Cloud 2.0 – Built on security refinements from cloud technologies

In the world of technology, paradigms shift quickly.  Not long ago, we focused organizational security efforts on the perimeter of the network.  We assumed that systems would be secure if we could just keep the bad guys outside of the trusted network.  Phishing and malware, however, among other things, proved this to be a false assumption – perimeter defense alone would not be enough. 

Responses to this often included efforts to seize control of information assets.  Control implied security.   When the cloud stepped onto the stage, lack of organizational control stood out as a primary barrier to adoption. 

I am by no means diminishing the role control has in securing information, but control wasn’t really the issue with reluctance to cloud adoption.  The cloud has actually gone a long way in securing systems on-premise and in the cloud.  When key systems were decoupled from the perceived safety of the corporate network, secure methods of transmitting data between them had to be developed. Such methods also had to be easy for enterprises to adopt. 

We realized that we might not want our cloud vendors to have access to back-end data so we encrypted the data and distributed keys such that cloud providers could not access the data they hosted.  Robust APIs were created to integrate systems while providing only the minimum required service access.  Likewise, communications between system components such as databases and web services were also encrypted. 

The cloud offered a perception of insecurity that prompted a positive change in organizational security architectures, but a key fact here is that many of the organizational systems that moved to the cloud were not secure to begin with.  They only became secure as they adopted secure practices.   The risks that were present in moving applications as they were to the cloud were already present in the application architectures.  Shortcuts like advertising services and ports, allowing back-end components to communicate unrestricted, and giving IT the keys to the kingdom, may have been overlooked in the organization but they were clearly a bad practice in the cloud. 

The cloud gave us the chance to re-architect the monolithic technology systems that had evolved over decades of growth and in response to the immediate threats of the era. These were replaced with scalable virtual servers that were flexible yet specialized and hardened.  Cloud systems also offered effective ways to plug in best-of-breed security technologies such as application whitelisting, monitoring and control, identity and access management (IAM), data loss prevention (DLP), and robust anti-exploit anomaly detection to combat the latest Advanced Persistent Threat (APT).  

Some are still adopting these practices while others are taking it to the next level.  The cloud made us realize how big the gap was and now it is time to serve the attackers an eviction notice.  We can’t assume in our virtualized cloud environments that administrators or vendors will implement adequate malware protection on virtual machines, nor should we compromise with solutions that can only see a piece of the puzzle when technologies like hypervisor introspection analyze virtual machines at the hypervisor level. 

It is time to tell the bots and the ransomware that they are not welcome here anymore.  The attackers have improved their tactics, but so have security partners.  We can now collectively say, “We confronted our fear in the cloud and emerged stronger.” 

As always, thoughts and ideas are my own. This insight wouldn’t be possible without the help of my associates at Bitdefender.

Securing Hybrid IT the Right Way

The average company today is a hybrid collection of traditional on-premise and cloud-based IT solutions.  On-premise solutions may include identity and authorization servers, custom applications, packaged applications, and local data repositories. Cloud services fulfill a wide variety of business tasks such as document sharing, group collaboration, customer relationship management, payment processing, marketing, and communication.  This combination of on-premise and cloud services is called Hybrid IT.

On-premise applications require equipment purchases, software deployment, and user training but cloud services can be purchased with a credit card and used almost immediately.  As a result, the same rigor in assessing the business need, risk, and other factors is not often conducted with adopting cloud applications.

Getting up to speed

Hybrid IT can be difficult to manage when different users who may or may not be tech savvy utilize cloud systems in whatever way they deem best for the situation.  Many organizations are in a hybrid IT situation now that was somewhat unplanned for.  Follow these steps to get up to speed.

  1. Identify the cloud solutions in place.
  2. Determine if it is feasible to continue using the solutions.
  3. Transfer administrative credentials to IT.
  4. Create an approved application list.
  5. Enforce restrictions through network and endpoint controls on which cloud services can be utilized for organizational data.
  6. Standardize security controls on systems including those in organizational private clouds.
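Steps 1, 4 and 5 can be supported with web proxy logs. The following is an added example, not code from the original article: it compares constructed log lines against a hypothetical approved application list and summarises traffic to everything else. The log format, domain names and function names are assumptions.

```python
"""Added example: list cloud services seen in proxy logs that are not approved."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical approved application list (step 4). Domains are placeholders.
APPROVED_DOMAINS = {"crm.example.com", "files.example.net"}
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed proxy log, assumed format: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2015-03-02T09:14:07Z alice POST https://files.example.net/upload 52341
2015-03-02T09:15:44Z bob POST https://share.example.org/api/upload 9123456
2015-03-02T09:16:02Z bob GET https://share.example.org/home 310
2015-03-02T09:20:31Z carol POST https://eu.crm.example.com/leads 2048
2015-03-02T09:22:10Z dave PUT https://files.example.net.example.io/put 77000
truncated line
"""


def is_approved(host, approved=APPROVED_DOMAINS):
    """Match the host or any subdomain of an approved domain, on label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)


def parse_line(line):
    """Return a record dict, or None when the line does not fit the format."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    host = urlsplit(parts[3]).hostname
    if host is None:
        return None
    return {"user": parts[1], "method": parts[2], "host": host, "bytes": int(parts[4])}


def unapproved_usage(log_text):
    """Summarise traffic to hosts that are not on the approved list."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_uploaded": 0})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparsed lines so gaps in coverage are visible
            continue
        if is_approved(rec["host"]):
            continue
        entry = report[rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["bytes_uploaded"] += rec["bytes"]
    return dict(report), skipped


if __name__ == "__main__":
    findings, unparsed = unapproved_usage(SAMPLE_LOG)
    for host, info in sorted(findings.items(), key=lambda kv: -kv[1]["bytes_uploaded"]):
        print(host, sorted(info["users"]), info["requests"], info["bytes_uploaded"])
    print("unparsed lines:", unparsed)
```

The label-boundary match matters: a host that merely contains an approved domain as a substring is still reported as unapproved.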

Identify a security solutions provider that can deploy consistent security onto your on-premise equipment, private clouds, and other assets. For example, Bitdefender delivers solutions that have solved the technical challenges of Advanced Persistent Threats (APT) and zero-day exploits.  These same solutions meet the increasingly stringent compliance requirements and give datacenter owners the ability to know what they don’t know, and act on information from below the operating system.

Maintaining control

The most frequently cited risk in hybrid IT is the potential for a lack of organizational control over customer, employee, and business data.  Without effective endpoint and network security controls, a single user may adopt a cloud platform using their personal email address. They can then load organizational data to it and leave the organization.  At this point, his or her successor tries to assume control over the system but realizes that they have no ability to do so.

Organizations need to strike a balance between agility and administration.  There needs to be a level of control over which cloud applications are used for business purposes, but the process for evaluating and approving applications needs to be able to keep pace with today’s fast-paced business. See the suggested steps below.

  1. Establish a procedure for requesting a cloud application.
  2. Create a semi-automated workflow from the procedure.
  3. Establish a cross-functional approval group that will respond to requests through the workflow.
  4. Educate employees on the process.

Risk mitigation

Hybrid solutions are often user or department initiated with little or no involvement of the IT department or those responsible for security within the organization.  Cloud applications may change the organizational risk profile, but the business as a whole is not often aware of this change in risk and therefore cannot evaluate whether actions are required to reduce the risk to an acceptable level. One good way for data center administrators to be as informed as possible about risks is to deploy solutions such as Hypervisor Introspection which can evaluate security independent of the virtual machine and analyze system memory at the hypervisor level.  This ensures consistent security management and awareness even when users or administrators deploy non-standard virtual machines.

From there, a combination of endpoint and network controls such as software restrictions on agents on user machines and traffic filtering on the network can be used to restrict access to unapproved cloud services and applications.  This way, users will be required to utilize the process to request applications.

Next, using the workflow developed earlier, users can take the information collected on the approved cloud applications and services and compile it into a report for risk management.  The entire process of creating this document can be automated in the workflow.  The cross-functional approval team should have included someone from risk management but this portion of the process involves a more in-depth review of the hybrid IT portfolio of applications against the organizational risk tolerance threshold.  Risk management can then make recommendations to ensure that risk is kept to acceptable levels.

Reducing attack surface

In some cases, a cloud application is adopted by a user or department when another cloud application has already been adopted to satisfy the same need.  Redundant cloud services increase management costs as well as the attack surface because they create additional potential avenues for attackers to obtain access to organizational data or systems.

  1. Determine which cloud service offers the greatest fit for the organization.
  2. Train users of the redundant service on how to use the preferred one.
  3. Transfer data from one service to the other.
  4. Terminate the redundant service.

Hybrid IT offers organizations an excellent way to augment existing on-premise IT offerings with cutting-edge cloud services.  However, it can also be a nightmare if not managed properly.  Some companies are in a precarious security position. Yet, the problem is not insurmountable.  With some planning, automation, discipline and the right mix of endpoint and network security controls, organizations can deploy and manage hybrid IT so that attack surfaces, cloud costs, and management time and efforts are minimized.


No compromise with the hybrid cloud

This statement may be familiar to many who have considered cloud services and it was both the start and end to many cloud discussions.

What is most important to you, cloud security and service customization or flexibility and cost?

Those who picked security and service customization adopted a private cloud model and those who picked flexibility and cost chose a public cloud model. Those that couldn’t choose continued using traditional IT to solve today’s problems and they had a tough time of it.

The good news is that you don’t have to make that choice anymore. Security, service customization, flexibility, and cost objectives can each be met through a merger of public and private cloud approaches in the hybrid cloud. To understand how this works, let’s briefly explore both prior models and then compare them to the hybrid cloud.

Security in public and private clouds

Organizations have more control over data and services when using a private cloud. This control allows for cloud services to be tailored to the company’s security strategy to better protect the data including security controls, and procedures necessary to meet compliance requirements. Along with greater control is increased visibility into the system for easier management and incident response. For example, computer forensic or investigative work can be streamlined as no third party limits access to the data or logs and the organization can collect evidence directly, resulting in a clearer chain of custody. Public clouds offer less visibility and control, making it harder to enforce security requirements, perform investigations, collaborate on incident response and notify customers quickly about data breaches. They have received the most criticism for their ability to securely protect data, especially in regulated businesses that must meet compliance requirements.

Private clouds may be shared among business units but they are not shared between unknown entities as is common in public cloud offerings. This reduces the chance that a successful exploit of a neighboring cloud system will impact organizational systems. However, public clouds are by nature targets because they are visible, well-known repositories of data. Attackers may not know what data resides in a public cloud or whether it is worth their effort to attack but public clouds hold so much data that they make a tempting target for attackers. By placing data in a public cloud, consumers are no longer a target of opportunity, they are a target of intent.

Flexibility

Public clouds offer the best flexibility since they can be expanded or adopted almost at will. Cloud consumers purchase just the services they desire. When they want more storage or additional processing power, they simply increase their cloud plan. Similarly, when they no longer need resources, they can release them back to the cloud.

Private clouds differ greatly in their flexibility. Organizations often purchase the servers, storage, and networking equipment along with the necessary software to set up a private cloud and they must pay IT personnel to maintain it. They also need to make purchases as the environment grows. Unfortunately, if demand for the private cloud shrinks, the investment is already made and the organization must find a different use for the equipment or suffer a poor return on investment when the equipment stands idle or when IT staff are not fully utilized. Hosted options are available for private clouds, but the organization must still have staff who are capable of managing the private cloud.

Public and private cloud cost models

Cost models differ greatly between cloud offerings. Public cloud pricing is based on service level and utilization. This tends to work well for companies that want to keep service costs aligned to usage. Private clouds often require direct capital expenditure, as mentioned above, or at least additional staff to manage, create and expand them.

Putting it together with the hybrid cloud

The hybrid cloud combines elements of the private and public cloud models. Private cloud elements provide the portal to services but public cloud elements can be used to extend the private cloud as needed. This makes the hybrid cloud flexible. Standardized elements that do not need the enhanced security of the private segment can be moved to the public segment, allowing for growth without as significant an investment in capital equipment.

Data flows between public and private segments of the hybrid cloud can be fine-tuned to adhere to organizational security, privacy and compliance rules. For example, sensitive or confidential data, such as trade secrets, financials, and customer information could reside on the private element of the cloud while more operational data and public data are pushed to the public segment as needed. Alternatively, data could be allowed to be pushed to the public segment of the hybrid cloud but would only be able to reside there for a limited time and the data would be encrypted automatically.
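The two data-flow rules described above can be checked against an inventory of what actually sits on the public segment. This is an added example, not part of the original article: the inventory is constructed, and the 72-hour limit, the classification labels beyond those named in the paragraph, and the function name are assumptions.

```python
"""Added example: audit the public segment against the data-flow rules above."""
from datetime import datetime, timedelta, timezone

NON_SENSITIVE = {"operational", "public"}  # labels taken from the paragraph
MAX_PUBLIC_AGE = timedelta(hours=72)       # assumed retention limit
NOW = datetime(2015, 1, 10, 8, 0, tzinfo=timezone.utc)  # fixed so results repeat

# Constructed inventory of objects currently held on the public segment.
INVENTORY = [
    {"name": "press-kit.zip", "classification": "public",
     "encrypted": False, "pushed_at": "2015-01-02T08:00:00+00:00"},
    {"name": "q4-forecast.xlsx", "classification": "financial",
     "encrypted": True, "pushed_at": "2015-01-09T08:00:00+00:00"},
    {"name": "customer-export.csv", "classification": "customer",
     "encrypted": False, "pushed_at": "2015-01-09T20:00:00+00:00"},
    {"name": "design-notes.pdf", "classification": "trade_secret",
     "encrypted": True, "pushed_at": "2015-01-05T08:00:00+00:00"},
    {"name": "build-logs.tar", "classification": "operational",
     "encrypted": False, "pushed_at": "2014-12-01T08:00:00+00:00"},
    {"name": "scratch.bin", "classification": None,
     "encrypted": False, "pushed_at": "2015-01-10T07:00:00+00:00"},
]


def audit_public_segment(inventory, now, mode="time_boxed"):
    """Return (object name, finding) pairs for objects that break the rule set.

    mode="private_only": sensitive data may not be on the public segment at all.
    mode="time_boxed":   sensitive data may be there, but only encrypted and
                         only for MAX_PUBLIC_AGE after it was pushed.
    """
    if mode not in ("private_only", "time_boxed"):
        raise ValueError("unknown mode: %r" % mode)
    findings = []
    for obj in inventory:
        # Fail closed: anything not explicitly labelled non-sensitive,
        # including unlabelled data, is treated as sensitive.
        if obj["classification"] in NON_SENSITIVE:
            continue
        if mode == "private_only":
            findings.append((obj["name"], "must_stay_private"))
            continue
        if not obj["encrypted"]:
            findings.append((obj["name"], "not_encrypted"))
        if now - datetime.fromisoformat(obj["pushed_at"]) > MAX_PUBLIC_AGE:
            findings.append((obj["name"], "retention_exceeded"))
    return findings


if __name__ == "__main__":
    for mode in ("private_only", "time_boxed"):
        print(mode)
        for name, finding in audit_public_segment(INVENTORY, NOW, mode):
            print("  ", name, finding)
```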

I’m happy to say that you don’t have to choose between security and service customization or flexibility and cost. You can get it all in the hybrid cloud. For those who have rejected public or private cloud models, I encourage you to seriously consider the hybrid cloud. Tomorrow’s challenges will come in all shapes and sizes, many of which existing IT cannot handle. Move to a platform engineered for the future and reshape your business with the hybrid cloud.


Cloudsizing: Finding the right fit for your cloud

The maturation of the cloud is fascinating as it continues to adapt, providing more opportunities for companies and consumers to leverage the vast computing and storage power of computers around the world. Whether those resources are housed in a corporate data center or dedicated hosting facility as part of private cloud services or through third party public cloud offerings, the cloud is most likely part of your everyday life and it is one of the biggest technology growth areas, offering companies ways to save money and become more adaptable to change.

There are many options for cloud consumers, those utilizing or wishing to utilize cloud services. A large differentiator in cloud types lies in ownership and operation of the cloud infrastructure and three main types of clouds, private, public and hybrid are used to support differing business needs.

Private cloud

Private clouds allow business units to utilize cloud services without needing direct capital investment. The organization makes the investment in the underlying technology resources and support personnel to maintain the equipment and offers cloud resources to business units as a service.

Private cloud resources are not shared with other companies, resulting in predictable performance and optimized workloads. Neither are they restricted by the requirements of other clients. This allows for private cloud services to be customized so that they are tailored for the organization’s needs.

There are disadvantages to utilizing a private cloud. The main disadvantage is the large capital investment required on the part of the organization to implement and expand a private cloud. This makes it less flexible than public cloud offerings and more difficult for organizations to test the waters by deploying pilot or prototype systems or to offer services. Rather, prototypes and pilots must make a business case that results in realistic expectations of long-term revenue to cover capital expenses. However, an organization can set up a private cloud using outside hosted resources. The difference here between a private cloud that is hosted and a public cloud is that the private cloud resources are dedicated to you, not shared among multiple companies.

Public cloud

Public clouds, on the other hand, are what most end users think of when the word “cloud” is mentioned, for these clouds are owned and operated by an outside entity and services are provided on a subscription basis, or sometimes for free. Cloud consumers can purchase only the services they need and they can easily increase or decrease their cloud resources by simply purchasing more or less. Public cloud services can also be made available very quickly to consumers because the infrastructure is already there. This is important for companies that need to rapidly respond to demand. In some cases, public cloud services can be provisioned hours or minutes later compared to days or weeks of procurement time in private clouds.

Many public cloud services are designed for a specific use case that may or may not fit your own organizational use case. Public cloud providers do this in order to better manage their solution and reduce complexity of upgrades and maintenance. Public cloud services can be customized but this tends to increase the cost of the service and reduce service portability or the ability of the cloud consumer to migrate from one cloud provider to another.

Since public clouds are operated by a third party, consumers of the cloud do not have the same level of visibility into the underlying technology, processes and procedures that go into providing those services. This makes it more difficult to ensure that services in the cloud meet organizational compliance requirements. This is especially crucial when a data breach occurs and the organization must investigate and notify its customers. Public cloud contracts may not specify notification and compliance requirements leading to issues such as lack of timely notification of a data breach, inability to identify breach scope or other required data, and fines and sanctions against the cloud consumer.

Hybrid cloud

Both of these cloud models are powerful methods for providing organizational technology services but not all companies neatly fit into one of these two categories. This has led to the rise of the hybrid cloud. The hybrid cloud extends the private cloud to the public cloud. This adds the flexibility private clouds lack but still allows the organization to manage the data, processes and controls in the way they do with a purely private cloud.

In a hybrid cloud, customizations can be integrated on the private segment while standardized, out-of-the-box, portions of a solution are located on the public segment. This allows the organization to tailor the solution to their needs without limiting their ability to move the standardized elements to another cloud vendor or to spread the workload and service availability risk among multiple cloud vendors.

One significant benefit of the hybrid cloud is the ability to utilize existing infrastructure and to migrate portions of a service to public segments over time. This reduces the disruption a large change would have on system availability and utilization which can increase productivity. The front-end of a system can stay the same for users while back-end components are moved around the hybrid cloud.

The piece that makes this all work is a hybrid cloud service and associated management tools such as Dell Cloud Manager.  These tools centralize the administration of the hybrid cloud and interface with the public and private segments to enforce defined rule sets and establish communication and functionality between the components.

Wrapping it up

The hybrid cloud offers many of the advantages of both public and private clouds. This is not to say that the hybrid cloud is the best solution for all cloud scenarios as many services may still find that a private or public solution meets their needs. The biggest news and key element of the hybrid cloud is its fit for the myriad solutions that have yet to make their way to the cloud due to one objection or another or for those that had to settle for one type that did not truly meet their needs. With hybrid in the mix, cloud services can be more ubiquitously deployed and utilized, resulting in increased agility, closer alignment to operational objectives, and a better match of technology expenses to revenues.


Screen your calls in the cloud

I used to be agitated by the sound of the phone. My wife and I both have cell phones but we got a land line because there are some parts of the house where we have no reception and we occasionally misplace our phones. Shortly after we purchased it and before we could even give the number to friends, the calls started. Political calls, sales calls, and a plethora of other junk was funneled into our house. It was as if I had hooked up a sewer pipe directly to my kitchen and it was dumping garbage calls into my home, hence the agitation.

Most of the calls were automated; robots per se. Companies have found it is much cheaper to record a call and then automate the call and playback process rather than hire the work out to a call center. Internet-based phones, like the one I have, called Voice Over IP (VOIP) phones, make it even easier and cheaper for companies or individuals to implement these automated calls. Such calls have earned the name robocalls and are increasingly used for illegal sales calls and scams. These internet-based calls often originate from overseas but have domestic phone numbers, real or spoofed, which allows them to violate the FTC’s National Do Not Call Registry, so don’t count on this registry to save you from them.

I wanted to get rid of the phone altogether but my wife, wanting to always be connected with friends and family, had become somewhat attached to the security of a backup line. My first step was to get a phone that audibly announced the caller ID so that I could avoid getting up for more junk calls. I then did my best to ignore the incessant ringing once I heard the telltale caller ID of another vapid robotic exchange.

Last week, however, everything changed. I was preparing for a presentation on hacktivism and I was researching how to prevent fax spam when I came across a cloud-based service that claimed to stop robocalls. I instantly wanted to learn more. Not only did this company claim to have good success in preventing these calls but they were offering the service to consumers for free.

The service I am talking about is Nomorobo. It is pronounced like No More Robo and it came out of a robocall challenge issued by the FTC to develop a solution to the robocall problem. Nomorobo maintains a blacklist of bad calling numbers but robocallers routinely change their numbers and these are often spoofed, meaning that they are not the actual number that the calls originate from. For this reason, Nomorobo only keeps a number in the blacklist for a short time and relies more on the characteristics of the call in much the same way that spam messages are blocked.

Now, some robocalls are legitimate ones that I actually would want to receive. These include calls from my doctor reminding me of an appointment or from my pharmacy about a prescription to pick up. Nomorobo can identify legitimate robocalls and allow those through so you do not miss that appointment or forget that prescription or bring the kids to school on a school closing.

The service relies upon answer anywhere, a feature of many VOIP carriers that allows calls to be sent to two numbers simultaneously. After signing up for Nomorobo and giving it your phone number, you log into your VOIP carrier and configure answer anywhere to go to Nomorobo’s number. Calls are then routed to both numbers and Nomorobo will drop calls after the first ring if they are a robocall. Nomorobo is currently supported on Verizon FiOS, Comcast Xfinity, Time Warner Cable, and AT&T U-verse.

So, in the end, you still receive the calls but the line will only ring once if it is a robocall. In the last year, Nomorobo has blocked 15.1 million robocalls. For me, it is blocking three to five calls each day. I am so much happier with this service and my wife can keep the phone.

Future ready cloud security

In 5 to 10 years, the cloud will be as ubiquitous as the Internet is today. It is predicted that 2015 will see a dramatic change in labor and business models as operations shift to the cloud. It will be part of our normal lives, with cloud-based apps running on stereos, watches, mirrors, glasses and many other devices that we interact with or carry with us daily. Software and data will not be hardware dependent because they will be running in the cloud but you will be able to interact with your data and systems whenever and wherever you are at.

The lines between work and home or business and pleasure are already blurred, but they will become increasingly transparent in the years to come. The floodgates of organizational data will be released into a variety of cloud-based systems. Organizations that develop a security-minded cloud culture now will better transition into the cloud in years to come as it continues to grow. Such cultures will have a framework, such as policies, procedures, workflows and shared cloud successes, that will foster effective cloud security behaviors and habits.

So what does a security-minded cloud culture look like? Provided here are three steps that you can take to start developing it.

The first step is to foster ongoing communication about the cloud, its benefits, and challenges. Create a cloud committee made up of people from different departments and backgrounds within the company and discuss what is working for you and how that can be standardized as an organizational best practice. As part of it, subject ideas to peer review and test assumptions and risks.

Next, create and maintain a data map that details where types of data are stored and which vendors or third parties maintain the data. This is important in case there is a data breach, eDiscovery request, merger, or many other situations. Empower employees to help maintain the data map through discussions on how and where the data is located by members of the cloud committee.

Lastly, be discerning in your choice of products or services. The choice of a cloud provider is not one to be taken lightly without an appropriate level of consideration. Cloud vendors should go through a vendor risk management process that ensures they have sufficient security controls in place to mitigate risks to the type of data they will be hosting. Each vendor can be assigned a risk rating for data classifications to make it easy to determine if data can be used on the vendor’s platform. Risk management should also take into account any compliance requirements and whether the vendor’s systems adhere to those requirements. Also, ensure that service level agreements are appropriate for your data availability requirements. If this concept sounds foreign, consider classifying your organizational data based on the required confidentiality level and availability need.
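The data map from the second step and the vendor risk ratings from the third can be cross-checked automatically. The following is an added example, not from the original article: the classification levels, vendor names, SLA figures and compliance labels are constructed for illustration, and the function names are assumptions.

```python
"""Added example: check a data map against vendor risk ratings."""

# Assumed classification scheme, lowest to highest confidentiality.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Hypothetical output of the vendor risk management process.
VENDORS = {
    "VendorA": {"max_classification": "confidential", "sla_availability": 99.9,
                "compliance": {"PCI DSS"}},
    "VendorB": {"max_classification": "internal", "sla_availability": 99.5,
                "compliance": set()},
}

# Constructed data map: what is stored where, and what it requires.
DATA_MAP = [
    {"data_type": "payment records", "classification": "restricted",
     "availability_need": 99.9, "compliance": {"PCI DSS"}, "vendor": "VendorA"},
    {"data_type": "marketing assets", "classification": "public",
     "availability_need": 99.0, "compliance": set(), "vendor": "VendorB"},
    {"data_type": "HR files", "classification": "confidential",
     "availability_need": 99.9, "compliance": set(), "vendor": "VendorB"},
    {"data_type": "support tickets", "classification": "internal",
     "availability_need": 99.0, "compliance": set(), "vendor": "VendorC"},
    {"data_type": "patient intake forms", "classification": "confidential",
     "availability_need": 99.5, "compliance": {"HIPAA"}, "vendor": "VendorA"},
]


def rank(label):
    """Order a classification label; unknown labels rank above every level."""
    return LEVELS.index(label) if label in LEVELS else len(LEVELS)


def review_data_map(data_map, vendors):
    """Return (data type, vendor, finding) tuples for entries that need action."""
    findings = []
    for entry in data_map:
        name, vendor_name = entry["data_type"], entry["vendor"]
        vendor = vendors.get(vendor_name)
        if vendor is None:
            # Data is already at a vendor that never went through assessment.
            findings.append((name, vendor_name, "vendor_not_assessed"))
            continue
        if rank(entry["classification"]) > rank(vendor["max_classification"]):
            findings.append((name, vendor_name, "classification_exceeds_rating"))
        if entry["availability_need"] > vendor["sla_availability"]:
            findings.append((name, vendor_name, "sla_below_need"))
        if entry["compliance"] - vendor["compliance"]:
            findings.append((name, vendor_name, "compliance_gap"))
    return findings


if __name__ == "__main__":
    for finding in review_data_map(DATA_MAP, VENDORS):
        print(*finding, sep=" | ")
```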

You are most likely planning for growth in cloud utilization, so make sure that the solutions you choose can scale with your business. Choose a vendor that can handle several times the volume you initially would contract for and one that has a track record of success and innovation.

This is an exciting time for we stand at the cusp of great technological change. People and organizations are being given the freedom to utilize technology how, when and where they see fit without having to worry about the underlying architectural complexities or capital expenditures. #BeFutureReady, and know this is your chance to seize the cloud, to harness it or even mold it to accomplish great things. Create a culture that supports secure cloud utilization and make a difference – now and in the future!


What to expect in 2015 in security and technology

As hard as it is to believe, 2014 is almost at a close. While some think about Holiday gatherings and gifts, I ponder what the next year will bring. What will security, technology, mobile and the cloud look like in 2015?

Security is primed for change and we will see pressure both internally and externally. External pressure will come from compliance and consumers. It takes time for security practices, even those specified by governing bodies, to be widely accepted and practiced. However, we have reached the point where the expectation is for compliance and best practices rather than best effort. Customers are also exerting pressure on organizations to better protect their data and privacy. 2014 was full of significant breaches by major companies and this has shaken consumer confidence.

Internal pressures will be seen in the need for more integrated security technologies that help improve the way they do their job without being so invasive. This will result in a greater push for security architectures to closely conform to operational objectives. Adoption of IDM and MDM will increase along with “software defined” systems, placing the focus on the purpose rather than the process.

I anticipate a growth in the use of analytics and supporting systems such as databases and storage. The Internet of Things is creating more and more data that corporations can use to gain more information on customers and operations. Existing tools and many custom developed tools will be harnessed to take advantage of this data. The cloud will play a big role in allowing companies to scale and to utilize powerful online analytical capabilities of cloud providers.

Lastly, companies will integrate more business operations into mobile apps and employ technologies to create seamless experiences for users no matter where and on which device they connect. Again, the cloud and virtualization technologies will fuel this capability.

I see 2015 as an exciting time for those in security and technology but even more so for those companies and individuals who will be empowered through more effective and secure systems.
