
Cloud Security Alliance

The first-ever Cybersecurity Women of the Year Awards

Infosec industry comes together to recognize innovators and leaders
08/01/2019

ROSEVILLE, Calif.—An influencer, a hacker, a top legal mind and a “barrier breaker” … sounds like the start of a very interesting joke or riddle, doesn’t it?

Guiding IoT manufacturers to safer, more secure and private horizons

Wednesday, July 10, 2019

Featured in Time magazine’s “Top 10 Public-Service Announcements,” the popular one from the 1960s, 70s and 80s went something like this: “It’s 10pm … do you know where your children are?” Being the ripe age of 42, I vaguely remember the tail end of this campaign, where a celebrity or publicly known person — Joan Rivers, Jane Seymour, Darryl Strawberry, Paul Stanley, etc. — would appear on the TV screen at 10pm or 11pm, depending on location, and ask this almost sinister question of moms and dads waiting for their dose of the nightly news. During this time, several cities across the U.S. had adopted new curfew laws, and this was the late-night reminder to parents.

Since then, it’s been parodied several times: CNBC asks, “It’s 4 o’clock … do you know where your money is?” while Monster.com asks, “It’s 6 o’clock … do you know where your career is?” And, my personal favorite: “It’s 10am … do you know where your coffee is?” While these are fun and playful sayings and marketing tactics, there’s a lot of truth to be discovered by answering that simple, historical question that remains ingrained in society. So, I ask you, the IoT manufacturer, the security installer, the IoT user: “It’s 10pm … do you know what your IoT devices are doing?” If you can’t answer that question, you may have a security/privacy issue. 

In response to the security and privacy issues of IoT devices, and the lack of laws and governance covering these little electronic baubles, several organizations have published IoT “guidelines” to help developers design, manufacturers build, and consumers purchase and use more secure IoT products:

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

By: National Institute of Standards and Technology (NIST) 

This publication, targeted toward security engineering professionals, lays out principles and concepts and how they can be applied effectively to the creation of IoT devices and other security-related devices. It recognizes that no system can be engineered to be absolutely secure and trustworthy; the focus should instead be on “adequate security,” making sure the device addresses the user’s security concerns.

IoTSF Compliance Checklist

By: IoT Security Foundation (IoTSF)

With several free, downloadable publications related specifically to IoT security, the IoT Security Foundation is on a mission to “Build Secure, Buy Secure and Be Secure.” It offers a tool called the “IoTSF Compliance Checklist” that helps IoT manufacturers create devices in line with contemporary best practices. The checklist opens as an Excel document, with tabs that take the user through the entire compliance process: it starts with assessment steps; covers device hardware, software, operating systems and interfaces; and concludes with issues such as encryption, privacy, cloud and network elements, and device ownership transfer.

IoT Security Guidance

By: The Open Web Application Security Project (OWASP)

With the familiar look of a Wikipedia page, this guide speaks directly to IoT manufacturers, developers and consumers, offering both specific and general recommendations. It is laid out in an easy-to-read chart and bullet-point format. It addresses 10 key categories, such as insecure web interface, poor physical security, privacy concerns and insecure cloud interface; tells manufacturers, developers and consumers which security issues they should be aware of in each category; and offers recommendations to remedy those issues.

Future Proofing the Connected World

By: Cloud Security Alliance’s IoT Working Group

This PDF guide offers 13 steps to developing secure IoT products, but it also explains why IoT security is needed and addresses some of the common security challenges for IoT users. The 13-step process starts with establishing a secure development methodology and ends with performing internal and external security reviews.

IoT Security Guidelines and Assessment

By: GSMA

The goal of these guidelines and the accompanying assessment is to help create a secure IoT market with trusted, reliable and scalable services. The guidelines include 85 secure design, development and deployment recommendations, along with security challenges, attack models, risk assessments and examples. The assessment, based on a structured approach yet providing a flexible framework, addresses the diversity of the IoT market while covering the whole ecosystem.

CSA publishes State of Cloud Security report

Wednesday, April 25, 2018

The Cloud Security Alliance (CSA), an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud-computing environment, recently released its State of Cloud Security 2018.

The report, authored by the CSA Global Enterprise Advisory Board, examines such areas as the adoption of cloud and related technologies, what both enterprise and cloud providers are doing to ensure security requirements are met, how to best work with regulators, the evolving threat landscape, and the industry skills gap.

“The state of cloud security is a work in progress with an ever-increasing variety of challenges and potential solutions,” Vinay Patel, chair of the CSA Global Enterprise Advisory Board and managing director at Citigroup, said in the announcement of the report. “It is incumbent upon the cloud user community, therefore, to collaborate and speak with an amplified voice to ensure that their key security issues are heard and addressed. We hope this document will serve as a roadmap to developing best practices in the establishment of baseline security requirements needed to protect organizational data.”

Key takeaways from the report include:

•    Exploration of case studies and potential use cases for blockchain, application containers, microservices and other technologies will be important to keep pace with market adoption and the creation of secure industry best practices.
•    With the rapid introduction of new features, safe default configurations and ensuring the proper use of features by enterprises should be a goal for providers.
•    As adversaries collaborate quickly, the information security community needs to respond to attacks swiftly with collaborative threat intelligence exchanges that include both providers and enterprise end users.
•    A staged approach on migrating sensitive data and critical applications to the cloud is recommended.
•    When meeting regulatory compliance, it is important for enterprises to practice strong security fundamentals to demonstrate compliance rather than use compliance to drive security requirements.

Noting that “innovators and early adopters” have been using cloud for years for quicker deployment, greater scalability and cost savings, the report observed that the growth of cloud computing “continues to accelerate offering more solutions with added features and benefits, including security. In the age of information digitalization and innovation, enterprise users must keep pace with consumer demand and new technology solutions ensuring they can meet both baseline capabilities and security requirements.”

Interestingly, the report pointed out that increased adoption of cloud services has followed consumer confidence in the security of cloud providers, who continue to invest in the security of their platforms. CSA referred to a McAfee survey, Navigating a Cloudy Sky, which found that complete trust in public cloud offerings increased 76 percent in 2017.

As CSA noted in last year’s edition of this report, technology is outpacing the skill sets within companies and businesses that need to adopt it. “As organizations react to this demand to stay competitive, secure adoption of these technologies becomes an even greater challenge. With cloud and new IT technologies, the supply chain ecosystem needs to collaborate so that large enterprises and regulators can understand how to securely adopt new technologies and new features on existing provider technologies. Each party must play a role in securing customer data and sharing best practices for secure operations.”

Ultimately, education and awareness still need to improve around provider services and new technologies for the enterprise. “Small-scale adoption projects need to be shared so that security challenges and patterns can be adopted to scale with the business and across industry verticals. This skills gap, particularly around cloud and newer IT technologies, needs to be met by the industry through partnership and collaboration between all parties of the cyber ecosystem.”
