What are the key takeaways from the Cloud Security Alliance (CSA) EMEA Congress 2013 in Edinburgh on September 25 and 26?
According to Jim Reavis Executive Director and co-founder of the Cloud Security Alliance, the security industry’s need for innovation will grow rapidly. In fact, the widespread use of connected objects and new information technologies are projected to increase the total volume of data stored in the cloud by a factor of 20 or 30. But this won’t lead to a 20 or 30 fold increase in security budgets, so we need to innovate in security.
Another trend is the design of cloud services through the growing use of APIs to connect services with each other. We can expect to see some new players in cloud service assembly, which should bring along a few new security tools and methods (the trend seems to be moving toward decentralizing security features). It’s an exciting topic and I’ll come back to it in a subsequent article.
Lastly, although current audit systems and security certifications are moving in the right direction (cf. this release on CSA STAR Certification), they’re not scalable and often come with exorbitant price tags. In the future, we’ll probably see new systems based on self-regulation by cloud service users. This means social media can serve as “circles of trust” for cloud service providers and users.
the impact of NSA/PRISM on the cloud ecosystem
PRISM, the NSA’s surveillance program, has evidently given the cloud a bad name: it has encouraged governments and cloud service providers alike to respond with isolationist solutions nationally. Many people underlined that this kind of response goes against the basic philosophy behind the internet, which is meant to be independent of national borders and the geographic locations of any infrastructure.
Aside from this new isolationism or “Balkanization of the cloud,” American tech companies and cloud service providers have also run up against a loss of confidence among users, including fears of covert data gathering, backdoors, and more. For now, users are showing a preference for services and technologies that are seen as less vulnerable to surveillance by the United States and its close allies. As the world is still extremely (perhaps excessively) dependent on the US from a tech standpoint, this will prove difficult.
The recent uncovering of massive surveillance by the US government should serve as a clear sign that cloud service providers and tech companies need to rethink security to better consider and manage these “massive government spying” threats. This holds true not only for the US, but also for any other government spying programs.
cybercrime: government spies, cloud & Bitcoin ransomware
A lot has changed in the cybercrime world. New players have arrived on scene and new trends are giving everyone a reason to be constantly on the lookout.
The biggest surprise is that governments should now be numbered among the cybercriminals. They fall somewhere between cybercriminals (who cause large-scale and indiscriminate disruption of computer networks for financial gain) and activists (who aim to defend their opinions). What sets governments apart is their extremely precise targets and highly advanced expertise in attack techniques.
For most people, “traditional” cybercriminals remain the most commonly known threat. According to Mikko Hypponen (Chief Research Officer for F-Secure), we will soon see “digital hostage taking” attacks (ransomware), which target data stored in the cloud. These attacks involve encrypting data located on a cloud service and demanding a ransom for its decryption. It’s enough to make you break into a cold sweat when you consider the recent boom in cloud storage services, such as Dropbox, Box and Skydrive!
Another trend touched on by Mikko Hypponen as well as Jean-Dominique Nollet (Head of Unit, Forensics, Research, Development at the European Cyber Crime Center, EC3) is the emergence of new digital currencies, the forerunner of which is Bitcoin.
But this cryptocurrency, which can be used to cloak underhanded financial transactions and launder suspicious funds, has also generated new ways of using botnets and other cloud infrastructure for Bitcoin mining. There’s no doubt that connected objects will also be hacked and misappropriated for this kind of activity.
Concerning future threats, Interpol’s EC3 center recently published a document outlining all anticipated threats between now and 2020 (“Facing Future Cyber Threats,” September 25, 2013). This is the perfect initiative to help us open our eyes and look at things from a new perspective. According to Mr. Nollet, this is the first time in history in which crimes can be committed with no direct connection to a geographic crime scene. This makes locating and tracking cybercriminals an especially difficult task and renders cooperation between all parties absolutely essential.
Daniele Catteddu, Managing Director EMEA - Cloud Security Alliance
spotlight on a few Cloud Security Alliance activities
The 2013 edition of the EMEA Congress offered an opportunity to discuss progress made on the Cloud Security Alliance’s various activities and initiatives.
The launch of the CSA STAR Certification for security in cloud services particularly caught my attention. This certification is based on ISO 27001 specifications along with several Cloud Control Matrix (CCM) controls. This is definitely a step in the right direction: the certification will help promote cloud service providers that set up Information Security Management Systems (ISMS – cf. ISO 27001) based on a standard set of security controls (CCM – an ISO 27002 specification combined with special controls developed for cloud services).
In other news, CCM Version 3.0 was also announced. This document lists all the security controls applicable to cloud services and organizes them into 16 main categories. New categories were added to organize controls relating to encryption and key management. In addition, security controls are also organized by group or functional area to simplify searches and implementation.
As for Big Data, the Cloud Security Alliance published “Big Data Analytics for Security Intelligence,” which explains how Big Data technologies can be used to improve security. The new document adds to the existing literature on Big Data risks (including risks tied to infrastructure as well as risks posed to individual privacy and freedom).
the security approach taken by major cloud players
In addition to learning about research work and hearing speeches by experts, we also had the chance to attend presentations given by major players such as Amazon, Microsoft and Adobe. Each company outlined how its cloud strategy integrates security challenges and compliance.
One thing is now certain: every major company now natively integrates security into its services with approaches such as Microsoft’s Security Development Lifecycle (SDL and PrivacyByDesign or Adobe’s Secure Product Lifecycle (SPLC). From now on, we will all remember to take security into account from the outset and not as an afterthought.
All three companies use an operational maintenance system to ensure systems are permanently secure and regularly updated. I was especially interested in Adobe’s three-step approach presented by David Lenoe (Adobe Director of Product Security): good hygiene, rapid anomaly detection and rapid response.
Some may see nothing out of the ordinary here, and they would be right. The hard part is figuring out how to manage everything over time and consistently for all services. Most issues arise from not doing one or the other. Overall, Amazon and Microsoft’s presentations left me with a lingering “too good to be true” feeling. I definitely preferred the direct, open and level-headed attitude of Adobe’s David Lenoe.
protecting personal data: USA vs Europe
The roundtable discussion on protecting personal data was especially interesting. To sum up, European players are waiting on Europe-wide regulations to take effect, while US companies are taking the opposite approach.
In the US, it’s the market and business above all else. In Europe, protection has to be taken into account early on and any use of personal data has to be regulated. For this reason, the representatives from the CNIL (France’s Commission nationale de l’informatique et des libertés) (Gwendal Le Grand, Head of IT Experts Department) and Google (Eran Feigenbaum, Google Apps Director of Security,) were clearly on different wavelengths, but discussions remained courteous and polite. :-)
Everyone seems to be anxiously awaiting the upcoming European regulations on the protection of personal data. Let’s hope they get here soon.
what are the key takeaways from these two days on cloud security?
First of all, cloud providers now need to adapt their strategies to integrate risks related to government activities: since the cloud centralizes data and its treatment, it’s obviously a focal point of government interest.
Cloud service providers need to increase their transparency efforts and initiatives: certification processes such as CSA STAR Certification are a step in the right direction. But they’re only a step, because a more permanent approach, such as real-time compliance monitoring, should be the goal in the long run.
Protecting personal data is already a hot-button issue, but the Internet of Things will make this an even more urgent concern. Let’s hope governments can find a middle ground that satisfies both cloud service providers and users.
All in all, 2013 was a great year for the Cloud Security Alliance’s EMEA Congress. And, as an added bonus, Orange Business Services sponsored this year’s event.
Jean-François Audenard (aka Jeff)
This post was originally published in French here.
Au sein de la direction sécurité du Groupe Orange, je suis en charge de la veille sécurité et de la sensibilisation à la sécurité. Franchise, optimisme et bonne-humeur sont mes moteurs quotidiens