Archive for the ‘Security’ Category
In December 2011, the New York Times reported that only one third of companies had insurance against losses related to their information technology. Generally called, Cyber Insurance, this protection gained a foothold during the 1990s. For AEC businesses using the cloud, cyber insurance can be the backstop to scenarios where the best laid security plans didn’t work out.
According to a U.S. government report:
Cyber-insurance is an insurance product used to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies. Coverages provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.
While estimates of total premiums being paid for cyber insurance currently rest in the hundreds of millions range, there are those who are predicting a 50 percent growth in that number during the next 12 months, according to the New York Times article. The thing is that, IT has not been traditionally involved in insurance planning, yet those are the people who are most familiar with the potential risks. When you add a general low understanding of just what is covered and what is not covered by insurance policies, the stage is set for surprises when things go wrong. Just like with homeowners’ policies, business policies have many exclusions. In one example cited in a Computerworld article this year, the cost of a damaged server is generally covered under business insurance policies, but not the cost of liability associated with NOT providing contracted services to a customer. Likewise, data loss, and not being able to access data is usually not covered.
While cyber insurance was initially focused on protecting companies when data breaches occurred, today’s adoption of the cloud adds a whole new level of complexity to insuring against cyber losses. Vendors of cloud computing products and services aren’t going to insure your losses, so it falls to you. But the risks now extend beyond the cloud and to all of those mobile consumer devices being brought to the job by employees. You can bet your standard business insurance isn’t going to cover any problems that arise from company data breached on an employee’s hardware. So far though, it is generally assumed that cyber insurance policies will follow the risks to their natural destinations.
In 2010, every breached data record cost companies more than $20 and the costs can be staggering, going beyond just the data loss or compromise to lawsuits for damages brought by those whose data was affected. One sobering example was Sony’s experience with more than 100 million records breached. Cyber insurance in many cases should be a no-brainer with that kind of potential for loss. However, many companies resist buying the coverage because cyber insurance policies can cost up to 4 percent per million. With potential losses running in the hundreds of millions for large events, the outlay could appreciably increase a firm’s annual insurance expenses.
The experts say a thorough assessment of the risks is the place to start when deciding if a cyber insurance policy is needed. For those moving to the cloud the urgency in doing that is increased, and it might even be considered as a final component to a complete cloud security plan.
BeyondTrust announced it was awarded U.S. patent number 8,006,088 covering key technologies that allow administrator privileges to be limited on a per-application basis on Microsoft Windows computers.
BeyondTrust is committed to innovation and thought leadership in the privileged identity management market, demonstrated by this latest patent, said John Mutch, CEO at BeyondTrust. The patent, which makes claims in connection with our technology for granting and removing user rights on a per-application basis, demonstrates our clear leadership in this market, and proves we are ahead of the competition in technology innovation and the fight against insider threats.
The patent covers the technology in BeyondTrust’s PowerBroker Desktops product for the network-based management of application security by modifying a Windows security token on a per-application basis. Specifically, the patent covers the methods by which PowerBroker Desktops modifies application security tokens by adding or removing permissions or privileges from the security token on a per-process basis, based on a set of rules that are enforced by an agent on the client.
Today’s marketplace is growing increasingly competitive with the introduction of new technologies almost daily, and the most successful businesses will be those that leverage their intellectual property to give customers the assurances they need when buying new products and services, continued Mutch. BeyondTrust has a number of patents covering our technology, and we are anticipating strong revenue growth as IT departments increasingly adopt the least privilege model of defending against insider threats.
Demand for Windows privilege management in particular is growing rapidly as more IT departments look for ways to mitigate insider threats (as well as reducing external threats from hacking or malware) as part of their Windows 7 deployments.
Here’s more information about the patent.
About BeyondTrust - Founded in 1985, BeyondTrust is the global leader in privilege authorization management, access control and security solutions for physical, virtual, cloud and infrastructure computing environments. The company’s products mitigate insider threats and secure the perimeter within across the enterprise, empowering IT governance to strengthen security, improve productivity, drive compliance and reduce expense. BeyondTrust, the BeyondTrust logo and PowerBroker are trademarks or registered trademarks, in the United States and certain other countries of BeyondTrust Software. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.Cloud security is a topic that enjoys coverage by thousands of voices and nearly as many vendors offering services and products aimed at taking the pain out of moving data and applications to the cloud. Perhaps no more onerous is the topic of trust placed in individuals. When you move to the cloud the people who you are asked to trust grows exponentially and there are those who say this is indeed the most difficult of security concerns.
In his revealing paper 10 Security Concerns for Cloud Computing, Michael Gregg, Global Knowledge instructor and someone with an arm’s length of security certifications, names Who Has Access as a “huge risk.” He cites a Fannie Mae insider accused of planting a logic bomb that when launched could have caused massive damage. The Cloud Security Alliance has a comprehensive guide on cloud security entitled Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 where the organization states:
Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today. While an enterprise may be able to leverage several Cloud Computing services without a good identity and access management strategy, in the long run extending an organization’s identity services into the cloud is a necessary precursor towards strategic use of on-demand computing services.
So you not only have to ensure the people YOU trust are trustworthy, but ultimately you have to extend that person’s ability to manage your data into the cloud along with an identity and access management (IAM) scheme that is bullet proof. Along the way you will inevitably be extending trust to the people who the cloud vendor hires and has placed its trust in. With so much at stake you really can’t assume the person you are trusting today with the keys to the kingdom will remain trustworthy. To complicate things you will want to leverage investments already made in IAM at the enterprise level, but they may be difficult to extend to the cloud.
For Identity Provisioning the CSA says those functions offered by cloud vendors are not currently adequate for enterprise requirements and you should resist vendor proprietary solutions like custom connectors and insist instead on standard connectors that use the SPML schema.
When it comes to SaaS and PaaS authentication, authenticate users with your identity provider and use federation for trust with the SaaS vendor. Interestingly the CSA recommends enabling the use of a single set of credentials valid across multiple sites for individual users and to avoid vendor proprietary methods. The alliance says using dedicated VPN for IT personnel will help them leverage existing investments.
As with most things in life, nothing is really guaranteed and that’s probably why Andy Grove, the former CEO of Intel once quipped: “only the paranoid survive.” When it comes to the people you place your trust in we’d all like to think the trust is well-placed, and in most cases it probably is. There is always a “but” though. There is much more on this subject in the papers referenced above.
In its December 2009 cloud computing security guidance paper, the Cloud Security Alliance (CSA) focused on adding clarity to what it described as a “complicated landscape, which is often filled with incomplete and oversimplified information.” Indeed, in talking to providers of cloud security services and products it would seem there is an unimaginable range of security concerns, each requiring its own unique solution from yet another solution provider.
But beyond the concerns there appears to be the opportunity to minimize risks in some areas while simplifying security at the user level. In other cases, existing security concerns that are magnified by cloud computing can bring new attention to them and foster new approaches to solving them. One such security risk that has been around since computing began is the one of administrator rights.
“Historically, if you are in an administrative role you’ve got root access, and root access is the equivalent of being omnipotent on that machine,” says Brian Anderson, chief marketing officer for BeyondTrust, a solutions provider for privilege authorization management, access control and security solutions for virtualization and cloud computing environments. “You can literally do anything, under any circumstances, to any amount of data, no matter how sensitive it is, and no matter how much encryption.”
Of course the level of data security policy should be matched to the sensitivity of the data and the vulnerabilities of the network where it resides. If you are running an estimating program in the cloud as strictly a number cruncher, with no associated customer information, then your risks are lower than if running it with customer information.
Access Management Policies
The CSA cites nine aspects, (page 66 of the guidance paper noted above), related to access control that you should review when you are selecting a cloud service or product. At the same time the organization admits the immature state of the cloud ecosystem and recommends an honest assessment of your own company’s ability to manage an access system. It also highlights the importance of knowing your cloud computing provider’s abilities related to access management. One important consideration involves the cloud provider’s access system used for its own administrators.
Anderson points to the risk associated with cloning a virtual instance of your virtual server. He describes it as virtual sabotage and outlines the process. An administrator who has access to the hyper visor, (the traffic cop for all the virtual servers), clones the server where your data lies and then deletes it. The deletion however does not remove the server’s image. Then the administrator remounts the server outside of its original environment and has access to all the data with no one ever knowing it was stolen. With ample time the administrator could then crack the encryption scheme if one was present. This doesn’t necessarily have to be a cloud provider’s administrator – it could be one of your own – and that’s a risk Anderson says is often taken too lightly.
“Even my most trusted admin potentially could go psycho one day,” he says. “We talk a lot about intentional, indirect and accidental misuse of privilege. Intentional misuse of privilege is when the cloud administrator wasn’t happy with the raise he got, or decided he could make more money by selling your assets to a competitors, so he used his authority to create harm. If they have full authority at the root level through their cloud servers, (typically Linux or Unix), then they can plant logic bombs, they can copy data, and they can bring the system to its knees if they want to be intentionally harmful.”
He says though, it’s more likely they’re going to do accidental things like issue the wrong command in the wrong directory and delete all the users. That’s why he says his company focuses on setting up an environment where administrative permissions are parceled out privilege by privilege.
“So now, instead of giving root access to your cloud administrator, he comes in as a standard user, but when he wants to do a function it goes through the policy management function and inquires if the user has the authority to do that function,” Anderson explains. “If so, the operating system grants the authority for that administrator to do just that function.” He adds that there is also no more logging out and back in, or re-authentication needed.
Those in construction and architecture and engineering often have a good understanding of the access and the authentication processes, but may not be as knowledgeable on authorization. Whether moving to the cloud or not, that third piece of access control adds an important security element.
As more people and businesses use Web-based applications the list of vulnerabilities increases generating issues with cloud security trust. In 2008, IBM’s Annual X-Force Report showed Web application vulnerabilities on a steep ascent, climbing by approximately 3,000 over the previous year. The same report showed data manipulation and file manipulation as the only two of eight vulnerability items on the increase, with data manipulation steeply climbing, and file manipulation on a gradual upward trend.
Attacks are shifting from the network layer to the framework of the applications layer. This is happening because the applications are largely run through Web browsers. The other troubling issue is one of application provider response to vulnerabilities that can affect cloud security trust. IBM’s report also showed that of all the Web application vulnerabilities exposed in 2008, 74 percent had no patches available by the end of the year.
A classic example of a data manipulation scheme is an SQL injection attack and according to Georg Hess, CEO and cofounder of Art of Defence, a company that provides comprehensive application security technology for every scale, these attacks can gather your database contents by simply populating the login field with a valid SQL command.
“Typical attack vectors are not targeting the network layer but they are trying to manipulate the software itself,” Hess says. “Think of a log-in field where you supply your name. When you put in your name there will be a cloud application that takes your name and checks it with a database. If the name is in the database you get access to your CAD data in the cloud. But if that cloud application does not validate the input then anyone could input a small phrase written in the database language that causes the database to reveal all the data files of all the valid users of that application.”
In the annually updated Open Web Application Security Project Top Ten List, (OWASP), of the typical attacks that only attack the application layer, this SQL injection attack is one of the most prominent.
According to OWASP, injection attacks, (not limited to SQL databases), let attackers spoof identity, tamper with data, change transactional data, reveal all the data on the system, destroy data or take control of the data as an administrator. The organization recommends having a strong data security policy and using methods that complement each other to mitigate SQL injection.
- Parameterized queries that keep the query and data separate by using placeholders called “bound” parameters
- Using parameterized stored procedures
- Minimum privilege accounts and never sa, dba or admin
Hess recommends making sure to ask your SaaS cloud provider to describe the kinds of security controls it uses on all layers subject to vulnerabilities. This should go beyond just network security and also address application security. Ask the same questions of any managed security services you use, or intend to use. Identity management is another key area to inquire about.
When moving applications to an infrastructure as a service (IaaS) provider it may not be able to cover the full range of security controls for all of the layers. In that case Hess says to use the services of one of the provider’s partners that offers those kinds of security packages. For example, he says, Art of Defence offers a small plugin that works with Amazon’s offerings.
The keys to cloud security focus on knowledge. You have to know what your vulnerabilities are and how to mitigate the risks. Your cloud provider must be part of that equation.
Facebook Page
Cloud News
- Clare Computer Solutions to Hold Seminar Series on Cloud Computing for Business - PR Newswire February 22, 2012
- Rules 'Threatens Cloud Computing Growth' - Industry Week February 22, 2012
- Can Cloud Computing Open Up New Opportunities? - Soa Wolrd February 22, 2012
- Cloud Computing: AWS Adds Simple Workflow Service to Its Wares - Soa Wolrd February 22, 2012
- US cloud computing report slams Brazil, India, China - Economic Times February 22, 2012
Construction Informer
- Video Walls May Be Coming to a Construction Project Near You…Real Soon February 22, 2012 DCraig
- Redesigned iPhone Weather App Does Better Job of Keeping Users Informed February 21, 2012 DCraig
- Low Profile Septic Tanks Promise Installation Advantages February 20, 2012 DCraig
- Gee, An Energy Efficient Hot Water Heater February 17, 2012 DCraig
- Smart Elevator Tech Promises New Levels of Efficiency February 16, 2012 DCraig
Badges
Support Wikipedia
