Category Archives: Legal

Four Things You Need to Know About PCI Compliance in the Cloud

By Andrew Hay, Chief Evangelist, CloudPassage

Andrew Hay is the Chief Evangelist at CloudPassage, Inc., where he is lead advocate for its SaaS server security product portfolio. Prior to joining CloudPassage, Andrew was a Senior Security Analyst for 451 Research, where he provided technology vendors, private equity firms, venture capitalists and end users with strategic advisory services.

Anyone who’s done it will tell you that implementing controls that will pass a PCI audit is challenging enough in a traditional data center where everything is under your complete control. Cloud-based application and server hosting makes this even more complex. Cloud teams often hit a wall when it’s time to select and deploy PCI security controls for cloud server environments. Quite simply, the approaches we’ve come to rely on just don’t work in highly dynamic, less-controlled cloud environments. Things were much easier when all computing resources were behind the firewall with layers of network-deployed security controls between critical internal resources and the bad guys on the outside.

Addressing the challenges of PCI DSS in cloud environments is not insurmountable. There are ways to address the key challenges of operating a PCI DSS in-scope server in a cloud environment. The first step towards embracing cloud computing, however, is admitting (or in some cases learning) that your existing tools might not be capable of getting the job done.

Traditional security strategies were created at a time when cloud infrastructures did not exist and the only use of public, multi-tenant infrastructure was data communications via the Internet. Multi-tenant (and even some single-tenant) cloud hosting environments introduce many nuances, such as dynamic IP addressing of servers, cloud bursting, rapid deployment and equally rapid server decommissioning, that the vast majority of security tools cannot handle.

First Takeaway: The tools that you have relied upon for addressing PCI related concerns might not be built to handle the nuances of cloud environments.

The technical nature of cloud-hosting environments makes them more difficult to secure. A technique sometimes called “cloud-bursting” can be used to increase available compute power extremely rapidly by cloning virtual servers, typically within seconds to minutes. That’s certainly not enough time for manual security configuration or review.

Second Takeaway: Ensure that your chosen tools can be built into your cloud instance images so that security is part of the provisioning process.

While highly beneficial, high-speed scalability also means high-speed growth of vulnerabilities and attackable surface area. Using poorly secured images for cloud-bursting or failing to automate security in the stack means a growing threat of server compromise and nasty compliance problems during audits.

Third Takeaway: Vulnerabilities should be addressed prior to bursting or cloning your cloud servers and changes should be closely monitored to limit the expansion of your attackable surface area.
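The second and third takeaways amount to two checks a provisioning pipeline can run: refuse to clone an image that still carries unresolved findings, and compare every running clone against the baseline it was cloned from so that drift (new packages, new listening ports) is caught rather than silently multiplied. The following is an added example, not code from the article or from CloudPassage; the image manifests, package names, finding identifiers and port numbers are constructed sample data, and the manifest format is an assumption.

```python
"""Gate cloning on a clean baseline and detect drift in clones.

Added example (not the article's or CloudPassage's code). A "manifest" is
assumed to be a dict with installed package versions and listening ports;
in practice it would be produced by the image build and by an agent on
each running clone. All data below is constructed for illustration.
"""
import hashlib
import json


def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def unresolved_findings(manifest, findings):
    """Return the ids of findings still present in the manifest: the affected
    package is installed at a version below the version that fixes it."""
    unresolved = []
    for finding in findings:
        installed = manifest["packages"].get(finding["package"])
        if installed is None:
            continue
        if parse_version(installed) < parse_version(finding["fixed_in"]):
            unresolved.append(finding["id"])
    return unresolved


def clone_allowed(manifest, findings):
    """The gate: an image may be cloned/burst only when nothing is unresolved."""
    return not unresolved_findings(manifest, findings)


def manifest_digest(manifest):
    """Stable SHA-256 over the canonical JSON form, so identical clones agree."""
    blob = json.dumps(manifest, sort_keys=True).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def drift(baseline, clone):
    """Describe how a running clone differs from the image it was built from."""
    base_pkgs, clone_pkgs = baseline["packages"], clone["packages"]
    return {
        "added": sorted(set(clone_pkgs) - set(base_pkgs)),
        "removed": sorted(set(base_pkgs) - set(clone_pkgs)),
        "changed": sorted(p for p in set(base_pkgs) & set(clone_pkgs)
                          if base_pkgs[p] != clone_pkgs[p]),
        "new_ports": sorted(set(clone["listening_ports"])
                            - set(baseline["listening_ports"])),
    }


# Constructed sample data: fictional packages and placeholder finding ids.
KNOWN_FINDINGS = [
    {"id": "EXAMPLE-FINDING-1", "package": "examplelib", "fixed_in": "2.3.4"},
    {"id": "EXAMPLE-FINDING-2", "package": "tlslib", "fixed_in": "1.4.0"},
]

GOLDEN_IMAGE_UNPATCHED = {
    "packages": {"examplelib": "2.3.1", "tlslib": "1.4.2", "webserver": "3.0.0"},
    "listening_ports": [22, 443],
}

GOLDEN_IMAGE_PATCHED = {
    "packages": {"examplelib": "2.3.4", "tlslib": "1.4.2", "webserver": "3.0.0"},
    "listening_ports": [22, 443],
}

# A clone someone changed by hand after boot: extra tool, extra service.
CLONE_DRIFTED = {
    "packages": {"examplelib": "2.3.4", "tlslib": "1.4.2", "webserver": "3.0.0",
                 "netcat": "1.10"},
    "listening_ports": [22, 443, 8080],
}


if __name__ == "__main__":
    print("unpatched image blocked:", not clone_allowed(GOLDEN_IMAGE_UNPATCHED, KNOWN_FINDINGS))
    print("patched image allowed:", clone_allowed(GOLDEN_IMAGE_PATCHED, KNOWN_FINDINGS))
    print("drift in clone:", drift(GOLDEN_IMAGE_PATCHED, CLONE_DRIFTED))
```

The gate runs once per image before it is cloned; the drift check runs per clone, continuously, and is cheap enough to schedule far more often than a human could review a burst of new servers.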

Traditional firewall technologies present another challenge in cloud environments. Network address assignment is far more dynamic in clouds, especially in public clouds. There is rarely a guarantee that your server will spin up with the same IP address every time. Current host-based firewalls can usually handle changes of this nature but what about firewall policies defined with specific source and destination IP addresses? How will you accurately keep track of cloud server assets or administer network access controls when IP addresses can change to an arbitrary address within a massive IP address space?

Fourth Takeaway: Ensure that your chosen tools can handle the dynamic nature of cloud environments without disrupting operations or administrative access.
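The problem in the paragraph above is a policy written in terms of addresses that the cloud does not promise to keep. One way to handle it is to express the policy in terms of server roles (tags) and re-render concrete rules from the live inventory every time a server is provisioned or replaced. The following is an added example, not code from the article or from CloudPassage; the inventory, roles, addresses and ports are constructed sample data, and the inventory format is an assumption.

```python
"""Role-based firewall policy rendered from a live inventory.

Added example (not the article's or CloudPassage's code). Policy names
roles rather than IP addresses; concrete allow rules are regenerated from
whatever the inventory says right now, and stale static rules are
reported. Inventory data below is constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Instance:
    instance_id: str
    role: str        # e.g. "web", "app", "db", "bastion"
    private_ip: str

    def __post_init__(self):
        ipaddress.ip_address(self.private_ip)  # reject malformed addresses early


# Intent: who may talk to whom, on which port. No addresses here.
POLICY = [
    {"src_role": "web", "dst_role": "app", "proto": "tcp", "port": 8443},
    {"src_role": "app", "dst_role": "db", "proto": "tcp", "port": 5432},
    {"src_role": "bastion", "dst_role": "*", "proto": "tcp", "port": 22},
]


def render_rules(policy, inventory):
    """Expand role-based policy into concrete (src_ip, dst_ip, proto, port)
    allow rules for the fleet as it exists right now."""
    by_role = {}
    for inst in inventory:
        by_role.setdefault(inst.role, []).append(inst)
    rules = set()
    for entry in policy:
        sources = by_role.get(entry["src_role"], [])
        if entry["dst_role"] == "*":
            destinations = list(inventory)
        else:
            destinations = by_role.get(entry["dst_role"], [])
        for src in sources:
            for dst in destinations:
                if src.instance_id == dst.instance_id:
                    continue  # no self-rules
                rules.add((src.private_ip, dst.private_ip,
                           entry["proto"], entry["port"]))
    return sorted(rules)


def stale_rules(static_rules, inventory):
    """Static rules whose source or destination no longer belongs to any live
    asset: these are what break after a server is replaced with a new IP."""
    live = {inst.private_ip for inst in inventory}
    return [r for r in static_rules if r[0] not in live or r[1] not in live]


# Constructed fleet before and after the web server is recycled with a new IP.
FLEET_BEFORE = [
    Instance("i-web1", "web", "10.0.1.10"),
    Instance("i-app1", "app", "10.0.2.20"),
    Instance("i-db1", "db", "10.0.3.30"),
    Instance("i-bastion", "bastion", "10.0.0.5"),
]
FLEET_AFTER = [
    Instance("i-web2", "web", "10.0.1.57"),   # replacement web server, new address
    Instance("i-app1", "app", "10.0.2.20"),
    Instance("i-db1", "db", "10.0.3.30"),
    Instance("i-bastion", "bastion", "10.0.0.5"),
]


if __name__ == "__main__":
    frozen = render_rules(POLICY, FLEET_BEFORE)   # what a static ruleset would hold
    print("rules that went stale after the web server was replaced:")
    for rule in stale_rules(frozen, FLEET_AFTER):
        print("  ", rule)
    print("re-rendered rules from current inventory:")
    for rule in render_rules(POLICY, FLEET_AFTER):
        print("  ", rule)
```

The point of the check is operational: any rule that references an address no longer in the inventory is either dead weight or, worse, now grants access to whichever tenant or workload the cloud next assigns that address to, so the render step should run on every provisioning event rather than on a schedule.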

The auditing and assessment of deployed servers is an addressable challenge presented by cloud architectures. Deploying tools purpose-built for dynamic public, private and hybrid cloud environments will also ensure that your security scales alongside your cloud server deployments. Also, if you think of cloud servers as semi-static entities deployed on a dynamic architecture, you will be better prepared to help educate internal stakeholders, partners and assessors on the aforementioned cloud nuances – and how your organization has implemented safeguards to ensure adherence to PCI-DSS.



Compliant Cloud includes all products, services required to keep cloud infrastructures compliant with PCI DSS, HIPAA, ISO 27001/2


Compliant Cloud includes all the necessary products and services required to keep cloud infrastructures secure and compliant with PCI DSS, HIPAA, ISO 27001/2 and other regulations and standards.

US companies remain concerned over lingering data security risks with new cloud-based applications – and as a result, they lag behind Asia-Pacific and Latin American companies in the adoption of cloud computing by nearly two to one, according to a recent report in Forbes magazine. ControlCase has developed a solution to alleviate these security issues and allow US companies to confidently leverage the latest cloud-based systems.

ControlCase has partnered with leading cloud-based technology providers to make this elegant package of solutions complete and comprehensive; Skydera provides an easy-to-use management interface, while Amazon hosts the service securely and reliably.

The Compliant Cloud service is incorporated into ControlCase’s unique Compliance as a Service (CaaS) platform, the industry-changing solution that provides one convenient source for a complete and continuous suite of compliance and security services, including internal and external security testing, 24/7/365 data log monitoring and alerting, policy management, training and certification.

ControlCase’s development of the Compliant Cloud service represents the strength of the company’s broader vision to help organizations achieve compliance more quickly, more consistently. “With the proliferation of cloud usage, it is only natural that our clients worry about the security and compliance of their current or intended use of cloud-based applications,” explained CEO Kishor Vaswani. “ControlCase has made it easier for our clients to adopt these new technologies by solving the security and compliance needs of their cloud infrastructures.”

For more information about ControlCase and the Compliant Cloud service, visit www.controlcase.com or call 703.483.6383.


CitizenHawk Introduces Cloud-Based Online Brand Protection Platform


CitizenHawk, a global provider of online brand protection and enforcement services, has introduced a powerful online brand protection tool that enables users to search the entire Web and detect use of trademarked terms and phrases, helping uncover instances of brand abuse ranging from counterfeiting to cybersquatting.

HawkDiscovery is a cloud-based technology platform that lets users monitor content on specific websites and produces alerts notifying them of new activity. HawkDiscovery features a fully integrated workflow and case management system that acts as a kind of Customer Relationship Management (CRM) system for brand protection. The system lets users analyze and assess particular instances of online infringement, determine appropriate responses, and manage remediation activities from initial detection through final resolution – with every action tracked, recorded and shared with appropriate personnel.

“Companies realize their brands are their most precious corporate assets, and they invest considerable time and money promoting them to consumers, investors and others,” said David Duckwitz, CitizenHawk’s president and chief executive. “Unfortunately, well-known and popular brands are particularly attractive to typosquatters and others seeking to exploit them on the Internet. Marketing, legal, compliance and IT professionals can now fight back with cost-effective tools that not only can uncover such abuse, but effectively respond to it.”

CitizenHawk is also introducing an array of complementary online brand protection tools, each designed to detect a specific form of online brand infringement:

HawkTypos can generate literally thousands of domain-name permutations, confirm whether such domains are registered, and identify common ownership, notwithstanding efforts to obfuscate such ownership via asset shielding or inexpensive privacy services.

HawkImages is a powerful tool for determining how a company’s logo and other proprietary images are being used – or misused – on the Internet. HawkImages’ advanced pixelation technology can help confirm whether business partners are fully compliant with agreed-upon standards. It also can detect unauthorized use, such as false claims of affiliation.

HawkAuctions continuously monitors brands on the world’s top auction, exchange and classified advertising sites – 24 hours a day, seven days a week. Users can obtain real-time information to permit fast response; assess impact based on product identification, sales volume and pricing (e.g., unauthorized discounting); and detect sales patterns and identify sellers operating under numerous aliases. HawkAuctions’ automated processes fully support eBay’s VeRO (Verified Rights Owner) and NOCI (Notice of Claimed Infringement) programs.

HawkKeywords enables users to ascertain whether affiliate publishers are complying with the specific terms of marketing agreements. It also provides valuable competitive intelligence by showing where competitors rank in paid search placement, and provides insights on their keyword bidding strategies – including whether they are actually bidding inappropriately on trademark terms.

HawkSocial lets users monitor what people are saying about their brand(s) on the world’s most popular social networks, while measuring the sentiment of such communications. It can provide a fast, easy-to-read “footprint” of a brand’s social media presence, whether by geography or by specific social network.

HawkUDRP gives users a powerful tool for pursuing and winning UDRPs (Uniform Domain-Name Dispute-Resolution Policy). CitizenHawk, one of the world’s most successful filers of UDRPs, has taken advantage of its expertise to create an automated system that allows users to collect evidence, generate necessary documentation and complete the domain recovery process quickly and cost-effectively.

While each of these tools has a specific function and capability, they are all seamlessly integrated into the HawkDiscovery platform.

“While we offer extensive levels of customer support, we’ve designed these tools for ease of use, enabling virtually anyone to begin benefitting from them almost immediately,” said Duckwitz.


Nuix Launches Legal Hold Solution with Technology Partner Zapproved


Nuix, a worldwide provider of information management technologies, and Zapproved Inc., developers of Legal Hold Pro, today announced a technology partnership to introduce Nuix Legal Hold. Nuix Legal Hold is a cloud-based legal hold notification and compliance tracking system that works with Nuix collection and eDiscovery solutions. Nuix Legal Hold is built on Legal Hold Pro, which has been enthusiastically embraced by Fortune 500 companies and government agencies because it is the fastest and simplest way to manage the legal hold notification and compliance process.

Nuix Legal Hold provides legal teams the ability to manage the electronic discovery process. The system streamlines the overall process of responding to anticipated litigation and satisfies the duty to preserve relevant information in a defensible, repeatable manner. With Nuix Legal Hold, legal teams now have a fully integrated electronic discovery solution that systematically tracks, notifies and analyzes data from custodians subject to litigation holds.

“Zapproved has developed an effective and efficient system for managing litigation holds and the preservation workflow, and we’re very excited to work together to offer Nuix Legal Hold as a valuable service for our customers,” said Nuix CEO, Eddie Sheehy.

“Nuix and Zapproved are both committed to introducing powerful solutions into the legal market that our users find simple and easy to use,” said Monica Enand, CEO and founder of Zapproved. “This partnership integrates two state-of-the-art solutions that empower organizations to take on managing eDiscovery in-house.”

Nuix Legal Hold is available now and will be showcased at LegalTech West Coast May 22–23 at Booth 312. For more information on Nuix Legal Hold visit www.nuix.com/legalhold.


Keynote Announces New 24/7 Web Privacy Tracking, Compliance Monitoring


Keynote Systems today announced a new on-demand service for addressing growing Web privacy issues stemming from online behavioral targeting. The new service, called Keynote Web Privacy Tracking, goes beyond traditional monitoring and identifies third party tracking in violation of a site’s own stated privacy policy.

Keynote Web Privacy Tracking provides comprehensive insight into third parties that violate a company’s privacy policies across a website. Using a real browser, Keynote’s service monitors websites and records all of the tracking activity present, for example, cookies being placed on the browser. Keynote then matches that activity against a database of over 600 tracking companies and over 1,000 tracking domains, providing details on what privacy policies are being violated. Additionally, the Keynote Referrer Chain feature provides a detailed record for how the third-party violator came to be on the site, and an audit trail of each handoff in the ad request.

While there are already website privacy testing solutions on the market, Keynote Web Privacy Tracking is the first to apply a proven 24/7 monitoring technology to address the growing concerns over the impact of third party trackers on Internet privacy.

By monitoring websites around the clock from up to 70 geographic locations and covering 28 countries in the United States and Europe, Keynote Web Privacy Tracking provides an unmatched breadth of coverage for understanding the precise location and size of potential privacy issues, including risks arising from variations in how ad networks deliver geo-targeted content. Once privacy violations are found, Keynote goes one step further by providing detailed and actionable records that enable a site owner to manage policy violations with the ad network directly responsible for bringing a violator to the website. Keynote’s solution also features one-click analysis and reporting – once a site operator finds someone violating a company’s own stated privacy policy, with the click of a button a site operator can drill-down for further information.

Keynote Web Privacy Tracking has a comprehensive tracking database that provides site operators with detailed information for each third party tracker on their site. Site owners can then export the Keynote Web Privacy Tracking Report and share with co-workers and ad network partners to take immediate corrective action that reduces their exposure to privacy violations.

“Keynote Web Privacy Tracking is an ideal solution that site operators can begin leveraging immediately to address their lack of visibility into which third parties are violating the site’s own stated privacy policies,” said Vik Chaudhary, vice president of product management and corporate development at Keynote. “Our data will allow them to take very fast remedial action. Also, we believe our cutting edge 24/7 privacy compliance monitoring service will help address the increasing concerns of the many U.S. government agencies examining the issue. This includes the FTC, as well as government agencies in Europe, which may soon hold site operators legally accountable for ensuring consumer privacy on their website.”

“Online websites know that they need to publicize and enforce a strong privacy policy in order to comply with regulations, maintain goodwill with users, and ensure repeat traffic,” said Ian Glazer, research vice president at Gartner, Inc. “However those tasked with managing privacy within the organization often lack visibility into their potential privacy risk. Privacy professionals are engaging a new breed of tools to help them identify the continued risk that comes with third party cookies.”

Scott Crawford, research director with Enterprise Management Associates said, “With regulators and individuals alike becoming increasingly vocal about the responsible handling of sensitive personal data, organizations that develop and deploy Web applications must take those concerns more seriously than ever before.” Crawford continued, “Keynote’s new product provides organizations with more granular and precise insight into how sensitive information is used and privacy requirements met, not only by a business’s own applications, but also by those who provide services such as advertising placement, which could jeopardize the business’s relationships with its customers if private data is not handled properly.”

The results of an in-depth and comprehensive analysis of the online behavioral tracking on 269 Websites, to be publicly released by Keynote in the near future, found that 86 percent of the sites analyzed included third-party tracking of site visitors and, as a consequence of these third parties, over 60 percent of those sites violated one or more of the industry’s most common tracking-related privacy standards.

“The number of websites that allow visitors to be tracked by third parties may be surprising to some, but as consumers begin to understand that their online behavior can be recorded, website publishers will have to work even harder to ensure consumers’ privacy expectations are met,” said Ray Everett, Keynote’s director of privacy services.

Keynote Web Privacy Tracking detects the third parties collecting user information on each company’s site across all pages monitored by Keynote. Keynote then cross-checks each tracker against a database of over 600 ad networks and 1,000 tracking domains. Tracking companies that do not commit to an industry best practice for Web privacy are then flagged as a violator of the selected policy.

Policies checked by Keynote Web Privacy Tracking include:

  • Provide customers an Opt-out
  • Promise to Anonymize Data
  • Subject to Industry Overview from Recognized Organizations

“Ultimately, the burden of policing third-party trackers falls on the shoulders of website publishers,” Keynote’s Everett concluded. “A publisher is responsible for the content of their website, including the practices of the advertisers appearing on it. Monitoring the constantly changing advertising ecosystem is a daunting task, but the consequence of failure is the placing of your brand’s reputation at tremendous risk.”


Benefits of Cloud Based ECM Systems

Guest Post by Steve Williams

Smart businesses everywhere have begun to take advantage of Enterprise Content Management (ECM). This system helps companies organize, store and retrieve eDocuments. Encompassing a variety of different programs, ECM helps businesses to organize their work flow and be prepared in case of any future litigation. Moving the ECM to the cloud presents even greater benefits.

Benefits of the Cloud

  • Security. Prevent the loss of critical data with regular backups, redundant infrastructure hardware and more.
  • Cost. A cloud solution costs a fraction of an on-premise ECM solution. The pay-as-you-go nature of cloud services also makes it scalable to your needs.
  • Reliability. Cloud solutions can offer high uptime and keep planned downtime to a minimum.
  • Access. Access all your content remotely through any device (mobile, desktop, etc.).

Top 3 Benefits of ECM:

1. Improve Organization

Without an ECM system, employees may find it difficult to access records held by coworkers or find older documents. With an ECM system, the business can reduce its volume of content up to 50%. In the event of litigation, having fewer documents to search through and a more organized system helps employees and lawyers to prepare. The ECM system manages all of the data throughout its lifecycle and keeps it in one central place.

The Advantages:

  • One central location to retrieve all content.
  • Ensures compliance with new standards and policies.

For larger companies, having a central location means lawyers do not have to rush around various locations and can easily carry out the discovery process. To facilitate the legal team’s work, employees should be trained on policies regarding the various regulatory requirements or the company’s internal policies.

Prior to having an ECM system, a company would have to go through files by hand to check and see if workers were complying with the regulations. In the case of a hospital, new policies may get missed by workers. A proper ECM system could alleviate the problem by electronically tracking which employees signed new policy forms and ensure that everyone at the company is on the same page. Numerous state and federal regulations exist—each business must ensure that their employees are complying completely. Without an ECM system to track employee training and policy updates, employers are left without the safeguard they need to make sure that everyone is kept up-to-date on new regulations.

2. Prepare for Litigation

No business plans on having court battles, but in the event that it happens, being prepared early on makes litigation easier. Various regulations like Sarbanes-Oxley require that eDocuments be kept for a certain length of time. The ECM can be set to automatically put documents on hold and store them for a defined period of time. This aspect protects the documents from being deleted on purpose or by accident.

Instead of hiring out help, companies can handle litigation internally and reduce their overall cost. The system seamlessly integrates real-time updates and records prior versions of the file. Although no one intends to have a court case, preparing in advance saves the company valuable time and money.

3. Save Money

Having duplicate copies of a file makes it more difficult for employees to access, change and use data. An ECM system works to prevent this by organizing the volumes of information in one location with an easily searchable system. A user merely has to type a keyword into the search box to have their file and related documents pop up. Instead of having to search through documents by hand or go to different networks to find data, users have one location that they can access. Overall, this saves the company time and money spent on wages.

The Bottom Line:

Creating an ECM will require some initial spending, but overall the company will see immense savings on labor and IT infrastructure costs by moving to the cloud. If any litigation takes place, the company will save even more money on lawyers’ fees and throughout the discovery process. By being able to easily access old files, the company is protected from any allegations that they violated regulations. This protects them legally and financially.

This system also gets employees out of low-value tasks and into a role that makes the company more money. No more faxing over documents or hand-picking through old files. With a cloud-based ECM system, the program is intended to do all the work so the company does not have to hire an employee to do it.

Across the board, having a cloud-based ECM saves the company money and makes doing business more efficient. It improves the company’s ability to manage information and comply with federal regulations.