Posts

Compliance and the Cloud: Debunk the Myths

It is no secret that the benefits of the cloud are enormous. The cloud enables scaling, rapid deployment and provisioning, which means that users can enter new markets more quickly and integrate acquired companies more easily. And they can do all this while reducing waste and, more importantly, lowering costs.

But despite the growing number of businesses adopting the cloud worldwide, some companies are still reluctant to move their workloads there, largely because of the myths that surround the cloud and compliance in the cloud. It is worth pointing out that most of the compliance standards that govern IT management were not written with the cloud in mind: they are mostly concerned with protecting the integrity of particular data, not with locking down an entire virtual environment. So companies that want to adopt cloud services are easily confronted with questions about compliance in the cloud that nobody seems to answer. Here are the most common myths.

MYTH #1: Security is Security After all!

When talking about IT infrastructure, security is usually at the top of the list, and for good reason. But when it comes to a regulated environment, you soon find out that there is no such thing as being “good enough”. This is the reason why companies who look to adopt the cloud need to ensure that their data is properly protected. This also means making sure that your network is kept safe from malware and from the prying eyes of cyber criminals.

Apart from keeping your antivirus software up to date, a business also needs to address the security behaviour of the entire organization. That means knowing what information is being shared and how, who has access to data and how that data is protected from unauthorized access, and whether the network is segregated, for instance with VLAN tagging. VLAN tagging (IEEE 802.1Q) lets a managed switch carry several logically separate networks over the same ports and trunks, so that, say, servers, workstations and guest devices sit in distinct VLANs and cannot see each other's traffic. A VLAN by itself only separates broadcast domains, though: it becomes a real quarantine zone only when traffic between VLANs has to pass through a router or firewall that enforces a default-deny policy between them. When it comes to security, leave nothing to assumption. Here are some tips to make sure your data remains safe in the cloud.

  • Use a commercial firewall.
  • Use a managed switch which will be able to handle VLANs.
  • Invest in good anti-virus software.
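The following is an added example, not code from the original post or from ComputerSupport.com. It shows what the quarantine zones described above look like when a Linux box routes between the VLANs that a managed switch delivers on one 802.1Q trunk: the tagged sub-interfaces, an nftables policy that drops inter-VLAN traffic unless a path is explicitly allowed, and a guard that rejects any policy letting a non-management VLAN initiate connections into the management VLAN. The trunk name eth0, the VLAN IDs, roles and subnets, and the allow list are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from ComputerSupport.com.
# A Linux box acting as the router between 802.1Q VLANs on one trunk port
# of the managed switch, with an nftables policy that makes the VLANs real
# quarantine zones. Tagging alone only separates broadcast domains; without
# a default-deny policy at the routing boundary every VLAN can still reach
# every other. Interface name, VLAN IDs, roles and subnets are assumptions.

TRUNK="eth0"   # assumed trunk interface facing the managed switch

# Constructed sample plan, one VLAN per line: <id> <role> <subnet>
VLAN_PLAN='10 users 10.0.10.0/24
20 servers 10.0.20.0/24
30 guests 10.0.30.0/24
99 mgmt 10.0.99.0/24'

# Constructed allow list of inter-VLAN paths: <src-role> <dst-role> <tcp ports>
# Anything not listed here is dropped by the chain policy in intervlan_ruleset.
ALLOW='users servers 443,445
mgmt servers 22
mgmt users 3389'

# Map a role name to its tagged sub-interface, e.g. servers -> eth0.20
iface_for() {
  printf '%s\n' "$VLAN_PLAN" | awk -v r="$1" -v t="$TRUNK" '$2 == r { print t "." $1 }'
}

# Emit the iproute2 commands that create one tagged sub-interface per VLAN,
# with the router holding the .1 address of each subnet. They are emitted
# rather than executed so the script runs without root; pipe into sh to apply.
vlan_link_cmds() {
  printf '%s\n' "$VLAN_PLAN" | while read -r id role subnet; do
    gw=$(printf '%s' "$subnet" | sed 's#\.0/24$#.1/24#')
    echo "ip link add link $TRUNK name $TRUNK.$id type vlan id $id"
    echo "ip addr add $gw dev $TRUNK.$id"
    echo "ip link set $TRUNK.$id up"
  done
}

# Emit an nftables ruleset for the forward hook: drop by default, allow
# replies to established connections, and open only the listed paths.
# Load on the router with: intervlan_ruleset > seg.nft && nft -f seg.nft
intervlan_ruleset() {
  echo 'table inet segmentation {'
  echo '  chain forward {'
  echo '    type filter hook forward priority 0; policy drop;'
  echo '    ct state established,related accept'
  echo '    ct state invalid drop'
  printf '%s\n' "$ALLOW" | while read -r src dst ports; do
    echo "    iifname \"$(iface_for "$src")\" oifname \"$(iface_for "$dst")\" tcp dport { $ports } ct state new accept"
  done
  echo '  }'
  echo '}'
}

# Guard run before applying: no VLAN other than mgmt may initiate traffic
# into the management VLAN. Exit status 0 if the allow list honours that.
mgmt_is_isolated() {
  printf '%s\n' "$ALLOW" | awk 'BEGIN { bad = 0 } $2 == "mgmt" && $1 != "mgmt" { bad = 1 } END { exit bad }'
}
```

The commands are emitted rather than executed so the script can be read and tested without root. The property that matters is the `policy drop` on the forward chain: a VLAN that appears nowhere in ALLOW (guests here) cannot initiate anything into another VLAN, and if it also needs a path to the outside, that is one more explicit rule, never a default.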

MYTH #2: Get Compliant Capabilities with a Single Vendor

With the increasing interest in compliance in the cloud, many service providers are ready to offer a wide array of compliance-capable products. But the truth is that no single vendor can address the many requirements of the various regulatory mandates. In other words, there is no silver bullet when it comes to compliance in the cloud. So, rather than relying on a single vendor (or product), businesses should take a more holistic approach to their security strategy, one that starts from the regulatory requirements and maps each of them to a control, whoever provides it.

It is important to remember that the customer, not the cloud provider, carries the burden of compliance. A provider's certifications cover the parts of the service the provider operates; how you configure and use that service is still your responsibility. And while there may be grey areas in regulated services, businesses should not hinge their compliance status on a provider that claims to be 100% compliant. Here are a few tips to make sure you get the most out of compliant cloud services.

  • Develop a feasible plan that will help you address any gaps in compliance.
  • Work closely with providers and third-party vendors to understand the elements of an audit and to whom those audits are addressed.

No matter how large or small a business, the protection and integrity of its data is of utmost importance. Compliance failures in cloud services can lead to lost sales, fines and disrupted operations, which is why compliance is necessary to thrive in the cloud.

USPS Data Breach: Neither Snow nor Rain nor Heat nor Gloom of Night Keeps Intruders from Their Appointed Rounds

Employment with the US Postal Service was once considered the benchmark of job security. The same cannot be said of the security of their personal employee data.

According to USPS officials, a recent breach affects the entire staff of 800,000 postal workers. The data exposed includes “names, dates of birth, Social Security numbers, addresses, dates of employment and other information”. Fortunately, “other information” does not include credit card numbers, though as a precautionary measure, USPS employees will be given one free year of credit monitoring.

The only compromised customer data involves “customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014 and Aug. 16, 2014. This compromised data consists of names, addresses, telephone numbers, e-mail addresses and other information for customers who may have provided this information.” In a formal statement, the USPS asserts that “we do not believe that potentially affected customers need to take any action as a result of this incident”. USPS officials emphasize that no financial systems within USPS facilities or USPS affiliates were affected (such as USPS.com, Click-N-Ship, the Postal Store, PostalOne!, FedEx or UPS). Lastly, passport application data was not compromised.

Unlike other recent breaches involving retailers Home Depot and Target, the suspected instigators of the breach are the Chinese Government, who (along with the NSA) are notorious for their intrusion attempts on government information systems (they deny the accusation). James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies, states that “they’re just looking for big pots of data on government employees” as “a way of building their inventory on U.S. persons for counterintelligence and recruitment purposes”. He also notes that “China would be interested in amassing large sets of data that can be analyzed for previously unknown links or insights”. Lastly, Lewis notes that the Chinese Postal services, unlike the USPS, holds large amounts of data on its citizens, and that they may have incorrectly assumed the same of USPS and overestimated the nature and type of data available.

The USPS has come under fire for their reporting of the breach – particularly the fact that the breach occurred in August but was not reported until recently. House Oversight and Government Reform Committee Chairman Darrell Issa (R-CA) and House Oversight Committee Subcommittee on Postal Service Chairman Blake Farenthold (R-TX) are leading the charge. The committees released a joint statement using terse language: “…the Committee understands the Postal Service has known about this attack since September and presented this information to Congress several weeks ago, but did so as a classified matter. The Committee will be seeking information about why the Administration waited two months before making the news of this attack public and preventing victims from taking proactive measures to secure their own information. We have not been told why the agency no longer considers the information classified.”  In a letter addressed to Postmaster General Patrick Donahoe (himself a victim of the attack) ranking committee member Rep. Elijah E. Cummings (D-MD), went as far as to say that “The increasing number of cyber attacks in both the public and private sectors is unprecedented and poses a clear and present danger to our nation’s security.” In reply to the critics, the USPS states that “Communicating the breach immediately would have put the remediation actions in jeopardy and might have resulted in the Postal Service having to take its information systems offline again” (the latter statement refers to The Postal Service taking systems off-line on November 8-9 as part of their intrusion mitigation efforts).

Joining the USPS in the incident response are the Federal Bureau of Investigation, the Department of Justice, the USPS Office of Inspector General, the Postal Inspection Service and the U.S. Computer Emergency Readiness Team. The FBI, in its own statement, urged the public to “report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.” An FAQ (Frequently Asked Questions) document is available from the USPS at http://about.usps.com/news/fact-sheets/scenario/customerFAQs_Final.pdf

Dropbox Software Glitch: Lost Files May be Restored, What About Lost Confidence?

Mr. Murphy (of Murphy’s Law fame) has a way of seeing to it that data is lost when you need it most, and he is apparently undeterred by the Cloud Computing Revolution.

Still reeling from the iCloud breach, the cloud computing industry faces another PR hit: lost files due to a software glitch in the popular Dropbox application. The glitch is the latest in a series of incidents involving Dropbox, including an August 2012 security breach in which customer email addresses were taken from a document in a Dropbox employee’s account, and recent concerns about Dropbox’s approach to addressing security vulnerabilities and notifying users of breaches.

Kudos to Dropbox for their response to this latest incident: a prompt mea culpa, a succinct explanation of the problem and who is affected, a quick software patch, and a free upgrade to the Dropbox Pro product. According to a company post on Hacker News, the file loss occurs if you use the Selective Sync features and the application is shut down or restarted when a selective sync is in progress. Dropbox has patched the desktop client, retired older versions of the Dropbox client, and ensured that users have the patched version. Affected users may receive a free one year subscription to the Dropbox Pro product which offers basic collaboration features and 1 TB of storage (normal pricing is $9.99 a month or $99 a year).

Some users report years of lost data. One case in particular has gone viral; that of Jan Čurn, co-founder and CTO at photography software platform VirtualRig Studio. Čurn has used Dropbox since 2009 and reports losing 8,343 files stored over that five year period. While the whereabouts of Čurn’s files have yet to be determined, Dropbox has been able to restore some user files, contacted affected users, and provided listings of restored files. It remains to be seen how much data can be restored.

It is important to note that the software bug is not related to security or malicious hacking, and that it affected personal users, not business users. Cloud storage products for business use require flexible user and file permissions, current encryption standards, history logging and remote administrative features. An example is the Secure.Share product from ComputerSupport.com. Aimed at small to medium-sized businesses, it advertises 448-bit Blowfish encryption for stored data and SSL for data in transit (SSL secures the connection between client and server; it does not encrypt data at rest, so the two are separate mechanisms and a product needs both), and two-factor authentication can be enabled. “Military grade” is a marketing label rather than a standard, and a key length alone says nothing about how well the product is implemented. Accounts are managed from a single dashboard, and versioning and update-notification features similar to Microsoft SharePoint are available for document collaboration. Additional security and administrative features include file history sharing and remote data wiping.

Unfortunately for the affected Dropbox users, many used Dropbox as their sole document repository. The takeaway (painfully learned by the affected Dropbox users) is that personal cloud storage is not a substitute for regular backups. You’ve heard it before (and like me, have ignored it and paid the price): regularly back up critical data and ensure it is kept in two separate locations. This was true in the era of 5 ¼-inch floppy disks and is true today.

Evaluating Your IT Department? Take This Checklist!

The role of information systems professionals in the modern workplace is rapidly evolving as cloud solutions provide more affordable options. Businesses of all sizes are now evaluating their IT needs in order to determine whether they are operating as efficiently and effectively as possible.

IT expertise is more important than ever, since businesses rely on their applications and devices to conduct business each day. But automation has also made it possible to operate with minimal staff, which is good news for smaller businesses with limited budgets. As you work to evaluate your own IT department, here’s an all-inclusive checklist for your consideration.

Security and Network Support

The security of your data, applications, and websites is crucial to your success as a business. One data breach can cost your business thousands of dollars in fines and loss of customers, as well as damaging the reputation you’ve worked so hard to build. As you evaluate your IT department, take a careful look at your security as a top priority.

  • Anti-malware measures: are measures in place to make sure your servers and devices are safe from malware and hacking attempts?
  • Employee education: does your business actively work to educate employees on the importance of responsible online behavior and password management?
  • Disaster recovery: is a disaster recovery plan in place to protect your business?

Application Support and Security

If your employees access in-house applications in the course of conducting their work, those applications must also be protected and supported.

  • Password management: how are passwords issued and managed for your applications? Is help available immediately when an employee needs a password reset or a new one issued?
  • Training and support: is training available for new employees? If an employee has a problem using the application, is help available? Are employees satisfied with the level of support they’re receiving?
  • Upgrades and bug fixes: can employees report issues with the application? If so, how quickly are they resolved?

Desktop Support

Once the backbone of an organization’s IT department, desktop support has dwindled in recent years. Thanks to remote desktop software, support can be outsourced and conducted by phone or live chat. Is this support sufficient?

  • Problem resolution: if an employee experiences difficulty with a system, how is support provided? Are employees satisfied with the quality and turnaround time of this service?
  • On-site support: when new equipment must be set up or hardware problems are reported, is on-site support available? Are employees satisfied with the quality and turnaround time of this service?

This checklist can help you determine what changes you need to make in your IT department, if any. Whether you decide to maintain current staffing levels, to outsource, or to increase the quality or quantity of your IT staff, a checklist can help decide where you’ve been and where you should go next.

The Cloud is Ubiquitous – and so is its security

Of course you’re concerned …

The tabloids are abuzz with tales of hackers stealing salacious celebrity selfies stored on the Cloud, and of course the furor dies with next week’s issue of People Magazine.  The thought of Cloud based business data being compromised is a different matter, and you’re right to be concerned about ubiquitous computing resulting in ubiquitous hacking attempts. Fortunately, efforts to secure the cloud are maintaining the pace of the unprecedented growth of the cloud itself.

Now for the good news

The need to modify infrastructure to meet the alphabet soup of compliance regulations (SOX, GLB, HIPAA, FISMA) is already a reality for the vast majority of enterprises, and it consumes time and resources that are taken away from their core business. The good news is that a large part of security becomes one more IT function handled by your cloud service provider, which has more resources to devote to it than your business does. The learning curve that comes with designing, implementing and maintaining the security of the underlying infrastructure falls to the provider, which deals with it every day. What the provider cannot take off your hands is the security of what you put on that infrastructure: your accounts, access rights, configuration and data remain your responsibility.

The value of delegating this responsibility to the cloud service provider will only increase as regulation becomes more exacting in implementation and scope. According to a survey by the nonprofit Cloud Security Alliance, 73% of respondents call for a global consumer bill of rights on data privacy. Anyone who has modified their own infrastructure for data privacy knows the value of outsourcing the details of that effort!

Who’s setting the standards?

As cloud technology matures, so do best practices and standards. The Cloud Security Alliance promotes “the use of best practices for providing security assurance within Cloud Computing”. Its board of directors includes CXOs of Microsoft, Coca Cola, Sallie Mae and Zynga. The CSA’s Cloud Controls Matrix contains 269 controls covering every aspect of cloud security implementation, operation and maintenance, including data security, audit assurance, business continuity, and access, threat and vulnerability management. The document is available at https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/

What Questions should I ask of a Cloud Service Provider?

In short, your expectations for a Cloud Provider are the same as those you are expected to implement in the traditional IT space. The Financial Times of London recommends asking the following:

Where is the Physical location of the data?

Who has access to the data?

How is data encrypted and authenticated?

What policies are in place to handle security breaches?

What are your procedures for transferring service to another provider should that be necessary?

In Conclusion

The evidence of the benefits of cloud computing is overwhelming, and the marketplace has responded. According to iCorps Technologies, 2014 is the first year in which the majority of computing workloads take place in the cloud (51% versus 49% in the traditional IT space).

If you are working in the traditional IT space, you are already dealing with security issues and with the pain of a learning curve. As cloud computing becomes the rule rather than the exception, the infrastructure side of those issues will migrate to providers with resources and expertise beyond those of most organizations, leaving you to concentrate on the part that stays with you: who may access your data, and how your service is configured and used.

What Can You Learn from JP Morgan’s Data Breach

On the heels of the Home Depot data breach comes another case of customer data being compromised, this time from the largest bank in the United States. JPMorgan Chase reported that information from more than 76 million households and 7 million small businesses may have been compromised when hackers gained access to its systems on an administrative level.

Account holder names, addresses, phone numbers, and email addresses are thought to have been revealed, as well as internal notes about those account holders. JPMorgan Chase asserts that there is no evidence that information like account numbers, passwords, birth-dates, or social security numbers was leaked in the breach.

What This Means for Business

As TechTarget pointed out, in both the Target and JPMorgan Chase data breach, no full-time Chief Information Security Officer (CISO) was overseeing operations. In the wake of these breaches, businesses are beginning to realize the important role risk management and security play in business today. In the coming years, businesses will likely see the CISO role become a very important specialty in the field of technology, attracting higher salaries and the best talent in the field. For small businesses, these duties will be entrusted to the provider, who will staff the best and brightest to oversee cloud servers for a large number of clients.

How to Protect Yourself

Without social security numbers and birth dates, the stolen information is not enough in itself to enable identity theft, experts say. However, a JPMorgan spokesperson points out that consumers should always keep an eye on their accounts. The biggest problems may come from the compromised email addresses, which can be used to launch phishing attempts aimed at exactly the information that was not leaked: social security numbers and account passwords. Small businesses should remind users never to click links or open attachments from unknown parties. When they receive an email about an existing account, instead of clicking the link in that email, users should always go to the site on their own and update any information there.

Safeguarding your applications and systems is a top priority, since securing your own customers’ data is an important part of your long-term success. Ensuring that your employees keep their passwords secure by recognizing and avoiding phishing attempts is a vital first step. When working with a cloud provider, be sure to ask what role it takes in preventing hacking attempts and keeping your data safe.

Tired of Passwords? These Technologies Aim to Help!


With the average user dealing with at least 40 separate online accounts, it’s no wonder many Americans are feeling password fatigue. To try to make things less complicated, some users have chosen to use the same password and username for every account, but this can pose a security danger to both consumers and businesses. Another alternative is to make a list and keep it locked away somewhere, but there’s no guarantee that list won’t become compromised someday.

Technology is offering several solutions to the problem, aiming to let users keep dozens of distinct passwords without having to remember them, and so without the reuse that turns one breach into many. Here are a few current technologies that could make password management easier.

Smartphone via NFC

With 74 percent of consumers now owning a smartphone, these devices could provide the answer to the world’s password woes. Using Near Field Communication or SMS messaging, a device owner’s smartphone can communicate with a nearby PC using Google’s tap-to-unlock.

Smartphone via Token

With services like Ping Identity, users are authenticated through a one-time token that is sent to a device. A swipe of the finger unlocks the token and lets the user log into any service or system. The technology is targeted to the enterprise environment.

Biometrics

Using fingerprints or iris scans to authenticate users sounds very sci-fi, but the technology is already in use in some places. Fingerprint readers have taken off and already appear in mobile devices and laptops, while iris scanners are still slow to catch on. Neither technology is foolproof, but consumers love the ease of use of both.

Digital Tattoo

In the future, a tattoo could be something more than a way to show your personal taste. A digital tattoo is a sticker that lasts a limited number of days and communicates directly with your mobile device. Motorola’s Digital Tattoo costs $1 and lasts up to five days, but experts wonder if consumers will be willing to wear a sticker all day for the luxury of avoiding passwords.

Password Pill

With the password pill, you actually swallow an electronic device that can send signals through your skin. While the pill can make authentication effortless, it’s unlikely most consumers will be comfortable ingesting a device that communicates with their electronics.

Voice Printing

Through voice recognition, a user can simply speak a passcode and unlock a system. VoiceKeyID from Porticus is available for mobile devices and embedded platforms.

Brainwaves

Imagine being logged in by merely thinking your password. That is exactly what brainwave authentication aims to do. The technology was demonstrated at the University of California Berkeley School of Information, but the user has to wear a headset for it to work.

Major Software Bug Could Affect Your Business

Shellshock

A vulnerability discovered in Linux, other Unix-like systems and Apple’s OS X could put your business’s computers at risk. The bug is in a software component called Bash, the command-line shell that ships with most of these systems. Once exploited, the vulnerability lets an attacker run commands of their choosing on the affected system.

About Shellshock

Going by the name Shellshock, the bug (CVE-2014-6271) is in the way Bash handles environment variables: any variable whose value starts with “() {” is treated as a function definition, and an unpatched Bash also executes whatever commands follow the closing brace. Wherever a remote user can set an environment variable that reaches Bash, that user can run commands. Reports at the time stated that exploits were under development to take advantage of the open access to so many systems, and that they were being used to harvest user passwords and install DDoS bots.

Windows PCs are not on the list of affected devices (Windows does not ship Bash), but businesses should be concerned about their servers. A web server such as Apache does not contain Bash itself; the exposure comes from CGI scripts, to which the server passes request headers as environment variables. If such a script is written in Bash, or calls out to a system shell that is Bash, an attacker can put the exploit string in a header such as User-Agent. Other exposed paths include DHCP clients that run shell hooks and SSH accounts restricted with ForceCommand. In total, experts estimate that 500 million machines could be vulnerable to Shellshock.

What Can You Do?

A firewall protects only the services it blocks; anything it has to let through, such as a public web server, remains exposed, so do not count on it alone. Apple has assured its users that the vast majority are safe, since OS X systems are not exposed to remote exploitation of Bash by default. Users who have configured advanced UNIX services may be vulnerable, however, and Apple is working on a patch for those systems.

Experts are concerned that as users rush to patch affected systems, hackers will make the most of the short window of opportunity to wreak havoc on systems. The most vulnerable systems are likely those servers and applications that are running Bash without administrators being aware of it. For that reason, server administrators must take the extra effort to protect their servers.

Vendor Patches

The first thing a business can do is check with its vendors to see if a patch is available for their products. In the instances where data is stored with a third-party cloud service, businesses should be proactive in ensuring their data and devices are safe from attack. If you’d like to check to see if your computer is running Bash, this article should help.
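The check below is an added example, not code from the original post or from any vendor. It runs the probe that circulated at the time of disclosure: an environment variable shaped like a Bash function definition with a command after the closing brace, handed to a child bash. It also shows how the fix changed the way Bash exports functions, which is what closed the hole for attacker-controlled variables such as HTTP headers. It needs only sh, env and bash; the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post: a local Shellshock check.
# Unpatched Bash (CVE-2014-6271) treated any environment variable whose value
# began with "() {" as a function definition and, crucially, kept parsing and
# executing whatever followed the closing brace. The "echo vulnerable" below
# is that trailing payload; a fixed Bash never runs it.

# Prints "vulnerable", "patched" or "no-bash" (Bash not installed).
shellshock_check() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  # The variable name does not matter; the bug fired on the value's shape,
  # which is why an HTTP header such as User-Agent could carry it.
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
  case $out in
    *vulnerable*) echo vulnerable ;;
    *) echo patched ;;
  esac
}

# Shows how the fix changed function export. Fixed Bash only imports
# functions from variables named BASH_FUNC_<name>%% (BASH_FUNC_<name>() in
# some vendor builds), so an ordinary variable can no longer be mistaken for
# code. Prints that variable name, "none" if Bash exported nothing
# recognisable, or "no-bash".
exported_function_name() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  name=$(bash -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
         | sed -n 's/^\([^=]*\)=() {.*/\1/p' | head -n 1)
  [ -n "$name" ] && echo "$name" || echo none
}
```

On a server, run shellshock_check as the user the web server or CGI scripts run as, and remember that a CGI script does not have to be written in Bash to be exposed: on systems where /bin/sh is Bash, anything that calls system() or a shell from a CGI process is affected as well.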

As more information becomes available about Shellshock, businesses will be better equipped to deal with the issues. For small businesses, turning server operations over to an experienced cloud services provider can be a good way to ensure systems are patched promptly whenever vulnerabilities like Shellshock emerge. Because applications are often built by vendors, however, many businesses are left uncertain about what technology their systems are actually running when news about a vulnerability like this one breaks.

Should Your Business Accept Bitcoins?

You’ve probably heard of bitcoins.  But what are they, really?

There’s an old saying that everything is worth what its purchaser will pay.  Bitcoins are a great example of that.  They first started trading a few cents apiece.  As of May 23rd, 2013 they are trading at $126 to one bitcoin.

So the real question is: should your business accept them? In my personal opinion, I’m going to have to say no. Recently in the news, bitcoin exchanges have been shut down. Also, because of the volatile nature of bitcoins, you may end up worrying about the market rate rather than running your business.

On the other hand, most businesses that accept bitcoin see such transactions as a very small percentage of their total revenue. And the fact that bitcoins are a pseudonymous currency conjured from the ether (as most currencies are), with every transaction recorded on a public ledger but none tied to a name, attracts less than upstanding citizens.

Is Cloud Accounting Right For You?

Everything seems to be going up into the cloud.  Is accounting in the cloud for you?  Should your books be accessible from anywhere?  Here are a few things you should know before answering those questions.

So Who Owns What?

Unlike desktop software, cloud-based products tend to be subscription based. People still run old versions of QuickBooks and Word on Windows 95; that won’t be the case with cloud-based software. The advantage is that with cloud-based software like Office 365 you can pick and choose which features you want and pay only for those, whereas desktop software tends to come in one format or in a tiered system.

Where Is Your Data?

If you’re using cloud-based software, your data is stored off-site. It’s not on your local hard drive; it’s somewhere out there, in the cloud. So is it secure? Well, you are paying another company to store your data and give you access to it at all times, and that trust is the central question the cloud community has to deal with. But think about your ATM. You could keep all your money locally, in a shoe box under your bed, or you give it to your bank and they give you access to it via tellers, ATMs and so on.

Who Is It for?

In my opinion, cloud-based software is really for the medium-sized business. If you’re a tiny business and you can count your daily sales on one hand, then this isn’t for you; a simple double-entry ledger in an Excel spreadsheet would serve you better. If you’re a mega-corporation, you would build or hire your own accounting department and have an in-house system. However, the medium business that is always on the go and in flux will have use for a cloud-based accounting system. As your business grows and changes, the cloud is more apt to scale, and it’s going to be easier than making the tough choice to spend a lot of money on a software upgrade.