Cloud Computing

Are Cloud Providers ‘Too Big to Fail’ – Let’s Hope So

In a rather ludicrously titled article (yes, even for me!) ‘Too big to fail’ cloud giants like AWS threaten civilization as we know it” the author nevertheless addresses an interesting point. And while I almost entirely disagree with the final conclusions, they represent a valid, if extreme viewpoint. If those conclusions are a little self-serving, this can be forgiven in light of my own issues with some Cloud Providers.

The basic premise is that traditional hardware (servers etc.) sales are dropping, while cloud-based and managed services are on the rise. With the corresponding drop in hardware related skills (no demand), eventually we’ll be dependent on one of the big providers (Amazon, Google & Microsoft).

This is apparently very bad, as: “If one of these goes down hundreds of thousands of other companies go down too.” This is the “interesting point” I referred to earlier, unfortunately the reasoning presented simply makes no sense. Two examples provided are:

  1. power grid failures or natural disasters – with the fallout propagated worldwide; and
  2. AWS’ hiking of its UK prices post-Brexit as an example of how quickly customers could be affected.

First, suggesting the Google, Amazon or Microsoft have a single point of failure that could take them down globally is ridiculous. Second, with regard price fluctuations, this is likely the result of organisations choosing a provider based on price alone, and not performing adequate due diligence. In trying to save money by using US based provider, and not writing mitigating language into contract, you are the ones leaving yourselves exposed.

I’m really not picking on either the subject of the article, or the author, I’m just using this to demonstrate my point. Cloud services, done PROPERLY, are the future. Or without the stupid buzz-phrase; outsourced services over the Internet are the future of infrastructure management. The issue is that a lot of Cloud services are abysmal, and the due diligence performed by many organisations nothing short of a disgrace.

But outsource they will, and they should. For example, how many organisation really want to hire dedicated teams to perform all of the following;

  1. Design Operating System Hardening Guides;
  2. Build and maintain servers;
  3. Install and configure all relevant security software/application;
  4. Patching and Vulnerability Management;
  5. Data Encryption;
  6. Access Control;
  7. Logging & Monitoring
  8. …and the list goes on.

Whilst finding a single cloud provider to take care of this is almost impossible at this stage, that’s where it’s going. Only the economy of scale available to large providers can make these offerings cost effective enough to be an option for non-enterprise businesses. And frankly, the only businesses who actually care about how data is made available, are the ones being paid to make it happen for someone else.

The motivations behind the referenced article are rather simple to deduce; 1) they have a vested interest in selling hardware, and b) they can make more money through channel than Cloud.

Fair enough, but channel’s loss of market share, and their inability to pivot is entirely their fault. They are now suffering because they have never tried to put their products into perspective. The rush to maximise profit margins was at the expense of making themselves a truly valuable partner.

If channel had only put a consulting wrapper around their offerings, they could still be selling solutions, not stuck trying to flog pieces of metal and plastic.

Perhaps this article will make more sense now they they are feeling the pain; Attention Channels/Resellers, Don’t Forget Consulting Services!

[If you liked this article, please share! Want more like it, subscribe!]

Forget Cyber, Forget Cloud, It’s ALL About the Data!

Ever wonder why data breaches are now called cyber attacks, or an application on the Internet is now called The Cloud? It’s for the same reason that Coca Cola is constantly changing it’s ‘look’, adding ‘new’ flavours of what is basically the same sugary mess, and why they’ve changed their slogan FORTY SEVEN times in their 125 year history;

To keep things fresh, to keep you thinking about them, and of course, to help you spend money.

So is this necessarily a bad thing for the field of information security? The answer clearly is no if these marketing ‘tricks’ actually help keep you secure though valid awareness programs and good services, but a resounding YES if it’s just a new buzz-phrase used to sell the same services with less due diligence.

Too many vendors and self-interested lobby groups are frighteningly good at demand generation; new buzz-phrases, invention of perceived needs, and playing on an organisation’s fear of losing a competitive edge, have all been the cause of many bad purchase decisions. This is especially frustrating when the tools for making good decisions have been around for decades. Literally.

For example; ISO 27001 – probably the best known and de facto security framework – has it’s roots in BS 7799 first publish in 1995, ISACA’s COBIT was released in 1996, and even PCI (which is just a controls based standard for the protection of cardholder data) has merit in its 10th year in existence. If these aren’t enough, the ages-old – but still VERY much alive – concept of Confidentiality, Integrity and Availability has been around for so long that no-one seems to know when it started.

And these are just the overarching frameworks for the security of data, beneath them you have equally well known, mature, and readily available tools for the protection of your data assets:

1. Governance – The Business side and the IT side having meaningful conversations;

2. Risk Assessment – An examination of the business needs applied to the current ability to achieve those goals;

3. Vendor Due Diligence – a THOROUGH review of the external help you’ll likely need;

4. Asset Management – You can’t manage what you don’t even know you have, and;

5. Vulnerability Management and Change Control – If you have absolute control over the changes you make internally, the only things that can increase risk are from the outside. These two tools work hand-in-hand.

All of these tools are covered to a varying degree in the above frameworks, and represent standard good security practices established for longer than most of us have been alive. Without these processes in place, you don’t have data security. Full stop.

So if they are that established, why are they not as well known and pervasive as they should be? Simple, and for the same reason no-one likes paying for insurance; there is no obvious positive impact on the bottom line. Where’s the ROI for spending money on security? But this assumes that an ROI involves making MORE money, but is not LOSING money just as impactful? Fines, damages / reparations, and the inevitable loss of reputation all have significant negative impact.

Instituting an appropriate level of data security for your business is actually quite simple, keeping it in place requires much more effort but is equally simple; follow the decades-old advice of the existing frameworks.

[Ed. Written in collaboration with Voodoo Technology, Ltd.]

The Internet of Things – A Security Game Changer

Imagine being able to turn the oven on 20 minutes before you get home so it’s ready to start cooking… or taking a quick remote peek into your fridge/cupboards/bread bin to see if you need anything at the supermarket … or re-programming your air conditioning / heating while you’re on Holiday.

All of the above is simple, and already possible, just go here for a bunch of others; http://postscapes.com/internet-of-things-examples/. Some are incredibly far reaching, not to mention awe inspiring.

Along with the exponential increase in convenience, efficiency, and entertainment, is an equal increase in the cost to your privacy, security, and in some cases, your actual well-being. For example, this site http://www.vitality.net/glowcaps.html is about reminding you to take medications. What happens if you start to rely on this with your critical meds and someone ‘hacks’ it?

This blog is in no way a criticism or a doomsday prediction of the trend. I love this stuff and cannot wait until every aspect of my life is a blink, gesture, or eventually a thought away. However, whereas previously our lack of knowledge in basic self-defence principles related to the Internet could have caused embarrassment or the loss of a few quid, the Internet of Things could, quite literally, put your life in danger.

If YOU let it.

As a previous article If You Want More Privacy, Stay Off the Internet stated, the conveniences you crave have a price, and the price is only going to go up the more you expect from it. The Internet is like gambling, only bet what you can afford to lose.

It’s not about the RIGHT to privacy, we all have that as a basic Human Right, it’s that you cannot EXPECT privacy given the inherent insecurity of the medium, the criminal element, and good old fashioned stupidity.

You are not owed security, or perfection, so the due diligence is entirely yours, as is the ongoing maintenance and security monitoring of your new functionality. The things you will be able to do will be unbelievably tempting, but keep these points in mind:

  1. Start Small – don’t sign up for every new thing when it becomes available, you will never be able to track them all, let alone secure them.
  2. Keep it Simple – automated notification of the need for milk is harmless, automating insulin doses is not.
  3. Rely on Nothing – especially when your physical well-being is concerned. Always, ALWAYS have a back-up if your primary mechanism fails.
  4. Minimise the Impact – expose only what you don’t mind losing. Insure everything, especially your finances.
  5. Take Responsibility – blame yourself if things go wrong, don’t waste your time pointing fingers at others. This was YOUR choice, live with it.

Like everything that’s coming in the future, innovation has benefits matched equally by the downside. ‘Government’ will do its best to protect us through laws and regulations, but they will fail to keep up with OUR demand for functionality. Security experts will do their best to protect us, but they too will fail to keep up with the competitive rush to fulfil OUR demand.

Enjoy it, just be careful.

Personally I’m going to be interested in what ‘butt-dialing’ will look like in the next decade. You’ll probably come home to find your vacuum cleaner ordering pizza and watching porn.

Internet of THings

Vendor Due Diligencce

Vendor Due Diligence: Assessing Cloud / Service Providers

There is a lot of confusion about how to treat Cloud providers from a vendor due diligence, or compliance assessment perspective.  I’m not sure why, they are just another service provider. The Cloud, in and of itself, adds nothing.

My thoughts on The Cloud are not a secret; Don’t Get Me Started On ‘The Cloud’, but it needn’t be all negative.

So you have – or you want to – outsource/d some aspect of your business function, usually an ancillary part, unless your business is almost entirely white labeled (like in e-commerce for example), and must therefore ensure that the service provider treats your data and/or systems the same way (or better) than you do.

In theory, the only reason you would not be able to measure your service/cloud provider against a defined standard, is if you don’t have one.  You have one, right?  That, by itself, precludes your compliance with ANY standard or accepted good practice.

All too often the real issue is that organisations are trying to outsource their problems (PCI compliance for example), and not focusing on their business needs in general.  While you can outsource almost every business function you can never outsource responsibility.  You can even outsource some of the liability (cyber-insurance for example), but it’s your name that will be dragged through the mud if things go wrong.

It bears repeating; You can NEVER outsource, or in any way deflect, the responsibility for the protection of the data you control.

The way to look at this is to see all 3rd parties / vendors as just a different department of your organisation.  You should have THAT kind of control, and it’s up to you to ensure that they are meeting their commitments.  Service Levels Agreements (SLAs) are a difficult concept, especially for Cloud providers, but that should not your problem, it’s should be theirs.

Here’s a lengthy but good article from IBM on SLAs; Best Practices to Develop SLAs for Cloud Computing

They may have just chosen to jump on the cloud bandwagon, and see this as a way to multiply their client base using the same, or retro-fitted, infrastructure (you need built for purpose).  Calling it a cloud service is, in this case, another phrase for smoke and mirrors.  However, there are some excellent cloud/service providers out there, and you will know them by the way in which they answer, or in some cases entirely pre-empt, your concerns.  They will:

  1. come to you with detail about how they will manage your systems / apps etc, and this will almost certainly support your policies or compliance. Ideally the services will be independently certified as compliant (against PCI for example, and if relevant).
  2. have no problem incorporating your policies or regulatory reporting needs into their service.  They may already exceed yours in this respect if they follow the concept of go-with-what’s-hardest-and-everything-else-is-covered.
  3. have various levels of SLA already defined from which to choose.  Be VERY wary of any cloud / service provider who has no pre-defined SLAs.
  4. have a seamless way for you to measure them against the SLAs.  The old misquoted cliche; You can’t manage what you can’t measure, while irritating, is completely appropriate here.
  5. be able to assist, or train you, to find everything you need during a compliance assessment.  YOU must be able to answer your auditors/assessors questions, you can’t just point at your vendor.

If you don’t have a vendor due diligence program, you need to get one.  If you don’t have a set of defined policies and business need SLAs, get them.  And if you don’t know how to go about any of this, ask someone who does!

Just like in Top 10 Roadblocks to PCI Compliance, not knowing how to do something is not an excuse, there are quite literally hundred of experts who can help you.

Find one.

[If you liked this article, please share! Want more like it, subscribe!]

No Cloud

Don’t Get Me Started On ‘The Cloud’

With the exception of the iPhone ‘S’ versions;, The Cloud is perhaps the most irritating concept of the last decade.  It is the definitive re-branding of an existing service in order to drive new business in an era of doubt and uncertainty.

Security issues have become far more mainstream over the last few years, and lawmakers in every country are struggling to keep up with the demands for better protection of personal data.  So what we have now are hundreds of companies providing cybersecurity services ‘In the Cloud’. As though this is something new, and a must have for all organisations.

Breaking it down into its simplest terms, services in the cloud are services provided over the Internet.  Haven’t we had this for quite literally decades?  Why is the service to manage your firewalls suddenly a Cloud service, what’s wrong with simply calling it a MSS?

There are really only two valid ‘Cloud’ services;

1. Access to applications or resources you don’t have, and;

2. Distribution of functionality.

Everything else you do ‘In the Cloud’ is simply outsourcing, which is a perfectly valid, and often the best option.

Like everything else in security, never buy anything based on either a perceived need, what is the latest-and-greatest, and especially not a compelling sales pitch.  All capital expenditure, and moves toward outsourcing start with a business need, not external influences. This  includes compliance to regulatory standards.

You don’t need Cloud per se, you need a business process made cheaper, more efficient, or more competitive. HOW you get that done MAY include Cloud-esque services, but that will be determined by your Risk Assessment. Not by your CEO who read an article on his/her way to work, and certainly not by the fear of not having the latest toy.

Cloud services also add a layer of complexity that will generally be missing from most bespoke managed services; shared resources across multiple clients.  Who has access to your data?  How is your data kept separate from everyone else’s?  Because Cloud is a relatively new phenomena, SLAs and contract language has yet to catch up, so vendor due diligence takes on additional import.

In terms of providing a platform expertise that you don’t posses, or an operational resilience you simply can’t afford, Cloud may be an option. That said, you have best be sure your ‘Cloud’ provider has designed their service from the ground up, and not adjusted their marketing material. The latter, sadly, is by far the most prevalent.

Bottom line; do your homework, and run your needs by a security expert before taking the plunge.