Tag Archives: security

CSA, CipherCloud look to standardise APIs for cloud access security brokerage

The CSA and CipherCloud are leading an initiative to standardise API implementation for cloud access security brokerage

The Cloud Security Alliance (CSA) and cloud security vendor CipherCloud are forming a working group to jointly develop best practice around API deployment for cloud access security brokerage services.

The Cloud Security Open API Working Group, which at its founding will include contributions from Deloitte, InfoSys, Intel Security and SAP among others, will jointly define protocols, guidelines and best practices for implementing data security services – encryption, tokenisation and other technologies – across cloud environments.

The CSA said the working group plans to develop API specifications and reference architectures to guide cloud-based data protection.

“Standards are an important frontier for the cloud security ecosystem,” said Jim Reavis, chief executive of CSA.

“The right set of working definitions can boost adoption. This working group will help foster a secure cloud-computing environment – a win for vendors, partners and users. Standardising APIs will help the ecosystem coalesce around a universal language and process for integrating security tools into the cloud applications,” Reavis said.

Pravin Kothari, founder and chief executive of CipherCloud said: “Cloud is the killer app for security innovation. But currently, inefficiencies at the technical level in the form of custom connector protocols can hold back innovations in cloud security. Defining a uniform set of standards can enable us all to operate from the same playbook. As a pioneer in [cloud access security brokerage], we are excited to co-lead this initiative with CSA to accelerate security across clouds.”

The initiative may enhance the ability to integrate various cloud services securely, according to Jeff Margolies, principal at Deloitte, and open up what is generally considered to be a fairly closed, proprietary-dominated space.

“Currently the cloud security ecosystem lacks basic integration standards for connecting third-party security solutions to cloud applications, platforms and infrastructure,” he said, adding that the working group may help consolidate standards among vendors and cloud customers.

Close to 60 per cent of confidential cloud data can’t have risk levels assessed – research

UK IT professionals claim to be struggling with accurately assessing the risk of storing their confidential data in the cloud

Data from a recent Ponemon Institute survey commissioned by Informatica suggests UK enterprises are struggling to assess the risk associated with placing confidential data in the cloud, with respondents claiming they can’t determine the risk to 58 per cent of the confidential data they store in the cloud.

The problem is particularly acute for cloud-based data: enterprises said they faced the same challenge with 28 per cent of the sensitive information held on-premise.

The survey results, which include responses from 118 UK IT and IT security professionals with responsibility for data protection, point to a gap between the deployment of data management tools for on-premise and for cloud-based systems, which appears to account for the difference in confidence about assessing data risk. About 46 per cent are using such tools for data on-premise and 34 per cent for data in the cloud.

Still, fewer than half of respondents claimed to have common processes in place for discovering and classifying the sensitive or confidential data held on-premise, and just a quarter said they have such a process in place for data stored in the cloud.

About 54 per cent of respondents said they are not confident in their ability to proactively respond to a new threat in the cloud, and 30 per cent of the sensitive or confidential data located in the cloud is believed to be at risk according to respondents.

“The survey highlights that whilst organisations continue to fear cyberattacks, what really keeps them up at night is the unknown. Namely not knowing where data is and the associated risk to it,” said Larry Ponemon, chairman and founder, Ponemon Institute.

“Whilst businesses are more confident about having data on premise, the shift towards cloud computing is continuing to accelerate and organisations can’t afford to be held back by data security concerns. Instead, security practitioners need to get a handle on the classification of data so that they can feel more confident about the information that they are moving to the cloud. Regardless of whether information is held on premise or in the cloud, data governance protocols should be the same,” Ponemon said.

Informatica senior vice president and general manager, data integration and security Amit Walia said the results demonstrate the majority of organisations do not have a handle on their sensitive data, regardless of whether it exists on-premise or in the cloud.

He explained that as data volumes grow, enterprises are leaning more on customised software and automated processes rather than manual processes to classify data risk and apply rules and policies, which is creating something of a false perception when it comes to risk.

“Because businesses have less confidence in their understanding of sensitive data, they perceive more risk. To reduce threat exposure and improve breach resiliency, organisations need to invest in data-centric security technologies, which enable businesses to enact the need-to-know data access policies that help limit the exposure of sensitive data,” Walia said.

Box to tap NTT’s VPN in Japan

Box is teaming up with NTT Com to launch Box over VPN

Box and NTT Com have announced a partnership that will see the cloud storage incumbent offer access to its services through NTT’s VPN service. The companies said the move will improve confidence in cloud services among Japanese enterprises and expand the reach of both companies in the local IT services market.

Box also said the ‘Box over VPN’ scheme would improve network security for users and broaden the range of enterprise customers it caters to in the region, in particular enabling it to tap into government and financial services institutions.

“We’re thrilled to partner with NTT Com to help create transformative software for Japanese businesses in every industry,” said Box chief executive and founder Aaron Levie.

“This partnership will help more organizations to benefit from entirely new ways of working by elevating technology to enable secure collaboration and content management across geographical boundaries, while still meeting demands for robust control.”

Hidemune Sugawara, head of application & contents service, senior vice president of NTT Com, said: “By delivering added value based on NTT Com’s expertise in network security, we look forward to providing Box over VPN to a wide range of Japanese businesses. The partnership will enable Box to be combined with ID Federation and Salesforce over VPN, both of which are provided by NTT Com, which will help to expand our file-collaboration businesses targeting large enterprises.”

Japan has one of the most mature cloud services markets in the Asia Pacific region, which as a whole is expected to generate about $7.4bn in 2015 according to Gartner.

CIF: ‘Lack of trust holding back cloud adoption’

CIF: 'Cloud users are still citing the same inhibitors'

Security, privacy and lack of control are still the leading inhibitors holding enterprises back from adopting cloud services, according to the Cloud Industry Forum’s latest research.

The CIF, which polled 250 senior IT decision-makers in the UK earlier this year to better understand where cloud services fit into their overall IT strategies, said when asked about their biggest concerns during the decision-making process to move to the cloud, 70 per cent cited data security and 61 per cent data privacy.

Both are up from the 2014 figures of 61 per cent and 54 per cent, respectively.

“Hybrid will be the modus operandi for the majority of organisations for the foreseeable future, being either not yet ready to move everything to the cloud, or unwilling to. There are a number of contributing factors here: fear of losing control of IT systems, security and privacy concerns, and lack of budget currently stand in the way of greater adoption of cloud by businesses,” said Alex Hilton, chief executive of the CIF.

“The primary issue relates to trust: trust that cloud-based data will be appropriately secured, that it won’t be compromised or inadvertently accessed, and that businesses will be able to retrieve and migrate their data when a contract terminates.”

About 40 per cent of respondents were also concerned they would lose control/manageability of their IT systems when moving to cloud, up from 24 per cent last year.

Richard Pharro, chief executive of APM Group, the CIF’s independent certification partner, said cloud providers need to improve how they disclose their privacy and security practices in order to inspire more confidence among current and potential users.

“Some Cloud providers are opaque in the way that they operate. The prevalence of click-through licenses, some of which are littered with unrealistic terms and conditions,” Pharro said, adding that improving public disclosure in cloud contracts could go some way towards improving trust and confidence among customers.

Eagle Eye Networks CEO Dean Drako acquires cloud access firm for $50m

Eagle Eye's CEO and former Barracuda Networks president is buying a cloud access and control company for $50m

Dean Drako, president and chief executive of Eagle Eye Networks and former Barracuda Networks president, has wholly acquired Brivo, a cloud access control firm, for $50m.

Brivo said its cloud-based access control system, a centralised management and security system for video surveillance cameras, currently services over 6 million users and 100,000 access points.

The acquisition will give Eagle Eye, a specialist in cloud-based video surveillance technology, a flexible access control tool to couple with its current offerings, Drako said.

“My goal was to acquire the physical security industry’s best access control system,” Drako explained.

“Brivo’s true cloud architecture and open API approach put it a generation ahead of other access control systems. Cloud solutions provide exceptional benefits and Brivo is clearly the market and technology leader. Brivo is also committed to strong, long-standing relationships with its channel partners, which I believe is the best strategy for delivering extremely high customer satisfaction.”

Though Eagle Eye and Brivo will remain separate companies, Drako will serve as Brivo’s chairman; Steve Van Till, Brivo’s president and chief executive, will continue in that role.

He said Eagle Eye will work to integrate Brivo’s flagship solution, Brivo OnAir, with its cloud security camera system, which will help deliver video verification and natively viewable and searchable video.

“We are extremely excited that Dean Drako has acquired Brivo and is serving as chairman. In addition to Dean’s experience founding and leading Barracuda Networks to be a multi-billion dollar company, he has grown his latest company, Eagle Eye Networks, to be the technology leader in cloud video surveillance,” Van Till said.

“We both share the vision of delivering the tremendous advantages of cloud-based systems to our customers,” he added.

CSA tool helps cloud users evaluate data protection posture of providers

The CSA says the tool can help customers and providers improve their cloud data protection practices

The Cloud Security Alliance this week unveiled the next generation of a tool designed to enable cloud customers to evaluate the level of data protection precautions implemented by cloud service providers.

The Privacy Level Agreement (PLA) v2 tool aims to give customers a better sense of the extent to which their providers have practices, procedures and technologies in place to ensure data protection vis-à-vis European data privacy regulations.

It also provides guidance for cloud service providers on achieving compliance with privacy legislation in the EU, and on how these providers can disclose the level of personal data protection they offer to customers.

“The continued reliance and adoption of the PLA by cloud service providers worldwide has been an important building block for developing a modern and ethical privacy-rich framework to address the security challenges facing enterprises worldwide,” said Daniele Catteddu, EMEA managing director of CSA.

“This next version that addresses personal data protection compliance will be of significant importance in building the confidence of cloud consumers,” Catteddu said.

The tool, originally created in 2013, was developed by the PLA working group, which was organised to help transpose the Art. 29 Working Party and EU National Data Protection Regulator’s recommendations on cloud computing into an outline CSPs can use to disclose personal data handling practices.

“PLA v2 is a valuable tool to guide CSPs of any size to address EU personal data protection compliance,” said Paolo Balboni, co-chair of the PLA Working Group and founding partner of ICT Legal Consulting. “In a market where customers still struggle to assess CSP data protection compliance, PLA v2 aims to fill this gap and facilitate customer understanding.”

Telstra’s recent buy Pacnet suffers IT security breach

Pacnet's IT network was hacked earlier this year

Telstra’s recently acquired datacentre and cloud specialist Pacnet suffered a security breach earlier this year whereby a third-party managed to get access to its IT network, the telco revealed this week.

Telstra was quick to point out that the breach occurred on Pacnet’s IT network (which isn’t connected to Telstra’s) before its acquisition of Pacnet was finalised in April, and that it has since done all it can to understand the reasons for the breach and its potential impact on customers.

The company has alerted customers, staff and regulators in the relevant jurisdictions.

Group executive of global enterprise services Brendon Riley said the investigation is ongoing, and that the company will apply its own tried and tested security technologies and techniques to Pacnet’s network.

“Our investigation found a third party had attained access to Pacnet’s corporate IT network, including email and other administrative systems, through a SQL vulnerability that enabled malicious software to be uploaded to the network,” Riley said.

“To protect against further activity we rectified the security vulnerabilities that allowed the unauthorised access. We have also put in place additional monitoring and incident response capabilities that we routinely apply to all of our networks.”

He said the firm is alerting customers of the potential impact of the breach, and hopes that the extra precautions the company has put in place will restore confidence in the firm.

The company has so far declined to comment on the scope or volume of data exposed to hackers.

Telstra seems keen to pre-empt any privacy-related regulatory challenges, something the company has had to deal with in recent years – which, it was eventually found, was due in part to its own negligence.

Last year, for instance, the firm was fined by the Australian Information Commissioner for making the personal details of almost 16,000 customers accessible via the internet between February 2012 and May 2013, after several spreadsheets containing customer data dating back to 2009 were found through Google Search.

Dropbox the latest to adopt public cloud privacy standard

Dropbox is the latest to adopt one of the first public cloud-focused data privacy standards

Cloud storage provider Dropbox said it has adopted ISO 27018, among the first international standards focusing on the protection of personal data in the public cloud.

The standard, published in August 2014, is aimed at clarifying the roles of data controllers and data processors in keeping Personally Identifiable Information (PII) private and secure in public cloud environments; it builds on other information security standards within the ISO 27000 family, and specifically, is an enhancement to the 27001 standard.

ISO 27018 also broadly requires adopting cloud providers to be more transparent about what they do with customer data and where they host it.

In a statement the company said the move would give users more confidence in its platform, particularly enterprise users.

“We’re pleased to be one of the first companies to achieve ISO 27018 certification. Privacy and data protection regulations and norms vary around the world, and we’re confident this certification will help our customers meet their global compliance needs,” it said.

Mark van der Linden, Dropbox country manager for the UK, said: “Businesses in the UK and all over the world are trusting Dropbox to make collaboration easier and boost productivity. Our ISO 27018 accreditation shows we put users in control of their data, we are transparent about where we store it, and we operate to the highest standards of security.”

Earlier this year Microsoft certified Azure, Intune, Office 365 and Dynamics CRM Online under the new ISO standard. At the time the company also said it was hopeful certifying under the standard would make it easier to satisfy compliance requirements, which can be trickier in some verticals than others.

IBM claims strong traction with cybersecurity cloud network

IBM says its recently announced cybersecurity cloud service is gaining traction

IBM said over 1,000 organisations have now joined its recently announced cloud-based cybersecurity service, dubbed X-Force Exchange.

The service includes hundreds of terabytes of raw aggregated threat intelligence data, and those that sign up can upload their own data, so the more participants join, the more robust the service becomes.

The initial data set is based on over 25 billion web pages and images collected from a network of over 270 million endpoints, and includes data from over 15 billion security events monitored daily. The company said participants have created more than 300 new collections of threat data since the launch.

“Cybercrime has become the equivalent of a pandemic — no company or country can battle it alone,” said Brendan Hannigan, general manager, IBM Security.

“We have to take a collective and collaborative approach across the public and private sectors to defend against cybercrime. Sharing and innovating around threat data is central to battling highly organized cybercriminals; the industry can no longer afford to keep this critical resource locked up in proprietary databases. With X-Force Exchange, IBM has opened access to our extensive threat data to advance collaboration and help public and private enterprises safeguard themselves,” Hannigan said.

Security isn’t a new area for IBM, but offering real-time cyberthreat detection is, and the move puts it in direct competition with a wide range of managed security service providers that have been playing in this space for years. Nevertheless, the company has a lot of clients, so there’s a huge opportunity for the firm to harvest all of that data – particularly as it creates new partnerships with networking incumbents (like Cisco with VersaStack).