Tag Archives: cloud

Cloud 2

A plethora of security articles has appeared in the mainstream IT press over the last few weeks that makes me believe that security is one of the new buzzwords that you can expect to hear a lot more about in 2016. As a security practitioner, and someone who has done this for well over fifteen years, it's bizarre how something that we do as business as usual is now getting some attention. For over a decade we were the people you didn't talk to, or if you did, you did it through gritted teeth knowing we would try to hold you to a better standard or a greater ideal for the common good.

Any and all focus on security best practice is welcome. As we all witness the explosive growth of container-based cloud provisioning gather pace, it's circumspect to hope that this due diligence around security will filter down through programs in organisations to build in security as a de facto standard building block and process rather than retrofitted to shore up poor code or poor deployment / management practices.

That's not to say that by having the best security folk and best practices you can't get hacked by an internal or external threat or fall prey to a security vulnerability. What it does mean is that you have the plan as to how to react, how to behave during an outage, what steps to take during a fix process and how you learn from that experience, growing from it. Sharing that knowledge is even more important in the Open Source space.

Please though, don't fall into a trap. Having a CISSP does not make you a security professional. Having a CISSP on board your staff says you have someone who can pass an exam and who has an understanding of the impact that a proprietary network environment, elevated threat levels and the reaction capabilities to someone hosing your Cisco / Juniper / (add other vendor kit here) will have on your ability to provide service.

Any qualification that allows its students to keep qualified by collecting points attending conferences is devalued by stupid brand marketing folk who allow such a practice. I've met some great people who also had CISSPs, and I've also met some self-styled pen testers, auditors and "security professionals" with CISSPs and other exam qualifications who communally couldn't find their arse with both hands. Those same people also knew how to pass exams but had never had actual real-time experience in the trenches with developers and operational datacentre folk to get up to speed with emerging threat.

Certification is important. Want to hire good folk or get your CISSP folk up to speed with real-life threat from bleeding-edge threat actors that impact actual platforms now? Get them to sign up and study for the CCSK exam. Amazon get their staff to, and so do Microsoft and HP. I personally rate the material and the exam, and it will allow you to get your staff to a point where you have a proper belts-and-braces ability to deal with threat and react in real time rather than in a post mortem. No, this isn't an advert for the Cloud Security Alliance or a trolling attack on CISSPs; it's a call to arms to employers to look outside the box, because sadly the hackers are better qualified than ever before.

So while you're eating your Thanksgiving meal or preparing for a quiet Christmas, think about how you can increase your security skills, and also maybe think about joining an Open Source project to see how security issues and vulnerabilities are managed in the wild.

Happy Thanksgiving 2015 and have a great time with your families.

This evening I've been working my way through changes and modifications on the beta of version 3.1 of the Cloud Security Alliance CCM controls. Version 3.0 is the current shipping version of this living, breathing bible of cloud security goodness. Recently I was in Amsterdam with Jim Reavis and his crew at the CSA Securecloud Conference, and I'll be out in the US at the annual CSA Congress in the fall. Whilst there I recorded a podcast with Jim that I will bring out midweek this week.

Regularly I talk at conferences expressing why the CSA CCM matrices are one of the most powerful Swiss Army tools an IT practitioner can have when approaching a governance exercise in any facet of private, public or open hybrid cloud. They cross business verticals, allowing an organisation to consider the pressures of location and data type, workload or platform. This then allows you to make weighted decisions around application migration, infrastructure deployment and the isolation of services or provisioned platform services.

Meanwhile, the audit community continues to hone and document how it assesses technical and actual risk in on-premise cloud, a contracted-out public cloud or a hybrid elastic combination of the two.

As 3.1 emerges and becomes the new de facto standard I will bring more information as to how best to adopt it; for now, please point your browsers at the current shipping version of the matrix, which you will find here.

A few weeks ago I sat down with senior law enforcement officers from Holland, Germany and the UK and asked them, off the record, the question "is there a ready role today for national crime agencies and cybercrime specialist divisions of Police forces in Europe in the Cloud age?".

One thing was screamingly obvious: the interaction and information sharing between agencies is healthy and transparent, and that's hugely beneficial to sovereign nations. However, the reality is there is a gap between capability and actual delivery.

SOCA in the UK, folded into the National Crime Agency last year, suffered from being seen as toothless and unable to deal in reality with cybercrime through lack of ability and lack of reach to actual sources from outside their jurisdiction (e.g. mass mail spam / mail abuse and boiler office type schemes in overseas territories). We accept in Europe that there is a healthy impasse between industry and law enforcement, down to two clear issues:

1) Budget - even though the UK National Crime Agency has a £500m budget and interactions with intelligence partners, it lacks the skillsets in depth and the tools and technologies to query data and to react at a pace that's efficient, and industry needs to assist. The current tools and database technologies supplied by one incumbent provider are anything but helpful and, if anything, set UK law enforcement back by comparison to the working practices of their partners in Europe.

2) In the UK, an over-reliance on agencies such as the Child Exploitation and Online Protection Agency (CEOP) and the Internet Watch Foundation (IWF), who are mired in being stuck between being lobbying agencies and being ineffective and entirely out of touch. Whilst CEOP's continued interaction with industry partners such as Virgin Media and BT shows encouraging signs, it's very little, too late. There is a need for a clear rethink of how take-down notices and more serious protective measures can be enforced faster, with more clarity, interacting with local police forces and sharing information proactively in real time.

3) Fraud protection. The majority of online fraud happens overseas, and vulnerabilities in key cornerstones of the Internet such as Heartbleed, which I broke to the world now two weeks ago (no guessing who the Senior Security Developer at the Operating System vendor quoted was), are just the start. The internet glue is held together right now at managed hosting providers and internet service providers by embedded routers, switches, content delivery platforms and web hosting architectures. It could be up to three years before the least proactive ISPs, who simply don't have a clue or the budget (or the kick), fix the underlying infrastructures that provide key peace of mind to internet users, consuming service organisations and platform providers. In fact, one thing that has not been identified correctly with bugs such as Heartbleed is one salient fact: plausible deniability. A determined, minimally equipped hacker today with a basic live Linux distro who wants to play merry hell quietly will do so. Don't expect to find him or her, as most ISPs and telcos haven't got staff capable of spotting them in real time. I've physically proved that this is a fact in reality.

In a past life I uncovered (with authority) a massive exploit at a major UK household name telco involving a major datacentre breach with proven exploits and a complete paper trail and audit log of intrusions and proven hops into highly protected networks previously thought segregated. As with many telcos, you never hear about it because the nature of an SEC filing or public slapping from the Information Commissioner carries both a fine and red faces, as well as loss of reputation. When I then uncovered a breach in their billing platforms affecting residential customer data, this was once more "lost" even though documented and brought to the attention of the board and chairman of a major household name vendor. Patched and quietly forgotten. These things happen. They shouldn't - hopefully they happen a lot less now. I am prevented, by being signatory to the Official Secrets Act, from discussing far more scary real-life scenarios that are in daily play today in larger infrastructures. Sadly, vendor relationships and reaction need to be in a position where a reactive defensive stance is taken ahead of time rather than when faced with a major zero-day exploit or data breach using publicly available exploit code.

For six years I've talked about how we should practice security better. For six years I've worked with the Cloud Security Alliance and with Jim Reavis, their chair. A few weeks ago I sat down with the British Standards Institute (BSI), who last summer worked with the CSA to adopt STAR and to push it to industry, which at least brings the UK up to speed, showing, hopefully, law enforcement that they are playing behind the times and need to engage with industry better.

Relying on the badly constructed Computer Misuse Act and RIPA II is no longer good enough. If you can't communicate with industry, if you can't adopt open big data practices to analyse data and still rely on proprietary, weak tools for analysis, then the public suffers. If the public suffers, then there is a tacit nervousness to go to the Cloud as actively as we'd like.

You can hear my interview with the BSI when I get back from the US, as to their take on why blended security controls and practical interaction between public disclosure and interaction are a great start to reacting, and to building preventative and lasting Cloud security and law enforcement. You can also listen to my interviews with Dr Udo Helmbrecht (Executive Director of ENISA) and Richard Clarke (White House Specialist Advisor on Cybercrime to the President of the United States) by following the inline links. If they take me seriously, it would be nice if law enforcement woke up and changed working practices to take into account ever-moving threat vectors and a larger than ever threat fabric that affects and impacts business confidence and technology investment.

Until then, just cross your fingers, as law enforcement are standing in the wind with their finger in the air. Call Heartbleed a call to arms; sadly, I have doubts that there is a groundswell to proactively deliver change. Let's hope that this makes someone's radar.

One salient point: we are here to help - if people reach out and ask, that help is forthcoming; bury communal heads in the sand and you end up depleted in capability and unable to prosecute with mandated authority, with a lot more cases thrown out in court, resulting in a waste of taxpayer-funded resources and costs.

Working together is smarter. Let's try.

Now this was a fun show to record, talking to a real-world cloud architect at one of Holland's leading new technology companies, Schuberg Philis, who sponsored the Cloud event we've been attending this week.

Funs is one of two of their architecture team tasked with helping companies in Schuberg Philis's growing portfolio of customers in Holland to get to cloud safely, navigating governance and privacy regulation and ensuring their workloads and data are successfully transitioned to cloud.

Hope you enjoy the show; more to come later if I still have power and bandwidth to get them out before my flight back to the UK.

Download the podcast in MP3 format here - or alternatively browse the RSS.