Crafting a cloud security policy… are you asking the right questions?

Has your organization created a cloud security policy? Crafting one can be tricky. You have to be thinking about the right questions, and it’s a good idea to first determine what (and why) you’re moving certain information assets to the cloud. It’s also important to find a good fit in a cloud provider, one that understands your organization’s culture. Consulting with peers and reviewing existing cloud policies and standards is a helpful first step. And Neohapsis’ Scott Hazdra shares his advice about questions to ask:

  1. First, what do we want to put in the cloud? Data, applications, both? The answer drives the criteria for choosing a cloud provider and the service model you will need, whether IaaS, PaaS or SaaS.
  2. Do we have a good data classification policy and procedure? And what type of data will we allow in the cloud: sensitive corporate data, data that must be privacy-protected under compliance regulations (PII, SSNs, etc.), day-to-day operational data? If you don’t already have a good data classification policy, create one so that you don’t end up inadvertently transmitting and storing the wrong data in a cloud environment.
  3. What existing policies do we have that may also apply to what we want to do in the cloud?
  4. What have others in our industry done that we can borrow from? This is a good way to learn what works, what doesn’t, and what unexpected issues can come up. Take a look at what standards bodies like ISO, NIST or the CSA have created as well, to discover policy areas that you may not have considered.
  5. Who within our organization is allowed to enter into agreements with cloud providers? And who has the authority to negotiate SLAs? Be certain to involve those with the proper authority and approval levels.
  6. Finally, once you have drafted your policy, allow the stakeholders in your organization to weigh in and comment on it.

If you follow these guidelines, you’ll be better prepared when the first packet of data moves from your servers and into your provider’s trusted cloud!

For more information and advice, see the full article in SecurityWeek:

NSA Leak: Did Snowden take the “Security” out of National Security Agency?

From Wikileaks to whistleblowers (today’s NSA PRISM story, for example), we keep seeing new ways that private or sensitive data can be breached.

In this instance, an I.T. contractor working for Booz Allen, Edward Snowden, released details of an NSA domestic surveillance program. How did he get access to this [probably classified] information, you ask?

Said Snowden: “When you’re in positions of privileged access like a systems administrator … you’re exposed to a lot more information in a larger scale than the average employee … Anybody in positions of access with the technical capabilities that I had could suck out secrets and pass them on the open market to Russia … I had access to the full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world … If I had just wanted to harm the U.S. … you could shut down the surveillance system in an afternoon.”

Is that shocking to you? It should be. How does a low-level IT admin get access to virtually everything – internal confidential documents, secret data…? The mere act of managing these systems grants administrative access through “privileged” accounts, and those accounts typically see every piece of data on the systems they manage.

In virtualized or cloud environments, this situation is exacerbated. But, companies like HyTrust provide the security and controls necessary to address this issue. Clearly, solutions are available to address the problem . . . so why weren’t they being used?

Snowden indicated that he revealed what he knew about the NSA because he felt the public had a right to know about wrongs being committed. A modern day Robin Hood, he may have done what he did for the common good. But whether someone breaches sensitive information for good or evil (Sheriff of Nottingham, Benedict Arnold), the same breach can have devastating consequences for businesses.

This is something every business can learn from, said Eric Chiu, president of HyTrust. Wired Magazine recently published an article by Chiu on the topic, Brand Damage Through Information Access.

“Without implementing adequate role-based access controls based on least-privileged access, organizations are granting systems administrators god-like access to every piece of data that runs on every system,” Chiu advises.

In a recent Dark Reading article, Scott Hazdra, principal security consultant for Neohapsis, states: “Authorized users are authorized users,” meaning that if someone has authorized access to data, it may be near impossible to know whether that person has malicious intent when accessing it. He advises: “You need to set aside a little time to see who has access to what and actually identify specific access controls.”

Lingering questions remain in the PRISM issue: Is Snowden a traitor or a hero? What other information might he be able to leak? Will he receive asylum? What do you think?

Knowledge is power. . . who has your personal information?

The Department of Health and Human Services (HHS) recently fined Idaho State University (ISU) half a million dollars for HIPAA violations.

Data on 17,500 patients of ISU’s medical clinic was exposed for a period of at least 10 months, during which the university had disabled a firewall. More on that here:

We’ve been noticing this spate of attacks on education institutions and healthcare organizations, and a recent USA Today article points out that universities are tightening security in the wake of so many attacks.

Negligence like this is surprising but, sadly, common. Lax security measures are often cited as the cause of data breaches: incorrect access settings, misconfigurations, unencrypted sensitive data on stolen laptops, lost backup tapes, data emailed to a personal account, and more. All of these issues are unacceptable and avoidable, yet they continue to happen. Is no one paying attention?

Another thing that may come as a surprise is that very often there’s little (or no) security in place. Yet it should come as no surprise that as systems are increasingly connected to the internet, they become much more vulnerable to exploits.

Educational and healthcare institutions need to seriously step up their game.

In the meantime, students and patients should do a better job of taking their personal privacy into their own hands and asking about the security measures their providers are taking. For example, when asked to fill out a form, don’t automatically supply personal information like your social security number, driver’s license number, mother’s maiden name and other obviously sensitive data that can fall into the wrong hands. If they ask for it, you’re entitled to ask why they need it, and why it is collected on paper rather than entered into a system and encrypted immediately so that even the staff cannot read it. Demand to know how they plan to protect your privacy. You have a right to know. More than that, no one will care about your personal privacy as much as you do, and you’re the one who will have to face the music if your data or identity is breached. Law enforcement and the government simply don’t have the resources to investigate every incident, and it’s often difficult to tell how and from where a breach originated.

Teachers and medical practitioners tell us “Knowledge is power.” Meanwhile the very institutions they work for are practically handing knowledge about us over to attackers. Shouldn’t they have a duty to protect and secure it?

Bottom line: Don’t give your personal power and identity away.

Yahoo! Japan breach possibly leaks 22 million user IDs

Attackers recently broke into systems at Yahoo! Japan and may have accessed some 22 million user IDs (representing 10% of all Yahoo! users). While the internet giant didn’t disclose how attackers got in – and stressed that no other personal information could have been accessed – this still represents a threat to users, who may receive spam messages containing malware or links to malicious websites.

Here’s what a few security experts had to say:

“Many people use the same passwords for work as they do for personal websites,” Eric Chiu, president and founder of HyTrust, the cloud control company, pointed out. “If an attacker is able to gather these account passwords through phishing emails, it can lead to compromises of corporate networks in order to siphon data.”

So be alert. Attackers will try to get you to hand over passwords, and there are many ways they can do this. For example, a phishing email can trick you into entering your password by making you think you are doing so for a legitimate purpose at the request of a trusted organization. And once you or your PC has been compromised, attackers can use that foothold to reach your company’s network and do far worse damage.

Chiu also warns organizations about security monitoring tools, saying, “Unfortunately, most security monitoring solutions today are incapable of detecting good insider activity from bad. And, as organizations move critical infrastructure and applications to the cloud, the risk of attackers posing as insiders to gain access is compounded, since cloud and/or virtualized data can be copied, deleted, and/or moved from anywhere on the globe virtually undetected.”

Security organizations should look at Role-Based Monitoring (RBM) as a much more effective approach and, Chiu says, the industry’s future direction.

Chiu warns that attackers can also potentially destroy an entire corporate datacenter in a matter of minutes. These risks highlight the need for companies to secure access with technologies and processes that can detect and prevent bad actions in real-time, he said.

Nathaniel Couper-Noles, senior security consultant at Neohapsis, a security and risk management consulting company specializing in mobile and cloud security services, said: “The information possibly leaked [in the Yahoo! Japan breach] can be useful to attackers indirectly, for example by facilitating further attacks such as social engineering or password guessing.”

So again, be wary when receiving email messages from people you don’t know, and even from those you DO know when a message looks suspicious. To avoid becoming a victim, don’t click any links, provide any information, or even respond, and don’t open or read these messages in a “preview pane” either.

Feel free to add your guidance to ours by commenting, and stay safe online!

DDoS: Not just for taking down websites anymore

We all know about DDoS attacks being used to temporarily take down targeted websites. But Jordan Robertson at Bloomberg reports that attackers are now using them as a distraction – a means to attack the victim company while its defenses are occupied, in order to steal money and data and cause other damage. “They’ve become the online equivalent of a common street hustle, with the initial assault being the shiny object that distracts bank security teams long enough to pick customers’ pockets,” the article reads.

Robertson recounts how attackers nabbed tens of millions of dollars from banks over the last year. And what’s worse – the affected banks didn’t learn of the intrusions until getting word from customers and investigators. Sadly, this is all too common: the most recent Data Breach Investigations Report from Verizon shows that the majority of breaches, 69 percent, are detected by third parties.

Something needs to change to enable companies to catch these breaches themselves, and much quicker. One expert calls for a change in monitoring, leading with role-based technology to catch threats in real-time. Read more on that in our previous post, Infographic: The Future of Security Monitoring.

Infographic: The Future of Security Monitoring

Twitter, Apple, Facebook, and Microsoft are all household corporate brands, and they have something in common: They have all suffered data breaches.

As attacks make headlines daily, industry influencers all seem to be calling for security monitoring and forensics tools as the “end all, be all” for solving these types of issues and preventing future incidents. But sadly, monitoring tools like SIEMs catch maybe 50% of threats in the best case. Gartner says 85% of organizations are failing at early breach detection. Even the recent Verizon Data Breach Investigations Report found that 66% of breaches take months or longer to be detected. HyTrust agrees, and has found the same or similar numbers in informal polling. In fact, Eric Chiu, president and founder of HyTrust, the cloud control company, says: “Security monitoring tools such as SIEMs are broken — they’re slow, reactive and weak.”

It’s obvious a new approach is sorely needed. Chiu says Role-Based Monitoring (RBM) is the future of security monitoring, and shared the below infographic. Based on pre-defined user roles, RBM can detect and block threats in real-time. It alerts you when something outside the norm happens. For example, an attacker using an advanced persistent threat (APT) technique might hijack someone’s corporate “privilege” – in other words, their advantages, benefits, entitlements or rights based upon their role within the organization – in order to carry out their breach more effectively.

“RBM is the fastest, strongest and most certain method of identifying threats with 98% accuracy,” Chiu said. “It provides a deeper examination of the context, looking at what was done as well as who executed the action, what their job is, and what resources they’re allowed to manage.” This enables organizations to zero-in and separate appropriate administrative operations from malicious ones, Chiu explained.

RBM is useful especially in cloud environments where ‘super admins’ have ‘super access’ to everything, i.e. they can copy, if they wish, every virtual machine with sensitive data, or tamper with controls and potentially destroy the entire virtual datacenter.
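To make the two ideas in this series concrete (Hazdra’s “see who has access to what” review in the Snowden post, and the role-based monitoring described above that flags an admin acting outside their role or copying every VM), here is an added example. It is not HyTrust’s product, nor code from this page: the roles, users, VM tags, bulk-copy threshold and audit events are all constructed for illustration, and a real deployment would load roles and inventory from its own RBAC store and hypervisor.

```python
"""Role-based access review and role-based monitoring over constructed audit events.

Added example for this post; it is not HyTrust code and not from the page.
Every role, user, VM tag, threshold and log line below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed role model: role -> {operation: set of VM tags the role may touch}.
# "*" means any VM. A real platform would load this from its RBAC store.
ROLE_POLICY = {
    "network_admin": {"vm.reconfigure_nic": {"*"}},
    "backup_operator": {"vm.snapshot": {"tier2"}, "vm.clone": {"tier2"}},
    "hr_app_admin": {"vm.poweron": {"hr"}, "vm.poweroff": {"hr"}, "vm.console": {"hr"}},
    # The 'super admin' the post warns about: every operation on every VM.
    "super_admin": {op: {"*"} for op in (
        "vm.clone", "vm.delete", "vm.poweroff", "vm.poweron",
        "vm.snapshot", "vm.console", "vm.reconfigure_nic")},
}
USER_ROLES = {
    "alice": {"network_admin"},
    "bob": {"backup_operator"},
    "eve": {"hr_app_admin"},
    "root": {"super_admin"},
}
VM_TAGS = {  # constructed inventory
    "hr-db-01": {"hr", "tier1"},
    "hr-app-01": {"hr", "tier2"},
    "web-03": {"tier2"},
    "fin-db-01": {"fin", "tier1"},
}


@dataclass(frozen=True)
class Event:
    ts: int    # seconds since an arbitrary epoch (constructed)
    user: str
    op: str
    vm: str


def allowed(user: str, op: str, vm: str) -> bool:
    """True if any of the user's roles grants `op` on a VM carrying a tag in the role's scope."""
    tags = VM_TAGS.get(vm, set())
    for role in USER_ROLES.get(user, ()):
        scope = ROLE_POLICY.get(role, {}).get(op)
        if scope is not None and ("*" in scope or scope & tags):
            return True
    return False


def access_review() -> dict:
    """'See who has access to what': user -> op -> sorted names of VMs the user may act on."""
    review = defaultdict(lambda: defaultdict(list))
    ops = {op for role in ROLE_POLICY.values() for op in role}
    for user in USER_ROLES:
        for op in ops:
            for vm in sorted(VM_TAGS):
                if allowed(user, op, vm):
                    review[user][op].append(vm)
    return {u: dict(m) for u, m in review.items()}


# Bulk-copy detection: even an allowed clone becomes suspicious when repeated
# rapidly (the "copy every VM" scenario). Threshold and window are constructed.
BULK_OPS = {"vm.clone", "vm.delete"}
BULK_THRESHOLD = 3
BULK_WINDOW_S = 300


def evaluate(events):
    """Return alerts as (ts, user, kind, detail) tuples, oldest first."""
    alerts = []
    recent = defaultdict(list)  # (user, op) -> timestamps inside the window
    for e in sorted(events, key=lambda e: e.ts):
        if not allowed(e.user, e.op, e.vm):
            alerts.append((e.ts, e.user, "out_of_role", f"{e.op} on {e.vm}"))
            continue
        if e.op in BULK_OPS:
            window = recent[(e.user, e.op)]
            window.append(e.ts)
            while window[0] < e.ts - BULK_WINDOW_S:  # drop timestamps outside the window
                window.pop(0)
            if len(window) == BULK_THRESHOLD:  # alert once, when the threshold is crossed
                alerts.append((e.ts, e.user, "bulk_operation",
                               f"{len(window)} x {e.op} within {BULK_WINDOW_S}s"))
    return alerts


SAMPLE_EVENTS = [  # constructed audit log
    Event(100, "eve", "vm.poweroff", "hr-db-01"),     # in role
    Event(160, "eve", "vm.clone", "hr-db-01"),        # HR app admin cloning a DB: out of role
    Event(200, "bob", "vm.clone", "web-03"),          # backup operator on tier2: in role
    Event(230, "bob", "vm.clone", "hr-db-01"),        # tier1 VM: out of role
    Event(300, "alice", "vm.reconfigure_nic", "web-03"),
    Event(400, "root", "vm.clone", "hr-db-01"),       # super admin: every clone is 'allowed'...
    Event(460, "root", "vm.clone", "hr-app-01"),
    Event(520, "root", "vm.clone", "fin-db-01"),      # ...until the rate gives it away
    Event(580, "root", "vm.clone", "web-03"),
    Event(900, "mallory", "vm.console", "hr-db-01"),  # unknown account
]

if __name__ == "__main__":
    for user, ops in access_review().items():
        print(user, ops)
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Two things to notice when running it. The access review prints, per user, exactly which operations on which VMs each role grants, which is the list Hazdra says most organizations never sit down to produce. And the `root` account never trips the out-of-role check, because a super admin is in role for everything; only the rate of clones flags it. That is the caveat behind the ‘super access’ problem above: a role check alone is blind to a legitimate super admin, so either the role has to be split up (least privilege) or the monitor has to look at what was done and how much of it, not just who was allowed to do it.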

“It’s time to rethink security in-line with emerging technologies and change the way we do business,” said Chiu.