CSCC: 10 steps to ensure security for cloud computing success
The Cloud Standards Customer Council (CSCC) announced version 3 of its Security for Cloud Computing: 10 Steps to Ensure Success. The 10 steps are meant to be a reference guide for organizations to better analyze the security effects of cloud computing on the organization as a whole.
According to the CSCC, cloud security risks include loss of governance, isolation failure, management interface vulnerabilities, vendor lock-in, service unavailability, business failure of the provider, malicious behavior of insiders, and insecure or incomplete data deletion.
Major changes to the guide take into account new worldwide privacy regulations, a focus on different aspects of cloud computing security, more emphasis on security logging and monitoring, and the importance of a formal information governance framework.
“As organizations consider a move to cloud computing, it is important to weigh the potential security benefits and risks involved and set realistic expectations with cloud service providers. The aim of this guide is to help enterprise information technology (IT) and business decision makers analyze the security implications of cloud computing on their business,” the organization wrote in a post.
The steps are:
Step one: Ensure effective governance, risk and compliance by establishing chains of responsibility, understanding risk tolerance, understanding specific laws, notifying users if a breach occurs and ensuring app and data security.
Step two: Audit operational and business processes. Audits should leverage an established standard, be carried out by skilled staff, and be done as part of a formal certification process, according to the CSCC.
Step three: Manage people, roles and identities. “Customers must ensure that the cloud service provider has processes and functionality that govern who has access to the customer’s data and applications. Conversely, cloud service providers must allow the customer to assign and manage the roles and associated levels of authorization for each of their users in accordance with their security policies, and apply the principle of least privilege. These roles and authorization rights are applied on a per-resource, service or application basis,” the CSCC wrote.
Step four: Ensure proper protection of data and information. According to the authors, “data protection is a component of enterprise risk management,” so it should be treated with the same rigor as the organization’s other risks.
Step five: Enforce privacy policies. “Enterprises are responsible for defining policies to address privacy concerns and raise awareness of data protection within their organization. They are also responsible for ensuring that their cloud service providers adhere to the defined privacy policies. Thus, customers have an ongoing obligation to monitor their provider’s compliance with customer policies. This includes an audit program covering all aspects of the privacy policies, including methods of ensuring that corrective actions will take place,” the council wrote.
Step six: Assess the security provisions for cloud applications. The authors say that “organizations must apply the same diligence to application security in the cloud as in a traditional IT environment.” The responsibilities differ depending on the service model. In Infrastructure-as-a-Service, the customer is responsible for most security components. In Platform-as-a-Service, the provider is responsible for securing the operating system while the customer is responsible for application security. In Software-as-a-Service, the provider is responsible for application security, while the customer is responsible for understanding things such as data encryption standards, audit capabilities, and SLAs.
Step seven: Ensure cloud networks and connections are secure. The authors suggest that customers should have assurance on a provider’s internal and external network security.
Step eight: Evaluate security controls on physical infrastructure and facilities. Security controls include: holding physical infrastructure in secure areas, protecting against external and environmental threats, putting controls in place to prevent loss of assets, proper equipment maintenance, and backup, redundancy and continuity plans.
Step nine: Manage security terms in the cloud service agreement. “Since cloud computing typically involves at least two organizations – customer and provider, the respective security responsibilities of each party must be made clear. This is typically done by means of a cloud service agreement (CSA), which specifies the services provided and the terms of the contract between the customer and the provider,” according to the council.
Step ten: Understand the security requirements of the exit process. Customer data should not remain with the provider after the exit process. The agreement should require the provider to purge log and audit data as well, though in some jurisdictions this isn’t possible because retention of records may be required by law.
“The CSCC has created a practical guide to help those with information security expertise as well as those that don’t have domain expertise,” said Ryan Kean, senior director of enterprise architecture for The Kroger Company. “This work will help organizations step through ten areas to be cognizant of when evaluating cloud providers. The end effect is helping companies avoid decisions that put their data and service at risk.”
Real words or buzzwords?: Serverless Computing – Part 2
Editor’s note: This is the 20th article in the “Real Words or Buzzwords?” series from SecurityInfoWatch.com contributor Ray Bernard about how real words can become empty words and stifle technology progress.
This article is about what the arrival of serverless computing should mean to physical security industry stakeholders. The previous article explored the technical aspects of serverless computing. Now, we’ll approach the topic from a higher-level viewpoint.
I’m repeating the definition of cloud computing by Kunjan Dalal, founder and CEO of AuroSys Solutions LLC, that I presented at the start of the first Serverless Computing article, because it properly frames the most important aspect of serverless computing: virtualization. Dalal stated: “Cloud computing is an internet based technology model that allows users to instantly access, manage and deploy large shared, virtual computing resources.”
What Does Virtual Mean?
Thanks to the evolution of computing, the word “virtual” is now being used in a way it could never be used before. Prior to computers as we know them, “virtual” was defined this way by the English Oxford Living Dictionaries:
1. almost or nearly as described, but not completely or according to strict definition. synonyms: effective, in effect, near, near enough, essential, practical, to all intents and purposes
Virtual computing originally referred to using software to mimic the functions of computing hardware (a “virtual” machine). A computer operating system and its applications wouldn’t “know” they were running on software instead of running directly on computing hardware. At first, running an operating system and applications in a virtual machine wasn’t as fast as running them directly on the hardware, and there were a few other limitations that followed from the virtual machine not actually being hardware.
However, as computing hardware became faster and faster, and because computer chipsets were then given special features to specifically support high-speed virtual machine computing, something happened that has drastically and permanently changed the world of computing: Virtual computers became better than the computers they originally imitated.
Thus, the virtual devices in our smartphones, like cameras, light meters, movie screens, GPS navigators and so on, are more popular than the original devices. The virtual versions cost less, are more convenient, and can go with us anywhere. They have “virtues” that their original counterparts could never possess. The idea that virtual can be better goes far beyond the original meaning of the word “virtual.”
So, it should be no surprise that the Google graph of word usage for “virtual,” for the past two hundred years, shows a huge spike in the last two decades. This is because now, most uses of the word virtual refer to virtual computing.
The Reasons for Serverless Computing
Virtualization separates functionality from the physical constraints imposed by the machine or device that originally provided that functionality. Thus, the functionality becomes more useful, more available, more sharable, more powerful, more flexible, more scalable and perhaps most importantly – more affordable at scale. Being more affordable at scale is the opposite of what physical machines offer. Virtual machines can be created, run, managed and deleted electronically, and of course physical machines can’t be. Yes, there are physical machines underlying the virtual machines, but the complexities of computing have moved out of the physical machines and into the virtual machines—where for the first time they can be managed at scale.
Computing is evolving towards Internet scale.
To do that, computing must leave behind the server form factor, which was imposed on it because the predominant computer machine has, until very recently, been the server. Servers made data centers and Internet computing possible, but to scale up for enterprise needs and the Internet—virtual machines were required. Virtual servers further accelerated the expansion of the Internet and the World Wide Web. Now—they are holding it back. Hence the rise of serverless computing, which removes unneeded server-design constraints from virtual computing resources.
But the evolution of cloud data center computing isn’t likely to stop there. Computing hardware itself no longer needs to conform to the traditional server form factor—because virtual computing doesn’t need it. What virtual computing does need is high-performance pools of computing, storage, and networking resources. But there is no requirement for those to be packaged up in the traditional server form factor.
Now that legacy constraints are being removed from the computing hardware base underlying cloud computing, computing and networking is poised to evolve even more dramatically.
Implications for Physical Security
Unfortunately, the full spectrum of security threats is enabled by the same computing and networking advances that are generally available. Physical security threats are IT-enabled, and what we used to call the “blended threat” (physical plus IT) is no longer an exception; it is a permanent situation of increasingly capable threat actors. This means that electronic security systems, including cloud offerings, must a) keep pace with the general advances in computing technology, and b) use information technology capabilities to enable end-users of physical security technology as effectively as possible.
This has implications for those of us working on the forefront of physical security industry technology. Wait a minute—isn’t that most security industry companies? Or if it isn’t, shouldn’t it be?
The arrival of serverless computing is just one of the many technology advancements occurring in the changing IoT landscape that physical security technology is a part of. Unfortunately, we’re not yet the best part of it, or even one of the better parts of it, especially regarding cybersecurity. But we could be, and there is no reason not to be. For that to happen, physical security industry companies must do three things:
1. Rapidly get current in their understanding of information technology, including cloud computing.
2. Fully adopt IT practices relating to the development, deployment and management of security products and systems.
3. Expand the scope of technology standards, and set higher standards of practice, for physical security industry products and services.
For many industry companies, this means getting active (or more active) in the work of the Security Industry Association (SIA) committees and working groups for standards and education. SIA is a much more advanced organization than it was just five years ago, and it needs to accelerate that forward progress even more—which requires very active participation by security industry companies.
Consultants and integrators must keep looking closely at the technological maturity of security industry companies, and their participation in advancing industry initiatives. The learning and knowledge sharing that occurs puts participating companies in the strongest position to advance their own products and services.
Given the emergence of as-a-service offerings, which is the inevitable technology trend, consultant and integrator knowledge of industry companies is especially critical. There is no other way to assure we can identify the best technologies and services that match the risk mitigation needs and technical infrastructure requirements of customers, who are counting on us to do just that.
About the Author:
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security.
Remove the Chrome Security Warning Scam
The Chrome Security Warning is a web browser based scam that tries to trick you into installing an unwanted Chrome extension. The scam page displays an alert that pretends to be Chrome warning you that attackers are trying to install malware and steal your information. As this is a scam, you should not install any program or extension that it offers you.
When the Chrome Security Warning is displayed in your browser, it shows an alert containing text similar to the following message:
Chrome Security Warning
Attackers currently on your browser might attempt to install dangerous programmes on your Computer that steal or delete your information (for example , photos , passwords, message and credit cards).
Install The Chrome Browser Security
Once again, this is just a fake alert: the page does not know whether your browser is being attacked, does not know what is running on your computer, and is simply trying to trick you into installing the unwanted Chrome extension. At the same time, for those who have never seen a message like this, it can be quite alarming, as these scams make it difficult to close the browser tab or the browser itself.
Thankfully, almost all browser based tech support scams can be closed by simply opening Windows Task Manager and ending the browser process. It is important, though, that after you end the browser process you do not restore the previously open sites if the browser prompts you to when you start it again.
On the other hand, if you are constantly seeing these types of tech support scams, or these pages are opening by themselves, then it is possible that you are infected with adware or another unwanted program that is displaying them. Once again, do not worry, as it is quite easy to remove these infections if you follow the guide below.
The Chrome Security Warning is shown through advertisements that redirect you to sites that display this scam. These advertisements can be displayed by installed adware programs or through less than reputable sites that are displaying them to generate advertising revenue.
For the most part, if you see a browser based tech support scam, then you can simply close the browser and start it again. On the other hand, if you are continuously seeing scams with alerts like “Chrome Security Warning”, then you should scan your computer for adware and remove anything that is found.
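Because the scam's payload is an unwanted extension, a quick way to check what has actually been installed is to inventory the extension directories in the Chrome profile and flag any extension that asks for access to every site you visit. The script below is an added example written for this page, not a tool from the original article or from any vendor; it assumes the profile layout Chrome uses on disk (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\manifest.json`) and builds a constructed two-extension sample profile in a temporary directory so it runs offline. The extension names and ids in the sample are made up.

```python
"""Inventory installed Chrome extensions and flag those with access to every site.
Added example for triaging a profile after a browser-based tech support scam."""
import json
import re
import tempfile
from pathlib import Path

# Match patterns that give an extension's scripts access to every page the user visits.
BROAD_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*", "file:///*"}
MSG_RE = re.compile(r"^__MSG_(\w+)__$")   # localized manifest string, e.g. __MSG_appName__
EXT_ID_RE = re.compile(r"^[a-p]{32}$")    # Chrome extension ids are 32 chars from a-p


def resolve_msg(value, version_dir, default_locale):
    """Resolve __MSG_key__ through _locales/<locale>/messages.json; keys are case-insensitive."""
    m = MSG_RE.match(value or "")
    if not m:
        return value
    key = m.group(1).lower()
    for locale in (default_locale, "en", "en_US"):
        if not locale:
            continue
        msgs_file = version_dir / "_locales" / locale / "messages.json"
        if not msgs_file.is_file():
            continue
        msgs = json.loads(msgs_file.read_text(encoding="utf-8-sig"))
        for k, entry in msgs.items():
            if k.lower() == key and isinstance(entry, dict) and "message" in entry:
                return entry["message"]
    return value


def inventory(profile_dir):
    """Return one record per extension version found under <profile>/Extensions."""
    records = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return records
    for id_dir in sorted(ext_root.iterdir()):
        if not (id_dir.is_dir() and EXT_ID_RE.match(id_dir.name)):
            continue
        for version_dir in sorted(id_dir.iterdir()):
            manifest = version_dir / "manifest.json"
            if not manifest.is_file():
                continue
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            # MV2 lists host patterns under "permissions", MV3 under "host_permissions";
            # content_scripts carry their own match patterns in both manifest versions.
            hosts = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
            for cs in data.get("content_scripts", []):
                hosts |= set(cs.get("matches", []))
            broad = sorted(hosts & BROAD_HOSTS)
            records.append({
                "id": id_dir.name,
                "version": version_dir.name,
                "name": resolve_msg(data.get("name"), version_dir, data.get("default_locale")),
                "broad_host_access": broad,
                "flag": bool(broad),
            })
    return records


def build_sample_profile(root):
    """Write a constructed two-extension profile under root (sample data, not a real capture)."""
    root = Path(root)
    # A narrowly scoped extension: one named site, no localized strings.
    benign = root / "Extensions" / ("a" * 32) / "1.0.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Example Notes",
        "host_permissions": ["https://notes.example/*"],
    }))
    # An extension of the kind a scam page pushes: localized name, access to every site.
    pushed = root / "Extensions" / ("b" * 32) / "2.3.1_0"
    (pushed / "_locales" / "en").mkdir(parents=True)
    (pushed / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "__MSG_appName__", "default_locale": "en",
        "permissions": ["tabs", "<all_urls>"],
        "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["inject.js"]}],
    }))
    (pushed / "_locales" / "en" / "messages.json").write_text(json.dumps({
        "appName": {"message": "Chrome Browser Security"},
    }))
    return root


def demo():
    """Build the constructed profile in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_profile(tmp))


if __name__ == "__main__":
    for rec in demo():
        print("FLAG" if rec["flag"] else "ok  ", rec["id"], rec["version"],
              rec["name"], rec["broad_host_access"])
```

To run it against a real profile, call `inventory()` with the profile path instead of `demo()`, then compare the output with the list at `chrome://extensions`. Broad host access is not proof of malice (ad blockers and password managers legitimately need it), but a flagged extension you do not remember choosing to install is the first thing to remove.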
Your computer should now be free of the Chrome Security Warning scam. If your current security solution allowed the adware behind it onto your computer, you may want to consider purchasing the full-featured version of Malwarebytes Anti-Malware to protect against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below: http://networksecurityscanner-blog.com/reminder-2017-security-ethical-hacking-certification-training-save-98/