Cybersecurity Collage

Without 3rd Party Security ‘Vendor Brokers’, AWS and Azure May Not Be For You

…at least for PCI anyway. It’s just too damned difficult to get all the security wrappers PCI requires without Vendor Brokers.

Cybersecurity has now be made too complex – by security vendors – to be able to mix-and-match with individual vendors from the AWS/Azure marketplaces. I don’t know of any single vendor who can cover even a majority of the PCI requirements related to platforms.

i.e.

  1. Firewall Management;
  2. Configuration Standard(s);
  3. Anti-Virus;
  4. Vulnerability Management;
  5. Patching;
  6. Access Control;
  7. Authentication Mechanism(s);
  8. Logging & Monitoring;
  9. Web Application Firewall; and
  10. File Integrity Monitoring

There are many reasons for this, one of which is that ever since security became a multi-billion £/$/€ a year industry, hundreds of companies have started up to try bring us the ‘silver bullet’ appliances.  Not only do silver bullets not exist in cybersecurity – and you should be shot for using the phrase in any way that’s non-derogatory – but where are the overwhelming majority of those companies now?

They either failed, or have been ‘collected’ by larger companies who have tried to duct-tape the disparate products into silver-bullet solutions.

Which have also failed.

It’s not that the original products didn’t work, some of them actually did, it’s that;

  1. Organisations threw technology at business problems without knowing why they were doing it;
  2. The big companies that collected the smaller ones tried to integrate the individual products together under one GUI, instead of unifying the functionality under a single code base; and
  3. There has never been, and there never will be, a one-size-fits-all solution to security.

But the market is still ripe for innovation, and there will continue to be companies starting up with the goal of bringing a single product to market that will catch the latest security hype/wave/buzz and make them their fortunes (UEBA for example).  They may even succeed, but only if they make their impact in the first year or two, otherwise the market will have moved on.

And if they’re VERY lucky, the larger companies will be naive / ignorant enough to buy them and save them the trouble.

Don’t get me wrong, I am not against combining single products into a larger solutions. In fact it’s the only way to go, but only if it’s done correctly.  Single product companies have 100% focus, which gives them drive, short-term goals, and a dedication to making their one product the best. The second you absorb that company however, every one of those attributes that put them on (or near) the top, are lost in the larger mix.  The functionality is diluted, innovation ceases, and the the whole thing quickly becomes obsolete.

True integration of functionality can only be accomplished with a single code base, and a single platform, which means that any organisation that absorbed the smaller companies better have a plan in mind to migrate not only the applications over to their growing solution, but they will need to consider all of the clients who bought the product prior to the M&A.  These guys often suffer from a total lack of customer service and support, and there’s no way they’ll buy into the larger program.

In my experience, the due diligence necessary to combine product companies is not overly abundant, and until it is, we should all be VERY careful when we look to resolve our security issues with multi-function solutions.

I call these Vendor Brokers ‘collage companies’, as the picture might be pretty, but it’s in no way whole.

Here are a few questions you might want to ask your potential providers;

  1. Can your solution replace some / most of my current functionality?
  2. Do you provide a consultancy ‘wrapper’ around these solutions to help us manage them against our business goals?
  3. Will the output from your solution feed into my current collection mechanism, or can my current output feed into yours?
  4. Are the various aspects / functions of your solution ‘home grown’, or obtained through acquisition?  If acquisition, how have you unified the back end code and platforms?
  5. How do you ensure that the different functions of the solution receive a similar attention to what the single product vendors provide?
  6. Do you have a single customer support process to handle all functionality questions?

Regardless of the shenanigans going on in the security product market, your choice of Vendor Broker should only be driven by what your risk assessment and gap analysis said you need, and your due diligence should cover any requirements you may have regarding integration and ongoing maintenance.

If is doesn’t, don’t expect Vendor Brokers to help, they have enough problems keeping their own houses in order. 

[If you liked this article, please share! Want more like it, subscribe!]

Cloud Computing

Are Cloud Providers ‘Too Big to Fail’ – Let’s Hope So

In a rather ludicrously titled article (yes, even for me!) ‘Too big to fail’ cloud giants like AWS threaten civilization as we know it” the author nevertheless addresses an interesting point. And while I almost entirely disagree with the final conclusions, they represent a valid, if extreme viewpoint. If those conclusions are a little self-serving, this can be forgiven in light of my own issues with some Cloud Providers.

The basic premise is that traditional hardware (servers etc.) sales are dropping, while cloud-based and managed services are on the rise. With the corresponding drop in hardware related skills (no demand), eventually we’ll be dependent on one of the big providers (Amazon, Google & Microsoft).

This is apparently very bad, as: “If one of these goes down hundreds of thousands of other companies go down too.” This is the “interesting point” I referred to earlier, unfortunately the reasoning presented simply makes no sense. Two examples provided are:

  1. power grid failures or natural disasters – with the fallout propagated worldwide; and
  2. AWS’ hiking of its UK prices post-Brexit as an example of how quickly customers could be affected.

First, suggesting the Google, Amazon or Microsoft have a single point of failure that could take them down globally is ridiculous. Second, with regard price fluctuations, this is likely the result of organisations choosing a provider based on price alone, and not performing adequate due diligence. In trying to save money by using US based provider, and not writing mitigating language into contract, you are the ones leaving yourselves exposed.

I’m really not picking on either the subject of the article, or the author, I’m just using this to demonstrate my point. Cloud services, done PROPERLY, are the future. Or without the stupid buzz-phrase; outsourced services over the Internet are the future of infrastructure management. The issue is that a lot of Cloud services are abysmal, and the due diligence performed by many organisations nothing short of a disgrace.

But outsource they will, and they should. For example, how many organisation really want to hire dedicated teams to perform all of the following;

  1. Design Operating System Hardening Guides;
  2. Build and maintain servers;
  3. Install and configure all relevant security software/application;
  4. Patching and Vulnerability Management;
  5. Data Encryption;
  6. Access Control;
  7. Logging & Monitoring
  8. …and the list goes on.

Whilst finding a single cloud provider to take care of this is almost impossible at this stage, that’s where it’s going. Only the economy of scale available to large providers can make these offerings cost effective enough to be an option for non-enterprise businesses. And frankly, the only businesses who actually care about how data is made available, are the ones being paid to make it happen for someone else.

The motivations behind the referenced article are rather simple to deduce; 1) they have a vested interest in selling hardware, and b) they can make more money through channel than Cloud.

Fair enough, but channel’s loss of market share, and their inability to pivot is entirely their fault. They are now suffering because they have never tried to put their products into perspective. The rush to maximise profit margins was at the expense of making themselves a truly valuable partner.

If channel had only put a consulting wrapper around their offerings, they could still be selling solutions, not stuck trying to flog pieces of metal and plastic.

Perhaps this article will make more sense now they they are feeling the pain; Attention Channels/Resellers, Don’t Forget Consulting Services!

[If you liked this article, please share! Want more like it, subscribe!]

All About the Data

Forget Cyber, Forget Cloud, It’s ALL About the Data!

Ever wonder why data breaches are now called cyber attacks, or an application on the Internet is now called The Cloud? It’s for the same reason that Coca Cola is constantly changing it’s ‘look’, adding ‘new’ flavours of what is basically the same sugary mess. And why they’ve changed their slogan FORTY SEVEN times in their 125 year history;

To keep things fresh, to keep you thinking about them, and of course, to help you spend money.

So is this necessarily a bad thing for the field of information security? The answer is clearly no if these marketing ‘tricks’ actually help keep you secure though valid awareness programs and good services. But a resounding YES if it’s just a new buzz-phrase used to sell the same services with less due diligence.

Too many vendors and self-interested lobby groups are frighteningly good at demand generation. From new buzz-phrases, the invention of perceived needs, and playing on an organisation’s fear of losing a competitive edge, these have all been the cause of many bad purchasing decisions. This is especially frustrating when the tools for making good decisions have been around for decades. Literally.

For example; ISO 27001 – probably the best known and de facto security framework – has it’s roots in BS 7799 first published in 1995, ISACA’s COBIT was released in 1996, and even PCI (which is just a controls based standard for the protection of cardholder data) has some merit in its 10th year in existence. If these aren’t enough, the ages-old – but still VERY much alive – concept of Confidentiality, Integrity and Availability has been around for so long that no-one seems to know when it started.

And these are just the overarching frameworks for the security of data, beneath them you have equally well known, mature, and readily available tools for the protection of your data assets:

1. Governance – The Business side and the IT side having meaningful conversations;

2. Risk Assessment – An examination of the business needs applied to the current ability to achieve those goals;

3. Vendor Due Diligence – a THOROUGH review of the external help you’ll likely need;

4. Asset Management – You can’t manage what you don’t even know you have; and

5. Vulnerability Management and Change Control – If you have absolute control over the changes you make internally, the only things that can increase risk are from the outside. These two tools work hand-in-hand.

All of these tools are covered to a varying degree in the above frameworks, and represent standard good security practices established for longer than most of us have been alive. Without these processes in place, you don’t have data security. Full stop.

So if they are that established, why are they not as well known and pervasive as they should be? Simple, and for the same reason no-one likes paying for insurance; there is no obvious positive impact on the bottom line. Where’s the ROI for spending money on security? But this assumes that an ROI involves making MORE money, but is not LOSING money just as impactful? Fines, damages / reparations, and the inevitable loss of reputation all have significant negative impact.

Instituting an appropriate level of data security for your business is actually quite simple, keeping it in place requires much more effort but is equally simple; follow the decades-old advice of the existing frameworks.

[Ed. Written in collaboration with Voodoo Technology, Ltd.]

[If you liked this article, please share! Want more like it, subscribe!]

The Internet of Things – A Security Game Changer

Imagine being able to turn the oven on 20 minutes before you get home so it’s ready to start cooking… or taking a quick remote peek into your fridge/cupboards/bread bin to see if you need anything at the supermarket … or re-programming your air conditioning / heating while you’re on Holiday.

All of the above is simple, and already possible, just go here for a bunch of others; http://postscapes.com/internet-of-things-examples/. Some are incredibly far reaching, not to mention awe inspiring.

Along with the exponential increase in convenience, efficiency, and entertainment, is an equal increase in the cost to your privacy, security, and in some cases, your actual well-being. For example, this site http://www.vitality.net/glowcaps.html is about reminding you to take medications. What happens if you start to rely on this with your critical meds and someone ‘hacks’ it?

This blog is in no way a criticism or a doomsday prediction of the trend. I love this stuff and cannot wait until every aspect of my life is a blink, gesture, or eventually a thought away. However, whereas previously our lack of knowledge in basic self-defence principles related to the Internet could have caused embarrassment or the loss of a few quid, the Internet of Things could, quite literally, put your life in danger.

If YOU let it.

As a previous article If You Want More Privacy, Stay Off the Internet stated, the conveniences you crave have a price, and the price is only going to go up the more you expect from it. The Internet is like gambling, only bet what you can afford to lose.

It’s not about the RIGHT to privacy, we all have that as a basic Human Right, it’s that you cannot EXPECT privacy given the inherent insecurity of the medium, the criminal element, and good old fashioned stupidity.

You are not owed security, or perfection, so the due diligence is entirely yours, as is the ongoing maintenance and security monitoring of your new functionality. The things you will be able to do will be unbelievably tempting, but keep these points in mind:

  1. Start Small – don’t sign up for every new thing when it becomes available, you will never be able to track them all, let alone secure them.
  2. Keep it Simple – automated notification of the need for milk is harmless, automating insulin doses is not.
  3. Rely on Nothing – especially when your physical well-being is concerned. Always, ALWAYS have a back-up if your primary mechanism fails.
  4. Minimise the Impact – expose only what you don’t mind losing. Insure everything, especially your finances.
  5. Take Responsibility – blame yourself if things go wrong, don’t waste your time pointing fingers at others. This was YOUR choice, live with it.

Like everything that’s coming in the future, innovation has benefits matched equally by the downside. ‘Government’ will do its best to protect us through laws and regulations, but they will fail to keep up with OUR demand for functionality. Security experts will do their best to protect us, but they too will fail to keep up with the competitive rush to fulfil OUR demand.

Enjoy it, just be careful.

Personally I’m going to be interested in what ‘butt-dialing’ will look like in the next decade. You’ll probably come home to find your vacuum cleaner ordering pizza and watching porn.

Internet of THings

Vendor Due Diligencce

Vendor Due Diligence: Assessing Cloud / Service Providers

There is a lot of confusion about how to treat Cloud providers from a vendor due diligence, or compliance assessment perspective.  I’m not sure why, they are just another service provider. The Cloud, in and of itself, adds nothing.

My thoughts on The Cloud are not a secret; Don’t Get Me Started On ‘The Cloud’, but it needn’t be all negative.

So you have – or you want to – outsource/d some aspect of your business function, usually an ancillary part, unless your business is almost entirely white labeled (like in e-commerce for example), and must therefore ensure that the service provider treats your data and/or systems the same way (or better) than you do.

In theory, the only reason you would not be able to measure your service/cloud provider against a defined standard, is if you don’t have one.  You have one, right?  That, by itself, precludes your compliance with ANY standard or accepted good practice.

All too often the real issue is that organisations are trying to outsource their problems (PCI compliance for example), and not focusing on their business needs in general.  While you can outsource almost every business function you can never outsource responsibility.  You can even outsource some of the liability (cyber-insurance for example), but it’s your name that will be dragged through the mud if things go wrong.

It bears repeating; You can NEVER outsource, or in any way deflect, the responsibility for the protection of the data you control.

The way to look at this is to see all 3rd parties / vendors as just a different department of your organisation.  You should have THAT kind of control, and it’s up to you to ensure that they are meeting their commitments.  Service Levels Agreements (SLAs) are a difficult concept, especially for Cloud providers, but that should not your problem, it’s should be theirs.

Here’s a lengthy but good article from IBM on SLAs; Best Practices to Develop SLAs for Cloud Computing

They may have just chosen to jump on the cloud bandwagon, and see this as a way to multiply their client base using the same, or retro-fitted, infrastructure (you need built for purpose).  Calling it a cloud service is, in this case, another phrase for smoke and mirrors.  However, there are some excellent cloud/service providers out there, and you will know them by the way in which they answer, or in some cases entirely pre-empt, your concerns.  They will:

  1. come to you with detail about how they will manage your systems / apps etc, and this will almost certainly support your policies or compliance. Ideally the services will be independently certified as compliant (against PCI for example, and if relevant).
  2. have no problem incorporating your policies or regulatory reporting needs into their service.  They may already exceed yours in this respect if they follow the concept of go-with-what’s-hardest-and-everything-else-is-covered.
  3. have various levels of SLA already defined from which to choose.  Be VERY wary of any cloud / service provider who has no pre-defined SLAs.
  4. have a seamless way for you to measure them against the SLAs.  The old misquoted cliche; You can’t manage what you can’t measure, while irritating, is completely appropriate here.
  5. be able to assist, or train you, to find everything you need during a compliance assessment.  YOU must be able to answer your auditors/assessors questions, you can’t just point at your vendor.

If you don’t have a vendor due diligence program, you need to get one.  If you don’t have a set of defined policies and business need SLAs, get them.  And if you don’t know how to go about any of this, ask someone who does!

Just like in Top 10 Roadblocks to PCI Compliance, not knowing how to do something is not an excuse, there are quite literally hundred of experts who can help you.

Find one.

[If you liked this article, please share! Want more like it, subscribe!]