Research

This is a new series on what security pros need to know about cloud file storage and collaboration (also called file sync and share). If you have feedback please leave a comment, or even track and edit the evolving paper over on GitHub. The rise of cloud file storage and collaboration Few technologies have invaded the enterprise as rapidly as cloud file storage and collaboration services. Typically called File Sync and Share, these tools originated as consumer cloud services to help people store, sync, and share files across computers and mobile devices. We hate to dip into hyperbole, but calling these tools groundbreaking is an understatement. Users can now access their files from any computer or device and share files with anyone, anywhere, with ease and simplicity never seen before. To many consumers, this is “the cloud”. These services so quickly proved their value that they inevitably made their way into the enterprise. Unfortunately few of them were architected to support the needs and security requirements of a business. In response, many organizations simply banned and blocked them, but as always happens when a tool provides demonstrable business benefit, use is inevitable – with or without support. In response, enterprise-class options emerged. But many security professionals still struggle to understand the implications of cloud storage and collaboration, and the differences between consumer and enterprise-grade services. Even though some of these services can offer superior security to traditional on-premise file storage. The market is evolving incredibly rapidly, with both new features and new competitors showing up constantly. We see continuous change as everyone scrambles for competitive advantage in this wide-open new market. The category is most often called file sync and share, but we prefer the term cloud file storage and collaboration because many of the services and tools offer much more than basic syncing and sharing. Cloud file storage and collaboration services are an unavoidable disruptive innovation. Security implications, but also significant benefits The risk is pretty obvious: pick the wrong service, or configure it incorrectly, and it is all too easy to effectively punch a hole in your firewall, allow all denizens of the Internet unfettered access to your files. Without centralized visibility and control, employees make mistakes and expose sensitive information. Choose an insecure service and you suffer the consequences of misplaced trust and exposed files. Practically speaking, file security is something most organizations have struggled with since long before the Internet. But cloud services enable us to extend our failures across the Internet. Tools vs. Services You will notice we tend to focus on cloud storage and collaboration services, rather than tools you implement yourself. While tools are available to create your own private file sync and share services, they don’t offer all the benefits of a true cloud service. Covering both would complicate this paper, and most of the concerns and questions we receive are about cloud-native services, not internal tools which offer similar functionality. But pick the right service and configure it properly, and you can realize security benefits that are impossible with traditional file storage. By centralizing all file storage security gains a choke point for complete control and visibility. You can track the full history of access to all files from all users and devices. You can set enterprise-wide policies for how files are managed and shared, both internally and externally. And unlike many other security approaches, you can do so while providing the business something they want and are highly likely to adopt. The alternative? Our existing troves of dozens, if not hundreds or thousands, of file repositories – all managed separately, with different policies, and usually without any real monitoring capabilities. This paper delves into the security implications of cloud file storage and collaboration services. It covers the security fundamentals (including risks and benefits), core security features, and some more advanced security features such as encryption options. We will separate out what you can expect from an enterprise-class service vs. a consumer offering – to help security professionals evaluate, select, and leverage the right options for their organizations. The trick is to ensure you understand the strengths and weaknesses of each service, and how best to enable security without disabling the business. Share:

Mike’s at the Jersey Shore, Rich is in Boulder, and Adrian is… baking in Phoenix in between tree-killing monsoons. This week we kept it simple with two topics. First up, China’s accusations that iOS and iDevices are a security risk. Which they should know, since they are all built there. Second is a discussion on security careers. How to break in, and what hiring managers should really look for. The audio-only version is up too. Share:

I have to admit, this is a bit of a first. I am participating in a cloud security webinar July 21st with Elastica, a cloud application security gateway firm (that’s the name I’m playing with for this category). It will be less slides and more discussion, and not about their product. This is a product category I have started getting a lot of questions on, even if there isn’t a standard name yet, and I will probably pop off a research paper on it this fall. But that isn’t the important part. Sometimes clients pony up an iPad or something if you sign up for a webinar. Heck, we’ve given out our fair share of Apple toys (and once a Chumby) to motivate survey participation. This time Elastica is, for real, giving away a Ducati Monster 696. No, I am not eligible to win. I thought it was a joke when they showed me the mockup of the contest page, but it is very real. You still have to pay delivery, title, insurance, customs, transportation, and registration fees. Needless to say, I feel a little pressure to deliver. (Good content – I don’t think they’d let me drive the Ducati to your house). Share:

Well, I did it. I survived over 6 months of weekly travel (the reason I haven’t been writing much). Even the one where the client was worried I was going to collapse due to flu in the conference room, and the two trips that started with me vomiting at home the morning I had to head to the airport. Yup. Twice. But for every challenge, there is a reward, and I am enjoying mine right now. No, not the financial benefits (actually those don’t suck either), but I ‘won’ a month without travel back in my home town of Boulder. I am sure I have written about Boulder before. I moved here when I was 18 and stayed for 15+ years, until I met my wife and moved to Phoenix (to be closer to family because kids). Phoenix isn’t bad, but Boulder is home (I grew up in Jersey but the skiing and rock climbing there are marginal). My goal for this month is to NOT TRAVEL, spend time with the family, and work at a relaxed pace. So far, so good. Heavy travel is hard on kids, especially young kids, and they are really enjoying knowing that when I walk out the door for ‘work’ and hop on my bicycle, I will be back at the end of the day. Boulder has changed since I left in 2006, but I suspect I have changed more. Three kids will do that to you. But after I ignore the massive real estate prices, proliferation of snooty restaurants, and increase in number of sports cars (still outnumbered by Subarus), it’s hard to complain about my home town doing so well. One unexpected change is the massive proliferation of startups and the resulting tech communities. I lived and worked here during the dot com boom, and while Boulder did okay, what I see now is a whole new level. I can’t walk into a coffee shop or lunch spot without overhearing discussions on the merits of various Jenkins plugins or improving metrics for online marketing campaigns. The offices that stood vacant after the loss of Access Graphics are now full of… well… people 10-15 years younger than me. For an outdoor athlete with a penchant for entrepreneurship, it’s hard to find someplace better to take a month-long ‘vacation’. As I hit local meetups (including speaking at the AWS meetup on the 22nd) I am loving engaging with a supportive tech community. Which isn’t a comment on the security community, but a recognition that sometimes it is extremely valuable to engage with a group of innovation-embracing technical professionals who aren’t getting their (personal) asses kicked by criminal and government hackers by the minute. I have always thought security professionals need to spend time outside our community. One of the ways I staved off burnout in emergency services was to have friends who weren’t cops and paramedics – I learned to compartmentalize that part of my life. If you can, check out a local DevOps or AWS meetup. It’s fun, motivating, and they have better swag. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mortman quoted in The 7 skills Ops pros need to succeed with DevOps. Favorite Securosis Posts Adrian Lane: Incite 7/9/2014: One dollar…. One of Mike’s best all year. Rich: Increasing the Cost of Compromise. This is the strategy of Apple and Microsoft at the OS level, and it is paying off (despite common perception). Economics always wins. Well, except in politics. Other Securosis Posts Trends in Data Centric Security: Tools. Open Source Development and Application Security Survey Analysis [New Paper]. Leveraging Threat Intelligence in Incident Response/Management. Trends In Data Centric Security: Use Cases. Incite 7/2/2014 – Relativity. Updating the Endpoint Security Buyer’s Guide: Mobile Endpoint Security Management. Firestarter: G Who Shall Not Be Named. Favorite Outside Posts Adrian Lane: Threat Modeling for Marketing Campaigns. Educational walkthrough of how Etsy examined fraud and what to do about it. Smart people over there… Rich: Ideas to Keep in Mind When Designing User Interfaces. I really enjoy user interface and experience design. Mostly because I enjoy using well-designed systems. This isn’t security specific, but is absolutely worth a read… especially for product managers. Research Reports and Presentations Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Top News and Posts Specially Crafted Packet DoS Attacks, Here We Go Again. Vulnerabilities (fixed) in AngularJS. DHS Releases Hundreds of Documents on Wrong Aurora Project. As my daughter would say, “Seriously?!?”. Microsoft Settles With No-IP Over Malware Takedown. Hackers (from you know where) crack and track shipping information. A great example of a target that doesn’t realize its value. Researchers Disarm Microsoft’s EMET. Mysterious cyberattack compromises more than a thousand power plant systems. Noticing a trend here? Share:

As they fight to keep the Firestarter running through Google outages, vacations, and client travel, our dynamic trio return once again. This week they discuss some of the latest news from a particular conference held out in Washington DC last week which Mike stopped by (well, the lobby bar) and Rich used to help run. The audio-only version is up too.   Share:

Mike is out on a beach this week sunning himself (don’t think to hard about that) so Rich and Adrian join up to talk about some interesting developments in Apple privacy, and how Apple may be using it to get some competitive advantage. The audio-only version is up too. Share:

Thanks to the cloud, mobility, and emerging practices like DevOps, I don’t think anyone would argue we aren’t in one of the most rapidly evolving IT eras since the emergence of the World Wide Web. Like it, hate it, or anywhere in between, everyone I speak with knows the winds have changed. Personally I believe these disruptions are more impactful than our first tenuous connections to the Internet but that’s fodder for another post. It is clear we don’t yet know fully how these advances will change existing IT practices across different kinds of organizations. That’s why we are partnering with JumpCloud to get a better sense of these evolving technologies; along with the impact of, and approaches to, internal practices and DevOps. This isn’t a vendor-licensed or -sponsored study. JumpCloud is on the operations side, Securosis on the security side, and we are both looking for a better idea of what’s going on out there, so we decided to partner up. You can take the survey here. As usual, we will release all the raw data (anonymized, of course) back to the community. We are also giving away cool stuff to random winners who complete the entire survey (and leave contact info). An Amazon Fire TV, Samsung Gear 2 Neo Smartwatch, or a Fitbit Flex. (We decided to change things up from the usual Apple giveaway). So please spread the word and take the survey. Share:

Rich here, When I grew up in New Jersey, summer didn’t really start until June 25th, the day we got out of school. It was weird to me when I moved to Colorado and school ended in May and started in August, but people also used the word “pop” to describe soda, so I figured it was a wacky cultural thing. These days I live in Arizona. Today is June 5 and the temperature should hit 110F. Yesterday it was over 90F by the time I finished breakfast. This. Is. Wrong. I think summer for us started somewhere around the end of January. We have since moved on to a fifth season I fondly call “Ohforfu**’ssakeum”. It isn’t in the books but I am working up a Wikipedia entry. Summer for my children will be very different than I what I grew up with. There’s no simple wandering around the neighborhood looking for your friends, because within a block their shoes will melt and adhere them to the middle of the street, only to be run over by an Amazon delivery truck or one of the 950 landscapers patrolling the area. They’ll get plenty of time at the pool but we need to keep a close eye on them and make sure they jump out every now and then to cool off in the air-conditioned bathroom. Arizona isn’t all bad. For most of the year the weather is about as perfect as you could want. Plus you save a lot on winter clothes. On the downside I miss sweatshirts, and the nearly 20 years I spent cultivating a fleece-based fashion identity is totally wasted. We will be spending a lot of time outside the state this summer. A trip to the Irish festival in Lawler, Iowa (no, I’m not kidding). Then the month of July in Boulder. Then Black Hat and DEF CON for me, and kindergarten for my oldest a week after I get back. But I’m sad for my kids. Summers growing up in Jersey could get pretty hot and muggy, but you could still wander around the neighborhood looking for other kids without having to refill your Camelback 8 times. Then again, rumor is no one lets their kids wander around and experience life any more, so I suppose it won’t make much difference that mine will do the same overly-structured activities as everyone else, but with better air conditioning. But if you make it up to the Irish fest, let me know, and vote for my kids in the Little Lass and Laddie contest. On to the Summary: A quick note: Our posting volume is down to balance some pretty insane demand for our services against family summer time. Don’t worry, we have cool things in store for you coming up. Besides, we still write more than pretty much anyone else who doesn’t get paid by page views. Webcasts, Podcasts, Outside Writing, and Conferences I wrote an article for Macworld on what I learned about upcoming Apple security from WWDC. Favorite Securosis Posts Adrian Lane: Firestarter: Sputnik or Sputput. Sputnik? Nyet! Mike Rothman: Firestarter – Even though I wasn’t there, the show must go on. And it did – admirably. Rich: Cloudera acquires Gazzang. Because it’s good analysis. And the only other thing we posted. Favorite Outside Posts Adrian Lane: Peek Inside a Professional Carding Shop. It’s a good read and I can’t help laugh at the clever use of the McDonalds meme. Mike Rothman: A Hacker Looks at 40. Really good post by Shack. Great to see gratitude, not whining. And there is no question Shack knows exactly who he is. Rich: Rob Graham asks Can I drop a pacemaker 0day? Very well thought out as usual, and hard questions society probably isn’t ready to deal with. Dave Lewis: John Oliver’s net neutrality rant may have caused FCC site crash. You really need to watch it – pure genius. David Mortman: Lego to produce female scientist minifig set. Finally. Gunnar Peterson: Adam Carolla versus patent trolls going after podcasters. Bonus outside link: it takes a minute, but pure awesome once you figure it out. Behold, this is the greatest GitHub software repository of all time. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts Another big OpenSSL bug. Violet Blue has good details. GameOver Zeus botnet disrupted by FBI. Network Security, Build To Fail. Mounties join crack down on Russian cyber crime. Pirate Bay Founder’s Computer Was “Hacked”, Investigation Reveals. US cybercrime laws being used to target security researchers. DARPA Cyber Grand Challenge Finale Set For DEF CON 2016. Share:

Mike is off giving a giant mouse all his money, so Rich and Adrian ran the Firestarter as a duo this week. The question of the day is: Are we in a Sputnik moment? Did the Target breach shake things up so much that security is moving up the chain? Or are these short-term reactions, which will fade with our memories of what happened? We keep these notes short, but here is a link to the Reuters article we mention. The audio-only version is up too Share:

Amazon Web Services dropped a security bomb this week when they announced the immediate availability of volume storage encryption. With one click, for free, you can encrypt any EBS (Elastic Block Storage) volume in AWS. For those who aren’t familiar with AWS, they are effectively virtual hard drives you attach to a running instance (virtual machine). I missed this one, but Contributing Analyst Gal Shpantzer picked it up and mailed it to us internally. I’m on a plane so I’ll keep this short and to the point: Encrypting a volume is a simple as checking a box when you create it, or making an API call. You cannot encrypt a boot volume. You can only encrypt additional volumes (extra “hard drives”, not the one you boot your operating system from). Amazon manages the keys for you. There are currently no provisions to manage your own key. Encrypting the volume protects it in snapshots, and as you make copies and move them around. This is similar to AWS encryption for S3, which has been out for a while. Here’s the context: Werner Vogels, Amazon’s CTO, has pretty much said the cloud is moving to encryption by default. This is another step in that direction. This is awesome for compliance. Technically it means Amazon (and thus a government) can see your data. However, Amazon has extremely strict segregation of duties internally and I strongly suspect it is nearly impossible, or even effectively impossible, for an employee to gain access to your key. But we cannot know this for sure until Amazon releases more details, and this does not protect you in case AWS receives a legal court order to access your data. The only real assurance you can have about complete control (privacy) for your data is control of your own keys (I consider CloudHSM a solid option, even though it is hosted in AWS). Before going too crazy with this… experiment with performance and file system requirements. My previous research showed there are always tradeoffs. They are pretty much always manageable, but only once you learn your way around the land mines. This will hurt some of the existing cloud encryption market, but not a lot. Many organizations encrypt to maintain high assurance, and this does not provide that. It does, however, knock out some compliance concerns; it also provides excellent basic data security if you don’t mind that Amazon could technically get your data in an extreme situation (such as legal discovery). It also doesn’t help with boot volumes. From now on I suggest you check this box by default once you complete performance testing. Where is this headed? Hard to tell. AWS allows customers to manage their own keys (using CloudHSM) for some services including RedShift and RDS. But they have yet to enable it for S3, even though that has been around for a while. In the long run I suspect AWS to enable CloudHSM management of S3 and EBS keys, but I have no idea of timing. Boot volume encryption is likely much further down the road, beyond the event horizon for analyst predictions. The cloud encryption market won’t take too much of a hit for a while. At the low end no one pays for encryption anyway. Above that, customer needs are beyond this. If you use AWS this is your easiest encryption option, but make sure you know what it provides: compliance, snapshot protection, and protection from single-point-of-failure access to your storage volumes. You will need to look at commercial alternatives if you want to encrypt boot volumes, manage keys consistently in hybrid or multiple-cloud deployments, assure Amazon can never see your data, or keep governments out. As always, hit me up with questions in the comments. Share: