Cloud Sentry Blog https://cloudsentry.evident.io Powered by Evident.io Wed, 24 May 2017 23:11:30 +0000 en-US hourly 1 https://wordpress.org/?v=4.6.6 ../wp-content/uploads/2016/08/cropped-evident-shield-512-32x32.png Cloud Sentry Blog https://cloudsentry.evident.io 32 32 Everyone’s Talking About Ransomware, But What Are You Doing About It? ../everyones-talking-ransomware/ ../everyones-talking-ransomware/#respond Wed, 24 May 2017 23:11:30 +0000 ../?p=1596 A Guide to Protecting Your Cloud From Ransomware That look you’ve undoubtedly noticed on the faces of your IT team over the past few weeks is most definitely not Blue Steel; no, it’s the look of stark terror. Over the course of the past few weeks, as cyber bullies spread ransomware attacks across the globe,... Read more »

The post Everyone’s Talking About Ransomware, But What Are You Doing About It? appeared first on Cloud Sentry Blog.

]]>

A Guide to Protecting Your Cloud From Ransomware

That look you’ve undoubtedly noticed on the faces of your IT team over the past few weeks is most definitely not Blue Steel; no, it’s the look of stark terror. Over the course of the past few weeks, as cyber bullies spread ransomware attacks across the globe, questions about responsibility, ownership, and “how could this have happened?” have crept into the late nights when engineers and network admins scramble to figure out how to prevent getting hit by the next wave of ransomware attacks.

Securing networks and data has always been discussed as a top priority in organizations, but it’s not always treated that way. For enterprises that use the cloud, part of the issue is not fully understanding the different layers that make up the components of their cloud stack. These different layers create multiple potential targets, and for the prepared, they each represent a piece of the cloud environment that can be secured against potential threats.

Ransomware is effective because it uses the path of least resistance to find an opening. As code and a programming function, ransomware is not terribly complex, nor does it need to be. To achieve its goals it just needs access and there are a surprising number of access points that, if not adequately protected, are easily hacked.

By paying attention to the different pieces of the cloud stack and addressing their unique security needs with these preparations, your environment will be far more resistant to ransomware threats. In part one of this series, we look at how to address identity management. Secondly, we will review the compute layer and the things that serve to protect your systems and data. Storage is a critical and often overlooked element that needs to be secured, and part three of the series will consider the keys for security of your storage in the cloud. Lastly, the actual cloud services, the “things” that operate and transact within your cloud environment, will be addressed.

Bear in mind that even with media coverage of high-profile ransomware attacks hitting all over the world, there still doesn’t seem to be enough damage done to encourage change in behavior on the part of IT and security departments. This will come back to haunt organizations and individuals who don’t heed these attacks as warnings. Essentially, if you operate across the web, you’re exposed and there’s risk. Yet, we compartmentalize risk and create mitigation scenarios to rationalize our inattentiveness. And while no one wants to go into fire drill mode, that’s exactly what happens when something like WannaCry or Adylkuzz hits and we’re not prepared. What we need is a protection default button, not an alarm switch, and that default button has to be about preparation and it needs to be on at all times.

Ransomware may not have made a dent in your organization, or maybe it has and you’ve been able to prevent major damage. But even though it’s starting to get board-level attention in major corporations, it still isn’t the priority it needs to be. Rather, organizations keep adding more functionality to their IT environments, or moving to cloud infrastructures that they haven’t taken the time to fully understand. There are many solutions that suggest they can wrap your entire technology presence in a protective wrapper, but that’s not how the cloud stack works. All the benefits of the cloud…its agility, elasticity, scalability…all of this is built upon a flexible set of layers that make it a desirable solution for 21st Century enterprises. Inherent in that model are, by definition, multiple potential points of access that are best secured through behavioral requirements, policies, continuous monitoring and automation of detection and remediation.

The Evident Security Platform analyzes more than 10 billion events every month, and we see that poor configuration, lack of policies, and permissive behaviors lead to too many openings that are exploitable by ransomware. This series will help you create an optimal security environment for your organization that will assist in thwarting ransomware through a set of corrective actions and behavioral modifications. There will always be bad guys, but we’re going to figure out how to keep them out of our house.

The post Everyone’s Talking About Ransomware, But What Are You Doing About It? appeared first on Cloud Sentry Blog.

]]>
../everyones-talking-ransomware/feed/ 0
Hackers gonna hack ../hackers-gonna-hack/ ../hackers-gonna-hack/#respond Fri, 19 May 2017 18:33:09 +0000 ../?p=1585 Defending against cyberattacks is a critical function of IT professionals, but the innovations and tactics of the attackers are constantly evolving. In order to keep up, IT organizations turn to threat hunters to proactively monitor cloud infrastructure for vulnerabilities and protect against major breaches. In light of the recent wave of ransomware attacks, organizations are... Read more »

The post Hackers gonna hack appeared first on Cloud Sentry Blog.

]]>

Defending against cyberattacks is a critical function of IT professionals, but the innovations and tactics of the attackers are constantly evolving. In order to keep up, IT organizations turn to threat hunters to proactively monitor cloud infrastructure for vulnerabilities and protect against major breaches.

In light of the recent wave of ransomware attacks, organizations are quickly adopting threat-hunting programs to fight hackers and improve overall security posture.

Who are these threat hunters and how can you assemble a focused, valuable team?

First thing is to assign this team a specific mission; this project isn’t going to be a standard, by-the-book operation.  It is important to look for certain qualities when forming this threat hunting task force, and you should seek people who demonstrate the following traits:

  • Analytical thinkers — Curiosity is one of their strongest motivators. These are your creative problem solvers that are not afraid to step outside the box to look for an answer.
  • Inherent tinkerers — They like to take things apart and rebuild them for a thorough understanding of how they work from the inside out.
  • Good communicators — I cannot stress the importance of communication enough. These folks will be the security ambassadors for your entire organization and will be responsible for communicating not only to their own department but to the cross functional teams when threats are detected and remediation is required. They will need to make security more approachable.

How do we enable them to do their jobs?

By embracing automation as much as possible. You don’t enlist threat hunters so they can waste time manually sweeping the perimeter every hour (or as often as humanly possible), you hire them to to think strategically. Automation tools provide near-real time visibility, one source of truth into your security posture. Automation helps strengthen what has been configured in the cloud with security best practices, and as a bonus, automating security controls and risk remediation can free up time for your threat hunters to hunt.

How to structure your threat hunter program?

Step one, look for your champions internally first. These hunters may already be on the inside, try checking under the foosball table. Step two, implement “seek and destroy” bounty program, ie locate vulnerability, remediate, collect a bounty. Find out what motivates your team and implement a reward system for improving overall security posture. Step three, enlist security evangelists. Security within an organization can often be perceived as a black box or on a “need to know” basis. A security evangelist needs to make the conversation about security comfortable and inclusive.

In the end, Hackers gonna hack and organizations will continue to protect themselves. But rather than playing an endless game of cat and mouse, the adoption of a threat hunting program provides a proactive cloud security solution and it creates an organizational mindset that makes awareness and protection a priority. By having full visibility into your environment, actively searching for vulnerabilities and anomalies and developing awareness of threats, IT professionals can better protect against breaches and ensure that the organization continues with “business as usual”.

To find out more about how our technology can reduce the number of bounties you pay out,  visit our website. ESP provides a single pane of glass view of all of your AWS accounts, regions and services in one easy to customize dashboard. By consuming all of Amazon’s APIs, ESP can detect and reveal vulnerabilities and alert your threat hunters of configuration changes and policy violation and provide a path to remediation.

The post Hackers gonna hack appeared first on Cloud Sentry Blog.

]]>
../hackers-gonna-hack/feed/ 0
It’s Time For Automate-first Policies When it Comes to Security ../automate-first-policies-security/ ../automate-first-policies-security/#respond Tue, 16 May 2017 21:06:47 +0000 ../?p=1581 It’s time to stop thinking about security in terms of siloed toolsets and processes and start thinking about security as something to be integrated into the very fabric of the infrastructure, processes, and systems deployment of an enterprise. In fact, thanks to the cloud, APIs, and microservices, many aspects of security have become programmable and... Read more »

The post It’s Time For Automate-first Policies When it Comes to Security appeared first on Cloud Sentry Blog.

]]>

It’s time to stop thinking about security in terms of siloed toolsets and processes and start thinking about security as something to be integrated into the very fabric of the infrastructure, processes, and systems deployment of an enterprise. In fact, thanks to the cloud, APIs, and microservices, many aspects of security have become programmable and are increasingly able to be automated.

Security automation and orchestration certainly isn’t a new topic. At the turn of the century, when I was a reporter at InformationWeek covering information security, it was common for IBM to pitch stories and sell ideas around the role of security and autonomic computing. Back then, though, it wasn’t much of a story. The entire concept was only feasible to even consider in limited ways and in certain kinds of environments.

Today, however, security automation is much more attainable than it was back then. In fact, it’s time to think of automate-first when it comes to security.

I’m not just speaking about automating security checks in enterprise continuous deployment pipelines. I’m talking about that plus continuous security monitoring and continuous policy compliance monitoring of an enterprise’s cloud environment for security threats and systems falling out of compliance. And I’m talking about the ability to automatically respond to vulnerable conditions. This is all about taking a close look at one’s environment and automating every aspect of security controls that can be reasonably automated.

Just like many organizations have a cloud-first policy, they should also have a similar policy, or at least a mindset, around automating security whenever possible. It should involve an understanding of the assets and data your organization is responsible for within your cloud service provider’s shared responsibility model.

Automation needs to embrace testing in continuous pipelines and automating quality assurance and security acceptance tests as part of the standard workflow. It should also include continuous application and infrastructure security checks on production systems. In cloud environments, enterprises should make it a practice of automating most aspects of security when they deploy infrastructure that is designed to specifications that are aligned with security policy. Because it is agile, the cloud enables security automation to include elements like infrastructure as code, elastic clouds, and DevOps.

Today, application development teams are pushing code out more quickly than ever. Perhaps a minimum viable product was deployed, and the team moved so quickly that not everything about how the app could impact their security posture was considered. Since oversights will only be spotted in a reasonable timeframe if tests on production systems are running, continuous security monitoring is essential.

The cloud makes aspects of the environment beyond just infrastructure and application scans programmable. Cloud infrastructures and APIs make it possible to interface with identity and access management controls to networks, application scanners, infrastructure, storage and everything in-between. So, instead of calling security teams to go see what is happening every time there’s an issue, savvy enterprises are always monitoring for deviations from what an optimal state should look like.

Obviously not everything in security can be codified, or is accessible through an API – but today much of it is. And that’s what we are speaking about here: focus on those things that can be automated and continuously improve those processes. And in areas where security can’t be automated – build the most effective processes possible and improve from there. One day soon, those processes too will be programmable. It’s time for an automate-first policy.

The post It’s Time For Automate-first Policies When it Comes to Security appeared first on Cloud Sentry Blog.

]]>
../automate-first-policies-security/feed/ 0
White House Cybersecurity Executive Order Signals Need For Better Cloud Security ../white-house-cybersecurity-executive-order/ ../white-house-cybersecurity-executive-order/#respond Thu, 11 May 2017 22:18:51 +0000 ../?p=1577 As promised, President Trump has signed the long-awaited White House Cybersecurity Executive Order that is intended to improve overall digital security for the federal government, as well as provide direction for how public and private groups can measure and collaborate on cybersecurity issues. The Order is especially important in light of reported flaws in our... Read more »

The post White House Cybersecurity Executive Order Signals Need For Better Cloud Security appeared first on Cloud Sentry Blog.

]]>

As promised, President Trump has signed the long-awaited White House Cybersecurity Executive Order that is intended to improve overall digital security for the federal government, as well as provide direction for how public and private groups can measure and collaborate on cybersecurity issues.

The Order is especially important in light of reported flaws in our national cyber infrastructure which have resulted in ominous repercussions for both government officials and the American public. Reports of Russian interference in the 2016 presidential election, and hacking into former Secretary of State Hillary Clinton’s email server are just two high-profile examples of how, and why, cybersecurity needs more thorough policing and guidelines. Especially since the government continues to seek innovative ways to run their IT infrastructure, mostly by moving to the cloud, the potential for vulnerabilities increases all the time.

Timing and politics aside, we think this is a step forward for the security of our federal intellectual property, and American innovation in general. The Cybersecurity Executive Order focuses on three key elements: protection of the United States’ federal networks, upgrade the federal infrastructure, and coordinate better across agencies. It also provides important validation that a cloud-first approach is the best way to manage government technology assets and capabilities.

It’s fitting that there is a mandate for the usage of existing guidelines from National Institute of Standards and Technology (NIST) as the basis for this Order. It is an accepted and vetted set of requirements and conditions that are included within the compliance guidelines of most cloud service providers (CSPs), and when used with complementary security automation solutions, can help to ensure compliance and help with prescriptive remediation. This helps further greater collaboration among public and private organizations who have a vested interest in mitigating risk.

Previously, the Obama administration encouraged the private sector to voluntarily adopt the NIST framework, but it was not required of government agencies. With the Executive Order now directing government agencies to follow the NIST guidelines, they are effectively practicing what they preach, and can hopefully create an infrastructure that has a reduced attack surface and is more resilient.

Department of Homeland Security advisor Tom Bossert voiced support for the Order today when he said, “We spend a lot of time and inordinate money trying to protect antiquated systems. We’ve got to move to the cloud to try to protect ourselves instead of fracturing our security posture.” His assessment is accurate and highlights the sensitive nature of what the Order proposes to protect. And while protection is the goal, ensuring it is going to require a security-first approach to compliance and management of the federal government’s technology and data assets.

In 2011, the sitting U.S. Chief Information Officer, Vivek Kundra published a defining report that recommended moving to the cloud, and emphatically advised that the federal government needs to “… be vigilant to ensure the security and proper management of government information to protect the privacy of citizens and national security.” Kundra, and now Trump, are helping to create an mindset within the government that is both cloud-first, and security-first.

So today we now have what amounts to the defining mandate for decisions about cybersecurity in the government for the foreseeable future. It embraces change and innovation, and also recognizes that major responsibilities come with the agile and dynamic attributes of operating in the cloud. To keep pace with this change will require constant vigilance and attention, so government agencies will need solutions that will enable them to maintain the highest degree of security while still taking advantage of new ways of doing business.

As we look closely at the Order (and take into consideration the cybersecurity skills gap that we have in the United States), it’s clear that federal agencies will need automated, continuous security monitoring of their cloud environments. The requirements are made very clear, and to be compliant, all agencies will be required to acquire tools and capabilities to protect their workloads and data, and the digital footprint that impacts U.S. citizens more than ever before.

With this Order, we hope to see federal agencies quickly get the resources needed to deliver on better cybersecurity. Doing so will meet the President’s demands, but more importantly, it will create a more secure operating environment for the government’s technology infrastructure. As a nation, we won’t make progress if they don’t have access to the people and tools they need to achieve and maintain better cybersecurity.

The post White House Cybersecurity Executive Order Signals Need For Better Cloud Security appeared first on Cloud Sentry Blog.

]]>
../white-house-cybersecurity-executive-order/feed/ 0
A Roadmap for Hiring the Best Cloud Security Talent ../hiring-best-cloud-security-talent/ ../hiring-best-cloud-security-talent/#respond Wed, 10 May 2017 20:58:37 +0000 ../?p=1574 The job market is pretty good right now, and the general feeling is that hiring for skilled workers will remain steady, if not grow in the coming quarters. The numbers look good, but in the field of cloud security, there is no rejoicing among recruiters and development teams. There is huge shortage of qualified people,... Read more »

The post A Roadmap for Hiring the Best Cloud Security Talent appeared first on Cloud Sentry Blog.

]]>

The job market is pretty good right now, and the general feeling is that hiring for skilled workers will remain steady, if not grow in the coming quarters. The numbers look good, but in the field of cloud security, there is no rejoicing among recruiters and development teams. There is huge shortage of qualified people, and it’s critical that new strategies are applied in an effort to build an innovative, agile team of security experts who can keep your organization on top of vulnerabilities and threats.

Our new ebook, How to Find Your Next Cloud Security Experts, explains how to approach hiring by looking internally, as well as seeking candidates from nontraditional sources. It also describes how to create a culture of innovation and security that will make your organization a more attractive place for top talent.

Hiring also isn’t just about bringing people in and hoping they perform. Organizations must create an environment that values learning and encourages smart experimentation. A culture that does that benefits in two ways: 1) it creates an organizational mindset that emphasizes problem solving, and 2) word travels among job-seekers that this organization is an attractive place to work. It’s a way of matching your organizational goals and vision with the kind of people you seek, but are sometimes hard to find.

Organizations will do all kinds of things to attract top talent. A snack-filled break room and unlimited vacation days have become standard fare these days, however. To really get the right people, you’ll need to foster a vision in which people can contribute; especially in the security space, where developers and architects want to chase bad guys, you’ll need to provide a place where the best minds can gather to get the job done, grow their careers, and save the world from cybercriminals.

The post A Roadmap for Hiring the Best Cloud Security Talent appeared first on Cloud Sentry Blog.

]]>
../hiring-best-cloud-security-talent/feed/ 0
Cloud Computing Growth Set to Soar ../cloud-computing-growth/ ../cloud-computing-growth/#respond Mon, 08 May 2017 21:28:09 +0000 ../?p=1569 It seems like we have been talking about the transformational power of cloud computing forever, especially about how the cloud is cheaper, provides more speed to value, and is more agile than traditional on-premises systems. Despite all of this talk about the transformation cloud computing has brought to enterprise IT, a recent study shows just... Read more »

The post Cloud Computing Growth Set to Soar appeared first on Cloud Sentry Blog.

]]>

It seems like we have been talking about the transformational power of cloud computing forever, especially about how the cloud is cheaper, provides more speed to value, and is more agile than traditional on-premises systems. Despite all of this talk about the transformation cloud computing has brought to enterprise IT, a recent study shows just how much more potential remains on the table for the taking.

According to the recent Enterprise Strategy Group (ESG) report, 2017 Public Cloud Trends, public cloud adoption continues to soar. In his post announcing the report, analyst Dan Conde writes that more than one-third of the respondents currently have what former federal CIO Vivek Kundra referred to as a “cloud-first policy”. This policy, first described by Kundra in 2010 in his 25 point plan to reform the federal government’s IT operations, called for federal agencies to procure new apps and services from cloud providers, unless there was a compelling reason made to use on-premises systems. According to ESG, these policies are increasingly popular in newer companies as well.

Additionally, the ESG survey found that the SaaS model continues its torrid growth with 62 percent of respondents stating that 20 percent of their apps are currently SaaS applications. That’s a sizable bump from 38 percent who said the same in 2013. When it comes to platforms as a service and public cloud infrastructure, it’s clear that there still remains room for tremendous growth. “The most popular use cases for IaaS or PaaS are to serve as a repository for backup and archive data, running production apps, and serving as a disaster recovery target, followed by test and dev,” Conde wrote.

This is changing quickly, I’m finding, as I speak with CIOs and CISOs from different industries and various sized enterprises: more and more business critical and regulated information and applications are heading to the cloud. Their concerns around making this move are what they have always been when it comes to any type of cloud deployment: regulatory compliance and security.

And as we covered in Despite Security Fears, Digital Transformation, Cloud Journey Continues, serious concerns exist when it comes to moving to the cloud. According to an IDC survey in that post, 88 percent of respondents cited data security in the cloud as a top priority for competitiveness, while only 32 percent cite significant progress having been made in cloud security. As I wrote then, that leaves well more than half of organizations with a security chasm that they must close if they are to get to where they believe they need to be.

The good news is the toolsets necessary to bring the needed amount of transparency, monitoring, and security controls to bear, including greater degrees of automation, to public cloud are finally available.

What does all of this point to? Plenty more runway for enterprise cloud growth. While it feels like cloud has already transformed IT, and to a large degree it certainly has, it is just getting moving and finally hitting real takeoff velocity. Consider the findings from the seventh annual Data Center Industry Survey from the Uptime Institute.

This survey found that 65 percent of assets are currently deployed in enterprise-owned data centers, and 22 percent on co-location of multi-tenant data centers, while only 13 percent are in a cloud computing environment.

I expect these numbers to change quickly as cloud continues to win increasingly more workload from traditional systems. A sizable 67 percent of Uptime Institute respondents report that workloads that would previously have resided in their own data centers are heading to the cloud.

Interestingly, the largest organizations surveyed are 10 percent more likely to deploy to the cloud than the smallest IT groups. And this rate of cloud adoption and migration is likely to not just continue, but accelerate, as people become more comfortable with the cloud through increases in transparency, and better toolsets used to manage the security their environments.

The post Cloud Computing Growth Set to Soar appeared first on Cloud Sentry Blog.

]]>
../cloud-computing-growth/feed/ 0
A Solution Architect’s Evolution to the Cloud ../solution-architect-evolution-to-cloud/ ../solution-architect-evolution-to-cloud/#respond Fri, 05 May 2017 19:24:48 +0000 ../?p=1565 Several years ago I was part of a storage technology company that was stuck in neutral. We had a great hardware-accelerated file system that was technically superior to anything available, but our challenge was getting traction and momentum in the marketplace. I had a short hallway conversation with the CEO and asked him if he’d... Read more »

The post A Solution Architect’s Evolution to the Cloud appeared first on Cloud Sentry Blog.

]]>

Several years ago I was part of a storage technology company that was stuck in neutral. We had a great hardware-accelerated file system that was technically superior to anything available, but our challenge was getting traction and momentum in the marketplace. I had a short hallway conversation with the CEO and asked him if he’d read the Jim Collins book, “Good to Great”. He hadn’t, but was familiar with it and impressed with the core concepts. He ended up reading it and then distributed copies throughout the company.

The key concepts that took root were:

  • Confront the brutal facts: The Stockdale paradox—Confront the brutal truth of the situation, yet at the same time, never give up hope.
  • Hedgehog concept: Focus on these three overlapping circles: What lights your fire (“passion”)? What could you be best in the world at (“best at”)? What makes you money (“driving resource”)?
  • Technology accelerators: Use technology to accelerate growth within the three circles of the hedgehog concept.

A few quarters after that conversation our primary OEM decided to buy the company outright.

Fast forward a few years and in a new role, I was designing, deploying, and building hybrid cloud infrastructures for enterprise customers using industry-standard hardware and software. I started to hear about the public cloud, and saw increasing demand from customers for web-native, twelve-factor style Software as a Service (SaaS) apps. As part of the evolutionary plans, these customers began to feel more secure with the public cloud as a viable way to manage their overall technology infrastructures. I loved seeing this change, but started to ask, “How are these enterprises going to deal with the security compliance regime they must conform to? Were the rules and processes they used for their traditional IT constructs still applicable to the public cloud?”

My friend John Martinez is Vice President of Customer Solutions here at Evident.io and he talked with me about some fascinating work he was doing. Based on the original concepts of Evident.io’s founders, the company is working on solving the problem of securing public clouds with automated threat detection solutions. They are eliminating the need for organizations to build tools from scratch and instead use a tool that does continuous monitoring for security and compliance. I watched as they developed and built up the company and continued to have conversations on how things were going. Finally, I determined that the market is in dire need of the Evident Security Platform (ESP), and considering the maturity of their intellectual property, I saw the opportunity as huge. Needless to say, I joined as soon as I could.

I found that in addition to the “Good to Great” concepts that were critical to success in my previous startup, Evident.io also had others:

  • Level 5 leadership: Leaders who are humble, but driven to do what’s best for the company.
  • First who, then what: Get the right people on the bus, then figure out where to go. Find the right people and try them out in different positions.

There is no guarantee that any company that adheres to these concepts will be a great success as defined by financial performance,but success does leave clues.

My aim is to share my experiences to help others who might be making the same walk to the public cloud from traditional IT. It’s not so scary if you have a roadmap.

The post A Solution Architect’s Evolution to the Cloud appeared first on Cloud Sentry Blog.

]]>
../solution-architect-evolution-to-cloud/feed/ 0
NIST Compliance for AWS – On-Demand Webinar ../nist-compliance-aws-webinar/ ../nist-compliance-aws-webinar/#respond Thu, 27 Apr 2017 16:27:01 +0000 ../?p=1550 When compliance experts get together, they speak a unique language that’s peppered with acronyms and hyphens. The casual observer might see it as the quintessential “geek-out”, but this crew carries a serious burden. Without industry, governmental, or other types of standards, it would be nearly impossible to conduct any type of business, especially if you... Read more »

The post NIST Compliance for AWS – On-Demand Webinar appeared first on Cloud Sentry Blog.

]]>

When compliance experts get together, they speak a unique language that’s peppered with acronyms and hyphens. The casual observer might see it as the quintessential “geek-out”, but this crew carries a serious burden. Without industry, governmental, or other types of standards, it would be nearly impossible to conduct any type of business, especially if you want to work with others who take security very seriously.

In our most recent webinar, Evident.io brought together three of the top minds in the fields of cloud security to talk about ensuring compliance of the U.S. government’s NIST Cybersecurity Framework in Amazon Web Services (AWS):

  • David Rubal – Chief Data and Analytics Technologist at DLT
  • Tim Sandage – Senior Security Partner Strategist at Amazon Web Services
  • Sebastian Taphanel – Federal Solutions Architect at Evident.io

With an emphasis on NIST 800-53 (which recommends security controls for federal information systems and organizations and documents security controls for all federal information systems), these experts go into depth about the intricacies of compliance in the cloud, and challenges with achieving NIST security controls on AWS.

As more businesses and government organizations move to AWS to host their data and application infrastructure, NIST 800-53 compliance becomes critical. It is an in-depth process that allows organizations to update their risk-management approach to information security and be compliant with security best practices. It’s curated from the best thinkers across many government agencies and specifically addresses some of the complexities of using public cloud offerings like AWS.

If you’re concerned about achieving compliance for regulated workloads in AWS or any cloud environment — and you certainly should be — we encourage you to view the webinar to learn more about continuous cloud security compliance through automation and monitoring.

View the webinar.

The post NIST Compliance for AWS – On-Demand Webinar appeared first on Cloud Sentry Blog.

]]>
../nist-compliance-aws-webinar/feed/ 0
More than half of execs (incorrectly) see cloud as more secure than their own data centers ../execs-see-cloud-more-secure-than-own-datacenters/ ../execs-see-cloud-more-secure-than-own-datacenters/#respond Tue, 25 Apr 2017 22:32:44 +0000 ../?p=1538 You hear it all the time: the cloud is more secure than on-premises systems. It’s stated as if it’s an irrefutable fact, but the reality is that the cloud still requires a great deal of security management and monitoring for it to truly be secure. Still, according to a recent survey of 500 information technology... Read more »

The post More than half of execs (incorrectly) see cloud as more secure than their own data centers appeared first on Cloud Sentry Blog.

]]>

You hear it all the time: the cloud is more secure than on-premises systems. It’s stated as if it’s an irrefutable fact, but the reality is that the cloud still requires a great deal of security management and monitoring for it to truly be secure.

Still, according to a recent survey of 500 information technology execs (conducted by iSense Solutions for anti-malware vendor Bitdefender), 53 percent of respondents in the U.S. believe cloud is more secure than their on-premises systems. There’s no doubt security benefits are certainly one of the perceived benefits enterprises seek when moving to the cloud. And moving they are. Organizations are swiftly embracing cloud as they aim to capture as much value from their technology investments as they can as they find themselves under increased pressure to deliver more apps, functionality, storage, and business agility than ever before.

And while hybrid infrastructures, a mix of public cloud, private cloud, and on-premises infrastructure are widely in use today, many predict that data centers will eventually give way to public and private clouds in the near future. Oracle CEO Mark Hurd predicted earlier this year that 80 percent of corporate on-premises data centers will vanish in eight years. According to Gartner, the total worldwide public cloud market will have grown from $209 billion in 2016 to $383 billion by 2020.

And many experts expect that by the end of the 2020s there won’t be any more on-premises cloud deployments left.

According to the same survey cited above, 55 percent of companies are currently turning to the cloud. They cite increased productivity (54 percent), superior storage capacity (47 percent), and lower costs (46 percent) as their main reasons.

But let’s look at this bias that public cloud is more secure than on-premises systems. While a public cloud infrastructure may very well be more secure than what any specific enterprise can do in-house, even this depends on the skills, resources, and deployment use cases — the cloud infrastructure is only part of what needs to be managed in order to secure a cloud deployment.

While the infrastructure (virtual servers, networking functionality, storage, etc.) of the cloud services provider may be secured to a higher level than enterprises can do themselves: what about the ongoing configuration of these systems? The identity and access management to them? What about the security of the applications and how they are configured? Systems configurations can change quickly in cloud, so what about change control and logging and auditing capabilities? What about logical network and storage segmentation?

You get the idea. There are still plenty of things in cloud deployments that enterprises must focus on in order to keep their deployments secure.

And any systems or data in the cloud don’t get a magic pass from compliance and regulatory certifications. So rather than thinking about public cloud as being more secure, it’s better to think of the cloud as something that helps to limit the scope of information security that must be directly managed. That’s a much more realistic perspective than the assumption that public cloud is more secure than on-premises systems.

The post More than half of execs (incorrectly) see cloud as more secure than their own data centers appeared first on Cloud Sentry Blog.

]]>
../execs-see-cloud-more-secure-than-own-datacenters/feed/ 0
My Mom Said it’s OK If I Code For You Guys: Finding Security Talent In Unusual Places ../finding-security-talent-unusual-places/ ../finding-security-talent-unusual-places/#respond Tue, 25 Apr 2017 21:40:26 +0000 ../?p=1530 Teenage rebellion manifests itself in many forms, and it takes a visionary to recognize genius in it. While some demonstrate their angst with green hair or eardrum-piercing speed metal, there also exists a subculture of teens who buck the system with code. Indeed, teen hacker activity runs the spectrum from mischievousness to outright criminal activity.... Read more »

The post My Mom Said it’s OK If I Code For You Guys: Finding Security Talent In Unusual Places appeared first on Cloud Sentry Blog.

]]>

Teenage rebellion manifests itself in many forms, and it takes a visionary to recognize genius in it. While some demonstrate their angst with green hair or eardrum-piercing speed metal, there also exists a subculture of teens who buck the system with code. Indeed, teen hacker activity runs the spectrum from mischievousness to outright criminal activity. Somewhere in the middle are the hackers who, out of curiosity and challenge, use their programming skills as a way to assert, discover, and have fun. Keep an eye out for that group – they may wind up being the most important protectors of your company.

Take the case of Jon Oberheide who, as a 17 year-old in 2010, sat in a Starbucks in Ann Arbor, Michigan and repeatedly hacked his way into the internal network of Arbor Networks. The company is, ironically, an infrastructure security company, so one can only imagine the level of freak out that happened when they discovered their network was being exploited. Arbor’s Chief Security Architect at the time, Dug Song, identified the young Oberheide as the dark hat, but rather than alert authorities, he hired Oberheide to join Arbor’s security team. Seven years later, Song and Oberheide have co-founded device security company, Duo Security, that’s received $49 million in venture capital funding.

Network and data security isn’t taken lightly. Hacks and security breaches have created major issues to the brands and bottom lines of companies and governments all over the world. Most people have a very negative view of hackers and prefer a law and order approach to their activities; lock ’em up and throw away the key. But security is hard and it requires a unique skill set, and the Song and Oberheide story demonstrates that if you can find people who approach security with determination, skill, and a sense of unabashed enthusiasm, it’s probably best to get them on your team.

Evident.io CEO and founder, Tim Prendergast, along with Robert Half CISO, Eddie Borrero, recently presented at an Amazon Web Services (AWS) Summit in San Francisco on the topic of finding and hiring security experts. One piece of advice from Tim was, “look for aptitude, not experience.” There’s a pragmatic element to this, especially when there’s a huge need for highly qualified security experts in the job market. It also speaks to the speed of innovation in this space; just because you’ve “done” security for 15 years, doesn’t mean you’re capable of building the best security monitoring tool for the cloud. Someone who has beaten you at your own game, however, is probably a solid candidate.

Tim and fellow founder (and Evident.io CTO) Justin Lundy approach security expertise as something that must always be evolving and growing. The best security engineers are those who understand the severity of what is being secured, but are able to pair that with a sense of discovery and a deep understanding of what physicist Richard Feynman called “the pleasure of finding things out.”

It’s hard to find talent when you’re beholden to the traditional game plan. Resumes will tell you something, but there’s no substitute for seeing a person in action, especially when being successful at things they aren’t getting paid to do. Dug Song said, “Some of the best hackers don’t come with credentials or an Internet degree. A lot of this is driven by curiosity and a longing to learn more about systems.”

If you approach recruiting as a search to identify ability and desire, you might be surprised at where your next great hire comes from. Skill and desire know no age, gender, or orientation of any kind. Your next great security engineer could come from almost any walk of life or demographic. He or she might even need a permission slip from school to leave school for the interview. When you find that person, make an offer before you notice your data has been leaked.

The post My Mom Said it’s OK If I Code For You Guys: Finding Security Talent In Unusual Places appeared first on Cloud Sentry Blog.

]]>
../finding-security-talent-unusual-places/feed/ 0