The study, published by the global law firm Hogan Lovells (.pdf), looked at the laws of ten countries, including the U.S., France, Germany, Canada and Japan, and found each one vested authority in the government to require a cloud service provider to disclose customer data. The study showed that even countries with strict privacy laws have anti-terrorism laws that allow for expedited government access to cloud data.
“On the fundamental question of governmental access to data in the cloud, we conclude … that it is not possible to isolate data in the cloud from governmental access based on the physical location of the cloud service provider or its facilities,” wrote Christopher Wolf, co-director of Hogan Lovells’ privacy and information practice, and Winston Maxwell, a partner in the firm’s Paris office.
In a blog post, Dave Asprey, vice president of cloud security at Trend Micro, said the research “proves a bigger point; that your data will be disclosed with or without your permission, and with or without your knowledge, if you’re in one of the 10 countries covered.”
The only solution to this problem, he added, is encryption. But how encryption keys are handled is critical; encryption keys need to be on a policy-based management server at another cloud provider or under your own control, Asprey wrote. Now, Trend Micro has a vested interest here since it provides encryption key management, but it’s a point worth noting for organizations concerned about protecting cloud data not just from governments, but from cybercriminals.
For another examination of the Patriot Act’s impact on cloud computing, check out the article by SearchCloudSecurity.com contributor Francoise Gilbert. She looks at the rules for the federal government to access data and how they undercut concerns about the Patriot Act and cloud providers based in the U.S.

Launched by the Obama administration in December, the Federal Risk and Authorization Management Program (FedRAMP) aims to set a standard approach for assessing the security of cloud services. The goal is to cut the cost and time spent on agency cloud assessments and authorizations.
Third-party assessment organizations (3PAOs) will assess cloud service providers’ security controls to validate that they meet FedRAMP requirements. Their assessments will be reviewed by the FedRAMP Joint Authorization Board, which can grant provisional authorizations that federal agencies can use.
Here’s the list of accredited 3PAOs: COACT, Department of Transportation Enterprise Service Center, Dynamics Research Corp., J.D. Biggs and Associates, Knowledge Consulting Group, Logyx, Lunarline, SRA International and Veris Group.
If you’re wondering how these companies became 3PAOs, they had to submit an application demonstrating technical competence in assessing the security of cloud-based systems, according to the GSA. They also had to meet the ISO/IEC 17020:1998 requirements for companies performing assessments.
When I wrote about FedRAMP earlier this year, the program drew praise, criticism and cautious optimism. Will it get bogged down in bureaucracy? Will it become simply another paper-pushing compliance exercise? Will it help advance cloud security standards for the private sector? It’s hard to say how long it will take until we know those answers, but at least FedRAMP appears to be on schedule. With the release of the 3PAO list, the program moves closer to its target of becoming operational next month.
I’m planning to speak with one of the 3PAOs tomorrow; hopefully I’ll have some additional information from that interview about the 3PAO process and FedRAMP in general. If I do, I’ll post it on SearchCloudSecurity.com.

“The key for us practitioners is to go into this with eyes wide open,” said Walker, who has held senior security positions at Symantec and Cisco, among other global firms. He spoke at the Cloud Security Symposium, which was sponsored by Trend Micro.
The traditional focus on building fortresses with firewalls and IPSes won’t translate to the cloud, he said. Cloud provider requirements include increased transparency about their operations and how they detect rogue tenants, and information security pros need to be aggressive in making sure providers meet security requirements, he said.
That’s certainly easier said than done, especially when business units are going around IT and signing up on Amazon. It’s hard to press for security when you don’t even know what cloud services your company is using.
In many cases, lines of business aren’t waiting for IT when they need something – they simply use their credit card to buy cloud services, said JJ DiGeronimo, senior accelerate practice manager and cloud strategist at VMware. “IT departments have true competition from outside service providers,” she told attendees.
“People are used to securing a box, but now we’re moving to securing the data,” she said. “Data is going to sit everywhere and you’ll have to manage it regardless of where it sits.”
Data-centric security has been an ongoing theme in the industry for several years, as corporate network boundaries crumble and employees become increasingly mobile. Enterprise adoption of cloud computing is becoming yet another driver.
“If you can’t control the systems anymore. … That’s the only way to do it [security] — to protect the data,” Trend Micro CTO Raimund Genes told me in an interview.
Trend Micro naturally has a vested interest in this trend – the company sells encryption products including a key management service for cloud and virtual environments – but it does make sense given that enterprise data is increasingly flowing to cloud environments and becoming harder to track. Maybe the rise of cloud computing will help push data-centric security into the mainstream.
In the meantime, if you’re looking for ways to track down unauthorized use of cloud services by your developers or sales executives, we published tips in this article.

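Asprey’s point that the handling of the encryption keys, not the location of the cloud, decides who can read the data, and Genes’s point that the only thing left to protect is the data itself, come down to the same design: encrypt before upload, and keep the key-encryption key (KEK) somewhere the storage provider cannot reach. The Go program below is an added example, not code from the original posts or from Trend Micro’s key management product. It wraps a fresh per-object data key under a customer-held KEK, so what the provider stores is ciphertext plus a wrapped key that is useless without the KEK; `StoredObject`, `Encrypt`, `Decrypt` and `Rewrap` are this example’s own names, and the sample object and keys are constructed.

```go
// Added example, not code from the original posts or from Trend Micro: client-side
// envelope encryption with the key-encryption key (KEK) kept outside the storage provider.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the storage provider receives: ciphertext plus the
// per-object data key in wrapped form. The KEK itself never leaves the customer.
type StoredObject struct {
	Name       string // bound into both AEAD operations as associated data
	Nonce      []byte
	Ciphertext []byte
	WrapNonce  []byte
	WrappedDEK []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer side before upload: a random 256-bit data
// encryption key (DEK) per object, itself wrapped under the customer-held KEK.
func Encrypt(kek []byte, name string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Name: name, Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt needs the KEK; the provider, holding only the StoredObject, cannot perform this step.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := unseal(kek, obj.WrapNonce, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong or missing KEK")
	}
	return unseal(dek, obj.Nonce, obj.Ciphertext, []byte(obj.Name))
}

// Rewrap rotates the KEK without touching the stored ciphertext: only the small
// wrapped DEK changes, so key management, not bulk re-encryption, is the routine operation.
func Rewrap(oldKEK, newKEK []byte, obj StoredObject) (StoredObject, error) {
	dek, err := unseal(oldKEK, obj.WrapNonce, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return StoredObject{}, errors.New("cannot unwrap data key with old KEK")
	}
	obj.WrapNonce, obj.WrappedDEK, err = seal(newKEK, dek, []byte(obj.Name))
	return obj, err
}

func main() {
	kek := make([]byte, 32) // constructed; in practice fetched from your own key server, never stored beside the data
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	obj, err := Encrypt(kek, "reports/q1.csv", []byte("constructed sample: quarterly figures"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider holds %d ciphertext bytes and a %d-byte wrapped key\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	_, err = Decrypt(bytes.Repeat([]byte{0}, 32), obj)
	fmt.Println("with some other key:", err)
	pt, err := Decrypt(kek, obj)
	fmt.Printf("with the customer KEK: %q (err=%v)\n", pt, err)
}
```

The object name is passed as associated data to both AEAD operations, so a wrapped key copied onto a differently named object will not unwrap, and `Rewrap` shows why this layout keeps key rotation cheap: the KEK can be rotated on the key server without re-uploading a single byte of ciphertext. The caveat is the flip side of the same design: the KEK server is now the component that must be both protected and kept available, because losing it means losing every object it wraps.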
Perhaps the most dismaying finding from U.K.-based Context’s investigation was the discovery of remnant data left behind by previous cloud customers. As part of its research, Context created virtual machines (VMs) on the CSPs’ platforms and was able to see data stored by previous tenants on Rackspace and VPS.net disks. (VPS.net was using the OnApp platform.) Context referred to this finding as the “dirty disk” problem.
At first it may seem Context’s report serves as notice to CSPs that they are falling short of basic security expectations. Yet, in many ways, the problems can be tied to customers’ own shortcomings. Too often, customers count on their CSP to lock down their applications and safeguard their data, even though most CSPs explicitly state these precautions are not included in their standard offerings. Unfortunately, this sometimes comes as an unpleasant surprise for customers.
The base service offered by many CSPs does not include antivirus, patching or data deletion services. To protect their data security, cloud computing customers need to treat VMs in the cloud as if they were on-site servers. Customers must adopt a “do-it-yourself” (DIY) mindset and apply their own security applications and procedures to their cloud implementation, or pay their CSP for more security services.
The four CSPs investigated by Context are likely representative of the data security problems to be found on all cloud platforms. Companies storing data in the cloud need to act quickly to find out how their CSP is protecting the confidentiality of their data, and do their part in protecting their data in the cloud.

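The “dirty disk” finding has two DIY consequences for a tenant: check a newly attached volume before trusting it, and wipe a volume yourself before releasing it, rather than assuming the CSP’s base service will. The Go program below is an added example, not code from the original post or from Context’s report. `ScanDevice` reads a device in 4 KiB chunks and reports how many are non-zero and the first run of printable text it sees (a cheap hint of another tenant’s files; binary or encrypted remnants show only as non-zero chunks), and `ZeroDevice` overwrites the whole device with zeros. `Demo` runs both over a constructed 64 KiB image file standing in for a block device; all function names and the sample record are this example’s own.

```go
// Added example, not code from the original post or from Context's report.
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"regexp"
)

const chunkSize = 4096 // read and wipe in 4 KiB sectors

// A run of 16+ printable ASCII bytes hints at leftover text; encrypted or binary remnants show only as non-zero chunks.
var printableRun = regexp.MustCompile(`[\x20-\x7e]{16,}`)

type ScanResult struct {
	Chunks  int    // chunks read
	NonZero int    // chunks with at least one non-zero byte
	Sample  string // first printable run seen, for the report
}

// ScanDevice reads path (a block device or an image file) chunk by chunk.
func ScanDevice(path string) (ScanResult, error) {
	f, err := os.Open(path)
	if err != nil {
		return ScanResult{}, err
	}
	defer f.Close()
	var res ScanResult
	buf, zero := make([]byte, chunkSize), make([]byte, chunkSize)
	for {
		n, err := io.ReadFull(f, buf)
		if n > 0 {
			res.Chunks++
			if !bytes.Equal(buf[:n], zero[:n]) {
				res.NonZero++
				if m := printableRun.Find(buf[:n]); m != nil && res.Sample == "" {
					res.Sample = string(m)
				}
			}
		}
		if err == io.EOF || err == io.ErrUnexpectedEOF { // end of device, possibly a short last chunk
			return res, nil
		} else if err != nil {
			return res, err
		}
	}
}

// ZeroDevice overwrites every byte of path with zeros and flushes. Seeking to the
// end yields the size for regular files and Linux block devices alike.
func ZeroDevice(path string) (int64, error) {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	size, err := f.Seek(0, io.SeekEnd)
	if err != nil {
		return 0, err
	}
	zero := make([]byte, chunkSize)
	for off := int64(0); off < size; off += chunkSize {
		if rem := size - off; rem < int64(len(zero)) {
			zero = zero[:rem] // last, partial chunk
		}
		if _, err = f.WriteAt(zero, off); err != nil {
			return off, err
		}
	}
	return size, f.Sync()
}

// Demo builds a constructed 64 KiB image (zeros, except one chunk holding a previous
// tenant's record and one chunk of deterministic binary filler), scans it, wipes it, and scans again.
func Demo() (before, after ScanResult, err error) {
	dir, err := os.MkdirTemp("", "dirtydisk")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	img := make([]byte, 16*chunkSize)
	copy(img[3*chunkSize:], "customer_record,alice@example.com,order-1001\n")
	for j := 0; j < chunkSize; j++ {
		img[9*chunkSize+j] = byte(j*131 + 7)
	}
	path := dir + "/volume.img"
	if err = os.WriteFile(path, img, 0o600); err != nil {
		return
	}
	if before, err = ScanDevice(path); err != nil {
		return
	}
	if _, err = ZeroDevice(path); err != nil {
		return
	}
	after, err = ScanDevice(path)
	return
}

func main() {
	fmt.Println(Demo())
}
```

Against a real volume you would point `ScanDevice` and `ZeroDevice` at the device node (for example the path the hypervisor exposes for the attached disk), which needs root and, for the wipe, a device that is not mounted. Two caveats matter in practice: a zero-fill only helps if the provider actually hands the same blocks to the next tenant and does not snapshot them elsewhere, so encrypting the volume from the start is the stronger control; and a scan that finds only zeros does not prove the earlier tenant’s data is gone, only that it is not visible through this block device.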
Several security applications are among the options, including a virtual appliance from Check Point Software Technologies, SaaS endpoint protection from McAfee, and SaaS network IDS and vulnerability assessment from Alert Logic. Customers are charged for what they use on an hourly or monthly basis, and the charges appear on the same bill as their other AWS services.
“We wanted to shrink the time between finding what you want and getting it up and running,” Werner Vogels, CTO at Amazon.com, wrote in a blog post.
By making it easy for organizations to add security to their cloud environments, AWS has made a promising move. Integrating security can be complicated, but the AWS Marketplace appears to eliminate any heavy lifting. It could leave organizations with fewer excuses to not implement cloud security.
But not all is hunky dory with the AWS Marketplace, according to a blog post by Joe Brockmeier at ReadWriteCloud. While the AWS Marketplace makes it simpler to consume single-server apps, it “still leaves a lot of configuration to the end users,” he wrote. For example, he said, deploying SharePoint with Amazon Virtual Private Cloud involves an architecture that’s “much less simple than a single EC2 image,” which means the marketplace doesn’t offer anything right now for those with needs beyond a single EC2 image.
Still, it will be interesting to see what other security services are offered via the marketplace and whether other cloud providers follow Amazon’s lead in easing the path to cloud security.

Last summer, the LulzSec hacking group signed up its website for CloudFlare, drawing the website security service and accelerator company into one of the biggest cyber battles ever, as LulzSec created mayhem on the Internet while rivals and others tried to knock it offline. CloudFlare’s CEO and Co-founder Matthew Prince detailed the attacks in a presentation at RSA Conference 2012; I wasn’t able to attend, but he filled me in during a briefing at the show last week.
LulzSec registered for CloudFlare on June 2, 2011, after a substantial DoS attack knocked its newly launched site — LulzSecurity.com — offline for 45 minutes, Prince said. “We had no idea who LulzSec was,” he said. As it turns out, the group had just published information it had allegedly stolen from Sony.
For the next 22 days, LulzSec waged battle on the Web as rivals and white hat hackers launched a volley of attacks against the group’s site. “It was like a gunfight and we were sitting in the middle of it,” Prince said.
The battle proved a mighty test for Palo Alto, Calif.-based CloudFlare, which protects websites against threats like DDoS, XSS and SQL injection attacks while also boosting site performance. “It was the most massive pen test ever,” Prince said. “We learned a ton from the fact that LulzSec was with us.”
He explained that CloudFlare’s system automatically looks for anomalies to detect attacks and once it does, adds protection for all the websites it protects. More than 250,000 websites, from Fortune 500 companies to individual blogs, use CloudFlare. Using the service doesn’t require any hardware installation, only a change to network settings to allow site traffic to pass through CloudFlare, which operates 14 data centers around the world.
“We’re like a smart, skilled router on your network,” Prince said.
The fact that LulzSec stayed online for the 22 days it was with CloudFlare illustrates the company’s core value proposition, Prince said. “Because we saw these threats our network got smarter,” he added.
Prince said CloudFlare never got a request from law enforcement to take LulzSec offline, but quickly added that it has no mechanism to do that anyway. He noted that CloudFlare wasn’t LulzSec’s hosting provider.
As to whether CloudFlare considered shutting off service for LulzSec – a group linked to a number of attacks on corporate and government sites – Prince said his company’s role isn’t that of an Internet censor.
“There are tens of thousands of websites currently using CloudFlare’s network,” he said in a blog post last summer. “Some of them contain information I find troubling. Such is the nature of a free and open network and, as an organization that aims to make the whole Internet faster and safer, such inherently will be our ongoing struggle. While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published. That is a slippery slope down which we will not tread.”

NATIONAL HARBOR, Md. — Enterprise information security professionals, by nature, tend to be somewhat paranoid, especially regarding new and emerging technology. So to this observer it seemed somewhat surprising not only to hear two Google Enterprise desktop customers extol the security and privacy of the search giant’s enterprise productivity offerings, but also to watch about 200 of the attendees at Gartner Inc.’s Security and Risk Management Summit 2010 hanging on every word.
During a session today, Brian Bolt, lead systems engineer for the office of information technology at Boise State University, and Chet Loveland, global information security and privacy officer for MeadWestvaco, took to the stage to share their experiences migrating from Novell and IBM Lotus infrastructures, respectively, to the hosted messaging, calendaring and collaboration infrastructure provided by Google.
Loveland said his employer, a $6 billion global packaging firm, wanted to standardize its email and collaboration tools across geographies. His key privacy concerns were providing users unfettered access to corporate data – both email and shared documents — from virtually any Internet-connected computer, and offering the ability to sync with mobile devices not managed by the company.
The implementation was smoothed by focused end-user training, including “Google guides” who worked one-on-one in person with employees offering training and problem solving. Loveland said his organization had already outsourced email processing to a third-party provider several years ago, so there was little trepidation about moving to Google, though he did do his homework to make sure he understood how and where Google would store the company’s data.
Bolt, looking to move to a best-of-breed provider to manage email for his school’s more than 22,000 students, faculty and staff, was comfortable with Google’s security after poring over its copious security process documentation, including the Google Apps admin help: Security and privacy page.
“Google’s security strategy revolves around hiring talented security professionals and building multiple wholly owned data centers,” Bolt said. Those data centers, according to Google, feature custom-built servers running a hardened version of Linux with no video cards, drivers, USB ports or any other service that could risk compromising security. “These layered security practices span the physical and logical, and they hire the right people and instill values of security.”
Google’s enterprise offerings include one product, a search appliance, and several hosted services including Google Desktop, Google Maps and Google Earth, and its Postini service for antispam and mail archiving. It has more than 1,500 employees focused on its enterprise business; it claims 20,000 search appliance customers, 50,000 Postini customers, and says 3,000 new businesses sign up for Google Apps daily.
Attendee Douglas W. Fee, director and IT security officer for the University of Kentucky in Lexington, said the discussion was helpful for him as UK considers the future of its Exchange-based email system. While it seemed notable that neither of Google’s featured customers migrated from an Active Directory-based Exchange system, a notoriously difficult platform to abandon, Fee was unfazed, instead eager to benefit from the reduced cost of managing email systems and storing their data.
As for the security and compliance issues, Fee said Google’s third-party attestations, like SAS 70 Type II, which it achieved last year, would likely be enough to convince most enterprise decision makers that Google is a viable option.
Still, there’s no question Google’s enterprise program is benefiting from what seems to be a rising tide for all enterprise services that live in the cloud. In terms of security, reliability and innovation, Fee said, “Google is setting the goal for the rest of the world.”

What is cloud computing? In an interview with Cigital’s software security expert Gary McGraw, network security expert Christopher Hoff tries to answer that question from two perspectives — a cloud provider’s and a consumer’s. After establishing what cloud computing is, the conversation ultimately moves to what is being done right, and perhaps wrong, to secure it. Hoff, formerly of Unisys Corp., is currently director of cloud and virtualization solutions at Cisco Systems Inc. The podcast is a good overview of cloud computing and security because it peels away all the vendor marketing hype that, pardon my pun, has clouded the issue.
According to Hoff, the cloud is not impervious to failure. A lot of interesting expectations are being set, he says, and that is illustrated by Larry Ellison of Oracle Corp., who says there’s nothing new and we’ve been doing it for years, versus the perspective of others who say that how we’re using the cloud is different.
“Every time we’ve had a new instance, a new way of operationalizing our computing resources we’ve had this same sort of turn that takes place in the industry. It ultimately smooths out.”
McGraw says while we’re not so bad at protecting hardware, we’re really bad at protecting virtual operating systems and applications.
Hoff explains the three levels of cloud computing and how security applies: Infrastructure as a service, platform as a service and software as a service … He says the lower down the stack you go the more responsible you are as a consumer for the security of that service. “With infrastructure as a service you are essentially building in security, with software as a service you are basically contracting it …” Hoff goes on to say that platform as a service is more interesting from a security perspective because your apps are somewhat tied into the platform. Since you are writing the applications and you own the data “maintaining security as it relates to that model is a shared, cooperative approach.”
Security is always playing catch-up with disruptive innovation, and cloud computing is a good example of that, Hoff says. It ultimately comes down to the age-old problem that “consumers see security and applications thereof as an adverse function of convenience.”
“When it comes down to any enterprise architecture in general, time to market and delivery just trumps our capability, desire, wants and needs and ultimately budgets to get stuff done as a balance of security versus convenience.”
The final part of the podcast discusses the problems companies are having applying security to the three cloud computing models as a design pattern rather than with the bolt-on approach. Hoff says the people behind the cloud model are fragmented — developers work on their applications — network architects deal with the network — and the security people try to figure out what each of them is doing.
Hoff says what is terrifying is that the metastructure pieces — the protocols, the glue that holds the application layer and the infrastructure layer together — are for the most part completely ignored. DNS and identity and access management issues are starting to show cracks.
Check out Hoff’s blog Rational Survivability for more of his great insight into the cloud computing models and the security issues they raise.