Tag Archives: Cloud security

Ethics and data protection

Why the Clinton data leaks matter

In the middle of a US Presidential election that will certainly become more contrast-focused (as politically correct Americans like to call mud-slinging), the Clinton data leaks are interesting and also worth investigation for their longer-term impact on the US economy,

Shaky ethics versus data protection

A friend who is a political science professor told me that Hillary was no different from other US politicians who walk the wrong side of the line on data protection.

But Hillary Clinton's private mail server, her flagrant disregard for protecting sensitive government communications and her dubious personal ethics regarding US State Department data security policies are much more than a peculiarly American political issue that is news today and gone tomorrow.

Back in October 2015, the EU High Court struck down the Safe Harbor agreement – a trans-Atlantic pact used by thousands of companies to transfer Europeans' personal information to the U.S. – throwing into jeopardy the data traffic that underpins the world's largest trading relationship.

The Safe Harbor executive decision allowed companies to self-certify that they provide "adequate protection" for the data of European users, in order to comply with the European data protection directive and with fundamental European rights such as the right to privacy (under Article 8 of the European Convention for the Protection of Human Rights).

The Americans are just slow or maybe they don’t care about privacy

The Commission issued 13 recommendations for improving Safe Harbor in November 2013 (that is, 2 years before the ECJ ruling), but negotiations to rework the framework are still ongoing.

The ECJ’s judgement is the culmination of a 2013 legal challenge by European privacy campaigner Max Schrems who filed complaints against several U.S. Internet giants — including Facebook — in the Irish courts for alleged collaboration with the NSA’s Prism program. The Irish courts dismissed the complaint.

Why it matters to the rest of the world

A widely quoted number of US companies (4,700) rely on Safe Harbor to operate businesses in the region. The ruling also affects companies that outsource the processing of E.U. users' data to the U.S.

However, many more than 4,700 US companies are affected by the dismissal of Safe Harbor. Any company with a US corporate presence will also be impacted. We saw this recently with an Israeli biotech company with offices in Boston that was asked by a Danish hospital to provide alternate assurances for data protection. This is a curious case where it is actually better to be Israeli rather than American.

The EU has recognized that the State of Israel provides an adequate level of protection for personal data, as referred to in Directive 95/46/EC, with regard to automated international transfers of personal data from the European Union to the State of Israel or, where those transfers are not automated, where they are subject to further automated processing in the State of Israel. See this EU ruling on Israeli data protection.

You can see the full list of countries (not the US) that provide adequate data protection here.

Long term impact to US economy?

With Snowden, Prism, the contrast-focused US Presidential election, the Hillary Clinton data leaks and the attempts by the FBI to establish a dangerous anti-privacy precedent under the guise that they cannot hack an Apple iPhone, I would not expect resolution of Safe Harbor anytime soon.

The long term impact will be innovative technology / cloud / SaaS companies, like our biotech customer with Boston offices, taking their business out of the US to safer harbor places like Tel Aviv.

Which has better weather than Boston anyhow.

Tell your friends and colleagues about us. Thanks!
Share this

3 things a medical device vendor must do for security incident response

You are the VP R&D, the CEO or the regulatory and compliance officer at a medical device company.

Your medical devices measure something (blood sugar, urine analysis, facial anomalies, you name it…). The medical device interfaces to a mobile app that provides the user interface and transfers patient data to a cloud application using RESTful services over HTTPS.

Sound familiar?

The Medical device-Mobile app-Cloud storage triad is a common architecture today for many diagnostic, personal well-being and remote patient monitoring indications.

We have numerous clients with the Medical device-Mobile app-Cloud storage system architecture and we help them address 4 key security issues:

  1. How to ensure that personal data and user authentication data is not stolen from the mobile medical app,
  2. How to ensure that the mobile medical app is not used as an attack pivot to attack other medical device users and cloud servers,
  3. How to comply with the HIPAA Security Rule and ensure that health data transferred to the cloud is not breached by attackers who are more than interested in trafficking in your users' personal health data,
  4. How to execute effective security incident response and remediation – it is a HIPAA standard but above all a basic tenet of information security management.

How effective is your security incident response?

The recent SANS Survey on Security Incident Response covers the challenges faced by incident response teams today—the types of attacks they detect, what security countermeasures they’ve deployed, and their perceived effectiveness and obstacles to incident handling.

Perceived effectiveness is a good way of putting it, because the SANS Survey on Security Incident Response report has some weaknesses.

First – the survey is dominated by large companies: over 50% of the respondents work for companies with more than 5,000 employees and fully 26% work for companies with more than 20,000 employees. Small companies with fewer than 100 employees, which include almost all medical device companies, are underrepresented in the data.

Second – the SANS survey attempts, unsuccessfully, to reconcile reports by the companies they interviewed that they respond to and remediate incidents within 24 hours(!) with reports by the PCI (Payment Card Industry) DSS (Data Security Standard) Association that retail merchants take over 6 months to respond. This gap is difficult to understand, although it suggests considerable variance in the way companies define incident response and perhaps a good deal of wishful thinking, back-patting and CYA.

Since most medical device companies have fewer than 100 employees, it is unclear whether the SANS findings (which are skewed to large IT security and compliance organizations) are in fact relevant at all to a medical device industry that is moving rapidly to the medical device-App-Cloud paradigm.

3 things a medical device vendor must have for effective incident response

  1. Establish an incident response team (IRT). (Contact us and we will be happy to help you set up an IRT and train them on effective procedures and tools.) Make sure that the IRT trains and conducts simulations every 3-6 months and above all make sure that someone is home to answer the call when it comes.
  2. Lead from the front. Ensure that the head of the IRT reports to the CEO. In security incident response, management needs to be up front and not lead from behind.
  3. Detect in real time. Our key concern is cloud server security. Our recommendation is to install OSSEC on your cloud servers. OSSEC sends alerts to a central server where analysis and notification can occur even if the medical device cloud server goes down or is compromised.
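As an added illustration (not configuration from the original post), here is a minimal OSSEC setup of the kind the third item recommends: the agent on the cloud server monitors the integrity of system and web directories and forwards authentication and web server logs to a central manager, which stores alerts and emails the IRT. The server address, mail addresses and log paths are placeholders; the agent still has to be registered with the manager using OSSEC's manage_agents tool.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf on each medical device cloud server -->
<ossec_config>
  <client>
    <!-- Placeholder: address of the central OSSEC manager -->
    <server-ip>10.0.0.5</server-ip>
  </client>

  <!-- File integrity monitoring: a compromise that changes binaries,
       configuration or the web application shows up as an alert
       on the manager even if the agent host is later taken down -->
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/var/www</directories>
  </syscheck>

  <!-- Log collection: failed logins, sudo use and web requests are
       shipped off-host, so the evidence survives a compromised server -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>

<!-- Manager side: /var/ossec/etc/ossec.conf on the central server -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>irt@example.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <alerts>
    <!-- Keep everything from level 3 up in the alert log,
         but only page the IRT for high-severity events -->
    <log_alert_level>3</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>
  <remote>
    <!-- Accept authenticated, encrypted agent traffic on UDP 1514 -->
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>
```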

Why Google is a bad idea for security and compliance

Dear consultant,

I worry because so many of the best practices documents I read say that we need to store data in the cloud in Canada if we do business in Canada. See page 19 here – Health privacy in Canada

Sincerely – consumer healthcare product manager

Dear consumer healthcare product manager –

First of all. Don’t worry be happy! Thanks for sharing.

Everyone uses Google to ask questions.  That includes security and compliance specialists in Israel for biomed like me (Danny Lieberman) and my company (Software Associates).

The problems start when clients consult Google for their data security and privacy compliance affairs. Unlike healthcare problems, where there are very large numbers of people asking and answering questions and the wisdom of the crowds kicks in, data security and privacy compliance is a niche market and it's very political.

The bottom line is that you do not have to host locally in Canada – until they change the law.

There is no specific legal requirement in Canadian law for country-hosting (as in France).

Unfortunately – as elsewhere in the world – there is a certain amount of misinformed and/or politically-motivated media discussion following the Snowden affair.

People who write these documents like to point at the US Patriot Act as a reason for country hosting, without bothering to note what the Patriot Act really is: a US law that is intended to Provide Appropriate Tools Required to Intercept and Obstruct Terrorism and intercept lone wolf terrorists.

The suggestion that the NSA will intercept depersonalized consumer health records that you collect in your application as part of the war on individual terrorists borders on the absurd.

Suppose you have a user who is obese and/or has Type II diabetes and/or is pregnant and/or loves to dance Zumba. Is that information part of the NSA threat model for lone wolf terrorists?

I don’t think so.

The document in question makes an absurd suggestion on Page 19 that individual doctor offices are more secure than a Tier 1 Cloud service provider.

The data loss risk in a doctor office is several orders of magnitude higher than in Microsoft, Amazon or Rackspace cloud hosting facilities.

Since the document is misleading from a security and compliance perspective (misleading regarding the Patriot Act and incorrect regarding data loss risk), we see that we cannot rely on it as a source of so-called "security best practices".

In general – it is not best practice to use Google for security and compliance best practice.

Yours,

Danny Lieberman – Security and compliance specialists for biomed companies


The mistakes you will make on your next cloud project

Are you considering cloud security in the abstract or cloud security in your software?

Looking at cloud security issues in the abstract, we see 4 areas of concern:

  1. Mobility of Resources and multi-tenancy
  2. Identity and access management
  3. Data protection
  4. Incident response and assessment

When choosing a cloud solution for your business application, it is easy to get dragged into a low level engineering discussion of these issues.

However, we don’t implement things in the abstract; we implement real-life applications in the cloud.

Our decisions on implementing security countermeasures in the cloud should actually not be a function of 4 abstract security concerns but of two business and security management decisions:

  1. The cloud service model you choose. This is a business decision constrained by software engineering factors.
  2. How you detect and mitigate your application vulnerabilities. This is a security management decision.

The cloud service model is supremely important and is closely tied to your business requirements. If you are a business unit manager at a healthcare provider looking to implement a private social network for healthcare, you will be looking at SaaS alternatives. If you are a VP engineering at a company developing business analytics, you will be considering PaaS or IaaS service models where language support is one of your key drivers. If you are a Java shop and the BigTable key-value data model used by Google App Engine appeals to you, then Google App Engine may be your best fit. On the other hand, if you are a Ruby shop, you may want to consider Heroku.

Once you choose a cloud service model, you should spend as much time as possible doing threat modeling of your software and estimating your value at risk.

Since buggy software is insecure software, since most bugs are baked into the design, and since it's cheaper to fix bugs at the beginning of the software life cycle, it's about getting the software architecture right and then doing the implementation well, not about bolting on some third-party application security firewall rented out to you by your cloud service provider.

Service models

Mobility of resources and multi-tenancy are a core requirement for a cloud service provider. If he's doing a good job, it's his first order of business, not your first order of concern.

Regarding incident response and assessment, if your cloud provider is proactive, that is a very good sign that incident response and assessment will be handled properly. If he waits for you to tell him that there is a hacking issue on your server, then it's time to start looking for a different cloud service provider.

Identity and access management are part of your application. The architecture and deployment of your application is influenced by your choice of service model but it’s still your code running in the cloud.

Data protection is some, none or all of your responsibility depending on the service model and your software applications. This is why we need to do threat analysis on the software and consider data protection as one of the areas of concern.

Choosing the right cloud service model

The market is shaking out right now and in any given segment there are only 2 or 3 players you should be considering.

SaaS

High integration, low flexibility, high vendor lock-in. Meant for end-users. Think SF.com

PaaS

Less integration, mid flexibility, medium vendor lock-in. Meant for application developers. Think Google App Engine, Appforce.com, heroku, Azure

IaaS

No integration, total flexibility, low vendor lock-in. Good for engineers. Think Amazon WS, Rackspace Cloud

2 management mistakes you will probably make on your next cloud project

  1. Overengineering defense in depth and
  2. Ignoring or mis-estimating your application software threat surface

This is a situation we often see with product development companies that develop a cloud service using IaaS (Infrastructure as a Service), where they implement too many controls in too many layers and ignore or minimize the threat surface of the application software for security and compliance breaches.

Overengineering defense in depth

You can over-engineer your defense in depth strategy and implement firewalls, load balancers and IPS in multiple layers in the cloud: in the WAN, on the LAN, in the virtual machines and in hardware appliances. The more layers you have, the more things that can go wrong. You will be more vulnerable instead of being more secure and you will have to deal with half a dozen new issues that you created yourself:

  1. Patch management is hard
  2. Different management systems, since each layer has its own management
  3. Different administrators, since each management system has its own admin
  4. Visibility for the end user customer is impossible
  5. Almost impossible to audit

What things can go wrong when you ignore application threat surfaces?

Lots: DB exploits, connector vulnerabilities, shell script vulnerabilities, SQL injection, DDoS, information disclosure by malicious insiders.

Typical Web 2.0 attack scenarios

Here are a few you should be thinking about:

  1. Any kind of code injection
  2. Server or client returns invalid HTML
  3. Pages that contain dead links
  4. HTML forms that don't match field types expected by controllers
  5. Client side code that makes bad assumptions about AJAX services
  6. Servers that may attempt to execute invalid SQL queries
  7. Improper marshaling/un-marshaling between DB server and Web server, DB server and application tier, Web server and browser

Typical Web 2.0 vulnerabilities

Here are a few you should be thinking about:

  • Running a number of heterogeneous stacks guarantees too much chewing gum
  • Mixing languages and frameworks may be problematic, causing typing and interface issues.
  • PHP, Ruby, Python: flexibility, but no static type guarantees
  • C#, Java: statically typed, but only at the Web server
  • Code complexity that increases application threat surfaces.
  • Redundant code on servers and clients
  • Redundant data on servers and clients

Summary

At the end of the day, the Cloud Security Control model looks great, but it doesn't mitigate core vulnerabilities in your software or the tendency of system architects to over-engineer. Once you choose the right service model and vendor, you should put aside the cloud security reference models and focus on hardening your own application software.

Remember – it's your code that will be running in someone else's cloud.


Clinical trials in the cloud

Ben Baumann, of Akaza and Open Clinica fame, recently blogged about clinical trials in the cloud. Ben is pitching the relatively new offering from Akaza called Open Clinica Optimized hosting, which offers quick startup using validated Open Clinica instances and resources on demand on a SAS-70 compliant platform.

As Ben noted, in the clinical research field, putting together such an offering is not trivial. Open Clinica is the world's fastest growing clinical trials software, with an interesting Open Source business model of community-supported Open Source and revenue from enterprise licensing, cloud services and training.

Software Associates specializes in helping medical device vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments. We have been working with a regulatory affairs consulting client for over 3 years now, using the Open Clinica application for managing large multi-center, international clinical trials, using Rackspace hosting and more recently Rackspace Cloud.

I can attest that running multi-center clinical trials in the cloud is neither for the faint of heart nor the weak of stomach. Past the security, compliance and regulatory issues, there is also the issue of performance.

Although resources are instantly scalable on-demand in the cloud, resources are not a substitute for secure software that runs fast.

As I noted in a previous essay, "The connection between application performance and security in the cloud", slow applications require more hardware, more database replication, more load-balancing and more firewalls. More is not always better, and more layers of infrastructure increase the threat surface of the application, with more attack points on the interfaces and more things that can go wrong during software updates and system maintenance.

If there is a design or implementation flaw in a cloud application for clinical trials management that results in the front-end Web server making 10,000 round trips to the back-end database server to render a matrix of 100 subjects, then throwing more hardware at the application will be a fruitless exercise.

If we do a threat analysis on the system, we can see that our No. 1 attacker is the software itself.

In that case, the application software designers have to go back to the drawing board and redesign the software and get that number down to 1 or 2 round trips.

The effort will be well worth it in your next bill from your cloud service provider.
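The round-trip flaw described above is the classic one-query-per-cell pattern. The following is an added example, not code from the post or from Open Clinica: it builds a constructed in-memory SQLite database of 100 subjects with 100 scheduled events each, renders the subject-by-event matrix the naive way and with a single join, and counts the statements sent to the database as a stand-in for round trips between the Web tier and a remote database server.

```python
"""Naive vs. single-query rendering of a clinical-trial subject matrix."""
import sqlite3
from collections import defaultdict

N_SUBJECTS = 100   # subjects in the matrix
N_EVENTS = 100     # scheduled events (visits) per subject


class CountingConnection:
    """Wraps a DB connection and counts every statement sent to it.
    Each statement stands in for one Web-tier-to-database round trip."""

    def __init__(self, conn):
        self.conn = conn
        self.round_trips = 0

    def query(self, sql, params=()):
        self.round_trips += 1
        return self.conn.execute(sql, params).fetchall()


def build_sample_db():
    """Constructed sample data: subjects, event definitions and one
    status row per (subject, event) cell. Not real trial data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE subject (id INTEGER PRIMARY KEY, label TEXT NOT NULL);
        CREATE TABLE event_def (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE subject_event (
            subject_id   INTEGER NOT NULL REFERENCES subject(id),
            event_def_id INTEGER NOT NULL REFERENCES event_def(id),
            status       TEXT NOT NULL,
            PRIMARY KEY (subject_id, event_def_id));
    """)
    conn.executemany("INSERT INTO subject VALUES (?, ?)",
                     [(i, f"SUBJ-{i:03d}") for i in range(1, N_SUBJECTS + 1)])
    conn.executemany("INSERT INTO event_def VALUES (?, ?)",
                     [(j, f"Visit {j}") for j in range(1, N_EVENTS + 1)])
    cells = [(i, j, "completed" if (i + j) % 3 else "scheduled")
             for i in range(1, N_SUBJECTS + 1)
             for j in range(1, N_EVENTS + 1)]
    conn.executemany("INSERT INTO subject_event VALUES (?, ?, ?)", cells)
    conn.commit()
    return conn


def render_matrix_naive(db):
    """The design flaw: one query per matrix cell. For 100 subjects and
    100 events this is 10,000 round trips plus two to list the axes."""
    event_ids = [eid for (eid,) in db.query("SELECT id FROM event_def ORDER BY id")]
    matrix = {}
    for sid, label in db.query("SELECT id, label FROM subject ORDER BY id"):
        row = {}
        for eid in event_ids:
            (status,) = db.query(
                "SELECT status FROM subject_event "
                "WHERE subject_id = ? AND event_def_id = ?", (sid, eid))[0]
            row[eid] = status
        matrix[label] = row
    return matrix


def render_matrix_single_query(db):
    """The redesign: let the database do the join and reshape the flat
    result in memory, so rendering the whole matrix costs one round trip.
    (Use a LEFT JOIN if subjects with no scheduled events must still appear.)"""
    matrix = defaultdict(dict)
    rows = db.query("""
        SELECT s.label, se.event_def_id, se.status
        FROM subject s
        JOIN subject_event se ON se.subject_id = s.id
        ORDER BY s.id, se.event_def_id""")
    for label, eid, status in rows:
        matrix[label][eid] = status
    return dict(matrix)


def compare():
    """Returns (naive_round_trips, single_query_round_trips, same_output)."""
    naive_db = CountingConnection(build_sample_db())
    fast_db = CountingConnection(build_sample_db())
    naive = render_matrix_naive(naive_db)
    fast = render_matrix_single_query(fast_db)
    return naive_db.round_trips, fast_db.round_trips, naive == fast


if __name__ == "__main__":
    n, f, same = compare()
    print(f"naive: {n} round trips, single query: {f} round trip(s), same result: {same}")
```

Against a real database server every one of those naive round trips also carries network latency, which is why the post's point stands: the hardware bill grows with the query count, not with the data.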


Monica Bellucci and Security

Trends – security and movie stars, Manuela Arcuri and Monica Bellucci, Verisign and McAfee.

Information security and risk analysis is complex stuff, with multiple dimensions of people, software, performance, management, technology, assets, threats, vulnerabilities and control relationships. This is why it's hard to sell security to organizations. But information security is also a lot like fashion, with cyclical hype and theater: today, HIPAA, iOS and Android security; yesterday, Sarbanes-Oxley, federated identity management, data loss protection and application security firewalls.

Back in 2007, I thought we might see a return to the Age of Reason, where rational risk management replaces blind compliance check lists. I thought that this could happen for 2 reasons:

  1. Compliance projects can have good business value, if you focus on improving the product and its delivery.
  2. Security is like fashion – both are cyclical industries, and the wheel can also turn around in the right direction.

HIPAA compliance is a minimum but not a sufficient requirement for product and process improvement.

Healthcare companies and medical device vendors that do HIPAA compliance projects may be paying a steep price for HIPAA compliance without necessarily getting a return on their investment by improving the core features and functionality of their products and service offerings.

Compliance driving improvements in products and services is good for business, not just a mantra from McAfee.

It could happen, but then again, maybe not. Look at the trends. Taking a sample of articles published in 2011 on the eSecurityPlanet Web site, we see that mobile devices and cloud services lead the list, followed by IT security, with healthcare closing the top 15. I guess cost-effective compliance is a lot less interesting than Android security.

  1. iOS vs. Android Security: And the Winner Is?
  2. 5 iOS 5 Enterprise Security Considerations – You can't keep Apple out of the enterprise anymore so it's best to figure out the most secure way to embrace it, writes Dan Croft of Mission Critical Wireless.
  3. PlayBook Tops in Tablet Security – Recent price reductions may mean more Blackberry Playbook tablets entering your organization, but that may not be such a bad thing for IT security teams.
  4. Android Security Becoming an Issue – As the Android mobile platform gains market share, it also garners a lot of interest from cyber crooks as well as IT security vendors.
  5. Which Browser is the Most Secure? – The 'most hostile' one, say researchers at Accuvant Labs.
  6. How to Prevent Employees from Stealing Your Intellectual Property – It's the employee with the sticky hands that is the easiest and cheapest to thwart.
  7. Security Spend Outpacing the Rest of IT – High profile breaches and mobile devices are driving IT security spending.
  8. Public Cloud Keys Too Easy to Find – If you put the keys to your cloud infrastructure in plain sight, don't be surprised if you get hacked.
  9. Zeus (Still) Wants Your Wallet – The antivirus community has failed to figure out this able and persistent piece of malware. It's as simple as that.
  10. Spear Phishing Quickly Coming of Age – Even the security giants are not immune from this sophisticated and growing form of attack, writes Jovi Bepinosa Umawing of GFI Software.
  11. Penetration Testing Shows Unlikely Vulnerabilities – Enterprises need to dig deeper than just automated scanning to find the really interesting and dangerous cyber security flaws.
  12. Bank Fraud Still Costing Plenty – Bank fraud is and will continue to be an expensive problem.
  13. Do IT Security Tools Really Make You Safer? – Yet another suite of tools for IT security folks to administer and manage can actually have the opposite effect.
  14. Siege Warfare in the Cyber Age – In one of the unlikeliest turns of events brought about by technology, it looks like Middle Ages' siege warfare may be making a comeback, writes Gunter Ollmann of Damballa.
  15. Healthcare Breaches Getting Costlier – And it's not just dollars and cents that are on the line – reputations are on the line, writes Geoff Webb of Credant Technologies.

Security is in the cracks

Yesterday I spent most of the day re-installing one of the workstations in the office with Ubuntu 11.10. I like what I saw, but the Unity interface is not my cup of tea so I installed Gnome – what they call Classic Ubuntu.

In principle I shut down as many operating system services as I can – especially those that call out to and/or listen on the Internet – but this is supposed to be a development machine with access to our private git repository and sending out email via a Postfix relay.

On our own small scale of a lab with 6-7 machines for testing the network and software security of customer applications, I got thinking that most system vulnerabilities live in the cracks of system integration of components and packaged software, while most of the industry's efforts in software security are directed towards new software implementations.

If you are preparing to implement a packaged application for financial management, CRM, data mining or ERP, something in the back of your mind probably says that the vendor's development organization is probably not a lot different from yours (although you hope they've thought through the security issues first).

Here are 2 ideas to help find the crud in the cracks:

  • Inspect and penetration-test the system; assess infrastructure components, database interfaces and Web applications for vulnerabilities using The Software Associates 6 step Business threat analysis methodology
  • You need to identify fault-prone modules in your particular operation and evaluate those modules with the most impact on system reliability and downtime.

Digital content protection

A customer case study – Digital content protection for VOD on a TCP unicast network

One of our most interesting projects recently was a digital content protection and secure content distribution software development project in the field of IPTV and video on demand.

We were called in at a critical stage in project delivery to help manage the development and design the encryption for the digital content protection.

Read more about the VOD IPTV solution


Message queuing insecurity

I met with Maryellen Ariel Evans last week. She was in Israel on vacation and we had coffee on the Bat Yam boardwalk. Maryellen is a serial entrepreneur; her latest venture is a security product for IBM WebSphere MQ Series. She's passionate about message queue security and I confess to buying into the vision.

She has correctly put her finger on a huge, unmitigated threat surface: transactions that are transported inside the business and between business units using message queuing technology. Message queuing is a cornerstone of B2B commerce, and in a highly interconnected system there are lots of entry points all using similar or the same technology – MQ Series or the TIB.

While organizations are busy optimizing their firewalls and load balancers, attackers can tap in, steal the data on the message bus and use it as a springboard to launch new attacks. It is conceivable that well placed attacks on message queues in an intermediary player (for example a payment clearing house) could result in the inability of the processor to clear transactions, and also serve as an entry point into upstream and downstream systems. A highly connected system of networked message queues is a convenient and vulnerable entry point from which to launch attacks; these attacks can and do cascade.

If these attacks cascade, the entire financial system could crash.

Although most customers are still fixated on perimeter security, I believe that Maryellen has a powerful value proposition for message queuing customers in the supply chains of key industries that rely on message interchange: banking, credit cards, health care and energy.


The connection between application performance and security in the cloud

I met with Avner Algom last week in his office in Herzliya. Avner is the director of the Israeli Cloud and Grid Technology Consortium (IGT). The IGT is a non-profit organization of leading industry companies, vendors, ISVs, customers, VCs and academia, focused on knowledge sharing and networking for developing Cloud computing/SaaS, Virtualization and SmartGrid solutions. It is open, independent and vendor-neutral.

It is significant that discussions of cloud security and performance focus almost exclusively on infrastructure issues such as virtualization or procedural issues such as infrastructure compliance with various security standards and frameworks.

I remarked to Avner in the course of our chat that there is a close correlation between performance and security issues for Web applications running in the cloud. Avner asked me how I came to that conclusion.

Here is why cloud performance and cloud security have common issues.

Virtually all applications deployed in the cloud are either Web-based applications or smartphone apps for Android or iOS that use http/https as their application transport.

The current rich Web 2.0 application model is broken, and it has nothing to do with the serious and fundamental issues with the Microsoft monoculture, Windows operating system vulnerabilities and Internet Explorer non-compliance with IETF standards.

It will not help if you use Ruby on Rails or CakePHP or Zend Framework either. The debate between the Ruby on Rails, ASP.NET and PHP camps is mildly interesting but irrelevant from a cloud security and performance perspective.

A deeper look at Web applications reveals that the current rich Web 2.0 application development and execution model suffers from a broken architecture that cannot be fixed by tweaking languages.

Further examination shows that the data typing, message passing, redundant code and data, and multiple tier issues that are security vulnerabilities for Web applications in the cloud are also root causes of application performance issues and latency, which result in a poor user experience and a high cost of operation for the application operator. Note that in a utility model where you pay for CPU cycles, you pay more for inefficient applications. That is the dark side of the externally vivacious cloud service model.

The attached presentation examines some of the root causes of the currently broken Web 2.0 application development and execution model and shows that the same security vulnerabilities born out of Web 2.0 client/server architecture result in 10x poorer performance than a traditional client-server model based on stateful, TCP unicast socket communications.

See Web application security in the cloud
