Securing Hybrid IT the Right Way

The average company today is a hybrid collection of traditional on-premise and cloud-based IT solutions.  On-premise solutions may include identity and authorization servers, custom applications, packaged applications, and local data repositories. Cloud services fulfill a wide variety of business tasks such as document sharing, group collaboration, customer relationship management, payment processing, marketing, and communication.  This combination of on-premise and cloud services is called Hybrid IT.

On-premise applications require equipment purchases, software deployment, and user training, but cloud services can be purchased with a credit card and used almost immediately.  As a result, the same rigor in assessing the business need, risk, and other factors is often not applied when adopting cloud applications.

Getting up to speed

Hybrid IT can be difficult to manage when different users, who may or may not be tech savvy, utilize cloud systems in whatever way they deem best for the situation.  Many organizations now find themselves in a hybrid IT situation that was never really planned.  Follow these steps to get up to speed.

  1. Identify the cloud solutions in place.
  2. Determine if it is feasible to continue using the solutions.
  3. Transfer administrative credentials to IT.
  4. Create an approved application list.
  5. Enforce restrictions through network and endpoint controls on which cloud services can be utilized for organizational data.
  6. Standardize security controls on systems including those in organizational private clouds.

Identify a security solutions provider that can deploy consistent security onto your on-premise equipment, private clouds, and other assets. For example, Bitdefender delivers solutions that have solved the technical challenges of Advanced Persistent Threats (APT) and zero-day exploits.  These same solutions meet the increasingly stringent compliance requirements and give datacenter owners the ability to know what they don’t know, and act on information from below the operating system.

Maintaining control

The most frequently cited risk in hybrid IT is the potential for a lack of organizational control over customer, employee, and business data.  Without effective endpoint and network security controls, a single user may adopt a cloud platform using their personal email address, load organizational data into it, and then leave the organization.  At this point their successor tries to assume control over the system and realizes that they have no ability to do so.

Organizations need to strike a balance between agility and administration.  There needs to be a level of control over which cloud applications are used for business purposes, but the process for evaluating and approving applications needs to be able to keep pace with today’s fast-paced business. See the suggested steps below.

  1. Establish a procedure for requesting a cloud application.
  2. Create a semi-automated workflow from the procedure.
  3. Establish a cross-functional approval group that will respond to requests through the workflow.
  4. Educate employees on the process.

Risk mitigation

Hybrid solutions are often user or department initiated with little or no involvement of the IT department or those responsible for security within the organization.  Cloud applications may change the organizational risk profile, but the business as a whole is not often aware of this change in risk and therefore cannot evaluate whether actions are required to reduce the risk to an acceptable level. One good way for data center administrators to be as informed as possible about risks is to deploy solutions such as Hypervisor Introspection which can evaluate security independent of the virtual machine and analyze system memory at the hypervisor level.  This ensures consistent security management and awareness even when users or administrators deploy non-standard virtual machines.

From there, a combination of endpoint and network controls, such as software restriction policies enforced by agents on user machines and traffic filtering on the network, can be used to restrict access to unapproved cloud services and applications.  This way, users will be required to use the process to request applications.
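One way to put the approved application list to work against network data, as an added example that is not part of the original post: the script below audits web proxy log lines against an allowlist of approved cloud services and reports which users reached unapproved ones and how much data they uploaded there. The log format, the `key=value` field names, the `.example` hostnames and the approved list are all constructed for this demonstration. The detail worth noticing is the hostname match: it walks label boundaries, because a naive "ends with" test would treat a look-alike domain such as `notdocshare.example` as if it were the approved `docshare.example`.

```python
"""Audit web proxy logs against an approved cloud application list.

Added example, not from the original post. The proxy log format, the
key=value field names, the .example hostnames and the approved list are
all constructed for this demonstration.
"""
from collections import defaultdict

# Constructed approved application list (what the approval group signed off on).
APPROVED_SERVICES = {"docshare.example", "crm.example"}

# Constructed sample proxy log lines.
SAMPLE_PROXY_LOG = """\
2016-08-01T09:00:00 user=alice host=files.docshare.example action=PUT bytes=1048576
2016-08-01T09:00:10 user=alice host=crm.example action=GET bytes=2048
2016-08-01T09:01:00 user=bob host=notdocshare.example action=PUT bytes=5242880
2016-08-01T09:02:00 user=bob host=personal-drive.example action=PUT bytes=734003200
2016-08-01T09:03:00 user=carol host=personal-drive.example action=GET bytes=1024
"""

# Methods that move data out of the organization rather than into it.
UPLOAD_ACTIONS = {"PUT", "POST"}


def host_is_approved(host, approved=APPROVED_SERVICES):
    """True if host equals an approved domain or is a subdomain of one.

    The check walks down the label boundaries ("files.docshare.example" ->
    "docshare.example" -> "example"), so "notdocshare.example" never matches
    "docshare.example" even though it ends with the same characters.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in approved:
            return True
    return False


def parse_proxy_line(line):
    """Parse one line of the constructed format into a dict of its fields."""
    _timestamp, rest = line.split(" ", 1)
    fields = dict(item.split("=", 1) for item in rest.split())
    fields["bytes"] = int(fields["bytes"])
    return fields


def audit_proxy_log(text, approved=APPROVED_SERVICES):
    """Summarise traffic to services outside the approved list.

    Returns {host: {"users": set_of_users, "bytes_uploaded": int}} so the
    approval group can see who is using what and how much data left.
    """
    findings = defaultdict(lambda: {"users": set(), "bytes_uploaded": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_proxy_line(line)
        if host_is_approved(ev["host"], approved):
            continue
        entry = findings[ev["host"]]
        entry["users"].add(ev["user"])
        if ev["action"] in UPLOAD_ACTIONS:
            entry["bytes_uploaded"] += ev["bytes"]
    return dict(findings)


if __name__ == "__main__":
    for host, info in sorted(audit_proxy_log(SAMPLE_PROXY_LOG).items()):
        print(f"{host}: users={sorted(info['users'])} "
              f"uploaded={info['bytes_uploaded']} bytes")
```

The same `host_is_approved` check is what a blocking rule on the proxy or endpoint agent should implement; the report form shown here is the starting point for the approval workflow, since every host it lists is either a request that never went through the process or a look-alike domain that deserves a closer look.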

Next, using the workflow developed earlier, the information collected on the approved cloud applications and services can be compiled into a report for risk management.  The entire process of creating this document can be automated in the workflow.  The cross-functional approval team should have included someone from risk management, but this portion of the process involves a more in-depth review of the hybrid IT application portfolio against the organizational risk tolerance threshold.  Risk management can then make recommendations to ensure that risk is kept to acceptable levels.

Reducing attack surface

In some cases, a cloud application is adopted by a user or department when another cloud application has already been adopted to satisfy the same need.  Redundant cloud services increase management costs as well as the attack surface because they create additional potential avenues for attackers to obtain access to organizational data or systems.

  1. Determine which cloud service offers the greatest fit for the organization.
  2. Train users of the redundant service on how to use the preferred one.
  3. Transfer data from one service to the other.
  4. Terminate the redundant service.

Hybrid IT offers organizations an excellent way to augment existing on-premise IT offerings with cutting-edge cloud services.  However, it can also be a nightmare if not managed properly.  Some companies are in a precarious security position, yet the problem is not insurmountable.  With some planning, automation, discipline, and the right mix of endpoint and network security controls, organizations can deploy and manage hybrid IT so that attack surfaces, cloud costs, and management time and effort are minimized.


Will Hacktivists Turn to Ransomware?

The US presidential election is upon us and some political activists are out in the streets, and in convention halls. And some are busy hacking. I am referring to the hacktivists, those who illegally use technology to promote a social or political agenda. The main difference between hacktivists and other cybercriminals is that hacktivist crimes are typically associated with a protest or political motivation.

In the early days of hacktivism, hackers used computer worms to spread messages, such as the 1989 Worms Against Nuclear Killers (WANK) anti-nuclear message that sent system announcements on DEC VMS systems.

In recent years, hacktivists have used mostly website defacing, data disclosure, and Distributed Denial of Service (DDoS) attacks to spread their message. Hacktivists typically do not create the attack technology.  They simply augment it for their use. With versions of Cryptolocker, Cerber, Locky, and Stampado for sale at reasonable prices, hacktivists have all they need to launch their own attacks.

Hacktivist ransomware? Not yet.

The good news is that we have not seen hacktivist ransomware – yet. It is a concern because it will differ greatly from the ransomware we know today. Some hacktivists may not even make a demand.  Encrypting the data will cause the disruption in business they desire.

Now is the time to guard yourself from such attacks. Take an inventory of the data in your organization so you know where it is. Next, back up the data and ensure it can be recovered in time. Lastly, ensure that users know that your organization has a plan in place to respond to ransomware (your backup strategy) and educate them on the process for spotting and reporting ransomware. That last step, prevention, is key to your success.

Three steps to data protection

Many organizations have found out too late that valuable data was on a device that they did not track, and these oversights have resulted in data breaches, or data loss. Both consequences can be avoided when the organization understands what data they have and where it is located.

Craft a backup strategy that keeps the backup copies separate from the production copies so that ransomware will not infect both. The strategy should also allow for restores to be performed quickly enough so that business interruptions are kept to an acceptable minimum. In the industry, we call this the RTO or Recovery Time Objective. You also want to make sure the backups are performed frequently enough to avoid unnecessary data loss.

The final key to protecting your data from ransomware attacks of any kind is to communicate with employees. Ensure that they understand that the organization has a plan in place to deal with ransomware. In this way, employees will not feel that they need to take on the solution themselves by paying the ransom or, in the case of hacktivism, performing the requested action. Employees should also understand how to report ransomware so that the organization can respond to the incident quickly.

If hacktivism follows the route many believe it will, hacktivist ransomware will eventually enter the scene. Protect yourself from all ransomware by putting the right controls in place before the attack.


Adding Ransomware to Security Radars

Ransomware is the quickest way to turn your valuable data into garbage.  Ransomware is a form of malicious software that blocks access to user data such as documents, spreadsheets, pictures, music, or videos, typically by encrypting those files.  At this point, the ransomware will display a demand for payment in order to send the victim the decryption keys to the data.

Businesses and consumers often do not know what they have until it is encrypted.  It is then that they realize their Christmas list, family photos, and personal financials are inaccessible.  It can be much worse for companies.  Imagine the impact when payroll data, product formulas, or inventory records are suddenly unavailable.  Now imagine a doctor who is unable to prescribe medicine or perform an operation because the prescription information or patient records they need are encrypted.  As you can see, the impact of ransomware can be severe.

Despite ransomware’s severe impact, its attack vectors are more mundane.  Ransomware is obtained through a variety of well-known routes including email, websites, online advertising, exploits on system vulnerabilities, and infected files on shared folders or cloud file sharing services.

Email

Emails, particularly phishing emails, frequently entice users to open attachments that contain ransomware or to click links leading to infected websites.  The techniques used here are the same ones used by scammers, hackers, and other malware distributors.  Protection techniques include screening attachments with antivirus tools and utilizing email gateway scanning and filtering tools.  It is also important to educate employees or family members on how to recognize suspicious emails.

Infected websites and online advertising

Ransomware is also distributed from infected websites and through online ads.  Extortionists seed websites with malicious code and then wait for unsuspecting Internet users to visit a compromised site and get infected with their ransomware.  The likelihood of infection from such sites can be greatly reduced by utilizing a web filter, scanning websites for malware, or browsing the web in a virtual machine.

Extortionists also create ads on social media or in search engines that download the malware.  Ads might pretend to be a flash player update, help or chat ads, or fake antivirus.  These ads are collectively known as malvertising.  The best way to protect against ransomware distributed through malvertising is by using an ad blocker.  There are many extensions for common browsers or standalone applications that can perform this activity.

Shared folders or cloud file sharing

Ransomware can also be obtained when a computer is connected to a network share that has ransomware on it.  Many ransomware variants are capable of spreading to the shares a computer is connected to, typically via mapped drives.  Ransomware can also infect your machine if you are using a cloud file sharing service that synchronizes files between machines.  If a personal computer is infected and has the cloud file sharing software on it, it can replicate the malware to other computers that are part of the sharing relationship, infecting them all in the process.  Monitor file servers for mass file changes to detect ransomware behavior and scan files that are placed on network shares.  Similarly, equip each computer that utilizes cloud file sharing applications with antivirus software and segment business cloud file stores from personal ones.
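The "mass file changes" monitoring suggested above, as an added example that is not part of the original post: a sliding-window counter over file-server audit events that raises an alert when one account modifies or renames an unusual number of files on a share within a short interval, which is the write pattern an encrypting process leaves behind. The audit log format, field names, the 60-second window and the threshold of 20 changes are assumptions chosen for this demonstration; the sample log is constructed in code so the script runs offline.

```python
"""Detect mass file changes on a file server from audit log lines.

Added example, not from the original post. The log format (ISO timestamp
followed by key=value fields), the window and the threshold are
assumptions for this demonstration; a real deployment would tune them to
the server's normal change rate.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations that change data; reads are ignored by the detector.
MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}


def build_sample_log():
    """Constructed audit lines: normal users plus one ransomware-like burst."""
    base = datetime(2016, 8, 1, 10, 0, 0)
    lines = [
        f"{base.isoformat()} user=alice share=finance op=READ path=q2/budget.xlsx",
        f"{(base + timedelta(seconds=5)).isoformat()} user=alice share=finance op=WRITE path=q2/budget.xlsx",
    ]
    # carol: a handful of saves spread over ten minutes, ordinary behaviour.
    for i in range(5):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} user=carol share=hr op=WRITE path=staff/report{i}.docx")
    # bob: 25 files rewritten and renamed within 25 seconds, encryptor-like.
    burst = base + timedelta(minutes=1)
    for i in range(25):
        t = burst + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} user=bob share=hr op=WRITE path=staff/doc{i}.docx")
        lines.append(f"{t.isoformat()} user=bob share=hr op=RENAME path=staff/doc{i}.docx")
    lines.sort()  # ISO timestamps sort chronologically as strings
    return lines


def parse_line(line):
    """Parse one audit line; paths in the constructed sample contain no spaces."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(item.split("=", 1) for item in rest.split())
    fields["time"] = datetime.fromisoformat(ts_text)
    return fields


def detect_mass_changes(lines, window=timedelta(seconds=60), threshold=20):
    """Return one alert per (user, share) burst of >= threshold changes in window.

    Events are expected in chronological order. Each alert is raised once
    when the count first crosses the threshold and not again until the
    account's activity has dropped back below it.
    """
    recent = defaultdict(deque)   # (user, share) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["op"] not in MODIFYING_OPS:
            continue
        key = (ev["user"], ev["share"])
        q = recent[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()            # drop events that aged out of the window
        if len(q) < threshold:
            alerted.discard(key)
        elif key not in alerted:
            alerted.add(key)
            alerts.append({"user": ev["user"], "share": ev["share"],
                           "count": len(q), "window_start": q[0], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in detect_mass_changes(build_sample_log()):
        print(f"ALERT {a['time'].isoformat()} user={a['user']} share={a['share']} "
              f"changes={a['count']} since {a['window_start'].isoformat()}")
```

Keying the window on the account and share, rather than on the whole server, is what keeps a busy but legitimate file server from alerting constantly while a single encrypting account still stands out; the alert's `window_start` is also the earliest time the responder needs to look at when choosing a restore point.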

System vulnerabilities

Vulnerabilities in operating systems, applications and browser plugins are well documented once they have been discovered.  Attackers create exploit kits to target these vulnerabilities and then other malicious actors utilize these exploit kits to deliver malware to your machine.  The most common exploits are those related to operating systems such as Windows, applications such as Adobe Acrobat, or browser plugins such as Java, Flash, or Silverlight.  The best way to protect against the exploitation of such vulnerabilities is to keep systems, applications, and plugins updated to the latest version.  Vendors frequently release new versions or patches to software that fix the vulnerabilities that have been discovered.  Applying these updates can prevent those vulnerabilities from being exploited.

Exceptions

There will always be exceptions in a security system.  No system will protect you one hundred percent of the time and that is why it is important to have contingency plans.  When ransomware gets past your defenses, and it will at some point, be sure you have up-to-date backups of critical files so that you can remove the malware and encrypted files and then restore clean versions of the files back to computers.  Backup solutions should be distinct from production systems.  For example, a hard drive connected to a computer or a network attached storage device are both accessible from an infected machine so they are likely to be infected too.  However, tape backups or online backup services are distinct from production storage and can be relied upon to restore clean copies of data if the restore points predate the infection date.
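The restore-point rules from this section and from the backup strategy in "Three steps to data protection" above, as an added example that is not part of the original posts: given a backup catalogue and the time the infection was first seen, the script keeps only copies that predate the infection and live on media an infected machine cannot reach (tape or an online backup service, not an attached drive or NAS), picks the newest, and grades it against the RTO and an RPO (the acceptable data-loss window). The catalogue, media names, restore-time estimates and infection time are all constructed for the demonstration.

```python
"""Pick a clean restore point for ransomware recovery.

Added example, not from the original posts. The backup catalogue, media
names, restore-time estimates and the infection time are constructed for
this demonstration.
"""
from datetime import datetime, timedelta

# Media an infected machine can write to (attached disk, mapped NAS) are
# treated as compromised; only these count as separate from production.
ISOLATED_MEDIA = {"tape", "online_service"}

# Constructed backup catalogue: when the copy was taken, where it lives,
# and an assumed time to restore it.
SAMPLE_CATALOGUE = [
    {"time": datetime(2016, 7, 31, 2, 0), "medium": "tape", "restore_minutes": 240},
    {"time": datetime(2016, 8, 1, 2, 0), "medium": "tape", "restore_minutes": 240},
    {"time": datetime(2016, 8, 1, 6, 0), "medium": "online_service", "restore_minutes": 90},
    {"time": datetime(2016, 8, 1, 14, 0), "medium": "nas", "restore_minutes": 30},
    {"time": datetime(2016, 8, 1, 15, 0), "medium": "online_service", "restore_minutes": 90},
]

# Constructed: the time the first encrypted file was noticed.
SAMPLE_INFECTION_TIME = datetime(2016, 8, 1, 14, 30)


def eligible_restore_points(catalogue, infection_time):
    """Restore points taken before infection on media the malware cannot reach."""
    return [p for p in catalogue
            if p["time"] < infection_time and p["medium"] in ISOLATED_MEDIA]


def select_restore_point(catalogue, infection_time, rpo, rto):
    """Choose the newest eligible restore point and grade it against RPO/RTO.

    rpo: acceptable data-loss window (timedelta); rto: acceptable restore
    time (timedelta). Returns None when no clean copy exists.
    """
    candidates = eligible_restore_points(catalogue, infection_time)
    if not candidates:
        return None
    best = max(candidates, key=lambda p: p["time"])
    data_loss = infection_time - best["time"]
    restore_time = timedelta(minutes=best["restore_minutes"])
    return {
        "time": best["time"],
        "medium": best["medium"],
        "data_loss": data_loss,
        "meets_rpo": data_loss <= rpo,
        "restore_time": restore_time,
        "meets_rto": restore_time <= rto,
    }


def demo_choice():
    """Run the selection on the constructed catalogue with a 12 h RPO and 4 h RTO."""
    return select_restore_point(SAMPLE_CATALOGUE, SAMPLE_INFECTION_TIME,
                                rpo=timedelta(hours=12), rto=timedelta(hours=4))


if __name__ == "__main__":
    choice = demo_choice()
    if choice is None:
        print("no clean restore point available")
    else:
        print(f"restore {choice['medium']} copy from {choice['time'].isoformat()}: "
              f"lose {choice['data_loss']} of work (RPO ok: {choice['meets_rpo']}), "
              f"restore takes {choice['restore_time']} (RTO ok: {choice['meets_rto']})")
```

Note that the most recent copy in the catalogue (the NAS snapshot at 14:00) is exactly the one the text says cannot be trusted, so the selection falls back to the 06:00 online copy; if that copy failed the RPO or RTO check, the fix is a more frequent isolated backup, not a faster restore from the reachable one.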


Big Data ROI – How to use what you already have

We may not be using more of our brains but we can probably use more of our data. Did you know that organizations typically use only 1 percent of the data they collect? Why is this and how can we change it? Do organizations need more motivation, utility, expertise, tools, or just better data retention policies?

The problem of motivation

Motivation is the driving force behind activity, but businesses, and the people who run them, are often juggling many priorities. Big data may just not be at the top of their list. It is easy to put off analyzing organizational data because keeping it around seems easy. After all, storage media continue to grow and are available at lower cost. However, there are additional costs, especially those associated with the loss of data in a breach, that organizations do not often factor in when considering the cost of storing data that may or may not be utilized in the future.

At the same time, some organizations struggle with motivation because they are always waiting to collect a bit more data before analyzing it. Statistical analysis is typically more reliable as data sets grow. However, machine learning can be used to fill in some of the gaps once an analytical program has been sufficiently trained. Still, no matter what method is used, a minimum amount of data will be needed for a relatively accurate analysis, and some companies are afraid of acting on potentially incorrect data. The downside of this is that they are also waiting to capitalize on the benefits of the data they hold.

Motivation needs to come from the top down if you want the use of data to be both successful and consistent. Organizational leaders must decide what they want to achieve from their data and then entrust those best suited to analyze the data with the task of putting it all together to obtain meaningful and valuable results.

Finding the utility

Lack of data ROI could also be due to a lack of value or utility. Some organizations collect data just because it is there or because it was provided but they have no need for the data and it is not producing them any value. Further, they see no value in the information. In this case, the best course of action is to make an informed decision as to whether the data is valuable. If it is not valuable, the organization should delete the data so that they do not have to expend resources managing and protecting it.

Achieving expertise

Analyzing big data, configuring machine learning algorithms, evaluating outcomes, and implementing the underlying analytical systems for big data requires a high level of expertise in a variety of disciplines. Some organizations do not have the expertise or they are in the process of developing that expertise.

Those that are new to analyzing big data might seek the help of a trusted partner to get them up to speed or they may outsource the role entirely. However, given the value of organizational data and the risk of exposure, outsourcing should be treated with a due diligence assessment of the outsourced company’s capabilities and reinforced with a strong contract.

Building better models and tools

Those who are using big data probably see room for improvement, especially in the models they are using to interpret the data and, in lesser cases, the software and infrastructure they utilize. Cloud computing can offer great advantages in expanding to meet big data needs and in providing the raw computing power to analyze large data sets. Other companies are deploying private or hybrid clouds so that they can offer more customized analytics to decision makers.

Performing better housecleaning

Lastly, some only use 1 percent of their data because they simply do not have a policy and procedure for removing useless data. A large component of this is the data retention policy which spells out how long different types of data will be stored by the company and when that data will be destroyed. Additionally, some data that fits certain criteria may be removed immediately. This might include spam or other junk emails, draft files, temporary files, Internet history, cookies, or encryption keys. Removing this data makes it easier to manage the remaining data and it can prevent malicious outsiders from obtaining data that could be used to launch attacks or otherwise harm the company or its customers.

Humans only use a small portion of our minds and we use an even smaller portion of the data we collect. The good news is that there are viable strategies companies can employ to begin utilizing more of that data. So what is holding you back?


Top security initiatives for 2016

2016 is going to be a big year for security. News of data breaches and the major technological innovations of 2015 will put more pressure on companies to implement effective organizational security. I believe 2016 will see major initiatives in these seven areas:

  1. Securing the supply chain

2015 demonstrated the need for organizations to ensure that their weakest security link does not lie among one of their suppliers. Some of the security breaches that occurred were the result of suppliers or partner companies that were handling or had access to company information.

The supply chain relies on sharing of information in order for it to function effectively and 2016 will see an increase in initiatives to implement a standard or minimum set of security controls throughout the process and wherever sensitive data is shared with suppliers or other partner companies.

  2. Leverage more data analytics for security

Big data has been growing more and more each year. It has been leveraged greatly in determining shopping habits, customer needs, process improvement and many other areas but I believe 2016 will see a growth in the use of big data in security. Big data can be used to predict likely targets, identify attack patterns, detect network or data anomalies that indicate abnormal activity such as a data breach, validate data sources to better screen out garbage data or identify areas where security controls are performing well. This is all very valuable in protecting organizational assets. It is also valuable to governments trying to protect their citizens and companies against attacks from foreign nations and companies.

  3. Internet of Things security

The Internet of Things (IoT) is expected to explode next year. As more and more devices come online, companies will develop new strategies and technologies to protect the devices and the data produced from those devices. I expect the innovation in IoT and IoT security will also trickle over to other areas of security, helping to improve security overall.

  4. More companies will hire a security executive such as a CSO

The Chief Security Officer (CSO) will be a more common member of the “C-suite” in the next year as companies realize that top level support is required and an independent executive division is needed to ensure transparency and functionality between technical, operational, financial, legal and other critical business areas.

CSOs will be expected to implement security best practices and work with compliance officers or teams to ensure adherence to relevant regulations. They will also be responsible for aligning businesses and security goals so that security initiatives are more effective.

  5. Find ways to hire and retain valuable infosec talent

2016 will see an increase in hiring of other infosec professionals, as well. CSOs will need a team to achieve their objectives and they will not be able to fill that need entirely from existing resources. Such resources may include risk management professionals, security analysts, penetration testers, security engineers and architects, security managers and other security professionals.

  6. Extend security to the mobile device

Employees today are not just mobile, they are mobile with multiple devices. Employees may have a laptop, tablet, and smartphone each connected to the corporate network. Companies will be implementing more controls to extend organizational security to the mobile device. This will include mobile device management systems but also more transparent security such as data driven security, identity management systems that integrate across mobile and traditional platforms and cloud systems that offer services to mobile and traditional systems alike.

  7. Encryption is the new “minimum” security

The regulations have spoken and encryption is practically the new minimum standard for security. 2016 will see an increase in the use of encryption for key systems such as email, network communications, web traffic including traffic that was previously not deemed sensitive, end user computers and mobile devices and servers. Those systems that are already using encryption will most likely get an upgrade to the type of encryption used or to the way they manage keys so that they are in line with best practices.

Do you see any other security initiatives coming forward in 2016?  Please share your thoughts on Twitter with @evanderburg and copy @DellPowerMore.


No compromise with the hybrid cloud

The question below may be familiar to many who have considered cloud services; it has been both the start and the end of many cloud discussions.

What is most important to you, cloud security and service customization or flexibility and cost?

Those who picked security and service customization adopted a private cloud model and those who picked flexibility and cost chose a public cloud model. Those that couldn’t choose continued using traditional IT to solve today’s problems and they had a tough time of it.

The good news is that you don’t have to make that choice anymore. Security, service customization, flexibility, and cost objectives can each be met through a merger of public and private cloud approaches in the hybrid cloud. To understand how this works, let’s briefly explore both prior models and then compare them to the hybrid cloud.

Security in public and private clouds

Organizations have more control over data and services when using a private cloud. This control allows cloud services to be tailored to the company’s security strategy, including the security controls and procedures necessary to meet compliance requirements. Along with greater control comes increased visibility into the system for easier management and incident response. For example, computer forensic or investigative work can be streamlined because no third party limits access to the data or logs, and the organization can collect evidence directly, resulting in a clearer chain of custody. Public clouds offer less visibility and control, making it harder to enforce security requirements, perform investigations, collaborate on incident response, and notify customers quickly about data breaches. Public clouds have received the most criticism over their ability to protect data securely, especially in regulated businesses that must meet compliance requirements.

Private clouds may be shared among business units but they are not shared between unknown entities as is common in public cloud offerings. This reduces the chance that a successful exploit of a neighboring cloud system will impact organizational systems. However, public clouds are by nature targets because they are visible, well-known repositories of data. Attackers may not know what data resides in a public cloud or whether it is worth their effort to attack but public clouds hold so much data that they make a tempting target for attackers. By placing data in a public cloud, consumers are no longer a target of opportunity, they are a target of intent.

Flexibility

Public clouds offer the best flexibility since they can be expanded or adopted almost at will. Cloud consumers purchase just the services they desire. When they want more storage or additional processing power, they simply increase their cloud plan. Similarly, when they no longer need resources, they can release them back to the cloud.

Private clouds differ greatly in their flexibility. Organizations often purchase the servers, storage, and networking equipment along with the necessary software to set up a private cloud and they must pay IT personnel to maintain it. They also need to make purchases as the environment grows. Unfortunately, if demand for the private cloud shrinks, the investment is already made and the organization must find a different use for the equipment or suffer a poor return on investment when the equipment stands idle or when IT staff are not fully utilized. Hosted options are available for private clouds, but the organization must still have staff who are capable of managing the private cloud.

Public and private cloud cost models

Cost models differ greatly between cloud offerings. Public cloud pricing is based on service level and utilization. This tends to work well for companies that want to keep service costs aligned to usage. Private clouds often require direct capital expenditure, as mentioned above, or at least additional staff to manage, create and expand them.

Putting it together with the hybrid cloud

The hybrid cloud combines elements of the private and public cloud models. Private cloud elements provide the portal to services, but public cloud elements can be used to extend the private cloud as needed. This makes the hybrid cloud flexible. Standardized elements that do not need the enhanced security of the private segment can be moved to the public segment, allowing for growth without as significant an investment in capital equipment.

Data flows between public and private segments of the hybrid cloud can be fine-tuned to adhere to organizational security, privacy and compliance rules. For example, sensitive or confidential data, such as trade secrets, financials, and customer information could reside on the private element of the cloud while more operational data and public data are pushed to the public segment as needed. Alternatively, data could be allowed to be pushed to the public segment of the hybrid cloud but would only be able to reside there for a limited time and the data would be encrypted automatically.

I’m happy to say that you don’t have to choose between security and service customization or flexibility and cost. You can get it all in the hybrid cloud. For those who have rejected public or private cloud models, I encourage you to seriously consider the hybrid cloud. Tomorrow’s challenges will come in all shapes and sizes, many of which existing IT cannot handle. Move to a platform engineered for the future and reshape your business with the hybrid cloud.


Cloudsizing: Finding the right fit for your cloud

The maturation of the cloud is fascinating as it continues to adapt, providing more opportunities for companies and consumers to leverage the vast computing and storage power of computers around the world. Whether those resources are housed in a corporate data center or dedicated hosting facility as part of private cloud services or through third party public cloud offerings, the cloud is most likely part of your everyday life and it is one of the biggest technology growth areas, offering companies ways to save money and become more adaptable to change.

There are many options for cloud consumers, those utilizing or wishing to utilize cloud services. A large differentiator in cloud types lies in ownership and operation of the cloud infrastructure, and three main types of clouds (private, public, and hybrid) are used to support differing business needs.

Private cloud

Private clouds allow business units to utilize cloud services without needing direct capital investment. The organization makes the investment in the underlying technology resources and support personnel to maintain the equipment and offers cloud resources to business units as a service.

Private cloud resources are not shared with other companies, resulting in predictable performance and optimized workloads. Neither are they restricted by the requirements of other clients. This allows for private cloud services to be customized so that they are tailored for the organization’s needs.

There are disadvantages to utilizing a private cloud. The main disadvantage is the large capital investment required on the part of the organization to implement and expand a private cloud. This makes it less flexible than public cloud offerings and more difficult for organizations to test the waters by deploying pilot or prototype systems or to offer services. Rather, prototypes and pilots must make a business case that results in realistic expectations of long-term revenue to cover capital expenses. However, an organization can set up a private cloud using outside hosted resources. The difference here between a private cloud that is hosted and a public cloud is that the private cloud resources are dedicated to you, not shared among multiple companies.

Public cloud

Public clouds, on the other hand, are what most end users think of when the word “cloud” is mentioned, for these clouds are owned and operated by an outside entity and services are provided on a subscription basis, or sometimes for free. Cloud consumers can purchase only the services they need and they can easily increase or decrease their cloud resources by simply purchasing more or less. Public cloud services can also be made available very quickly to consumers because the infrastructure is already there. This is important for companies that need to rapidly respond to demand. In some cases, public cloud services can be provisioned in hours or minutes, compared to days or weeks of procurement time in private clouds.

Many public cloud services are designed for a specific use case that may or may not fit your own organizational use case. Public cloud providers do this in order to better manage their solution and reduce complexity of upgrades and maintenance. Public cloud services can be customized but this tends to increase the cost of the service and reduce service portability or the ability of the cloud consumer to migrate from one cloud provider to another.

Since public clouds are operated by a third party, consumers of the cloud do not have the same level of visibility into the underlying technology, processes and procedures that go into providing those services. This makes it more difficult to ensure that services in the cloud meet organizational compliance requirements. This is especially crucial when a data breach occurs and the organization must investigate and notify its customers. Public cloud contracts may not specify notification and compliance requirements leading to issues such as lack of timely notification of a data breach, inability to identify breach scope or other required data, and fines and sanctions against the cloud consumer.

Hybrid cloud

Both of these cloud models are powerful methods for providing organizational technology services but not all companies neatly fit into one of these two categories. This has led to the rise of the hybrid cloud. The hybrid cloud extends the private cloud to the public cloud. This adds the flexibility private clouds lack but still allows the organization to manage the data, processes and controls in the way they do with a purely private cloud.

In a hybrid cloud, customizations can be integrated on the private segment while standardized, out-of-the-box, portions of a solution are located on the public segment. This allows the organization to tailor the solution to their needs without limiting their ability to move the standardized elements to another cloud vendor or to spread the workload and service availability risk among multiple cloud vendors.

One significant benefit of the hybrid cloud is the ability to utilize existing infrastructure and to migrate portions of a service to public segments over time. This reduces the disruption a large change would have on system availability and utilization which can increase productivity. The front-end of a system can stay the same for users while back-end components are moved around the hybrid cloud.

The piece that makes this all work is a hybrid cloud service and associated management tools such as Dell Cloud Manager.  These tools centralize the administration of the hybrid cloud and interface with the public and private segments to enforce defined rule sets and establish communication and functionality between the components.

Wrapping it up

The hybrid cloud offers many of the advantages of both public and private clouds. This is not to say that the hybrid cloud is the best solution for all cloud scenarios as many services may still find that a private or public solution meets their needs. The biggest news and key element of the hybrid cloud is its fit for the myriad solutions that have yet to make their way to the cloud due to one objection or another or for those that had to settle for one type that did not truly meet their needs. With hybrid in the mix, cloud services can be more ubiquitously deployed and utilized, resulting in increased agility, closer alignment to operational objectives, and a better match of technology expenses to revenues.
