London was again the venue for the 18th Infosecurity Europe conference last week. Along with over 100 other exhibitors, it was a busy three days for Mimecast – security workshops (summarized in our blog post last week), talking to crowds attracted to our eye-catching stand and some great conversations with media, customers and prospects.
As expected at the premier security event, security was hotly discussed, with mobile security, cyber warfare, and threat detection and prevention recurring themes.
Given security is a vital part of our offering, we’re most interested in the evolution of the security landscape and how it impacts communication technology in business. From this viewpoint, we noticed a clear point emerging from the conversations this year – we’re entering a new chapter in the maturation of how businesses consider cloud services.
Gone are the days of businesses questioning whether their data is safer in the cloud; now the focus is on issues such as whether a vendor truly believes in industry standards – for instance, there is an increasing expectation that vendors be accredited against third-party standards such as ISO 27001 and participate in transparency initiatives such as the CSA STAR registry.
In addition, IT teams are becoming increasingly sophisticated in testing whether vendors can stand by their SLAs. On this subject, one of our customers, Paul Dryden, gave a vivid example in one of our workshops of how he evaluates cloud vendors – during a tour of the data centre he spontaneously asks the vendor to cut the power to see how the system reacts. Apparently, only one vendor has managed to perform the immediate simulated power cut for Paul. While this is one of the most extreme examples, we’ve encountered other customers and prospects who have indicated that they’re testing the SLAs of cloud vendors more rigorously.
With increasing pressure to comply with industry standards and more demanding tests of the strength and depth of their service, cloud vendors seem to be at a crossroads. Those services which have the scale and rigour to meet these growing expectations can look forward to growing recurring revenue, while the others will find themselves outside of the commercial conversation.
It’s possible that we’ll look back at 2013 as the year that there was a shake-out of the cloud service vendors, with security one of the key drivers for this change.
Spring finally arrived and ironically, the sun was shining in London at Infosecurity Europe with no clouds to be seen. The good news for us was this didn’t deter people from joining our Chief Scientist Nathaniel Borenstein and Technical Evangelist, Orlando Scott-Cowley to talk about the cloud. The session was so well received, we thought it’d be useful to summarize the content of the presentation (below):
Left to right: Orlando Scott-Cowley, Nathaniel Borenstein, Paul Dryden
They started by agreeing what the cloud is and what it means for security. There’s the public cloud (fully open and accessible), which many vendors use for customers’ data; the private cloud (closed), which serves private, business-sensitive uses; and the hybrid cloud, which combines features of both. Each allows you different levels of control and security.
“There’s plenty of cloud washing going on with many vendors claiming things to be in the cloud that aren’t.” — Orlando Scott-Cowley
The Cloud is now accepted as being more secure than your own network.
Putting your data in the cloud does give you an opportunity for better security, as cloud vendors’ security is usually a core part of their business. They’ll have more security and cloud expertise available to them, and are strongly motivated to do a great job – developing a reputation for poor security would likely destroy them. Generally, reputable cloud vendors have the resources to keep up to date with advances in technology and are highly motivated to do a good job and continue innovating.
But it’s also fair to say that cloud providers are bigger targets for attack. So a good place to start your assessment is taking a look at the vendor’s security reputation. If they’ve been around for a while (Mimecast has been here for over 10 years BTW) and you haven’t found any horrifying stories then as Nathaniel said they’re “…likely to be good at cloud security. Cloud vendors live or die by their security. The trick is really knowing whether or not a particular vendor is good at it”. Good cloud vendors are deeply committed to security and very open to talking about it.
So once you know you want a cloud how do you assess a vendor – what questions do you need to ask about them?
Talk to them about security standards. ISO 27001 accreditation is important. But assessing the scope of their compliance is vital – ensure the scope of the accreditation includes the production systems that process customer data, rather than unrelated systems like internal HR or billing platforms.
Also, the workshop discussed the CSA STAR registry from Cloud Security Alliance which allows customers to see detail on participating vendors’ activities and procedures, helping you to compare and evaluate how they protect your data.
Willingness to be open about security standards is an important test for vendors. If they’re happy to share this they have nothing to hide. (Of course, there are certain kinds of data that they don’t disclose because it would be a security leak to do so; passwords are just the most obvious example of this class of information.)
Where is my data?
Some customers also need to know where their data is housed and under what jurisdiction it sits. Assess what this means for your business. If this matters to you, then the cloud vendor should be willing to discuss this with you. This is not just a matter of legal concerns. Think also about connectivity – businesses in areas with poor Internet connectivity will often be much better off accessing servers that are nearby.
Will you get the service you want if the data is located somewhere you can’t guarantee the network performance you need? What continuity plans does the vendor have in place to keep their performance guarantees? It’s always acceptable to ask questions about the service – a good vendor will say ‘yes’ to allowing you to test the reliability of their service too. (However, if they’ve already been tested by several independent auditors that you’re inclined to trust, it’s not necessary that you burden them by repeating the tests.)
What do you take to the cloud?
When you’ve a service or application that is commoditized, it’s well suited to benefiting from the cloud. There’s also a whole set of apps, such as data mining and analytics, that largely can’t exist outside the cloud – they’re made possible by the characteristics of processing data aggregated in the cloud. With older apps and services, hybrid systems are often a good option – ask, ‘can you get the benefits of the cloud without going fully to the cloud?’
Nathaniel then laid out a list of questions customers should get answers to from all vendors – the questions that vendors “dread being asked.” The questions were:
How do you manage your cryptographic keys?
How do you handle change control in your software?
How do you handle patches to your OS and other key software?
How do you encrypt all client data at rest? Do you guarantee its integrity? What is my role in keeping it safe?
Are your development and operational platforms well separated?
What access do your administrators have to customer data?
What are your business continuity plans (BCPs) on matters like testing, documentation, etc.?
How redundant is your data and how do you prevent/recover from outages?
Do your employees have constrained, granular roles that are easily configured?
How do you manage security incidents? What is logged? How long is it retained?
Who are your third party security auditors?
Do you do regular penetration testing and vulnerability scanning?
Are your platform and business ISO 27001 accredited? If not, why not?
By the end of the session, it was clear both that there’s a strong appetite for this kind of help in assessing cloud vendors, and that there are even more questions that belong on the list.
Watch this space for more on this as we will explore the questions in a future post.
If we’ve missed out a great question that worked for you we’d love to hear it – post the question here or email Orlando at email@example.com.
This weekend Evernote became the latest cloud vendor to have its systems breached; user data including passwords has been compromised. In case this is news to you, a quick recap – Evernote assured us that passwords were correctly hashed and salted unlike LinkedIn, who neglected to salt their passwords. Evernote didn’t tell us whether or not the salts were compromised too. The attack “follows a similar pattern” to others so we can assume some sort of long term APT style compromise.
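As an added illustration of the hashing-and-salting point above (this is not code from Evernote, LinkedIn or the original post), the example below contrasts an unsalted SHA-1 digest with PBKDF2-HMAC-SHA256 using a random per-user salt, an assumed scheme chosen for the example, over constructed sample users. It shows why the lack of a salt matters to defenders: without one, the stored digests alone reveal which accounts share a password.

```python
import hashlib
import hmac
import os

# Constructed sample data: two of the three users happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}


def unsalted_hash(password: str) -> str:
    """Single unsalted SHA-1 digest, standing in for any scheme with no salt.
    Every user with the same password gets the same digest, so one precomputed
    table covers the whole user base at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt (assumed scheme, not Evernote's).
    The salt is not secret; it makes each digest unique per user, so any
    precomputation must be redone per salt. The iteration count slows each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Create the stored credential record: a random salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    candidate = salted_hash(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def users_sharing_a_digest(digests: dict) -> int:
    """Count users whose stored digest is identical to another user's.
    A non-zero result is the tell-tale of unsalted storage."""
    counts = {}
    for digest in digests.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(n for n in counts.values() if n > 1)


def compare_schemes() -> tuple:
    """Return (users sharing a digest without salt, the same with per-user salt)."""
    unsalted = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    salted = {user: make_record(pw)["hash"] for user, pw in USERS.items()}
    return users_sharing_a_digest(unsalted), users_sharing_a_digest(salted)


if __name__ == "__main__":
    print(compare_schemes())  # (2, 0)
```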
There are a couple of interesting observations one can make as a result of this last hack.
The usual amount of your-data-in-the-cloud-is-not-secure media hysteria has been dished out; no doubt some Evernote users will be busy deleting their notes as a result, even though their contents are probably as interesting as the ingredients list on a bottle of water. Being an Evernote user (yes, I have reset my password) I can’t help but think this isn’t about data in the cloud, or about the cloud at all; this is more about a target. Evernote was the target in this instance; before them it has been LinkedIn, Facebook, Yahoo, RSA Security, the New York Times, Iranian nuclear centrifuges, and the list goes on. Once the target has been identified, this sort of “coordinated attempt to access secure areas” is likely to succeed regardless of the data’s location. The data could be anywhere: in the cloud, on a server on your LAN, on one of your users’ laptops (Facebook), on a mobile device, in a filing cabinet (remember those) or even left on someone’s desk – the attackers will use whatever means they need to compromise that data.
Secondly, if there is weak security protecting that data, again the location is unimportant. Putting the data in the cloud on a dedicated platform means, as in Evernote’s case, the breach can be monitored and contained by people whose job it is to do that. There is very little one can do to contain the old-school espionage attack that reads secure material from your desk or even from your rubbish bin.
Evernote did the right thing and alerted its users to the hack, emailing them to advise password resets. They did slip up slightly though, by providing a link in the same email that also suggests users should “Never click on ‘reset password’ requests in emails — instead go directly to the service”. But to be fair, this is the first time Evernote has had to deal with this threat.
What this sequence of events really means is that 2013 could be the year that cloud service providers will rebalance their priorities, so that preparedness for attacks will be as important as getting the latest app version out the door, and also that we as consumers realise the importance of our data regardless of where we leave it.
Mimecast is preparing to go through our ISO 27001 certification at the moment and it struck me quite how different it is to certify as a cloud service vendor rather than as a traditional company.
Excuse my oversimplification of the ISO 27001 process for those not involved in it, but effectively there are four stages:
1. Define the organization’s acceptable risk
2. Work out what risk the organization is exposed to
3. Apply controls to reduce the residual risk to a level at or below the acceptable risk
4. Rinse, repeat
A common method is to conduct a risk assessment, perhaps using the methodology covered in ISO 27001’s sister publication ISO 27005, and then apply controls to manage the identified risks from another sister publication ISO 27002.