Research

There is no free lunch. We need to be reminded of that over and over again. Apparently the Australian government wants to mandate telcos store customer data for 2 years. This is ostensibly to combat terrorism. The telcos don’t like this, so their PR spinsters are talking about how this would cost $500-700M/year, and those costs would be passed onto consumers to the tune of about $100/year. They even referred to this as a “surveillance tax”. FUD-tastic! Got to hand it to those spinsters – they know how to create a frenzy. Even better, the government is trying to extinguish the flames with calming statements like: “the public should not be concerned that there’s going to be gross misuse”. and even better: “I cannot understand why it is correct for all your privacy to be invaded for a commercial purpose, and not for me to do so to save your life,” ROFL. It is not okay for our privacy to be invaded by anyone. I guess these guys never learned that two wrongs don’t make a right. And then they have the voice of reason, who happens to be a dude indicted by the US for leaking info on the NSA. This guy mentions that collecting and retaining all that consumer data creates a huge and irresistible target for hackers. No kidding. What could possibly go wrong with any of this? At least I got my belly laugh in this Thursday morning. Photo credit: Shepard Fairey in London: Big Brother Is Watching YOU originally uploaded by tim rich and lesley katon Share:

I read Jim Bird’s blog consistently because he talks about stuff that interests me. He has a ton of experience and his posts are thought-provoking. And every couple months I totally disagree with him, which makes reading his stuff all the more fun. This week is one of those times, with Devops isn’t killing developers – but it is killing development and developer productivity. I think Jim flat-out misses the mark on this one. The metrics we use to measure productivity are broken. Always have been – stuff like number of lines of code and velocity. Software development metrics have always been crap. Do you really believe more code is better? Isn’t the goal to deliver quality products which include robustness, satisfaction of requirements, security, and so on? Measurements like velocity are made-up and irrelevant to our real needs. They don’t actually tell us what productivity is – all they do provide a trending indicator which sometimes tells us a change we made to the process is having an effect. If we had something better we would use it, but most development metrics are surrogates for real measures because we don’t have any good yardsticks for producing quality code. Which leads to the second point: DevOps spotlights just how broken these metrics are. It is specious to consider developer productivity as going down when the focus of developers and IT has changed to include test orchestration, deployment, and systems management. Developers scripting Chef, Puppet, Bamboo, or whatever are still working productively. Orchestration scripts are code – they are not wasting time handling operations. Writing tests scripts is still work (which developers typically don’t like) and part of the job. The goal is to automate tasks so you don’t need to manually repeat them over and over. DevOps is not the same thing Continuous Deployment. Continuous Deployment is part of it, but not the whole enchilada. DevOps allows developers to be more responsive to customer requests – not because they are chained to a pager answering support calls, but because automation and the infrastructure-first approach enables them to be. Sure, you can screw up priorities and clog the swim lanes with the wrong tasks, but that is a management issue – not a DevOps problem. I agree that not all developers like having to assume more programmatic orchestration of IT operations, and they aren’t necessarily good at it. But the key shift to take note of is that IT staff had better learn to program, or they will have a tough time finding work. The key to DevOps is automation, which means code and scripts… which is why IT needs more developer-centric skills. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian and Mort talk Big Data with George Hulme. Mort quoted in Communicating at the speed of DevOps. Dave Lewis: Digital Supply Chain (In)Security. Favorite Securosis Posts Gunnar: The Identity Cheese Shop. Direct from the ivory tower of identity architecture. David Mortman: Big Brother’s Price Tag. Adrian Lane: The DevOps-y Future of Security Engineering. Mike Rothman: Recruiting Across the Spectrum. Yup, this is mine. But I wanted to highlight it again because I think it’s an important discussion to have. We will need to start thinking unconventionally if security is going to scale to meet demand. Other Securosis Posts Incite 7/30/2014: Free Fall. All Good Things. The 2015 Endpoint and Mobile Security Buyer’s Guide [Updated Paper]. Favorite Outside Posts David Mortman: Multipath TCP speeds up the internet so much that security breaks. <– Ooops. Stateful firewalls break multi-homed BGP if you don’t architect correctly…. Dave Lewis: Canadian intelligence sweeps often intercept private data, spy document reveals. Adrian Lane: Banks Gain Scale with Cloud Issuance & Host Card Emulation. Kaushik Roy clearly articulates some of the issues around HCE and secure elements that have slowed mobile payments and mobile identity for the last few years. And I agree with his thrust that HCE will win out as banks adopt it to reduce fraud and have a viable roadmap for coming EMV standards. Mike Rothman: Symantec Endpoint Protection 0day. The guys at Offensive Security found a little issue with SYMC’s endpoint agent, allowing for privilege escalation. Though we shouldn’t beat up on Symantec too badly – it could have been anyone’s agent. These tools are supposed to reduce attack surface, right? Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. Top News and Posts 0-days found in Symantec Endpoint Protection. Android “FakeID” security hole causes a pre-BlackHat stir. Google’s Android Has a Fake-ID Problem. CIA Admits Guilt, Apologizes for Accessing Senate Computers. Improving Malware Detection in Firefox. Vormetric And Rackspace Partner To Offer Encryption Services On Rackspace Cloud. Hackers Plundered Israeli Defense Firms that Built ‘Iron Dome’ Missile Defense System via Krebs. Digital Supply Chain Security: Partner Networks. Russia wants Apple and SAP’s source code over spying concerns. Incident Response Metrics. Breach index: Encryption used in 23 percent of Q2 incidents. Share:

We have talked a lot about how this cloud thing and the associated DevOps revolution will fundamentally reshape security. Probably not tomorrow, or even the day after that. But before you know it, everything you thought you knew about security will have changed. Rich documented a bunch of our thinking in his Future of Security paper, so you can start there. As with most new disruptive innovations, there are likely other folks already where you want to be – it is good to learn from them. So I was very interested in slides from Zane Lackey (who used to run security engineering for Etsy), from his talk on how to build a modern security engineering organization. A few key points from his presentation: Etsy pushed code into production up to 30 times a day. They surfaced security information to everyone, not just security folks. Communication is key to getting folks to work with security, rather than working around security. Expand your team by offering bug bounties. Use penetration tests to figure out how hackers will achieve their goals – not to just prove that your app can be pwned. Overall it is a good deck, which serves as a good reminder that our world is changing. Understand how, or wait to get run over. Share:

If you caught my weekend rantings on Twitter, I had some free time this past weekend. The Boss was on a girl’s weekend. The kids are away at camp. And I had a meeting with a client first thing Monday morning. So I could have stayed in the ATL and taken an evening flight out. Or I could fly out first thing in the morning and find a way to get my blood pumping. Shockingly enough, I chose the latter. There is nothing better to get your blood moving than pulling some Gs on a cool roller coaster. I love roller coasters. The anticipation of the drop. The screaming of the folks around you. That exhilaration is hard to match. At least for me. Until it isn’t. Maybe I was just very calm on Sunday. But my heart rate hardly moved on the first wooden coaster. It was fast. It was fun. But it wasn’t scary. The two-loop two-corkscrew ride barely moved the needle either. Maybe I am just numb to coasters. Sure it’s fun, but where is the rush? The stand-up coaster was cool. That was pretty exciting. As was the ‘flying’ coaster, where you ride on the outside of the track with your feet dangling. But there was still something missing. Then I saw it. The free fall ride. I am not a big fan of free fall rides. I’ll take loops, drops, and corkscrews every time. I rode the Tower of Terror at Disney with the girls, but that’s more because I needed to. I had to represent in front of my girls. Sure it was fun, but it’s not my favorite. But in need of an adrenaline rush, I figured it was time. Time to conquer my discomfort and just drop. So I stood in line and within a couple minutes I was ascending 200-something feet in the air. The view was beautiful. The 16-year-old running the ride started chirping something about the ride being broken. That we’d need to descend slowly. But I wasn’t born yesterday. I took a deep breath and got ready. Then I dropped. For 4 seconds anyway. It took my breath away, but I lived. My adrenaline spiked. My heart rate elevated. I felt alive! And I conquered the free fall. It was a good day. It’s not great to have to travel for work on a Sunday, but if you need to. at least make sure you have some fun. –Mike Photo credit: “Drop zone” originally uploaded by Alan Teo The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. The Security Pro’s Guide to Cloud File Storage and Collaboration Core Security Features Overview and Baseline Security Introduction Leveraging Threat Intelligence in Incident Response/Management Quick Wins The (New) Incident Response & Management Process Model Threat Intelligence + Data Collect = Responding Better Really Responding Faster Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Incite 4 U The Imprudence of Clouds: The SNL skit “Common Knowledge” was a game show where the ‘right’ answer to a question was not the factual answer, but whatever popular answer the studio audience thought was right. That’s what ran through my mind when Robert Graham pointed out that the fact that Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source does not make it true. Rob’s good like that – poking at so-called “common knowledge”. And based on Sonatype’s just-completed open source survey, clearly developers believes this as well. I would not yet call it a cliche – only a couple years ago enterprises prohibited open source as untrustworthy – but Rob has a good point. In many cases open source code is not being reviewed, and while I see some open source code scanning, open code can be just as bad as commercial software: poor usability, bugs, and vulnerabilities. There is crap software all over the place. Whether you pay for it or not. – AL DDoS: Coming soon to an amateur near you: It was only a matter of time. But it looks like DDoS is about to hit the masses. Between folks using fake Googlebots to blast a site, packaged DDoS kits available for $500, and DDoS bots on Amazon taking advantage of a defect in ElasticSearch, DDoS attacks are becoming more accessible to hackers

I really like this story about ULTRA Testing, which hires folks on the autism spectrum to perform software testing. The CEO makes a great point here: As a result, he maintains, employers around the world are leaving huge pools of talent untapped because they don’t know where to look. Finding enough good people remains the bane of most CISO types. Everyone is looking at intern programs to find talented kids coming out of university. Everyone is recruiting military folks as they roll off their tours of duty. There still aren’t enough. As I have written a number of times, as an industry we need to be more creative. We must find high-potential folks and invest in them. ULTRA does this for their testing business, knowing that highly functioning people on the spectrum can do the job – given the right accommodations. This is especially true of the 400,000 autism spectrum members deemed to be high-functioning, meaning they have strong visual and spatial relations skills and average or above-average IQs. Research suggests they can have heightened abilities in pattern recognition and logical reasoning, but many adults living with autism and Asperger’s are thwarted by job interviews that test their limited social skills and workplace environments that are unprepared for their literal-mindedness and unrelenting attention to detail. Why can’t this work for security? Much the job is repetitious. Unless you want to be a senior person there isn’t much need to work with many folks. Instead of having your HR group say “that won’t work” because someone doesn’t check all the boxes on the job spec, maybe you can say “it’s worth a try.” Of course you would have to be willing to stick your neck out. You’d have to be willing to run interference for some folks who have issues in a traditional work environment. You would need the courage to make it happen. Not everyone is up to that, and that’s okay given the number of other battles you need to fight daily. But if you spend most of your time bitching about how you can’t fill your openings, maybe it’s time to start thinking across a broader spectrum. Just maybe. Photo credit: “Energy Saver Light Bulb” originally uploaded by James Bowe Share:

Side note: we are aware of the site issues and are working hard on them. There were major changes to the platform we use, and they conflict with our high-security setup. I think we should have it fixed soon, and we apologize. That’s what we get for having a non-DevOps-y legacy site. Right now it is 68F here in Boulder, with an expected high of 89F. A little toasty. It’s 92F in Phoenix, with an expected high of 109F. Yesterday they hit 115F, breaking the record. A little helly. Stupid humans and global warming. We are down to the last five days of our month in Boulder. Staring down 110F+ temperatures isn’t doing much to improve my enthusiasm about heading home. Then again, I’ll only be home for one night before I head off to nine days in Vegas for Black Hat and DEF CON. I think it might be a degree or two cooler there than in Phoenix, so I have that going for me. Which is nice. The end of a trip, especially an extended one, is always a melancholy time. I didn’t accomplish nearly everything I hoped, but still can’t complain. I caught up with most of my friends, enjoyed watching my girls take swim lessons at the pool I taught at 20 years ago, hit nearly all my favorite restaurants, and learned that there are a c**p-load of kid-friendly parks in Boulder. Kind of never noticed them pre-kids. On the downside I didn’t get nearly as many rides or runs in as I hoped. Some friends’ schedules simply didn’t work out. And although we snuck in a few family hikes, I really hoped to spend more time in the mountains. Then again, that’s sorta tough with 5, 3, and 1 year olds. I had two main goals coming into this trip, and completely accomplished both of them. First was to simply relax and let the mountain air reduce my stress level. Work-wise it actually turned into a pretty packed month, but something about this town helps me maintain my center. It isn’t anything metaphysical, just an effect of settling into a place where you feel completely comfortable. I also wanted to get my kids out of the heat, and give them a summer adventure with a lot of time in the outdoors. To build up good memories of a place that is so important to me. You know, blatantly manipulate my kids. It totally worked. But summer is coming to a close and it’s time to gear up for the fall sprint. The workload is looking pretty intense, but continues the trend of some of the most fulfilling projects of my career. It starts with our Black Hat cloud security training, where I have a bunch of new material for advanced students I am excited to try out. So I didn’t spend as much time at coffee shops playing aging hipster as I expected (thanks to JumpCloud for loaning me a desk during my trip), didn’t spend as much time wandering the hills, and missed a couple friends. But in the end everything went pretty much perfectly. I’m mentally refreshed and ready to attack, the kids have awesome memories and some new favorite places, and no one ended up in the ER this time, so I think we get to come back next year. All good. Assuming our air conditioning still works in Phoenix. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich did a webcast on cloud security (with a SaaS focus) for Elastica. Favorite Securosis Posts David Mortman: TI+IR/M: The New Incident (Response) & Management Process Model. Adrian Lane: Hacker Summer Camp. There is always something going on before Black Hat, and this year has its share of drama. Mike Rothman: Firestarter: Security Summer Camp. A little over a week out, and I’m starting to get fired up. Schedule locked down, liver primed, ready to descend on Vegas. Good thing I don’t need to worry about disclosures or anything… Rich: Cloud File Storage and Collaboration: Core Security Features. I am picking my own post because I could use some feedback on this one. Other Securosis Posts The 2015 Endpoint and Mobile Security Buyer’s Guide [Updated Paper]. TI+IR/M: Quick Wins. Cloud File Storage and Collaboration: Overview and Baseline Security. Incite 7/23/2014: Mystic Rhythms. TI+IR/M: The New Incident (Response) & Management Process Model. TI+IR/M: Threat Intelligence + Data Collection = Responding Better. Leading Security ‘People’. Favorite Outside Posts David Mortman: The Promises of DevOps. Mike Rothman: Losing my religion. Hadn’t thought about Silicon Valley as a land of zealots, but after reading Chris Shipley’s post I get it. Though in order to do the things you do at a start-up (or even a big tech company) you need to believe. And that’s certainly many folks’ definition of religion… Adrian Lane: This Box Can Hold an Entire Netflix. A surprisingly ‘server-hugger’ style approach to content delivery, from one of the most whole-hearted and innovative cloud companies out there. A very interesting read! Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. Top News and Posts Threat Modeling: Designing for Security Anti-Surveillance Camouflage for Your Face Apple’s Legal Process Guidelines: U.S. Law Enforcement Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices. Slides. Apple’s support note on the tools mentioned in the presentation above. As expected, they have legitimate uses and don’t circumvent security controls. It will be interesting to see whether iOS 8 changes in response. Share:

In an uncommon occurrence we have updated one of our papers within a year of publication. As mentioned in the latest version of our Endpoint Security Buyer’s Guide, mobile devices are just additional endpoints that need to be managed like any other device. But it became clear that we needed to dig a bit deeper into securing mobile endpoints. Our updated and revised 2015 Endpoint and Mobile Security Buyer’s Guide updates our research on key endpoint management functions including anti-malware, patch and confirmation management, and device control. Additionally we dug a lot deeper into mobile security and managing BYOD. The reality is that securing endpoints hasn’t gotten any easier. Employees still click things and attackers have gotten better at evading perimeter defenses and obscuring attacks. Humans, alas, remain gullible and flawed. Regardless of any training you provide employees, they continue to click stuff, share information, and fall for simple social engineering attacks. So endpoints remain some of the weakest links in your security defenses. As much as the industry wants to discuss advanced attacks and talk about how sophisticated adversaries have become, the simple truth remains that many successful attacks result from simple operational failures. So yes, you do need to pay attention to advanced malware protection tactics, but if you forget about the fundamental operational aspects of managing endpoint hygiene the end result will be the same. To provide some context, we have said for years that management is the first problem users solve when introducing a new technology. Security becomes a consideration only after management issues are under control. This is the key reason we are adding a bunch of new content about securing mobile devices. Many organizations have gotten their arms around managing these devices, so now they are focusing their efforts on security and privacy – especially around apps running on those devices. What has not changed is our goal for this guide: to provide clear buying criteria for those of you looking at endpoint security solutions in the near future. Visit the permanent landing page Direct Download (PDF): The 2015 Endpoint and Mobile Security Buyer’s Guide We would like to thank Lumension Security for licensing this paper. Obviously we wouldn’t be able to do the research we do, or offer it to you without cost, without companies supporting our work. Share:

Gunnar and I frequently comment on the fragmented nature off-premise identity solutions. For example there is no Active Directory for mobile. Cloud IAM solutions commonly use bulk replication to propagate identity, while more elegant options are seldom considered. We pointed out how fragmented the market was a few months back when I wrote about the Identity Mosaic. When discussing the problem we wondered what vendors must say to customers looking for cloud or mobile identity solutions. It struck us that we’ve seen this act before: Monty Python’s Cheese Shop! Gunnar came up with his own take on the skit and we filmed it last week. It’s corny, and we couldn’t find a bouzouki player, but it was fun! So here it is: The Identity Management Cheese Shop. Share:

The best way to understand how threat intelligence impacts your incident response/management process is to actually run through an incident scenario with commentary to illustrate the concepts. For simplicity’s sake we assume you are familiar with our recommended model for an incident response organization and the responsibilities of the tier 1, 2, and 3 response levels. You can get a refresher back in our Incident Response Fundamentals series. For brevity we will use an extremely simple high-level example of how the three response tiers typically evaluate, escalate, and manage incidents. If you are dealing with an advanced adversary things will be neither simple nor high-level. But this provides an overview of how things come together. The Trigger Intellectual property theft is a common mission for advanced attacker, so that will be our scenario. As we described in our Threat Intelligence in Security Monitoring paper, you can configure your monitoring system to look for suspicious IP ranges from your adversary analysis. But let’s not put the cart before the horse. Knowing you have valuable IP (intellectual property), you can infer that a well-funded adversary (perhaps a nation-state or a competitor) has a great interest in that information. So you configure your monitoring process to look for connections to networks where those adversaries commonly hang out. You get this information from a threat intelligence service and integrate it automatically into your monitoring environment, so you are consistently looking for network traffic that indicates a bad scene. Let’s say your network monitoring tool fires an alert for an outbound request on a high port to an IP range identified as suspicious via threat intelligence. The analyst needs to validate the origin of the packet so he looks and sees the source IP is in Engineering. The tier 1 analyst passes this information along to a tier 2 responder. Important intellectual property may be involved and he suspects malicious activity, so he also phones the on-call handler to confirm the potential seriousness of the incident and provides a heads-up. Tier 2 takes over and the tier 1 analyst returns to other duties. The outbound connection is the first indication that something may be funky. An outbound request very well might indicate an exfiltration attempt. Of course it might not but you need to assume the worst until proven otherwise. Tracing it back to a network that has access to sensitive data means it is definitely something to investigate more closely. The key skill at tier 1 is knowing when to get help. Confirming the alert and pinpointing the device provide the basis for the hand-off to tier 2. Triage Now the tier 2 analyst is running point on the investigation. Here is the sequence of steps this individual will take: The tier 2 analyst opens an investigation using the formal case process because intellectual property is involved and the agreed-upon response management process requires proper chain of custody when IP is involved. Next the analyst begins a full analysis of network communications from the system in question. The system is no longer actively leaking data, but she blocks all traffic to the suspicious external IP address on the perimeter firewall by submitting a high-priority firewall management request. After that change is made she verifies that traffic is in fact blocked. The analyst does run the risk of alerting the adversary, but stopping a potential IP leak is more important than possibly tipping off an adversary. She starts to capture traffic to/from the targeted device, just so a record of activity is maintained. The good news is all the devices within engineering already run endpoint forensics on their devices, so there will be a detailed record of device activity. The analyst then sets an alert for any other network traffic to the address range in question to identify other potentially compromised devices within the organization. At this point it is time to call or visit the user to see whether this was legitimate (though possibly misguided) activity. The user denies knowing anything about the attack or the networks in question. Through that discussion she also learns that specific user doesn’t have legitimate access to sensitive intellectual property, even though they work in engineering. Normally this would be good news but it might indicate privilege escalation or that the device is a staging area before exfiltration – both bad signs. The Endpoint Protection Platform (EPP) logs for that system don’t indicate any known malware on the device and this analyst doesn’t have access to endpoint forensics, so she cannot dig deeper into the device. She has tapped out her ability to investigate so she notifies her tier 3 manager of the incident. While processing the hand-off she figures she might as well check out the network traffic she started capturing at the first attack indication. The analyst notices outbound requests to a similar destination from one other system on the same subnet, so she informs incident response leadership that they may be investigating a serious compromise. By mining some logs in the SIEM she finds that the system in question logged into to a sensitive file server it doesn’t normally access, and transferred/copied entire directories. It will be a long night. As we have mentioned, tier 2 tends to focus on network forensics and fairly straightforward log analysis because they are usually the quickest ways to pinpoint attack proliferation and gauge severity. The first step is to contain the issue, which entails blocking traffic to the external IP to temporarily eliminate any data leakage. Remember you might not actually know the extent of the compromise but that shouldn’t stop you from taking decisive action to contain the damage as quickly as possible – per the guidance laid down when you built designed the incident management process. Tier 3 is notified at this point – not necessarily to take action, but so they are aware there might be a more serious issue. Proactive communication streamlines escalation. Next the tier 2 analyst needs to assess the extent of

This is part 3 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper is available on GitHub as we write it. See also part 1 and part 2 here. Identity and Access Management Managing users and access are the most important features after the security baseline. The entire security and governance model relies on it. These are the key elements to look for: Service and federated IDM: The cloud service needs to implement an internal identity model to allow sharing with external parties without requiring those individuals or organizations to register with your internal identity provider. The service also must support federated identity so you can use your internal directory and don’t need to manually register all your users with the service. SAML is the preferred standard. Both models should support API access, which is key to integrating the service with your applications as back-end storage. Authorization and access controls: Once you establish and integrate identity the service should support a robust and granular permissions model. The basics include user and group access at the directory, subdirectory, and file levels. The model should integrate internal, external, and anonymous users. Permissions should include read, write/edit, download, and view (web viewing but not downloading of files). Additional permissions manage who can share files (internally and externally), alter permissions, comment, or delete files. External Users An external authenticated user is one who registers with the cloud provider but isn’t part of your organization. This is important for collaborative group shares, such as deal and project rooms. Most services also support public external shares, but these are open to the world. That is why providers need to support both their own platform user model and federated identity to integrate with your existing internal directory. Device control: Cloud storage services are very frequently used to support mobile users on a variety of devices. Device control allows management of which devices (computers and mobile devices) are authorized for which users, to ensure only authorized devices have access. Two-factor authentication (2FA): Account credential compromise is a major concern, so some providers can require a second authentication factor to access their services. Today this is typically a text message with a one-time password sent to a registered mobile phone. The second factor is generally only required to access the service from a ‘new’ (unregistered) device or computer. Centralized management: Administrators can manage all permissions and sharing through the service’s web interface. For enterprise deployments this includes enterprise-wide policies, such as restricting external sharing completely and auto-expiring all shared links after a configurable interval. Administrators should also be able to identify all shared links without having to crawl through the directory structure. Sharing permissions and policies are a key differentiator between enterprise-class and consumer services. For enterprises central control and management of shares is essential. So is the ability to manage who can share content externally, with what permissions, and to which categories of users (e.g., restricted to registered users vs. via an open file link). You might, for example, only allow employees to share with authenticated users on an enterprise-wide basis. Or only allow certain user roles to share files externally, and even then only with in-browser viewing only, with links set to expire in 30 days. Each organizations has its own tolerances for sharing and file permissions. Granular controls allow you to align your use of the service with existing policies. These can also be a security benefit, providing centralized control over all storage, unlike the traditional model where you need to manage dozens or even thousands of different systems, with different authentication methods, and authorization models, and permissions. Audit and transparency One of the most powerful security features of cloud storage services is a complete audit log of all user and device activity. Enterprise-class services track all activity: which users touch which files from which devices. Features to look for include: Completeness of the audit log: It should include user, device, accessed file, what activity was performed (download/view/edit, with before and after versions if appropriate), and additional metadata such as location. Log duration: How much data does the audit log contain? Is it eternal or does it expire in 90 days? Log management and visibility: How do you access the log? Is the user interface navigable and centralized, or do you need to hunt around and click individual files? Can you filter and report by user, file, and device? Integration and export: Logs should be externally consumable in a standard format to integrate with existing log management and SIEM tools. Administrators should also be able to export activity reports and raw logs. These features don’t cover everything offered by these services, but they are the core security capabilities enterprise and business users should have to start with. Share: