Get My Score

Trending in Security

aws outage

The Benefits of a Hybrid Cloud

Having different workloads on both public and private clouds embraces a hybrid cloud strategy that is increasingly becoming popular with IT and CISOs. In essence, this strategy means avoiding the proverbial “putting your eggs in one basket”, which is the best way to invite risk and breaches to your data.

We got a glimpse into the vulnerability of the cloud last week when Microsoft Azure’s South-Central US data center region was down for a while after a severe lightning storm disrupted their cooling system.

According to a TechTarget article, Azure Outage Spotlights Cloud Infrastructure Choices, “the surge hit the power cooling systems, and subsequent rising temperatures triggered automatic hardware shutdowns.  Nearly three dozen cloud services, as well as the Azure status page, bore the brunt of the storm”.  The article cited that “much of the problem lies in how Microsoft has built out its public cloud architecture, where most Azure regions are comprised of a single data center”.  Additionally, there are so many risks of failures from many events, when workloads are solely stored on single data centers. To avoid this happening in the future writer James Montgomery at TechTarget said, “Microsoft must also modify its software to accommodate a multi-availability-zone architecture”.

This Microsoft incident points out, once again, that a cloud first strategy opens up an organization to service outages and downtime.  According to analytics firm Cyence, a startup that models the economic impact of cyber risk, the four-hour AWS outage in 2017 caused S&P 500 companies to lose approximately $150m.  It’s crazy to think how much could be lost if a major cloud provider is offline for days.  Lloyd’s, the specialist insurance and reinsurance market, in partnership with the risk modeler, AIR Worldwide put out a report in January that calculated an "extreme" cyber-incident -- one that takes a top cloud provider offline in the US for three to six days -- would result in industry losses of $15bn. 

Azure Outage, AWS downtime

A hybrid cloud infrastructure provides organizations more control of their critical workloads, which could mean everything if a cloud provider is unfortunate enough to be pushed offline for hours/days.  Check out our eBook, The Enterprise Journey to the Hybrid Cloud, which walks you through the steps required to building a world-class Hybrid Cloud infrastructure from setting goals and developing consensus to building and deploying secure hybrid workloads.

 

0
0
0
s2sdefault
vote tampering

 

Looking ahead to this fall’s elections, I won’t dwell on the ‘who’, be it Russia, China, North Korea, or someone closer to home, but some entity, somewhere, will  ‘meddle’, and the best we can do is to minimize the impact. 

 We’ve read that the Russians have moved beyond simple (ok… not so simple) vote tampering, and social networks are old hat.  So what can we control?

The very integrity of the data, an assurance that what is stored within the enterprise or in the cloud is unaltered;  has not been tampered with.  Here is where cloud security comes into play.

Over the past few years, we’ve witnessed way too many instances of data stored in the cloud compromised, including marketing data, political party data, health records, etc.     With the rush to the cloud, pressures from our CFOs, and a bit of groupthink, we’ve become sloppy.  The same precautions we’ve taken for our on-premise data centers – access controls, both internal and external, encryption, and even record keeping – some of us have forgotten, with negative impacts that shouldn’t be a surprise.  But posting the data across the internet is only the first salvo.  Hackers now have the tools to alter the data at-rest, and without proper checks in place, the source of truth becomes elusive. But the solution is not difficult, and doesn’t require a string of esoteric certifications.  Just common sense.

The public cloud providers offer a number of services designed to monitor your accounts – your controls, services, and applications – while at the same time providing notifications if something is amiss.  In parallel, software vendors like Cavirin offer powerful security tools that pick up where the cloud provider leaves off.  Cavirin provides real-time visibility and remediation of hybrid infrastructures so that governments can identify gaps in their defenses and take immediate action to more effectively address pressing threats they might/will face.

As part of making your move to the cloud, understand your exposure and the tools available, both CSP and 3rd party, to mitigate.  And put in place and execute a plan before moving any critical workloads or data to AWS, Azure, Google Cloud, etc.  Looking forward to November, this should serve as a call-to-action.

In the same way that GDPR forced the privacy issue, and even in the US had a positive impact such as the CCPR in my home state of California, we can take it upon ourselves to make sure that our clouds are in order… are secure and free from tampering.  We’re at 90 days, so put in place a plan!

0
0
0
s2sdefault
ciso challenges 2018

 

Instituting Solid Security Standards in Tough Times

The modern Chief Information Security Officer (CISO) faces myriad challenges as he or she strives to protect company data, meet regulatory requirements, and spread security awareness. Their mission to institute solid security standards is often hampered by a lack of readily available talent and a limited budget.

It’s a difficult, often thankless task, but resourceful CISOs with the right strategy, support, and tools can prevail. 

 

A Varied Role

The lack of a common, widely agreed upon definition of a CISO’s job muddies the waters considerably. The first wave of CISOs were often tasked with defining the role as they worked and there are still major differences in the responsibilities bestowed by different organizations.

First and foremost is the need to manage security and protect data, but many CISOs are also now expected to help build security into the infrastructure and train the workforce to be vigilant.

With the mass adoption of cloud services and the proliferation of complex hybrid environments, exacerbated by the rise of the IoT, the virtual office, and shadow IT, CISOs really have their work cut out for them.  A difficult job that requires synergy with various departments is fast-becoming more difficult.

CISOs must recognize potential threats and evangelize for the security cause to secure the budgets and cooperation they need to be successful.

 

Spreading Awareness

As cloud adoption continues to gather pace and organizations look for safe ways to migrate vast amounts of data, some security risk is inevitable. Perhaps the single greatest action CISOs can take to combat and mitigate that threat is to train the workforce and advance security awareness. After all, Gartner suggests that through 2022, at least 95 percent of cloud security failures will be the customer’s fault.

CISOs must develop a set of policies that enumerate precisely what action employees need to take when an incident occurs, whether it’s a suspected breach, a malware infection, or something else. Embrace the reality that people make mistakes and focus on how to deal with errors to swiftly correct them and minimize their potential impact.

Every employee should regularly complete a constantly evolving security training program that reflects the latest threats. It’s not enough to tick the completion box and move on; employees also need to be tested to ensure they are following policies. When people fail, further training is required.

 

Providing Proper Support

When CISOs were asked about their concerns for this year by the Ponemon Institute most of them named “lack of competent in-house staff” as their primary worry. There’s a dearth of experienced security professionals and this often leads to people being promoted from unrelated departments and training up in the job. Mistakes are the inevitable consequence.

To help support these security fledglings, CISOs can deploy supportive tools and software that offer an accessible overview of their organization’s cyber posture. (Know what is your CyberPosture Score.)
Automated alerts that highlight potential security issues, alongside clear advice on how to meet security standards and adhere to regulatory requirements can elevate the performance of inexperienced employees.
By conducting a full analysis of an organization’s security posture, compared with the necessary compliance considerations, best practices, and the latest benchmarks, CISOs can identify gaps in their defenses. This allows them to laser focus limited resources in the right places.

It’s crucial to bolster novice security teams with configurable software tuned to the required security standards. To effectively safeguard business-critical data, CISOs need the right strategy coupled with the right tools.

0
0
0
s2sdefault

New Generation Companies

IT has changed from driving the bottom line to driving the top line for enterprises. Most of these new applications are developed and built using the DevOps model. This movement was driven by new generation companies such as Google, Facebook, LinkedIn, Pinterest, Twitter, etc. Places where open collaboration is key, and more contributors are encouraged. In addition to changing the business landscape, these companies also built the next set of tools for big data, cloud, AI/machine learning and containers. All of these technologies are mostly open-source. This means the demand is rising for companies to get onboard. There has been a tremendous growth in recruitment activities among organizations that want to boost their open source technology presence. Hiring open source talent was a priority for 83 percent of hiring managers, an increase from 76 percent in 2017. Additionally, containers have been growing rapidly in popularity with 57 percent of hiring managers seeking container expertise (rise from 27 percent in 2017). Overall, we are now entering the scale of massive adoption across the business landscape hence driving the need for open source talent.

DevOps and Security Hiring

 

What are some steps companies and job candidates can take to benefit from this data?

Time to market is key. In the current business landscape, the speed of innovation has gone up dramatically with this new generation of open source tools. Companies need to recognize that they need in-house talent with the right set of expertise for their chosen toolset. Community-based technology fuels big structured and unstructured data. This also means innovative data-management and storage solutions. Both DevOps and SecOps must respond with an “open-source first” approach when it comes to deploying new software and security infrastructure. Almost any business that plans to survive wants motivated, creative people. They need a talent pool that’s more agile. They need the right mix of enterprise-grade folks who know what it takes to build enterprise-grade – secure, highly available, and robust applications. The newer generation of fast learners that can pick up the new toolset and drive innovation, with security, for business is in high demand.

How can people who are interested in a career in open source enter the field? 

 Jump with both feet into the pool. There are tons of amazing technologies available in the market to choose from. Pick the technology area that’s most aligned with your interest. Study it in and out and become an expert in the field. Participate and contribute to free and open source software (aka FOSS). These projects can offer a variety of learning opportunities. This can even help you start to build a portfolio of your work for prospective employers.  Another strategy is to learn how to make the best use of today's powerful open source technologies. Most of these technologies are new (a handful of years old) hence it depends on an individual’s attitude and aptitude to become the expert in the field and command top dollars from their perspective enterprises for their talent and deliver the results to their employers.

 

 

 

 

0
0
0
s2sdefault

Too start off the year, at least two publications have reported on surveys that detail the criticality of the cybersecurity skills gap.  For those old enough, it harkens back to the Cold War missile gap of the 1950s.  But unlike the missile gap, which was mostly fictional, this gap is very real, and much more relevant to the typical enterprise.

CSO drew on a Nov, 2017 ESG study that looked at gaps and potential solutions. The most alarming observation is that, despite increased spending and visibility, the percentage of respondents that reported a shortage of skills rose from 23% in 2014 to 51% in 2018. This doubling implies that the majority of organizations are threatened. As solutions, two areas that stand out include:

  • Moving toward technologies with advanced analytics.Think of artificial intelligence and machine learning as a helper application that can accelerate security processes and make the staff more productive.
  • Automating and orchestrating processes.Cybersecurity grew up with a reliance on manual processes, but these processes can no longer scale to meet growing demands. As a result, security automation/orchestration has become a top priority for many organizations.

 

0
0
0
s2sdefault

© 2018 Cavirin Systems, Inc. All rights reserved.