Thursday, October 20, 2011

Security Still an Issue in Cloud Development Projects

At a recent conference, IBM and Amazon executives debated one of the biggest issues around the cloud - the extent to which users can rely on security built into the services of the provider. Amazon made the point that users should recognize that they are moving into a platform with a lot of security already built into it. IBM countered with the point that you can't rely on that - that each user and each application contains its own needs and issues.

Both are right. There is some security there, but users need to go some steps further in order to make sure the security meets their needs. This might involve obtaining SSAE 16 reports (the old SAS 70), but should probably go further than that and include a thorough review of the security structure to make sure that it is adequate. That means involving the auditors in the development process - an old saw, but still a true one.

Here's a report on the debate at the conference.

Thursday, October 13, 2011

Security Professionals Face Serious Challenges

Recently, the International Information Systems Security Certification Consortium, Inc., (ISC)² sponsored a study carried out by Frost & Sullivan of more than 10,000 security professionals around the world.
Some of the key findings of this study can be summarized as:

  1. Application vulnerabilities represent the number one threat to organizations.
  2. Mobile devices were the second highest security concern for the organization, despite an overwhelming number of professionals having policies and tools in place to defend against mobile threats. 
  3. Professionals aren't ready for social media threats.
  4. A clear skills gap exists that jeopardizes professionals' ability to protect organizations in the near future. 
  5. Information security professionals weathered the economic recession very well.
  6. Cloud computing illustrates a serious gap between technology implementation and the skills necessary to provide security.
  7. Developing countries illustrated opportunities for growth with an experienced and more educated workforce.
  8. The information security workforce continues to show signs of strong growth. 

The study can be downloaded free of charge from this website.

Friday, October 7, 2011

Web Application Security: Business and Risk Considerations

ISACA has a White Paper on its website with the above title. The paper is an excellent resource for those interested in cloud risks and how to address them. That includes a lot of people!

One of the interesting parts of the paper is the table listing the various types of vulnerabilities encountered in the cloud. These include SQL Injection, Cross-site scripting and Insecure Direct Object Reference, among others. The paper goes on to list some areas of security to focus on, including some specific guidance on the old stand-bys of executive support, training and support.
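To make the three vulnerability types named above concrete, here is an added example (not code from the ISACA paper or from this blog) that puts a defective version of each beside its hardened form. The sample users and invoices are constructed in an in-memory SQLite database, and all function names are this example's own.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory sample database (not data from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total REAL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "O'Brien", "obrien@example.com")],
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(10, 1, 120.0), (11, 2, 99.5)],
    )
    return conn


# --- SQL Injection -----------------------------------------------------------

def find_user_vulnerable(conn, name):
    """Defective: the caller's input is spliced into the SQL text, so a quote in
    the input changes the query's structure instead of being treated as data."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened: a bound parameter is always data, whatever characters it holds."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Cross-site scripting -----------------------------------------------------

def greeting_vulnerable(name):
    """Defective: untrusted text is placed into HTML without encoding."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """Hardened: HTML-encode untrusted text before it reaches the page."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- Insecure Direct Object Reference ----------------------------------------

def get_invoice_vulnerable(conn, invoice_id):
    """Defective: the id from the request is trusted; any user can read any invoice."""
    return conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_safe(conn, current_user_id, invoice_id):
    """Hardened: the ownership check is part of the query, so a row that does
    not belong to the requesting user simply does not match."""
    return conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, "O'Brien"))   # the quote is handled as data
    print(greeting_safe("<script>"))       # tags arrive encoded, not executed
    print(get_invoice_safe(db, 1, 11))     # None: invoice 11 belongs to user 2
```

The three hardened versions share one design choice worth noting for an auditor: the control is placed where the untrusted value is consumed (the SQL driver, the HTML encoder, the ownership predicate in the query), not in a separate validation step that a later code path can forget to call.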

The paper concludes with assurance considerations, including the use of COBIT to strengthen controls.

An excellent paper. You can download it through this link.

Tuesday, October 4, 2011

Social Media's Growing Use for Cyber Crime

The FBI recently issued a report pointing to the growing use of social networks for criminal purposes. The report points to the traditional techniques of phishing and data mining of social media sites as continuing serious problems. The report also points to the use of false personas to attract honest site users and thereby gain access to information that could be sensitive. Examples are setting up phony Facebook accounts to attract military personnel and then extract information they might have or information about their location.

Of course, corporate information could be at risk in such scams, and it is important for companies to have tightly drawn policies on the use of social media by their employees. One of the difficulties in such policies is that a company cannot interfere in the personal life of its employees, yet they can be duped through their personal activities into revealing sensitive information. A clear demarcation between business and personal use of social media is nevertheless a critical element of a security policy.

For more on the FBI report, see this link.