Tag Archives: security

nCircle Gets Additional Patent for Their Security Services

nCircle today announced the award of its second PureCloud patent by the U.S. Patent and Trademark Office. nCircle’s intellectual property portfolio now includes 11 patents. nCircle’s patents cover a wide range of security innovations and represent the company’s significant, ongoing investment in security technology research and innovation.

nCircle PureCloud is a cloud-based security services platform that requires no hardware or software to be installed or managed. nCircle PureCloud dramatically reduces the cost and complexity of a wide range of security services — including vulnerability scanning, PCI scanning and web application scanning — making these practices easily accessible to small and medium businesses.

“Attackers are targeting smaller businesses that typically have fewer security resources than larger companies,” said Tim ‘TK’ Keanini, chief research officer for nCircle. “The breakthrough technology in nCircle PureCloud helps level the playing field by making enterprise class security tools accessible to all businesses, regardless of size.”

How Tough are the Final HIPAA Privacy, Security Rules?

Online Tech is hosting an educational webinar on the new final HIPAA omnibus rule, “No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules,” on Thursday, January 31 at 2 P.M. ET. The webinar will discuss how the latest HIPAA modifications affect the healthcare industry and healthcare vendors.

Dickinson Wright’s Brian Balow will lead the No More Excuses webinar with April Sage, Director of Healthcare Vertical for Online Tech. On January 17, 2013, the Department of Health and Human Services released its long-anticipated modifications to the Privacy, Security, Enforcement, and Breach Notification Rules under HIPAA/HITECH.

These modifications leave no doubt that covered entities, business associates, and their subcontractors must understand the application of these Rules to their operations, and must take steps to ensure compliance with these Rules in order to avoid liability. To find out more about the webinar and register via GoToMeeting, click here.

Data Security Concerns With Cloud Technology

Cloud computing in the 21st century promises to be what electricity was in the 20th century: cheap, plentiful, always-available compute resources to fulfill your every need. As with any new technological advance, however, there are risks that could be exploited by those with malicious intent.

If you’re fortunate enough to have the resources within your organization to build and operate your own private cloud, most of these risks will already have been mitigated, because you retain an element of control. Many other businesses are not in this position, however, especially those in the small and medium-sized sector who are shredding their documents to move to the cloud.

None of the security concerns discussed below is a deal-breaker as such; the benefits of the cloud far outweigh the data security risks entailed in the transition to utility computing. As a decision maker, however, it is important to think about these issues before securely shredding everything and embarking on a cloud migration. How prospective cloud providers will safeguard your data operations should be a key deciding factor in choosing your public cloud provider.

Data storage
Data should be securely encrypted when on your cloud provider’s servers, and also when in use and being processed by the cloud service. Forrester, a leading technology market research company, warns that few providers are currently able to guarantee data security and protection whilst it is being used within the application, and also what they do with the data after processing is complete.

Data transfer
Communications over the internet must be secured in any cloud transaction. In a browser, look for the “https” scheme in the URL when you connect to your cloud provider. In addition, always ensure traffic is authenticated and encrypted using industry standard protocols developed specifically to secure internetworking, such as Internet Protocol Security (IPsec).

Secure APIs
Also be aware of the software interfaces or application programming interfaces (APIs) that are employed in cloud services. The Cloud Security Alliance (CSA), an industry trade group, recommends learning about how your cloud provider integrates security throughout its offering, spanning activities such as monitoring and alerting services, data authentication and access control techniques.

Access control and data separation
You no longer have any personnel controls over people that have access to your data stored on the cloud provider’s servers. Make sure you consider the sensitivity of such data first to make sure that it is appropriate for release into the cloud. Gartner, a leading technology research and advisory company, also suggests asking for profiles of people who manage your data and the level of access they have.

AlienVault Unified Security Provides Security Visibility for Amazon EC2

AlienVault today announced its latest 4.1 release, which aims to resolve the biggest challenges associated with traditional SIEM solutions including cost, complexity and difficult deployments. AlienVault Unified Security Management (AV-USM) platform 4.1 simplifies and speeds SIEM deployments and provides intelligent security incident response guidance. AV-USM 4.1 also extends AlienVault’s best-of-breed security monitoring capabilities to Amazon EC2 to enable greater control over hybrid environments.

“Lack of security visibility and control is a primary concern when businesses move workloads to the cloud,” said Russ Spitler, VP of Product Management at AlienVault. “Traditional SIEM solutions are extremely limited in their ability to monitor cloud environments, leaving companies with siloed assets and glaring holes in their security risk posture. By enabling the AV-USM platform to monitor Amazon EC2, AlienVault customers can lower their costs, optimize their IT environments and get security wherever they need it to be, without sacrificing visibility in their own private datacenters or the public cloud.”

New features in the AlienVault Unified Security Management platform 4.1 include:

  • Support for Amazon EC2: “Instant-on” essential security
    capabilities match the elasticity of the EC2 cloud environment and
    enable unified security monitoring whether assets are in the cloud or
    data center.
  • Auto-Deploy: Automatically identifies potential data sources
    upon deployment with integrated discovery capabilities and removes the
    “guesswork” common with traditional SIEM deployments.
  • Dynamic Incident Response Templates: Extends SIEM functionality
    past the alert by providing customized, contextually relevant
    workflow-driven response procedures so that analysts know exactly what
    to do next.
  • Suricata IDS Profile: Provides an alternative to the SNORT IDS
    engine with enhanced threat detection, analysis and performance.

Based on the open source project OSSIM, the AV-USM platform combines more than 30 of the best security technologies and provides security analysts with five essential security capabilities including asset detection, vulnerability assessment, threat detection, behavioral monitoring and security intelligence capabilities in a single, unified solution and management console. The AlienVault Open Threat Exchange™ is the largest community-sourced threat database and intelligence feed, and is built into the AV-USM platform and OSSIM to provide security analysts with real-time collaborative defense.

“Since our business is completely built on IaaS providers, we need to find a way to get reliable security visibility in this environment,” said Fredrick Lee, Lead Security Engineer for Twilio. “A lot of traditional security solutions fall short when facing the challenges of deploying in the cloud. AlienVault USM provides a great way to deploy the security capabilities I find essential – IDS, vulnerability assessment, SIEM – quickly and completely.”

AlienVault has also launched a new documentation portal, the AlienVault Repository of Knowledge (ARK), which complements the support forum and provides access to interactive assets, product documents and how-to videos for the larger OSSIM community.

The latest version of the AlienVault Unified Security Management platform 4.1 is available now.

Six Degrees Group Achieves PCI DSS Compliance

Six Degrees Group, a provider of integrated managed data services, today announces that following an official audit its datacentres and security systems are now fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

The confirmation of PCI DSS compliance complements Six Degrees Group’s ISO 27001:2005 certification for information security, which emphasises the Group’s commitment to protecting and securing clients’ data.

PCI DSS is a set of comprehensive standards for ensuring the security of financial payment data that was developed by the founding payment brands of the PCI Security Standards Council including Visa Inc., American Express and MasterCard Worldwide. As a result of this certification, Six Degrees is now on the approved global Visa Merchant register.

Mike Ing, group business operations director of Six Degrees Group, stated: “These standards globally govern all organisations that store, process or transmit cardholder data. Achieving this compliance provides our customers and prospects with the reassurance that Six Degrees Group is committed to the security and confidentiality of sensitive data by meeting the physical security requirements of the PCI standard.”

Virtustream Adds Cloud Database Encryption, Key Management

Virtustream today added software-based “data at rest” encryption to its cloud services portfolio through a partnership with Vormetric, a leader in enterprise encryption and key management. With this extra protection, Virtustream’s xStream cloud management software and Virtustream cloud IaaS services provide highly secure and compliant solutions that enable enterprises, governments and service providers to safely run mission-critical applications in private, public and hybrid clouds.

The company will now offer Vormetric’s database and file encryption solution to customers needing an additional layer of security to satisfy internal sensitive data policies and compliance mandates regarding business data. For enterprises required to comply with regulatory guidelines and compliance frameworks such as NIST 800-53, DIACAP, FedRAMP, FISMA, ICD503, G-Cloud, CSA Recommendations, ISO27001, HIPAA/HITECH, PCI, SSAE16/SAS70 and other industry standards, this new service provides a sophisticated approach to protecting highly sensitive data in the cloud. Virtustream’s new data encryption offering allows enterprises mandating full data life cycle encryption to take advantage of the cloud.

The addition of Vormetric Data Security adds to the enhanced security measures in Virtustream clouds which include layered physical/virtual security, cloud-to-cloud encryption, core servers equipped with new Intel CPUs that support Advanced Encryption Standard New Instruction Set (AES-NI) for optimal encryption efficiency, hardware-level authentication (Intel TXT), encrypted VPN (IPSEC and SSL), Key Escrow using Data Security Modules (DSMs), encryption in archive, GRC tools, two-factor authentication, and various additional security and compliance measures and reporting.

“File-level encryption is the most effective and flexible approach to cloud data security for enterprises concerned with regulatory compliance, protecting their IP and meeting contractual obligations around customer data,” said Bruce Johnson, vice president for worldwide sales and service operations at Vormetric. “By offering Vormetric Encryption through a pay-as-you-go model, Virtustream is providing comprehensive, built-in and transparent security for any database, that can follow customer data—whether it is in the cloud or a datacenter.”

As the Virtustream team evaluated security and encryption software to pair with its cloud solution, it found that many of the larger vendors focus primarily on end-user computing and encrypting whole drives, which only protects against specific threats and could not support a variety of deployment modes. Vormetric’s solution quickly emerged as the leader in enterprise class security, as it emphasized encryption at the file/folder level, transparently across all major database platforms. It also enables very granular separation of duties to allow for a variety of support models from zero client touch, to co-managed operations, to full key management by clients. Vormetric encryption ensures that there is no unauthorized data access from inside or outside an organization. In stress testing, Vormetric exceeded Virtustream’s performance expectations with a virtually indiscernible impact on application response time, excellent manageability and detailed logging of file access for Database Access Monitoring requirements (DAM) and Data Leakage Prevention (DLP) reporting.

Virtustream now stands as the first cloud provider to offer the Vormetric solution in a SaaS model with elastic, consumption-based pricing—services are priced per virtual CPU of each database server, as opposed to traditional perpetual licensing models.

“It can be challenging to get large enterprises to trust the cloud, so this partnership with Vormetric provides a significant security measure required to overcome that concern,” said Pete Nicoletti, director of security and compliance at Virtustream. “With Vormetric’s solution, we now have a database encryption security option suitable for customers who are required to comply with executive mandates or compliance frameworks but have not yet deployed encryption at their database or application layer. Adding this capability will make moving mission-critical data to the cloud a more feasible option for any enterprise looking for immediate risk reduction and cost savings.”

With this encryption service, Virtustream also offers and manages encryption of client databases at their location in the client’s datacenter before they even move the workload to the Virtustream cloud. This is a unique capability and allows customers that are concerned with protecting personally identifiable information (PII) and other sensitive information to achieve regulatory compliance and avoid potential data breach costs.

“By partnering with Vormetric, we are able to combine its nimble and powerful security solution with our cloud solution for increased data protection with high performance and low overhead,” said Mike Olson, vice president of operations and service delivery for Virtustream. “Together we offer customers a more secure, compliant cloud environment with reduced infrastructure costs, and increased performance and uptime.”

Toshiba Announces Cryptographic-erase, Self-encryption Features for New Enterprise SSD, Mobile HDD

Toshiba Corporation today announced new enterprise SAS solid state drives (SSD), mobile SATA hard disk drives (HDD), including self-encrypting drive (SED) models in both product categories, and new enterprise-grade SATA SSD supporting cryptographic-erase. Select drives will start to ship in January with other models following later in the first quarter.

The PX02SMQ and PX02SMU series enterprise SEDs (eSED) deliver government-grade Advanced Encryption Standard (AES) 256-bit self-encryption and offer Trusted Computing Group (TCG) Enterprise SSC protocol self-encryption and cryptographic-erase support. These high-performance 2.5-inch enterprise models with SAS interface target high-end servers and data center applications and provide capacities ranging up to 1.6TB[1].

The PX02AMU value line of SATA eSSD models and the PX03ANU read-intensive line of SATA eSSD models, both for enterprise applications, feature cryptographic-erase for fast and secure media sanitization.

For mobile computing, the MQ01ABU***W series provides self-encryption, cryptographic-erase and TCG Opal SSC protocol support in a slim 7mm height with up to 500GB[1] of storage capacity. The MQ01ABU***W series also supports Toshiba’s Wipe technology, which adds security features that allow system designers to cryptographic-erase sensitive user data automatically if an unexpected host attempts to access the HDD or if a defined number of authentication failures occurs.
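As an added illustration (not Toshiba’s or the TCG’s code), the toy self-encrypting drive below shows what cryptographic-erase and an authentication-failure wipe mean in practice: the media only ever holds ciphertext under a media encryption key (MEK) that never leaves the drive, an erase simply replaces that key, and a failure counter can trigger the erase on its own. A SHA-256 counter-mode keystream stands in for the hardware AES-256, and the class, method names and threshold are assumptions.

```python
"""Toy self-encrypting drive (SED) with cryptographic erase: an added illustration,
not Toshiba/TCG code; a SHA-256 keystream stands in for the hardware AES-256."""
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce, block counter)."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)

class SelfEncryptingDrive:
    def __init__(self, owner_password: bytes, max_auth_failures: int = 5):
        self.max_auth_failures = max_auth_failures
        self.auth_failures = 0
        self.erase_count = 0
        self.unlocked = False
        self.media = b""                      # ciphertext as stored on the platters/flash
        self._mek = secrets.token_bytes(32)   # media encryption key, kept inside the drive
        self._wrapped = None                  # (salt, MEK wrapped under owner KEK, MAC tag)
        self.provision(owner_password)

    def provision(self, password: bytes) -> None:
        """Set the owner credential; allowed only when unowned (after erase) or unlocked."""
        if self._wrapped is not None and not self.unlocked:
            raise PermissionError("drive is locked")
        salt = secrets.token_bytes(16)
        kek = hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)
        wrapped = keystream_xor(kek, b"wrap", self._mek)
        self._wrapped = (salt, wrapped, hmac.new(kek, wrapped, "sha256").digest())

    def unlock(self, password: bytes) -> bool:
        if self._wrapped is None:              # erased and not yet re-provisioned
            return False
        salt, wrapped, tag = self._wrapped
        kek = hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)
        if hmac.compare_digest(tag, hmac.new(kek, wrapped, "sha256").digest()):
            self.auth_failures, self.unlocked = 0, True
            return True
        self.auth_failures += 1
        if self.auth_failures >= self.max_auth_failures:   # the "Wipe" trigger
            self.crypto_erase()
        return False

    def lock(self) -> None:
        self.unlocked = False

    def write(self, plaintext: bytes) -> None:
        if not self.unlocked:
            raise PermissionError("drive is locked")
        self.media = keystream_xor(self._mek, b"data", plaintext)

    def read(self) -> bytes:
        if not self.unlocked:
            raise PermissionError("drive is locked")
        return keystream_xor(self._mek, b"data", self.media)

    def crypto_erase(self) -> None:
        """Replace the MEK: old ciphertext stays on the media but is now unrecoverable."""
        self._mek = secrets.token_bytes(32)
        self._wrapped, self.unlocked, self.auth_failures = None, False, 0
        self.erase_count += 1
```

Because only the key changes, the erase takes constant time regardless of capacity, which is why the announcement can describe it as fast sanitization.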

Toshiba is also reportedly working on FIPS 140-2 certification[2] for select SED products to meet government-class security requirements.

Five IT Security Predictions for 2013

Guest Post by Rick Dakin, CEO and co-founder of Coalfire, an independent IT GRC auditor

Last year was a very active year in the cybersecurity world. The Secretary of Defense announced that the threat level has escalated to the point where protection of cyber assets used for critical infrastructure is vital. Banks and payment processors came under direct and targeted attack for both denial of service as well as next-generation worms.

What might 2013 have in store? Some predictions:

1. The migration to mobile computing will accelerate and the features of mobile operating systems will become known as vulnerabilities by the IT security industry.

Look out for Windows 95 level security on iOS, Android 4 and even Windows 8 as we continue to connect to our bank and investment accounts – as well as other important personal and professional data – on smartphones and tablets.

As of today, there is no way to secure an unsecured mobile operating system (OS). Some risks can be mitigated, but many vulnerabilities remain. This lack of mobile device and mobile network security will drive protection to the data level. Expect to see a wide range of data and communication encryption solutions before you see a secure mobile OS.

The lack of security, combined with the ever-growing adoption of smartphones and tablets for increasingly sensitive data access, will result in a systemic loss for some unlucky merchant, bank or service provider in 2013. Coalfire predicts more than 1 million users will be impacted and the loss will be more than $10 million.

2. Government will lead the way in the enterprise migration to “secure” cloud computing.

No entity has more to gain by migrating to the inherent efficiencies of cloud computing than our federal government. Since many agencies are still operating in 1990s-era infrastructure, the payback for adopting shared applications in shared hosting facilities with shared services will be too compelling to delay any longer, especially with ever-increasing pressure to reduce spending.

As a result, Coalfire believes the fledgling FedRAMP program will continue to gain momentum and we will see more than 50 enterprise applications hosted in secure federal clouds by the end of 2013. Additionally, commercial cloud adoption will have to play catch-up to the new benchmark that the government is setting for cloud security and compliance. It is expected that more cloud consumers will want increased visibility into the security and compliance posture of commercially available clouds.

3. Lawyers will discover a new revenue source – suing negligent companies over data breaches.

Plaintiff attorneys will drive companies to separate the cozy compliance and security connection. It will no longer be acceptable to obtain an IT audit or assessment from the same company that is managing an organization’s security programs. The risk of being found negligent or legally liable in any area of digital security will drive the need for independent assessment.

The expansion of the definition of cyber negligence and the range of monetary damages will become more clear as class action lawsuits are filed against organizations that experience data breaches.

4. Critical Infrastructure Protection (CIP) will replace the Payment Card Industry (PCI) standard as the white-hot tip of the compliance security sword.

Banks, payment processors and other financial institutions are becoming much more mature in their ability to protect critical systems and sensitive data. However, critical infrastructure organizations like electric utilities, water distribution and transportation remain softer targets for international terrorists.

As the front lines of terrorist activities shift to the virtual world, national security analysts are already seeing a dramatic uptick in surveillance on those systems. Expect a serious cyber attack on critical infrastructure in 2013 that will dramatically change the national debate from one of avoidance of cyber controls to one of significantly increased regulatory oversight.

5. Security technology will start to streamline compliance management.

Finally, the cost of IT compliance will start to drop for the more mature industries such as healthcare, banking, payment processing and government. Continuous monitoring and reporting systems will be deployed to more efficiently collect compliance evidence and auditors will be able to more thoroughly and effectively complete an assessment with reduced time on site and less time organizing evidence to validate controls.

Since the cost of noncompliance will increase, organizations will demand and get more routine methods to validate compliance between annual assessment reports.

Rick Dakin is CEO and co-founder of Coalfire, an independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington D.C. and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire’s solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, HITRUST, NERC CIP, Sarbanes-Oxley, FISMA and FedRAMP.