Tag Archives: cybersecurity act

IT Controls and Cloud Computing, Part I

The past 12 months I have spent more time wrestling with Cloud infrastructures, Cloud security plans, and Cloud audit controls then I expected…  While a tremendous amount of material has been produced on the challenges of Cloud computing I feel a voice of “reason” is valuable related to actual usage of cloud environments and working in the here and now.  More pointedly, too much of our focus within risk and security is on the problems of the Cloud Providers (insert any definition you wish) practices, and not sufficiently on the operator’s requirements and needs.  So, let me consolidate my thoughts below and save greater detail for future posts and (I am certain) lively discussions.

Cloud Security Providers are just that – providers, and we need to work with what we are given to meet compliance, security, and operational targets.  It is not prudent to spend time wishing for new security practices from providers (such as Amazon / Salesforce) – when we have (and have had) the tools to mitigate the risks that they present.  I prefer to present this concept to colleagues that Cloud providers should be treated as the power company – trust them enough to get you power, and proactively plan for the rest.  In this context we have breakers for our homes; power strips; battery backups, and a number of power cleaning solutions at the enterprise level.

The primary reality of Cloud computing can be thought of in this manner – if we were running our systems (full machines or the application) remotely what security safeguards would we put in place?  This covers a significant number of the traditional risks that exist to the systems and functions.  These are not the only risks however…

The second reality of Cloud computing is the new paradigm of cloud operations.  This is an effect I spend the most time on with organizations and experts – not what is missing from XYZ provider, but how are business operations different?  This difference creates a material change in the organizatoin’s business process; IT Controls; and ability to maintain agility in operations.  Let me be specific on some of the areas that require prudent attention:

  • Culture shift, job responsibilities and separation of duties collapse in most cases  (the provisioning of servers was once operated by Jane is now also done by Bob for the virtual systems, but in a Shadow and less prudent manner)
  • Assumptions of operations – Operators of systems assume that the systems will be updated; patched; secured; and managed.  This is also true beyond the simple ‘is the server patched’ to include ‘how / who is securing the systems at the network layer’
  • Direct / Console access to data – A concern related to Cloud service providers is the administrative capabilities that exist within the various Cloud deployments.  This should be addressed through end-point security solutions that can be deployed on the given hosts (where applicable) and managed through data custodianship for data and application providers.

The first two bullets above contain the absolute largest challenges to auditors, operators, and the ongoing success of Cloud services.  More on that later though…
An interesting result of the Cloud deployment is the velocity and fluidity of information demands better understanding and management of such information.  Through proper data controls and maintenance the greatest risks can be reduced.

Of course… it depends on your intent, industry, data type, and business…but this is a great place for consideration and thought.

Challenges / Thoughts / Additions / Corrections,

James DeLuccia

Excerpts from s.773 as introduced in the U.S. Senate: Cybersecurity Act of 2009

The following are interesting excerpts from S.773 that were of particular interest.  I strongly suggest reading the full bill and the included comments, as this will be impactful to global information technology security controls in the near future.


(b) CRITERIA FOR STANDARDS- Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.

Developing standards based on a “Risk Profile” is massively more universal and feasible to execute than the minutiae that exists broadly.  It is important to note that the Risk Profile for one institution shall be different than another institution based on the infrastructure, management setup, personnel, and third party service providers enjoined in the business/government processes.  This is equally true for businesses, and a point often raised with regards to PCI DSS – that it addresses specific risks for specific data, but is not an appropriate information security framework for all / any / whole businesses.


(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated…as a critical infrastructure information system or network, who is not licensed and certified under the program.

The establishment of a mandatory certification program is important, and valuable.  I would stipulate that a series of certifications shall be presented (likely from an existing training provider, such as SANS) to provide certifications that reflect specific subject areas (network security; application security; governance and compliance; etc…).


(b)(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access

The consolidation of “relevant data” will create a large of amount of information that can be transformed into very actionable intelligence for both public and private institutions.  It is great that (C ) INFORMATION SHARING allows for the private sector to access this data repository.  The amount of trending and innovations that could be developed would be significant.  Conversely it is also highly risky to setup widespread data sharing permissions, large scale transmission of likely sensitive data, and the propensity for organizations to institute data masking and privacy measures to limit their risk but also the value of such data.

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network

This is a section that has received widespread attention, so I shall not comment but it is a concern that should be evaluated by all parties.

As this bill is continually debated and amended it will surely change, but it is critical that security professionals understand the intent of this legislation.  It is this core intent that will prevail in the long term.  The focus of information security and national threats is escalating, as highlighted specifically in the – 2009 Report to Congress on the US-China Economic and Security Review Commission and the ‘Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation‘ (There are many threats across the globe, but these two reports are simply highlighted given their recent release).

Comments / Concerns?

James DeLuccia

PCI Data Breaches: Washington, Safe Harbor 2010 Update, and Federal Cybersecurity

A number of state laws have come into effect and updated to respond to the challenges created by breaches of sensitive data – specifically, credit card data that allows for fraudulent charges to be conducted.  A very nice article is available by Charlene Brownlee on Davis Wright Tremaine LLP’s advisory page.  I strongly suggest clicking over there from the link below to read the entire article.  A few points to highlight:

Safe Harbor – Washington state has amended their Data Breach statute to focus on large businesses, processors, and vendors to take reasonable care to secure access to account information.  Most interesting is the Safe Harbor clauses – encryption OR an appropriate certification under PCI DSS within the past 12 months!  This is in stark contrast to the situations where organizations that suffered data breaches were found to not be in compliance ‘at that moment’, and therefore paid associated fines.

Massachusetts – effective March 1 2010, requires a comprehensive written security program in place.
Minnesota and Nevada’s data breach laws are also highlighted in this article.  The table is especially informative.

Direct link to Davis Wright Tremaine LLC Advisory article

States are moving strongly against Data Breaches and are referencing and supporting industry standards such as PCI DSS.  Additional legislation at the Federal level for example: H.R. 4900, and H.R. 4061 (Cybersecurity Actpassed on March 2010 by the House and discussed here) are also being enhanced, and have the potential to create a larger framework of best practices for organizations to follow.  Continued focus on appropriate risk management and threat models shall be more necessary as these laws mature and are amended.

Other thoughts?

James DeLuccia