Category Archives: Cloud Computing

Maker Faire Ottawa

 

img_4118

This past weekend we participated in Maker Faire Ottawa which is an all-ages gathering of tech enthusiasts, crafters, educators, tinkerers, hobbyists, engineers, science clubs, authors, artists, students, and commercial exhibitors. The location for this second Faire was the Aberdeen Pavilion in Ottawa’s historic fairgrounds and this year we got a booth to demo Hive Sense.  As you may know we are helping Algonquin College with bee research and wanted to provide the community with an update on the project. img_4122

It was great to see so many people with knowledge of the problem and we enjoyed the dialogue we were able to have with so many local professional and amateur bee keepers. We are currently working on building out a new service infrastructure and web site for our project and hope to have four to five hives monitored prior to the snow flying. Once these hives are monitored we will announce it on all our channels so you can track the progress and see the data.

Maker Faire is, according to the organizers, the Greatest Show (and Tell) on earth so it was not surprising to have had lots of cool projects again this year. While there were many 3D printing demos and projects it was nice to see groups and clubs engaging kids in robotics and coding as this is a great way to start playing with open source technology at an early age. There were programs even for big kids so there was no need to feel left out or to worry lol.

We had many attendees drop by our booth to learn about the concept of our project. Many were not technologists, engineers, or even web savvy individuals but they dropped in to see what the project was all about. It was also nice to hear from all the people who remembered their grandfather’s hives or when they lived on a farm. We keep forgetting that about 40 years ago a big part of our economy was agriculture driven especially in the Ottawa Valley.

We are looking forward to the 2017 event and being able to show what we have learned and how to get involved with the project in the future so… stay tuned.

If you have any questions in the mean time please do not hesitate to reach out to us for this or other IoT projects.

img_4112

Facebooktwittergoogle_plusredditpinterestlinkedin

Cyber Canucks EP 7: Selecting Cloud Service Providers

We hope you enjoy episode 7 in our series of podcasts on cybersecurity

Hosts: Cid Parato and Faud Khan

Topics of this episode:

  • What is the data that you are protecting or storing in the cloud?
  • Benchmarks to compare cloud service providers
  • Policies and Procedures – Implement an ISMS to ensure policies and procedures align to corporate objectives
  • Data Centre Evaluation ( location, service platform, what are their rules for data )
  • Access to Data ( who has access from provider side and your side, authentication )

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.

 

Facebooktwittergoogle_plusredditpinterestlinkedin

IoT Security – Need Some Basics

With more and more IoT products and services being announced by the hour and new engineers and developers racing to get products out the door, security unfortunately remains the last consideration.

We need to ensure that IoT leads to a security by design model. While everyone considers this one of the critical issues for both implementation and adoption for IoT, not many vendors are talking about the security model being used for product/service creation.

Some of the key elements to consider when securely designing a new IoT solution are sensors, applications and servers. Get your developers thinking about the following:

  1. What is the threat model? Once you have your product concept you need to understand and develop this model. Only then can you determine what security controls will be required to secure your solution.
  2. Do you need secure communications to your sensor/actuators? What did your threat model identify?
  3. Remove all embedded authentication or testing backdoors. Or better yet, train your developers to not use them at all. I am still surprised at how many device manufacturers use admin:admin as the user id/password combination today.
  4. Ensure that code analysis is conducted at each major development coding stage. This will ensure that vulnerabilities are quickly identified and eliminated prior to shipment.
  5. Perform end-to-end pen testing of your solution, both in the lab and in the field, to ensure you’re finding the bugs before the hackers do…..because they will!

Start-ups can easily setup these process improvements to ensure a stronger security model and use them as selling features for their solutions. Don’t be afraid to educate customers on all the effort you have invested to ensure the products/services being created are secure. At a minimum, your organization should look to implement an SDLC based on ISO 27034 Application Security as this will help to implement all the elements recommended.

Facebooktwittergoogle_plusredditpinterestlinkedin

Mobile Security For the Small Co

Over the past few years we have helped companies to deploy mobile and BYOD implementations. While some of these company’s have lots of resources ($$$) for these projects, we have come to realized that smaller companies might not have the necessary financial resources to hire additional resources so we hope this approach will help.

Lets start with a diagram. It is a top-down model that shows how to look at this problem.

Mobile Security Approach

Data – What company data will be stored on this device? or even accessible from the device? From a worse case, if you competitor had this data what would that mean to you? This could include project plans or even a RFP bid. Stop and think about this and ask your staff what they store on their devices and the apps they use. You might be surprised. I know I have been….I though I have seen everything in this business.

Threats – This is one is more complicated but is based on your data and you business. Simply stated who can access this data, from where, and how? Do a search on mobile risk to get more details to technical details realizing you might have to call a security consultant to help. However, this should help reduce your cost and focus on what aspects of a consultants time you really need.

Mobile Device – We like all devices so we are not going to tell you which one to use. Use the one that best fits your organizations needs.

MDM – Mobile Device Management has matured as a technology significantly over the past 3 years and will for the next 3. Make sure you select one that supports not only the mobile platforms you will support today but ones you may consider in the future. Next, make sure that it reduces or eliminates the threats identified in step 2. This is typically accomplished by a policy that can be pushed to a mobile device.

Policy Violation Monitoring – This one is tough and can take a while to implement but is a must to identify when your staff might have a compromised device or a possible data breach has occurred. You need to be able to identify these and be able to react according.

Some points to consider:

1. Mobile Apps are not designed to be secure – don’t expect that developers have considered security controls when designing their solution. Many are former web developers who are bring lots of bad coding habits to mobile.

2. Cloud services and providers are not secure and could have been compromised previously. Unless they deal with financial information they are under no obligication to release this information nor advise you of the breach. Read the user agreement and security details if they are provided. If the details are thin so are the security controls deployed.

3. Talk to other small companies in your space to see what they are doing to protect mobile devices and their company data.

4. Finally, if the idea of deploying security for mobile is a bit too much reach out to a local security consultant who had worked in this field. They should be able to provide the necessary support and guidance for your deployment.

For your homework assignment please read Defending Data in iOS to get a better understanding of data risks of mobile and better understand some of the technical terminology used in this space. While it is iOS centric it does contain many considerations for mobile deployment. Don’t let it install fear but educate you on what is required to secure your data in mobile.

Facebooktwittergoogle_plusredditpinterestlinkedin

Does anyone consider whats under the Microsoft Surface?

So I recently read an article about how great the Microsoft Surface was for business. So, I am not going to talk about the benefits or lack there of using this device in a business context. Nor the benefit of this device over an iPad or other device.

What is worrying is that fact that you now can save all your data to your SkyDrive. So, as a security practitioner my first thought is why would I be giving my IP to Microsoft to manage? This is part of the crux of cloud computing and small/medium businesses who are using these services to save time/money but in the long run these can cost you money….hell they can cost your business.

This cost can include the following:

1. Exposing your customer data
2. Exposing your current contract or IP data
3. The fall out related to when the press or net realize that either a or b has occurred

If you don’t believe these points are important…..please do not read any further. However, if you never considered these before then you need to plan and prevent the compromise of your data.

Some things to consider when working on a document or digital asset that is stored in the cloud:

a. Could this document be damaging to me or my customer(s) if released to the public?
b. Could this document provide insight to the workings of my organization, to new technology or strategic projects? Could my competitors benefit from this data?
c. Does it contain an personally identifying information that is considered protected by law?

If you answer yes to anyone of these you need to reconsider your options to store this data on a cloud provider. What are your options:

a. Consider using a encryption overlay provider. These organizations provide secure connectivity and encryption layers to a cloud provider. This way you hold control to your data not the cloud provider.
b. Store data using a NAS that is local to your company network. Again this can be accessed via a VPN connection
c. If you are working remotely frequently especially in hotels and coffee shops consider a VPN service provider at a minimum. You can get these services for as cheap at $5/month.
d. Decide the content is just worth creating at this point and create it under more secure controlled environment.

Small business owners/managers need to realize that your competitors are watching you. Depending on the nature of your business this could include attempting to target your customers and IP. Don’t make it easy.

BTW If you want to see what your competitors are up to check this out. http://bit.ly/TIbupc. You can also use this to see the view that others have of your organization. Starting to get the idea of keeping thing private!

Facebooktwittergoogle_plusredditpinterestlinkedin

SAS70 does not cover it for cloud computing…WHY?

First of all, don’t get me wrong here, SAS70 does have its purpose and can help demonstrate the operational maturity of an organization. However, I do not believe that it should be the yard stick from which security is measured. I have recently discovered that more executives are being told that this is the way forward, and it concerns me. Why do I make these claims?

1. I don’t trust accountants to secure my network. This is not a dig at accountants, but I would prefer that security experts and engineers provide the basis for my network security controls especially given that cloud computing has some very specific requirements.
2. Standard IT controls don’t working in a multi-tenant architecture, in some instances these reside across geographic boundaries. This adds the extra layer of regulatory policy and in many cases privacy laws. There is nothing in a SAS70 that takes these critical factors into consideration.
3. Every cloud user could be using the cloud infrastructure for multiple use cases. An auditor must be able to determine the permutations of deployments that could exist and understand the risk scenarios. Not an easy task.

Do SAS70’s work?…Yes they do in IT shops. Cloud providers are akin to small carriers from an infrastructure perspective, with the larger ones having a global presence. How do we deal with this complexity? We are still learning, however some standards such as 27017 will help to make a cloud consumer more educated and a cloud provider better prepared to deliver a secure cloud experience.

Facebooktwittergoogle_plusredditpinterestlinkedin

Looking for Cloud Provider — What does your Security Policy Say?

Over the past several months as I get more engaged with Cloud Solutions and providers one interesting aspects seems to come up EVERY time. Specifically, when an organization seems to be looking to outsource a part or part(s) of their current operational environment they seem to quickly put a provider under a security microscope.

However, many don’t seem to have security policies or if they do they are buried in the sacred IT archives on punch cards {not a poke at companies but the sad truth in many cases}. My first question that seems to confuse people when they ask me about security postures of a solution provider is “what does your security policy state?”. I believe there is big disconnect to what should be in a security policy or ISMS program and requirements to leverage outsourced services in this case cloud computing. If a policy was created to  list the aspects such as authentication, audit, logging, etc for a service provider, it can easily be compared to the current known risks verses what a provider is willing/or able to provide.

Organizations need to use their  security policy to drive their security and organizational objectives. They should be updated yearly to match the targets for the organization and map out the risks the organization is will to take. In many organizations this is not the case unfortunately. Enough about the rant, what to do about it.

1. Create a security policy {it can be small to start}
– make sure it outlines the IT and organizational objectives at a high level i.e. – We want to grow our client services portfolio by 60% over 3 years – now what IT infrastructure and security controls will have to be implemented to support this target?
– Include at least one policy that outlines user acceptable behavior of network and other business owned resources
– Make sure an executive is aware and is the spokesperson for this document
– Update at least once/year, if not more often
– Advertise and promote this work in the organization – especially at the water cooler and lunch rooms
– Know the risk of your core data! — This is your lifeline and your reputation, do everything to ensure it is protected

Failure to complete one of these steps could result in utter frustration. Or worse a compromise of your core data.

2. Learn about cloud solutions
– Every aspects including deployment models, technologies, and architectures — There are lot of good blogs and providers with white papers on this topic. I would recommend at a minimum that you get to know the Cloud Security Alliance and their 13-domains that encompass the aspects of a cloud service provider.
– Perform the risk analysis based on your business model and requirements
– Look for posted policies on security and privacy these will provide the initial assessment of a service providers security risk/security posture
– Perform the cost analysis
– Make sure the “suits” see the numbers and the RISKs — remember they own this responsibility
– Evaluate at least 3 vendors and ask them for a pilot period – if they want your business they will make this allocation

As a minimum ask for theses {written into your contract}:
a. Ability to perform one audit annually – if any failures occur record the activities that followed to ensure that situation has been either eliminated or the risk has been reduced to an acceptable level
b. Notification of outages and possible compromises

3. Finalize your decision and monitor your provider — Don’t expect them to have your best interest at
heart — Sorry but that is the reality of the situation. They are looking for operational efficiencies and
cost reduction models and in many cases will not notify you of network modifications.

Facebooktwittergoogle_plusredditpinterestlinkedin