All posts tagged Security

This week Daniel Dern spoke to NeoSpire’s director of security, Sean Bruton, in an Information Week SMB article about the realities of cloud security and the key questions to ask when assessing a cloud service provider’s claims.

The interview, available here, is a Q&A session with Bruton, who talks about some of the security issues and concerns that companies should consider before selecting an external hosting company or cloud service, or deciding whether to “keep things inside.”

Dern and Bruton identify some of the real bonuses of Cloud adoption, such as economies of scale and the importance of provider compliance. But what sticks out to me is that the big question regarding security is really a question about due diligence. This blog has previously argued for the importance of customers’ due diligence on the Cloud, and Bruton’s comments only reinforce this.

There is no doubt that the security of your data in the Cloud is a hot topic at the moment, and most people have opinions on the subject. Many start from a position of doubt or outright rejection, but some, generally those who have done the background legwork, are less skeptical. When I talk to customers and prospects, security is often at the top of the agenda; but when I take the time to whiteboard and explain the controls we as a Cloud provider put in place, you can almost see the reassurance on their faces. The discussion quickly moves on to how the cloud adds value to their infrastructure, and the network effect that comes with it.

So cloud security really comes down to asking the right questions, making sure your vendor of choice is willing to discuss the finer points of their controls, and, importantly, realizing that in most cases the Cloud is only going to enhance the level of security applied to your data.

Dern closes by asking: “So you have to understand what any cloud vendor means when they say Security.” He’s right, you do, but you must also understand why you’re asking that question so that the answers are meaningful. Any self-respecting, genuine cloud vendor will be only too happy to discuss the security enhancements they are providing for your data; if they don’t, your due diligence has hit a red flag.


CISSP, CCSK
Mimecast, North America.


Jay Heiser of Gartner makes some interesting points in his recent blog post, especially regarding the suitability of existing security standards and certifications for evaluating vendors utilising what is a fairly new and evolving delivery model.

The work by the Cloud Security Alliance and CloudAudit is making good progress in delivering a set of recommended controls specific to the cloud, along with a mechanism for third-party evaluation of conformance, but in the meantime customers just have to exercise caveat emptor on a case-by-case basis.

Customer due diligence is the key to choosing a Cloud provider, but this due diligence has to take into account what you actually do on-premise as a baseline, rather than some utopian expectation.

As Mimecast’s CSO I can’t tell you the number of 300 – 400 question RFPs we receive from customers who’ve searched for them on the Internet. On closer inspection of the customer’s current solution you find PST files scattered across their network, unencrypted archive databases, countless email and archive administrators, single points of failure, and fragmented, inconsistent administration across the multiple platforms that form their email infrastructure.

In these instances moving to the cloud is going to instantly deliver improvements over their existing security, but still these customers hold irrational fears because they are nervous about moving their data from a data centre where they can touch and feel the hardware to a service that abstracts it all away. They deliberately build a level of expectation that far exceeds their current level of security as a mechanism to justify not moving to the cloud.

Security breaches are bad for cloud service providers: they elongate the sales cycle, increasing the cost to sell; they impact renewal revenue, which is the means of survival for most cloud vendors; and they play into the hands of on-premise vendors using FUD to put customers off considering the cloud. Cloud vendors cannot get away with throwing a bunch of hardware and software into a customer data centre and disappearing for three years until the next upgrade is due.

Cloud vendors are judged day in, day out by the performance and the security of their services. Because of this, most cloud providers take considerable effort to ensure their environments, platforms and services are secure.

Not all cloud vendors are created equal, and in fact many aren’t true cloud services. They are the latest incarnation of what were application service provider or managed service provider platforms, re-purposing on-premise appliances or software by simply putting a web front-end on products that are often ill-suited to multi-tenant environments. Customer due diligence must identify these kinds of ‘cloud’ offerings and the risks inherent to such environments (for instance client separation, end-to-end encryption, and the chain of custody of data that may need to be used as evidence at a later date).

Email is a critical business tool, but also a commodity, which makes it a prime candidate for outsourcing to a cloud provider. Cloud providers will often deliver immediate benefits in security, but potential customers must exercise the appropriate due diligence and weigh the results against their current environment as a baseline. Many customers will find themselves pleasantly surprised by decreased cost, increased functionality and increased security.


The Telecommunications Regulatory Authority (TRA), the body responsible for the management of the telecommunications and information technology industries within the United Arab Emirates, is threatening to block critical functionality of Research In Motion’s popular BlackBerry messaging devices.

BlackBerries encrypt data between the handset and the servers in RIM’s infrastructure, making it impossible for eavesdropping government agencies to easily intercept emails, instant messages or other Internet traffic.

The TRA is asking RIM to provide access by October 11, 2010, on request, to information on specific users’ activity; if RIM refuses to comply, the TRA will limit the functionality of BlackBerry devices to voice and SMS messaging (which they can intercept through the carrier networks). This action would affect nearly a million BlackBerry subscribers in the UAE territory, not to mention visitors from overseas.

Some of the Emirates have already taken unilateral action. Etisalat, an Abu Dhabi-based mobile carrier part-owned by the Dubai government, shipped a ‘service enhancement’ patch to 145,000 BlackBerry subscribers in Dubai around this time last year that turned out to contain spyware.

Update: Saudi Arabia is also banning BlackBerries on the grounds of national security, according to the WSJ.


There is a race being run right now, a race that never ends, where the participants can’t stop for a breather; one of those races you keenly enter, but halfway through ask yourself, why am I doing this again?

It’s the sort of race that appears to chase a point that is constantly moving with the horizon.

Running into the sunset

Enough of the race & horizon metaphor…

What I’m talking about is the constant cat-and-mouse game that we all play with the spammers, phishers, virus writers and general Internet nasties. Almost every user who is exposed to the Internet understands the sort of problems that exist. Email administrators in particular have the tricky job of protecting their users and are best placed to understand the problem. But keeping up with the ever-changing threat landscape is a constant balance and battle, and takes dedication if you’re prepared to fight that fight yourself.

Research tells us that senders of malicious email (by which I mean spam, viruses, phishing and all the other junk out there) are trying to get each individual piece of malicious email into your inbox within 11 minutes of the time they release it into the wild. If it takes longer, they move on. Why is this? Because within those 11 minutes the security vendors of the world have detected the new threat and have started to issue updates to protect their client base against it.

As with most things the early bird does indeed get the worm, or in this case your inbox gets the worm (or spam, or phishing attack).

Many on-site security appliances and software solutions have these updates pushed down to them by their respective vendors, which is a great idea but strikes me as a little too slow. If this is all about speed, we really need to be thinking about the fastest and most efficient way of keeping up.

If I were a spammer…

…or virus writer, I would be depending on, and even taking advantage of, the slow reaction of you or your security vendor. I would be hoping that someone somewhere isn’t as alert as perhaps they should be.

Of course, in my new dark world of spamming, phishing and viruses, the nature of my business is speed and money. The faster I am, the more money I make. I will be preying on people who don’t think like this, people who are slower than I am.


ISO 27001 in a cloud world

Mimecast is preparing to go through ISO 27001 certification at the moment, and it struck me quite how different it is to certify as a cloud service vendor rather than as a traditional company.

Excuse my oversimplification of the ISO 27001 process for those not involved in it, but effectively there are four stages:

1. Define the organization’s acceptable risk
2. Work out what risk the organization is exposed to
3. Apply controls to reduce the residual risk to a level at or below the acceptable risk
4. Rinse, repeat

A common method is to conduct a risk assessment, perhaps using the methodology covered in ISO 27001’s sister publication ISO 27005, and then apply controls from another sister publication, ISO 27002, to manage the identified risks.
