Tom Olzak

Archive for the ‘Cloud Computing’ Category

Shadow IT: Treat the cause, not the symptom

In Application Security, Business Continuity, Cloud Computing, Critical Infrastructure on July 8, 2015 at 04:00

I just posted an article at Toolbox.com about the business risks associated with shadow IT.  Many organizations see shadow IT as a disease to be cured.  However, as I write in my post, shadow IT is a symptom of a deeper issue.  It is this issue, related to IT remaining stuck in the past, that must be addressed.

Facebook employees should know better

In Business Continuity, Cloud Computing, Computers and Internet, Data Security, Insider risk, Java on February 15, 2013 at 20:27

While I believe that posting any private information to a social networking site is… well… nuts, I also believe we should have a reasonable expectation of privacy.  This means companies like Facebook must do a good job of protecting themselves from potential attacks.  So why were laptops used by Facebook employees targets of a recent zero-day attack?

Yes, it was zero-day.  We can’t foresee all possible attack vectors.  The threat agent used a hole in Java to infect the laptops.  Further, the Java exploit was setting on a developer site.  Doh!  Didn’t see that coming, Facebook?  You should have.

Java is full of holes.  It is an exploit waiting to happen, and it is not the first time attackers circumvented the Java sandbox to get at the underlying platform.  Some, like Andrew Storms at nCircle Security, believe Java needs a complete overhaul (via Gregg Keizer, Computerworld).

 “Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it…”

Apparently, Facebook didn’t get the memo.  Why would a social network company allow its employees to visit risky sites and then connect back to a network where customer and other sensitive data reside?  Why would any organization?

For more information on end-user device security, see Chapter 6 – End-user Device Security.

Home users create security gaps: Fill them

In Access Controls, Application Security, Business Continuity, Cloud Computing, Computers and Internet, Insider risk, iPad, Mobile Device Security, Network Security, Policies and Processes, Policy-based access control, Risk Management on February 13, 2013 at 20:13

In Phishing attacks target home workers as easy ‘back door’ – Techworld.com, John Dunn writes that users fear becoming targets when working at home.  This should surprise no one.  With the rapid growth of BYOD (bring your own device), organizations struggle to close security gaps as they attempt to meet new business requirements of anywhere/anytime delivery of information and business processes. (See The BYOD Trend.)

Smartphones, tablets, and privately-owned laptops are not adequately controlled in most organizations.  Traditional access controls, especially authorization constraints, fail to mitigate risk sufficiently.  One important change organizations can make is to context- or policy-based access controls.  (See Securing Remote Access).

 

 

Should you run away from Dropbox?

In Access Controls, Cloud Computing, Computers and Internet, Data Security, Piracy Legislation, Privacy, Risk Management, Security Management on June 21, 2011 at 15:26

For a long time, I’ve recommended Dropbox to colleagues, friends, and family.  However, recent revelations and events made me look for a more secure and less risky solution.

First we learn that any employee at Dropbox has access to our data. According to the Dropbox site,

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

The problem I had with this was the lack of communication to customers that this was the case.  Many of us understood that NOBODY could access our data.  Well, no problem.  I simply used TrueCrypt to encrypt sensitive data.  This was inconvenient and caused some performance issues.

As regular listener of Security Now, I decided to try the highly recommended Carbonite.  Not only does it back up all my data, but all my Office files and PDFs are available via my iPad and iPhone.  In addition, nobody can access my files but me…  Finally, the cost is pretty low: $59 per year for unlimited storage.

After testing Carbonite, I wasn’t yet ready to drop Dropbox.  However, today I read that they left all files available to the public for four hours yesterday.  (sigh).  I guess it was too much to expect a great cloud file respository to actually be secure, too.

SAS 70 replacement: SSAE 16

In Business Continuity, Cloud Computing, Data Security, Government, Network Security, Policies and Processes, Regulation, Risk Management, Security Management, Vendor Management on February 28, 2011 at 22:24

I’ve never been a big fan of SAS 70, even though it seemed to many  like a great way for an organization to tell the board and its auditors that it practiced due diligence.  You know, ” hey look, I got a SAS 70 from the service provider.  See, they’re secure.”  Not so fast, bucko.

The SAS 70 was never intended to be a test of the effectiveness of an organization’s security controls.  Rather, it simply checks to see if controls are in place–controls as defined by the audited organization’s own management.

In the article, SAS 70 replacement: SSAE 16 – CSO Online – Security and Risk, CSO’s Bill Brenner takes a look at something that may strengthen SAS 70… a replacement.

 

%d bloggers like this: