Tags: Advanced Persistent Threat, cloud, consumer devices, consumerisation, crisis management, GRC, smartphones, tablets
According to Andy Warhol, everyone gets 15 minutes of fame. If you’re a security consultant, maybe that 15 minutes is the chance you get, face to face with the CEO of your customer, to convince them to focus on security.
The other day I found myself in conversation with a couple of senior execs from a large and well-known security vendor. During the discussion, they made the point that oftentimes a security health check or investigation means presenting bad news. The CISO is not always going to be overjoyed by what you have to report, so you need to present your conclusions direct to the decision maker.
So, this was the challenge – how are you going to get the CEO’s attention and a commitment to action, all in just 15 minutes? Clearly, there’s no use talking about operational security – that’s the CISO’s patch. So, I mused, frame the discussion in terms of Governance, Risk and Compliance (GRC). Most organisations of any size are now quite adept at security compliance. Faced with a plethora of legislation, regulation and contract schedules and armed with a bewildering array of control frameworks and certification schemes, IT security teams spend most of their time looking backwards at what already happened. Beyond that, the Business grants authority to the CISO and his team to implement sufficient controls to enforce the corporate IT security policy. Governance is about monitoring how that decision-making process is working. Finally, the real objective looking forward should be to deploy adequate security to meet the business risk. That ought to be something the CEO cares about.
OK, so now we have a context, but what are the big issues in security for the business? I came up with a Top 3 (you may well disagree):
- Consumerisation: Like it or not, staff are going to use their own devices (smart phones, tablets, home computers) in the course of their work. Of course, these devices are outside the control of the IT department, so how do you enforce security policies? What happens if the device is lost? Can you do a remote wipe (which will include the owner’s data as well as the company data)? This loss of control of physical assets and their configuration provides a toehold in the network for an attacker.
- Advanced Persistent Threats: The business may find itself under attack from an APT, armed with a wide range of skills and resources and focused on a long-term (months or even years) objective. Even if the IT Security team detects ATP activity, this may only be a fleeting glimpse of what’s actually happening The business may well have no idea why it is being targetted. All the while, the APT will be syphoning off vast amounts of data, maybe sensitive business information, maybe intellectual property, but also maybe personal information belonging to the business’s clients or employees.
- Cloud Services: I wrote in a previously post about the threats to security governance posed by cloud services. In many organisations, business units are adopting cloud services without the advice and support of their IT security specialists. The resulting agreements often provide little or no oversight as to how the provider will assure the security of critical or sensitive data and can place the business’ legal and/or regulatory compliance status in jeopardy.
All of these conspire to present a real and growing threat to the personal and sensitive information, stored by virtually every organisation these days. But, how to persuade the CEO that these threats are real? The challenge is to come up with a set of “world-class” questions – they don’t require an answer at the time, rather they should make our CEO reflect on what matters to the long-term health of the business. By coincidence, fellow IBMer Marc van Zadelhoff recently described his set of questions for the CISO in a blog post for the IBM Institute of Advanced Security. His candidate questions are rather more technical than what I had in mind, but that really reflects the dilemma of how to engage with the Business at a senior level. So, I thought about it for a while and this is what I came up with:
- Where is your data stored right now? Can you account for every copy? If you’ve entrusted data to a 3rd party, are you sure you can get it back if you end the service? Are you sure they’ll delete it when you tell them?
- Can you be sure that your sensitive data isn’t being exfiltrated by an attacker? If it was happening, would you know?
- If the worst were to happen and you become the target for a large-scale, highly public data breach, do you have a credible, tested crisis plan for dealing with it? Can you withstand the reputational damage while you execute your plan?
So, that’s my list, all related to the need to protect critical and sensitive data. How would your CEO answer?
Tags: cloud, compliance, governance, risk
Recently, I was reading the Times on the early train to London, and I came across a multi-page section on Cloud Security – proof positive that cloud services are now firmly on the business agenda. While I understand the attraction of cloud in delivering quick, cost effective and scalable solutions to business problems, it strikes me that it also presents yet another opportunity for the business to cut IT (and particularly IT Security) out of the decision making process.
A few weeks back the BCS Information Systems Security Group held their AGM at IBM Bedfont and a number of IBMers including myself presented during the course of the day. My topic was “Maintaining Security Governance in the Cloud”.
My central theme was that cloud computing offers the prospect of delivering IT capacity that dynamically flexes to meet changing business requirements.However, this flexibility and cost-effectiveness comes at a price.There is a substantial risk that sensitive information will leak out of the business, and the lack of transparency of the provider’s security processes make it essential that the business’s security governance processes are adapted to reflect these new risks.
So, faced with a new set of risks and preparing to trade control over IT systems (and their security) for the benefits of the SPI model of cloud services, never has it been so vital for the business to take good advice from security Subject Matter Experts on the increased governance processes needed to protect the business data and (more importantly) its reputation. Studies and surveys regularly report that 75% or more of businesses view security as the biggest single inhibitor to moving their IT operations into the Cloud. This suggests that those businesses understand – at least intuitively – that traditional controls are built on physical access to the technology stack and that Cloud deployment models mean that control is passed to the Cloud Provider. Nevertheless, a recent study conducted by Ponemon Institute for Symantec (“Flying Blind in the Cloud. The State of Information Governance“) suggests that businesses are prepared to enter into contracts with Cloud Service Providers, without engaging their IT security team to advise them:
- 65% select a CSP based on market reputation (word of mouth) while only 18% utilise their in-house security team to carry out an assessment
- 80% admit that their in-house security team is rarely or never involved in the selection of s CSP
- 49% are not confident that their organisation knows all the cloud services that are deployed.
In fact, businesses need to enlist the specialist knowledge of their security SMEs to help with the selection of a CSP and the negotiation of contracts. The Cloud Security Alliance suggests in “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” that, together, they need to:
- Review specific information security governance structure and processes, as well as specific security controls, as part of due diligence when selecting cloud service providers
- Incorporate collaborative governance structures and processes between the business and the provider into service agreements
- Engage their Security SMEs when discussing SLAs and contractual obligations, to ensure that security requirements are contractually enforceable.
- Understand how current security metrics will change when moving to the cloud.
- Include security metrics and standards (particularly legal and compliance requirements) in any Service Level Agreements and contracts.
Security SMEs will help to bring this about, when we can present a clear and unambiguous explanation to the business as to how the balance of risks and controls is altered in e Public Cloud and how this needs to translate to more sophisticated shared governance. this in turns requires that we have a precise definition of what Cloud is and a robust baseline of cloud security knowledge. The Cloud Security Alliance has introduced the Certificate of Cloud Security Knowledge (CCSK) to address this latter issue. This certification is not designed to replace existing well-established schemes, such as CISSP, CISM and CISA, but rather to demonstrate competence in the specific security challenges of Cloud deployments, by testing an understanding of two significant and authoritative documents:
- Cloud Computing. Benefits, risks and recommendations for information security. ENISA Report November 2009
The CCSK is strongly supported by a broad coalition of experts and organizations from around the world. The collaboration with ENISA means that the world’s two leading organizations for vendor neutral cloud security research are providing the foundation for the industry’s first cloud security certification. CSA’s breadth of industry participation and strategic alliances are being leveraged to communicate the need and value of this certification to employers within cloud providers, cloud consumers, consultants and variety of other stakeholders. I’ll nail my colours to the mast here and commit to sitting the CCSK exam before the end of this year. How about you?