There are clear benefits to adopting cloud services, such as improved availability and cost optimization. Cloud also offers an opportunity to update legacy systems and processes that may have been on the risk register for a long time with no clear mitigation strategy in place.

Common Misconceptions About Cloud Security

IDC predicted more than 80 percent of enterprise IT organizations will implement hybrid cloud architectures by 2017. IT executives remain concerned about operating model changes, however, and many are wary of the perceived security challenges and increased operational complexity of cloud solutions.

Below are some common misconceptions related to cloud adoption.

Cloud Computing Is Less Secure

This should not be the case if done correctly. Security risks vary depending on the deployment model, but a clear assignment of ownership and accountability between the organization and the cloud service provider (CSP) can provide adequate security for the migrated workloads. The homogeneous operations and management practices applied by CSPs in their IT and operating environments can actually improve your security posture.

Cloud Security Is Too Complex

Cloud security does pose new challenges, since it must be managed as an extension of the current controls environment. However, a comprehensive security framework can prioritize areas of control enhancement and inform investment decisions. The added focus on data security and privacy may also compound the complexity from a compliance perspective.

Cloud Security Is Difficult to Maintain

Many IT professionals are concerned about transparency and assurance. Establishing strict governance backed by metrics and enforceable service-level agreements (SLAs) can assist in measuring a CSP’s performance.

Frequently Asked Questions

Taking the first step on a journey to cloud adoption can be daunting. Some common questions to ask at the beginning of this process include:

Which Framework Do We Use?

Multiple standards are available, each with different benefits, depending on circumstances and the environment. It is critical to establish a comprehensive cloud security controls framework that leverages industry best practices and aligns with the organization’s risk appetite.

It is also important to recognize key sets of security controls and delineate roles and responsibilities clearly. This will drive performance measurement against the SLA if the CSP is appointed as a vendor.

What Are the Regulatory Implications?

Cloud offers a new set of challenges in terms of data transfer and protection, especially with new regulations coming down the pipeline. The European Union’s General Data Protection Regulation (GDPR), which will take effect in May 2018, adds to the list of concerns. To remain secure and compliant, organizations need a holistic view of the regulatory landscape.

Will I Have Full Access to the CSP’s Security Environment?

Typically, this is not the case, but some CSPs provide more security transparency than others. This should be clearly identified as part of the vendor due diligence phase. Transparency requirements must be satisfied before agreeing to the vendor’s terms and conditions.

What Workloads Can I Put on the Cloud?

This depends. Some organizations experience scope creep in cloud adoption, leading to the unplanned migration of more sensitive workloads onto the cloud and neglect of the initial security principles. Such drift must be monitored to avoid a mismatch between the controls in place and the sensitivity of the workloads.

Where Do I Start?

Security needs to be at the heart of your cloud strategy and design. An effective cloud strategy must match the workload with the appropriate controls framework to provide assurance and protection. This approach ensures that the security capabilities offered and managed by the CSP align with the organization’s risk appetite. The framework should also consider regulatory, legal and compliance requirements that are relevant to the organization.

A Dynamic Framework

IBM utilizes a unique cloud security framework that breaks down the domains into eight categories: governance, metrics, cloud security optimization, data security, application security, network and system security, secure operations, and identity and access management.


Security teams can use governance and metrics to measure and audit the security capabilities in place. The domains consist of cloud-centric categories as well as business-as-usual security. For these domains, fundamental changes relate to maturity in service integration and the manner in which roles and responsibilities are defined within a clear ownership structure.


A successful transition requires a clearly defined cloud strategy. That strategy should identify the target state and provide prioritized road map considerations that may lead to a consolidation of cloud activities within the organization.

A paradigm shift in operating models comes with many challenges. By clearly defining the workload sensitivity and controls framework, security teams can enable efficiency, agility and trust when it comes to cloud security.


Security Intelligence

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Repercussions of the massive Yahoo breach
Yahoo has announced on Thursday that they have suffered a breach and that account information of at least half a billion users has been exfiltrated from the company’s network in late 2014.

Review: Boxcryptor
Storing your data in the cloud comes with both positive and negative aspects. Boxcryptor is a solution that helps with this by encrypting your data on your device before it gets synchronized to the cloud storage provider of your choice.

(IN)SECURE Magazine issue 51 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

How ransomware is impacting companies in six major industries
BitSight analyzed the security ratings of nearly 20,000 companies to identify common forms of ransomware and to determine which industries (amongst Finance, Healthcare, Education, Energy/Utilities, Retail, and Government) are most likely to experience attacks.

Why DNS shouldn’t be used for data transport
Malicious DNS tunnelling is a big problem in cybersecurity.

Basic file deletion increases exposure to security risks
The use of improper data removal methods and the poor enforcement of data retention policies have created the perfect storm for confidential, oftentimes sensitive data to be lost or stolen.

US elections and the hacking of e-voting machines
As the day when US citizens cast a vote for their preferred presidential nominee quickly approaches, the issue of whether the actual voting process can be tampered with is a topic that interests many.

Malicious torrents management tool uncovered
Researchers have uncovered Raum, a tool that is used by Eastern European organized crime group “Black Team” to deliver malware to users through malicious torrents.

Xiaomi smartphones come equipped with backdoor
If you’re a computer science student with an interest in cybersecurity like Thijs Broenink, you can reverse-engineer pre-loaded apps and discover for yourself what they do.

Chinese researchers hijack Tesla cars from afar
Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

We have to start thinking about cybersecurity in space
With all the difficulties we’ve been having with securing computer systems on Earth, the cybersecurity of space-related technology is surely the last thing on security experts’ minds – but it shouldn’t be.

HDDCryptor ransomware uses open source tools to thoroughly own systems
HDDCryptor (aka Mamba) is a particularly destructive piece of ransomware that encrypts files in mounted drives and network shares, locks the computers’ hard disk, and overwrites their boot disk MBR.

Biometric skimmers: Future threats to ATMs
Kaspersky Lab experts investigated how cybercriminals could exploit new biometric ATM authentication technologies planned by banks.

US gets federal guidelines for safe deployment of self-driving cars
The public is welcome to comment on the new policy, and the Department of Transportation intends to update it annually.

880,000 users exposed in MoDaCo data breach
Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their account have been compromised.

UK: Financial fraud soars
More than 1 million incidents of financial fraud – payment card, remote banking and cheque fraud – occurred in the first six months of 2016, according to official figures released by Financial Fraud Action UK. To compare, in the first six months of 2015 there were a little over 660,000 cases.

Should you trust your security software?
Recently, Google’s Project Zero security research team uncovered a bunch of critical vulnerabilities in two dozen enterprise and consumer antivirus security products from Symantec and its Norton brand.

BENIGNCERTAIN-like flaw affects various Cisco networking devices
The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products – and they found one.

Connected devices riddled with badly-coded APIs, poor encryption
Ignoring cybersecurity at the design level provides a wide open door for malicious threat actors to exploit smart home products.

Help Net Security

As part of its campaign to make the web more secure for users, Google will enhance Chrome browser security to start flagging websites using HTTP to transmit passwords or credit card information.

Because web traffic transmitted over HTTP is not encrypted, it can be monitored -- or even changed -- by an attacker. Google's announcement is part of a long-term strategy to motivate users and content providers to migrate away from transmitting unencrypted web content.

"Beginning in January 2017 (Chrome 56), we'll mark HTTP sites that transmit passwords or credit cards as nonsecure, as part of a long-term plan to mark all HTTP sites as nonsecure," Emily Schechter, a product manager in the Chrome security team, wrote on the Google Security Blog. "Chrome currently indicates HTTP connections with a neutral indicator. This doesn't reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."

The plan to move away from HTTP is ongoing. "In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as 'not secure' in Incognito mode, where users may have higher expectations of privacy," Schechter wrote. "Eventually, we plan to label all HTTP pages as nonsecure, and change the HTTP security indicator to the red triangle that we use for broken
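To make the policy described above concrete, here is an added example (not Google's code and not part of the original article) of an audit check a site owner could run over their own pages: it flags a page the way Chrome 56 would, i.e. "not secure" when the page is served over plain HTTP and contains a password field or a credit-card field, "neutral" for other HTTP pages, and "secure" for HTTPS. Detecting credit-card fields by their `autocomplete` tokens is an assumption used for the example; Chrome's own field heuristics are not documented here. The `flag_all_http` switch models the later phase in which every HTTP page is labelled not secure. The sample HTML pages are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# autocomplete tokens that designate credit-card inputs (HTML autofill field names);
# using them to spot card fields is an assumption, not Chrome's actual heuristic
CC_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Counts <input> elements that collect passwords or card data."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        # self-closing <input /> is routed here too by HTMLParser
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        elif a.get("autocomplete") in CC_AUTOCOMPLETE:
            self.card_fields += 1


def assess(url, html, flag_all_http=False):
    """Return the indicator a Chrome-56-style policy would show for this page.

    flag_all_http=True models the announced end state where every HTTP page
    is marked not secure regardless of its content.
    """
    finder = SensitiveFieldFinder()
    finder.feed(html)
    collects_secrets = (finder.password_fields + finder.card_fields) > 0
    scheme = urlparse(url).scheme.lower()

    if scheme == "https":
        verdict = "secure"
    elif scheme == "http" and (collects_secrets or flag_all_http):
        verdict = "not secure"
    else:
        verdict = "neutral"

    return {
        "url": url,
        "password_fields": finder.password_fields,
        "card_fields": finder.card_fields,
        "verdict": verdict,
    }


# constructed sample pages for the example
LOGIN_PAGE = """<html><body><form method="post" action="/login">
<input name="user"><input type="PASSWORD" name="pw"><button>Sign in</button>
</form></body></html>"""

CHECKOUT_PAGE = """<html><body><form>
<input autocomplete="cc-number" name="card"/>
<input autocomplete="cc-csc" name="cvc"/>
</form></body></html>"""

BROCHURE_PAGE = "<html><body><h1>About us</h1><input type=\"text\" name=\"q\"></body></html>"


if __name__ == "__main__":
    for url, page in [
        ("http://shop.example/login", LOGIN_PAGE),
        ("https://shop.example/login", LOGIN_PAGE),
        ("http://shop.example/checkout", CHECKOUT_PAGE),
        ("http://shop.example/about", BROCHURE_PAGE),
    ]:
        print(assess(url, page))
```

Run over a crawl of your own site, the `verdict` column tells you which pages will start showing the warning first (the ones collecting passwords or card numbers over HTTP) and which only become a problem once the all-HTTP phase lands; rerunning with `flag_all_http=True` shows the latter.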

Previous steps in the campaign to improve Chrome browser security included Google's launch of its Certificate Transparency Report. Google -- and other leading browser providers -- has also been removing support for other deprecated or insecure protocols and algorithms, including SHA-1, RC4 and SSLv3.

"Google is taking a great step toward improving security on the web by alerting users to websites that are using weak encryption that endangers security and privacy. It remains to be seen if users will pay attention," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, based in Salt Lake City. "Unfortunately, many organizations are struggling to keep up with Google's efforts to increase authentication, confidence and privacy. Many organizations still blindly trust all encrypted traffic, even though we know that cybercriminals have been able to subvert encryption in a variety of cyberattacks. As far back as 2012, a broad range of industry voices, including Gartner, started sounding the alarm on this topic, but, so far, most organizations have been less than responsive."

In other news:

  • The FBI has arrested two more of the "Crackas with Attitude," who last year managed to create a stir after they hacked CIA Director John Brennan's AOL account. The U.S. Attorney's Office of the Eastern District of Virginia announced in a press release that two North Carolina men had been arrested in connection with their alleged roles in the hacking of several senior U.S. government officials and U.S. government computer systems. According to charging documents filed with the court, the two conspired with other members of the group from about October 2015 to February 2016, using "'social engineering' hacking techniques, including victim impersonation, to gain unlawful access to the personal online accounts of senior U.S. government officials, their families and several U.S. government computer systems. In some instances, members of the conspiracy uploaded private information that they obtained from victims' personal accounts to public websites; made harassing phone calls to victims and their family members; and defaced victims' social media accounts. At least three other members of the conspiracy are located in the United Kingdom and are being investigated by the Crown Prosecution Service."
  • According to research from the German security consulting firm SEC Consult, millions of internet-facing devices are still sharing private keys, and the problem has gotten 40% worse over the past nine months. The research discovered millions of routers, modems, internet gateways and other embedded devices use secret keys and certificates that have been improperly baked in to firmware images to allow access to SSH and HTTPS for remote management of devices. "The number of devices on the web using known private keys for HTTPS server certificates has gone up by 40% in the last nine months (3.2 million in November 2015 vs. 4.5 million now)," SEC Consult wrote.
  • Google finished patching four vulnerabilities, collectively dubbed Quadrooter, in Android devices using Qualcomm chips. Two of the four vulnerabilities (CVE-2016-2503 and CVE-2016-2504) were patched in Google's Android Security Bulletins for July and August; the last two (CVE-2016-2059 and CVE-2016-5340) were patched in the September bulletin. As many as 900 million devices were vulnerable to the flaws, which were presented by Check Point researchers at DEF CON in Las Vegas this summer. According to Check Point, the flaws could be exploited by an attacker using a malicious app. "Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing."
  • Dell finally swallowed EMC in the final chapter of the $60 billion deal that included the acquisition of RSA. RSA President Amit Yoran wrote in a blog post that the new ownership would not change RSA's mission, stating: "There will be no changes to our product strategies, sales models, customer support interactions, processes or resources that we are not driving." EMC bought RSA in 2006 for $2.1 billion. At the time, many questioned the wisdom of EMC's purchase of RSA.

Next Steps

Find out more about using the Let's Encrypt open certificate authority.

Learn about the benefits and limitations of switching to HTTPS.

Read about how HTTP Strict Transport Security enhances application security.

SearchSecurity: Security Wire Daily News