Tag Archives: Cloud top tips

Advent IM Joins G-Cloud

Advent IM Supplier to Government, G-Cloud

Advent IM – now available to procure directly via G-Cloud

Advent IM Ltd is pleased to announce its inclusion on the Government’s Cloud Store, G-Cloud. This is the newest Government procurement framework and gives the public sector access to highly discounted, exclusive Government framework pricing. Buying through the framework gives confidence that procurement rules and guidelines are being met and avoids the need for an expensive tendering exercise. It also offers the private sector an easier route to working with public bodies.

Advent IM has a lengthy track record as a security consultancy for public bodies and Her Majesty’s Government. The Advent IM catalogue on G-Cloud shows the full range of services available to both public and private sector organisations. G-Cloud is designed to make it easier and faster for public bodies and departments to procure directly, and that now includes expert security consultancy from the team of specialists at Advent IM, without the convolutions and cost that the tender process can sometimes entail.

Advent IM consultants also work closely and very successfully with the private sector. This framework is a vehicle for the private sector to work with HMG more easily, especially small businesses for which the process of tendering may previously have been prohibitive. The incentive for the private sector is clear; however, certain standards of security practice will be expected of them and of their systems in order to be accepted onto G-Cloud. Advent IM can offer expert assistance and support to private sector businesses seeking entry onto the framework, whether in training, accreditation, cyber security and information assurance, or the host of other areas that need to be considered for G-Cloud.

 “We are delighted to have been selected as a G-Cloud supplier. Although we have had an excellent relationship with the public sector over many years, this marks the start of a direct procurement communications path between Advent IM and potential new clients. It opens doors that were previously not available to us and we look forward to the framework fulfilling its promise of quicker and smoother purchasing processes for public bodies. We also relish the opportunity to help more organisations become G-Cloud suppliers themselves by sharpening their security practices and gaining access to public sector work they were previously unable to tender for.” – Julia McCarron, Advent IM Operations Director

www.advent-im.co.uk-G_Cloud.aspx 

If you are a public body and are interested in procuring security consultancy direct, you can search us here.

http://govstore.service.gov.uk/cloudstore/search/?q=advent+im


Out-sourcing and Risk

Recently we have been reminded frequently about the growth in outsourced services: Computer Weekly’s recent report showed the continued growing appetite for outsourcing across the globe (http://www.computerweekly.com/news/2240151385/Shared-services-take-up-fastest-in-growing-market), and both PwC (http://www.pwc.com/gx/en/information-security-survey/giss.jhtml) and CIF (http://www.cloudindustryforum.org/) have lately demonstrated the growth in these markets. If you are entrusting someone else with your information and information processing facilities, this clearly has implications for your security. But what are they…?

Can you see and understand the whole Risk picture?

Well, first of all, not all arrangements with external parties are equal. Clearly the people hosting your hotel reservation and train fare booking systems are important, but probably not as important as those hosting your critical business systems and client information. Security is a risk-based discipline, and before you start making decisions about which security controls you should and should not put in place you should risk assess the third party. Things to consider include the type and sensitivity of the data, the extent and maturity of the third party’s existing security controls, any legal and regulatory requirements that you or your clients must meet, and the impact that losing access to your information and information processing facilities would have.

Any agreement with a third party involving their access to your information and information processing facilities should be comprehensive and, as a minimum, include:

  • the physical and logical controls you expect to be maintained around your assets;
  • the requirements you expect of their personnel (if you vet your staff, you might think it pertinent to make sure they vet theirs);
  • incident and weakness reporting procedures back to you;
  • their procedures for access to, and segregation of, your assets;
  • applicable SLAs; and
  • your right to audit them.

And once you have entered into an agreement with them, make sure you exercise your right to audit!

If your outsourcing strategy does or may include the use of Cloud-based services, read our short guide to Cloud security.

Cloud post #2 – The Revenge

Usage of Cloud services is growing; what do we think about that? Assess the real risks and don’t cloud the security issues.

OK, so there aren’t any actual sharks and the headline is a shameless pun, but this is an addendum, or part 2, to our original Cloud blog post, which you can read here if you haven’t already. (It will open in a new window so you won’t lose your place.)

Reading a survey from CIF last week (here), it’s clear that the number, or at least the percentage, of organisations using Cloud services is increasing. This includes the public sector; perhaps an enlightened reader can tell us how much of that is driven in the UK by G-Cloud.

However, it’s clear that the research term ‘use of Cloud services’ could be a bit misleading. There are variations in service type (platform services, software services and infrastructure services) and they are not all in growth.

Geographical breakdowns beyond ‘Europe’ are not available in the CIF report, which makes it difficult to dig into the cause. However, the PwC Global State of Information Security Survey does break out ‘Government’ respondents, and, consistent with the increased public sector interest we noted, IaaS is over-indexing in uptake for that group.

‘Global’ vs. ‘Government’ vs. ‘Europe’: % of organisations taking each Cloud service type. Source: PwC Global State of Information Security 2012

The same source highlights security concerns amongst Cloud users. Referring these back to some of the points made in our original blog, the security policies at the data’s end location are clearly a very important and sensitive issue: over 30% of respondents flagged this, making it the top security threat in this survey.

One of the other things we highlighted back in January was the ability to audit the data centre where your organisation’s data is held; this also comes through as a concern from Cloud users, including ‘Government’ users.

What is the greatest risk to your Cloud computing strategy? ‘Government’ vs. ‘Global’

Being able to audit where your data goes or is moved to, as well as fixing the end points for moving your data, are very important, as we said back in January. Whether this is achievable through a ‘broker’ style relationship, for instance, is debatable. In these situations the cost model is the driver, so wherever the broker can source capacity is where the data will sit or be moved to, and this may not mean all of the data is in the same place either. Specifying end points in a service level agreement, for instance, may start to push the price up, so it is crucial that you understand just what your risk appetite is in terms of what you will allow to happen to your data. Disturbingly, as a footnote to all the security issues highlighted in the PwC data, the CIF survey identified that 1 in 5 respondents were expecting to put their IT security services in the Cloud…

The CIF report states “One sign of the immaturity of the cloud market is reflected in terms of contractual process, as barely half (52 per cent) of cloud users negotiated the legal terms of their contract with their cloud service provider (CSP), with larger organisations more likely to do so. This also infers an evolution of the culture that led to the click-thru agreement online more than a business critical supply agreement.”

It’s clear then that organisations need to go into the Cloud with their eyes wide open and armed with a comprehensive risk assessment. Whilst it’s easy to label security consultants as Luddites who want to hold back the tide of progress, that is not true. We are realists who want businesses to protect themselves, their clients, their supply chain and their employees, and to progress into the future securely.

The safest place to keep your data…”Cloud” or “Train”..?

How will “Cloud” compete with “Train”?

We all know that the Cloud is the place to store all your data, right? We used to think that “Train” was the best place to store our data, and some traditionalists, such as the person who left the Olympic security plans on “Train”, clearly think it’s still the best data storage option. Of course, there is also “Taxi”, still popular, but you can only get your data to go on a maximum 20 mile round trip, so it’s a bit limited really. Not as limited as “Pub” though, a data storage concept that is still hanging around after all these years.

“I found this on the back seat of a Taxi.”

OK, joking aside, are businesses and organisations going into the Cloud fully armed with information? If they aren’t, then they may as well stick with Train and Taxi. We have put together a guide to help inform, dispel some myths (as we see them), and give some real clarity and guidance. With sincere thanks to our gifted and expert Consultants.

SC Magazine published an interesting piece just before Christmas on Cloud computing (http://www.scmagazineuk.com/loglogic-the-public-Cloud-will-be-breached-next-year/article/219907/).

Amongst the issues identified in the article were:

  • That Cloud-based infrastructure has a distinctive threat profile (right);
  • That the answer to Cloud security is through compliance and standards (to a degree); and
  • That Cloud service providers should be regulated by an independent body (we don’t agree).

These three assertions are worth some further digging and clarification.

The distinguishing threats relating to Cloud services have been well publicised, but here is a quick run-down of our top Cloud-based information security threats:

I. System Complexity – Public Cloud services have a serious underlying complication: subscribing organisations typically share components and resources with other subscribers who are unknown to them. Threats to network and computing infrastructures continue to increase each year and have become more sophisticated. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications, and it requires a high level of assurance in the strength of the security mechanisms used for logical separation.

II. Shared Multi-tenancy – While not unique to Cloud computing, logical separation is a non-trivial problem that is exacerbated by the scale of Cloud computing. An attacker could also pose as a subscriber in order to exploit vulnerabilities from within the Cloud environment and gain unauthorised access.

III. The Internet – Applications and data that were previously accessed from within the confines of an organisation’s network, but have been moved to the Cloud, must now face increased risk from network threats that were previously defended against at the perimeter of the organisation’s network, and from new threats that target the exposed end-points.

IV. Compliance – When information crosses borders, the governing legal, privacy and regulatory regimes can be ambiguous and raise a variety of concerns. Consequently, constraints on the trans-border flow of sensitive data, as well as the requirements on the protection afforded to the data, have become the subject of national and regional privacy and security laws and regulations. Among the concerns to be addressed are whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post-transfer, and whether the laws at the destination present additional risks or benefits.

V. Loss of Control – Remote administrative access as the single means of managing the organisation’s assets held in the Cloud also increases risk compared with a traditional data centre, where administrative access to platforms can be restricted to direct or internal connections.

VI. Mechanism Cracking – With Cloud computing, a task that would take five days to run on a single computer takes only about 20 minutes on a cluster of 400 virtual machines. Because cryptography is used widely in authentication, data confidentiality and integrity, and other security mechanisms, those mechanisms become, in effect, less effective when key-cracking capacity can be rented from the Cloud. The practical implication is that key lengths and password-hashing work factors need to be chosen on the assumption that an attacker can rent that cluster, not just a single machine. Granted, this isn’t purely a Cloud-based threat: traditional types of system are also possible targets.

VII. Insider Access / Threat – Data processed or stored outside the confines of an organisation, its firewall and its other security controls brings with it an inherent level of risk. The insider security threat is a well-known issue for most organisations and, despite the name, applies equally to outsourced Cloud services. With the Cloud, insider threats go beyond those posed by current or former employees to include contractors, organisational affiliates and other parties that have received access to an organisation’s networks, systems and data to carry out or facilitate operations. Incidents may involve various types of fraud, sabotage of information resources and theft of confidential information. Incidents may also be caused unintentionally; for instance, a bank employee sending sensitive customer information to the wrong Google mail account.

VIII. Data Ownership – The organisation’s ownership rights over its data must be firmly established in the service contract to provide a basis for trust. The continuing controversy over privacy and data ownership rights for social networking users illustrates the impact that ambiguous terms can have on the parties involved. Ideally, the contract should state clearly that the organisation retains ownership of all its data; that the Cloud provider acquires no rights or licences through the agreement to use the data for its own purposes, including intellectual property rights or licences; and that the Cloud provider does not acquire, and may not claim, any ownership interest in the data.

IX. Data Sanitisation – The data sanitisation practices that a Cloud provider implements have obvious implications for security. Sanitisation is the removal of sensitive data from a storage device, including servers, in various situations, such as when a storage device is removed from service or moved elsewhere to be stored. Data sanitisation also applies to backup copies made for recovery and restoration of service, and to residual data remaining upon termination of service. In a Cloud computing environment, data from one subscriber is physically intermingled with the data of other subscribers on shared storage, which can complicate matters. For instance, many examples exist of researchers obtaining used drives from online auctions and other sources and recovering large amounts of sensitive information from them.

So what is the answer to these Cloud-based security conundrums? Compliance with information security standards, as Mr Churchward* suggests? Well, in part, is the rather cryptic answer to that one, I think. There are some very good information security standards and control sets out there (COBIT, ISO/IEC27001:2005 and the UK government’s HMG Information Assurance Standards being just some examples). However, every experienced information security professional will know, or have known, at least one organisation for which holding the standard is the end as well as the means: frustratingly, they maintain a veneer of information security competency when the assessor arrives for the next audit, but in between audits security is just a byword for inconvenience.

So if the sight of a Cloud service provider brandishing a given security certification is not sufficient assurance, what is? We suggest these three steps to Cloud contractual heaven:

  1. The right to audit. And then do it. And don’t pick a service provider who is based a 36 hour flight away unless you, and your management, are prepared to send someone to their data centre to do the audit!
  2. Talk to prospective service providers about the threats above. If they are coy, defensive, or babble techno-speak, make sure you are content to receive the same level of evasiveness when you have a query, a business interruption scenario or a concern about your data.
  3. Does the would-be service provider sub-contract out its storage, security, administration or anything else? The very flexibility of Cloud-based services means your data, or responsibility for your data, can be syndicated out by your nominal provider in the blink of an eye. You wouldn’t sub-contract out your office space so readily, would you…?

On the point of standards, it is probably worth clarifying a couple of points for the unwary arising from the SC Magazine article:

  • ISO/IEC27001:2005 is the international (not just UK) standard for Information Security Management Systems. ISO/IEC27002:2005 is the accompanying guidance for the implementation of the security controls listed in Annex A of ISO/IEC27001:2005; it is a code of practice, so a provider is certified against ISO/IEC27001, not against ISO/IEC27002;
  • Neither ISO/IEC27001:2005 nor ISO/IEC27002:2005 mentions Cloud computing; however, most of the 133 Annex A controls are, or could be, applicable to a Cloud computing environment. Explicit reference to Cloud services is amongst the proposals for future changes to the Standard; and
  • There are already two approved international standards for Cloud-based technology relevant to security (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=53458 and http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=59388), though they are definitely for the propeller-heads amongst you!!

And what of Mr Churchward’s* assertion that “we need something externally policed, not self-certified, and a recognised industry body”? Well, I am not sure we agree, inasmuch as regulatory and enforcement bodies already exist for all sorts of activities relating to information security, Cloud-based or otherwise, and it seems an unnecessary burden to introduce another. Bodies with an interest in maintaining and improving Cloud security include statutory regulators such as the Information Commissioner’s Office (ICO); indeed, the Irish Data Protection Commissioner is currently working with one well-known international Cloud operation (Facebook) to improve its compliance arrangements (http://dataprotection.ie/viewdoc.asp?DocID=1175&m=f).

So to wrap up, we recommend that organisations considering entering into agreements with Cloud service providers:

  1. Conduct appropriate due diligence before doing so, including a full risk assessment that considers the risks laid out above;
  2. Make sure that the right contractual security clauses are in place, falling out from the risk assessment (e.g. if data sanitisation is a major issue for your organisation, make sure it is robustly referenced in the contract); and
  3. Ensure that external service providers, including Cloud operators, are part of the audit and assurance programme (this programme should also be risk-based, looking at the higher priority areas more frequently and in more depth).

www.advent-IM.co.uk

*LogLogic CEO Guy Churchward – quoted in SC Magazine article