Cloud Sentry Blog (https://cloudsentry.evident.io), powered by Evident.io

NIST Compliance for AWS – On-Demand Webinar
../nist-compliance-aws-webinar/ | Thu, 27 Apr 2017 16:27:01 +0000

The post NIST Compliance for AWS – On-Demand Webinar appeared first on Cloud Sentry Blog.


When compliance experts get together, they speak a unique language that’s peppered with acronyms and hyphens. The casual observer might see it as the quintessential “geek-out”, but this crew carries a serious burden. Without industry, governmental, or other types of standards, it would be nearly impossible to conduct any type of business, especially if you want to work with others who take security very seriously.

In our most recent webinar, Evident.io brought together three experts in cloud security to talk about meeting the U.S. government's NIST security control requirements, specifically NIST SP 800-53, in Amazon Web Services (AWS):

  • David Rubal – Chief Data and Analytics Technologist at DLT
  • Tim Sandage – Senior Security Partner Strategist at Amazon Web Services
  • Sebastian Taphanel – Federal Solutions Architect at Evident.io

With an emphasis on NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations, the control catalog that federal information systems are required to implement under FISMA), these experts go into depth on the intricacies of compliance in the cloud and the challenges of implementing NIST security controls on AWS.

As more businesses and government organizations move to AWS to host their data and application infrastructure, NIST 800-53 compliance becomes critical. Working through the catalog is an in-depth process that lets an organization update its risk-management approach to information security and align with established best practice. The controls are curated from practitioners across many government agencies, and FedRAMP's baselines, which are built on 800-53, are the yardstick against which public cloud offerings like AWS are authorized.

If you’re concerned about achieving compliance for regulated workloads in AWS or any cloud environment — and you certainly should be — we encourage you to view the webinar to learn more about continuous cloud security compliance through automation and monitoring.

View the webinar.

More than half of execs (incorrectly) see cloud as more secure than their own data centers
../execs-see-cloud-more-secure-than-own-datacenters/ | Tue, 25 Apr 2017 22:32:44 +0000

The post More than half of execs (incorrectly) see cloud as more secure than their own data centers appeared first on Cloud Sentry Blog.


You hear it all the time: the cloud is more secure than on-premises systems. It’s stated as if it’s an irrefutable fact, but the reality is that the cloud still requires a great deal of security management and monitoring for it to truly be secure.

Still, according to a recent survey of 500 IT executives (conducted by iSense Solutions for anti-malware vendor Bitdefender), 53 percent of U.S. respondents believe the cloud is more secure than their on-premises systems. Security is clearly one of the benefits enterprises expect when they move to the cloud. And moving they are: organizations are embracing cloud as they try to capture as much value as they can from their technology investments while under increasing pressure to deliver more apps, functionality, storage, and business agility than ever before.

And while hybrid infrastructures (a mix of public cloud, private cloud, and on-premises systems) are widely in use today, many predict that corporate data centers will give way to public and private clouds before long. Oracle CEO Mark Hurd predicted earlier this year that 80 percent of corporate on-premises data centers will vanish within eight years. According to Gartner, the total worldwide public cloud market will grow from $209 billion in 2016 to $383 billion by 2020.

Many also expect that by the end of the 2020s few on-premises deployments will be left at all.

According to the same survey, 55 percent of companies are currently turning to the cloud, citing increased productivity (54 percent), greater storage capacity (47 percent), and lower costs (46 percent) as their main reasons.

But let's look at this belief that public cloud is more secure than on-premises systems. A public cloud provider's infrastructure may well be more secure than what a given enterprise could build in-house, although even that depends on the enterprise's skills, resources, and use cases. More importantly, the provider's infrastructure is only part of what has to be managed to secure a cloud deployment.

The provider may secure the underlying infrastructure (virtual servers, networking, storage, and so on) to a higher standard than most enterprises could. But what about the ongoing configuration of the systems built on it? Identity and access management? The security and configuration of the applications themselves? Configurations change quickly in the cloud, so what about change control, logging, and auditing? What about logical network and storage segmentation? Under the shared responsibility model, all of these stay with the customer.

You get the idea. There are still plenty of things in cloud deployments that enterprises must focus on in order to keep their deployments secure.
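One of the checks behind those questions, written here as an added example rather than code from the original post: an audit of logical network segmentation over a snapshot of security group rules. The snapshot is constructed in the layout of `aws ec2 describe-security-groups` output (a subset of its fields); the group IDs and names, and the lists of acceptable public ports and forbidden admin ports, are assumptions for the example.

```python
import json

# Constructed sample in the layout of `aws ec2 describe-security-groups`
# (the real output carries more fields; only those the audit reads are kept).
# Group IDs, names and the VPC ID are assumptions for this example.
SAMPLE_SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-tier", "VpcId": "vpc-11111111",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,       # SSH from anywhere
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db-tier", "VpcId": "vpc-11111111",
     "IpPermissions": [                                             # only the web tier may reach Postgres
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d", "UserId": "111122223333"}]}]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "legacy-all-open", "VpcId": "vpc-11111111",
     "IpPermissions": [
         {"IpProtocol": "-1",                                       # every protocol and port
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]})

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {80, 443}        # assumption: the only ports allowed to face the internet
ADMIN_PORTS = {22, 3389}     # assumption: ports that must never face the internet


def audit_segmentation(describe_output):
    """Return (group_id, severity, reason) for each ingress rule that breaks segmentation.

    Rules whose source is another security group or a specific CIDR are left alone;
    only rules reachable from the whole internet are graded.
    """
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not sources & ANYWHERE:
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":  # no FromPort/ToPort on an all-protocol rule
                findings.append((sg["GroupId"], "critical",
                                 "all protocols and ports open to the internet"))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            # Very wide ranges are treated as "everything" rather than enumerated.
            ports = set(range(lo, hi + 1)) if hi - lo < 1024 else None
            if ports is None or ports & ADMIN_PORTS:
                findings.append((sg["GroupId"], "high",
                                 f"{proto} {lo}-{hi} open to the internet"))
            elif not ports <= PUBLIC_OK:
                findings.append((sg["GroupId"], "medium",
                                 f"{proto} {lo}-{hi} open to the internet"))
    return findings


if __name__ == "__main__":
    for group_id, severity, reason in audit_segmentation(SAMPLE_SECURITY_GROUPS):
        print(f"{severity:8} {group_id}: {reason}")
```

The db-tier group is the pattern to aim for: its only source is the web tier's security group, so it is unreachable from the internet regardless of what the web tier exposes. The same audit has to run continuously, not once, because any principal with `ec2:AuthorizeSecurityGroupIngress` can undo the segmentation in one API call.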

And systems or data in the cloud don't get a magic pass on compliance and regulatory requirements. So rather than thinking of public cloud as more secure, it's better to think of it as something that narrows the scope of what you must secure directly. That's a far more realistic perspective than assuming public cloud is simply more secure than on-premises systems.

My Mom Said it’s OK If I Code For You Guys: Finding Security Talent In Unusual Places
../finding-security-talent-unusual-places/ | Tue, 25 Apr 2017 21:40:26 +0000

The post My Mom Said it’s OK If I Code For You Guys: Finding Security Talent In Unusual Places appeared first on Cloud Sentry Blog.


Teenage rebellion manifests itself in many forms, and it takes a visionary to recognize genius in it. While some demonstrate their angst with green hair or eardrum-piercing speed metal, there also exists a subculture of teens who buck the system with code. Indeed, teen hacker activity runs the spectrum from mischievousness to outright criminal activity. Somewhere in the middle are the hackers who, out of curiosity and challenge, use their programming skills as a way to assert, discover, and have fun. Keep an eye out for that group – they may wind up being the most important protectors of your company.

Take the case of Jon Oberheide who, as a 17-year-old, sat in a Starbucks in Ann Arbor, Michigan and repeatedly hacked his way into the internal network of Arbor Networks. The company is, ironically, an infrastructure security company, so one can only imagine the level of freak-out when they discovered their network was being exploited. Arbor's Chief Security Architect at the time, Dug Song, identified the young Oberheide as the culprit, but rather than alert the authorities, he hired Oberheide onto Arbor's security team. Years later, in 2010, Song and Oberheide co-founded the device security company Duo Security, which has since received $49 million in venture capital funding.

Network and data security isn't taken lightly. Hacks and security breaches have created major issues for the brands and bottom lines of companies and governments all over the world. Most people have a very negative view of hackers and prefer a law-and-order approach to their activities: lock 'em up and throw away the key. But security is hard and requires a unique skill set, and the Song and Oberheide story demonstrates that if you can find people who approach security with determination, skill, and unabashed enthusiasm, it's probably best to get them on your team.

Evident.io CEO and founder, Tim Prendergast, along with Robert Half CISO, Eddie Borrero, recently presented at an Amazon Web Services (AWS) Summit in San Francisco on the topic of finding and hiring security experts. One piece of advice from Tim was, "look for aptitude, not experience." There's a pragmatic element to this, especially when there's a huge need for highly qualified security experts in the job market. It also speaks to the speed of innovation in this space: just because you've "done" security for 15 years doesn't mean you're capable of building the best security monitoring tool for the cloud. Someone who has beaten you at your own game, however, is probably a solid candidate.

Tim and fellow founder (and Evident.io CTO) Justin Lundy approach security expertise as something that must always be evolving and growing. The best security engineers are those who understand the severity of what is being secured, but are able to pair that with a sense of discovery and a deep understanding of what physicist Richard Feynman called “the pleasure of finding things out.”

It’s hard to find talent when you’re beholden to the traditional game plan. Resumes will tell you something, but there’s no substitute for seeing a person in action, especially when being successful at things they aren’t getting paid to do. Dug Song said, “Some of the best hackers don’t come with credentials or an Internet degree. A lot of this is driven by curiosity and a longing to learn more about systems.”

If you approach recruiting as a search for ability and desire, you might be surprised at where your next great hire comes from. Skill and desire know no age, gender, or orientation of any kind. Your next great security engineer could come from almost any walk of life or demographic. He or she might even need a permission slip to leave school for the interview. When you find that person, make an offer before you notice your data has been leaked.

The New Global Economy, Brought to You by PCI, APIs, and the Cloud
../new-global-economy-pci-api-cloud/ | Fri, 21 Apr 2017 20:37:32 +0000

The post The New Global Economy, Brought to You by PCI, APIs, and the Cloud appeared first on Cloud Sentry Blog.


The importance of a security standard can be measured not just in how accurate it is, but in how widely its effects are felt. Considering that the population of the United States alone holds just north of $1 trillion in credit card debt, it's safe to say that the impact of the Payment Card Industry Data Security Standard (PCI DSS) reaches far, wide, and deep. And if we look closely at what the standard does, it's clear that it's not just about the card anymore. Any organization that conducts digital financial transactions of any sort needs to demonstrate a commitment to security and a willingness to transact on behalf of its users in a safe environment.

PCI DSS is a compliance standard for protecting cardholder data, created by the card brands to reduce fraud losses and preserve customer trust. It was developed through a collaboration among American Express, Discover, JCB, MasterCard, and Visa as credit card activity on the web increased. As customer data touched more digital endpoints, these companies saw more vulnerabilities that required considerable time and resources to remediate. PCI DSS is the de facto standard for the security of digital payment systems.

To be clear, however, the standard is not just about the data. As written, it is "an actionable framework for developing a robust payment card data security process". Note the word "process". PCI DSS isn't so much about locking up cardholder data; it is far broader in scope and intent.

This is especially important now that purchasing is increasingly enabled in non-traditional formats: not just paying bills online, but buying and selling on mobile devices and through the Internet of Things (IoT). These channels are almost all driven by APIs, some of which handle financial transactions directly. The proliferation of APIs means that data can be delivered to users in a highly usable and customized way, but doing so means more endpoints and more touches, and by extension more potential exposure. Understanding where the threats are, and having a way to fix them, is therefore critical not just as a technology matter but as a business imperative. One could make the case that it's now APIs and the cloud that run the global economy. Data is the foundation, and these technologies form an expanding latticework of processes that create opportunities for credit, debit, and other payment cards to be used.

While data sits in software and moves around and between applications, it's processes that facilitate all this interaction. Processes identify, transact, and deliver user data where it can be most meaningful. More financial organizations are relying on the cloud to host and operate their technology, which means they're using more web services, and every payment triggers multiple API calls and still more processes. Staying on top of the security of all this activity is critical but can be overwhelming. Organizations that run PCI-scoped workloads in public cloud can take advantage of continuous cloud monitoring solutions like the Evident Security Platform (ESP) to stay aware of the security health of their cloud environment.


Being PCI-compliant, therefore, is a necessity for any organization that makes or facilitates digital financial transactions. Companies whose APIs and cloud applications carry payment data should take great care to maintain PCI DSS compliance so that their services can be used for payments, both by other vendors and in their own right. When they do, customers using those services can operate safely, confident that their data is handled to the strictest and most widely accepted requirements.

Staying Secure on Cloud 9
../staying-secure-on-cloud-9/ | Wed, 19 Apr 2017 20:55:02 +0000

The post Staying Secure on Cloud 9 appeared first on Cloud Sentry Blog.


With the legal cannabis industry expected to grow to over $20 billion by 2020, this fast growing industry is gaining attention amongst investors and companies looking to ride the wacky tobacky wave.

However, the industry faces a lot of challenges, too. It has to deal mostly in cash, since the conflict between federal and state law makes it difficult for these businesses to get bank accounts. The rules and regulations imposed by local and state governments change frequently, which requires the industry to be adaptive about regulations and the licenses or permits it needs.

But one real area of concern for the industry and cannabis consumers alike is data privacy and cybersecurity. As revenue and customer numbers for dispensaries and growers go sky high, so does the potential for breaches. That is a huge issue for a customer base that values its privacy more than most.

As the industry matures, cannabis-centric companies need to be certain they are following security best practices to keep their data secure and out of the reach of hackers who might be eager to expose customer data or hold their systems to ransom. The risk is real, and a breach totally blows for businesspeople who would rather be dankrupt than bankrupt.

The reality, however, is that the industry doesn't need to start from scratch when devising its cybersecurity best practices. Companies running their systems in the cloud, on Amazon Web Services (AWS) or Microsoft Azure, still need to take steps to secure their own data and systems: the provider secures the underlying platform, but configuration, identities, and data remain the customer's responsibility. Mainstream businesses have the advantage of specific frameworks that set best practices for security and privacy, like HIPAA, PCI DSS, or NIST 800-53.

The cannabis industry hasn't advanced far enough to have compliance standards of its own, but I can imagine what they might be called:

  • TOKE – Total Oversight of Key Environments
  • PUFFS – Persistent Unified Framework For Security
  • POT – Preventing Ongoing Threats

Until the powers-that-be work on compliance frameworks specific to the cannabis industry, following the guidelines set by CIS, PCI DSS or NIST 800-53 can set organizations on the right path to ensure they are following security and privacy best practices.

If you need help getting started, we’ve got lots of security pros here who will be glad to light you up.

Guided Risk Remediation: On-the-Job Cloud Security Training
../guided-risk-remediation-job-cloud-security-training/ | Mon, 10 Apr 2017 17:48:33 +0000

The post Guided Risk Remediation: On-the-Job Cloud Security Training appeared first on Cloud Sentry Blog.


In the recent Cloud Security 2017 Spotlight Report, 28% of respondents cited a lack of staff resources and expertise as a barrier to moving to the cloud.

We hear this concern all the time — it’s hard enough to keep up with all of the security tasks at hand, let alone add on the additional need to train employees on new technology. Given the huge cybersecurity skills gap in the market today, trying to hire people who know everything already is nearly impossible.

That’s why the Evident Security Platform (ESP) was designed to be useful for both Cloud newbies and Cloud experts, and everyone in between, too. The uptick in DevOps adoption means that more and more people are pushing code and setting up Cloud services. The experts you have on staff can’t manage all of the security risks alone — so the ESP platform is designed to guide everyone through the process of remediating risks.    

Did you know that ESP provides recommended steps for remediation?
It's true: when you look at the Alert Details screen, you will find a description of the alert, the remediation steps, and, if you have enabled our User Attribution feature, who, when, how, and where the risk was introduced into the system. The description and remediation steps explain not only why you should be concerned about the alert, but how you can resolve the problem.

I wish that I had Remediation Steps when putting things together from Ikea! My wife is the builder in our family. We have a saying, “Her Tools, His Tech”, because she is excellent at putting things together and building things. Even with simple things I screw them up.

That's what's great about Evident, though: we give you guided remediation to fix problems fast and make your cloud infrastructure a little less attractive to the hackers lurking out there.

Here's a sample of the Remediation Steps for an alert that flags when multi-factor authentication is not set up properly. (Do us all a favor: please set up MFA on all your accounts!)

[Screenshot: remediation steps]

If you can follow instructions (unlike me, most times), you can make your boss happy and secure your infrastructure by remediating the risks. And you get hands-on, on-the-job cloud security training while you're burning down the alerts!
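To show what an MFA alert of this kind actually checks, here is an added example that is neither ESP's own logic nor code from the original post: it reads an IAM credential report (the CSV that `aws iam get-credential-report` returns), flags the root account and any console user without MFA, and builds the IAM policy that forces users to enroll before they can do anything else. The report below is constructed for the example with a subset of the real report's columns; the user names and account ID are assumptions.

```python
import csv
import io
import json

# Constructed sample in the layout of the IAM credential report (the CSV that
# `aws iam get-credential-report` returns base64-encoded). Only the columns the
# checks below read are included; the real report has more. User names and the
# account ID are assumptions for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2016-01-04T10:00:00+00:00,not_supported,2017-04-01T08:12:00+00:00,false,false,false
alice,arn:aws:iam::111122223333:user/alice,2016-02-10T09:30:00+00:00,true,2017-04-09T17:45:00+00:00,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2016-05-21T12:00:00+00:00,true,2017-04-08T11:02:00+00:00,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-07-01T00:00:00+00:00,false,no_information,false,true,true
"""


def find_mfa_gaps(report_csv):
    """Return (principal, severity, reason) for every principal that can sign in without MFA.

    The root row reports password_enabled as 'not_supported', so root is judged on
    mfa_active alone. Users that only hold access keys are not flagged here: MFA
    cannot be 'set up' on a key, it has to be enforced by policy (see below).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa_active = row["mfa_active"] == "true"
        if user == "<root_account>":
            if not mfa_active:
                findings.append((user, "critical", "root account has no MFA device"))
            continue
        if row["password_enabled"] == "true" and not mfa_active:
            findings.append((user, "high", "console password enabled without MFA"))
    return findings


def mfa_enforcement_policy():
    """IAM policy that denies every action except MFA enrolment until the caller has
    authenticated with MFA. It follows the deny-unless-MFA pattern AWS documents;
    BoolIfExists also catches requests signed with long-term access keys, which carry
    no aws:MultiFactorAuthPresent key at all and would otherwise slip past a plain Bool."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice", "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


if __name__ == "__main__":
    for principal, severity, reason in find_mfa_gaps(SAMPLE_REPORT):
        print(f"{severity:8} {principal}: {reason}")
    print(json.dumps(mfa_enforcement_policy(), indent=2))
```

Attach the policy to a group of human users only. A principal whose only credential is an access key (deploy-bot above) would be locked out by it unless it first calls `sts:GetSessionToken` with an MFA code, so service users need a separate control such as key rotation and scoped permissions rather than this policy.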

I would HIGHLY recommend that you enable our User Attribution feature if you haven't already. It gives you the who, when, and where of your alerts by correlating them directly with your AWS CloudTrail events. For more information, check out the docs page here.
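The correlation described above, as an added example that is not part of the original post or of the ESP feature itself: given a CloudTrail log file and a predicate describing the resource an alert is about, pull the who, when, where, and how from the matching event, resolving an assumed-role session back to the issuing role and session name. The records are constructed in the CloudTrail record layout; the user names, IP addresses, and account ID are assumptions.

```python
import json

# Constructed CloudTrail log file in the documented {"Records": [...]} layout.
# Field names follow the CloudTrail record schema; names, IP addresses and the
# account ID are assumptions for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {   # an admin role session removes bob's MFA device from the console
        "eventTime": "2017-04-08T14:22:31Z", "eventSource": "iam.amazonaws.com",
        "eventName": "DeactivateMFADevice", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.42", "userAgent": "console.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole", "accountId": "111122223333",
            "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice",
            "sessionContext": {
                "sessionIssuer": {"type": "Role",
                                  "arn": "arn:aws:iam::111122223333:role/AdminRole"},
                "attributes": {"mfaAuthenticated": "false",
                               "creationDate": "2017-04-08T14:01:10Z"}}},
        "requestParameters": {"userName": "bob",
                              "serialNumber": "arn:aws:iam::111122223333:mfa/bob"},
        "responseElements": None},
    {   # routine read-only call from a CI user with access keys: no session context
        "eventTime": "2017-04-08T14:25:02Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/1.11.76 Python/2.7.10",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/deploy-bot",
                         "userName": "deploy-bot"},
        "requestParameters": None, "responseElements": None},
    {   # bob, now without MFA, opens SSH to the world on a security group
        "eventTime": "2017-04-09T09:03:44Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2",
        "sourceIPAddress": "203.0.113.42", "userAgent": "console.ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob",
                         "sessionContext": {"attributes": {
                             "mfaAuthenticated": "false",
                             "creationDate": "2017-04-09T08:55:00Z"}}},
        "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
        "responseElements": {"_return": True}},
]})


def describe_actor(identity):
    """Turn a CloudTrail userIdentity block into a readable 'who'."""
    kind = identity.get("type")
    if kind == "AssumedRole":
        # The arn names a temporary session; the issuing role plus the session
        # name (conventionally the human who assumed it) say who really acted.
        role = identity["sessionContext"]["sessionIssuer"]["arn"]
        session_name = identity["arn"].rsplit("/", 1)[-1]
        return f"{role} as session '{session_name}'"
    if kind == "Root":
        return "the root account"
    return identity.get("arn", "unknown principal")


def attribute_change(log_text, event_names, touches):
    """Return who/when/where/how for each event in the log whose eventName is in
    event_names and whose requestParameters satisfy touches(), i.e. the events that
    could have introduced the risk an alert is reporting on a given resource."""
    attributions = []
    for record in json.loads(log_text)["Records"]:
        if record["eventName"] not in event_names:
            continue
        if not touches(record.get("requestParameters") or {}):
            continue
        identity = record["userIdentity"]
        attrs = identity.get("sessionContext", {}).get("attributes", {})
        attributions.append({
            "what": record["eventName"],
            "who": describe_actor(identity),
            "when": record["eventTime"],
            "where": f'{record["sourceIPAddress"]} via {record["awsRegion"]}',
            "how": record["userAgent"],
            "mfa_authenticated": attrs.get("mfaAuthenticated", "unknown"),
        })
    return attributions


if __name__ == "__main__":
    # Alert: IAM user "bob" has no MFA. Which event removed it, and who did it?
    for hit in attribute_change(SAMPLE_LOG, {"DeactivateMFADevice", "DeleteVirtualMFADevice"},
                                lambda p: p.get("userName") == "bob"):
        print(json.dumps(hit, indent=2))
```

Two things a practitioner would want from the output: the role session is resolved to `AdminRole` plus the session name `alice`, not left as an STS ARN, and the `mfaAuthenticated` attribute is carried through, so an MFA device removed by a session that itself had no MFA stands out immediately. CloudTrail delivery lags by several minutes and `eventTime` is UTC, so correlate on the resource and event name rather than on wall-clock proximity to the alert.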

With Cloud Maturity Comes Security Growing Pains
../cloud-maturity-comes-security-growing-pains/ | Thu, 06 Apr 2017 21:18:39 +0000

The post With Cloud Maturity Comes Security Growing Pains appeared first on Cloud Sentry Blog.


In battle things happen fast. Environmental conditions change, targets change, and throughout the fight, the capabilities of the various sides change. It can all happen so quickly that it’s difficult for decision makers on the ground to know what is going on without accurate, near instantaneous updates.

Without such updates, visibility into the fight becomes nearly nil and decision making not only becomes difficult but treacherous.

Securing cloud environments, albeit with generally much less dire consequences, is similar. Security and compliance professionals have to respond to attacks and to the ever-changing conditions of both their environment and their adversaries' tactics. To succeed, up-to-the-minute visibility is essential.

And it just so happens that visibility into cloud infrastructure operations is one of the most sought after capabilities among those who are embracing cloud for increasingly business critical and data-sensitive applications.

According to a recent survey of more than 2,200 global cybersecurity professionals, drawn from the more than 300,000 members of the Information Security Community on LinkedIn, gaining visibility into cloud infrastructure was cited as the most painful security management headache, by 37% of respondents. Visibility ranked second in the study conducted a year ago. This year attaining compliance came in second (36%) and establishing and maintaining consistent security policies ranked third at 33%.

The survey was sponsored by Evident.io, among other security vendors, and it found, not surprisingly, that respondents view security as the top barrier to cloud adoption. It also found (again not surprisingly) that security tools built for legacy environments don't get the job done in the cloud.

Of course, none of this is slowing cloud adoption. The survey states that cloud investment, overall, continues to grow over 20% annually “as organizations are looking for faster time to deployment, scalability, reduced maintenance, and lower cost.” And according to research firm Gartner, the IaaS segment alone is projected to grow 36.8 percent and reach $34.6 billion this year.

Key cloud security trends highlighted in the study include:

  • Security concerns top the list of barriers to cloud adoption led by general security concerns (53 percent, up from 45 percent in last year’s survey), legal and regulatory compliance concerns (42 percent, up from 29 percent), and data loss and leakage risks (40 percent). The rise in specific concerns about compliance and integration suggests that companies are moving from theoretical exploration of cloud models to actual implementation.
  • Unauthorized access through misuse of employee credentials and improper access controls is the single biggest threat (53 percent) to cloud security. This is followed by hijacking of accounts (44 percent) and insecure interfaces/APIs (39 percent). One in three organizations say external sharing of sensitive information is the biggest security threat.
  • The vast majority (84 percent) of respondents are dissatisfied with traditional security tools when applied to cloud infrastructure. Respondents say traditional network security tools are somewhat ineffective (48 percent), completely ineffective (11 percent), or can’t be measured for effectiveness (25 percent) in cloud environments.
  • The top three security headaches for organizations moving to the cloud include the following use cases: verifying security policies (51 percent), visibility (49 percent), and compliance (37 percent). These results suggest that companies are further along in implementation of cloud models compared with last year and are looking for security solutions that enhance the capabilities provided by service providers.
  • Organizations moving to the cloud have a variety of choices available to strengthen cloud security. 61% of organizations plan to train and certify existing IT staff, 45% partner with a managed security services provider, and 42% deploy additional security software to protect data and applications in the cloud.

There are a number of interesting findings here. The spike in regulatory compliance concerns shows, as the report states, that companies are moving from theoretical exploration of cloud models to actual implementation. But it also means, in my view, that more companies are moving from non-production and non-critical apps and data to confidential information and business-critical applications, as well as information that falls under regulatory compliance efforts.

The survey also shows, with a resounding majority dissatisfied with traditional security tools, what many of us have suspected for a while: security vendors that try to retool security applications that were built for legacy environments won’t fare well in the long run. And in that long run, organizations will select those vendors that provide the security controls – and visibility – that are designed for cloud and then actually clear the fog.

You can find the complete cloud security report here.

What you need to know about NIST 800-53 Compliance in AWS
../what-you-need-to-know-about-nist-800-53-compliance-in-aws/ | Wed, 05 Apr 2017 16:15:01 +0000

The post What you need to know about NIST 800-53 Compliance in AWS appeared first on Cloud Sentry Blog.


As more public-sector agencies and their partners move to the cloud, NIST SP 800-53 revision 4 (rev. 4), published by the National Institute of Standards and Technology, is the primary standard for security controls in federal information systems.

Join DLT, one of the nation’s top providers of IT solutions, Amazon Web Services (AWS), and Evident.io in this webinar, where these experts will exchange perspectives on what NIST 800-53 rev.4 compliance means for government agencies and private organizations alike.

Watch the Webinar

In this blog, David Rubal, Chief Data and Analytics Technologist at DLT, Tim Sandage, senior security partner strategist at Amazon Web Services, and Sebastian Taphanel, federal solutions architect at Evident.io discuss what NIST 800-53 rev.4 compliance is and how to address the challenges this set of regulatory security standards brings.

Q: Who needs to think about NIST 800-53 rev.4 Compliance?

[David Rubal]   Any organization that needs to pursue and maintain FedRAMP Authorization / FISMA Certification / DoD SRG / NIST 800-171 (Protection of Controlled Unclassified Information) / ICD 503, etc. In short, anyone working with the Federal Government to include Federally Funded Research Grants, Federal System Integrators, etc.

Q: What’s the perspective from the agency side?

[Tim Sandage] NIST 800-53 rev.4 is the ‘gold standard’ for federal security controls. Prior to AWS, Agencies owned their data centers and all associated hardware/software that ran on it. The tools used to keep an eye on the infrastructure services may not work the same way in the Cloud. Cloud Native solutions are specifically designed to meet the demand, growth, and elasticity required by a Cloud-enabled organization. Agent-based solutions don’t have access to the AWS API which manages the AWS customer infrastructure services for an Agency workload running in AWS. Without accessing the AWS API, there is a lack of visibility and transparency to what is really going on within an AWS customer environment.

Q: How does this apply to private organizations?

[Sebastian Taphanel] Some Private Organizations are contractually mandated to follow NIST 800-53 rev.4. Additionally, depending on the type of Risk Management Framework and overall maturity of their respective Risk Program, some private organizations may choose to follow NIST RMF (SP 800-37) and its associated Controls (SP 800-53 rev.4) as it is both comprehensive and well-documented. It should be noted that some smaller private organizations with limited resources sometimes opt for NIST Controls as a ‘catch all’ approach to managing their overall risk, in lieu of trying to manage several Risk Frameworks simultaneously.

Q: What are the challenges of achieving NIST compliance using NIST 800-53 rev.4 in AWS?

[Sebastian Taphanel] Understanding the scope of AWS services, shared responsibility and the inheritance of controls a customer can leverage from the authorizations granted to AWS: Inheriting AWS Controls does NOT get your system compliant. They help, but they are specific to data center security controls (e.g. Physical, Environmental and Maintenance). The Scope of AWS services which are authorized may also be challenging for some agencies as authorizing officials may only accept in-scope AWS FedRAMP accredited services within a customer authorization. Lastly, the AWS shared responsibility model should be reviewed as agencies are responsible for implementing many of the NIST 800-53 rev.4 controls within their customer environment.

HINT: AWS is constantly adding to their list of Certified / Accredited AWS Services; keep your eyes open for updates! See: AWS Services in Scope by Compliance Program

However, the Customer must still do their own due diligence and document how they intend to meet the NIST security controls in a continuous manner. Without a solution that actually captures changes to AWS Resources / Services in real time, getting to a state of Compliance and, more importantly, maintaining it, is a real challenge. Fortunately, Evident.io can help to do both.

Evident.io and Robert Half International head to AWS Summit San Francisco to talk about the Cloud Security Skills Gap (Tue, 04 Apr 2017)

The shift to Cloud IaaS and PaaS hasn’t lessened the workload that organizations have for security and compliance — it’s just changed the type of work that needs to be done. With all the focus on cybersecurity and new regulations in the news, it’s no wonder that Security, SecOps and Compliance roles within companies take months to fill. As enterprises continue their digital transformation efforts, they need more help when it comes to training and coaching development teams to develop and run applications more securely.

“Where do you find your next 20 Cloud Security experts?” That’s the title and topic of the discussion that Eddie Borrero, CISO at Robert Half International, and Evident.io’s CEO and Founder, Tim Prendergast, will be leading at the upcoming 2017 AWS Summit in San Francisco.

In their joint presentation, Eddie and Tim will discuss how to shift the common paradigm that the only way to fill a skills gap is with big teams and lots of money. They will share their perspectives and real world examples on how the right tools have enabled them to cultivate individuals from within their organizations to fulfill the security work that needs to get done. They’ll explore why automation is critical for continuous security and continuous compliance.

But, the conversation won’t be all about technology. Filling job vacancies and keeping your team happy also requires that you build talent pipelines and maybe even think about globalizing the security teams. Eddie and Tim will share their insights about recruiting, managing, and developing people to support our modern cloud security threat landscape.

Join Tim and Eddie on Wednesday, April 19th at 2:30pm in room 2006 for “Where do you find your next 20 Cloud Security Experts?” This session is one you won’t want to miss. See the full Summit schedule here.

If you are attending AWS Summit San Francisco, send us a note to schedule a time to chat. We’d love to meet up!

Small businesses, big target (Mon, 03 Apr 2017)

I’ve had this conversation hundreds of times, so I wasn’t surprised when it came up again—this time with a friend who is also a small business owner. Let’s call him Frank, to protect the innocent here. He owns and operates a successful manufacturing concern. “I’m not sure why I should care about all this cybersecurity stuff,” Frank said. “We’re a small shop, and we don’t have anything of much interest to anyone.”

I’ve heard this so many times; I couldn’t help but sigh. I explained to Frank that the vast majority of attacks on the Internet or the cloud don’t have much to do with any tangible value an organization may have. It’s not like the physical world, where it is time-consuming and risky to check whether doors are locked. Online, it’s fast, cheap, easy and relatively risk-free to find systems that are vulnerable. Then those systems can be used for all kinds of things like launching attacks on other systems. That’s what happened with the Mirai botnet attacks, which commandeered thousands of networked devices to launch attacks on third parties—business partners of Frank’s—who might be juicier targets.

Not to mention, I explained to Frank, his business is a juicy target itself. There are financial threats, bank accounts, employee information, ransomware risks, and competitors may want to attack his business to gain information for a competitive edge. The list goes on.

I was trying my best but making no headway. I could tell by his expression.

You’d think, or hope, that Frank is an anomaly, but he isn’t. Many small business owners and startups think they are not valuable targets. They think they don’t have to worry about sophisticated hackers, or do any more than the bare minimum when it comes to cybersecurity. They couldn’t be more wrong.

Consider the study “Cyber Risk for Small and Medium-sized Enterprises” by Jay Vadiveloo, Director of UConn’s Goldenson Center for Actuarial Research, released last week at the Travelers Institute’s “Cyber: Prepare, Prevent, Mitigate, Restore” forum. He found that about half of small businesses reported that they had been victims of a cyberattack in 2014.

Vadiveloo was paraphrased in this story, “Cybersecurity: Small Businesses a Big Target,” as stating that many small and midsize businesses are targeted because they are unaware of the severity of cyberattacks and lack the proper security measures. “Small businesses harbor the misconception that cybercriminals only target large organizations,” Vadiveloo was quoted as saying.

That’s exactly what I’ve been saying. But here are some highlights from the report:

Cyber risk is a real and growing concern for SMEs.

As SMEs integrate new technology into their business, their cyber risk exposure increases. Businesses must develop an understanding of what cyber risk is and the extent of their recent exposure as it pertains to their business sector.

SME perceptions of cyber risk may not be an accurate measure of what the actual reality for cyber risk is.

More than half of SMEs haven’t realized that they lack adequate protection from cyber threats (KPMG). While some SMEs are aware of these threats, they take no additional preventive measures to protect themselves, as reflected in the budget allocated to IT spending (SANS).

The impact of cyber risk for SMEs is significant.

Once a business has developed an understanding of what cyber risks are, it is crucial that they assess the potential impact of a cyber breach on the company. The impact for SMEs may be different than for large businesses, and likewise, an impact for one SME might not be a concern for another. However, in either case, the cyber risk impact for SMEs is very significant as described in the report below.

SMEs face many challenges in the process of reducing their cyber risk.

Because cyber risk is hard to understand, most SMEs lack knowledge of cyber risk and are incapable of handling these cyber risks on their own. Also, myriad cybersecurity solutions are available in the market, but SMEs lack access to reliable guidance on how to create a robust cyber risk management plan. And lastly, although cyber insurance is considered a cybersecurity solution, it is not easily accessible to SMEs.

To me, these findings are no surprise. I’ve helped conduct dozens of surveys over the years and have found lots of Franks out there – they either think they won’t be targeted or are overconfident in their security postures. A few years ago, CSO Online colleague Steve Ragan covered a study by Office Depot and McAfee that showed just this. “McAfee says that SMBs are suffering from a false sense of security, basing their claims on a recent study conducted with Office Depot. Those who took part in the study showed a high degree of confidence that their data and devices were safe from attackers, despite industry research and evidence that proves otherwise,” Ragan wrote.

The study, consisting of 1,000 SMB survey respondents, found that “66 percent…were confident that their data and devices were secure and safe from criminal hackers, with 77 percent reporting that their organizations have never been attacked,” Ragan wrote.

But get this: “When asked for details, 80 percent of the respondents to Office Depot’s survey admitted to not using data protection. Only about half of them confirmed that they’re using email and Internet security measures,” he wrote. “And almost all of them—91 percent—said they don’t use endpoint or mobile device security. Yet, the frightening admission comes from the 14 percent of SMB owners who said they haven’t implemented security measures of any kind in their environment.”

Clearly, SMBs, start-ups, and even businesses that consider themselves too boring to target are actually targets and should take steps to protect themselves. I know I haven’t convinced Frank, but I also know that Frank is at risk of paying a big price one day for playing ostrich.
