Tag archive: security

Google says trade agreement amendment hinders security vulnerability research

Google says the US DoC amendments would massively hinder its own security research

Google hit out at the US Department of Commerce and the Bureau of Industry and Security this week over proposed amendments to trade legislation related to the Wassenaar Arrangement, a multilateral export control agreement, arguing they will negatively impact cybersecurity vulnerability research.

The Wassenaar Arrangement is a voluntary multi-national agreement between 41 countries and intended to control the export of some “dual use” technologies – which includes security technologies – and its power depends on each country passing its own legislation to align its trade laws with the agreement. The US is among the agreement’s members.

Since 2013 that control list has included software specifically designed or modified to avoid detection by monitoring tools (the arrangement’s “intrusion software”). A recent proposal put forward by the US DoC and BIS to align national legislation with the agreement would add “systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software”, which the proposal says “include network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices”, to the list of potentially regulated technologies, as well as “technology for the development of intrusion software”, which it says “includes proprietary research on the vulnerabilities and exploitation of computers and network-capable devices.”

Google said the US DoC amendments would effectively force it to obtain thousands of export licenses just to research potential security vulnerabilities and develop fixes for them, because companies like Google depend on a large global pool of talent (hackers) that experiments with, or uses, many of the same technologies the US proposes to regulate.

“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” explained Neil Martin, export compliance counsel, Google Legal and Tim Willis, hacker philanthropist, Chrome security team in a recent blog post.

“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages – even some in-person conversations! BIS’ own FAQ states that information about a vulnerability, including its causes, wouldn’t be controlled, but we believe that it sometimes actually could be controlled information,” the company said.

Google also said the proposed amendment is worded far too vaguely, and proposed clarifications to both the DoC’s amendments and the Wassenaar Arrangement itself.

“The time and effort it takes to uncover bugs is significant, and the marketplace for these vulnerabilities is competitive. That’s why we provide cash rewards for quality security research that identifies problems in our own products or proactive improvements to open-source products. We’ve paid more than $4 million to researchers from all around the world.”

“If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit,” it said.

Verizon tries to woo CSOs with managed security offering

Verizon is boosting its managed security practice

Verizon is throwing its hat into the managed security services ring this week, launching a managed cybersecurity and incident monitoring service targeted at large enterprises.

The Unified Security Services includes a pre-configured set of features managed by Verizon directly and designed to protect the network edge.

Verizon said it will provide service event monitoring, device alerting and 24/7 security support as well as patch management as part of the suite.

“With Unified Security Services, we have bundled together technology, human expertise and deployment services into one convenient offering,” said Mike Denning, vice president of Global Security at Verizon Enterprise Solutions.

“This solution is aimed at helping organizations — with little to no internal staff — better safeguard their networks, without adding complexity or more resources to their IT teams,” he said.

The suite will initially be rolled out in the US with plans to offer hosted versions globally in 2016.

The launch suggests its partnership with Deloitte, announced in the spring, is bearing fruit. In April the companies announced a partnership to deliver a comprehensive set of cybersecurity and risk-management solutions to enterprises.

As part of that deal Verizon said it would contribute its experience in digital forensics and managed services, and Deloitte its cyber risk advisory services, to deliver end-to-end incident response services.

CSA lends prototype compliance tool to six-year cloud security project

The CSA is part of the STRATUS project, a six-year cybersecurity project

The Cloud Security Alliance (CSA) said this week that it is lending a prototype data auditing and compliance regulation tool to the STRATUS initiative, a six-year multi-million dollar cybersecurity project funded by New Zealand’s Ministry of Business, Innovation, and Employment.

STRATUS, which stands for Security Technologies Returning Accountability, Transparency and User-centric Services in the Cloud, is a project led by the University of Waikato that intends to develop a series of security tools, techniques and capabilities to give cloud users more control over how they secure the cloud services they use.

As part of the project the CSA showed how cloud data governance could be automated by applying auditing guidelines (the CSA Cloud Controls Matrix, ISO standards, etc.) and compliance regulations using a recently developed online tool.

The organisation, which is leading the data governance and accountability subproject within STRATUS, said it would also help support STRATUS’ commercialisation efforts.

“STRATUS’ approach to research commercialisation is different from typical scientific research grants,” said Dr. Ryan Ko, principal investigator of STRATUS, and CSA APAC research advisor.

“STRATUS understands that for cloud security innovation to reach a global audience, it will require a platform which will allow these cutting-edge cloud services to quickly align to global best practices and requirements – a core CSA strength given its strong research outputs such as the Cloud Controls Matrix and the Cloud Data Governance Working Group,” Ko said.

Aloysius Cheang, managing director for CSA APAC, said: “We have developed a prototype tool based on our work so far, that has received positive reviews. In addition, we are working to connect STRATUS and New Zealand to the CSA eco-system through our local chapter. More importantly, we are beginning to see some preliminary results of the efforts to connect the dots to commercialisation efforts as well as standardization efforts.”

The organisation reckons it should be able to show off the “fruit of these efforts” in November this year.

Salesforce bakes security, compliance into native apps with Shield

Salesforce has launched Shield in a bid to improve confidence among highly regulated cloud adopters

Salesforce this week announced Salesforce Shield, a portfolio of “drag and drop” security and compliance assurance services that developers can bake into native Salesforce apps.

The Shield services include field audit trail and data integrity tracking, data encryption, archiving and event monitoring.

Salesforce said the services are already in use by some of the company’s clients in the financial services and healthcare services sectors.

“While many companies are leveraging the cloud to build apps at the speed of business, those in regulated industries have struggled to take full advantage of the cloud due to regulatory and compliance constraints,” said Tod Nielsen, executive vice president of Salesforce1 Platform, Salesforce.

“With Salesforce Shield, we are liberating these IT leaders and developers, and empowering them to quickly build the cloud apps their businesses need, with the trust Salesforce is known for.”

Salesforce said the move is intended to give more heavily regulated sectors assurance when developing applications on the Salesforce platform, particularly those that are leaning more heavily on mobile.

Mobile security has been a big focus for the firm in recent months. In April the company acquired Toopher, a Texas-based mobile authentication startup, and towards the end of last year the company joined Verizon’s dark fibre cloud interconnection service to give its customers more secure options for linking to its cloud platform.

Security as a service firm CrowdStrike bags $100m from Google, Rackspace

CrowdStrike secured $100m in funding this week from Rackspace, Google among others

Security SaaS provider CrowdStrike completed a $100m round of funding led by Google and Rackspace this week, which the company said would be used to bolster its international expansion.

The funding round, in which Accel and Warburg Pincus also participated, brings the total investment secured by the firm to $156m.

CrowdStrike offers a range of threat intelligence, endpoint protection and cybersecurity services, including a cloud-based software offering and a security operations centre-as-a-service.

The company, of which Rackspace is a customer, claims to have trebled billings, revenue and headcount year on year.

“It’s extremely gratifying to bring in a high-caliber investor like Google Capital which shares our passion for innovation and sees the opportunity to completely transform the security industry,” said George Kurtz, CrowdStrike’s co-founder and chief executive officer.

“As we continue to experience hyper-growth, this capital injection will help us firmly establish our SaaS-based endpoint protection platform as the leading solution to address today’s sophisticated attacks and will allow CrowdStrike to further accelerate our domestic and international expansion.”

The cloud-based security services market is growing along with enterprise adoption of cloud services, in part because such services can be deployed more quickly and flexibly than on-premise solutions, and because the architectures tend to be complementary. Large cloud providers also see value in funding these vendors because security services are capitally and operationally expensive – they require large investments in code, infrastructure, monitoring and support staff – which makes it hard for the IaaS providers to build and offer the services themselves. According to MarketsandMarkets the cloud security market is forecast to grow at nearly 16 per cent CAGR, from $4.2bn in 2014 to $8.7bn in 2019.

Adobe under renewed pressure to kill Flash following security issues

Much of the world's digital video content is still served up on Flash

Adobe Flash, the video and graphics platform that was once almost ubiquitous across computing devices, is coming under increasing pressure after a series of security vulnerabilities, reports Telecoms.com.

Such has been the severity of these vulnerabilities that Mozilla has added all versions of Flash to the block list for the Firefox Browser. In addition the new Chief Security Officer of Facebook used Twitter to call for Adobe to announce an end-of-life date for Flash.

This probably marks the end game for a piece of software that was once considered central to the consumption of multimedia content, both on PC and mobile. The first and probably most damaging Emperor’s New Clothes moment was in 2010 when the late Apple boss Steve Jobs addressed a furore around Apple’s diminishing support for Flash.

An Adobe-affiliated blogger had even gone so far as to tell Apple to screw itself, and Jobs saw fit to put the Apple view forward. Among Jobs’ criticisms of Flash was its security, saying: “Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.”

A couple of years later Android followed suit and the industry on the whole has been looking to reduce its exposure to Flash ever since, with tech such as HTML5 being of significant assistance in this regard. The writing appears to be on the wall for Flash, and it will be interesting to see if Adobe is capable of pulling the plug on it in a sensible and dignified way.

Cisco to acquire OpenDNS to strengthen cloud security for IoT

Cisco plans to acquire OpenDNS for $635m

Cisco is to acquire cloud-based network security provider OpenDNS for $635m.

OpenDNS’ offering combines DNS services with a managed network security service that tracks devices and traffic and helps mitigate malware or denial of service threats. It also adds predictive intelligence: big data analytics over real-time behaviour, with machine learning algorithms used to automate mitigating action.

Cisco said the acquisition would strengthen its security services portfolio, a core element of its Internet of Things (IoT) strategy.

“As more people, processes, data and things become connected, opportunities for security breaches and malicious threats grow exponentially when away from secure enterprise networks,” said Hilton Romanski, Cisco chief technology and strategy officer.

“OpenDNS has a strong team with deep security expertise and key technology that complements Cisco’s security vision. Together, we will help customers protect their extended network wherever the user is and regardless of the device.”

As part of the deal, which is expected to close sometime in the first quarter of next year, the OpenDNS team will join the Cisco Security Business Group led by David Goeckeler, the division’s vice president and general manager.

Securing the network has become an increasingly important component of enterprise IT security, particularly with the explosion of malware and denial of service attacks, and will keep growing in importance as the IoT brings vast volumes of automated connectivity and data transactions.

The trend has seen more emphasis placed on cloud-based security services, which can act as a security perimeter without needing to install anything in a datacentre. According to Gartner, the cloud-based security market will grow from $2.1bn in 2013 to $3.bn this year.

CSA, CipherCloud look to standardise APIs for cloud access security brokerage

The CSA and CipherCloud are leading an initiative to standardise API implementation for cloud access security brokerage

The Cloud Security Alliance (CSA) and cloud security vendor CipherCloud are forming a working group to jointly develop best practice around API deployment for cloud access security brokerage services.

The Cloud Security Open API Working Group, which at its founding will include contributions from Deloitte, InfoSys, Intel Security, and SAP among others, will jointly define protocols, guidelines and best practices for implementing data security services – encryption, tokenisation and other technologies – across cloud environments.

The CSA said the working group plans to develop API specifications and reference architectures to guide cloud-based data protection.

“Standards are an important frontier for the cloud security ecosystem,” said Jim Reavis, chief executive of CSA.

“The right set of working definitions can boost adoption. This working group will help foster a secure cloud-computing environment – a win for vendors, partners and users. Standardising APIs will help the ecosystem coalesce around a universal language and process for integrating security tools into the cloud applications,” Reavis said.

Pravin Kothari, founder and chief executive of CipherCloud said: “Cloud is the killer app for security innovation. But currently, inefficiencies at the technical level in the form of custom connector protocols can hold back innovations in cloud security. Defining a uniform set of standards can enable us all to operate from the same playbook. As a pioneer in [cloud access security brokerage], we are excited to co-lead this initiative with CSA to accelerate security across clouds.”

The initiative may enhance the ability to integrate various cloud services securely, according to Jeff Margolies, principal at Deloitte, and open up what is generally considered to be a fairly closed, proprietary-dominated space.

“Currently the cloud security ecosystem lacks basic integration standards for connecting third-party security solutions to cloud applications, platforms and infrastructure,” he said, adding that the working group may help consolidate standards among vendors and cloud customers.

Close to 60 per cent of confidential cloud data can’t have risk levels assessed – research

UK IT professionals claim to be struggling with accurately assessing the risk of storing their confidential data in the cloud

Data from a recent Ponemon Institute survey commissioned by Informatica suggests UK enterprises are struggling to assess the risk associated with placing confidential data in the cloud, with respondents claiming they can’t determine the risk to 58 per cent of the confidential data they store in the cloud.

The problem is particularly acute for cloud-based data: enterprises said they faced the same challenge with only 28 per cent of the sensitive information held on-premise.

The survey results, which include responses from 118 UK IT and IT security professionals with responsibility for data protection, point to a gap in the deployment of data management tools between on-premise and cloud-based systems, which appears to skew confidence in data risk assessment. About 46 per cent are using such tools for data on premise, against 34 per cent for data in the cloud.

Still, less than half of respondents claimed to have common processes in place for discovering and classifying the sensitive or confidential data on-premise, and just a quarter said they have a process in place for data stored in the cloud.

About 54 per cent of respondents said they are not confident in their ability to proactively respond to a new threat in the cloud, and 30 per cent of the sensitive or confidential data located in the cloud is believed to be at risk according to respondents.

“The survey highlights that whilst organisations continue to fear cyberattacks, what really keeps them up at night is the unknown. Namely not knowing where data is and the associated risk to it,” said Larry Ponemon, chairman and founder, Ponemon Institute.

“Whilst businesses are more confident about having data on premise, the shift towards cloud computing is continuing to accelerate and organisations can’t afford to be held back by data security concerns. Instead, security practitioners need to get a handle on the classification of data so that they can feel more confident about the information that they are moving to the cloud. Regardless of whether information is held on premise or in the cloud, data governance protocols should be the same,” Ponemon said.

Informatica senior vice president and general manager, data integration and security Amit Walia said the results demonstrate the majority of organisations do not have a handle on their sensitive data, regardless of whether it exists on-premise or in the cloud.

He explained that as data volumes grow, enterprises are leaning more on customised software and automated processes than on manual processes to classify data risk and apply rules and policies, which is creating something of a false perception of risk.

“Because businesses have less confidence in their understanding of sensitive data then they perceive more risk. To reduce threat exposure and improve breach resiliency, organisations need to invest in data centric security technologies, which enable businesses to enact the need-to-know data access policies that help limit the exposure of sensitive data,” Walia said.

Box to tap NTT’s VPN in Japan

Box is teaming up with NTT Com to launch Box over VPN

Box and NTT Com have announced a partnership that will see the cloud storage incumbent offer access to its services through NTT’s VPN service. The companies said the move will improve confidence in cloud services among Japanese enterprises and expand the reach of both companies in the local IT services market.

Box also said the ‘Box over VPN’ scheme would improve network security for users and broaden the range of enterprise customers it caters to in the region, in particular enabling it to tap into government and financial services institutions.

“We’re thrilled to partner with NTT Com to help create transformative software for Japanese businesses in every industry,” said Box chief executive and founder Aaron Levie.

“This partnership will help more organizations to benefit from entirely new ways of working by elevating technology to enable secure collaboration and content management across geographical boundaries, while still meeting demands for robust control.”

Hidemune Sugawara, head of application & contents service, senior vice president of NTT Com, said: “By delivering added value based on NTT Com’s expertise in network security, we look forward to providing Box over VPN to a wide range of Japanese businesses. The partnership will enable Box to be combined with ID Federation and Salesforce over VPN, both of which are provided by NTT Com, which will help to expand our file-collaboration businesses targeting large enterprises.”

Japan has one of the most mature cloud services markets in the Asia Pacific region, which as a whole is expected to generate about $7.4bn in 2015 according to Gartner.