Last week I attended a joint conference of the International Association of Privacy Professionals (IAPP) and the Cloud Security Alliance (CSA) in San Jose, California. Co-branded as the Privacy Academy/CSA Congress, the joint conference recognized the increasing importance and interdependence of the two disciplines, cloud security and privacy. The barely three-day event was filled with nearly 100 sessions, including six keynote speakers and nine pre-conference workshops. Choosing which sessions to attend was almost as hard as defending the cloud from cyber-attacks; there were just too many interesting topics.
Sessions were divided between privacy and security with about a third of them delving into both. Even though it seemed a very dry area, I did attend a pre-conference workshop on contracting in the cloud and it was worth the investment in time. I walked away with some juicy tidbits. Oh? You want me to share. I suppose I can, a little.
- Calculate the total cost of ownership (TCO) of a solution. When considering a cloud solution, figure in the cost of vendor monitoring and the exposure risks of the solution. Only this way can you get a fair comparison to in-house solutions (with their own security costs and risks).
- Make sure your vendor understands the ecosystem in which it operates and has a level of understanding commensurate with the privacy and security needs of its target customers.
- The European Union takes a dim view of companies pointing fingers or blaming “take it or leave it” contracts. An imbalance of negotiating power is not an excuse to ignore privacy and security obligations.
How to Manage Shadow IT
One of the more interesting sessions talked about Shadow IT, a definite problem for any IT security group trying to control information leaving the corporate network. However, the speakers positioned it as an opportunity rather than a problem. By examining network traffic they were able to discern some interesting statistics. First, it helped bolster the argument for their CIO to get a bigger budget. Why? Because they could demonstrate the demand for services being paid for out of budgets not under IT. Secondly, by showing what types of services were being procured, they could find bottlenecks in company processes. Are developers spinning up Amazon Web Services instances? Maybe they aren’t being given the proper tools when they need them for development and testing. Security can still play a role in this examination. While employees taking a break from the daily drumbeat may surf Pinterest to daydream, upload traffic to Pinterest suggests something different is going on. In the experience of one of the speakers, it turned out an employee was hiding corporate IP in images using steganography, and uploading those images to Pinterest for exfiltration from the company network.
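To make the two uses of the traffic review concrete (the inventory of unsanctioned services for the budget argument, and the upload-heavy outlier that gave away the steganography case), here is an added example that is not from the talk or the original post. It runs over constructed proxy log lines with a hypothetical catalogue of services; the field layout, hosts, users and byte counts are all assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the post): ts user method host bytes_sent bytes_received
SAMPLE_LOG = """\
2014-09-18T09:01:02 alice GET pinterest.com 512 184320
2014-09-18T10:12:44 bob POST pinterest.com 5242880 1200
2014-09-18T10:13:30 bob POST pinterest.com 6291456 1150
2014-09-18T11:00:00 carol GET ec2.amazonaws.com 800 45000
2014-09-18T11:02:15 carol POST ec2.amazonaws.com 2400 9000
2014-09-18T11:30:00 dave GET dropbox.com 300 2048000
"""

# Hypothetical catalogue of services not provisioned by IT, keyed by host suffix.
UNSANCTIONED = {"amazonaws.com": "cloud compute", "dropbox.com": "file sharing",
                "pinterest.com": "social / image hosting"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

def parse_log(text):
    """Parse log lines into dicts, skipping malformed lines."""
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        _, user, method, host, sent, recv = m.groups()
        records.append({"user": user, "method": method, "host": host,
                        "sent": int(sent), "recv": int(recv)})
    return records

def categorize(host):
    """Map a host to its unsanctioned-service category, or None."""
    return next((c for s, c in UNSANCTIONED.items()
                 if host == s or host.endswith("." + s)), None)

def shadow_it_inventory(records):
    """Distinct users per service category: the demand IT is not budgeting for."""
    users = defaultdict(set)
    for r in records:
        cat = categorize(r["host"])
        if cat:
            users[cat].add(r["user"])
    return {cat: len(u) for cat, u in users.items()}

def flag_upload_heavy(records, min_sent=1_000_000, min_ratio=10.0):
    """(user, host) pairs whose upload volume dominates: browsing Pinterest
    is download-heavy, pushing megabytes of images to it is not."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[(r["user"], r["host"])][0] += r["sent"]
        totals[(r["user"], r["host"])][1] += r["recv"]
    return sorted(k for k, (s, rcv) in totals.items()
                  if s >= min_sent and s / max(rcv, 1) >= min_ratio)
```

On the sample data the inventory reports two Pinterest users and one each for cloud compute and file sharing, while only bob's Pinterest sessions are flagged as upload-heavy; a real deployment would tune the thresholds per service and follow up the flag with a content review rather than treating it as proof of exfiltration.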
The Future of Incident Response
At the conference’s close, noted security luminary Bruce Schneier made a keen observation during his keynote address. During the 1990s the push in security was prevention. Firewalls and anti-virus protection burst on the scene. It was all about protecting the corporate perimeter. After 2000, the trend was in intrusion and data leakage detection. While firewalls protect you from the outside, once a nefarious actor is on the inside (say a disgruntled employee), you need to detect what they are doing.
Bruce noted that he hadn’t been a fan of the term Advanced Persistent Threat (APT) for many years. But as evidence mounts that state actors and well-funded cyber criminals are targeting specific businesses, he has warmed to the notion that if someone with enough money and enough resources has you in their sights, you will be hacked. In that case, you need to prepare. You need to have a response plan. You need to be prepared to execute that plan. This, he said, is the decade of response.
One other nugget I picked up at the conference: There is no longer a corporate perimeter. Your company’s data is spread among a hundred cloud services. It is in your employees’ and contractors’ mobile devices. It is traveling on airplanes, in the mail, traveling over wires, crossing borders — both physically and electronically. Your goal is to protect the content, not the network. Secure the data wherever it resides.
I encourage you to explore on your own. Many of this year’s presentations are posted on the IAPP website. In addition, the CSA and IAPP have already announced that the honeymoon (i.e. next year’s conference) will be held in … drum roll please … Las Vegas. Remember, what happens in Vegas, stays in Vegas.