Exploring the science and magic of Identity and Access Management
Wednesday, May 25, 2016

CSA – State of Cloud Security in 2016

Cloud Computing, Information Security
Author: Mark Dixon
Wednesday, May 18, 2016
5:30 pm

The State of Cloud Security 2016, published by the Cloud Security Association Global Enterprise Advisory Board, is a short but interesting document focused on articulating the gaps in current cloud security practices to help cloud providers better understand the needs of their customers.

Cloud computing is an incredible innovation. While at its heart a simple concept, the packaging of compute resources as an on demand service is having a fundamental impact on information technology with far reaching consequences. Cloud is disrupting most industries in a rapid fashion and is becoming the back end for all other forms of computing, such as mobile, Internet of Things and future technologies not yet conceived. As governments, businesses and consumers move to adopt cloud computing en masse, the stakes could not be higher to gain assurance that cloud is a safe, secure, transparent, and trusted platform.

With the stakes rising in cloud adoption, cloud providers need to step up with better built-in security:

Cloud computing adoption is solid and increasing. Security and compliance can be adoption barriers. Now is the time to increase the pressure on cloud providers to build security in, not try to bolt it on as an afterthought.

Cloud computing demands new approaches to security:

We need to take a hard look at many of our existing security practices and retire them in favor of new “cloud inspired” approaches that offer higher levels of security.

Finally, solving these tough problems will require cooperative effort between cloud providers and their customers:

Both enterprises and cloud providers need to work together to better align their security programs, architectures and communications.

Let’s work together to conquer these tough challenges.  

 

Cloud Security – 2016 Spotlight Report

Cloud Computing, Information Security
Author: Mark Dixon
Wednesday, May 18, 2016
5:02 pm

This afternoon, I read the Cloud Security – 2016 Spotlight Report, presented by CloudPassage. It was an informative report based on responses from a LinkedIn security community. Aside from the insight it provided about Cloud Security, I found it intriguing that social media groups are proving to be a valuable source of market information.

The report focuses on the risk factors facing enterprises as they progressively adopt cloud computing.

Security of critical data and systems in the cloud remains a key barrier to adoption of cloud services. This report, the result of comprehensive research in partnership with the 300,000+ member Information Security Community on LinkedIn, reveals the drivers and risk factors of migrating to the cloud. Learn how organizations are responding to the security threats in the cloud and what tools and best practices IT cybersecurity leaders are considering in their move to the cloud.

It is no surprise that security is a key concern. I would expect such a response from a self-proclaimed information security community.

Cloud security concerns are on the rise. An overwhelming majority of 91% of organizations are very or moderately concerned about public cloud security. Today, perceived security risks are the single biggest factor holding back faster adoption of cloud computing. And yet, adoption of cloud computing is on the rise. The overwhelming benefits of cloud computing should drive organizations and security teams to find a way to “get cloud done”. This is a prime example of where security can have a profound impact on enabling business transformation.

It was not surprising that most respondents thought that traditional security tools were inadequate.

The survey results confirm that traditional tools work somewhat or not at all for over half of cybersecurity professionals (59%). Only 14% feel that traditional security tools are sufficient to manage security across the cloud.

I am not an expert on the validity of this type of survey vs. a more traditional survey conducted outside of the social media environment, but I think it provides some valuable insight. There is a lot of work to do, folks!

 

The Treacherous Twelve: Cloud Computing Top Threats in 2016

Cloud Computing, Information Security
Author: Mark Dixon
Wednesday, May 18, 2016
4:24 pm


This week, I read an interesting report created by the Top Threats Working Group of the Cloud Security Alliance and sponsored by Hewlett Packard. Entitled, “The Treacherous Twelve: Cloud Computing Top Threats in 2016,” this report points out that new security vulnerabilities are emerging …

the improved value offered by cloud computing advances have also created new security vulnerabilities, including security issues whose full impacts are still emerging.

… and that security is no longer just an IT issue. 

The 2016 Top Threats release mirrors the shifting ramifications of poor cloud computing decisions up through the managerial ranks. Instead of being an IT issue, it is now a boardroom issue.

More vulnerabilities and increased business awareness/responsibility. The urgency of security is rising.

The report identifies security concerns so business leaders can make better decisions about security:

The purpose of the report is to provide organizations with an up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud.

The 12 critical issues for cloud security (ranked by severity according to the survey results):

  1. Data Breaches
  2. Weak Identity, Credential and Access Management
  3. Insecure APIs
  4. System and Application Vulnerabilities
  5. Account Hijacking
  6. Malicious Insiders
  7. Advanced Persistent Threats (APTs)
  8. Data Loss
  9. Insufficient Due Diligence
  10. Abuse and Nefarious Use of Cloud Services
  11. Denial of Service
  12. Shared Technology Issues

The report includes a variety of useful information about each critical issue, including:

  1. Description
  2. Business Impact
  3. Anecdotes and Examples
  4. List of applicable controls from the Cloud Control Matrix (CCM)
  5. Links to further information

Some of the anecdotes are both intriguing and disturbing:

British telecom provider TalkTalk reported multiple security incidents in 2014 and 2015, which resulted in the theft of four million customers’ personal information. The breaches were followed by a rash of scam calls attempting to extract banking information from TalkTalk customers. TalkTalk was widely criticized for its failure to encrypt customer data.

Praetorian, an Austin, Texas-based provider of information security solutions, has launched a new cloud-based platform that leverages the computing power of Amazon AWS in order to crack password hashes in a simple fashion.

Heartbleed and Shellshock proved that even open source applications, which were believed more secure than their commercial counterparts … , were vulnerable to threats. They particularly affected systems running Linux, which is concerning given that 67.7% of websites use UNIX, on which the former (Linux) is based.

In June 2014, Code Spaces’ Amazon AWS account was compromised when it failed to protect the administrative console with multifactor authentication. All the company’s assets were destroyed, putting it out of business.

The threat is real, folks.  Be careful out there!

 

Oracle Public Cloud Security

Cloud Computing, Information Security
Author: Mark Dixon
Friday, May 6, 2016
11:14 am

This morning, I read a recently published Oracle white paper, “Oracle Infrastructure and Platform Cloud Services Security”: 

This white paper focuses on shared and service-specific security capabilities of the following services: Oracle Compute Cloud Service, Oracle Storage Cloud Service, Oracle Network Cloud Service, Oracle Java Cloud Service, and Oracle Database Cloud Service – Enterprise Edition.

Oracle Cloud Services have been engineered from the ground up with security in mind. 

Security is a top priority for Oracle Cloud solutions. Oracle’s vision is to create the most secure and trusted public cloud infrastructure and platform services for enterprises and government organizations. Oracle’s mission is to build secure public cloud infrastructure and platform services where there is greater trust – where Oracle customers have effective and manageable security to run their workloads with more confidence, and build scalable and trusted secure cloud solutions.

Development of Oracle cloud services follows a rigorous methodology for incorporating security into all aspects of cloud services:

The Oracle Cloud Services development process follows the Oracle Software Security Assurance (OSSA) program. The OSSA is Oracle’s methodology for incorporating security into the design, building, testing, and maintenance of its services. From initial architecture considerations to service post-release, all aspects of cloud services development consider security.

However, despite this solid foundation of security in the Oracle Public Cloud, it was interesting to read about the “shared responsibility model” for information security:

Oracle Cloud infrastructure and platform services operate under a shared responsibility model, where Oracle is responsible for the security of the underlying cloud infrastructure, and you are responsible for securing your workloads as well as platform services such as Oracle Database and Oracle WebLogic Server. The following figure shows the shared security responsibilities.

The following diagram provides a good illustration of the shared security model:

[Diagram: shared security responsibilities between Oracle and the customer]

This illustrates how customers can’t just “throw things into the cloud,” and hope all will be well. There are significant responsibilities associated with deploying enterprise workloads in the cloud, even when the cloud services provide a highly secure foundation.

 

Digital Transformation: Why Security and Privacy Matter

Identity, Information Security, Internet of Things
Author: Mark Dixon
Wednesday, May 4, 2016
12:26 pm

Yesterday, I enjoyed watching a Kuppinger Cole webcast entitled, “Digital Transformation: Why Security and Privacy Matter,” presented by Martin Kuppinger, Principal Analyst, Kuppinger Cole, and Jackson Shaw, Identity Management Expert, Dell Security:

Digital technology has changed our society in an appreciable way. Just as our personal lives are being transformed digitally, the same happens in corporations and with our traditional technology solutions. The digital transformation affects everything from customer experience and operational processes to business models and IT focus. Even software development is being digitally transformed. This leads to new security and privacy challenges: In IoT and digital transformation, organizations have to deal with more identities and relations than ever before.

I was impressed by Martin Kuppinger’s discussion about what Digital Transformation really is.  I think some people take a very narrow, IT-centric view of Digital Transformation, but Martin took a much broader view, stating that Digital Transformation impacts every part of an organization.

The eight fundamentals of Digital Transformation include:

  1. The Digital Transformation affects every organization
  2. The Digital Transformation is here to stay
  3. Digital Transformation is more than just IoT
  4. Digital Transformation mandates Organizational Change
  5. Everything & Everyone becomes connected
  6. Security & Safety: not a dichotomy 
  7. Security is a risk – and an opportunity
  8. Identity is the glue – who or what may get access to what?

As an Identity guy, I particularly liked the eighth statement. The biggest thread weaving through the following chart is complexity – expanded interaction among multiples of almost everything.

[Chart: the complexity of identity interactions]

Jackson Shaw pointed out that Identity is evolving, from its initial focus on security and lowering operating costs, towards the goal of “Identity Transforming Customer Outcomes.”  Digital Transformation is all about enabling businesses to disrupt the old legacy way of doing things in favor of providing new, innovative products and services that deliver real value.  Certainly, Identity is a vital enabler to make that happen.


 

Kuppinger Cole: Computer-Centric Identity Management

Identity, Information Security, Internet of Things
Author: Mark Dixon
Wednesday, April 27, 2016
8:16 am

Yesterday, I enjoyed attending a webcast entitled, “Computer-Centric Identity Management.” Led by Ivan Nicolai, Lead Analyst at Kuppinger Cole, the presentation was subtitled, “From Identity Management to Identity Relationship Management.  The changing relationship between IAM, CRM and Cybersecurity.”

I found the presentation to be concise, informative, and thought-provoking – particularly the concept that the IAM practitioner must transition from the role of “protector” to “enabler”.

I think the following diagram does a good job of illustrating the relationships people have with organizations, mobile communication devices and other devices in the growing world of IoT. Identity Relationships are critical in enabling the potential of Digital Transformation.

[Diagram: identity relationships between people, organizations and devices]

 

The Scraping Threat Report 2015

Information Security
Author: Mark Dixon
Monday, August 3, 2015
5:33 pm


Back in May, I wrote a couple of posts about Illicit Internet bots:

I recently read a short but interesting report on “Scraping,” a process of using bots and similar tools to steal information. The Scraping Threat Report 2015, published by ScrapeSentry, includes this definition:

Scraping (also known as web scraping, screen scraping or data scraping) is when large amounts of data from a web site is copied manually or with a script or program. Malicious scraping is the systematic theft of intellectual property in the form of data accessible on a web site.

This theft of intellectual property can be very damaging to businesses. If, for example, a scraper can download airline fares from a legitimate site through illicit means, the stolen data can be exploited to fuel unfair business practices.

Some interesting statistics:

  • 17 % increase in scraping attacks in 2014
  • 22 % of all site visitors are considered to be scrapers
  • 49 % of the total scraping traffic originates from the US, but the ratio of total traffic to scraper traffic is worst from traffic originating in China.
  • China accounts for 1.40 % of the total traffic but 17.13 % of the scraper traffic.
  • Companies in the travel industry remain top targets for scrapers, closely followed by Online Directories and Online Classifieds.

Scrapers are generally categorized into the following areas:

  • Amateur Scrapers: These scrapers utilize a small number of IP addresses and user agent strings, and are blatantly visible in traffic logs.
  • Professional Scrapers: These scrapers are much more elusive, and usually redistribute what they scrape to other companies for a profit.
  • Advanced Scrapers: These scrapers are extremely dedicated and have a wide range of IP addresses. They change their browsing tactics and user-agents moments after a block.

In short, if you are an Internet user, these scrapers are generating so much traffic that they are undoubtedly impacting the performance of websites you visit. If you are a website operator and your website contains any type of information that could be exploited for nefarious purposes, scrapers probably have already penetrated your defenses or at least have you in their bomb sights.
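As an added example (not from the ScrapeSentry report or this post), the following Python script shows what the “blatantly visible in traffic logs” amateur signature looks like: it parses constructed combined-format access-log lines, aggregates requests per source IP, and flags sources with many requests at a high sustained rate from a single user agent. It also groups single-request IPs that only touch one data endpoint, which is where a rotating advanced scraper shows up after the per-IP check misses it. All IP addresses, user agents, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not real logs): an amateur scraper hammering the fare
# endpoint from one IP/UA, a human browsing several pages, and a rotating scraper that
# spreads the same harvest across several IPs with browser-like user agents.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Aug/2015:17:00:00 +0000] "GET /fares?route=PHX-SFO HTTP/1.1" 200 5120 "-" "python-requests/2.7.0"
203.0.113.10 - - [03/Aug/2015:17:00:01 +0000] "GET /fares?route=PHX-LAX HTTP/1.1" 200 5133 "-" "python-requests/2.7.0"
203.0.113.10 - - [03/Aug/2015:17:00:01 +0000] "GET /fares?route=PHX-SEA HTTP/1.1" 200 5098 "-" "python-requests/2.7.0"
203.0.113.10 - - [03/Aug/2015:17:00:02 +0000] "GET /fares?route=PHX-DEN HTTP/1.1" 200 5101 "-" "python-requests/2.7.0"
203.0.113.10 - - [03/Aug/2015:17:00:03 +0000] "GET /fares?route=PHX-ORD HTTP/1.1" 200 5140 "-" "python-requests/2.7.0"
203.0.113.10 - - [03/Aug/2015:17:00:04 +0000] "GET /fares?route=PHX-JFK HTTP/1.1" 200 5122 "-" "python-requests/2.7.0"
198.51.100.7 - - [03/Aug/2015:17:00:05 +0000] "GET / HTTP/1.1" 200 8810 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"
198.51.100.7 - - [03/Aug/2015:17:01:10 +0000] "GET /fares?route=PHX-SFO HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"
198.51.100.7 - - [03/Aug/2015:17:02:40 +0000] "GET /checkout HTTP/1.1" 200 3300 "https://example.test/fares" "Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"
192.0.2.21 - - [03/Aug/2015:17:00:06 +0000] "GET /fares?route=PHX-BOS HTTP/1.1" 200 5111 "-" "Mozilla/5.0 (Macintosh) Safari/600.7"
192.0.2.22 - - [03/Aug/2015:17:00:09 +0000] "GET /fares?route=PHX-MIA HTTP/1.1" 200 5107 "-" "Mozilla/5.0 (X11; Linux) Chrome/43.0"
192.0.2.23 - - [03/Aug/2015:17:00:12 +0000] "GET /fares?route=PHX-DFW HTTP/1.1" 200 5119 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/12.0"
"""


def parse_log(text):
    """Yield parsed records; malformed lines are skipped rather than aborting the run."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def per_ip_stats(records):
    """Per source IP: request count, distinct UAs, distinct endpoints (query stripped), rate."""
    stats = defaultdict(lambda: {"requests": 0, "uas": set(), "paths": set(),
                                 "first": None, "last": None})
    for r in records:
        s = stats[r["ip"]]
        s["requests"] += 1
        s["uas"].add(r["ua"])
        s["paths"].add(r["path"].split("?")[0])
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = r["ts"] if s["last"] is None else max(s["last"], r["ts"])
    for s in stats.values():
        # Active window floors at one second so a single burst does not divide by zero.
        s["window_s"] = max((s["last"] - s["first"]).total_seconds(), 1.0)
        s["rate"] = s["requests"] / s["window_s"]
    return dict(stats)


def flag_amateur_scrapers(stats, min_requests=5, min_rate=0.5, max_uas=1):
    """Amateur signature: many requests, high sustained rate, one UA, all from one IP."""
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] >= min_requests and s["rate"] >= min_rate
                  and len(s["uas"]) <= max_uas)


def rotating_candidates(stats, endpoint, max_requests=1):
    """Cross-IP view: sources that touched only `endpoint` and made very few requests.
    Individually each looks harmless; together they are the rotating scraper's footprint."""
    return sorted(ip for ip, s in stats.items()
                  if s["paths"] == {endpoint} and s["requests"] <= max_requests)


if __name__ == "__main__":
    stats = per_ip_stats(parse_log(SAMPLE_LOG))
    print("amateur scrapers:", flag_amateur_scrapers(stats))       # ['203.0.113.10']
    print("rotating candidates on /fares:", rotating_candidates(stats, "/fares"))
```

The per-IP thresholds catch the amateur but not the three rotating IPs, which only stand out when single-request sources are grouped by the endpoint they harvest; tune thresholds against your own baseline traffic rather than these constructed values.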

 

Bots Generate a Majority of Internet Traffic

Information Security
Author: Mark Dixon
Friday, May 22, 2015
11:16 am

According to the 2015 Bad Bot Landscape report, published by Distil Networks, only 40% of Internet traffic is generated by humans! Good bots (e.g. Googlebot and Bingbot for search engines) account for 36% of traffic, while bad bots account for 23%.

Bad bots continue to place a huge tax on IT security and web infrastructure teams across the globe. The variety, volume and sophistication of today’s bots wreak havoc across online operations big and small. They’re the key culprits behind web scraping, brute force attacks, competitive data mining, brownouts, account hijacking, unauthorized vulnerability scans, spam, man-in-the-middle attacks, and click fraud.

These are just averages. It’s much worse for some big players.

Bad bots made up 78% of Amazon’s 2014 traffic, not a huge difference from 2013. VerizonBusiness really cleaned up its act, cutting its bad bot traffic by 54% in 2014.

It was surprising to me that the US is the largest source for bad bot traffic.

The United States, with thousands of cheap hosts, dominates the rankings in bad bot origination. Taken in isolation, absolute bad bot volume data can be somewhat misleading. Measuring bad bots per online user yields a country’s “Bad Bot GDP.”

Using this latter “bad bots per online user” statistic, the nations of Singapore, Israel, Slovenia and Maldives are the biggest culprits.

The report contains more great information for those who are interested in bots. Enjoy!

 

Turing Test (Reversed)

Information Security
Author: Mark Dixon
Tuesday, May 19, 2015
3:13 pm

[Diagram 1: the standard interpretation of the Turing Test]

The classic Turing Test, according to Wikipedia, is:

a test of a machine’s ability to exhibit intelligent behavior equivalent to, or indistinguishable from, that of a human. Alan Turing proposed that a human evaluator would judge natural language conversations between a human and a machine that is designed to generate human-like responses. …

The test was introduced by Turing in his 1950 paper “Computing Machinery and Intelligence.” …

As illustrated in the first diagram:

The “standard interpretation” of the Turing Test, in which player C, the interrogator, is given the task of trying to determine which player – A or B – is a computer and which is a human. The interrogator is limited to using the responses to written questions to make the determination. …

In the years since 1950, the test has proven to be both highly influential and widely criticised, and it is an essential concept in the philosophy of artificial intelligence.

[Diagram 2: the reversed test, with a computer deciding which requests come from humans and which from bots]

What if the roles were reversed, and a computer was tasked with determining which of the entities on the other side of the wall was a human and which was a computer?  Such is the challenge for software that needs to decide which requests made to an online commerce system are generated by humans typing on a browser, and which are illicit bots imitating humans.

By one year-old estimate, “more than 61 percent of all Web traffic is now generated by bots, a 21 percent increase over 2012.” Computers must automatically determine which requests come from people and which come from bots, as illustrated in the second diagram.

While this is not strictly a Turing test, it has some similar characteristics.  The computer below the line doesn’t know ahead of time what techniques the bots will use to imitate human interaction. These decisions need to be made in real time and be accurate enough to prevent illicit bots from penetrating the system. A number of companies offer products or services that accomplish this task.

One might ask, “Does this process of successfully choosing between human and bot constitute artificial intelligence?”

At the current state of the art, I think not, but it is an area where enhanced computer intelligence could provide real value.

 

Security: Complexity and Simplicity

Information Security
Author: Mark Dixon
Monday, May 18, 2015
4:48 pm

It is quite well documented that Bruce Schneier stated that “Complexity is the worst enemy of security.”

As a consumer, I think this complexity is great. There are more choices, more options, more things I can do. As a security professional, I think it’s terrifying. Complexity is the worst enemy of security.  (Crypto-Gram newsletter, March 15, 2000)

Leonardo da Vinci is widely credited with the statement, “Simplicity is the ultimate sophistication,” although there is some doubt whether he actually said those words.

Both statements have strong implications for information security today.

In the March, 2000 newsletter, Bruce Schneier suggested five reasons why security challenges rise as complexity increases:

  1. Security bugs.  All software has bugs. As complexity rises, the number of bugs goes up.
  2. Modularity of complex systems.  Complex systems are necessarily modular; security often fails where modules interact.
  3. Increased testing requirements. The number of errors and the difficulty of evaluation grow rapidly as complexity increases.
  4. Complex systems are difficult to understand. Understanding becomes more difficult as the number of components and system options increase.
  5. Security analysis is more difficult. Everything is more complicated – the specification, the design, the implementation, the use, etc.

In his February 2015 article, “Is Complexity the Downfall of IT Security,”  Jeff Clarke suggested some other reasons:

  1. More people involved. As a security solution becomes more complex, you’ll need more people to implement and maintain it. 
  2. More countermeasures. Firewalls, intrusion-detection systems, malware detectors and on and on. How do all these elements work together to protect a network without impairing its performance? 
  3. More attacks. Even if you secure your system against every known avenue of attack, tomorrow some enterprising hacker will find a new exploit. 
  4. More automation. Removing people from the loop can solve some problems, but like a redundancy-management system in the context of reliability, doing so adds another layer of complexity.

And, of course, we need to consider the enormous scale of this complexity. Cisco has predicted that 50 billion devices will be connected to the Internet by 2020. Every interconnection in that huge web of devices represents an attack surface.

How in the world can we cope? Perhaps we need to apply Leonardo’s simplicity principle.

I think Bruce Schneier’s advice provides a framework for simplification:

  1. Resilience. If nonlinear, tightly coupled complex systems are more dangerous and insecure, then the solution is to move toward more linear and loosely coupled systems. This might mean simplifying procedures or reducing dependencies or adding ways for a subsystem to fail gracefully without taking the rest of the system down with it.  A good example of a loosely coupled system is the air traffic control system. It’s very complex, but individual failures don’t cause catastrophic failures elsewhere. Even when a malicious insider deliberately took out an air traffic control tower in Chicago, all the planes landed safely. Yes, there were traffic disruptions, but they were isolated in both time and space.
  2. Prevention, Detection and Response. Security is a combination of prevention, detection, and response. All three are required, and none of them are perfect. As long as we recognize that — and build our systems with that in mind — we’ll be OK. This is no different from security in any other realm. A motivated, funded, and skilled burglar will always be able to get into your house. A motivated, funded, and skilled murderer will always be able to kill you. These are realities that we’ve lived with for thousands of years, and they’re not going to change soon. What is changing in IT security is response. We’re all going to have to get better about IT incident response because there will always be successful intrusions.

But a final thought from Bruce is very appropriate. “In security, the devil is in the details, and those details matter a lot.”

Copyright © 2005-2013, Mark G. Dixon. All Rights Reserved.