Directors Report June 2017: Cloud Security Analysed For Management (£)

Synopsis

Companies around the world are moving core enterprise systems to the Cloud. What was until recently a complicated and expensive in-house IT system can now be outsourced, and Cloud implementations now appear relatively simple and less expensive.

This reduction in cost and complexity is causing an explosion of Cloud services and Cloud service providers.

With multiple cloud services, many companies are losing track of the who, what, where, when and why of their data. 

With multiple environments and services, it is easy to lose track of what data goes into which environment, and who has access to the data. Not all cloud services are the same — failure to monitor and enforce security levels and access limitations could lead to disastrous results.

Below, we outline potential issues involved in having multiple cloud services and service providers, along with a proposed action plan to stay on top of your growing cloud services environments.

Worldwide spending on public Cloud services and Infrastructure will reach $124.5 billion in 2017, representing an increase of 25.4% over 2016.

In terms of company size, nearly half of all public cloud spending will come from large businesses (those with more than 1,000 employees) while medium-sized businesses (100-499 employees) will represent more than 20% of cloud expenditure.

Sixty-four percent of enterprises are using different types of Cloud and aspects of the Internet of Things (IoT) without properly and continually securing sensitive data.

Cloud Computing describes a model of networked computing power in which an application runs on a series of connected servers outside your organisation's borders, rather than on your local system and computing devices.

In the simplest terms, Cloud Computing means storing and accessing data and programs over the Internet instead of via your own computer's hard drive. The Cloud is just a metaphor for the Internet.

The Cloud has the potential not only to become a defining technology of the twenty-first century, but also a defining utility, just as electricity was for the twentieth. This involves the sale of computer software and hardware as services, which an organisation can rent instead of purchase.

There are many reasons to switch to Cloud Computing, including the ability to save considerable amounts of money while improving productivity and efficiency. However, there are some security issues that need to be recognised and monitored and this Report will discuss and analyse these Cloud Security issues. 

Security Issues with the Cloud

However, organisations often engage with the Cloud without sufficient management understanding or security precautions.

Perhaps the biggest concerns about Cloud Computing are still the security and privacy issues. The idea of handing over important data to another company rightly concerns some managers. 

Therefore, corporate executives are often hesitant to take advantage of a Cloud Computing System because they feel unsure of their company's information security.

Some of the security questions regarding Cloud Computing are more philosophical:

  • Does the user or company subscribing to the Cloud Computing service own the data?
  • Does the Cloud Computing system, which provides the actual storage space, own it?
  • Is it possible for a Cloud Computing company to deny a client access to that client's data?

Many companies, law firms and universities are debating these and other questions about the nature of Cloud Computing and some of these discussions and arguments can be found by searching the Web.

There's a growing concern in the IT industry about how Cloud Computing could impact the business of computer maintenance and repair. If companies switch to using streamlined computer systems, they'll have fewer IT needs but less understanding of the results. 

Some other industry experts believe that the need for IT jobs will migrate to the back end of the Cloud Computing System.

The pressure on the IT Directors, and CIO, not only to deliver a successful migration, but also to accurately predict the financial benefits of the move, is enormous. 

As the cloud develops these important new capabilities, what IDC calls 'Cloud 2.0', the use cases for the cloud will expand dramatically.

Cloud Security

What you need to know when choosing Cloud Storage Services

Most cloud storage breaches were actually facilitated by users who gave away their passwords, often as the victims of phishing. The following are the most common terms you’ll see when shopping for a cloud storage or backup provider.

HTTPS

HTTPS stands for Hypertext Transfer Protocol Secure. HTTP (without the “secure”) is a standard of messaging that all Web servers use to transfer Web pages to browsers. HTTPS adds a layer of security to these procedures and it is the bedrock of ecommerce. It’s the system that protects your credit card details when you pay for things online.

SSL and TLS

SSL means Secure Sockets Layer, and this protocol contains the procedures that put the “S” in HTTPS. In 2008, after running for a while, SSL was discovered to have some security weaknesses.

The protocol was open to “spoofing,” which means that hackers were able to forge the security certificates that formed the heart of the SSL verification system. These certificates contain the encryption key that the client is supposed to use in order to secure connections. Soon after, the Transport Layer Security (TLS) protocol was designed to replace SSL.

Further weaknesses were discovered over the years, and they caused the Internet Engineering Task Force (IETF) to “deprecate” the protocol in 2015, which effectively told everyone not to use SSL for security. Although no one implements SSL any more, the term is still often used: in reality, services that say they use SSL actually use TLS.

Two-Factor Authentication

Although banks used to rely on HTTPS alone for security when they provided online banking, most have since kicked their privacy features up a notch with two-factor authentication, which you will often see written as 2FA.

As with most logins, you need a username and a password, but 2FA requires some other method of identification on top of that. This should be something that only the user has and it can be a physical possession, or a secret piece of information. Some banks give clients a special card reader which generates a second pass code, while others will send you an access code by SMS.

iCloud used a keychain fob that generated a code; however, that fob quickly disappeared when Apple integrated 2FA code generation into its standard products.

The Advanced Encryption Standard (AES)

The US National Institute of Standards and Technology commissioned the creation of the Advanced Encryption Standard, or AES, to create a secure method of encryption that could be used by government agencies.

The encryption process involves transforming blocks of numbers by organising them into a series of grids and then adjusting each number in the grid by applying a cryptographic key. The AES specification allows for different key lengths. The shortest key, 128 bits, is often used for encryption on mobile devices. The most common key length for cloud storage data encryption is 256 bits.

The length of the encryption key is important because the specification of AES is publicly available. That means the key is the only secret: anyone who knows the algorithm could crack the encryption simply by guessing the key, so the key must be long enough to make guessing impractical.

Blowfish

Those who worry about an encryption system that was created for the US government should look for cloud storage systems that use the Blowfish cipher. This is older than AES and had never been cracked until 2016, when the Sweet32 birthday attack was devised. Even now, Blowfish is still thought to provide strong enough security for files smaller than 4GB.

The Blowfish specification was published in 1993. As with AES, the definition allows for a range of key lengths, from which each developer can choose. Keys range from 32 bits to 448 bits in length. As with AES, the longer the key, the stronger the security, so check this figure when selecting a cloud storage provider, like CrashPlan, that uses Blowfish.

RSA

Both AES and Blowfish are symmetric key systems. That means the key used to encrypt the data is also needed to decrypt it. You may already have spotted a flaw with these methods when they are used to communicate data: how do both sides of a connection get the same key? If one side sends the shared key to the other, that message cannot itself be encrypted, because until it has the key the receiving computer would not be able to decrypt it.

The answer to this problem lies with asymmetric key systems, such as RSA. These encryption methods are also known as “public key.” The key that decrypts the protected message is not the same as the one that encrypts it.

It does not matter if a hacker gets hold of the encrypting key because all they will be able to do with it is encrypt messages that only the holder of the corresponding private key could ever decrypt. You cannot derive the private decryption key from the public encryption key.

RSA is named after its creators, Rivest, Shamir and Adleman. Most Internet encryption systems use a public key system to distribute the keys needed for symmetric key systems, such as AES and Blowfish. RSA is the most frequently used public key system for key exchange, and it is used for key distribution in TLS-based methods, including HTTPS.

RSA has a 1,024-bit key, which is four times longer than the most commonly used AES key length of 256 bits and eight times longer than the minimum-length AES key of 128 bits.

Perfect Forward Secrecy

Internet-based encryption systems rely on client software that communicates with the server. The server is the remote computer that holds the files, the cloud storage facility. The client is at the other end of the connection. In the case of your access to cloud storage, the client is your computer.

When you sign up for a service such as Dropbox, the first thing that will happen is that the website will download an installer file for you to run. This installs the client software. Some Internet security systems will include the key for communication with the server in this download.

A potential problem with keys that are reused is that once someone learns that key, they can decrypt all the communications that your computer has with the server and get access to your private files. Perfect Forward Secrecy (PFS) is a methodology by which a new encryption key is used for each session.

If anyone out there has a system to snoop on your connection and capture the encryption key, they would be wasting their efforts because the next time you connect they would have to start their tasks all over again to get the new key.

Perfect Forward Secrecy adds an extra layer of protection to your privacy because it limits the amount of disclosure that any single security breach can deliver.

Zero-Knowledge Encryption

Specialist storage providers now operate zero-knowledge encryption. If you search the Web you may find information on the Zero Knowledge Protocol; that is something else. Zero-knowledge encryption simply means that all of the encryption of your files takes place on your computer before they are uploaded to the cloud.

The client software uses a separate process to scramble the files using a key that is resident on your computer. Files are then transferred using a standard method, such as TLS.

The employees of a zero-knowledge provider can never get to the raw files, only the encrypted version. As they also could not get access to the key, you are better off with zero-knowledge encryption than with ciphers that are applied during the transfer or when the files reach the server.
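The RSA section above describes the usual arrangement, a public key system distributing the symmetric key that protects the data, and zero-knowledge encryption applies that encryption on the client before anything is uploaded. The Go program below is an added example, not code from this report or from any storage provider: it encrypts a file with AES-256-GCM, wraps the file key with RSA-OAEP under a key pair generated on the client, and shows that the envelope the provider stores can be opened only by the private key holder and is rejected if tampered with. The names Envelope, SealFile, OpenFile and NewOwnerKey and the sample file content are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is all the provider ever receives; the AES key inside it is wrapped.
type Envelope struct {
	WrappedKey []byte // 256-bit AES key encrypted with RSA-OAEP (SHA-256)
	Nonce      []byte // AES-GCM nonce, fresh for every file, never reused with a key
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// NewOwnerKey generates the owner's 2048-bit RSA key pair locally, on the client.
func NewOwnerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SealFile encrypts plaintext on the client with a fresh random AES-256 key
// (AES-GCM), then wraps that key with RSA-OAEP for the holder of the private key.
func SealFile(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh 256-bit AES key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Only the public key is needed here, so a stolen copy of it decrypts nothing.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenFile unwraps the AES key with the private key, then decrypts and authenticates.
func OpenFile(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails on any tampering
}

func main() {
	// Constructed sample: the key pair is generated on the client, not issued by the provider.
	priv, _ := NewOwnerKey() // errors ignored only to keep this demo short
	env, _ := SealFile(&priv.PublicKey, []byte("constructed sample: board-minutes.docx"))
	pt, err := OpenFile(priv, env)
	fmt.Printf("owner decrypts: %q (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 1 // simulate tampering at the provider or in transit
	_, err = OpenFile(priv, env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The provider stores only the envelope, so a breach of its servers yields ciphertext and a wrapped key, and the "Further Security Measures" point still applies: the protection holds only if the private key really was generated and kept on the client.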

Further Security Measures

Zero-knowledge encryption is still not good enough for some. The security-conscious argue that the encryption software and keys all originate from the cloud storage provider, so there is still one central location that is vulnerable to attack.

If anyone wanted to get into all the files on a server that operates a zero-knowledge system, they would just need to hijack the key distribution stage.

If the software on your computer uses an encryption key that the hacker knows, then it really doesn’t matter where the encryption takes place; they can still get access to all the files on that cloud storage server.

If you install encryption software from another company on your computer, you increase your privacy. You can encrypt all of your files manually and then let the cloud storage client software re-encrypt and transfer the data. That way, if some miscreant has got into the cloud storage server’s encryption system, all they can do is decrypt a file to reveal another layer of encryption beneath.

Cracking a security system like that would entail breaking into every encryption software company in the world and manipulating their key distribution procedures. No one has the resources to achieve such a feat.

Final Thoughts

The degree of privacy that you need for your files greatly depends on the type of information you are storing. There is a wide range of cloud storage options out there and they vary from consumer-friendly free services, such as Dropbox, through to business systems that even the NSA could not crack.

Hybrid Cloud

Of all the challenges facing businesses today, two rise above the rest: increasing profits and increasing agility. Cloud computing, whether private, public or hybrid, is helping to do both. 

When considering implementing cloud-based solutions, it is prudent to ask whether the timing is right, which applications to migrate first and which aspects concern IT managers. These questions were answered recently by IT and business managers who participated in a survey conducted by IDG Research.

According to the respondents, the hybrid cloud model offers the most flexibility and scalability, and the time for implementing cloud solutions is now. Respondents also stated that the challenges businesses face in moving to the cloud, while considerable, can be overcome by working in partnership with the right cloud services provider.

Cloud Overview

Three cloud “types” exist: private, public and hybrid. In a private cloud, the entire physical IT infrastructure and data store lie inside the corporate firewall (regardless of physical location), providing the highest degree of control. In a public cloud, servers, storage and applications from one or more third-party providers are offered on a pay-per-use or subscription basis, with infrastructure usually shared by multiple subscribers. A hybrid cloud combines two or more clouds, private or public, into a custom solution that provides scalability and agility while allowing the business to maintain selective control over data, operations and other components.

The hybrid cloud model continues to grow in popularity, offering the best combination of agility, flexibility and security. Servers and other resources can be provisioned and spun up in minutes, rather than the months it often takes to acquire, install and deploy resources in a traditional IT infrastructure. 

Of the IT and business managers surveyed, 21 percent already have implemented a hybrid cloud. More than half (53 percent) plan to do so within the next 12 months. According to a recent NTT Communications report, cloud budgets within the Information and Communications Technologies (ICT) sector are expected to increase 20 percent by 2018. 

But even with that substantial increase in cloud spending, the report found that up to 10 percent of applications, primarily in highly regulated and mechanized sectors, may not be candidates for migration.

As migration to the cloud broadens, it is inevitable that a corresponding scaling back of traditional corporate IT infrastructures takes place. Nearly half (45 percent) of the IDG survey respondents indicated they currently operate on-premises, non-cloud, physical servers, but expect that level to drop to just 36 percent within a year. In the process, a variety of services are moving to cloud-based infrastructures. Those most likely to be migrated include groupware (cited by 52 percent), database and Web servers (48 percent), directory services (39 percent) and mail servers (35 percent). Groupware, by its very nature a collaborative experience, is an ideal match for the cloud, itself a platform designed for collaboration and sharing.

Implementing a cloud platform, often complemented with mobile apps for smartphones and tablets, provides businesses with new avenues for reaching customers and employees. To leverage that capability, nearly half of survey respondents plan to expand their cloud efforts globally, with the European Union and South America being targeted first.

Conquering Concerns

No major technology transformation comes without challenges, and cloud computing is no exception. Profoundly different from traditional centralized IT with its on-premises data centres, the road to cloud migration is not always smooth. Recognizing these impediments is the first step in overcoming them. 

Of the ICT decision-makers surveyed by NTT, 38 percent believe cloud has not yet lived up to its potential within their organization. This result is likely a misalignment of perception with expectation. While many organisations vastly reduce their server footprint, others attain a more-modest success. 

“In some cases, organisations have tried to migrate their applications to the cloud and not had much success,” says Indranil Sengupta, Senior Director of Cloud Service Development at NTT America. 

“One reason for this is the age of the application. Many applications as recently as three to five years back were written as ‘stateful’ applications, which means the application code directly interfaces and interacts with the physical environment. These are very difficult to migrate. One has to convert these applications into ‘stateless’ applications first.”

Three other challenges stand out, according to survey respondents. Half of those surveyed cited the initial integration and design of the hybrid cloud environment as either extremely or very challenging. Once beyond that point, 40 percent noted challenges regarding the transfer of data to the new environment. Finally, 33 percent said that operation with multiple contact points is a concern. Certainly in IT, where multivendor infrastructures and services have long been the norm, this is a familiar challenge. Navigate beyond these three impediments with a knowledgeable cloud services provider, and the journey quickly eases. 

Partner Choice Is Key 

As the migration of existing on-premises infrastructure and applications to a flexible hybrid cloud platform becomes increasingly mainstream, the challenges and critical criteria faced by IT are clearly defined. To surmount these factors, the choice of an experienced cloud service provider that functions as partner, technical facilitator and advisor is essential for success in businesses both large and small. With operational effectiveness and cost optimisation cited by respondents as key criteria when considering cloud-based IT, a provider with demonstrable process maturity is best-positioned to create a comprehensive, cohesive overall experience. 

NTT Communications is the long-distance and international communications and ICT solution provider of NTT, one of the top three telecom companies in the Fortune® Global 500. NTT’s approach to providing cloud-based solutions is built on a foundation of five key considerations: security, compliance, migration, integration and change management.

Whether it is enterprise-class Infrastructure as a Service, cloud migration, Backup/Recovery as a Service, global virtualization or content delivery, NTT offers system consultation that includes a survey of the current system, design of a cloud ICT infrastructure, and a clear implementation plan and execution.


For further information or Cloud assistance please contact Tim Heath at Cyber Security Intelligence.
