian, Messina, John, Mills, Kevin, Sokol, Annie, Tong, Jin, Whiteside, Fred, Leaf, Dawn, 2010. US Government Cloud Computing Technology Roadmap, Volume II, Release 1.0, NIST SP 500-293, November 2011 – http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf.

3. Brumfield, Janet. Verizon 2015 Data Breach Investigations Report, Verizon, April 2015 – http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/.

4. Burr, William E., Dodson, Donna F., Polk, W. Timothy. Electronic Authentication Guideline, NIST SP 800-63, April 2006 – http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf [updated version http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf].

5. Catlett, C. Cloud Computing and Big Data. IOS Press, 2013.

6. Cloud Standards Customer Council, November 2014 – http://www.cloud-council.org/CSCC-Cloud-Interoperability-and-Portability.pdf.

7. Computer Security Division, Computer Security Resource Center, Risk Management Framework Overview, NIST, April 2014 – http://csrc.nist.gov/groups/SMA/fisma/framework.html.

8. Erl, Thomas, Mahmood, Zaigham, Puttini, Ricardo. Cloud Computing: Concepts, Technology and Architecture, Prentice Hall, 2014.

9. Fennelly, Lawrence J., Effective Physical Security, 4th Edition. Butterworth-Heinemann, November 2012.

10. Grobauer, Bernd, Walloschek, Tobias and Stöcker, Elmar. Understanding Cloud Computing Vulnerabilities, InfoQueue, August 2011 – http://www.infoq.com/articles/ieee-cloud-computing-vulnerabilities.

11. Halpert, Ben. Auditing Cloud Computing: A Security and Privacy Guide, John Wiley and Sons, 2011.

12. Hwang, Kai, Fox, Gregory C., Dongarra, Jack J., Distributed and Cloud Computing, Morgan Kaufmann, December 2013.

13. IBM developerWorks – http://www.ibm.com/developerworks/cloud/library/cl-hypervisorcompare/.

14. Kerner, Sean M., "Scrubbing Data a Concern in Digital Ocean Cloud," eWeek, January 2014 – http://www.eweek.com/cloud/scrubbing-data-a-concern-in-the-digital-ocean-cloud.html.

15. NIST Cloud Computing Standards Roadmap Working Group. NIST Cloud Computing Standards Roadmap, NIST SP 500-291, July 2013 – http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf.

16. Sheikh, Shah. A Holistic Security Approach to Cloud Computing, ISACA, 2013 – http://www.isaca.org/Journal/archives/2013/Volume-5/Pages/JOnline-Does-Your-Cloud-Have-a-Secure-Lining.aspx.

17. Talia, Domenico, Trunfio, Paolo, Marozzo, Fabrizio. Data Analysis in the Cloud: Models, Techniques and Applications, Elsevier, 2015.

18. Zamora, Edward. "Cloud Testing Methodology," SANS, July 2015 – https://www.sans.org/reading-room/whitepapers/testing/cloud-assessment-survival-guide-36427.

About the Author

Barettè Mort is a security professional with Raytheon. She has worked in the industries of finance, web development, consulting, and defense. She holds a Master's degree in Systems Engineering from George Washington University, and a Bachelor of Science degree in Computer Science from the University of Southern Mississippi. Barettè can be reached at [email protected].


They’re everywhere.

Cyber threats. Minsk. Karachi. Marseille. Beijing. Not to mention Mayberry RFD.

In all guises. Crime syndicates. Clandestine agencies. Pimply adolescent psycho-prodigies.

The only thing anyone knows for sure is: you're here. And that's where airtight, buck-stops-now security has to happen. That's what we're uniquely about. Distilling the global complexities of cybersecurity down to your city, your network, your shot at a decent night's sleep.

How do you consult, collaborate and kvetch with like-minded area companies?

SecureWorld connects you to all the players in your local cybersecurity community, giving you access to practitioners, thought leaders, and vendors who come to you.

Let’s talk.

In this world, too close for comfort is a contradiction in terms.

SecureWorld. See globally. Defend locally.

SECUREWORLD 2016

CHARLOTTE: Feb 11
BOSTON: Mar 29 - 30
PHILADELPHIA: Apr 20 - 21
KANSAS CITY: May 4
HOUSTON: May 11
ATLANTA: Jun 1 - 2
PORTLAND: Jun 9
CINCINNATI: Sep 8
DETROIT: Sep 14 - 15
DALLAS: Sep 27 - 28
DENVER: Oct 5 - 6
ST. LOUIS: Oct 18 - 19
BAY AREA: Oct 27
SEATTLE: Nov 9 - 10

www.secureworldexpo.com

Connecting you to larger forums, articles and gatherings to shape the conversation. Visit us today at www.secureworldexpo.com to sign up for exclusive web conferences and subscribe to the SecureWorld Post.

Shaping the Conversation

Cybersecurity Conferences
