Posts Tagged ‘cloud security tips’

The Cloud Intensifies the Conversation About Cyber Insurance

No Comments
February 22, 2012 · by Duane Craig · Security

In December 2011, the New York Times reported that only one third of companies had insurance against losses related to their information technology. Generally called, Cyber Insurance, this protection gained a foothold during the 1990s. For AEC businesses using the cloud, cyber insurance can be the backstop to scenarios where the best laid security plans didn’t work out.

According to a U.S. government report:

Cyber-insurance is an insurance product used to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies. Coverages provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.

While estimates of total premiums being paid for cyber insurance currently rest in the hundreds of millions range, there are those who are predicting a 50 percent growth in that number during the next 12 months, according to the New York Times article. The thing is that, IT has not been traditionally involved in insurance planning, yet those are the people who are most familiar with the potential risks. When you add a general low understanding of just what is covered and what is not covered by insurance policies, the stage is set for surprises when things go wrong. Just like with homeowners’ policies, business policies have many exclusions. In one example cited in a Computerworld article this year, the cost of a damaged server is generally covered under business insurance policies, but not the cost of liability associated with NOT providing contracted services to a customer. Likewise, data loss, and not being able to access data is usually not covered.

While cyber insurance was initially focused on protecting companies when data breaches occurred, today’s adoption of the cloud adds a whole new level of complexity to insuring against cyber losses. Vendors of cloud computing products and services aren’t going to insure your losses, so it falls to you. But the risks now extend beyond the cloud and to all of those mobile consumer devices being brought to the job by employees. You can bet your standard business insurance isn’t going to cover any problems that arise from company data breached on an employee’s hardware. So far though, it is generally assumed that cyber insurance policies will follow the risks to their natural destinations.

In 2010, every breached data record cost companies more than $20 and the costs can be staggering, going beyond just the data loss or compromise to lawsuits for damages brought by those whose data was affected. One sobering example was Sony’s experience with more than 100 million records breached. Cyber insurance in many cases should be a no-brainer with that kind of potential for loss. However, many companies resist buying the coverage because cyber insurance policies can cost up to 4 percent per million. With potential losses running in the hundreds of millions for large events, the outlay could appreciably increase a firm’s annual insurance expenses.

The experts say a thorough assessment of the risks is the place to start when deciding if a cyber insurance policy is needed. For those moving to the cloud the urgency in doing that is increased, and it might even be considered as a final component to a complete cloud security plan.

BeyondTrust Awarded Significant Patent for PowerBroker Desktops

No Comments
January 4, 2012 · by Duane Craig · Security

BeyondTrust announced it was awarded U.S. patent number 8,006,088 covering key technologies that allow administrator privileges to be limited on a per-application basis on Microsoft Windows computers.

BeyondTrust is committed to innovation and thought leadership in the privileged identity management market, demonstrated by this latest patent, said John Mutch, CEO at BeyondTrust. The patent, which makes claims in connection with our technology for granting and removing user rights on a per-application basis, demonstrates our clear leadership in this market, and proves we are ahead of the competition in technology innovation and the fight against insider threats.

The patent covers the technology in BeyondTrust’s PowerBroker Desktops product for the network-based management of application security by modifying a Windows security token on a per-application basis. Specifically, the patent covers the methods by which PowerBroker Desktops modifies application security tokens by adding or removing permissions or privileges from the security token on a per-process basis, based on a set of rules that are enforced by an agent on the client.

Today’s marketplace is growing increasingly competitive with the introduction of new technologies almost daily, and the most successful businesses will be those that leverage their intellectual property to give customers the assurances they need when buying new products and services, continued Mutch. BeyondTrust has a number of patents covering our technology, and we are anticipating strong revenue growth as IT departments increasingly adopt the least privilege model of defending against insider threats.

Demand for Windows privilege management in particular is growing rapidly as more IT departments look for ways to mitigate insider threats (as well as reducing external threats from hacking or malware) as part of their Windows 7 deployments.

Here’s more information about the patent.

About BeyondTrust - Founded in 1985, BeyondTrust is the global leader in privilege authorization management, access control and security solutions for physical, virtual, cloud and infrastructure computing environments. The company’s products mitigate insider threats and secure the perimeter within across the enterprise, empowering IT governance to strengthen security, improve productivity, drive compliance and reduce expense. BeyondTrust, the BeyondTrust logo and PowerBroker are trademarks or registered trademarks, in the United States and certain other countries of BeyondTrust Software. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

Access Management Policies Hold Keys to Minimizing Administrator Risks

No Comments
September 13, 2010 · by Duane Craig · Security

In its December 2009 cloud computing security guidance paper, the Cloud Security Alliance (CSA) focused on adding clarity to what it described as a “complicated landscape, which is often filled with incomplete and oversimplified information.” Indeed, in talking to providers of cloud security services and products it would seem there is an unimaginable range of security concerns, each requiring its own unique solution from yet another solution provider.

But beyond the concerns there appears to be the opportunity to minimize risks in some areas while simplifying security at the user level. In other cases, existing security concerns that are magnified by cloud computing can bring new attention to them and foster new approaches to solving them. One such security risk that has been around since computing began is the one of administrator rights.

“Historically, if you are in an administrative role you’ve got root access, and root access is the equivalent of being omnipotent on that machine,” says Brian Anderson, chief marketing officer for BeyondTrust, a solutions provider for privilege authorization management, access control and security solutions for virtualization and cloud computing environments. “You can literally do anything, under any circumstances, to any amount of data, no matter how sensitive it is, and no matter how much encryption.”

Of course the level of data security policy should be matched to the sensitivity of the data and the vulnerabilities of the network where it resides. If you are running an estimating program in the cloud as strictly a number cruncher, with no associated customer information, then your risks are lower than if running it with customer information.

Access Management Policies

The CSA cites nine aspects, (page 66 of the guidance paper noted above), related to access control that you should review when you are selecting a cloud service or product. At the same time the organization admits the immature state of the cloud ecosystem and recommends an honest assessment of your own company’s ability to manage an access system. It also highlights the importance of knowing your cloud computing provider’s abilities related to access management. One important consideration involves the cloud provider’s access system used for its own administrators.

Anderson points to the risk associated with cloning a virtual instance of your virtual server. He describes it as virtual sabotage and outlines the process. An administrator who has access to the hyper visor, (the traffic cop for all the virtual servers), clones the server where your data lies and then deletes it. The deletion however does not remove the server’s image. Then the administrator remounts the server outside of its original environment and has access to all the data with no one ever knowing it was stolen. With ample time the administrator could then crack the encryption scheme if one was present. This doesn’t necessarily have to be a cloud provider’s administrator – it could be one of your own – and that’s a risk Anderson says is often taken too lightly.

“Even my most trusted admin potentially could go psycho one day,” he says. “We talk a lot about intentional, indirect and accidental misuse of privilege. Intentional misuse of privilege is when the cloud administrator wasn’t happy with the raise he got, or decided he could make more money by selling your assets to a competitors, so he used his authority to create harm. If they have full authority at the root level through their cloud servers, (typically Linux or Unix), then they can plant logic bombs, they can copy data, and they can bring the system to its knees if they want to be intentionally harmful.”

He says though, it’s more likely they’re going to do accidental things like issue the wrong command in the wrong directory and delete all the users. That’s why he says his company focuses on setting up an environment where administrative permissions are parceled out privilege by privilege.

“So now, instead of giving root access to your cloud administrator, he comes in as a standard user, but when he wants to do a function it goes through the policy management function and inquires if the user has the authority to do that function,” Anderson explains. “If so, the operating system grants the authority for that administrator to do just that function.” He adds that there is also no more logging out and back in, or re-authentication needed.

Those in construction and architecture and engineering often have a good understanding of the access and the authentication processes, but may not be as knowledgeable on authorization. Whether moving to the cloud or not, that third piece of access control adds an important security element.

Cloud Security By The Numbers

No Comments
August 21, 2010 · by Duane Craig · Security

Trust, security and privacy are three terms that surface quickly when people are discussing cloud computing. A survey, reported on by McAfee here and done by IDC showed more than 85 percent of Software-as-a-Service users were uncomfortable adopting cloud services because of security concerns. For those in construction, architecture and engineering the stakes are high.

From the cloud computing trust perspective AEC firms are concerned about uptime, file availability and bandwidth, not to mention the need for some reassurance that the company housing the data and providing the links is in business for the long haul.

But it’s the security and privacy implications of cloud computing that make those in construction businesses shiver the most. Security of files and documents that hold sensitive company and customer information is of top concern. Especially with companies in the AEC industries, the types of files where the information may be stored are expansive. Email, memos, images and contract documents might seem innocuous on the surface, but when you scrutinize them closely there are many opportunities for information compromise.

Where privacy is concerned there are compliance regulations that have to be followed, and for companies doing business across national borders the complexity of managing the privacy needs of the information gets increasingly difficult. Governments, standards organizations and computer software and hardware associations are grappling with the issues of trust, security and privacy for the cloud.

Data Security Policy

One key player is the Cloud Security Alliance that includes individuals, corporations and industry groups organized into chapters.

The U.S. Federal government has stepped up to the plate and thrown its weight behind the cloud computing concept. The recently appointed federal CIO, Vivek Kundra, is bullish on getting the government out of data center operations and on to the cloud provided by outsiders. Classified data will be handled on a platform designed by NASA called Nebula.

The National Institute of Standards and Technology (NIST) released a draft of its “Guide to Security for Full Virtualization Technologies,” July 21, 2010. In brief the recommendations outlined in the press release were:

  • Secure all elements of a full virtualization solution and maintain their security;
  • Restrict and protect administrator access to the virtualization solution;
  • Ensure that the hypervisor, the central program that runs the virtual environment, is properly secured; and
  • Carefully plan the security for a full virtualization solution before installing, configuring and deploying it.

Brian Anderson, chief marketing officer for BeyondTrust, a solutions provider for privilege authorization management, access control and security solutions for virtualization and cloud computing environments suggests attending to security in this order:

  • Be sure data is encrypted
  • Provide transmission security
  • Maintain physical security of devices holding data
  • Use secure authentication to ensure the identities of those with access
  • Give the least amount of authorization to administrators as possible

You can also download the Cloud Security Alliance’s “Cloud Security Guide,” for very in-depth cloud security guidance and advice on the right questions to ask of cloud providers and managed security services.