×

Tag: #securitybricks

How Secure is Your Data in the Cloud?

Posted on by Scott Spiker

Have you moved to the cloud and think your data is secure because the cloud service uses encryption? This may be a false sense of security depending on the sensitivity of your data. There is much more to having secure storage of data than just the encryption algorithm that is used. Many companies have moved or are in the process of moving to the cloud for computing and data storage purposes. Overall, the cloud services are a less expensive environment for computing and data storage with the convenience of worldwide access from any number of devices.

Cloud services are inherently secure using encryption for data in flight to and from the cloud, and data at rest. This encryption is typically included in the base cost of the service, but is it as secure as the in-house datacenters that these companies once used? Even if the company did not employ encryption to protect the data there was a level of security in that the network was private that protected access from external advisories. When using a cloud service, companies loss control their data relying on the security of the cloud service and its personnel. The encryption employed by cloud services is used to protect the data in the event of a data breach which protects the service from undue financial loss. The encryption keys used are shared among the customer base and managed internally. How well these keys are actually protected is not easily assessed. Poor key management could allow internal access to their customers’ data.

When it comes to encryption It is not the algorithm that protects the secrecy of data, these are publicly known and widely distributed. The choice of an encryption algorithm is important in that some are stronger than others, however the security of encrypted data relies on the security and secrecy of the cryptographic key. Any entity that has access to cryptographic keys can decrypt the data.

For companies that have sensitive data that must be protected for business purposes may choose to use encryption where the cryptographic keys are unique to them. This is implemented as a second level encryption and most cloud services offer this. These companies must implement strong key management where split knowledge and dual control is enforced such that no one single individual has access to the encryption key. Split knowledge is where the key is broken up and distributed to separate individuals for safe keeping. Individual knowledge of these key parts does not reveal anything about the key itself. Dual control is a process where two or more individuals are required to perform key management functions which may include key recovery, distribution to other platforms or systems, internal use. Improper key management may result in the loss of keys or compromise of the key which exposes the data that was meant to remain secret.

Encryption key management is a critical part of using encryption to keep data secure and secret. Poor key management is like hiding the spare house key under the welcome mat of your house. If you don’t understand how encryption keys are managed, and more importantly know the people and systems that have access to the keys, your data may not be as secure as you think.  There are several ISO and ASC X9 standards that can help review key management processes as well as consulting firms that are willing to help.

How the Emergence of Artificial Intelligence Will Affect Cybersecurity

Posted on by Kimberly Crichlow

The potential threats posed by cybercriminals remain on the rise. As a result, cybersecurity has become a major focus of businesses, government entities, and individuals alike. With so much valuable data at risk of being stolen or misused, organizations are looking for innovative solutions to protect themselves from cyber threats.  According to IBM’s, “Cost of a Data Breach 2022” report it takes a security team an average of 277 days to identify and contain a breach. Artificial intelligence (AI) has emerged as one of the most promising solutions for enhancing cybersecurity.

The introduction of Artificial Intelligence (AI) into the world of cybersecurity should be considered a game-changer. AI can help organizations protect themselves from cyber threats and also aid in incident response and investigation. AI will enable businesses to become more efficient and cost-effective by helping them quickly identify suspicious behavior, investigate security incidents faster, and accurately identify attackers.

First of all, AI will be used to detect malicious activity faster than ever before. AI-powered security systems will use sophisticated algorithms to quickly detect potential threats and malicious activity, giving companies time to act before a breach occurs. With the right system in place, companies can identify an attack almost as soon as it starts and act accordingly to stop it before any significant damage is done.

Second, AI will help improve incident response time. Currently, when a cyberattack takes place, organizations often have difficulty responding quickly because they must manually investigate each event individually. However, with the help of AI, they will be able to automatically investigate each incident at lightning speed without human involvement. This will enable them to react quickly and effectively if an attack does occur.

Thirdly, AI-powered cybersecurity solutions can provide more accurate identification of attackers. AI can learn how different attacks work over time and use that knowledge to more accurately detect when a new attack is launched against a system. It can then trace back its source to identify the attacker and their intent more accurately than ever before. This information can then be used for future protection strategies against similar attacks in the future.

Finally, AI-driven solutions are already being deployed in areas such as network security analytics which allows for the examination of network traffic patterns in real-time so malicious activity can be spotted much quicker than humans would normally be able to do so manually. These solutions are becoming increasingly advanced as they incorporate machine learning techniques which allow them to adjust their scanning criteria over time as new threats emerge making them even better at identifying possible threats before they even have a chance to do harm.

All in all, AI will bring unprecedented levels of efficiency and accuracy into cybersecurity operations as it becomes increasingly deployed across multiple industries worldwide. With its ability to scan huge volumes of data quickly while providing deep insight into network activity and possible attackers’ intentions, companies are poised to make greater gains than ever before against the threat landscape with minimal effort required on their part. This makes it imperative for businesses today to take steps towards implementing these innovative solutions if they wish to stay secure now and in the future.

The Cyber Compliance Market

Posted on by Raj Raghavan

Recently, someone asked me to quantify the federal cyber market. 

FedRAMP is now a law that underlines the Government’s Cloud first mandate. After years of ambiguity and excessive costs to become FedRAMP certified to demonstrate data protection controls based on agency’s needs, the law now sets a level playing field for mid-size service enterprises who want to tap into the Federal market. The new law puts a system of reciprocity which allows federal agencies to certify vendors and have the same level of data protection more easily. 

While this law is appealing, the certification rules have not changed. Readiness is still a mountain to climb even with an understanding of the intent of NIST 800-53 controls and the applicability to the service provider’s environment. While the NIST requirements are complex, the cloud security architects and DevOps ability to design and implement the service within an approved boundary with appropriate data controls is no small feat. The demand for these cloud security professionals is very high.

Once you are FedRAMP certified, the burden to provide continuous monitoring reports that include reporting on incidents, security events, and scan for vulnerabilities while ensuring the new product features don’t cause “significant change” is an ongoing program.  

“Let us do the numbers” from my favorite NPR show Marketplace by Kai Ryssdal.

  • While 2022 saw the federal government spend over $11B in cloud technologies, the new bill signed in Dec. 2022 increases the spending
  • The Federal market is a long-term revenue stream with a market of 440 agencies          
  • Government agencies in 10 states have adopted FedRAMP and renamed it StateRAMP
  • FedRAMP is the security gate that will open the gates to these agencies
  • FedRAMP requires validation from a pool of 40 3PAOs
  • The lack of cloud security and application security professionals will further strain service providers ability to get certified quickly

The numbers are interesting but, where do you start?

  • Does your compliance team or security team understand NIST security framework?
  • Is your commercial cloud deployment aligned to security benchmarks or regulations?
  • Don’t let 1000 controls of NIST intimidate you. These are common sense cyber hygiene controls that are broken into domains that your information security probably has implemented
  • 3PAOs can offer guidance, but your FedRAMP readiness team should have cloud security engineers who can map current security tools and processes to NIST requirements
  • While AWS, GCP and Azure offer “FedRAMP Ready” GovCloud, see if it makes sense to implement your cloud software in the GovCloud and continuously monitor it
  • This is not a security tool game or FedRAMP ready “blueprint” but an assessment of your security controls and process to meet a slightly higher security requirement

There is a small battalion of certified assessors who can provide guidance and certification. The shortage of certified auditors is increasing timelines as many of us are now getting ready for CMMC, a DoD mandate, that impacts 300,000+ DoD subcontractors in 2023.

FedRAMP Authorization Act

Posted on by Sarah Lange

https://www.linkedin.com/pulse/fedramp-authorization-act-securitybricks-inc

FedRAMP provides a standardized approach to security authorizations for Cloud Service Offerings within the Federal ecosystem and is a crucial cybersecurity certification that cloud service providers must obtain prior to working with U.S. government data. Gaining this certification in advance means placement in the FedRAMP marketplace, from which government divisions and agencies can choose a provider at the level of security they choose.

Cloud Service providers have a multi-billion dollar federal market to address with some clarity on security requirements.

President Joe Biden has signed a legislation that will reform the Federal Risk and Authorization Management Program (FedRAMP), a cybersecurity authorization program, as part of the National Defense Authorization Act (NDAA). The act is designed to promote the federal implementation of FedRAMP government wide.

The latest iteration of FedRAMP Authorization Act makes sure that the FedRAMP program has a board to continue improving the quality and shorten the time for a Cloud Service Provider (CSP) to attain an Authorization to Operate (ATO). The act also creates a new cloud advisory committee consisting of five representatives from cloud service companies with the specification that two of those positions will be filled by small cloud vendors.

Why is this important to cloud service providers (CSPs)?

There are hundreds if not thousands of cloud service providers who need to be FedRAMP certified and the journey for many has been long with millions of dollars in investment.  The old rules made it difficult to cross sell to federal agencies as each agency can have additional security requirements extending the sales process.

One of the most significant aspects of the FedRAMP reform language is a “presumption of adequacy” clause, which would allow FedRAMP-authorized tools to be used by any federal agency without additional cost, or time increasing CSPs market size.

The cloud advisory board will have voice of the CSPs’ making the rules relevant and effective for continuous compliance and ensure highest level of data protection. The shortage of 3PAOs increased the assessment timelines and the single assessment approach will free up 3PAO’s to get more CSPs certified.

If a CSP wants to make a business case to pursue the Federal market, they can start with the NIST controls benchmark with approved FedRAMP services from GCP, AWS and Azure GovCloud instances.  Once they complete their readiness and demonstrate compliance to NIST 800-53 controls, they can now find a 3PAO to validate the controls and submit the package to FedRAMP board for approval.  Once approved, they are listed, and every Federal agency can now subscribe to the service. A FedRAMP certified CSP has demonstrated highest security control implementation and monitoring eliminating the need to chase less known commercial security certifications. FedRAMP has now millions of dollars in funding to market its program to State agencies.  Many states are adopting FedRAMP as their security framework and this only increases the addressable market.