The Cloud Security Alliance (CSA) has rolled out the Security, Trust and Assurance Registry (STAR) initiative where Cloud Service Providers (CSP) can publish their controls, safeguards and/or practices so that cloud consumers may know how secure they are. This effort involves previous research by the CSA in the way of their Cloud Controls Matrix (CCM) and Consensus Assessment Initiatives Questionnaire (CAIQ).
See the link below.
https://cloudsecurityalliance.org/star/
It will be interesting to see how this turns out.
Thursday, September 22, 2011
HIPAA Audit Checklist
Here is a link to a HIPAA audit checklist that you may want to at least glance at prior to KPMG/ONC knocking on your door.
http://www.healthcareinfosecurity.com/articles.php?art_id=4010&pg=1
http://www.healthcareinfosecurity.com/articles.php?art_id=4010&pg=1
Monday, September 12, 2011
Cloud Computing & ROI
I have spent several hours today reading about various takes on calculating the ROI on cloud computing and the consensus seems to be that it is nebulous. Though, one can break down the cloud into various buckets, such as: hardware, software administration, provisioning, etc. and each of these can be measured better.
These buckets may assist in the overall ROI of the cloud, but my experience is that a Business Analyst/Manager type uses ROI to build a business case for going to the cloud for a specific application. So, in that case I believe a TCO for an internal solution could be used for calculating the ROI for a one-off app going to the cloud.
At the end of the day, you need a number the CxO will be satisfied with. If that happens then the how you came about that number may not be questioned.
Sunday, September 11, 2011
Dart: Google's New Web Procedural Language
So, Google has announced that they are rolling out a new web procedural language called Dart, which strikes my fancy as I wonder if security was built from the ground up.
Specifically, IAM, encryption/hashing, prepared statements/input validation, enhanced error/exception checking all come to mind as points I hope they considered.
We will see.
Specifically, IAM, encryption/hashing, prepared statements/input validation, enhanced error/exception checking all come to mind as points I hope they considered.
We will see.
Wednesday, September 7, 2011
Top 10 Cloud Computing Security Threats
Cloud Security Alliance and Gartner published several research reports addressing cloud computing security issues. There are numerous risks that can hamper the integrity of a Cloud Infrastructure, but here we will focus on those that emerged as the
Top 10 Security Threats and Risks of the cloud.
1. Abusive use of Cloud Computing Resources:
Cloud computing technologies can be used as a platform for launching attacks, hosting Spam/Malware, software exploits publishing and for many other unethical purposes. Cloud computing service platforms, especially PaaS with its enhanced service portfolio and the independence, allows anyone to propagate their malicious intent. IaaS based perforations are also picking up pace with PaaS. Cloud computing service providers normally provide literally anyone with a valid credit card to avail their services, thus opening wide horizon of users to facilitate from their platform; malicious hackers & crackers cannot be filtered easily from that large pool of users.
2. Privileged Access & Malicious Insiders:
Cloud computing provides flexibility by outsourcing the services, but it also brings inherent risks of malicious insiders and abusive use of login access by an unauthorized person. The customer’s security controls remain outside the cloud security mechanism and customer has no control over the service provider’s internal security control. This brings substantial risk where any infiltration of such sort can deliver organization a great deal of loss in terms of financial, productive and /or brand image depreciation.
3. Insecure API’s:
Cloud computing vendors provide APIs for customers to interact and avail services and often the customers using these APIs are offering much more services based on them to facilitate their own customer base. Cloud APIs with weak authentication and access control can jeopardize the confidentiality, integrity and availability of the pertaining customer. As the services are spread over vast domain of users, any vulnerability in the API can be exploited for malicious intents.
4. Shared Technology and Data Segregation:
Public cloud infrastructure components are typically not designed for compartmentalization and are prone to vulnerabilities than can be exploited. There might be scenarios where an attacker tries to gain unauthorized access or excessively use the resources which can affect the performance of other user residing in the same infrastructure. One of the prevailing cloud security issues is the lack of encrypting schemes which can dent the integrity of the data stored and absence of proper controls can make the data totally unusable.
5. Identity or Service Theft:
Account or service credentials if stolen can jeopardize the confidentiality, integrity and availability of the entire services linked with that account. It’s just like giving the keys of all cloud resources to the attacker. Furthermore cloud computing service theft can be used for array of attacks which take illegal benefit of the user’s cloud infrastructure as their launching platform.
6. Data Loss:
Cloud computing architecture provides greater challenges in controlling and mitigating risks due to its unique framework and operational attributes. Data in the cloud is prone to so many threats, such as deletion of record, loss of encryption key and weak encryption, resulting in corruption of data. Any organization no matter how big or small relies heavily on data, and any puncture, trespassing by an unauthorized person can have devastating impact on business.
7. Forensic Support:
In cloud computing, it’s very difficult to get forensic evidence in case of a breach or incident because your data might be spread across many different hosts & data centers and possibly reside in a multi-tenant environment. Usually the applications deployed on cloud computing service models are designed without data integrity and security in mind hence being left with vulnerabilities & security issues. Contractual support by the provider for investigation on when and where the incident occurred is a must have clause in the Service Level Agreement otherwise a business can be exposed to serious threats.
8. Geographical Location of Data and its Recovery:
There is a big question mark when it comes to geographical location of data in the cloud computing environment. The data can be stored on many severs, in different locations, possibly different cities, even different country or continent. In case of a disaster, systems with no Disaster Recovery Plan and no Business Continuity Plan to ensure that business runs smoothly again are most vulnerable to failure. There might also be legal or government regulations involved in recovering data if the data is hosted in a different country. This can get tricky if there has been a breach or a criminal act associated with that specific data.
9. Regulatory Compliance in Cloud Computing:
Cloud computing services have certain benefits for an end user. But what about the internal control, compliance, internal security procedures and patch updating of all applications? Lack of adherence to regulatory compliance is a serious risk considering that provider is the custodian of your data. In case of an incident, providers who are not complying with regulatory standards and not providing the auditing and logging of data, leave the customer with high risk profile and it’s a cloud computing security issue worth considering.
10. Stability of the Cloud Provider:
Perhaps this is not a security risk but it’s a very threatening risk if the provider is not financially stable enough to sustain the operations as per the goals of the customer. A cloud computing provider if swallowed up by a merger can ring bells for the confidentiality, integrity and availability of data. Absence of a Recovery Plan resulting by a disaster or a complete shutdown can affect the operations of the customer until it’s recovered. Any cloud computing provider with meager financial stability, lack of back-up infrastructure and no long terms plans to complement the needs of the customer is a definite risk for any mission critical deployment.
Top 10 Security Threats and Risks of the cloud.
1. Abusive use of Cloud Computing Resources:
Cloud computing technologies can be used as a platform for launching attacks, hosting Spam/Malware, software exploits publishing and for many other unethical purposes. Cloud computing service platforms, especially PaaS with its enhanced service portfolio and the independence, allows anyone to propagate their malicious intent. IaaS based perforations are also picking up pace with PaaS. Cloud computing service providers normally provide literally anyone with a valid credit card to avail their services, thus opening wide horizon of users to facilitate from their platform; malicious hackers & crackers cannot be filtered easily from that large pool of users.
2. Privileged Access & Malicious Insiders:
Cloud computing provides flexibility by outsourcing the services, but it also brings inherent risks of malicious insiders and abusive use of login access by an unauthorized person. The customer’s security controls remain outside the cloud security mechanism and customer has no control over the service provider’s internal security control. This brings substantial risk where any infiltration of such sort can deliver organization a great deal of loss in terms of financial, productive and /or brand image depreciation.
3. Insecure API’s:
Cloud computing vendors provide APIs for customers to interact and avail services and often the customers using these APIs are offering much more services based on them to facilitate their own customer base. Cloud APIs with weak authentication and access control can jeopardize the confidentiality, integrity and availability of the pertaining customer. As the services are spread over vast domain of users, any vulnerability in the API can be exploited for malicious intents.
4. Shared Technology and Data Segregation:
Public cloud infrastructure components are typically not designed for compartmentalization and are prone to vulnerabilities than can be exploited. There might be scenarios where an attacker tries to gain unauthorized access or excessively use the resources which can affect the performance of other user residing in the same infrastructure. One of the prevailing cloud security issues is the lack of encrypting schemes which can dent the integrity of the data stored and absence of proper controls can make the data totally unusable.
5. Identity or Service Theft:
Account or service credentials if stolen can jeopardize the confidentiality, integrity and availability of the entire services linked with that account. It’s just like giving the keys of all cloud resources to the attacker. Furthermore cloud computing service theft can be used for array of attacks which take illegal benefit of the user’s cloud infrastructure as their launching platform.
6. Data Loss:
Cloud computing architecture provides greater challenges in controlling and mitigating risks due to its unique framework and operational attributes. Data in the cloud is prone to so many threats, such as deletion of record, loss of encryption key and weak encryption, resulting in corruption of data. Any organization no matter how big or small relies heavily on data, and any puncture, trespassing by an unauthorized person can have devastating impact on business.
7. Forensic Support:
In cloud computing, it’s very difficult to get forensic evidence in case of a breach or incident because your data might be spread across many different hosts & data centers and possibly reside in a multi-tenant environment. Usually the applications deployed on cloud computing service models are designed without data integrity and security in mind hence being left with vulnerabilities & security issues. Contractual support by the provider for investigation on when and where the incident occurred is a must have clause in the Service Level Agreement otherwise a business can be exposed to serious threats.
8. Geographical Location of Data and its Recovery:
There is a big question mark when it comes to geographical location of data in the cloud computing environment. The data can be stored on many severs, in different locations, possibly different cities, even different country or continent. In case of a disaster, systems with no Disaster Recovery Plan and no Business Continuity Plan to ensure that business runs smoothly again are most vulnerable to failure. There might also be legal or government regulations involved in recovering data if the data is hosted in a different country. This can get tricky if there has been a breach or a criminal act associated with that specific data.
9. Regulatory Compliance in Cloud Computing:
Cloud computing services have certain benefits for an end user. But what about the internal control, compliance, internal security procedures and patch updating of all applications? Lack of adherence to regulatory compliance is a serious risk considering that provider is the custodian of your data. In case of an incident, providers who are not complying with regulatory standards and not providing the auditing and logging of data, leave the customer with high risk profile and it’s a cloud computing security issue worth considering.
10. Stability of the Cloud Provider:
Perhaps this is not a security risk but it’s a very threatening risk if the provider is not financially stable enough to sustain the operations as per the goals of the customer. A cloud computing provider if swallowed up by a merger can ring bells for the confidentiality, integrity and availability of data. Absence of a Recovery Plan resulting by a disaster or a complete shutdown can affect the operations of the customer until it’s recovered. Any cloud computing provider with meager financial stability, lack of back-up infrastructure and no long terms plans to complement the needs of the customer is a definite risk for any mission critical deployment.
Subscribe to:
Posts (Atom)