Category Archives: Contributors

What Agency Can Benefit The Most From IoT/CPS?

What Agency Can Benefit The Most?

I was recently giving a talk to some students when one of them asked me a question I hadn’t heard before. She said, “How does the Internet of Things really impact the government? What agency benefits the most from IoT/CPS?” I paused for a moment; it is a great question and deserves a good answer.

My initial response was simple: “It vastly improves physical security and extends physical security much further away from buildings using drones and other remote sensors. You can now have a supportable security perimeter that is much larger than you could 5 or 6 years ago.”

It was the easy answer. I felt a little guilty for using it, but it was a tough question. But she wasn’t done: “I’ve heard that one before. I wonder what the impact of IoT will actually be on the government.”

I thought back to the articles I had written here on CloudTweaks: the modular drone concept of a few months ago, and the Pizza Drone concept. I could see an IRS tax collection drone following people around, its metallic voice blaring “you owe taxes, you owe taxes.”


The huge IoT impact point in the next couple of years will be in the world of data: the production, consumption and analysis of data produced by sensors. Many government agencies have already embraced Cyber Physical Systems (IoT) and continue to push further and further into the world of data production, movement and analysis.

I doubt the IRS tax collection drone is coming soon. But I can see canary drones. A canary drone has air sensors built in and can either follow a group of people or lead them. For people doing volcanic research, where poisonous gas can appear and poison you, a canary drone is a good safety system. We could paint them a bright yellow, just because of the name.

Safety and security wise, there are a number of drone features that will be leveraged by government agencies. But beyond that, beyond the sensors we know about today, what else is possible? Today I can take a number of accelerometers that I can access remotely and use them for ground movement verification. Want to see if somebody set off a nuclear bomb? Have access to all the accelerometers near the site of the test explosion. They will inform you quickly of any significant shaking.

I continued thinking about this. I discarded the espionage opportunities because that isn’t fun and has been beaten to death by television anyway. What else could CPS/IoT devices do for government? The Government’s job is to deliver services to citizens. What IoT/CPS devices actually deliver direct citizen services?


That got me thinking about the expanding world of healthcare devices that are out there. Final answer: government agencies can use IoT/CPS devices to capture more information than they are able to today, and by capturing (storing and analyzing) that data they will be able to improve the quality of the citizen services they deliver.

It’s a good, and true, answer. The healthcare information alone will provide massive new insight into how humans react to illness, what happens when a sick co-worker decides to come to work anyway, and the other components of the Internet of Illness. Using remote IoT/CPS health sensors will also provide the CDC, NIH and other government agencies with a massive amount of information as to how specific diseases actually move as they spread.

Many agencies created an internet for the many sensors they deployed long before there was an actual internet. The United States Geological Survey has had an internet of things for many years, long before people even realized you could, let alone should, connect remote sensors to central systems. Packet radio networks and satellite connections were the quick way to get data to the central processing system. As things get faster, they can deploy more sensors and get an even larger snapshot of geologic events.

The questioner looked at me for a second and smiled. I had answered her question. Which government agency will benefit from IoT/CPS? All of them!

By Scott Andersen

Did The FBI Make A Mistake In Publicly Fighting Apple?

Dropping The Gloves: The FBI vs Apple

Unless you live in a completely disconnected bubble, you’ve heard all about the recent battle between Apple and the FBI. You’ve heard the arguments from different sides — you’ve probably even debated on one side or the other. Some argued that Apple was right because nothing should come above privacy, while others maintained that some things outweigh the privacy expectations, and that saying the FBI wanted a backdoor is a stretch. Finally, there were some who believed the FBI was more interested in setting a legal precedent than in actually having Apple build the software.

The question that’s debated less frequently is whether the FBI made a mistake in fighting Apple publicly and then just as publicly announcing its triumph — that is, finding a hack without Apple’s help. It’s a question that goes deeper than simply personal privacy vs. national security.

Privacy and Encryption

To recap, the FBI needed to unlock the iPhone of one of the two shooters who left 14 people dead and 22 injured last December in San Bernardino. Because the phone was encrypted, after 10 failed passcode attempts the data would self-erase. According to Apple, the FBI’s request — which ended up in court — was to “make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation.” The request for this backdoor, Apple argued, would create software — which doesn’t currently exist — that could fall into the wrong hands and allow anyone with physical access to unlock any iPhone.

Apple began encrypting iPhones when it introduced iOS 8 in 2014. In a nutshell, it works like this: The iPhone encrypts the data by scrambling it so it can’t be read without a 256-bit “key.” The key, a unique identifier for each specific device, is “burnt” into the silicon, can’t be bypassed and is not logged anywhere outside of the application processor.
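To make the two protections described above concrete, here is an added teaching model (not Apple’s implementation, and not code from the original article) of a passcode entangled with a device-unique key and a counter that destroys the wrapped data key after 10 failures. The class name, the XOR wrapping, the PBKDF2 parameters and the verifier construction are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

WIPE_AFTER = 10          # failed passcode attempts before the data key is destroyed
KDF_ITERATIONS = 50_000  # slows each guess; on the real device this work happens on-chip


class DeviceKeyModel:
    """Simplified model of a passcode entangled with a per-device secret.

    Assumptions (teaching model, not Apple's design): a 256-bit UID that never
    leaves the processor, a data key wrapped under a passcode-derived key, and a
    counter that destroys the wrapped key after WIPE_AFTER failures.
    """

    def __init__(self, passcode: str, uid: Optional[bytes] = None) -> None:
        self.uid = uid or secrets.token_bytes(32)  # stands in for the key burnt into silicon
        self.failed_attempts = 0
        self.wiped = False
        data_key = secrets.token_bytes(32)          # the key that actually protects user data
        passcode_key = self._derive(passcode)
        # Wrap the data key under the passcode key. A one-time XOR is enough here
        # because passcode_key is as long as data_key and is used for nothing else.
        self.wrapped_data_key: Optional[bytes] = bytes(
            a ^ b for a, b in zip(data_key, passcode_key)
        )
        # The verifier lets the device recognise the right passcode without storing it.
        self.verifier = hmac.new(passcode_key, b"passcode-verifier", hashlib.sha256).digest()

    def _derive(self, passcode: str) -> bytes:
        # Salting with the UID ties the derivation to this chip: a copy of the
        # encrypted storage alone cannot be attacked offline on other hardware.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.uid, KDF_ITERATIONS)

    def unlock(self, passcode: str) -> Optional[bytes]:
        """Return the data key on success, None on failure; wipes after WIPE_AFTER failures."""
        if self.wiped:
            return None
        passcode_key = self._derive(passcode)
        candidate = hmac.new(passcode_key, b"passcode-verifier", hashlib.sha256).digest()
        if hmac.compare_digest(candidate, self.verifier):
            self.failed_attempts = 0
            return bytes(a ^ b for a, b in zip(self.wrapped_data_key, passcode_key))
        self.failed_attempts += 1
        if self.failed_attempts >= WIPE_AFTER:
            self._wipe()
        return None

    def _wipe(self) -> None:
        # Destroying the wrapped key makes the stored ciphertext permanently
        # unreadable, which is what "the data would self-erase" means in practice.
        self.wrapped_data_key = None
        self.wiped = True
```

The model shows why the two features reinforce each other: the UID forces every guess through the chip, and the counter bounds how many guesses the chip will ever check.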

Cybersecurity professionals have been advocating for encryption of data at rest as well as in transit as a way of protecting personally identifiable information, and not just on devices. With encryption, data stolen by cybercriminals in a breach would be useless, since a key would be required to read it. The U.S. government, at the same time, has been growing concerned because encryption hinders the access of law enforcement agents just as much as it does that of criminals. Even worse, from the point of view of agencies like the FBI, it gives criminals and terrorists a leg up because they can “go dark.”


Although in the most-recent case the FBI said the iPhone would be a one-time hack, Apple and other privacy advocates argued this would set a precedent not only for the U.S. government but also for foreign ones, including those in oppressive countries like China.

The encryption discussion is not unique to the United States. China passed a law last year requiring tech companies to hand over encryption keys for government requests of information. The United Kingdom proposed a bill last year that would have required intercept capabilities for encrypted communications. On the other side of the spectrum, Germany has been promoting encryption, even offering all its citizens a free email service that encrypts messages.

Apple vs. the FBI

Apple’s refusal to comply with the FBI’s request led the Justice Department to request a U.S. District Court order forcing the company to comply. In the weeks preceding a scheduled hearing, the matter played out in the court of public opinion. The dispute became increasingly public as Apple revealed how it had offered the agency other solutions for obtaining the phone’s data, while the FBI insisted it was not trying to set a precedent for other cases.


There was no shortage of reaction from the media, other major tech players, advocacy groups, lawmakers and former intelligence officials. There was also plenty of speculation — including on Apple’s part — as to whether the National Security Agency already had the capability to break into an iPhone, considering its advanced surveillance capabilities.

And if the NSA could do it, why wouldn’t the FBI request its assistance, Apple asked. But according to Reuters, not all federal agencies support the FBI’s side. A Reuters report said that there was no consensus within the government itself, and that some NSA and Department of Homeland Security officials took Apple’s side.

Despite the FBI’s insistence that only Apple could offer a solution, the agency recently revealed it is working with one of the many outside parties that had offered to help unlock the phone, and the court hearing was postponed.

FBI’s Tactical Mistake

Despite the FBI’s insistence that it wasn’t asking for a precedent and the case was all about a specific phone, it’s clear that there’s much more going on. In fact, according to Apple, the agency has made similar requests on several other occasions. The San Bernardino case is only different because it’s much tougher to argue against fighting terrorism — but compliance with the request would, without a doubt, open the floodgates for future court orders.

The FBI, after all, has been trying to make its case against encryption for a while. FBI Director James Comey stopped short of telling Congress that a backdoor should be required of tech companies but did suggest a “front door” approach (which, like the proposed UK law, would mandate “intercept solutions”). And, as documents leaked by Edward Snowden revealed, the FBI deliberately influenced weaker cryptography standards recommended by the National Institute of Standards and Technology that are used by both the private and public sectors.

The security community has been divided in this fight, but it’s fair to say that the FBI overplayed its hand by trying to force Apple — especially publicly — to compromise its own products, and by betting on its “fight against terrorism” card. The agency could have just as easily and quietly requested the assistance of other third parties without dragging Apple through the mud. Not to mention that if it believes so strongly that this fight is justified, it should instead use the U.S. Congress to advocate for new laws.

And now that the whole world knows what only some may have suspected — that the iPhone is not the fortress Apple’s marketing makes it out to be — who really loses in the end?

Consumers may lose in the short run, considering that the method will likely be leaked by the vendor and the FBI would also have to share it with local law enforcement agencies. At the same time cyberattackers, including nation-state sponsored ones, will be very interested in getting their hands on the vulnerability that allowed the FBI to get in, and they’re very crafty when it comes to getting what they want.

Apple may not be in the losing corner for long, however, even if its PR takes a hit. It will, instead, emerge as a winner because it will be able to figure out the flaw and patch it. The FBI’s victory in the end will be short-lived, since not only will Apple fix the backdoor but it will also look for new ways to make its devices even more secure. So in the long run, consumers win too, because all this fist-fighting will result in more secure software.

Hopefully one thing that sticks in everyone’s minds, when the dust settles, is why building a backdoor into any security product is not a good idea. Even with robust security that’s built into a product such as the one built by Microsoft, a backdoor would negate all the efforts to create better security in the first place.

The FBI is certainly not the first federal agency attempting to use a good story to make a case for giving up individual privacy in exchange for perceived security. But this is a reminder that the tradeoff will always be up for debate. One thing is clear though: in breaking into the iPhone that was touted as impenetrable, the FBI has sent a strong signal to tech companies and their reverence for encryption. So the lingering question remains: was this battle, after all, about nothing but principles, from either side?

By Sekhar Sarukkai

How the Internet of Things will change your life

Internet of Things Day

This Saturday, 9th April, is global Internet of Things Day: a day when people around the world come together at events to talk about and debate the future and what the Internet of Things means for us all.

What does the future hold for us? Well here are just a couple of areas that we can see changing in the coming years.

Medical / healthcare

There have already been some huge leaps forward in recent years in the field of medtech, with this invention from Google making some of the bigger headlines last year. But much more is possible. Even just looking at today’s technology, we can see a number of things developing, such as:

  • Smart pill bottles – these bottles monitor your pill usage, not only making sure that you’re taking the right doses but also letting your Doctor know when you may need more.
  • Smart pills – not just the bottle, but the pills themselves can become smart, providing your Doctor with better insights into your health and the effect their treatments are having.

Transport

Like in the medical industry, we’re already seeing glimpses of what’s possible when it comes to the Internet of Things and transport. A few developments we could see include:

  • Self-driving and parking cars – Tesla are pushing this a lot at the moment but lots of companies see the potential here.
  • Parking apps – there are plenty of apps out there that are gathering data on local car park facilities and using this to tell drivers where a free spot is available. It’s not that unthinkable to connect this data directly to a car with self-parking ability and potentially for that car to find a space and park itself without any input from the driver.

It goes beyond cars, too: cycles are getting the Internet of Things treatment as well!

There is a huge amount of information out there and the team at RS Components have put together a simple visualisation showing what the Internet of Things is and importantly, what it could mean for our future. You can take a closer look at the visual below.


By Heidi Walker

Automation of Access Management Means a Happier IT Staff

Automation of Access Management

One of the tasks that your IT department probably really dislikes is managing the in-house and cloud user accounts and passwords for all of the employees in the company. Though this is usually an easy task, it is extremely mundane and time consuming, especially for a company that has frequent movement of employees. For a highly technical employee with a great deal of knowledge, handling account management is a waste of a resource for the company. These employees should spend their time focusing on more technical issues and complex projects for your organization.


So how can you get your IT department not to mind when they are asked to perform tasks related to a user’s account or password? Many solutions on the market can assist with this process and allow the IT department to focus more of their time on technical issues and projects. The following are a few ways to, if not love user management, then at least like it a bit more.

Allow for account creation and overall management from one single place

Probably one of the most frustrating parts of account management is setting up a new account for an employee in each and every in-house and cloud application. The admin needs to access each application, enter the employee information and set their access rights. Chances are that the new employee will need numerous accounts to start their job, and will be left waiting for a few days for the correct access.

An identity and access management (IAM) solution allows this process to be completely automated. With automation, an individual only needs to enter the employee information in the HR system, check off which applications should be created for them and, voila, new accounts. These solutions work seamlessly for both in-house and cloud applications, so any type of application or system your company uses can be easily integrated.

No more headaches from time sensitive requests

The other frequent request is for additional access, accounts or resources created for an employee. An employee often needs to contact a manager or admin if they need access to an application or to make a change to their account. If this request is time sensitive, the employee may continually contact the manager to check up on the progress and see if the change is being implemented. Now imagine these emails coming in from more than one employee saying they need a change as soon as possible.

This process can also be automated and streamlined. Workflow management in an IAM solution allows a workflow to be set up for all of these requests. As an example, an employee needs access to a certain application for a project they are working on. They simply make the request in the employee portal and it is routed to the correct person. That person can either accept or deny the request. If accepted, the change is automatically made and the employee has immediate access. This eliminates the need for anyone to contact the IT department or an account admin to request the change. Workflow works seamlessly with in-house and cloud applications, so changes can be easily made to both.

Then, if an employee wants to check on their request, they can view the progress in their portal instead of contacting the admin directly. So, admins no longer need to be repeatedly contacted to ask if the change has been made.
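As an added illustration of the two processes described above (HR-driven account creation, and the request-route-approve workflow with a self-service status view), here is a small Python model. It is example code written for this page, not any vendor’s IAM product; the role-to-application map, the approver assignments and the user names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample policy data (assumptions for this example, not a real IAM product):
# which applications a role gets on day one, and who approves extra access per app.
ROLE_APPS: Dict[str, List[str]] = {
    "accountant": ["hr_portal", "erp", "expense_saas"],
    "engineer": ["hr_portal", "git", "ci"],
}
APP_OWNERS: Dict[str, str] = {
    "hr_portal": "hr.admin", "erp": "erp.owner", "expense_saas": "finance.owner",
    "git": "git.owner", "ci": "git.owner",
}


@dataclass
class AccessRequest:
    request_id: int
    user: str
    app: str
    approver: str
    status: str = "pending"   # pending -> approved | denied


class IAMWorkflow:
    """Joiner provisioning from an HR record plus an approval workflow for extra access."""

    def __init__(self, role_apps: Dict[str, List[str]], app_owners: Dict[str, str]) -> None:
        self.role_apps = role_apps
        self.app_owners = app_owners
        self.accounts: Dict[str, Set[str]] = {}     # user -> applications with an account
        self.requests: Dict[int, AccessRequest] = {}
        self.audit: List[dict] = []                  # every change is recorded for review
        self._next_id = 1

    def _log(self, action: str, actor: str, **details) -> None:
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "action": action, "actor": actor, **details})

    def provision_joiner(self, hr_record: dict) -> List[str]:
        """Create the role's day-one accounts from the HR record; no per-app admin work."""
        user, role = hr_record["login"], hr_record["role"]
        if role not in self.role_apps:
            raise ValueError(f"no application profile for role {role!r}")
        self.accounts[user] = set(self.role_apps[role])
        self._log("provision", "hr_sync", user=user, apps=sorted(self.accounts[user]))
        return sorted(self.accounts[user])

    def request_access(self, user: str, app: str) -> AccessRequest:
        """Employee files a request in the portal; it is routed to the app owner."""
        if user not in self.accounts:
            raise KeyError(f"unknown user {user!r}")
        if app not in self.app_owners:
            raise KeyError(f"unknown application {app!r}")
        req = AccessRequest(self._next_id, user, app, self.app_owners[app])
        self.requests[req.request_id] = req
        self._next_id += 1
        self._log("request", user, request_id=req.request_id, app=app, routed_to=req.approver)
        return req

    def decide(self, request_id: int, actor: str, approve: bool) -> str:
        """Only the routed approver may decide; approval grants access immediately."""
        req = self.requests[request_id]
        if actor != req.approver:
            raise PermissionError(f"{actor} is not the approver for request {request_id}")
        if req.status != "pending":
            raise ValueError(f"request {request_id} already {req.status}")
        req.status = "approved" if approve else "denied"
        if approve:
            self.accounts[req.user].add(req.app)
        self._log("decision", actor, request_id=request_id, status=req.status)
        return req.status

    def my_requests(self, user: str) -> List[AccessRequest]:
        """What the employee sees in the portal instead of emailing the admin."""
        return [r for r in self.requests.values() if r.user == user]

    def deprovision_leaver(self, user: str) -> List[str]:
        """Remove every account when HR marks the employee as departed."""
        removed = sorted(self.accounts.pop(user, set()))
        self._log("deprovision", "hr_sync", user=user, apps=removed)
        return removed
```

The leaver step is included because the same HR-driven automation that creates accounts is what makes sure they are removed when someone moves on.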

Frequent calls for the same issue

What about all of the password issues that the IT department is usually asked to help with? Many IAM solutions also work seamlessly with password management so that these issues can also be drastically reduced. Employees often call in to have their password reset for one or more of their applications when they forget them or are locked out of their accounts. This, like the account change request, is very simple to fix, but becomes time consuming when many employees are requesting fixes for the same issue.


The most popular fix to these issues is to implement password management solutions. Solutions such as a self-service password reset software have been adapted to be helpful to those using cloud or in house applications. This type of solution allows end users to reset their own passwords without having to contact the help desk. Employees can reset their passwords at any time, from any location — even from their mobile devices such as smartphones and tablets.

With all of the accounts that employees need to access every day, they may find it difficult to remember several sets of complex passwords. Single sign-on solutions have also been adapted to work in conjunction with cloud applications. SSO allows users to log in once with a single set of credentials and thereafter gain access to all other applications they are authorized for, easily resolving the issue of needing to remember multiple passwords.

These solutions allow the IT department to focus on actual technical issues within the organization so that they don’t keep getting asked to perform mundane easy tasks that might be taking up a large percentage of their time. With IAM solutions these tasks can be easily automated making the process better for everyone involved, and resulting in a happy IT department.

By Dean Wiech

SaaS Freemium Models and the Hidden Cost of Free

SaaS Freemium Models

We’ve all been lured into sexy “try before you buy” freemium models that provide just the right amount of functionality to get you started. Yet, it’s not quite enough to complete the job. “Getting the job done” often requires stepping up to a paid or premium version that provides more functionality, capabilities and rewards.

As much as we’d like to believe to the contrary, the old adage is time tested. “There is no free lunch.”

“Free” more often than not implies a trade-off. The trick is to balance these trade-offs to ensure that your purchase delivers a net positive for your business. Anything less, and “free” becomes a misnomer.

For the consumer, this model makes sense for apps that aren’t mission critical. You can preview and buy. If the full version doesn’t meet your needs then you shut it down and move to another application that works better. Switching costs are low. No harm. No foul. No one (but you) is the wiser.

Lately, and somewhat surprisingly, “free” or close to it, has also been applied to larger ticket items – like enterprise software solutions – that have far-reaching and deeper functional capabilities than the latest gee-whiz game or social application. To entice you, some vendors are offering a “free” one-year license or subscription. In these cases, buyer beware of a wolf dressed up in sheep’s clothing.

Do Your Diligence

Before committing to a “free” solution, it’s worth conducting some due diligence.

Here are some questions that every buyer should ask:

  • When free isn’t free: What are the additional costs involved? What are the implementation hours, integration costs, migration costs, operational costs, and opportunity costs? In a typical enterprise project, the license or SaaS subscription cost is only a portion of the overall expense. There is implementation and integration, training and roll out. More importantly, there is opportunity cost. Will your business run better with this solution or with another that is not “free”? Finally, which solution maximizes your time to market and the competitive edge you are attempting to gain?
  • There’s more than meets the eye: Ask about hidden costs like professional services charges, forced requirements that require your business to conform to basic capabilities, lock-in, and switching costs. And, will the product still meet your needs after the initial “free” term has expired? Will you have more options and greater flexibility with another solution?
  • A look behind the strategy: When companies are selling a “free” or “free-for-a-year” solution they are planning to do one of four things:
  1. Use the “free” portion as a loss leader, banking on your long-term success for increased contract values and back-end revenue.
  2. Working to gain market momentum with a flurry of new logos and win announcements.
  3. Lock you into their solution because the implicit and/or explicit change cost makes switching a hassle or worse.
  4. Compete on things other than the solution’s benefits, quality, and value. What do these strategies say about their business and their long-term business goals? And, where does each strategy leave you?
  • “Free” isn’t a guarantee of happy-ever-after: Purchasing an enterprise solution is like getting married. You want a partner who will be with you for the long term, who will support you, enable you, and grow with you as your needs change. Be careful that your “free” solution isn’t a one-night stand that leaves a six-Tylenol hangover. Enterprise solutions need to work over the long term. You are investing not only in software, but in a company that needs to perform over the long haul. Make sure the company is someone you want to partner with and that the “free” product is worth the long-term investment. As Neil Sedaka reminds us, “Breaking up is hard to do.”

Free is rarely free. A “free-for-now” solution might look appealing but initial attractions can run thin after repeated attempts to fix problem areas.
The rule in painting (gardening, remodeling, and countless other DIY projects) can also be applied here: It’s 90% preparation and 10% application. Do your homework upfront. In the end, it might just save you from a costly change order.

By Tom Dibble

Even Companies With A “Cloud First” Strategy Have Lingering Security Concerns

Lingering Security Concerns

Considering the cost and time-to-market advantages of SaaS applications in particular, it’s no surprise that companies are looking to the cloud to meet their business objectives. But what happens when a ‘cloud first’ company must also put security and compliance first?

In a recent survey report from Bitglass, a cloud access security broker (CASB), CIOs and other IT leaders shared their views on cloud computing and information security. More than half (55%) say their organization has adopted a “public cloud first” strategy in 2016. That is, when they are considering the use of new applications for managing their data, they will first see what’s available in the public cloud.

While interest in SaaS applications is high, organizations looking at this option still have some security concerns. Respondents to the survey listed the following as their biggest cloud security challenges for 2016:

  • Controlling downloads of company data/information (36%)
  • Evaluating cloud security providers’ security controls (24%)
  • External sharing of company data/information (21%)

Many companies fear they will lose end-to-end control over their data records and informational documents once they go into a cloud application. IT leaders need to ask their SaaS (or CASB) providers some serious questions about what security measures can and will be applied as information goes into and out of the cloud application, as well as when it sits at rest in storage.

CIOs are disinclined to use cloud applications that offer minimal security. This is the very reason why the CASB market was born and has grown so quickly. CASB vendors provide organizations with a gateway application through which data flows on its way to/from SaaS applications in order to apply security mechanisms such as encryption or data loss prevention (DLP).

Security First, SaaS Second

Many SaaS applications have been built around rich features and functionality—but not on the premise of securing information throughout its lifecycle. Thus there are legitimate concerns about information being inappropriately downloaded to personal or mobile devices, put on an inherently insecure file share, attached to an email going outside the company, or accessed by an administrator for the cloud service provider. If there is even a hint of a possibility that one of these things may happen, the cloud solution may be ruled out by the CIO or CISO of an organization for lack of proper controls.


Many organizations are looking for a secure means to enable work collaboration and the sharing of highly sensitive documents both internally and externally with select business partners. There is no margin for error concerning the protection of their documents, but fears can be diminished by adopting the following:

  • Cloud providers must operate with the philosophy that security is the core and the file sharing and collaboration features are architected into it. Providers should also provide multiple levels of encryption and allow customers to own the keys if they desire it. By providing granular security on a file-by-file basis, security can also be embedded into each file for its entire lifecycle. Moreover, businesses’ solutions don’t need “bolted on” security mechanisms from third-party providers like CASB vendors. Customers’ trust is sacrosanct, and should not be handed off to partners.
  • Cloud providers must allow their audit team to take an in-depth look at data center security practices, not just on paper. Teams should do an annual on-site visit to determine if a company’s security, privacy and data sovereignty controls and practices match their own. Once a company receives a final report after each assessment, customers’ concerns can then be addressed and security postures continuously built stronger.

To the IT leaders who want to be “cloud first” but still have security concerns about public cloud applications, and who worry about controlling downloads and external sharing, I recommend evaluating your SaaS provider’s controls. Get in touch with a secure collaboration and file-sharing provider. They’ll help you implement your “cloud first” strategy for business collaboration in a safe and secure manner.

By Daren Glenister

Four FinTech Trends To Look Out For

FinTech Trends

The fintech industry witnessed an enormous growth in 2015. Around $7.6 billion were invested in fintech companies last year, a substantial increase from the $4.7 billion in 2014. There is no doubt that this momentum will continue this year. The growth of capital being invested in fintech companies illustrates how technology and the web are changing the very nature of financial services and how money is being handled.

Below are four fintech trends to be on the lookout for:

Trend 1: The Impact of Millennials

Millennials, those born between 1980 and 2000, are the largest generation in American history and are shaping the fintech industry as we know it. According to the Millennial Disruption Index, 68% of respondents say they see the way one accesses their money changing in the next five years, while nearly half are counting on tech start-ups to overhaul the way banks work. They believe that innovation in banking will not come from within, but from outside. Millennials are looking towards fintech start-ups to disrupt the banking industry.

These companies are sitting up and taking notice. Many of these fintech startups emerging on the scene are relying on millennials for their success and are leveraging technologies popular among young adults, such as mobile apps and social media. Since 2010, startups in the digital banking sector have attracted more than $10 billion. Many of these hottest fintech startups geared towards this demographic are mobile-app only – to include Acorn (an investment platform), Robinhood (analyzes stock information), and Earnest (offers merit-based loans). There is no question that it is an exciting time to be a financial start-up.

Trend 2: The Role of Digital Transformation

Digital transformation goes well beyond providing simple technological solutions; it requires a deep understanding and analysis of an organization’s culture and business model. More importantly, going digital requires customer-first thinking. Banks are facing a new reality where ever-changing consumer preferences and rapidly evolving financial technologies are dictating how business should be conducted. If properly implemented, digitization is one way for banks to remain relevant in an increasingly competitive and fast-changing industry.

According to a study on digitization by A.T. Kearney, there are three areas that separate digital banking leaders from the rest of the pack: they understand the importance of mobile in a digital strategy, they are developing models that are more agile, and they have handled the need for internal cultural shifts. A number of fintech players are paving the way when it comes to digital banking. Instead of focusing solely on financial services and products, these companies are offering enhanced user experiences by leveraging technology and design.

Trend 3: InsureTech

There has been a massive outpouring of innovation and investment spread throughout the financial sector – from mobile banking to business lending. However, there is one glaring area ripe for innovation and that’s insurance. The insurance industry, one of the largest in terms of revenue, is a bit tricky to break into as it is heavily regulated. Nonetheless, it presents a huge opportunity for financial disruption.


There have been a few players that have attempted to take a crack at the insurance market, such as Lemonade, Oscar, and Metromile. Lemonade wants to offer insurance via a peer-to-peer platform, effectively acting as a middleman. Oscar aims to revolutionize health insurance and improve the customer experience through technology, data, and design. Metromile, on the other hand, sells pay-per-mile car insurance. These organizations offer an accessible user interface as well as consumer-friendly business models.

In essence, blockchain is a public record of every bitcoin transaction that has ever happened and it is believed that blockchain technology will significantly alter the financial services infrastructure. Earlier this year, NASDAQ claimed it documented a private security transaction that was successful via its ledger platform Linq. This apparently was the first real use case of blockchain technology.

Last year was considered the year of the blockchain app; this year will usher in further innovation and rapidly evolving technology. One company that is capitalizing on the growing interest in blockchain technology is San Francisco-based Blockstack.io. Their platform offers four functions: 1) asset insurance to represent real-world assets; 2) a private ledger that is optimized for high transaction volume; 3) transaction management allowing users to describe transaction flows between parties; and 4) multi-signature wallet security. Blockstack.io is just one in a new wave of blockchain-first tech firms looking to partner with various financial institutions to utilize blockchain technology.

By Joya Scarlata

Joya is a senior analyst at InterraIT, a San Jose-based technology solutions and services company, working in the areas of market research and marketing. She loves tracking current technology and marketing trends.

You can follow her on Twitter at @jetsetterjoya.

Insider Threats and Sensitive Data in the Cloud

The Age of Sensitive Data in the Cloud

A recent survey report conducted by the Cloud Security Alliance (CSA) revealed that cloud security had reached a tipping point: 64.9% of respondents (which included IT security professionals from enterprises across all industries and regions) believed that the cloud was as secure as or more secure than their on-premises software. This is a watershed moment, given that the single most influential factor holding back cloud adoption has been the security concerns surrounding data stored in the cloud. However, in our latest Cloud Adoption & Risk Report, we found an alarming number of sensitive files that employees were storing in the cloud. This speaks both to the growing trust in the security capabilities of cloud service providers and to potentially careless employees storing inappropriate data in the cloud.

According to a recent Gartner report, “through 2020, 95% of cloud security failures will be the customer’s fault.” The statistics regarding sensitive data stored in the cloud back up this assessment. Across industries, companies have a responsibility to protect sensitive data from being hacked or accidentally exposed. However, in analyzing cloud usage, we discovered that 15.8% of all documents uploaded to cloud-based file sharing applications contained sensitive information.

58.4% of the sensitive files were MS Office file types, 18.8% were Adobe PDFs, and the remaining 22.8% were a mixture of file types ranging from CAD diagrams to Java source code. All told, 29.2% of all files containing sensitive data were Excel files, 16.7% were MS Word files, and another 10.1% were PowerPoint files.

[Figure: Q4 2015 Cloud Adoption & Risk Report, Sensitive Data in the Cloud]

Of the 15.8% of documents that contained sensitive data, 48% were confidential files (including financial records, business plans, source code, trading algorithms, etc.). 27% of the documents containing sensitive data held Personally Identifiable Information (PII such as social security numbers, tax ID numbers, phone numbers, home addresses, etc.). 15% of the files containing sensitive data were ones regulated by the Payment Card Industry Data Security Standard (PCI-DSS), while a startling 10% contained data regulated by the Health Insurance Portability and Accountability Act (HIPAA-HITECH). One of the mandates of HIPAA is that if more than 500 individuals’ data gets hacked or leaked, the health care provider is required to inform the individuals as well as the press about the data loss. This can have far-reaching impact, both in terms of monetary fines and in long-term loss of trust and reputation.

One of the more alarming trends we uncovered was the naming convention of files being stored in the cloud. Cybercriminals are always looking for the types of data that can be sold on the darknet. The most valuable type of data is healthcare data, but anything from account credentials to credit card numbers is commonly on sale on the darknet. It’s clear employees aren’t helping themselves or the organizations they work for, given the types of names uncovered for files stored in the cloud.

The average enterprise has 1,156 files with the word “password” in the file name. If these files get breached, the hackers would essentially have the keys to the kingdom. A whopping 7,886 files stored in file sharing services contain the word “budget,” while 2,217 files contain the word “confidential.”

[Figure: Q4 2015 Cloud Adoption & Risk Report, What’s in a Name]
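The file-name tallies above can be reproduced against your own file-share inventory. The following is an added Python example, not code from the report or from the post: it scans a constructed listing for the same risky keywords the report counts (“password”, “budget”, “confidential”), reports how many files mention each word, and breaks the inventory down into Office, PDF and other types as the report does. The sample paths, the keyword list and the extension sets are all constructed assumptions.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample inventory of a cloud file share (illustrative only, not real data).
SAMPLE_INVENTORY = [
    "finance/2015-budget-final.xlsx",
    "hr/Passwords for vendor portals.docx",
    "eng/trading_algo_v3.java",
    "legal/CONFIDENTIAL-merger-memo.pdf",
    "shared/team-lunch.jpg",
    "ops/router-password-list.txt",
    "sales/q4-forecast.pptx",
]

# Keywords the report counts in file names; extend for your own environment.
RISKY_KEYWORDS = ("password", "budget", "confidential")
OFFICE_EXT = {".xlsx", ".xls", ".docx", ".doc", ".pptx", ".ppt"}


def flag_risky_names(paths, keywords=RISKY_KEYWORDS):
    """Return {path: [matched keywords]} for every file whose *name* contains a risky word.

    Only the final path component is inspected so that a folder called
    "budget/" does not flag every file beneath it.
    """
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = {}
    for path in paths:
        name = PurePosixPath(path).name
        found = sorted({m.lower() for m in pattern.findall(name)})
        if found:
            hits[path] = found
    return hits


def keyword_counts(paths, keywords=RISKY_KEYWORDS):
    """How many files mention each keyword (the per-word tallies the report gives)."""
    counts = Counter()
    for found in flag_risky_names(paths, keywords).values():
        counts.update(found)
    return dict(counts)


def classify_type(path):
    """Bucket a file as 'office', 'pdf' or 'other' by extension."""
    ext = PurePosixPath(path).suffix.lower()
    if ext in OFFICE_EXT:
        return "office"
    if ext == ".pdf":
        return "pdf"
    return "other"


def type_breakdown(paths):
    """Count of files per type bucket, mirroring the Office / PDF / other split."""
    return dict(Counter(classify_type(p) for p in paths))


if __name__ == "__main__":
    for path, words in flag_risky_names(SAMPLE_INVENTORY).items():
        print(f"{path}: {', '.join(words)}")
    print("keyword counts:", keyword_counts(SAMPLE_INVENTORY))
    print("type breakdown:", type_breakdown(SAMPLE_INVENTORY))
```

Feed it the output of your file-sharing service’s inventory export instead of the constructed list; a hit on a name is a prompt to check the file’s contents and sharing settings, not proof that it holds a secret.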

Internal and External Threats

Owing to the large amounts of sensitive data being stored in the cloud, the average organization experienced 19.6 cloud-related security incidents each month. These may include anything from insider threats (accidental or malicious) and privileged user threats to stolen credentials or attempts to exfiltrate data using the cloud.

Sadly, nearly every company (89.6%) experiences at least one threat caused by an insider each month, which lends credence to the earlier Gartner quote regarding the role the organization itself will play in cloud security breaches. At the same time, 55.6% of organizations become victims of stolen login credentials each month. The average organization is hit by an unauthorized user attempting to exploit a compromised account 5.1 times each month.

Detecting and preventing insider threats

If 95% of cloud security incidents are expected to be caused by an employee within an organization, then protecting data from within becomes one of the most important goals of the IT security team. However, the most difficult part of detecting insider threats is sifting through a sea of false positives to pinpoint an actual insider threat incident. As an analogy, credit card companies must detect suspicious charges accurately, or else the cardholder will be irritated by having to verify their identity with the credit card company every time a “suspicious” transaction takes place. Their customer base effectively mandates that they minimize false positives.

The solution that credit card companies have employed is called User Behavior Analytics (UBA), where they use machine learning to build a baseline of what legitimate credit card transactions look like. For example, they have learned that during the holiday season around Christmas, both the amount and the frequency of credit card transactions increase for most individuals, so they use contextual clues like these to define baseline normal behavior. The number of data points used is vast and can only be correlated using high-performance algorithms. However, once this baseline has been established, they can accurately pick out fraudulent transactions, much like successfully finding the needle in a haystack.

Chasing false-positive insider threats would be a major waste of resources, so IT security teams need to employ the same approach when attempting to detect and thwart insider threats. Every user’s cloud usage should be profiled and a baseline established that takes into account the location, device, time of day, cloud service being used, and anything else visible to the security team.
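The per-user baseline described above, as an added Python example that is not code from the post or from any vendor product. It builds a profile per user from a constructed cloud access log (countries, devices and services seen, plus the hours at which the user normally works), scores each new event by how many baseline dimensions it departs from, and only alerts when the score crosses a threshold, which is the knob that trades detection against the false positives the author warns about. The log lines, the field layout, the two-hour working-hour slack and the alert threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed cloud access log used to learn the baseline (not real data).
# Each record: (user, ISO timestamp, country, device id, cloud service)
SAMPLE_LOG = [
    ("alice", "2015-11-02T09:14:00", "US", "laptop-a1", "box"),
    ("alice", "2015-11-02T13:40:00", "US", "laptop-a1", "box"),
    ("alice", "2015-11-03T10:05:00", "US", "laptop-a1", "salesforce"),
    ("alice", "2015-11-04T11:22:00", "US", "phone-a2", "box"),
    ("alice", "2015-11-05T15:30:00", "US", "laptop-a1", "box"),
    ("alice", "2015-11-06T08:50:00", "US", "laptop-a1", "salesforce"),
]

# Constructed events to score after the baseline exists: one routine, one not.
NEW_EVENTS = [
    ("alice", "2015-11-09T10:12:00", "US", "laptop-a1", "box"),
    ("alice", "2015-11-09T03:07:00", "RU", "unknown-x9", "box"),
]


def build_baselines(log):
    """Per-user profile: the countries, devices and services seen, and the hours of use."""
    profiles = defaultdict(
        lambda: {"countries": set(), "devices": set(), "services": set(), "hours": []}
    )
    for user, ts, country, device, service in log:
        profile = profiles[user]
        profile["countries"].add(country)
        profile["devices"].add(device)
        profile["services"].add(service)
        profile["hours"].append(datetime.fromisoformat(ts).hour)
    return profiles


def score_event(profiles, event, hour_slack=2):
    """Return (score, reasons): one point per baseline dimension the event departs from.

    hour_slack widens the observed working-hour window by that many hours on
    each side so an early start or late finish is not treated as anomalous.
    """
    user, ts, country, device, service = event
    profile = profiles.get(user)
    if profile is None:
        # No history at all: treat as maximally unusual rather than silently passing it.
        return 3, ["no baseline for user"]
    reasons = []
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    if device not in profile["devices"]:
        reasons.append(f"new device {device}")
    if service not in profile["services"]:
        reasons.append(f"new service {service}")
    hour = datetime.fromisoformat(ts).hour
    lo = min(profile["hours"]) - hour_slack
    hi = max(profile["hours"]) + hour_slack
    if not lo <= hour <= hi:
        reasons.append(f"off-hours access at {hour:02d}:00")
    return len(reasons), reasons


def detect(log, events, threshold=2):
    """Learn baselines from log, then return [(event, score, reasons)] at or above threshold.

    A single new device or a late login scores 1 and stays below the default
    threshold; several deviations at once (new country, new device, 3 a.m.) do not.
    """
    profiles = build_baselines(log)
    alerts = []
    for event in events:
        score, reasons = score_event(profiles, event)
        if score >= threshold:
            alerts.append((event, score, reasons))
    return alerts


if __name__ == "__main__":
    for event, score, reasons in detect(SAMPLE_LOG, NEW_EVENTS):
        print(f"ALERT score={score} {event}: {'; '.join(reasons)}")
```

In production the log would come from the cloud service’s audit API or a CASB export, the baseline would be rebuilt on a rolling window, and the threshold would be tuned per organization by reviewing which alerts analysts actually confirmed; the scoring structure stays the same.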

You can find the full CSA report here.

By Sekhar Sarukkai

Cloud Infographic: The Future of File Storage

 The Future of File Storage A multi-billion dollar market Data storage has been readily increasing for decades. In 1989, an 8MB Macintosh Portable was top of the range; in 2006, the Dell Inspiron 6400 became available, boasting 160GB; and now, we have the ‘Next Generation’ MacBook Pro with 256GB of storage built in. But, of course,…

15 Cloud Data Performance Monitoring Companies

Cloud Data Performance Monitoring Companies (Updated: Originally Published Feb 9th, 2015) We have decided to put together a small list of some of our favorite cloud performance monitoring services. In this day and age it is extremely important to stay on top of critical issues as they arise. These services will accompany you in monitoring…

Low Cost Cloud Computing Gives Rise To Startups

Balancing The Playing Field For Startups According to a Goldman Sachs report, cloud infrastructure and platform spending could reach $43 billion by 2018, which is up $16 billion from last year, representing a growth of around 30% from 2013 said the analyst. This phenomenal growth is laying the foundation for a new breed of startup…

A New CCTV Nightmare: Botnets And DDoS attacks

Botnets and DDoS Attacks There’s just so much that seems as though it could go wrong with closed-circuit television cameras, a.k.a. video surveillance. With an ever-increasing number of digital eyes on the average person at all times, people can hardly be blamed for feeling like they’re one misfortune away from joining the ranks of Don’t…

Cloud Infographic – What Is The Internet of Things?

What Is The Internet of Things? “We’re still in the first minutes of the first day of the Internet revolution.”  – Scott Cook The Internet of Things (IOT) and Smart Systems are based on the notions of Sensors, Connectivity, People and Processes. We are creating a new world to view and measure anything around us through…

Cloud Infographic – The Future (IoT)

The Future (IoT) By the year 2020, it is being predicted that 40 to 80 billion connected devices will be in use. The Internet of Things or IoT will transform your business and home in many truly unbelievable ways. The types of products and services that we can expect to see in the next decade…

Cloud Computing – The Real Story Is About Business Strategy, Not Technology

Enabling Business Strategies The cloud is not really the final destination: It’s mid-2015, and it’s clear that the cloud paradigm is here to stay. Its services are growing exponentially and, at this time, it’s a fluid model with no steady state on the horizon. As such, adopting cloud computing has been surprisingly slow and seen more…

Cloud Computing Services Perfect For Your Startup

Cloud Computing Services Chances are if you’re working for a startup or smaller company, you don’t have a robust IT department. You’d be lucky to even have a couple IT specialists. It’s not that smaller companies are ignoring the value and importance of IT, but with limited resources, they can’t afford to focus on anything…

Infographic Introduction – Benefits of Cloud Computing

Benefits of Cloud Computing Based on Aberdeen Group’s Computer Intelligence Dataset, there are more than 1.6 billion permutations to choose from when it comes to cloud computing solutions. So what, on the face of it, appears to be pretty simple is actually both complex and dynamic regardless of whether you’re in the market for networking,…

The Cloud Is Not Enough! Why Businesses Need Hybrid Solutions

Why Businesses Need Hybrid Solutions Running a cloud server is no longer the novel trend it once was. Now, the cloud is a necessary data tier that allows employees to access vital company data and maintain productivity from anywhere in the world. But it isn’t a perfect system — security and performance issues can quickly…

The Rise Of BI Data And How To Use It Effectively

The Rise of BI Data Every few years, a new concept or technological development is introduced that drastically improves the business world as a whole. In 1983, the first commercially handheld mobile phone debuted and provided workers with an unprecedented amount of availability, leading to more productivity and profits. More recently, the Cloud has taken…

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Infrastructure-as-a-Service Security It’s no secret many organizations rely on popular cloud providers like Amazon and Microsoft for access to computing infrastructure. The many perks of cloud services, such as the ability to quickly scale resources without the upfront cost of buying physical servers, have helped build a multibillion-dollar cloud industry that continues to grow each…

Achieving Network Security In The IoT

Security In The IoT The network security market is experiencing a pressing and transformative change, especially around access control and orchestration. Although it has been mature for decades, the network security market had to transform rapidly with the advent of the BYOD trend and emergence of the cloud, which swept enterprises a few years ago.…

Data Breaches: Incident Response Planning – Part 1

Incident Response Planning – Part 1 The topic of cybersecurity has become part of the boardroom agendas in the last couple of years, and not surprisingly — these days, it’s almost impossible to read news headlines without noticing yet another story about a data breach. As cybersecurity shifts from being a strictly IT issue to…

Do Not Rely On Passwords To Protect Your Online Information

Password Challenges  Simple passwords are no longer safe to use online. John Barco, vice president of Global Product Marketing at ForgeRock, explains why it’s time the industry embraced more advanced identity-centric solutions that improve the customer experience while also providing stronger security. Since the beginning of logins, consumers have used a simple username and password to…

Cloud Security Risks: The Top 8 According To ENISA

Cloud Security Risks Do cloud security risks ever bother you? It would be weird if they didn’t. Cloud computing has a lot of benefits, but also a lot of risks if done in the wrong way. So what are the most important risks? The European Network Information Security Agency did extensive research on that, and…

Using Private Cloud Architecture For Multi-Tier Applications

Cloud Architecture These days, Multi-Tier Applications are the norm. From SharePoint’s front-end/back-end configuration, to LAMP-based websites using multiple servers to handle different functions, a multitude of apps require public and private-facing components to work in tandem. Placing these apps in entirely public-facing platforms and networks simplifies the process, but at the cost of security vulnerabilities. Locating everything…

Are Cloud Solutions Secure Enough Out-of-the-box?

Out-of-the-box Cloud Solutions Although people may argue that data is not safe in the Cloud because using cloud infrastructure requires trusting another party to look after mission critical data, cloud services actually are more secure than legacy systems. In fact, a recent study on the state of cloud security in the enterprise market revealed that…