Posts

Showing posts from 2014

Operation Cleaver #opcleaver

In this blog I wanted to take a quick look at how we should consider our adversaries today, and kudos to a great report. The Operation Cleaver report put out by Cylance outlines how Iran has been actively targeting the world market and the Internet as a whole. If you don't have time to read the entire report, I'd recommend you review pages 32-35, which discuss the initial methods of compromise. It's a good practice to understand how adversaries get into your network in order to know how to protect yourself. Here's a quick look at the defenses you need to consider:

Compromise 1 - SQL injection attacks - This attack counts on administrators not setting up a SQL server with security in mind. Resolving this can be done by patching and maintaining SQL servers that are on your perimeter network. Make sure that you configure your edge with security in mind. Consider this guidance as a good practice: A quick TechNet article on protecting against SQL injections

Anonymized using a proxy vpn

In this blog, let's look at an expansion of the concepts associated with staying anonymous on the internet. So let's look at how we can stay invisible from your ISP's snooping. This can be done using a proxy VPN. There are quite a few providers in this market; a pretty complete list can be explored on http://vpnreviewz.com/ .

How it works - I found this simple graphical explanation on the www.hidemyass.com site showing how it works.

How to choose your VPN proxy - Make sure the price is right. Odds are you will find a service, but throughput tends to be less than ideal. In my opinion paying a small fee for the service is a sound decision, and you get performance. Does the provider have gateways in the countries or locales that you care about? For instance, I'm particularly interested in streaming from the UK. Turns out that, due to complex legal reasons, streaming video is blocked. Latency can be a big issue. Since prox

Anonymized

Overall I don't consider myself an ultra-paranoid computer user; however, there are times I like to consider my actions a bit more private and discreet. In the next few blogs I'll look at tools and features that can help you accomplish private computing.

Using in-browser privacy - In all modern browsers, privacy can be managed a bit using the built-in privacy features. These features are limited, as they only provide browser-based anonymity, but they are quick and simple to use. The thing about these features is that they only provide privacy from snooping by the web host (server) at best. Here are the IE (InPrivate) and Chrome (Incognito) features. Once the browser session is open, browsing is private; cookies and browser history will be wiped once the session is closed. However, it's essential to know that your browsing may be private, but if you dig deep there are footprints of the browsing session preserved on the computer. These artifacts can be di

8 ways cloud providers save you money

After completing my blog on how you would move to the cloud, I started thinking about some compelling reasons to adopt cloud computing. Here are 8 immediate cost benefits of moving to the cloud for a start-up or small or mid-sized company.

1. Established ISMS (Information Security Management System): Many companies talk about setting up an ISO 27002 based ISMS but struggle. That's because it takes lots of people, resources, and money. The major cloud providers have this already built out and tested.

2. Gates, fortified walls, guards, fences (Facility Security): Cloud providers help restrict access by role, and by granting access to small sets of trusted staff members. Most cloud providers have well-established facility security including gates, fences, guards, lighting, and many other security measures.

3. Tested backup and recovery solutions (Data Retention Policy): Cloud providers should have a plan for data retention and storage that includes redundancy can

Deperimeterized with Security in mind - Part 3

In part 3 of my moving-to-the-cloud recommendation, I address a new taxonomy for securing your cloud-based network or service-oriented architecture (SOA). As companies embrace the cloud and BYOD, they are also embarking on a journey where traditional IT security and compliance measures will not work as effectively. Security and compliance require enabling effective people, process, and technology solutions. Cloud-based architecture requires a new set of security processes and technologies. The new strategy starts by addressing your network design architecture, which outlines how you identify your hosts and perimeter points. Network and port scanners are not enough to outline your network devices anymore. Traditional network diagrams do not provide enough detail to outline the boundaries of your network. More complex data flow diagrams (DFD) that focus on application-layer design are needed in a cloud-only service model. The design can be complex but is worth the effort. I'd re

BYOD solution for your network - Part 2

In part 2 of my recommendation I look at bring your own device (BYOD). I'd consider my recommendation a simple and somewhat sane method that also addresses a fair but low-friction way to enable BYOD as a corporate device. In a recent Gartner report, 80% of CIOs say they will allow users to BYOD by the end of 2016, making individually owned devices the norm. This could be looked at as a risky proposition, as these potentially unhygienic devices become welcome on your corporate network and could cause havoc. On the other hand, BYOD may be a way to save money and increase your users' satisfaction and productivity. I've outlined six simple steps to consider when you get ready to take the plunge and bring BYOD to your world.

Step 1 - Decide on and understand your device ownership model. The two scenarios on ownership are corporate owned/managed and user owned/managed. Most likely, if the device is owned by a corporation it will be managed by the c

Secureworld expo Seattle

Secureworld expo is coming in November (12-13), and I have the privilege of presenting this year! Come by and see my session, and make sure you say 'hi' if you do. I'll be presenting "Moving to the Cloud: How to Be Secure" on the 12th at 3:00 PM.

Abstract - As cloud adoption skyrockets, key innovations mandate a new paradigm of security/assurance. Many organizations are required to follow compliance models such as PCI and ISO 27001. These models were created a decade ago, and they are showing their age even if they have been periodically updated. A new discussion is required. For instance, did you know that these regulations require network diagrams, firewalls, network monitoring, and security data aggregation (e.g. "SIMS")? Do these requirements address a cloud model? On top of that, are these decade-old concepts the right way to protect your assets in the cloud? Oh, and if you don't have a pass yet, I was given the following code to shar

How to move your business to the cloud part 1

Rapid adoption of cloud computing requires a clear understanding of what you will move and how you will manage the move. I had discussed in a previous blog that cost and trust are the key driving factors for cloud adoption. In this blog I'll expand on the key things companies should consider when moving to the cloud. A while ago, I had a room full of executives from a major mining organization. Our discussion was about cloud trust. In the discussion the CTO asked me a great question: "If you were working for me, what would you do to secure our environment as we adopt the cloud?" Here's a digest of what I recommended:

First I asked - Do you know what you are trying to protect? The problem most organizations face is knowing what they should invest the most in protecting. The cloud security trends report posted by Microsoft indicated that about 40% of organizations do not have a uniform classification methodology. As you see, all industries that were surveyed in this

Provider inside

Both infrastructure as a service (IaaS) and platform as a service (PaaS) are ideal for third-party developers to create service offerings or software as a service (SaaS) solutions ready for customers. For instance, Netflix, LinkedIn, and Salesforce are services powered by PaaS and IaaS core services but delivered as customer-ready SaaS services. As such, a Netflix user does not contemplate how Amazon AWS makes their IaaS service work to ensure that they can watch a movie. Bottom line: users watch their movies. This model is really the future of cloud services. However, unlike the telecommunications companies that deliver our phone services end to end, cloud solutions like Netflix have a dependency model users should be aware of. Ultimately, users should have the right to know who is touching and managing their data, and providers should be required to expose that information. Let's consider this. The videos served by Netflix powered by Amazon AW

Cloud (Cost + Trust)

A cloud provider's benefit statement boils down to only two variables that matter to you - COST + TRUST. You may look at this and agree, saying this seems obvious. Then again, you might consider this model too simple and wonder about flexibility, elasticity, feature/function, and other cloud benefits that influence moving to the cloud. These are all important, but in my humble opinion, cost and trust are the two most important linchpins for selecting a cloud provider, and you need to expect service providers to deliver both effectively, be willing to provide both with equal fervor, and honestly disclose their position.

COST - Moving to the cloud offers the single best opportunity to reduce overall IT and operational costs. Today all organizations, from your gardener and hair stylist to big organizations like Nordstrom, Exxon, and Starbucks, and even all the three-letter government agencies, are faced with the stark reality that cloud computing will reduce the cost of their

Configuring for the edge case

Today I set out to do something simple... set up my Outlook client software to use my outlook.com account. Simple, right? Turns out this simple task was really not that simple. The reason my case was different from many is that I use a custom domain for my email. What baffled me for several hours was that I needed a custom configuration, and like most consumer-based solutions, outlook.com's documentation is quite incomplete. The issue with my problem was that what I was doing was an edge case.

Def: Edge case - A condition or parameter not expected, or something that only happens rarely or occasionally.

I'm a consumer, and an edge case - All too often you want to use tools in their simplest manner, but edge cases make them either unpredictable or unusable. Also, we want all our tech to be simple to use, but almost everyone has an edge case in their lives that software does a lousy job of addressing. Today, providers need to consider more an

Introduction

Moving to the cloud is a complicated process. In my prior career I advised Fortune 500 companies on how and why you should use cloud computing. Now it's time I share my observations with you. This blog will look at cloud, technology, and other tech passions I have such as compliance, BYOD, IoT, Big Data, ISRM, and other technology that suits my fancy, and ultimately will help move you into the cloud. Stay tuned. Frank L: linkedin.com/in/simorjay