Risk | Bach Seat

Tag Archive for Risk

RB | October 13, 2011

Cloud Computing Risks

Cloud Computing Risks Cloud computing is a term even non-IT folks would have heard about at least once by now fueled by the concept of Software-as-a-Service (SaaS) and virtualization. The idea is that IT services and processing capabilities could be more efficiently housed in a data center and delivered over the Internet based on demand.

Dr. Dobb’s, editor-in-chief Andrew Binstock told FierceCIO that the primary advantage of relying on cloud providers is that their combined expertise on the security and reliability front is in all likelihood better than that of most SMBs and even some larger IT shops.

Bob Violino at Internet Evolution writes that cloud computing offers some clear benefits for organizations: lower costs, automated software updates, greater flexibility, and the ability for IT staff to focus on more strategic projects and not day-to-day maintenance tasks.

It’s easy to get caught up in the cloud excitement with major IT vendors such as Amazon (AMZN), Apple (AAPL), Dell (DELL), Google (GOOG), HP (HPQ), IBM (IBM), and Microsoft (MSFT) pushing the concept and rolling out cloud offerings. But organizations looking into cloud computing need to consider some key risks as well.

Larry Ellison, the chief executive of Oracle, told shareholders in 2008 that Cloud technology is a fad that lacks a clear business model. “I think it’s ludicrous that cloud computing is taking over the world,” Ellison said. “It’s the Webvan of computing.”

Richard Stallman, the founder of the Free Software Foundation, sees cloud computing as a trap that will result in people being forced to buy into locked and proprietary systems that will only cost more over time. He told The Guardian: “It’s stupidity. It’s worse than stupidity: it’s a marketing hype campaign.”

Some of the cloud risks are well documented, but as the push for cloud services continues, a few risk points are starting to come into focus:

Data Privacy. When it comes to the U.S., the Fourth Amendment states that people should “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” But web-hosted applications and cloud services are too new for the courts to have been able to offer far-reaching guidance on data privacy online. Data stored outside of the country makes data privacy issues even more complex.

Information security. A report from the World Privacy Forum discusses the issues related to cloud computing and the privacy and confidentiality of information. According to the report, “for some information and for some business users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared.”

Even when no laws prevent a user from disclosing information to a cloud provider, the report says, disclosure may still not be free of consequences. “Information stored by a business or an individual with a third-party may have fewer or weaker privacy or other protections than information in the possession of the creator of the information.” A cloud provider’s terms of service, privacy policy, and location may significantly affect a user’s privacy and confidentiality interests, the report states.

Data Security. There are many threats to data online. The application or service provider could go belly up, hackers could attack or just be locked out of your account. The good news is that data portability and security policies are being scrutinized closely by several organizations.

Mr. Binstock observed that no cloud storage provider will promise that they will not access your data under any circumstances. It is also common to find explicit clauses that allow law enforcement agencies access to your data.

Believing that this is acceptable because there is nothing incriminating in one’s data storage, is, in his words, “intensely naïve.” The obvious problem, notes Mr. Binstock, is that any government agency examining your data is under no contractual obligation to you to keep them safe, or even delete copies that were created.

Chenxi Wang at Forrester noted that an effective assessment strategy must cover data protection, compliance, privacy, identity management, and other related legal issues. “In an age when the consequences and potential costs of mistakes are rising fast for companies that handle confidential and private customer data, IT security professionals must develop better ways of evaluating the security and privacy practices of the cloud services.”

Network. The idea of putting the network health in the hands of the ISPs is very troubling. Have you ever tried to work with an ISP to find out why your round-trip latency times are so high? can your organization confidently define: The bandwidth requirements of your apps? The end-to-end throughput needs? Where will your data really be? Will it take the same path today and tomorrow? Who will pick up the phone when you call to say “the cloud is slow?” Will you be able to understand them?

Complexity. As cloud computing evolves, “combinations of cloud services will be too complex and untrustworthy for end consumers to handle their integration,” according to a report from Gartner Inc.. Daryl Plummer, chief Gartner fellow notes:

Unfortunately, using [cloud] services created by others and ensuring that they’ll work — not only separately, but also together — are complicated tasks, rife with data integration issues, integrity problems and the need for relationship management

Finances. Cloud computing changes the way software is purchased. The model for purchasing software one time and then choose to opt to buy the newer version a few years later maybe on the way out. With cloud computing, the vendor can just raise the prices the following month. It requires a different mindset, of subscription fees as opposed to purchase. We will see how the public takes it.

These are some of the issues that must be addressed if companies are to decide that cloud computing offers benefits that exceed the ROI of providing similar services in-house without increasing risk.

rb-

Sure, “the cloud” will work for most people most of the time, but if there are a lot of users, there will be a lot of errors. With 100,000 users, 10% having problems over 10 years is 10,000 unhappy users.

Cloud computing and the Internet part II (ecrimeexpertblog.wordpress.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2011, AAPL, Amazon, AMZN, Apple, Cloud computing, Dell, GOOG, Google, IBM, Larry Ellison, Microsoft, MSFT, Risk, SaaS, Software as a service

RB | June 19, 2010

Comments Off

Supremes Rule on Sexting Case

Supremes Rule on Sexting Case On Thursday (June 17, 2010) the U.S. Supreme Court ruled on the City of Ontario, California v. Quon case. I wrote about this sexring case earlier and its implications for corporate technology acceptable use policies (AUP). The case involved the use of text pagers issued to officers by the city police department. The city issued the pagers for City use, under a general acceptable use policy. The officer in question consistently went over the allotted limit on messages which caused his supervisors to get stored text messages from the service provider. The City discovered that many of the messages were not work-related but were “sexting” or sexually explicit personal text messages. The officer claimed that the search violated the Fourth Amendment.

The Supreme Court ruled unanimously that the police department’s actions were reasonable, and thus did not violate the constitutional rights of the police officer. Justice Kennedy’s opinion ruled narrowly, to avoid a final definition of electronic privacy.

Prudence counsels caution before the facts, in this case, are used to establish far-reaching premises that define the existence, and extent, of privacy expectations of employees using employer-provided communication devices. Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior. At present, it is uncertain how workplace norms, and the law’s treatment of them, will evolve.

According to the Center for Democracy & Technology (CDT), the Supreme Court faced an opportunity to curtail workplace privacy (or electronic privacy generally) in this case. However, the Court applied the O’Connor v. Ortega (1987) precedent, that government employees generally retain their Fourth Amendment privacy rights, and it assumed that government employees may have a reasonable expectation of privacy even in communications they send during work hours on employer-issued devices.

The CDT says the message to government employers is that the courts will continue to scrutinize employers’ actions for reasonableness, so supervisors have to be careful. Unless a “no privacy” policy is clear and consistently applied, an employer should assume that employees have a reasonable expectation of privacy and should proceed carefully, with a good reason and a narrow search, before examining employee emails, texts, or Internet usage.

rb-
As we always try to tell our clients, make sure that there is a clear statement of no privacy in all policies and policy enforcement actions and as part of their policies, companies should discourage employees from using personal accounts to conduct company business.

Category: Uncategorized | Tags: 2010, AUP, Constitution, Fourth Amendment, Policy, Privacy, Risk, SCOTUS, Supreme court, Wireless

RB | June 15, 2005

One comment

The Secret Life of Copiers

-Updated – 05-11-2007- Most digital copiers manufactured in the past five years have disk drives to reproduce documents. As a result, the seemingly harmless machines that are commonly used to spit out copies of sensitive information can retain the data being scanned.

Digital copier manufacturer Sharp issued a warning about photocopier vulnerabilities in conjunction with tax season. The company warned that it isn’t just people who make copies of their tax returns who are at risk.

A few years ago Sharp was among the first to offer a security kit for its machines. The security kit would encrypt and overwrite the images being scanned. Overwriting the data ensures it isn’t stored on the hard disks indefinitely.

In many cases, a central administrative or IT department monitors an entire fleet of copiers using each machine’s Internet Protocol (IP) address. What they forget is that, because the copiers are managed remotely, other people could get access to them. Firms can take action in several ways.

One option is to close IP ports. When a copier is being installed, the IT staff should close IP ports to ensure there is only one access point to the machine. Another option would be to use media access control (MAC) filtering. MAC filtering sets rules to accept commands only from specified MAC addresses such as the help desk, restricting outsiders.

The Secret Life of Copiers, CFO Magazine May 01, 2004

Last fall, reports began circulating that a large university in the Northeast had uncovered an illegal music-file-swapping service on campus. The music files were stored in a spot nobody would ever think to look: a copy machine. The students were actually transferring MP3s to and from a hard drive on a copier, The machine’s hard drive was designed to capture and store scanned documents. Apparently, a member of the school’s IT department stumbled on the plot after noticing a remarkable amount of traffic going to and from the networked copier.

While the technology for making copies has changed little in the past 50 years, most copiers are now full-blown IT devices, with network and E-mail server connectivity. employees typically have unfettered access to copiers — and thus any information stored on them. This makes copy machines perfect targets for hackers or, since the drives are usually removable, thieves.

Enterprise appliance security could prove to be of real importance in the new era of privacy (for example, the Health Insurance Portability and Accountability Act of 1996, or HIPAA) and document management (the Sarbanes-Oxley Act of 2002). That’s doubly true if a company uses copiers to scan sensitive personal documents such as medical records, birth certificates, or financial forms. Louis E. Slawetsky, president of Rochester, N.Y.-based research firm Industry Analysts Inc said, “People don’t think of copiers as a vulnerability … That’s a problem since they have hard drives and can store whatever has been copied for an indefinite period of time.”

This creates a potential security problem: customers have access to a machine connected to the bank’s network. mitigates the danger by placing the machine behind two firewalls and making the copier password-protected. Security consultants say potential buyers of new copiers should almost always look for machines with encryption or overwriting capabilities.

Hard-copy security is also an issue — you don’t want the wrong person picking up someone else’s copy job. Hence, experts advise prospective buyers to stick to machines that come with password protection. That way, says Larry Kovnat, systems security program manager for Xerox’s office group in Rochester, N.Y., “no one can inadvertently see documents or pick them up.”

Despite the improvements in copier-machine defenses, one security hole still has not been addressed: E-mail. Although copiers generally can keep track of who is E-mailing a document (through passwords), it is nigh impossible to put limits on what can be sent or where the E-mails can be sent. This could change, however, as copier hard drives and network connections become more sophisticated.

The Fed Single-Handedly Keeps Xerox And HP Alive (zerohedge.com)

Category: Uncategorized | Tags: 2005, Copiers, Fax, HIPAA, MAC address, Photocopier, Printer, Risk, Security, Sharp, SOX, Xerox

RB | June 3, 2005

Comments Off

Network Security Layering

Most companies are prepared for threats to their networks from the outside world. However, security breaches from within the corporation often pose the biggest concern. In this post-Enron world of increased corporate governance, IT managers must deal with both technical and human challenges to meet their companies’ security requirements. New legislative mandates, such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the Graham-Leach-Bliley Act, also exist.

When considering securing a network, it’s essential to take a holistic approach, from the physical layer to the application layer. Thorough security policies, appropriate authentication mechanisms, and effective user education must complement the technologies implemented within the network.

The security-layering concept allows for variable-depth security. Variable-depth security occurs when each security level builds upon the capabilities of the layer below, resulting in more stringent security moving up through the layers. This can help protect organizations from security breaches that may come from within, as layering provides multiple measures of security controls.

The first security layer: VLANs

At the first layer, essential network compartmentalization and segmentation can be provided by virtual LANs. This allows various business functions to be contained and segmented into private LANs. Traffic from other VLAN segments is strictly controlled or prohibited. Several benefits may be derived from deploying VLANs for small to midsize businesses across the company’s multiple sites. These include the use of VLAN “tags.” VLAN tags allow traffic segregation into specific groups, such as finance, human resources, and engineering. It also prevents the separation of data without “leakage” between VLANs as a required element for security.

The second layer: Firewalls

The second layer of security can be achieved with perimeter defense and distributed firewall-filtering capabilities at strategic points within the network. The firewall layer allows the network to be further segmented into smaller areas, monitors it, and protects against harmful traffic from the public network. In addition, an authentication capability for incoming or outgoing users can be provided. The use of firewalls provides an extra layer of protection that’s useful for access control. The application of policy-based access allows the customization of access based on business needs. Using a distributed firewall approach affords the added benefit of scalability as enterprise needs evolve.

The third security layer: VPNs

Virtual private networks, which offer a finer detail of user access control and personalization, can be added as a third layer of security. VPNs offer fine-grain security down to the personal user level and enable secure access for remote sites and business partners. With VPNs, dedicated pipes aren’t required since the use of dynamic routing over secure tunnels over the Internet provides a highly secure, reliable, and scalable solution. VPNs with VLANs and firewalls allow the network administrator to limit access by a user or user group based on policy criteria and business needs. VPNs give more robust assurance of data integrity and confidentiality, and strong data encryption can be enacted at this layer to provide more security.

The fourth layer: Solid security practices

Best practices by the IT security team are yet another level in a layered network security strategy. This can be achieved by ensuring that operating systems are protected against known threats. (This can be accomplished by consulting with the operating system manufacturer to get the latest systems-hardening patches and procedures.) In addition, steps must be followed to ensure all installed software is virus-free.

Securing network management traffic is essential to ensuring the network. To protect HTTP traffic, it’s preferable to encrypt all management traffic at all times using the IPsec or Secure Sockets Layer protocol. Encryption is a must even if traffic travels on the local-area network.

Category: Uncategorized | Tags: 2005, Best practices, Encryption, Firewall, HIPAA, IPsec, LAN, RADIUS, Risk, Security, SNMP, SOX, SSL, VLAN, VPN

S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30

Bach Seat