Thursday, November 4, 2010
Understanding Risk Management Approaches in the Cloud Computing Service Model
Thursday, October 14, 2010
Cloud Computing Pervades ASIS Atmosphere
October 14, 2010
Thursday, September 30, 2010
Careers Need Aspiration.
Source: Info Security Magazine, the publication of (ISC)2, September 2010.
Introduction
If you work and network with leaders who have nurtured your growth, then you aspire to greater things and likely provide support to others. Solid leadership highlights the difference between showing up each day for a job and participating in a career.
We are reliant on appropriate, effective security to protect the lives and well-being of people, assets, and information. Understanding the subtleties of securing systems with both physical and virtual elements adds great value to an organization’s security posture.
We each aspire to different goals, competencies, and positions. To what do you aspire? Your future starts now.
Shayne Bates.
Friday, August 6, 2010
Assessing Risk in the Cloud
Source: Security Buyer Magazine
Introduction
Global adoption of Cloud Computing and Software-as-a-Service (SaaS) is accelerating, forcing businesses that want to remain competitive to evaluate how SaaS can be put to work for them. To complete such a measured analysis, enterprises must carefully weigh the relevant risks alongside SaaS’s many benefits.
Users Moving Sensitive Applications to the Cloud
I recently blogged a case study describing how a large county in the US moved several sensitive applications to the cloud and the decision-making process involved (“Real World Risk Management and the Business Value of SaaS”, http://www.cyber-crime.biz).
For this county, both data and applications are hosted offsite and include patient care, human resources, crime reporting, credit card compliance and security team services. One conclusion we reached with them: by distributing applications and data among several independent vendors, the risk of a catastrophic failure of all applications at once was significantly lower than the risk of failure of their own single data center.
What’s My Real Level of Security?
The other key point from this case study is the divide, often very real, between required levels of security and an organization’s actual security posture. Our recommendation: the county’s actual security could be significantly improved by contracting a third party committed to a higher standard of security.
Evaluating Risk
In the case discussed above, the county was reaping substantial, measurable benefits from moving to the cloud. But is that where it ends? How does an organization determine its risks when evaluating whether to move physical security and business applications to the cloud?
ASIS International (www.asisonline.org), the Cloud Security Alliance (www.cloudsecurityalliance.org) and the European Network and Information Security Agency (http://www.enisa.europa.eu) provide valuable answers to this question. ENISA’s document titled “Cloud Computing: Benefits, risks and recommendations for information security” is a useful guideline for evaluating risk likelihood and impact. Some 35 risks are covered, spanning policy and organizational, technical and legal categories.
Technical Risks
To gain a comprehensive understanding of these risks, read the full report. Roughly a quarter of the identified risks are rated as the most significant; briefly, they are:
- Loss of Governance (lessened security controls affecting confidentiality, integrity and availability, and subsequent compliance challenges)
- Compliance Challenges (lack of evidence that compliance requirements will be met, and the resulting need for an independent audit)
- Changes of Jurisdiction (unpredictable or autocratic legal frameworks in other jurisdictions may place data at risk of disclosure)
- Data Protection (lawful handling, collection and storage of data)
- Network Management (congestion, mis-connection and non-optimal use)
- Isolation Failure (failure of the mechanisms separating tenants’ storage, memory and routing)
- Malicious Insider (system administrators, auditors and managed security service providers)
- Management Interface Compromise (remote administrative interfaces expose the infrastructure to manipulation and to availability attacks)
- Insecure or ineffective deletion of data (data a customer has asked to be deleted remains recoverable, for example on shared or reused storage media)
Evaluation and Process Risks
In addition to the technical risks outlined above, several other factors should be considered when evaluating the project and developing a business case to manage the risks that might affect it. Those factors include:
- Business Case
Evaluate and document the financial and organizational benefits.
- Risk Appetite
Decide your organization’s risk appetite. Which risks are non-negotiable? (e.g. mandatory compliance)
Meet with business unit heads and discuss, in business terms, the risks and their position relative to business benefit.
- Good Advice
Ensure that you receive competent counsel. Don’t assume that all IT and security staff will be conversant with the risks process for cloud technology.
Review the certifications of technical staff. For example, the Cloud Security Alliance recently announced the world’s first user certification for cloud security knowledge, the Certificate of Cloud Security Knowledge (CCSK), available from September 2010.
Utilize the tools provided by CSA and ENISA
- Evaluate Potential Cloud Vendors
Can you measure the quality?
Do they have their own audits, which conform to a standard, and will they share control measures and audit results?
Are their staff subject to background checks?
Who has access to your data and where will it reside?
What is the degree of “fit” with your written performance and security requirements?
Does a service level agreement adequately describe what is being delivered?
Some cloud vendors are willing to describe their assurance process; see the article by Brivo Systems’ John Sczygiel at http://blog.brivo.com/bid/40112/Do-You-Trust-Your-Cloud
- Contract
Your bargaining power may be limited depending on the size and duration of your requirements, and whether the application is a custom or a commercial SaaS offering.
What are you getting?
Is the service adequately described or does it leave room for assumptions?
Are there any special requirements (e.g. availability of system log reports needed to meet a compliance requirement)?
Document the risks and who is responsible for specific performance requirements, especially if the impact on the enterprise could be significant.
Notification and Remedies
Consider the escalation process if things do go wrong.
What is your recourse to seek performance?
If there is the potential for legal action, what form will it take and in which jurisdiction will it occur?
Ensure exit clauses cover ownership and extraction of your data. For sophisticated applications, the format you receive data in should be thought through in advance.
In Conclusion: Balance
There are many ways to manage risk. The key word is manage; meaning, to make informed, conscious decisions about the value received, compared to what is presently being attained.
The business benefits of SaaS and Cloud solutions can be maximized by forming a project team of appropriately skilled staff and/or consultants with knowledge of the source material outlined above. Using this team to engage the relevant business stakeholders in a meaningful risk decision-making process prepares the organization for a relevant, targeted evaluation of vendors. In so doing, you will obtain accurate specifics about the service offering and the business benefits received.
- Shayne Bates
Thursday, July 15, 2010
Real World Risk Management and the Business Value of SaaS
Source: http://blog.brivo.com/bid/39552/Real-World-Risk-Management-and-the-Business-Value-of-SaaS
This week, Brivo hosted an Executive Roundtable to better understand customer considerations when they choose the cloud to host business applications. A select group of participants attended, representing a broad mix of DC-area IT and physical security consultants who work with various federal and commercial clients.
SaaS Case Study
We met with decision makers from the Montgomery County (MD) government, Brivo’s home county, who shared their reasons for moving a large portion of their departments’ business applications to SaaS.
What Type of Applications?
Some of Montgomery County’s SaaS applications include:
- Electronic patient care
- Human resources (for hiring and reviews)
- Crime reporting
- PCI (Credit card)
- Security team services
Scrutiny
It was interesting to hear about the reality of decision making around risk and compliance when using a technology strategy as a lever to achieve business goals.
Cloud technologies that offer different ways to support business and serve customers invariably receive close scrutiny, especially the application list above, because large amounts of personal data must be protected while complying with a wide array of important privacy and compliance laws.
The Montgomery County case study fueled much conversation, particularly in regard to mechanisms to protect sensitive customer data and the associated risks in doing so.
Business Reasons for SaaS
Technology and cost are not the only reasons to use SaaS. In Montgomery County’s case, a mix of business, financial, and security reasons drove their decision to outsource applications to a SaaS provider:
- Lower total cost of ownership
- Speed of implementation
- Reduction or elimination of capital expenditure
- Shared risk by the provider
- Disaster recovery and high availability
- Equal or better attainable security
Raising the Bar on Security
Smart practitioners who understand and identify real-world enterprise risk know that there is frequently a gap between prescribed levels of security and the actual security posture. So how does a county close gaps during a time of budget pressures and declining tax revenues without sacrificing institutional knowledge?
Superior Performance for the Dollar
SaaS technology offered Montgomery County a way to better mitigate risk while significantly reducing capital expenses. Maintenance fees previously paid from the operating budget now fund SaaS subscriptions for applications that deliver modern IT-related services to the county and better meet the expectations of businesses and residents. In addition, the SaaS solutions freed the County’s security staff from managing hardware and applications to focus on providing better services to their internal and external constituents.
Friday, June 11, 2010
Which currency will you trade with in the Cloud? (Full Version)
When you want to gain access to a system and a security credential is required, do you rummage through a spreadsheet of passwords, or fumble for one of several keys like a traditional jailer? For manufacturers, there are many choices when implementing security during design. For example, will the security credential be contained on tangible media, such as an identity smartcard, or will it be purely electronic, as most banks use for online banking today?
Although many articles have been written about the volume of passwords in use and the security mechanisms the average person now relies on, how do you know whether such safeguards are trustworthy, let alone whether this information is kept private yet readily available? (For manufacturers looking to increase ROI: some organizations expend over 50% of their technical support resources on password management for users!)
Most vendors of technology today do not offer a choice of security mechanisms. This is because, among other things, there is still a lack of real support for the adoption of standards. This is beginning to change and we’ll discuss more about this in future editions.
For now, imagine that you can have your own individually-chosen identity credential, one that you trust, possibly pay for, and can keep a record of its use to access multiple sites and services.
Imagine using this security credential for email, banking, and physical security devices. Would life be simpler? Although most online vendors today issue users their own identities, often a simple password attached to an email address, we all know the limited security that such rudimentary tools offer, and why this proposition has little appeal if it is known to be insecure.
Think of an identity like a currency. Unless the currency has ongoing strength and its value is effectively defended against counterfeiting and other problems, it will at some point become useless. That’s the problem many banks have today: their currencies (card numbers and passwords) become useless quickly because they cannot defend their value and identities are easily assumed by others. Additionally, the overheads associated with the cost of “currency” management and replacement are indirectly passed on to the cardholder.
Some may argue that currencies fluctuate, as do privileges on well-managed systems, but the core idea here is around sustained value and a recognizable standard that many can adopt.
If online identities are like currencies today, then almost every cloud provider is a nation and can create its own currency when it issues usernames and passwords. So how can we trade these thousands of currencies and still be assured that each other’s currencies are not counterfeit, or worthless?
Once you grasp the concept, there are several possibilities. Unified groups of currencies (like the Euro) that can be regulated and defended are one contender. Another is the notion of validating the currencies and other financial instruments that may be traded, while discarding those that cannot.
Whether you favor the free market, regulation, or a combination of both, all of these approaches work. The presently unfolding debate on the financial sector, around a mix of sound regulation and the free market, pays homage to these ideas.
In the US, the Federal Government, the world’s largest user of a unique and secure identity currency (the PIV smartcard specified by FIPS 201, often simply called the FIPS card), is assembling a strategy around where and how its identity currency can be traded to enable commerce in the cloud.
The Federal Government’s position, found at www.idmanagement.gov, is this: “…the goal is a consolidated approach for all government-wide identity, credential and access management activities to ensure alignment, clarity, and interoperability.”
It is a clear message that demonstrates strong leadership: “Here is our currency, it’s secure, we will defend it, and we are looking for trading partners”. Who wants to ignore an opportunity like that?
This approach demonstrates that the Federal Government is seeking input from those who recognize the value of an enterprise identity management system.
See cloud vendor Brivo Systems’ White Paper "SaaS and the Efficient Realization of FICAM Goals" here (abbreviated URL). Brivo’s physical security framework can be implemented to allow use of the Federal Smartcard, and can also check its validity against an online cache to ensure that the card has not been revoked.
Contenders supporting authentication against an external source include, but are not limited to, OpenID and OASIS with its Security Assertion Markup Language (SAML).
OpenID participant companies include AOL, BBC, Facebook, Google, IBM, Microsoft, MySpace, Orange, PayPal, VeriSign, LiveJournal, Yandex, Ustream and Yahoo!
The SAML idea has been around since 2001, so it is not new, and the single most important problem SAML is trying to solve is Web Browser Single Sign-On (SSO). The focus is to overcome the proliferation of non-interoperable proprietary technologies, and the model assumes that the user has enrolled with at least one identity provider, whose signed assertions the relying service then trusts.
What will identity, credentialing and access management look like in the future? Is the overall cost of issuing credentials that are less than optimal and proprietary really sustainable? Can online commerce keep growing efficiently on thousands of separate, incompatible password systems?
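In the currency metaphor, accepting a SAML assertion is the moment a relying service decides whether another "nation's" currency is genuine. The following is an added example, not code from the original article or from any vendor named in it, showing the checks a service provider performs on a SAML 2.0 assertion once the identity provider's XML signature has been verified: trusted issuer, audience, validity window, recipient, InResponseTo, and single use. Signature verification itself needs an XML-DSig library (xmlsec, for instance) and is deliberately out of scope here. The entity IDs, ACS URL and the sample assertion are all constructed for illustration.

```python
"""Service-provider checks on a SAML 2.0 assertion (added example).

Assumes the assertion's XML signature has ALREADY been verified against the
IdP's known certificate; nothing below may be trusted before that step.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(minutes=2)  # tolerated IdP/SP clock difference


def _ts(value):
    """Parse a SAML xs:dateTime such as 2010-06-11T12:00:00Z into aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_bytes, sp_entity_id, trusted_issuer, acs_url,
                       outstanding_requests, seen_assertion_ids, now):
    """Return (accepted, subject, reasons).

    outstanding_requests: AuthnRequest IDs this SP issued and has not consumed.
    seen_assertion_ids: assertion IDs already accepted (replay cache).
    Both sets are updated only when the assertion is accepted.
    """
    reasons = []
    root = ET.fromstring(xml_bytes)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find("saml:Assertion", NS)
    if assertion is None:
        return False, None, ["no Assertion element"]

    # 1. Only the identity provider we federate with may vouch for users.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        reasons.append("untrusted issuer %r" % issuer)

    # 2. The assertion must be addressed to us, not to some other SP.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        reasons.append("audience restriction does not include this SP")

    # 3. Validity window, with a small tolerance for clock skew.
    cond = assertion.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None
    if nb and now < _ts(nb) - SKEW:
        reasons.append("assertion not yet valid")
    if noa is None or now >= _ts(noa) + SKEW:
        reasons.append("assertion expired or has no NotOnOrAfter")

    # 4. Bearer confirmation: Recipient must be our ACS endpoint and the
    #    assertion must answer a request we really sent (stops injected assertions).
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        reasons.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            reasons.append("recipient mismatch")
        if scd.get("InResponseTo") not in outstanding_requests:
            reasons.append("InResponseTo does not match an outstanding request")
        scd_noa = scd.get("NotOnOrAfter")
        if scd_noa and now >= _ts(scd_noa) + SKEW:
            reasons.append("subject confirmation expired")

    # 5. Each assertion is accepted once; a replayed ID is rejected.
    aid = assertion.get("ID")
    if not aid or aid in seen_assertion_ids:
        reasons.append("missing or replayed assertion ID")

    if reasons:
        return False, None, reasons
    seen_assertion_ids.add(aid)
    outstanding_requests.discard(scd.get("InResponseTo"))
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return True, subject.strip(), []


# Constructed sample assertion (hypothetical IdP and SP; not captured from a real system).
SAMPLE = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2010-06-11T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2010-06-11T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-06-11T11:59:00Z" NotOnOrAfter="2010-06-11T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SP, IDP, ACS = "https://sp.example.com", "https://idp.example.org/idp", "https://sp.example.com/saml/acs"


def demo():
    """Accept the sample once, then show that replaying it is refused."""
    now = _ts("2010-06-11T12:01:00Z")
    outstanding, seen = {"_req42"}, set()
    first = validate_assertion(SAMPLE, SP, IDP, ACS, outstanding, seen, now)
    replay = validate_assertion(SAMPLE, SP, IDP, ACS, outstanding, seen, now)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The replay cache and the InResponseTo set are the parts most often skipped in home-grown SP code; without them a captured assertion remains good currency for as long as its NotOnOrAfter allows.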
The identity train is coming, if you don’t feel the tracks shaking, you soon will.
Published in the International Security Buyers Guide June 2010
Friday, May 14, 2010
Which currency will you trade with in the Cloud? (Abbreviated)
When you want to access a system, which identity is acceptable to use? Can you bring your own from elsewhere? Most online vendors today issue users their own identities – a simple password attached to their email address. I don’t have to elaborate on the weak security that such rudimentary tools offer.
Think of an identity as being like a currency. Unless the currency has ongoing strength and can have its value defended against counterfeiting and other problems, it will, at some point become useless. That’s the problem that many banks have today – their currencies (card numbers and passwords) become useless quickly – because they cannot defend their value, and identities are easily assumed by others. Additionally, all of the overheads associated with the cost of management and replacement, are indirectly passed on to the cardholder.
If online identities are like currencies, every cloud provider is a nation and can create its own currency. So how can these thousands of currencies trade together and be assured that each other’s currencies are not counterfeit, or worthless?
Once you grasp the concept, there are several possibilities; the idea of unified groups of currencies (like the Euro) that can be regulated and defended is a contender. As is the notion of validating currencies and other financial instruments that may be traded, while discarding those that cannot.
Whether you favor the free market or regulation, either approach works. Presently unfolding events in the financial sector, around a mix of sound regulation and the free market, pay homage to these ideas.
The Federal Government, the world’s largest user of a unique and secure identity currency (called a FIPS card), is assembling a strategy around where and how its identity currency can be traded to enable commerce in the cloud.
What will identity, credentialing and access management look like in the future? Will tens of thousands of unique password systems power commerce without tangling the growth ?
The Federal Government quote, found at www.idmanagement.gov is this: “the goal is a consolidated approach for all government-wide identity, credential and access management activities to ensure alignment, clarity, and interoperability.”
It is a clear message that demonstrates strong leadership: “here is our currency, it’s secure, we will defend it, and we are looking for trading partners.” Who wants to ignore an opportunity like that?
The identity train is coming, if you don’t feel the tracks shaking, you soon will.
Friday, April 23, 2010
Cloud Computing and Software as a Service - An Overview for Security Professionals
Here is an excerpt from the introduction:
"The traditional electronic security industry, whose origins are rooted in the burglar alarm, is now moving very rapidly toward more complex networked systems and information management. Much discussion has occurred about the role of IT and physical security and the need to work closely together to manage and deliver efficient and risk appropriate security systems for the benefit of organizations. Much of this discussion has occurred around the developing framework for enterprise security risk management and convergence."
Link: Cloud Computing and Software as a Service. An Overview for Security Professionals
Source: ASIS International
Friday, April 16, 2010
Can Security Management Applications Become On-Demand Business Systems?
Shared infrastructure is already commonplace
We live in a converging world where voice, telephony, business applications, and security traffic now move up and down the same communications infrastructure within organizations. While this may come as no revelation, there was a time not long ago when the very notion of using a shared resource to move security traffic was met with many objections from IT and Security personnel alike. Issues related to bandwidth, availability, and service are all items that have required discussion, definition, and consensus for organizations to unite systems and deliver solutions that meet the many technical needs of an enterprise security system.
Sharing an organization’s infrastructure is not free
While some organizations are convinced that owning and controlling their entire IT infrastructure and the applications is the most efficient approach for their business, recent research from the Yankee Group, Gartner, and others suggests otherwise when compared to adopting a Software as a Service (SaaS) model.
Because many organizations’ security systems now have the associated servers and applications managed by IT, the cost for management is regularly apportioned, taking into account the cost of software maintenance, servers, and the personnel who maintain them, as well as the shared overhead of the infrastructure.
As IT costs continue to escalate, organizations review what is “non core,” what makes sense to outsource, and what is strategic to the business mission to buy and manage.
Raising the bar: does the dedicated expertise of SaaS translate to high availability and less risk?
For organizations considering outsourcing business applications, the savings available using SaaS are compelling, because of the economies of scale that SaaS providers use to deliver the best value for the budget. Expert SaaS providers with larger infrastructures now deliver not only what the corporate data center did, but with a specialty focus and greater attention to redundancy and availability.
When organizations consider all costs associated with purchasing, maintaining, and upgrading applications, SaaS is a compelling choice because the core application, infrastructure, and maintenance are all outsourced. But who owns the actual application and the cost to purchase and regularly upgrade it?
This aspect of the total cost of ownership is worth examining. The customer owns what is most valuable to them—the data—but is not shackled with the cost of owning and maintaining the application, as is the case when self managed at a corporate data center.
Therefore, the overall cost of ownership is significantly reduced because it is shared across the entire user community, and delivered as an “on demand” subscription service. This model is like a utility service; you pay only for what you use, without owning the core infrastructure.
The flavor of SaaS is important
With mature SaaS applications, all users collectively, across many organizations, utilize the same application while enjoying separate data. Note the word mature. This is a flag for those considering SaaS. If you are offered a “separate instance,” in effect, you get a “standalone version.” In many ways, this replicates the corporate data center model and does not have the same cost benefits that a true, multi-tenant SaaS application offers. Multi-tenant design is at the heart of, and the very principle of mature SaaS software.
Compare paradigms
Table one looks at the phases of the security system lifecycle and compares company hosted to the cloud-based SaaS model. In addition to the comparison, it lists eight points to consider when comparing self-hosted to cloud-hosted SaaS.
Table One: SaaS Ownership Analysis