Tag Archives: saas

Methodology for the identification of critical connected infrastructure and services — SAAS, shared services..

ENISA released a study with a methodology identifying critical infrastructure in communication networks. While this is important and valuable as a topic, I dove into this study for a particularly selfish reason … I am SEEKING a methodology that we could leverage for identifying critical connected infrastructure (cloud providers, SAAS, shared services internally for large corporations, etc..) for the larger public/private sector.  Here are my highlights – I would value any additional analysis, always:

  • Challenge to the organization: “..which are exactly those assets that can be identified as Critical Information Infrastructure and how we can make sure they are secure and resilient?”
  • Key success factors:
    • Detailed list of critical services
    • Criticality criteria for internal and external interdependencies
    • Effective collaboration between providers (internal and external)
  • Interdependency angles:
    • Interdependencies within a category of service
    • Interdependencies between categories of services
    • Interdependencies among data assets
  • Establish baseline security guidelines (due care):
    • Balanced to business risks & needs
    • Established at procurement cycle
    • Regularly verified (at least w/in 3 yr cycle)
  • Tagging/Grouping of critical categories of service
    • Allows for clean tracking & regular security verifications
    • Enables troubleshooting
    • Threat determination and incident response
  • Methodology next steps:
    • Partner with business and product teams to identify economic entity / market value
    • Identify the dependencies listed about and mark criticality based on entity / market value
    • Develop standards needed by providers
    • Investigate how monitoring to standards can be managed and achieved (in some cases contracts can support you, others will be a monopoly and you’ll need to augment their processes to protect you)
    • Refresh and adjust annually to reflect modifications of business values

I hope this breakout is helpful. The ENISA document has a heavy focused on promoting government / operator ownership, but businesses cannot rely or wait for such action and should move accordingly. The above is heavily modified and original thinking based on my experience with structuring similar business programs. A bit about ENISA’s original intent of the study:

This study aims to tackle the problem of identification of Critical Information Infrastructures in communication networks. The goal is to provide an overview of the current state of play in Europe and depict possible improvements in order to be ready for future threat landscapes and challenges. Publication date: Feb 23, 2015 via Methodologies for the identification of Critical Information Infrastructure assets and services — ENISA.

Best, James

What the Cyber Executive Order means to your business, a critique

As expected for many months, the Executive Order entitled ‘Improving Critical Infrastructure Cybersecurity” has been signed and released.  There are numerous write-ups providing analysis and perspectives.  My favorites so far are from DWT , , and an article from American Banker.

What is important is businesses and leaders should take this in balance to their own business.  The first is – if you are not considered infrastructure plainly, you should analyze if and how you support those industries, because if so you will need to meet and participate in the realm of requirements that will roll forward from this EO.  The second is – if everybody is having serious problems on maintaining their business’ confidentiality, integrity of operations, and availability of services against foes, competitors, and nation states (as highlighted hundreds of times over the last few years) – how can Executives / Senior leadership / Board of Directors / and owners not consider this a risk that requires mature and top performer attention.

As I reviewed the EO with several clients this week (and I was both impressed with their interest and startled in some cases when the conversations shifted to ‘I don’t have to do this .. do I?’), I thought I would share several top points raised… I’ll update the list below over the next few weeks as the discussions continue:

  • “Sec2Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
    • Virtual is an interesting point that I raise below in the riddle ..
  • “4.12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.”

    • The use of the phrase ‘timely’ instead of actionable was a highlighted environment.  The difference is that actionable means that information shared would be more real-time, while timely may not meet this test.
  • [updated 2/18/13] “10.(c) Within 2 years after publication of the final Framework, consistent with.. and Executive Order.. (Identifying and Reducing Regulatory Burdens).., agencies..shall..report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements.”
    • This is an important section that will hopefully drive cross-standard acceptance, and at least conform to the principle of establishing a unified corporate compliance framework, as I articulated in my book back in 2008.

A few riddles to debate and seek to understand:

  • Is Amazon’s AWS considered Critical Infrastructure?  What about Microsoft Azure?  Expand that generally – what elements of PAAS, SAAS, IAAS are critical infrastructure.  
  • If they ARE the infrastructure (you know, that whole ‘Cloud’ thing is a pretty huge market and sometimes not always well understood what has shifted to a Cloud architecture), or what of the dependencies to the point that the Critical Infrastructure itself relies on these services (logging, alerting, big data analytics, etc…)


Still seeking,

James DeLuccia