ISF congress post 4: Keynote session: The view from the advisory board

This was a panel discussion session, so it flowed around quite a bit and wasn’t always focussed.  The below covers most of the main points that were discussed:

Focus no longer on China.

Focus more on what enterprises can do to protect data and work with their customers securely.

Snowden affair, and global information security / assurance – living in a globally surveilled world.


I’ve been following the Snowden debacle in the news;

  • Is this something we need to pay attention to?
  • Tell me three key actions we need to take.


  • US has the ‘right’ to monitor all network traffic that goes via it or US companies from ‘foreigners’.  Doesn’t sound too bad until you realise we are nearly all foreigners (around 97% of the global population isn’t American!).  This has huge ramifications.
  • Snowden affair – nearly all the leaks from this have been of ‘Top Secret’ classification, this hardly ever happens, most leaks are of much lower classification.
  • However – Remember, just because we are looking at the NSA, China has not gone away.  Remembering this is critical to your security posture.
  • Everything is stored forever!  Whether NSA or Google, or other email / search service, all your emails etc are likely stored forever, and probably in several places.
  • On the opposite side, many industries are rightly moving to more openness and sharing data with more people and the right people
  • Other nations are likely better than the US at sharing the findings of their industrial espionage with national companies – the French and Japanese are apparently very good at sharing espionage data with companies based in those countries.  NSA surveillance may be pervasive, but there are questions about how much it shares.  Board members and CEOs need to be aware that this espionage is a reality.
  • Supply chain security is a key factor to consider.
  • Emerging economies have a huge security impact – what they are doing with us, and how we interact and integrate with them.
  • International treaties around how intelligence agencies work abroad around monitoring each other are needed and being worked on.  In democratic countries at least – no comment on what is happening in dictatorships such as Russia and China.
  • Outsourcing data to third parties for processing etc. has been going on for years such as through the use of mainframes.  Cloud services are not a new concept, however the accessibility of these services to many people and the accessibility of the data in them has been a dramatic change.
  • Encrypting data if you own the process end to end can ensure data is securely stored.  Doesn’t really help with processing in the cloud.
  • Who reads the full terms and conditions of the services they use?  How much security and privacy are we inadvertently giving up?
  • We must not confuse Security and Privacy – these are different things.



The internet is a global platform, do you think it will become more balkanised?

  • It was set up by the military, and now they want it back 😉
  • It is already there on many layers – who makes the kit it runs on? Which governments have access to the data or any controls over the data flows?
  • Governments ignored the internet for years, now they all want some control over it, and government agencies all want to monitor and spy on the data on the internet.
    • There is a ‘war’ around who controls the internet occurring right now.
  • The internet and technology are changing very fast, nations / governments are struggling to keep up.



Cloud – is it new or isn’t it?

  • Yes and no.
    • Concept of sharing compute resource and allowing users or companies access to compute resource they couldn’t otherwise afford is not new.
    • Concept of data being anywhere / everywhere, and access to cloud compute and storage is new and the game changer that cloud is advertised to be.
      • Creates many issues
        • Where is your data?
        • Who controls your data?
        • What about international interception / access laws and capabilities?
    • Cost and scale benefits driving use in many businesses
      • How do you best secure this use case?
      • How do you ensure only the right ‘stuff’ gets into the cloud?
      • Do you have the right policies in place?
      • Do you have the right knowledge and skill sets for secure cloud use?
      • Vet staff and people in key positions both in your business and the cloud provider.
      • Encrypt your data – this is true, but I have serious issues around this one based on what sort of processing is required – can Tokenisation or Homomorphic encryption be leveraged?  What other ways do you have to mitigate the risk of data being unencrypted for processing?
    • Cloud is an innovator – gives businesses more opportunities, and also gives us new area to learn to secure.
    • Be proactive – be ready for the cloud, go to the business rather than them coming to you.


Security as a Service Implementation Guidance documents published!

The Security as a Service working group implementation guidance papers have now all been published and are available for free download from the Cloud Security Alliance website.

These provide a great overview of, and guidance around the 10 categories of security as a service that we identified last year.  The 10 documents have all been created using a standard template to ensure they are easy to use and understand.

Each document contains the following sections;

1. Introduction; Brief overview of the service, along with intended audience and the scope of the document.

2. Requirements Addressed; An overview of the business / security requirements that the service can address.

3. Considerations and Concerns; Details of areas to consider and potential risks / concerns when implementing the cloud based service.

4. Implementation Guidance; This section is the meat of the document providing guidance for anyone looking to implement the service usually including diagrams of example architectures or architecture components.

5. References and Useful Links; References used in the creation of the document and useful links for further research.

The documents and their download links are shown below;

Category 1 // Identity and Access Management Implementation Guidance;

Category 2 // Data Loss Prevention Implementation Guidance;

Category 3 // Web Security Implementation Guidance;

Category 4 // Email Security Implementation Guidance;

Category 5 // Security Assessments Implementation Guidance;

Category 6 // Intrusion Management Implementation Guidance;

Category 7 // Security Information and Event Management Implementation Guidance;

Category 8 // Encryption Implementation Guidance;

Category 9 // Business Continuity / Disaster Recovery Implementation Guidance;

Category 10 // Network Security Implementation Guidance;

If you are planning on implementing any of the Security as a Service categories, need to evaluate them, or just want to know more, please feel free to download these documents.  I hope you find them interesting and useful.

If you have any feedback for the documents don’t hesitate to provide it either via the comment section of this blog, or directly via the CSA website.  If you are interested in getting involved and contributing to the next steps of this research we are always looking for more volunteers!

Get involved via the ‘get involved’ link;


Homomorphic Encryption – Saviour of the cloud? Ready for prime time?

Homomorphic encryption has been around for a while (in fact it has been debated for around 30 years), but most systems that are homomorphic are only partially homomorphic, thus limiting their use in enabling real-world distributed, including cloud-based, systems.

I’ll start by briefly describing what the term homomorphic means when used to describe a cryptosystem.  A cryptosystem is homomorphic if a mathematical operation can be performed on the encrypted data to produce an encrypted output that, when decrypted, gives the same result as if the operation had been performed on the plaintext.

I’m sure you can see how this removes one of the main barriers to the adoption of cloud computing.  An efficient, proven and thoroughly tested homomorphic encryption system would potentially revolutionise the view of cloud computing security.  Currently it is easy to send data to and from the cloud in a secure encrypted manner, however if any computation is to be carried out on this data it has to be unencrypted at some point.  When the data is unencrypted in the cloud, the risk that employees of the cloud provider, and potentially other customers, could access the data becomes a real concern.  It is this risk that is one of the key road blocks to companies moving their data to the cloud.

Additionally some legal / regulatory rules prevent certain unencrypted data types, such as personally identifiable information (PII), leaving countries / regions such as the EU.  A system that enabled data to remain encrypted would potentially get around these regulatory issues and allow data to be housed in the cloud (many cloud providers have data centres located in various global locations and can’t guarantee where data will reside.   In fact this is one of the benefits of the cloud – the high level of redundancy and resilience provided by multiple data centres in geographically diverse locations).

Some existing algorithms are partially homomorphic; this means that they are homomorphic with regards to one or maybe a couple of operations.  For example the RSA algorithm is homomorphic with regards to multiplication.
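As an added illustration (not code from the original post), the following shows textbook RSA’s multiplicative homomorphism in the cloud setting described above: the data owner encrypts two values, an untrusted party multiplies the ciphertexts without ever holding the key, and the owner decrypts the product.  It also shows that the same trick does not carry addition through, which is what "partially homomorphic" means in practice.  The primes and messages are constructed and far too small for real use.

```python
# Added example, not from the original post: textbook RSA as a partially
# homomorphic scheme (multiplication only). Constructed toy primes; NOT secure.

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return (n, e, d) for the constructed primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return n, e, d

def encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)

def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)

def cloud_multiply(c1: int, c2: int, n: int) -> int:
    """What an untrusted party can do: multiply ciphertexts with no key.
    E(m1) * E(m2) = m1^e * m2^e = (m1*m2)^e (mod n) = E(m1*m2)."""
    return (c1 * c2) % n

def demo():
    # Constructed primes (the 10,000th and 100,000th primes); phi is coprime to e.
    n, e, d = rsa_keygen(104729, 1299709)
    m1, m2 = 12345, 6789          # m1*m2 < n, so the product survives intact
    c1, c2 = encrypt(m1, n, e), encrypt(m2, n, e)

    product_pt = decrypt(cloud_multiply(c1, c2, n), n, d)
    # Adding ciphertexts does NOT decrypt to m1 + m2: RSA is not additively
    # homomorphic, so a summation job in the cloud still needs the plaintext.
    sum_pt = decrypt((c1 + c2) % n, n, d)

    # Defender's caveat: the very property exploited here is ciphertext
    # malleability, which is why deployed RSA uses padding (e.g. OAEP) that
    # deliberately destroys the homomorphism.
    return {
        "mul_matches": product_pt == (m1 * m2) % n,
        "add_matches": sum_pt == (m1 + m2) % n,
        "product": product_pt,
    }

if __name__ == "__main__":
    print(demo())
```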

IBM published some research in this area in 2009, proposing fully homomorphic systems that are linked to from here;

Currently fully homomorphic systems are too new and not yet practical enough to be implemented for production systems.  For any cryptographic algorithm to be recommended it requires considerably more time to be peer reviewed and tested by security and encryption researchers, to allow a reasonable level of assurance that there are no attacks that could be used to decrypt the data.  In terms of practicality, in the currently proposed homomorphic encryption systems the complexity grows enormously as the number of actions you need to perform on the encrypted data increases.  This leads to a massive increase in the computational power required to run the system; this is a non-trivial increase that will not be solved by Moore’s law anytime in the near future.

So homomorphic encryption has now been proven to be possible which is a huge step forwards, and the work done by people like Craig Gentry and the guys at IBM and MIT must be hugely applauded.

Microsoft researchers published a paper in May of this year (2011) titled ‘Can Homomorphic Encryption be Practical’ that can be found here;

This provides an overview of a proposed partially homomorphic implementation along with thoughts on how it could be made fully homomorphic and how the efficiency could be improved.  The page also contains some useful links to cloud and lattice based cryptography.

However the reality is that we need several more years for a broader range of cryptographers to examine the cryptosystem to be assured it is secure, and for further work to go into making the system much more efficient.

These are definitely interesting times, and over the next few years I would hope to see homomorphic cryptosystems removing some of today’s key barriers to the adoption of cloud computing services!


Cloud; Barriers to adoption

My second post relating to cloud computing will focus at a high level on what seems to be the current major barrier(s) to the wider adoption of cloud use by businesses.

Future posts will likely go into more detail around technical threats such as side channel attacks (e.g. trying to connect to the target guest server from another guest known to be on the same host) and cartography (“mapping” the target environment by methods such as traffic sniffing and analysis), but this one will focus on providing a high level overview of the risks and fears around moving to the ‘cloud’.

It is already clear that in many instances the elasticity (ability to scale up and down on demand), resilience and cost vs. hosting services internally can offer clear benefits to businesses.  So why then are many businesses reticent to move completely or even partially into the cloud?

Outside of any general resistance to change the main concern is with security and regulatory requirements.

When infrastructure and applications are hosted internally you intrinsically feel that your data, and that of your customers, is safer.  Outside of potential ‘insider’ threats, data on your servers in your server room is inside your company’s perimeter, no matter how porous this may be, protected by your firewall(s), AV (Anti Virus), DLP (Data Leakage Protection) tools, trusted staff and company policies.  Even when the data leaves site it is likely on managed, and hopefully encrypted, tapes or via a managed, and hopefully encrypted, network link to a DR / BCP site.

Now when you move to using the cloud in some way your systems and data are hosted elsewhere, potentially moving across multiple physical servers or even datacentres outside of your control.  This movement along with the environment being shared by other companies (e.g. multiple businesses may have guests on the same physical host) are the primary drivers of fear around the security of systems in the cloud.  Using the cloud also obviously shares various concerns with other forms of hosting / co-location around third party access to data etc.

Hand in hand with security are regulatory / compliance concerns that also stem from the above features of using the cloud:

– Who can audit the systems and overall cloud?

– Does the data move across state boundaries (e.g. does it leave the UK or the EU)?

– Who could potentially access the data?

– What happens in a disaster recovery scenario?

– How can you move to another provider? (Vendor lock-in concerns)

– How is the data deleted from the cloud? (Data retention / incomplete deletion concerns)

Various measures exist to mitigate the risks; these include:

– Procedural; ensuring due diligence is carried out prior to engaging the vendor and contracts are in place to ensure adherence to legal / regulatory requirements.

– Security checks; regular penetration tests and other security checks of the vendor’s systems and facilities should be carried out, and any issues identified remediated within agreed time frames.

– Encryption; ensure all sensitive data (ideally all data if possible) is encrypted in transit and at rest – this prevents prying and mitigates the risk of data not being deleted.

– Authentication; ensure all systems in the cloud utilise strong authentication methods to prevent unauthorised access.

The ENISA (European Network and Information Security Agency) report titled ‘Cloud Computing Security Risk Assessment’ neatly sums up the benefits of cloud and the security concerns;

The key conclusion of this paper is that the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective.