Category Archives: cloud security

Cloud computing, cloud security, Cloud Services

Army Increases Its Cloud Computing Usage

The US Army has begun to use IBM’s hybrid cloud technology to process their transactions, the amount of which surpasses the amount of transactions performed on the New York Stock Exchange. This occurred last year when the Army switched its Logistics Support Activity system to a hybrid cloud.

 

The hybrid cloud system is used by more than 65,000 personnel to obtain, manage and maintain inventories of products needed by the troops out on the field. Utilizing a cloud to perform these functions allow the Army to better utilize the data it collects, which in turn will provide better insight and service to members. IBM claims that since the switch, the Army has seen savings of up to 50%.

 

CloudStrategy_announcement_slider

 

With the success of the use of a hybrid cloud, the Army has now set eyes on introducing new analytical services, such as data mining, that can be rolled out to all parts of the organization. Anne Altman, general manager for US federal at IBM, has said that hybrid cloud implementation has enabled the Army to keep its existing investments in on-premise technology while also benefiting from a hybrid cloud, such as security, scalability and being able to connect to existing infrastructure.

 

The Army has always been a progressive adopter of promising information technologies, and other agencies and organizations are following in their footsteps. For example, the Central Intelligence Agency (CIA) signed a $600 million cloud contract with Amazon Web Services, which IBM lost out on. After this loss, IBM went on to gain momentum in the federal space and signed other cabinet agencies and pushing forward with a cloud data center targeting defense department workloads. This center is housed in the Navy-owned Allegany Ballistics Laboratory in West Virginia.

The post Army Increases Its Cloud Computing Usage appeared first on Cloud News Daily.

Analytics, cloud security, Funding, Machine learning, News & Analysis, Norwest Venture Partners (NVP), Palerra, Wing Venture Capital and Engineering Capital

Cloud security vendor Palerra scores $17m

Palerra is among a number of cloud security startup combining predictive analytics and machine learning algorithms to bolster cloud security

Palerra is among a number of cloud security startups combining predictive analytics and machine learning algorithms in clever ways

Cloud security vendor Palerra has secured $17m in series B funding, a move the company said would help accelerate sales and marketing efforts around its predictive analytics and threat detection services.

Palerra’s flagship service, Loric, combines threat detection and predictive analytics in order to provide automatic incident response and remediation for malicious traffic flowing to a range of cloud services and platforms.

Over the past few years we’ve seen a flurry of cloud security startups emerge, which all deploy analytics and machine learning algorithms to cleverly detect perceived and actual threats and respond in real-time, so it would seem enterprises are starting to become spoilt with choice.

The $17m round was led by August Capital, with participation from current investors Norwest Venture Partners (NVP), Wing Venture Capital and Engineering Capital, and brings the total amount secured by the firm to $25m.

The funds will be used to bolster sales and marketing efforts at the firm.

“The dramatic rise in adoption of cloud services by today’s enterprises against the backdrop of our generation’s most potent cyber threats has necessitated a new approach. LORIC was designed to meet these threats head on and this new round underscores our commitment to deliver the most powerful cloud security solution in the industry,” said Rohit Gupta, founder and chief executive officer of Palerra.

“As the perimeter disintegrates into a set of federated cloud-based and on-premises infrastructures, effective monitoring becomes almost impossible, unless security controls are embedded in these heterogeneous environments. This will require enterprises to reconsider and possibly redesign their security architecture and corresponding security controls by placing those controls in the cloud,” Gupta added.

Alan Kessler, Andrew Kellett, cloud security, encryption, Enterprise IT, News & Analysis, ovum, Vormetric

Ovum: Cloud service providers need to double down on security

Enterprises would be more willing to use cloud if providers focused more on security, compliance

Enterprises would be more willing to use cloud if providers focused more on security, compliance

A recently published Vormetric survey suggests over half of enterprises globally are using cloud-based services to store sensitive data, and many of the IT decision makers polled by the firm said they felt pressured into using cloud services over legacy alternatives. But respondents also showed an overwhelming willingness to use cloud services to store or analyse sensitive data if service providers could guarantee some essential security and information governance capabilities and measures.

Vormetric, which worked with Ovum to petition 818 ITDMs globally on their use of cloud and big data platforms, said about 54 per cent of respondents globally were keeping sensitive information in the cloud. Interestingly, 46 per cent of all respondents expressed concerns that market pressures are forcing them to use cloud services.

And though databases and file servers were typically rated by respondents as top risks for storage of sensitive information, they are now also joined by big data environments – with big data (31 per cent) seen by ITDMs as slightly more at risk than file servers (29 per cent).

In the US specifically, respondents seemed most concerned about lack of control over the location of data (82 per cent), increased vulnerability of shared infrastructure (79 per cent), and “privileged user” abuse of the cloud service provider (78 per cent).

“The data shows that US IT decision makers are conflicted about their cloud deployments,” said Alan Kessler, chief executive officer of Vormetric. “Market pressures and the benefits of cloud service use are strong, but enterprises have serious security concerns around these environments. There is enormous anxiety over how sensitive data and systems can best be protected, with lack of control listed as the number one worry among US respondents.”

“For cloud service providers to increase their footprint in the enterprise, they must address enterprise requirements around security, data protection and data management. More specifically, cloud service providers need to provide better protection and visibility to their customers,” Kessler said.

Andrew Kellett, lead analyst for Ovum and author of the 2015 Vormetric Insider Threat Report said the results demonstrate “both hope and fear” when it comes to cloud and big data technologies, which could slow the pace at which enterprises refresh their technology platforms.

“But, there are steps enterprises can take and changes providers can make that will increase adoption. For example, more than half of global respondents would be more willing to use cloud services if the provider offers data encryption with key access control,” he said.

About 52 per cent also said they would be more likely to use cloud services if service level commitments and liability terms for a data breach were established, 48 per cent said the same if explicit security descriptions and compliance commitment were established.

Alan Kessler, Andrew Kellett, cloud security, encryption, Enterprise IT, News & Analysis, ovum, Vormetric

Ovum: Cloud service providers need to double down on security

Enterprises would be more willing to use cloud if providers focused more on security, compliance

Enterprises would be more willing to use cloud if providers focused more on security, compliance

A recently published Vormetric survey suggests over half of enterprises globally are using cloud-based services to store sensitive data, and many of the IT decision makers polled by the firm said they felt pressured into using cloud services over legacy alternatives. But respondents also showed an overwhelming willingness to use cloud services to store or analyse sensitive data if service providers could guarantee some essential security and information governance capabilities and measures.

Vormetric, which worked with Ovum to petition 818 ITDMs globally on their use of cloud and big data platforms, said about 54 per cent of respondents globally were keeping sensitive information in the cloud. Interestingly, 46 per cent of all respondents expressed concerns that market pressures are forcing them to use cloud services.

And though databases and file servers were typically rated by respondents as top risks for storage of sensitive information, they are now also joined by big data environments – with big data (31 per cent) seen by ITDMs as slightly more at risk than file servers (29 per cent).

In the US specifically, respondents seemed most concerned about lack of control over the location of data (82 per cent), increased vulnerability of shared infrastructure (79 per cent), and “privileged user” abuse of the cloud service provider (78 per cent).

“The data shows that US IT decision makers are conflicted about their cloud deployments,” said Alan Kessler, chief executive officer of Vormetric. “Market pressures and the benefits of cloud service use are strong, but enterprises have serious security concerns around these environments. There is enormous anxiety over how sensitive data and systems can best be protected, with lack of control listed as the number one worry among US respondents.”

“For cloud service providers to increase their footprint in the enterprise, they must address enterprise requirements around security, data protection and data management. More specifically, cloud service providers need to provide better protection and visibility to their customers,” Kessler said.

Andrew Kellett, lead analyst for Ovum and author of the 2015 Vormetric Insider Threat Report said the results demonstrate “both hope and fear” when it comes to cloud and big data technologies, which could slow the pace at which enterprises refresh their technology platforms.

“But, there are steps enterprises can take and changes providers can make that will increase adoption. For example, more than half of global respondents would be more willing to use cloud services if the provider offers data encryption with key access control,” he said.

About 52 per cent also said they would be more likely to use cloud services if service level commitments and liability terms for a data breach were established, 48 per cent said the same if explicit security descriptions and compliance commitment were established.

cloud security, Cloud Services

Cloud Security Alliance Announces Cyber Security Guide

The Cloud Security Alliance (CSA), European Agency for Network and Information Security (ENISA), and TU Darmstadt has published a step-by-step guide for the attainment and security of cloud services. This report stems from ENISA’s 2013 report on governmental cloud use. This report details framework modeled into four phases, nine security activities and fourteen steps. Every member nation who follows this guide will, according to its authors, define and implement a secure government cloud. The authors used four nations as case studies to base their recommendations on: Estonia, Greece, Spain and the United Kingdom.

 

The focus of this report is what type of security framework is suitable for government clouds and how to execute them. If an infrastructure is fit for government use, then it is also fit for private company use as well, so long as it does not cost an excessive amount of money. Currently, there are very few European Nations who have the ability to adopt and execute cloud computing. Many in the private sector however have already begun to implement the cloud, yet it will still be many years before full execution is achieved.

 

Governments that have already been working with the cloud have adopted several cloud deployment models. Community and private clouds are the most popular, with hybrid and public clouds also being utilized. Software as a Service (SaaS) and Infrastructure as a Service (IaaS) are the most common cloud service model, and Platform as a Service (PaaS) will likely become more important moving forward. Of the e-government services that use the cloud, email was at the top of the list with other services, such as backup and archive, Identity as a Service (IDaaS), office applications, and citizen participation, follow on the list.

 

Security and privacy are the two key technology requirements for the aforementioned services. The UK government has taken drastic steps to overhaul the security classifications for government data to make it easier for service providers to construct more secure systems. Many corporations have heavily invested in complex data classification systems that have become an inhibitor to business. Simplification could make it easy to build a secure system without complicating the data classification.

 

images (1)

 

However, security is not an easily resolved issue. For example, Germany has very strong privacy and security regulations. Because of this there has been quite a few service providers trying to build data centers there in order to hold German company’s data. The UK government has been making moves towards a similar position. A recent survey of parliament members in the UK found that many thought the idea of government data being stored in off-shore centers was inhibiting a greater use of cloud computing.

 

The next part of the guide covers the roles, logic model, and the plan, do, check and act phases of security framework. It points out how inputs, activities and outputs relate to risk profiling, architectural modeling and the security and privacy requirements. Many of these steps are no different than steps IT managers take when outsourcing systems or working with system integrators. However, in the guide the outsourcing focused on entire systems while cloud focuses on services.

 

The next section focuses on applying the steps from the previous section to government applications. They apply them to the four governments mentioned at the beginning of this article as a case study. The study proves that while in its simplest form, the cloud is about commoditization and common approaches, but in real applications there can be more than one way to solve a problem.

 

In conclusion, the report comes to some very important conclusions. The report does not say that it is urgent for the EU to adopt the suggested security framework. However without a coherent framework across all of the European Union, there will certainly be gaps in security that hackers can easily exploit. Also, this means that companies who wish to work in different EU nations need to continue to have a complex network, and sometimes even conflicting government requirements. It is now up to EU leaders to ensure than comprehensive standar

The post Cloud Security Alliance Announces Cyber Security Guide appeared first on Cloud News Daily.

cloud security, Cloud Technology

Microsoft Obtains ISO Cloud Privacy Certification

When it comes to cloud computing and services, privacy is at the front of every company’s mind. When the United States began to demand access to cloud-based data from Microsoft’s Ireland data center, customers recognized that their information might not be safe from privacy violations even if their information is not resident in the US. Many industry players, including Microsoft, have started to fight these demands. No matter what they decide to do, the EU or the US governments will not be happy.

 

Microsoft truly believes their customers own their own data, not the cloud providers who they store it with. Microsoft claims to be the first major cloud provider to adopt the ISO/IEC 27018. This is the first global standard for cloud privacy, and many of Microsoft’s programs have been evaluated for compliance by the British Standards Institute.

microsoft

The ISO/IEC 27018 establishes commonly accepted control objectives and guidelines for implementing measures to protect identifying persona information in accordance with the 29100 policy. Microsoft’s general counsel Brad Smith said that they are optimistic that this policy can serve as a template for regulators and customers as they both desire strong privacy protection. Adherence to this policy will ensure that customer’s privacy will be protected in many ways.

 

First, customers will be in charge of their data, and Microsoft will only process personally identifiable information based on what the customer wants. Second, customers will always know what is happening to their data, all returns, transfers, and deletion of data will be transparent. Third, there will be restrictions on how Microsoft handles personal data, including restricting its transmissions over public networks, storage on transportable media and processes for data recovery. Fourth, the data will not be used for advertising purposes. Lastly, Microsoft will inform their customers about government access to data. The standard requires law enforcement requests for data must be disclosed to the customers.

 

Adherence to this standard is an important move to reassure its enterprise customers that their information is safe. However, the execution of these promises is worth more than making the promises. There are still lingering concerns and fears about data privacy and security around shifting to the cloud, so Microsoft’s announcement is a step in the right direction.

The post Microsoft Obtains ISO Cloud Privacy Certification appeared first on Cloud News Daily.

cloud security

5 Cloud Security Practices

2014 could have easily been host to some of the biggest security breaches ever. Many hackers have adapted to the ever-changing technological advances, but current security practices and technologies can prevent these breaches. Many companies that fell victim to security breaches fell into the compliance equals security trap. This trap concludes that if a company goes to the trouble of being legally compliant, to any number of regulations, then it will be secure. But this is not the case.

 

Security is never a guarantee. However, there are some things that can be done to help prevent serious breaches of security and the consequences that come along with it.

 


cloudsecurity1220

 

-Continuous Visibility: Companies need to have complete and total visibility into their technology assets and services. You cannot secure what you cannot see. You need to be aware of what you have and what it’s doing at all times if you want to keep things secure. Visibility can be a challenge due to the automated, on-demand modern infrastructure.

 

-Exposure Management: Once transparency is achieved, companies need to eliminate obvious vulnerabilities that are known in their networks. Continuous monitoring tools, strong vulnerability and security configuration management technology and practices are key to mitigating exposure.

 

-Strong Access Control: This practice is often implemented incorrectly. Many companies implement access control, however they give excess access. Recent breaches involved valid access control ID’s being used to compromise systems that had nothing to do with its function in the network. The ID’s had access to a lot of information that they shouldn’t have. Limit the access users receive and monitor all user actions.

 

-Data Protection and Encryption: Once all the aforementioned steps have been taken, it is important to encrypt any sensitive information. Both data at rest and data in motion need to be encrypted if they have any sensitive material. Data protection is needed to ensure that even if data gets compromised, it will not get sent outside of the network.

 

-Compromise Management: Few companies actually have plans to deal with a breach and how to mitigate the damage caused. No matter what preventative steps you have taken, breaches can still occur. Companies need to implement courses of action and technologies that allow them to act fast. This includes being able to tell that you have been compromised. This includes file integrity monitoring, intrusion detection, and forensic data for analysis.

 

These steps represent that bare minimum of protection and are suggested for implementation to limit your vulnerability.

The post 5 Cloud Security Practices appeared first on Cloud News Daily.

Cloud computing, cloud security, two-factor authentication

Stay Safe in the Cloud With Two-Factor Authentication

The use of two-factor authentication has been around for years, but the recent addition of this security feature in cloud services from Google and Dropbox has drawn widespread attention.  The Dropbox offering came just two months after a well-publicized security breach at their online file sharing service.

Exactly What Is Two-Factor Authentication?

Of course, most online applications require a user name and password in order to log on.  Much has been written about the importance of managing your passwords carefully.  However, simple password protection only goes so far.

Two-factor authentication involves not only the use of something the user knows such as a password, but also something that only the user has.  An intruder can no longer gain access to the system simply by illicitly obtaining your password.

Authentication Tools

  • ATM Cards:  These are perhaps the most widely used two-factor authentication device.  The user must both insert the card and enter a password in order to access the ATM.
  • Tokens:  The use of tokens has increased substantially in recent years.  Most of these are time-based tokens that involve the use of a key sized plastic device with a screen that displays a security code that continually changes.  The user must enter not only their password, but also the security code from the token. Tokens have been popular with sensitive applications such as on-line bank and
    brokerage sites.
  • Smart Cards:  These function similarly to ATM cards, but are used in a wider variety of applications.  Unlike most ATM cards, smart cards have an embedded microprocessor for added security.
  • Smart Phones:  The proliferation of smart phones has provided the perfect impetus to expand two-factor authentication to widely used internet applications in the cloud.  In these cases, users must enter not only a password, but also a security code from their phone or other mobile device.  This code can be sent to a phone by the service provider as an SMS text message or generated on a smartphone using a mobile authenticator app.  Both Google and Dropbox now use this method.

Yahoo! Mail and Facebook are also introducing two-factor authentication using smart phones.  However, their methodology only prompts the user to enter the security code if a security breach is suspected or a new device is used.

So What’s Next?

Cloud security is a hot topic and two-factor authentication is one way to mitigate users’ well founded concerns.  As a result, development and adoption of two-factor authentication systems is proceeding at a rapid pace and should be available for most cloud applications within just a few short years.

The shift from token based authentication to SMS based authentication is also likely to accelerate along with smart phone use.

Two-factor and even three-factor authentication using biometrics will become more popular.   Finger print readers are already quite common on laptop computers.  Use of facial recognition, voice recognition, hand geometry, retina scans, etc. will become more common as the technology develops and the price drops.  The obvious advantage of these biometric systems is that the physical device cannot be stolen or otherwise used by a third party to gain access to the system.

As with any security system, two-factor authentication is not 100% secure.  Even token systems have been hacked and there is no doubt that there will be breaches in SMS authentication tools as well.  However, two-factor authentication still provides the best way to stay safe in the cloud and it’s advisable to use it whenever possible.

This post is by Rackspace blogger Thomas Parent. Rackspace Hosting is a service leader in cloud computing, and a founder of OpenStack, an open source cloud operating system. The San Antonio-based company provides Fanatical Support to its customers and partners, across a portfolio of IT services, including Managed Hosting and Cloud Computing.