Perhaps this is old news, given that the NSA chief made the comments below in 2011 while presenting to Congress to ask for support for the projects (basically a budget justification meeting). What is interesting is how he frames the weaknesses of the current state against the benefits of a future state that leverages cloud architectures. He is also referring to several key programs that are already deployed and seeing active participation.
How this relates to information security professionals, control safeguards, and ultimately PCI DSS is in the eye of the beholder. A striking point is the call to fundamentally challenge your risk assumptions and the benefits of moving to the cloud. A key consideration here is the concept of redeploying, rearchitecting, and, I would say, restarting the management of access and security anew. Cloud provides an inflection point for businesses and governments to start fresh to meet current threats.
In the CxO discussions I often have, framing these technology changes this way provides a mechanism to reach stability and integrity in technology-supported operations (hard to find an operation that is not). Consider the NSA chief's points below, and bear in mind that he is speaking of highly sensitive data with human life risks directly associated with it. That type of data is of the highest sensitivity, and if it can be secured in a collaborative, cloud, integrated, and mobile-enabled environment, why not other data elements and industries?
This is in line with the OCR NIST HIPAA guidance and the recent clarification (June 2012) regarding how cloud environments are subject to the Business Associate (BA) agreement and its security elements. Clouds are permitted, but the expected controls must exist, along with the proper risk management factors.
NSA Chief: “The idea is to reduce vulnerabilities inherent in the current architecture and to exploit the advantages of cloud computing and thin-client networks, moving the programs and the data that users need away from the thousands of desktops we now use — each of which has to be individually secured for just one of our three major architectures — up to a centralized configuration that will give us wider availability of applications and data combined with tighter control over accesses and vulnerabilities and more timely mitigation of the latter,” he testified before a House subcommittee in March 2011.
via NSA chief endorses the cloud for classified military cyber program – Cybersecurity – Nextgov.com.
James DeLuccia IV
Tagged 2012, cloud computing, Compliance, cybersecurity, grid computing, it compliance and controls, IT Controls, james deluccia, jdeluccia, pci, PCI DSS, Security
This week is the RSA Conference in San Francisco, and beyond the huge conference itself with great people in attendance, there are also numerous satellite conferences happening (BSidesSF and Cloud Summit). All that brain power is bound to generate discussion, and research reports are generally released during this PR window. So here are a few items (new and old) that jumped out at me, are getting much discussion, and are worth restating. As always, I will be punching up my notes to share as meaningful things are presented.
First stop, the CIO of the U.S. Government, on DarkReading: “White House CIO Lays Out ‘Cloud First’ Strategy To Streamline Bloated Government IT”. This is generally a repeat of his prior strategy laid out before the security community [Direct D/L] and in the Wall Street Journal. Nonetheless, it is worth zipping through:
In the same stream of thought (both were highlighted at Cloud Summit) is the start of the update to the “Security Guidance for Critical Areas of Focus in Cloud Computing” by the Cloud Security Alliance. Note that this is a collaborative group, and passionate, knowledgeable people are highly sought; if you can, give your time and help. The prior version is available here for download.
The True Cost of Compliance report, put forward by the Ponemon Institute and Tripwire (released January 2011), states right off the top that average non-compliance costs exceed the cost of compliance by more than $5 million. Here is the link to the report; no registration required, very nice. I am also interested in what that cover graphic is hiding…
Plenty of great streams of information are flowing from the conference on Twitter. Set search filters to #RSAC and #RSA, and of course, if you like a specific area (NIST, ISO, Cloud), hit those tags up too… This week is going to produce enough reading for a few flights across the pond for us all!
Tagged 2011, cloud computing, Compliance, data breaches, grid computing, it compliance and controls, IT Controls, pci, regulation, rsa, rsac
The beautiful opportunity with distributed computing, globalization, and cloud services is the ability to scale and run complex environments around the globe. This is balanced, of course, by the need for assurance that operations are occurring as you expect, are managed properly, and are protected to secure the competitive intelligence of the business. Especially interesting has been the movement to centralize a company's data centers into super data centers.
Together these points raise questions that are possibly answered by the ENISA (European Network and Information Security Agency) report highlighting the decisive factors of an end-to-end resilient network. The report can be found directly at this link.
An interesting challenge, highlighted by what appears to be Egypt’s government shutting down the internet, is how these distributed cloud systems are managed if they are cut off from their administrative consoles. A consideration for all businesses, and perhaps an appropriate addition to business continuity and similar risk planning documents, is the following:
Can the business’ systems function autonomously when the primary controls and administrative connections are lost?
Perhaps a lesson could be learned from the masterful administration of the botnet armies that leverage dark and shifting network clouds.
I would be interested in the implications that arise as a result of this disconnection of a country, and the potential for other countries (whether due to more direct action, or as the indirect result of efforts to further contain internet traffic).
Come join me and others in San Francisco, where I will be speaking at RSA. Stop by, let's catch up, and I am looking forward to great debates (as always).
I just finished reading the Microsoft Global Criminal Compliance Handbook, and a few things come to mind that are beneficial for every business owner, security professional, and innovator…
- First off, the detail and type of information available is very interesting and demonstrates a very prudent effort to lock down what can be reliably provided to law enforcement. I am certain that with a bit of effort less reliable data could be uncovered if required, but consider the intense level of technology practices and controls required to state unequivocally that these data points are available.
- Ask yourself this question: what data points and metrics does my business rely upon, and can we currently make such absolute statements with regard to the availability and integrity of that information? A step further: what information requests does your business receive (within the context of Information Technology, Audit, Security, and Risk Management) throughout the year, and how rapidly can this information be presented? It appears from this document that Microsoft has worked the process into a near real-time response, and that is the new reality and requirement for organizations to be competitive and cooperative with internal and external parties.
- Secondly, the access to business financial accounts and online storage accounts highlights (or simply reinforces) a concern with cloud computing systems. Deploying or using systems that are not “yours” creates a reasonable chance that the true operator will grant access to your data for “appropriate” reasons. While I encourage businesses to respond to legal requests as required, it is the risk manager's task to consider these situations and ensure operators have SLAs in place, along with technical assurances that provide proper safeguards.
- SLA discrepancies between companies and third-party providers are a gap that is growing with the use of SaaS (and other iterations of) providers, and they are a new risk vector that must be considered carefully.
- Thirdly, information versus knowledge: the document goes beyond simply dumping data on the recipient and is designed to help the layman understand the data provided. The effort put into conveying knowledge is truly exceptional and not often found within the highly technical and complex system environments that make up technology. Reflection on internal documentation and the conveyance of knowledge should receive equal effort, if not more, than the actual production of data points. While technologists are able to interpret complex interactions between multiple routing devices and ACL logs, the team lead, business manager, auditor, and CEO need to know what those interactions mean in order to merge these facts into the greater business risk landscape.
While several articles highlight the privacy and other direct implications, I hope this post has provided productive, next-step information on this Microsoft document. The document may be downloaded directly here from WikiLeaks. A Computerworld article is available that nicely breaks down the document.
Tagged 2010, audit, best practices, cloud computing, Compliance, forensics, grid computing, it compliance and controls, IT Controls, pci, Security, virtualization
What happens to the organization when the data that represents the heart of the business is distributed through Twitter, Facebook, torrent networks, gaming consoles, iPhones, Google phones, and similar peripherals? Many would state that DLP is the holy grail for ensuring the data never reaches these platforms, but I would challenge that statement with the fact that much content going forward will be generated on these devices. The growing number of platforms and interfaces, the availability of APIs, and the now efficient and mature malware market create a new risk landscape.
Visit me next week live to discuss these challenges in depth at RSA London 2009. I have brought together leading thinkers in this space and woven in client engagements to make it relevant and actionable. A brief (9-minute) podcast was published last week and may be viewed here with the abstract, or here for the direct link to the mp3.
A new risk landscape exists – how have you adjusted?
Tagged botnet, Compliance, data breaches, denial of service attacks, grid computing, it compliance and controls, pci, rsa, Security, twitter, virtualization