Aujas US

An IDG Ventures Company

Managing Risk of Privileged Access and Activity Management

Managing the risk of privileged accessThe Problem
As organizations continue to leverage IT systems to support their businesses, the requirement of managing privileged users is rapidly emerging. Privileged IDs are the in-built system accounts within applications, operating systems, and databases. Additionally, user accounts that are created for administration of systems are also privileged IDs.
These IDs have higher and generally unrestricted authority associated with them to allow efficient system maintenance. As a side effect, these IDs can also be used to make widespread changes to the business systems.

The Risk
Usually, these IDs, especially the ones that are in-built, are shared among the groups of administrators. This method of sharing highly powerful access can cause accountability concerns and non compliance with regulatory requirement, thereby significantly increasing the access risk.

Data can be stolen undetected or IT systems can be sabotaged by misusing the privileged access, since these IDs have access to systems from the backend and can bypass the control deployed for business users.

The rapidly emerging trends of cloud computing, consolidation of data centers, virtualization and hosted application services providers imply growing numbers of IT systems and privileged IDs. Any organization using significant number of IT systems like servers, network devices, desktops, or applications faces the requirement of managing privileged IDs.

Regulatory and government requirements for telecom, banking and IT verticals create an even greater need to address this requirement. Recent prominent and high profile security breaches in these verticals across the globe highlight the degree of access risk caused by inadequate privileged ID management.

What Not to Do
Limiting the privileges granted to these IDs will not mitigate the risk as it will render the useless IDs to perform its functions. Alternatively, some organizations aim to bring in accountability by assigning individual IDs to their administrators in order to eliminate sharing. This approach is helpful only for managing a small number of administrators managing few systems.

In-built IDs will still need to be shared even if administrators use their own individual IDs. To add to the complexity, some IT systems enforce a limit on the number of individual accounts that can be created to manage them. Moreover, the number of individual IDs grows multiplicatively with the increase in both the number of administrators and managed systems.

For example, an admin team of twenty managing a thousand systems can easily be dealing with more than 20,000 IDs. The cost and complexity of managing the lifecycle, enforcing password policies and access controls on so many individual IDs makes this approach suboptimal.

Mitigating the Risk
What is needed is a comprehensive and modular approach to privileged access and activity management. Privileged access and activity management is an identity management domain comprising of the same traditional building blocks of User Provisioning, Single Sign-on and Access Management, Role Management, Password Vault and SIEM tied together with robust solution design based on well thought of policies and procedures.

A good solution approach uses an iterative model to focus on each of these areas and improve them incrementally by understanding how it integrated with other building blocks. This approach allows for a modular solution which not only can solve immediate problems with least disruption and change to the existing practices, but also scale to meet the evolved requirements as the business and expectations grow.

Advertisements

July 26, 2011 Posted by | Access control, IT security, Risk management | , , , | Leave a comment

Aujas among the Most-Requested Information Risk / IT Security Firms at 2011 CIO & IT Security Forum

For Immediate Release

Jersey City, New Jersey, USA – Senior IT decision makers knew who they wanted to talk to at the May 24-26, 2011 CIO & IT Security Forum – and they wanted to talk to Aujas. The global information risk management company was among the top five most requested suppliers at the Jacksonville, FL, forum. Sameer Shelke, Aujas cofounder and Chief Operations and Technology Officer, and Karl Kispert, Vice President of Sales and Business Development, met one-on-one with close to 50 Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) who specifically requested a meeting with Aujas.

“The forum gave us the opportunity to meet with IT security executives and discuss the security issues that were keeping them up at night,” says Karl Kispert. “Phishing and application security are critical issues, and we were able to share with the execs how Aujas can help them manage risk in these areas as well as others.”

The forum, hosted by Richmond Events, is invitation-only for 100 senior IT executives with budget authority. It offers a unique experience for these individuals to get together, debate the big issues and explore collaborative opportunities. “From our perspective, the forum gave us the opportunity to meet and develop relationships with those we are most able to help,” says Kispert.

About Aujas
Aujas is a global Information Risk Management services company and an IDG Ventures funded company. It is headquartered in Bangalore, India, with its US headquarters in Jersey City, New Jersey.

Aujas consultants work with the client’s management teams to align information risk with business initiatives, so that security becomes a business driver and competitive advantage. The firm helps clients manage emerging technologies – mobile devices, social media, cloud computing – that are transforming the business environment and posing increasing security challenges.

Aujas offer global clients:
• Information Risk advisory services
• Secure Development Life-cycle services
• Identity and Access Management services
• Managed Information Risk services
• Vulnerability Management services
• Mobile, social media and cloud security services
For more information about Aujas services, contact Karl Kispert at karl.kispert@aujas.com or visit http://www.aujasus.com.

June 20, 2011 Posted by | Enterprise Security, IT security, Phishing, Risk management, Secure code development | , , , , | 1 Comment

Mitigating Security Risks in USSD-Based Mobile Payment Applications

Security breaches are inevitable as mobile usage grows.

The number of mobile users is rapidly growing and expected to cross 3 billion in next 3 years, according to Gartner. Mobile payments and  financial services are going to be among the hottest mobile technology applications. Various communication channels – including SMS, Unstructured Supplementary Service Data (USSD) and IP-based communications – have security vulnerabilities.  This will increasingly cause major security concerns among banks, telecom companies and service providers.

Critical threats such as fraudulent transactions, request/response manipulations, and insecure message communications are directly triggering revenue loss for mobile payment service providers. Sensitive information disclosure due to weak cryptographic implementation, improper account management, and modification of sensitive information may also cause security breaches and loss of sensitive data in USSD-based mobile payment applications.

Experts believe that more security breaches will be inevitable as mobile usage grows. Deploying secure, reliable and robust products is a challenging task since there are multiple channels involved to provide each service. Proper security controls must be an intrinsic part of mobile phones and mobile applications to avoid major business impacts including:

  • Fraudulent transactions (Revenue Loss) through mobile applications
  • Confidentiality (Users sensitive data- credit/debit card data, PIN , user credentials)
  • Revenue loss through communications services misuse
  • Brand value degradation through SIM card cloning and related attacks
  • Misuse of enterprise data through personal handheld devices
  • Fraudulent transactions through USSD and DSTK (Dynamic SIM Toolkit) applications

Unstructured Supplementary Service Data (USSD)

The USSD communication protocol is widely used to provide mobile communication services, location-based services, mapping services, recharge/booking services, and mobile payment and banking services. USSD is preferred over the SMS communication channel. In USSD, direct communication between the sender and recipient is established, which promotes faster data transmission. USSD communication is session-oriented and it is easily implementable while being more user-friendly. The USSD application is connected as interface between the customer’s telecom provider and his bank account. The customer can transact through handheld devices as well as in web-based applications (USSD in IP mode).

Top 5 Threats

Understanding the top 5 security threats for USSD-based apps can help you avoid major business impact

USSD Commands Request/Response Tampering – A malicious user can tamper with USSD command requests and responses through hardware and software interceptors leading to fraudulent transactions. Weak encrypted request and response messages are prime concerns in such threat vectors.

USSD Request/Response Message Replay Attacks – When a phone is lost, an adversary may perform fraudulent transactions through an installed USSD application in absence of authenticating USSD request originator (e.g., by MSISDN, IMEI, PIN and unique Message Tracking ID).

USSD Application Prepaid Roaming Access Test – An adversary may cause direct revenue loss for service providers by using roaming access parameters manipulation and getting unauthorized access to USSD application prepaid roaming services.

Verify Strong Cryptographic Implementation – Weak cryptography implementation for critical data (customer number, card numbers, PIN, beneficiary details – account numbers, balance summary) can be tampered with, leading to fraudulent transactions.

Improper Data Validation (USSD IP Mode Applications) – Improper data validation in USSD IP mode application can lead to SQL injection, cross site scripting attacks. An adversary may purposely insert specifically crafted scripts in user input and may try to use the same to perform malicious actions at the database or at another user’s active session.

Best Practices to Secure USSD-Based Mobile Payment Applications

A systematic approach to assessing and remediating vulnerabilities in mobile applications is critical to ensuring secure payment transactions. The following practices can be helpful:

  1. Detailed and proactive security assessment helps the client ensure secure financial transactions through mobile payment client applications
  2. Mobile client application  and mobile validation layers security are enhanced through a proactive approach during entire SDLC
  3. Detailed analysis of the  security gaps against the security best practices benchmarks
  4. Threat modeling activity using the STRIDE/DREAD approach helps in identifying the application’s vulnerabilities
  5. Mapping identified vulnerabilities to threats brings about a clear understanding of security issues in the application and how they may be exploited
  6. Mapping vulnerabilities to flaws at the architecture and design levels helps prepare a comprehensive remediation plan identifies vulnerabilities in financial transactions, application residing on mobile device and sensitive data transmission over wireless network which automated tools may not detect.

Aujas can help your company manage mobile application risks. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

May 31, 2011 Posted by | Cyber Crime, IT security, Mobile device security, Secure code development, Secure Development Lifecycle, USSD-based mobile applications | , , | 1 Comment

Amazon EC2 Failures Are a Wakeup Call for Cloud Customers

Amazon data center crashes

Building Cloud-friendly applications can help your company manage risk and avoid losses when the host's data center crashes

Early in the morning of April 21, Amazon’s EC2 data center in Virginia crashed, bringing down many popular websites, small businesses and social networking sites.

The strange fact is that the outage still ensures that the 99.55% availability as defined in the SLA (Service Level Agreement) is not breached. Let us put aside the other aspects and focus on Cloud services and the new generation of programmers and business who use these services. Though the SLA leads to quite an interesting debate, we will leave that to the legal experts.

More often than not, when we discuss building applications in the Cloud, the basic assumption is that of 24×7 service availability. While Cloud service providers strive to live up to this expectation, the onus of designing a system resilient to failures is on the application architects.  On the other hand, SLA driven approaches are very reactive in nature. In purest sense, SLA’s are just a means of trust between the user and the service provider. The fact is that SLA’s can never repay for losses. It is up to an Architect and CIO to build systems that tolerates such risks (Cloud system failures, connectivity failures, SLA’s, etc).

With Cloud infrastructure, we end up building traditional systems that are so tightly coupled and hosted without taking advantages of the availability factor. These shortcomings maybe part and parcel of software world where functionality takes precedence over all other aspects, but such tolerance cannot be expected in the Cloud paradigm. A failure on part of the Cloud service provider will bring down the business and getting back the data becomes a nightmare when all the affected businesses are trying to do the same.

Accommodating and managing these factors are the business risks, which need to be identified. Businesses that do not envision these risks are sure to suffer large scale losses. The truth is that building such resilient systems is not very complex task. The basics of all software principles have remained same whether they are built for Cloud or enterprise-owned hardware. Mitigating as many risks as possible requires that several basic designs and business decisions be made – while considering the software provider – such as:

  • Loosely couple the application
  • Make sure the application follows “Separation of Concerns”
  • Distribute the applications
  • Backup application & user data
  • Setup DR sites with a different Cloud service provider

These decisions involve software that follows these basic designs and business decision managers who identify various service providers to mitigate such risks. Cloud service will enforce a thinking among the business managers that availability should not and cannot be taken for granted.

These failures will not stop the adoption to Cloud but will make the customers aware of the potential risks and mitigation plans. The Cloud failure will have serious impact on the CTO/ CIO and the operations head. In a non-Cloud model, a CIO’s role has been noted as very limited. The interaction of the CIO with a CTO in the everyday business is much less. These two executives need to work more closely to protect the business and reduce risk.

The best practices for the Cloud application builders are:

  • Build Cloud applications, not applications in the Cloud
  • Design fault tolerant systems, wherein nothing fails
  • Design for scalability
  • Loosely couple application stacks (IOC)
  • Design for dynamism
  • Design distributed
  • Build security into every component

The best practices are necessary for all the architects who build Cloud applications. Do not simply port a traditional application to the Cloud. They are architecturally different and will not take advantage of the underlying services – and most often – will result in failure.

Remember “Everything fails, all the time.” It is time to think and manage risks and not let the SLA stare at you when you are losing business. Be proactive; build Cloud-friendly applications.

The new world on Cloud looks more promising than ever. However, failures can make us realize that functionality without proper foundation and thought process can have serious repercussions. It is essential for every business to review their risks and redefine their new perimeter in the Cloud.

For more information on how Team Aujas is assisting clients with security risk in the Cloud, please contact Karl Kispert, our Vice President of Sales. He can be reached at karl.kispert@aujas.com or 201.633.4745.

April 27, 2011 Posted by | Cloud Security, Data Losss Prevention, Data protection, IT security | , , , , , | Comments Off on Amazon EC2 Failures Are a Wakeup Call for Cloud Customers

Data-Breach Risk Is Not Only from Insider Threats

Data Breach Risk

Consider the threats and risks involved when you share data outside your company.

There’s a very large push within the last few years for many organizations to spend their data protection efforts mainly on the “Insider Threat” – the employee or temp with access who decides to misuse or abuse those privileges. While this needs to be addressed; it is possible that some of us may be losing sight of what may be happening on the outside.

The question to consider is: “What about the critical data assets businesses willingly send out to external organizations?”

Delivering data to external parties is, after all, a necessary part of doing business. A bank, for instance, needs to share information with auditors, regulators, suppliers, vendors, and partners. Sharing data is quite a risky activity, with an elevated probability of data loss, and can potentially have a huge negative impact on a firm’s reputation, when not properly controlled.

Here’s what you need to consider when you share data outside your company:

  • Threats

–    What or who is placing the data at risk?

–    The data, as it flows externally from your firms’ environment, is subject to many threats ranging from man-in-the-middle attacks while in transit, to social engineering hacks while stored at the 3rd party’s network.

  • Risks

–    The threats mentioned above create serious risks around a firm’s critical data assets. One is the obvious loss or breach of confidentiality or data. If your firm doesn’t have the proper data transmission controls, such as TLS, SSL or sFTP, the man-in-the-middle threat can successfully materialize the risk of data loss.

–    Such loss can then compound the risks and impact to an organization or entity, via such things as revenue loss, negative reputation, remediation cost, customer notification expense, and loss of client trust.

  • Security Controls

–    The set of controls to consider for countering threats and mitigating risks are not only those pertaining to electronic data protection, such as software/hardware encryption.

–    Think beyond technology – to Social, Governance, Operational and Process controls, to protect against such things as Social Engineering and to ensure other factors are in place including Password Policy, User-Access/Entitlements processes and Data-Security Awareness activities.

The bottom line is that once your firm’s information leaves its own environment, most of the controls you had no longer apply. Your firm’s data is now sitting on a third party’s infrastructure, and is now dependent on their data security controls and processes. This isn’t just about whether the data is being encrypted in transit to the third party, but very much about how that data is safeguarded all throughout its lifecycle. Here are some relevant questions to ask:

  • Have the proper Confidentiality or Non-Disclosure agreements been executed with the third party receiving the data from your firm?
  • Who and how many people will have access to your data while sitting out at a third party?
  • Do you know the third party’s process for giving only the limited and necessary group of people in their environment access to your data? What about the access rights to people outside their organization (such as their partners or vendors)?
    • How are the servers and firewalls at the third party configured to adequately protect your data while in their environment?
    • Does the party receiving the data have the technology and processes in place to respond to and sufficiently investigate a data-loss incident?

These are only a handful of many questions to ask before sharing sensitive information. You also need to take into account various perspectives including technological, operational and process controls.

As an example, a bank business manager decides one day to send the firm’s tax data to their CPA via plaintext email, instead of the approved sFTP or PGP encrypted email transmissions. The email is intercepted at the CPA’s ISP mail server. A rogue administrator at the ISP sees the email with critical valuable data and uses it to tap into the bank’s equity funds to steal $1.2 million.

Per the Open Security Foundation’s DataLossDB (http://datalossdb.org/statistics ) data loss statistics for YTD 2011:

“…a trend that indicates that data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis, mostly all speculative as little data exists to establish one cause as dominant. The trend is, however, concerning.”

In the end this supports the fact that the riskiest environment for data is one that is not controlled by the enterprise owning that data. Though an insider with the access and intent can cause havoc with data on the inside, the enterprise should be able to implement the proper technical, process and operational/people controls to safeguard its own data. It is when the data leaves that environment where we’re truly no longer in control. That’s when the proper audits, interrogations and testing will assist as much possible.

Concerned about the external risks your company is facing? Let Aujas help. Contact Karl Kispert, Aujas VP of Business Development, at karl.kispert@aujas.com.

April 1, 2011 Posted by | Cyber Crime, Data governance, Data Leak Prevention, Data protection, IT security, Risk management | , , , , , | 1 Comment

Data Protection and Controls – Does Format Really Matter?

Identity and Access RiskNo one can argue that the most valuable asset for any enterprise, regardless of industry (whether military, finance, healthcare) is its Data. Whether that data includes an investment strategy/portfolio, personal identity, healthcare history or national security, it must be safeguarded and controlled.

We’re all familiar with the data lifecycle and related security controls, including storage transfer encryption and effective destruction. But do we also consider the format of the data? Data lives in many forms outside of the regular electronic email, Internet, PC, server or mainframe types that we normally work with. Unfortunately, some of our biggest vulnerabilities live in many other forms.

Printed paper is not the least of those. Scribbled notes, copied material, casual conversations on an elevator, voicemails or even a fellow passenger’s laptop (with the curious snooper watching over) are other forms of sensitive data. The main issue here is that most of us may not view these as “data types”. The truth is they can cause the same amount of harm as a DVD, USB or PC packed with information, and can just as easily land you on the front page. Let’s take a look at an unfortunate use-case to bring this all into context.

Henry S., a database administrator, was working over the weekend to get a presentation finished for his board of directors. His area of focus was his firm’s strategy on the proprietary development of a database-software that would revolutionize the storage and sharing of information with clients. Henry’s developments were ahead of all others in the enterprise and possibly the industry. What wasn’t being thought about was how valuable the information being prepared could be to competitors or thieves for profit.

It was late Sunday night and Henry was just happy finalizing and saving everything. Now he just had to print it. At about 11:30 that evening he found himself printing 20 color copies of his “master presentation” at the neighborhood copier. He felt the data he was bringing with him was safe since he brought it on an encrypted USB drive. At one point Henry’s copying streak went awry – after about 10 copies the machine began spitting out green paint. Henry wasn’t panicking – he knew there was plenty of time and his current set of copies were safe. After getting assistance and finishing the job on another machine, he found himself in the middle of a chaotic frenzy of paper crazily thrown all around his area. He was able to get things cleaned up, but what he wasn’t aware of was the 5 copies he’d left at the malfunctioning printer. Though a good multi-tasker, Henry was exhausted, yet practically livid with the thought of next day’s presentation and the effects it would have on his career and department. All he could think about was getting the deck right and being well prepared for the audience.

He got home with all the paperwork in his backpack and passed out. The next day at the presentation all went well, the crowd loved it and Henry was on top of the world. There’d been a slight mishap though, since there weren’t enough hard copies to go around for everyone at the meet. That was weird – he was sure he’d made enough. Everything had gone well, except for those 5 mysteriously missing copies of the presentation. What then seemed to be a small loss, within the next few days landed Henry and his firm on the front page of the paper.  The headline read “Leading Financial Firm’s Innovative Software Idea up for Grabs at Local Print Shop” – not quite the fabulous outcome he’d hoped for. Turns out that whoever got a hold of the lost copies managed to re-engineer the software and get it to market. To make things worse, the data-loss incident was widely publicized; the fall-out including Henry’s suspension and investigation, a full 10 point drop in his firm’s stock price and a long-term negative reputational impact for his firm.

Data in any format is an extremely critical asset and liability when not controlled or secured properly. The effect of negligence over that asset can be detrimental to a career, an innovative idea and possibly an entire franchise. Proper due diligence and controls for the entire lifecycle of the data; be it either encryption while in storage or transit for electronic material, or locks/safes for storage and shredding for destruction of hardcopy material.

Had Henry only given a bit of thought to these things as a top priority, reputations and careers may have been saved (and likely excelled astoundingly). Instead everyone had to run for cover, hope to not get hit by the shattering fallout, and hope to keep their shirts on their backs.

Need help with your company’s data protection programs? Contact Karl Kispert, Aujas VP of Sales, at karl.kispert@aujas.com.

March 8, 2011 Posted by | Data protection, IT security | , , , , | Leave a comment

Data Governance – What We Need to Think About

These are some risk areas that you might want to think about when discussing Data Governance with your team: 

1. Disparate sources of data across the organization’s applications, producing incomplete and incorrect production data used in key decision making processes for capital investment. (Accuracy)

2. Trading ledger for risk management review is typically delayed because of multiple data feeds, the availability of which is impeded by network speed due to file size in two custom applications. (Availability)

3. Inability to solve data quality issues in the sales division because data is spread across multiple systems and owners, resulting in a blame game. (Agility)  

4. Customer service representatives are not presented a single view of a customer account, and have to use multiple programs to achieve unified profile presentation, requiring more time to solve issues, and increased call center costs. (Access)

A Data Governance Methodology That Works

Building Blocks for Success

Analyze

* Perform data governance readiness assessment

* Define guiding principles

* Identify decision making bodies

Design

* Determine focus of data governance program (security/privacy, data quality, architecture, etc.)

* Design data governance program (standards, policies, strategy)

* Determine cross functional teams and data stewards

* Define decision areas and decision rights

Transform

* Conduct employee training and awareness

* Enact data governance program

* Deploy data governance mechanisms and tools

Sustain

* Monitor and adjust key performance metrics

* Ensure accountability and ownership through periodic review

Need help with your company’s data governance programs? Contact Karl Kispert, Aujas VP of Sales, at karl.kispert@aujas.com.

March 8, 2011 Posted by | Data governance, IT security | , , , | Leave a comment

Cloud Computing – Security Threats and More…

Privacy and security in the CloudCompanies that struggle to maintain their IT infrastructure often look to cloud computing to provide a significant cost savings. However, you must look into the clouds and understand what risks are swirling around when it comes to storing your data.

In a recent survey by CIO Research, respondents rated their greatest concerns about cloud adoption. Security was their top concern, with loss of control over data number two:

  • Security  45%
  • Loss of control over data  26%
  • Integrations with existing systems 26%
  • Availability concerns 25%
  • Performance issues 24%
  • IT governance issues 19%
  • Regulatory/compliance concerns 19%
  • Dissatisfaction with vendor 12%
  • Ability to bring systems back in 11%
  • Lack of customization opportunities 11%
  • Measuring ROI 11%
  • Not sure 7%

Is there security in the cloud?
Security is often an afterthought for cloud service providers. It isn’t built into their applications and is often added as a plug-in. What’s more, if a cloud storage system crashes, millions and millions pieces of information can be lost, often in spite of backup procedures.  In contrast, when we are in the thick client world, the information that is lost can be more easily tracked by the number of PCs or notebooks affected or stolen.

How different should security be in the cloud world?
Business technologies may change, but security fundamentals and lessons learned are still applicable. Some areas to consider for the cloud:

Physical security is a must for any strong security program. The data centre should have a high level of physical security. If sensitive data is being stored, consider deploying biometrics, surveillance camera monitored by professionals, and very stringent policies for physical access to the system.

Authentication is crucial, whether cloud or corporate individual network authentication will remain the same. Given the processing power of the cloud, you may choose to implement two-factor authentication, one-time passwords or other authentication tools. In spite of a highly secured processing environment, a weak password has the potential to ruin other safeguards. Maintaining password standards is a must.

Access rights are critical for all the objects inside the cloud. This part of the security will not change in the user’s point of view. There are some levels of changes required to manage multiple corporate accesses inside the single cloud service provider’s organization.

Strong firewalls are another integral part of today’s security. Even in the cloud, the same rule applies: cloud clients should secure their own networks. The only advantage is they have less information to be secured within their network. The cloud service provider should secure their network with firewalls.

Data integrity is one of the key aspects in security. Today for example, it’s hard for every notebook to implement a cryptographic checksum or hash. But in cloud service this could become commonplace.

Security threats in the cloud

Security threats can come in all forms; let’s consider some of them here.  In the cloud-based service, the provider decides where your data is stored and how your data is accessed. If your provider offers virtual boxes, a mischievous user can gain control over a virtual box, attack your data and exploit it. Another security threat in cloud computing is the attack on the perimeter of the cloud. This may be a simple ping sweep to DoS. A cloud service provider must ensure the data of each company is properly isolated and partitioned, if not, data leakage can be expected.

Another important factor that has to be addressed in the cloud world is the privileges of the power user. How do we handle the administrators and data access? The administrator’s rights are not part of the customer anymore; it is part of the cloud service provider. There should be clear transparency and access records to prevent any misuse by an administrator.

Implementing security in the cloud environment is different than what we are used to in a traditional environment.  However, remembering the fundamentals of information risk management and lessons learned along with an understanding of cloud provider risks, may help you to weather the storms looming in a dark Cloud.

Why should the cloud customer implement security?

Though the cloud promises high security, it’s essential for the cloud customer to implement their own security and maintain standards. An unsecured customer network will attract hackers and is an easy entrance to the cloud.

Data transfer between the cloud service provider and customer should be on a secured connection and the customer should take necessary steps to secure his network from attacks such as the Man in the Middle (MITM).

The applications hosted on the customer network should also be secured. Customers using the cloud to deploy applications should ensure that their software is secured. Unsecured applications can be dangerous for both the cloud service provider and customer.

Cloud security can help a little if there is a vulnerable system unmaintained or not patched.

Virus attacks are not going to change in-spite of moving your data into the cloud.

How can you do business securely over the cloud?

Before you decide to buy a cloud service, go security shopping. We always bargain based on price, but that is not enough here. You need to bargain for security rights, transparency and privacy.

The legal agreement is the first level of security that you will always require, no matter where you do business. A well prepared agreement can provide all the legal benefits over your data in the cloud. Make sure to include the ownership of the following:

  • Data
  • Data backups
  • Log files

Your day-to-day business runs with the help of data. It’s essential that the cloud service provider shows transparency in his data centre location, physical security, containment measures, and time taken to recover in case of any catastrophe.

End-to-end encryption is must in cloud computing to ensure the security of data transfer. The customer should require this capability from the provider.

Authentication and proper access rights must also be secured. Given that you can access the applications in cloud from anywhere, it’s essential to block the entire user account for former employees. This has to be an integral part of the customer’s HR policies.

Patch management is also very important. Though cloud acts like a versionless world, it is essential that the service provider either informs you about the patches required to access his network or provide automatic patch management. If you use third party clients to access the customer application, you should ensure that these clients are up-to-date with security-related patches.

You should also require log analysis reports, user accounts and privileges reports, uptime/downtime reports, and penetration test/vulnerability assessment reports from the service provider on a regular basis. To ensure more transparency, require that these reports be provided by a third party security company. You should also demand real time security alerts from the service provider.

The last level of security that is often exploited is the application security. How secure is the cloud service provider’s application? There is no real way of knowing it. There are third party security companies and tools available to certify application security. This should be done on a routine rather than a one-off basis.

Social engineering is another threat that has to be addressed. It is essential for the cloud service provider and customer to be aware of such threats and educate their employees.

Phishing attack will also target the cloud consumers. Strong phishing filters should be deployed.

You will also want to involve third party security companies as partners to verify the cloud service provider’s security policies and verify his reports.

Summary

Security should be built as an integral part of the cloud. This is a must for the cloud service provider to gain trust from their customers. Gaining customer trust is the key to winning the cloud service game. Security is an ongoing measure to protect and deal with everyday threats. No matter where you do business you should secure yourself with the best practices.

February 23, 2011 Posted by | Cloud Security, Data Losss Prevention, IT security | , , , | Leave a comment

Security Breaches Continue to Grow

Identity TheftWhat do Tulane University, South Carolina State Employee Insurance Program, National Guard Headquarters – Santa Fe NM, BlueCross/BlueShield –Michigan, Seacoast Radiology, and University of Connecticut -HuskyDirect.com have in common?  They were just a few of the companies that reported security breaches in January 2011.

Information management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In prior issues of Risky Business, I posted this brief article and supporting statistics about security breaches.  I was curious to see how the data changed.  You can see for yourself below in the last line.

The following data was collected from Identity Theft Resource Center® website idtheftcenter.org and refers to the number of total data breaches that were reported with an estimate of how many records were exposed:

2005 Breach List: Breaches: 157 Exposed: 66,853,201
2006 Breach List: Breaches: 321 Exposed: 19,137,844
2007 Breach List: Breaches: 446 Exposed: 127,717,024
2008 Breach List: Breaches: 656 Exposed: 35,691,255
2009 Breach List: Breaches: 498 Exposed: 222,477,043

2010 Breach List: Breaches: 662 Exposed: 16,167,542

You must understand that the majority of the reported breaches do not reveal the actual number of exposed records so therefore the number is MUCH larger than what is listed here.

Your call to action is to ensure your Information Risk Management Program is as secure as you think it is and as secure as your stakeholders, customers, Board of Director’s believe it to be.  Aujas is helping organizations manage risk and enhance information value with practical, innovative solutions!

January 31, 2011 Posted by | Data Losss Prevention, Identity Theft, IT security | , , | Leave a comment

What Is Needed for Data Protection?

Data protectionA more holistic approach is needed for protecting data that goes beyond individual tools and addresses data at its source: the business. The principles of data governance, data classification and the DLP tool need to work as one solution to effectively protect data in an organization.

Approach

  • Develop a strategy – Start by developing an organization-wide data protection strategy
  • Set up a data classification policy and a program – Individual business processes should identify and document all forms of data, its classification and its authorized movement.
  • Create a governance program – Establish accountability, roles and responsibilities for data protection and data ownership.
  • Create and ensure awareness and training for business users – To ensure that the data protection remains a strong focus within the organization, management should ensure users are made aware of their roles and responsibilities around data protection.

The Aujas Data Protection Service helps organizations extract maximum value from their investment in security technology and solutions. We build the governance framework, data protection strategy and data protection program. Then we assist organizations with data flow analysis to identify data movement within and between processes, the forms data takes, and user awareness levels. Our data flow analysis results in effective DLP policies while the governance framework and strategy translates into continuous data protection for the organization.

To learn more about the Aujas Data Protection Service, and our complete portfolio of services, please contact Karl Kispert, our VP of Sales at karl.kispert@aujas.com or at 201.633.4745.

January 24, 2011 Posted by | Data Leak Prevention, Enterprise Security, IT security, Risk management | , , , | 1 Comment