Enhancing Cybersecurity Awareness

Enhancing Cybersecurity Awareness: Unlocking the Benefits of FedRAMP

In today’s hyper-connected world, where data breaches and cyber threats have become increasingly prevalent, it has become critical for organizations to prioritize cybersecurity awareness. With the exponential growth of cloud computing, the Federal Risk and Authorization Management Program (FedRAMP) has emerged as a key player in ensuring the security of cloud-based services, particularly for federal agencies and their contractors. 

In this blog post, we will explore the importance of cybersecurity awareness and how FedRAMP can unlock numerous benefits for organizations.

Cybersecurity awareness plays a crucial role in safeguarding sensitive data. It involves understanding the common cyber threats faced by organizations and individuals and the techniques used by attackers. It also emphasizes the role of employees in maintaining a secure environment and highlights best practices for enhancing cybersecurity awareness.

Introduction to FedRAMP:

FedRAMP is a government program aimed at assessing and authorizing cloud service providers (CSPs) to ensure they meet stringent security standards. It offers different types of authorizations, including Provisional Authorization (P-ATO), Agency Authorization (ATO), and JAB Authorization. FedRAMP simplifies the compliance process by providing standardized security requirements and streamlining the procurement process.

Benefits of FedRAMP for Organizations:

FedRAMP offers several benefits for organizations. Firstly, it enhances the security posture by implementing proper controls and security measures. It also simplifies compliance efforts by providing standardized security requirements, reducing duplicative efforts. Additionally, organizations can save costs by leveraging FedRAMP instead of undergoing individual agency assessments. Having a FedRAMP authorization also enhances an organization’s reputation and builds trust with clients and stakeholders. Furthermore, FedRAMP provides access to federal agencies, opening up opportunities to work with government clients and tap into a vast market.

Steps to Achieve FedRAMP Compliance:

Achieving FedRAMP compliance involves several steps. Organizations need to understand the requirements, engage a third-party assessment organization (3PAO) for independent verification, and address any vulnerabilities or weaknesses identified. Ongoing monitoring and periodic assessments are also necessary to maintain FedRAMP compliance.

Cybersecurity awareness and FedRAMP complement each other in strengthening an organization’s defense against cyber threats. By prioritizing cybersecurity awareness and leveraging the benefits offered by FedRAMP, organizations can enhance their security posture, streamline compliance efforts, and tap into opportunities in the federal market. Together, they contribute to a secure digital landscape and protect sensitive data from potential threats.

Unlocking Your Post-Military Career: How Veterans Can Excel in Cybersecurity with Securitybricks

Transitioning from a military career to the civilian world can be both exciting and challenging. Veterans bring a unique set of skills, discipline, and experience to the table, but they often face difficulties in finding the right career path. One field that holds immense potential for veterans is cybersecurity, and SecurityBricks is here to help unlock that potential. In this blog post, we will explore how veterans can excel in the field of cybersecurity with the support of SecurityBricks.

The Value of Veterans in Cybersecurity

Military veterans possess a wealth of skills that are highly transferable to the cybersecurity industry. Here are some of the key qualities that make veterans stand out in this field:

1. Discipline: Military training instills discipline and attention to detail, which are essential in cybersecurity. Cyber threats require a meticulous approach, and veterans are well-equipped to handle this aspect.

2. Teamwork: Collaboration is a cornerstone of military service, and teamwork is equally vital in cybersecurity. Veterans excel at working together under pressure, a skill that translates seamlessly to the cybersecurity environment.

3. Adaptability: The military often requires personnel to adapt to changing circumstances quickly. In cybersecurity, the threat landscape evolves rapidly, and veterans’ ability to learn and adapt is invaluable.

4. Security Awareness: Military personnel are trained to prioritize security and follow strict protocols. This mindset aligns perfectly with the security-first approach of cybersecurity professionals.

5. Leadership: Many veterans have leadership experience, which can be an asset in cybersecurity roles that involve managing teams or projects.

Bridging the Gap

While veterans bring an array of skills to the cybersecurity field, they may need additional training and certification to excel in this highly specialized industry. This is where SecurityBricks comes into play. SecurityBricks is a veteran-focused organization committed to helping military personnel transition into successful cybersecurity careers.

Here’s how SecurityBricks supports veterans in their cybersecurity journey:

1. Technical Skillsets: Securitybricks provides veterans with the technical training and knowledge necessary to excel in cybersecurity. Through specialized programs and hands-on training, veterans can develop the specific skill sets required for roles in this field.

2. Security Clearance: Many veterans possess security clearances gained during their military service. Securitybricks leverages this valuable asset by helping veterans transition into roles that require security clearances in the cybersecurity sector. This not only accelerates their career progress but also enables them to work on projects of national importance, contributing to the country’s security efforts in a different capacity.

3. Adaptability: The cybersecurity landscape is in a constant state of flux, with new threats and technologies emerging regularly. Securitybricks recognizes veterans’ adaptability, honed through their military experience, as a key advantage. Their ability to learn quickly, adjust to changing circumstances, and stay up-to-date with the latest cybersecurity trends positions them as highly effective professionals in this field.

4. Serving the Country in Another Way: For many veterans, the desire to serve their country doesn’t end with their military service. Securitybricks provides them with an opportunity to continue serving their nation by defending against cyber threats and ensuring the security of critical digital infrastructure. This sense of purpose and duty drives veterans to excel in their cybersecurity careers, knowing they are contributing to the broader national security mission.

Transitioning from the military to a civilian career can be a daunting task, but it’s also a chance for veterans to embark on a new and rewarding journey. Cybersecurity offers an excellent avenue for veterans to leverage their skills and make a meaningful impact in the civilian workforce.

SecurityBricks plays a crucial role in bridging the gap between military service and a cybersecurity career. With the right training, mentorship, and support, veterans can not only excel in cybersecurity but also contribute to the ongoing efforts to protect digital assets and information.

If you are a veteran looking to make your mark in the cybersecurity industry, consider exploring the opportunities offered by SecurityBricks. It’s not just a career change; it’s a chance to continue serving and safeguarding our nation in the digital realm. Unlock your post-military career with SecurityBricks and help secure our digital future.

Securitybricks Earns CMMC Third Party Organization Assessment (C3PAO) Status

Securitybricks’ C3PAO accreditation, along with its accelerators built on ServiceNow, enables Department of Defense contractors to meet CMMC requirements.

SAN FRANCISCO, CA, UNITED STATES, August 22, 2023/EINPresswire.com/ — Securitybricks announced today that it has earned accreditation as a Third Party Assessment Organization (C3PAO) from Cyber AB. This accreditation authorizes Securitybricks to perform Cybersecurity Maturity Model Certification (CMMC) assessments and certify any of the 300,000+ U.S. Department of Defense (DoD) contractors.

To earn the 3PAO accreditation, Securitybricks completed a comprehensive assessment conducted by Cyber AB, the CMMC accreditation body authorized by DoD and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), to verify technical competence and quality-management compliance in support of DoD’s protection of sensitive unclassified information.

Securitybricks has also launched its CMMC accelerators in partnership with ServiceNow to automate the CMMC assessment while meeting contractual flow-down requirements using the NIST 800-171 framework.

“Securitybricks is one of 10 companies in the U.S. who have earned both a FedRAMP 3PAO and a CMMC C3PAO status. These accreditations demonstrate our expertise in cloud security and compliance with a commitment to help DoD and Federal agencies protect sensitive data,” stated Raj Raghavan, CEO of Securitybricks.


About Securitybricks, Inc.
Securitybricks, Inc. is a firm focused on cloud security and compliance. Based in the U.S., its team members, all U.S. citizens and including military veterans, have 15+ years of experience in implementing cybersecurity and regulatory compliance controls. https://securitybricks.io/.

About CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework developed by the Department of Defense (DoD) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that the Department shares with its prime and subcontractors. All Defense Industrial Base (DIB) contractors with CMMC DFARS clause are required to be assessed by a C3PAO.

Learn more about how Securitybricks can help you achieve CMMC Compliance at the Cyber AB Marketplace here.

Raj Raghavan
Securitybricks, Inc.


Securitybricks Launches FedRAMP Accelerator on ServiceNow Platform

Securitybricks releases the first FedRAMP accelerator built on ServiceNow platform for the recently released FedRAMP Rev 5 controls.

SAN FRANCISCO, CA, UNITED STATES, July 25, 2023/EINPresswire.com/ — Securitybricks announced today that it has launched the first FedRAMP accelerator built on ServiceNow platform for the recently released FedRAMP Rev 5 controls. It is now available on ServiceNow Store as a free download.

As an authorized FedRAMP Third-Party Assessment Organization (3PAO) and a ServiceNow Build partner, Securitybricks combined its in-depth understanding of control testing with continuous monitoring capabilities and control automation for 80% of the FedRAMP controls. The accelerator will enable Cloud Service Providers (CSPs) to reduce the time needed for a FedRAMP Authority to Operate (ATO) assessment by using data elements already in their ServiceNow platform.

The accelerator comes with the 320+ controls needed for a FedRAMP Moderate assessment and questionnaire samples built on ServiceNow CAM (continuous monitoring and authorization). Out of the box, it includes FedRAMP Rev 5 control content along with the ability to build an authorization boundary, an SSP (system security plan), and POA&M management.

Securitybricks’ FedRAMP solution extends the free accelerator and includes:

– Complete citations and authority documents for FedRAMP Rev 5 controls
– Content for inherited controls from Azure and AWS
– Ability to build authorization boundary using cloud workload data
– SSP document along with required FedRAMP ATO artifacts
– Connectors to AWS Security Hub and Azure Defender for cloud configuration and vulnerability data
– Supply chain controls automation
– Continuous monitoring reporting including POA&M

“We are excited to bring the first automated FedRAMP ATO solution built on the ServiceNow platform. In addition, all our solution implementations are backed by a free ‘mock 3PAO audit’ to guarantee the ATO package meets FedRAMP PMO requirements,” stated Raj Raghavan, CEO of Securitybricks.


About Securitybricks, Inc.

Securitybricks, Inc. is a cybersecurity consulting firm focused on cloud security and compliance. Based in the U.S., its team members are all U.S. Citizens, including military veterans, with over 15+ years of experience in implementing cybersecurity and regulatory compliance controls. https://securitybricks.io/.

About FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All Cloud Service Providers (CSPs) seeking to offer services to the Federal government are required to be assessed by a 3PAO.

Learn more about how Securitybricks can help you achieve FedRAMP Compliance at the FedRAMP Marketplace here.

Raj Raghavan
Securitybricks, Inc.


Unveiling FedRAMP Revision 5

Recently, the Federal Risk and Authorization Management Program (FedRAMP) released its highly anticipated Revision 5 guidance, marking a significant milestone in cloud security compliance. With the release of FedRAMP Revision 5 (Rev 5), CSPs listed on the FedRAMP Marketplace are required to complete a delta assessment. This assessment ensures that existing CSPs align with the new control requirements by September 1st, 2023. Additionally, by October 1st, 2023, shared control information provided by cloud providers must be updated to adhere to the latest guidance.

What is new in FedRAMP Rev 5?

Expanded Control Set: FedRAMP Revision 5 introduces an expanded control set with 156 controls for Low, 323 controls for Moderate, and 410 controls for High impact systems. The testing of the Rev 5 controls is more threat based with a Risk Management approach. In Rev 5, there is a greater emphasis on aligning controls with the identified threats and risks that are relevant to the cloud service being assessed. This approach helps to ensure that the controls implemented by the cloud service provider (CSP) are designed to address the threats and vulnerabilities associated with their environment.

New Controls and Enhancements: Revision 5 brings forth 20 new base controls and 17 existing controls with enhancements. These additions include controls focused on privacy, such as PII data handling, data residency, and software supply chain management. These new controls reflect the growing emphasis on safeguarding privacy and mitigating risks associated with data breaches and unauthorized access. An example of these changes is the addition of supply chain risk management requirements. CSPs must implement controls to assess vendors, validate software integrity, and monitor the supply chain continuously. This includes ensuring software integrity and verifying the authenticity of hardware and software components, as well as continuous monitoring of the supply chain to identify and mitigate potential risks and vulnerabilities. An updated list of inherited controls from cloud providers like AWS and Azure will also be released soon.

Transition Timelines – 09.01.2023 and 10.02.2023

Columns: CSP’s ATO Journey / Delta Assessment Requirements / Annual or New Assessment / Deliverables to Agency or JAB

1. Starting ATO Process
– Delta Assessment Requirements: None
– Annual or New Assessment: Testing will be against Rev 5 unless CSP testing and package submission is completed by September 2023.
– Deliverables to Agency or JAB: Rev 5 FedRAMP Package

2. Engaged with JAB or 3PAO for ATO Assessment
– Delta Assessment Requirements: A delta assessment needs to be performed, with testing schedules, by a 3PAO.
– Annual or New Assessment: Complete the current ATO assessment in flight using Rev 4 baselines and templates if the package will be submitted to the PMO no later than September 2023.
– Deliverables to Agency or JAB: Document implementation and testing schedules for the delta between Rev 4 and Rev 5, including plans to leverage shared controls. SSP and POA&M documents need to be updated with the implementation plans for Rev 5. Implementation of the Rev 5 controls must be completed by the next Annual Assessment to support testing of the control implementation.

3. CSPs with ATO Listed on Marketplace
– Delta Assessment Requirements: By 09.01.2023 or prior to issuance of ATO (whichever is latest), a delta assessment needs to be performed, with testing schedules, by a 3PAO. By 10.02.2023, CSPs need to update shared controls implementation plans.
– Annual or New Assessment: CSPs whose reassessment falls between Jan. 1st, 2023 and July 3rd, 2023 have one year from the last assessment date to complete implementation of Rev 5 controls. Customers with annual reassessment from July 4th, 2023 to Dec. 15th, 2023 will need to complete all Rev 5 implementations no later than their next scheduled annual assessment in 2023/2024.
– Deliverables to Agency or JAB: Standard FedRAMP package for annual assessment with Rev 5 updates; SSP and POA&M monitoring the status of the Rev 5 implementation; Delta Assessment report and POA&M.

These milestones and activities are essential for successfully transitioning from Rev 4 to Rev 5 and ensuring compliance with the updated FedRAMP requirements.

Conclusion: FedRAMP Revision 5 represents a significant step forward in the realm of cloud security compliance. With an expanded control set, new controls and enhancements, and a focus on continuous monitoring and documentation, CSPs have a short timeline to complete delta assessments and implementation of new Rev 5 controls.

Securitybricks Earns FedRAMP Third Party Organization Assessment (3PAO) Status

This accreditation enables Securitybricks to validate that service providers have implemented the required cloud security measures to protect government data.

SAN FRANCISCO, CA, UNITED STATES, April 18, 2023/EINPresswire.com/ — Securitybricks announced today that it has earned accreditation as a Third Party Assessment Organization (3PAO) under the Federal Risk and Authorization Management Program (FedRAMP). This accreditation authorizes Securitybricks to assess and certify cybersecurity controls for Cloud Service Providers looking to do business with any of 400+ US Federal agencies.

To earn the 3PAO accreditation, Securitybricks completed a comprehensive assessment, conducted over a span of 2 years by the American Association for Laboratory Accreditation (A2LA), the FedRAMP 3PAO accreditation body, to verify technical competence and quality management compliance with the ISO/IEC 17020:202 standard.

Securitybricks will leverage its domain expertise in cloud security and control compliance, and its thorough understanding of NIST 800-53 control requirements to provide a suite of approved 3PAO services. In addition, Securitybricks has developed an automation approach that can shorten a CSP’s FedRAMP readiness timelines and reduce certification costs by 40%.

“FedRAMP is the first step in Securitybricks’ commitment to the Public Sector market. President Biden signed the FedRAMP Authorization Act in Dec. 2022, that aims to facilitate and accelerate secure cloud adoption by providing defined security authorizations, which opens the federal market to CSP’s of all sizes…” stated Raj Raghavan, CEO of Securitybricks.


About Securitybricks, Inc.
Securitybricks, Inc. is a firm focused on cloud security and compliance. Based in the U.S., its team members, all US citizens and including military veterans, have 15+ years’ experience in implementing cybersecurity and regulatory compliance controls. https://securitybricks.io/.

About FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All Cloud Service Providers seeking to offer services to the Federal government are required to be assessed by a 3PAO.

Learn more about how Securitybricks can help you achieve FedRAMP Compliance at the FedRAMP Marketplace here.

Katalin Pesti
Securitybricks, Inc.

Hardening by using CIS – A Holistic Approach

System hardening refers to the process of securing a computer system by reducing its vulnerability to potential threats and attacks. This is achieved by taking various measures, such as configuring the system’s software and hardware components to eliminate known security weaknesses, disabling unnecessary services, limiting user privileges, implementing access controls and firewalls, and regularly updating and patching software to address known vulnerabilities.

System hardening aims to create a more secure computing environment that is less susceptible to unauthorized access, data breaches, malware infections, and other types of security threats. This is particularly important for systems that store sensitive or confidential information, such as financial data, medical records, and government intelligence.

System hardening is an ongoing process that requires continuous monitoring and maintenance to ensure that the system remains secure and up to date with the latest security patches and updates. It is an important aspect of cybersecurity that is essential for protecting sensitive information and maintaining the trust of users and customers.

The CIS (Center for Internet Security) benchmarks are a set of best practices and guidelines that provide a comprehensive framework of security controls and settings for hardening various types of systems, including cloud deployments. The CIS benchmarks can be applied at both the tactical and operational levels. They cover various security areas, such as operating systems, applications, and network devices. The benchmarks are designed to be used by organizations of all sizes and types and can be customized to meet specific security needs.

At the tactical level, the CIS benchmarks can be applied to individual systems and devices to ensure that they are configured securely. For example, an IT administrator may use the CIS benchmarks to configure a web server or database server in accordance with best practices. This can help to prevent common security issues such as unauthorized access, data breaches, and malware infections.

At the operational level, the CIS benchmarks can be used to establish policies and procedures that govern how systems and devices are configured and maintained. This can help to ensure that all systems are configured consistently and securely across an organization. 

In summary, the CIS benchmarks can be applied at both the tactical and operational levels to improve security posture and reduce the risk of security breaches. The benchmarks provide a set of best practices that can be customized to meet specific security needs and can be applied to individual systems and broader organizational policies and procedures.

One of the main tools provided by CIS is the CIS-CAT Pro tool, which can scan and assess systems against the CIS benchmarks and generate reports on areas of non-compliance. The tool can also guide how to remediate any issues found and bring systems into compliance with the benchmarks.

In addition to CIS-CAT Pro, other tools and scripts can help automate system hardening based on the CIS benchmarks. These tools can help to streamline the process of implementing security controls and settings recommended by the benchmarks, reducing the potential for human error, and saving time and resources.

Automating system hardening using the CIS benchmarks can help to ensure that security controls and configurations are consistently applied across all systems and networks, reducing the potential for security vulnerabilities and improving overall security posture.

Reducing the attack surface is an essential goal of system hardening, and the CIS benchmarks are a valuable tool for achieving it when cross-referenced with MITRE ATT&CK. Start by identifying the systems and applications that are most critical to your business and prioritize them for hardening based on their level of risk. Remember that system hardening is an ongoing process: regularly review and update your security controls and settings to address new threats and vulnerabilities as they emerge. So, create your security baseline first to reduce the attack surface.

Both MITRE and CIS are related to finding controls in the sense that they provide guidance on the controls that organizations can implement to enhance their security. MITRE’s ATT&CK framework can help organizations identify the techniques that attackers might use and provides guidance on the controls that can be implemented to prevent those attacks. Similarly, the CIS Controls provide a prioritized list of actions that organizations can take to improve their security posture. It is possible to use both MITRE ATT&CK and the CIS benchmarks at the same time; our approach to implementing holistic controls for our customers incorporates both frameworks, and that is what we do as consultants at Securitybricks.

MITRE’s ATT&CK framework provides a comprehensive view of adversaries’ tactics and techniques to attack systems and networks. It provides a framework for understanding the different stages of an attack and the techniques that are commonly used at each stage. The framework can help organizations identify gaps in their defenses and prioritize their security investments to address the most critical risks.

The CIS benchmarks, on the other hand, provide prescriptive guidance on how to secure individual systems and devices. They provide a set of best practices for configuring systems to reduce the risk of common security issues such as unauthorized access, data breaches, and malware infections.

To implement a holistic set of controls that incorporates both the MITRE and CIS frameworks, we use MITRE ATT&CK to identify the tactics and techniques most relevant to the customer’s specific environment. We then use the CIS benchmarks to implement best practices for securing individual systems and devices in a way that addresses those specific risks.

CMMC 800-171 Solution on ServiceNow GRC Platform

Is your organization struggling to keep up with the complex requirements of Vendor Risk Management and the NIST 800-171 standards? You need Securitybricks’ innovative ServiceNow GRC Vendor Risk CMMC application.

I’m Donna, a passionate Risk, Compliance, and ServiceNow GRC expert, and I’m thrilled to introduce our latest project: a simple, easy-to-use Vendor Risk Management application that streamlines compliance assessments of downstream vendors and suppliers in accordance with your organization’s CMMC Level.

Built upon the powerful ServiceNow Vendor Risk Management Module, our CMMC app is designed to make compliance easier for you. If you’re an existing GRC Vendor Risk Management customer, you’ll be able to integrate our app seamlessly into your current process. We built the app on ServiceNow to specifically address CMMC requirements for subcontractors. With a user-friendly Questionnaire and Assessment, it’s never been easier to launch your CMMC vendor compliance assessments. We offer two levels (Level 1 and Level 2) to suit your organization’s specific needs. Installation is as simple as downloading the app from the ServiceNow Store, installing it in your GRC Vendor Risk instance, and then, as the Vendor Risk Manager, creating a CMMC Assessment from the prebuilt CMMC assessment templates and assigning it to the vendor to complete.

We’re proud to offer this application to you for FREE, exclusively in the ServiceNow store. It will be available for download at the end of Q1 2023, and our Version 1 solution is designed to work with the latest ServiceNow Tokyo release and Utah. Our app uses out-of-the-box Roles for Vendor Risk Managers to create the assessments and Vendors to respond to them, making it simple and straightforward to use.

Not Your Keys, Not Your Coins

In the world of cryptocurrency, the phrase “not your keys, not your coins” is a reminder of the importance of maintaining control over your own private keys.

A private key is a secret code that grants access to a cryptocurrency wallet and the coins within it. Without the private key, the coins within that wallet cannot be accessed or transferred. This means that if you do not have control over your own private keys, you do not truly own the coins in that wallet.

This is where the concept of “not your keys, not your coins” comes into play. When you store your coins on a centralized exchange or with a third-party custodian, you are effectively giving up control of your private keys to that entity. While they may promise to keep your coins safe, they are also in control of the coins and can make decisions on how to use them without your consent.

In contrast, when you store your coins in a self-custodied wallet, such as a hardware wallet or a software wallet for which you control the private keys, you always maintain control over your coins. This means that you are in full control of your coins and can make decisions on how to use them, such as transferring them to another wallet or selling them on an exchange.

When storing coins in your self-custodied wallet, you should also put a passphrase on it. You will have a key file or mnemonic phrase associated with your wallet. By using a passphrase, you’ll be able to provide more security for yourself and your funds. Tools such as Metamask are good for Ethereum, Polygon, and many other cryptocurrencies. Metamask will provide you with your mnemonic phrase when setting up your wallet, and this should be stored as if you were storing gold for Fort Knox. This phrase gives access to all your funds in your wallet.
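To make concrete what the mnemonic phrase and the passphrase above actually protect, here is an added example (not code from the original post or from MetaMask) that walks through the BIP-39 seed derivation and the BIP-32 root key that every account key hangs off. It assumes the wallet follows BIP-39/BIP-32, which MetaMask-style HD wallets do; the sample mnemonic is the public all-"abandon" phrase from the BIP-39 test vectors and must never hold funds.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the all-"abandon" phrase from the BIP-39 test vectors.
# It is public and must never hold funds; it is used here only to show the arithmetic.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed from a mnemonic and an optional passphrase.

    BIP-39 fixes the construction: PBKDF2-HMAC-SHA512 with 2048 rounds, the
    NFKD-normalised mnemonic as the password and "mnemonic" + passphrase as the
    salt. Every account key of an HD wallet is derived from this seed, so the
    mnemonic and the passphrase together are the whole secret.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 root: HMAC-SHA512 keyed with "Bitcoin seed" splits into the 32-byte
    master private key and the 32-byte chain code. Ethereum-family wallets use the
    same root; only the derivation path below it differs."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Short, non-secret fingerprint of the wallet a (mnemonic, passphrase) pair opens.

    Two different passphrases give two unrelated wallets, which is why a leaked
    mnemonic on its own does not reach funds held behind a passphrase, and why a
    forgotten passphrase is as final as a lost mnemonic.
    """
    master_priv, _ = bip32_master_key(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(master_priv).hexdigest()[:16]


if __name__ == "__main__":
    for pp in ("", "TREZOR"):
        print(f"passphrase={pp!r:10} wallet id={wallet_id(SAMPLE_MNEMONIC, pp)}")
```

Running it prints two different wallet ids for the same twelve words, one per passphrase; back up both parts, since neither alone reconstructs the wallet.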

Luckily, if you believe you have been compromised, setting up a new phrase is easier than opening a bank account. You just set up a new account (on a non-compromised system) and transfer all your funds to the new wallet. The concept of “not your keys, not your coins” is especially important in the world of cryptocurrency because, unlike traditional financial systems, there is no central authority that can help you recover your coins if you lose access to them. If you lose control of your private keys, you may permanently lose access to your coins.

Self-custody of your assets means you are responsible for all your funds. This is a blessing for people who may have been affected by outages during huge volatility spikes on exchanges. Many notable spikes occur when cryptocurrencies like Bitcoin, Ethereum and Solana move 10% or more within a couple minutes. If you try and sell, you might be limited by the exchange as they try and keep liquidity available on the cryptocurrency and fiat side.

Other issues, like the recent FTX scandal show how your funds can be used in ways that you do not want to be used. This is also prevalent with the large lending coin scam of 2017-2018, the Mt. Gox scandal in 2013-2014 and many other similar events.

It is important to keep in mind that in the world of cryptocurrency, your keys are your coins. Maintaining control over your own private keys is essential for truly owning and being in control of your coins, and it is important to store your coins in a self-custodied wallet for which you control the private keys.

How Secure is Your Data in the Cloud?

Have you moved to the cloud and think your data is secure because the cloud service uses encryption? This may be a false sense of security depending on the sensitivity of your data. There is much more to having secure storage of data than just the encryption algorithm that is used. Many companies have moved or are in the process of moving to the cloud for computing and data storage purposes. Overall, the cloud services are a less expensive environment for computing and data storage with the convenience of worldwide access from any number of devices.

Cloud services provide a baseline of security by encrypting data in flight to and from the cloud and data at rest. This encryption is typically included in the base cost of the service, but is it as secure as the in-house datacenters that these companies once used? Even if a company did not employ encryption to protect its data, there was a level of security in that the network was private, which protected against access by external adversaries. When using a cloud service, companies give up control of their data and rely on the security of the cloud service and its personnel. The encryption employed by cloud services is used to protect the data in the event of a data breach, which protects the service from undue financial loss. The encryption keys used are shared among the customer base and managed internally. How well these keys are actually protected is not easily assessed. Poor key management could allow internal access to customers’ data.

When it comes to encryption, it is not the algorithm that protects the secrecy of data; algorithms are publicly known and widely distributed. The choice of an encryption algorithm matters, since some are stronger than others, but the security of encrypted data rests on the security and secrecy of the cryptographic key. Any entity that has access to the cryptographic keys can decrypt the data.

Companies whose sensitive data must be protected for business purposes may choose to use encryption where the cryptographic keys are unique to them. This is implemented as a second level of encryption, and most cloud services offer it. These companies must implement strong key management in which split knowledge and dual control are enforced so that no single individual has access to the encryption key. Split knowledge means the key is broken into parts that are distributed to separate individuals for safekeeping; knowledge of an individual part reveals nothing about the key itself. Dual control is a process in which two or more individuals are required to perform key management functions, which may include key recovery, distribution to other platforms or systems, and internal use. Improper key management may result in the loss of keys or compromise of a key, which exposes the data that was meant to remain secret.
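The split-knowledge and dual-control properties above can be shown in a few lines. The following is an added example (not code from the original post or from any cloud provider) using the XOR key-component scheme that the ASC X9 standards describe for custodians: every component but the last is fresh randomness, the last is chosen so all components XOR back to the key, and a ceremony object refuses to reconstruct until every named custodian has presented their component. The check value is a SHA-256 fingerprint used as a simplification; real X9 key check values are computed by encrypting a zero block with the key.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key components must all have the key's length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_custodians: int) -> list[bytes]:
    """Split a key into n XOR components, one per custodian (split knowledge).

    Components 1..n-1 are uniformly random, so any n-1 of them are statistically
    independent of the key: a custodian learns nothing from their own part.
    """
    if n_custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(n_custodians - 1)]
    last = key
    for part in parts:
        last = xor_bytes(last, part)
    parts.append(last)          # key == XOR of all parts
    return parts


def combine_key(parts: list[bytes]) -> bytes:
    """Reassemble the key; every component is required, none is optional."""
    key = bytes(len(parts[0]))
    for part in parts:
        key = xor_bytes(key, part)
    return key


def missing_component_for(known_parts: list[bytes], candidate_key: bytes) -> bytes:
    """Show why n-1 components reveal nothing: for ANY candidate key there is a
    final component that makes the known parts reassemble to it, so the known
    parts are equally consistent with every key of that length."""
    return xor_bytes(combine_key(known_parts), candidate_key)


def fingerprint(key: bytes) -> str:
    """Non-secret check value to confirm a reconstruction without exposing the key
    (simplification of an X9 key check value, see lead-in)."""
    return hashlib.sha256(b"kcv:" + key).hexdigest()[:8]


@dataclass
class DualControlCeremony:
    """Dual control: the key is reconstructed only after every registered custodian
    has presented their own component in this session; nobody can do it alone."""
    custodians: tuple
    expected_fingerprint: str
    presented: dict = field(default_factory=dict)

    def present(self, custodian: str, component: bytes) -> None:
        if custodian not in self.custodians:
            raise PermissionError(f"{custodian} is not a registered custodian")
        self.presented[custodian] = component

    def reconstruct(self) -> bytes:
        missing = [c for c in self.custodians if c not in self.presented]
        if missing:
            raise PermissionError("dual control not satisfied; missing: " + ", ".join(missing))
        key = combine_key([self.presented[c] for c in self.custodians])
        if fingerprint(key) != self.expected_fingerprint:
            raise ValueError("reconstructed key failed its check value; a component is wrong")
        return key


if __name__ == "__main__":
    # Constructed demo: a 256-bit data-encryption key held by two custodians.
    key = secrets.token_bytes(32)
    alice_part, bob_part = split_key(key, 2)
    ceremony = DualControlCeremony(("alice", "bob"), fingerprint(key))
    ceremony.present("alice", alice_part)
    try:
        ceremony.reconstruct()
    except PermissionError as err:
        print("refused:", err)
    ceremony.present("bob", bob_part)
    print("reconstructed ok:", ceremony.reconstruct() == key)
```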

Encryption key management is a critical part of using encryption to keep data secure and secret. Poor key management is like hiding the spare house key under the welcome mat. If you don’t understand how encryption keys are managed, and more importantly know the people and systems that have access to the keys, your data may not be as secure as you think. There are several ISO and ASC X9 standards that can help review key management processes, as well as consulting firms that are willing to help.