By Andrew Wild, CSO, Qualys
January 28, 2012 has been designated as "Data Privacy Day". This is an internationally recognized day established to increase awareness of privacy and the challenges that our technologically advanced, "big data" analytical world pose to our notions about privacy.
It is entirely appropriate that everyone should take a few minutes to consider the issue of privacy on Data Privacy Day. Technology and the significant changes to how we communicate and share information in the Internet age have fundamentally altered our understanding of privacy. The two greatest threats to our privacy today are extensive online social networking, and significant improvements in data analytics.
There are many different types of information that most of us would consider to be privacy information for which we would should know how and when this information is shared with others.
Some examples of privacy information could include:
- home address
- telephone number
- birth date, age
- photographic images
- physical characteristics (height, weight, hair color, eye color)
- personal financial information
- personal spending information
- health information
- physical mail
- voice conversations (POTS, Mobile/Cellular, VOIP, face to face)
- web browsing history
- online purchasing history
For many people that take advantage of Internet social networking like Facebook, Google+, LinkedIn, Twitter and many others, these tools are an essential way to develop and maintain important personal and professional relationships. The social networking tools provide an easy and efficient way to share information. However, with these advantages come some significant differences from the traditional interpersonal communication methods. It is important for users of Internet social networking tools to understand how information they share is controlled. Social networking tools have configurable privacy settings, and the configuration options can change, so users should frequently check the settings as well as the options available to ensure they are set in accordance with the user’s preferences.
In addition to information that we freely share with others through social networking sites, there is also information that we are sharing with others through the use of the Internet. Internet systems that we visit collect information about us and our computers. Some of this information is provided by us to the websites as part of a registration process to use the website. However, there are also many types of information that are in many cases collected without our full understanding. Websites collect technical information about our computers including IP address information which can be used to determine your location. It is also possible for websites to collect information about our activity on the website, and the Internet. The majority of this information is collected with the use of browser cookies, flash cookies, web beacons, and google analytics. It is important to understand the options available to manage some of these through the web browser configuration.
Finally, it is important to understand the profound effect the advances in data analytics have upon our privacy. In the past, we might not have given any thought to the information shared by us through the routine parts of our daily lives: telephone calls, store purchases (both online and physical), television shows watched, movies seen, air travel, library books borrowed, highway tolls, video surveillance and many others. While each of these actions, on its own may seem insignificant, the aggregate of all of these activities may constitute an image of us that we may not be comfortable sharing. It is quite possible that the collective sum of all this information could be used to predict our future actions. This is the threat that data analytics pose to our privacy. The advances in data analytics are used for good reasons in most cases, such as detecting fraud, and allowing companies to better understand their customers. It is important for governments to understand the threats to privacy from data analytics and to legislate appropriately to ensure this information is not used inappropriately.
In conclusion, each of us should spend some time to think out our privacy and the steps we should take to safeguard something that many of us take for granted, even in the face of increasing threats. Data Privacy Day 2012 is an excellent day for this. The National Cyber Security Alliance website is a great place to learn more: Data Privacy Day at StaySafeOnline.org
Just released – "Dummies Guide to IT Policy Compliance" in conjunction with publisher John Wiley & Sons. This handbook provides a quick guide to understanding IT policy compliance in plain English. It surveys the best steps for preparing your organization’s IT operations to comply with laws and regulations – and how to prove compliance to an auditor.
In this book you will discover what IT policy compliance is all about, how laws and regulations govern compliance, ten best practices and how automation can ease compliance and save money. This book is co-authored by Qualys' Jason Creech and Matt Alderman.
To download a free copy, visit http://www.qualys.com/forms/ebook/itpcfordummies/.
Missed Wednesday’s RSA keynote? Check out Philippe Courtot’s keynote in it’s entirety as he discusses "Changing Security as We Know It: Our Destiny is in the Cloud"
BT’s SecureThinking: SecureCompliance blog features a new article from Qualys VP of Product Marketing Terry Ramos titled "PCI Compliance is Still a Myriad of Tough Choices on the 'Journey' Towards Compliance." The article discusses how organizations that process, store or transmit credit card data must employ a continuous process to achieve and maintain PCI compliance.
Guest author: Virtualization and Security Expert Alessandro Perilli discusses the future of cloud computing and its security implications.
By Alessandro Perilli, CISSP
Founder and Chief Editor, virtualization.info
The data centers of tomorrow will be computing clouds – massive aggregations of resources that are served inside geographically dispersed computers. A new server is plugged in and the cloud grows, stacking up new resources on top of the existing ones.
As vendors put their applications into these clouds, they don’t have to figure out where the actual hardware is or what happens if a machine has a failure at a point. They can offer reliability out-of-the-box, without even thinking about developing fail-over or clustering components.
As customers put their data into these clouds, they don’t have to buy the software to manipulate and process their data anymore. They just pay for the time the cloud is used to perform a certain task with their data. But who will secure these clouds? This piece will discuss the future of computing and its impact on security.
There are many forms of cloud architectures. Today, the industry recognizes three of them, with a common definition for each: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).
- In the IaaS model, the computing cloud serves empty virtual machines, which can be filled with anything a vendor or a customer wants, from the operating system to the CRM solution of choice.This model abstracts the physical hardware and so it’s a computing cloud in the sense that more CPUs, memory modules, hard drives, network switches can be added to the resource pool transparently, no matter where their containers -servers and storage arrays – are in the world.
- In the PaaS model, the computing cloud serves application frameworks that understand one or more programming languages, which can be filled with software that wasn’t originally developed for the cloud and doesn’t know how to scale to be cloud-ready. This model abstracts the operating system structures and so it’s a computing cloud in the sense that there are no problems like OS upgrades, patches, libraries incompatibilities and related downtimes.
- In the SaaS model, the computing cloud serves applications, which can be used to perform all tasks customers perform today with on-premise software, uploading data in the storage part of the cloud and downloading it on demand. This model abstracts everything below the application level. There’s no hardware to maintain, no operating system to patch, no software conflicts to avoid. It is the computer over the web.
Looking at current trends, we can see a future world where the SaaS model will prevail and web applications are the norm, not the exceptions that we have to refer to with special names like "Web 2.0."
Virtualization vendors are spending a huge amount of effort to abstract the hardware layer and decouple the applications from the operating systems. This makes sense because software vendors that want to deliver their products to the largest possible audience simply cannot develop for the overwhelming amount of server, desktop and mobile platforms we have today. But what’s the need for virtualization (which requires that customers adopt yet another product, which is ultimately a massive waste of money) when we already have a common, ubiquitous operating system which millions interact with every day and that can be used to deliver applications on any device, from the desktop to the smart-phone? Of course I’m talking about the web.
Until 10 years ago we failed to realize the potential of the web as an operating system. Then the plethora of startups generated what we call today the Web 2.0 momentum, demonstrating that we could solve our application delivery problems in a new way without using new tools.
Google is evangelizing a SaaS world, proving its viability with applications like Gmail or Apps. Maybe those are not yet as good as the on-premise solutions we are used to, but they are already viable and even desirable in some circumstances. The Microsoft conversion to the cloud, including the upcoming Office Online, or the just launched PaaS cloud called Windows Azure, is a confirmation that a SaaS world makes sense.
So it’s not that unlikely to imagine that, over time, the existing, on-premise applications will be slowly replaced by web-based counterparts. And that the mass adoption of mobile devices like the Apple iPhone or the Google Android handsets, and the overwhelming amount of tablet PCs that will come out during 2010, will have a major role in accelerating this process.
Before the time SaaS will be ubiquitous anyway, IaaS and PaaS models will have their moments of glory.
The world will not turn to SaaS in a day. SaaS has been around for more than 10 years now, and it hasn’t changed much. Such things require a lot of time and a radical change in mindset. And sometimes a new mindset requires new generations of people to become decision makers. IaaS and PaaS will lower the cost of entry for vendors that want to offer SaaS. So while tomorrow, most end users will just look at SaaS versions of the applications they use today, vendors selling those SaaS products will likely adopt IaaS and PaaS technologies behind the scene. IaaS and PaaS will also make the transition to SaaS smoother. Both will need to contain and move to the cloud, in a semi-transparent way, the legacy applications that are not developed with computing cloud in mind.
However, this transition will not last forever: over time IaaS and PaaS will become niche solutions, commoditized in a way or another, and used only when there’s no SaaS alternative.
Security – the Key to Embracing the Cloud
Now, a key aspect to evaluate before embracing this vision and jumping on the cloud computing bandwagon is security. Is today’s cloud computing secure enough to hold our corporate data? Is it more or less secure than on-premises data centers? It depends.
The elastic nature of the cloud makes it easier to counter things like Denial of Services (DoS) attacks while the structure of cloud computing facilities makes other things like physical breaches less likely. Additionally, because of the scale of clouds, most providers will develop automated procedures to handle some security tasks, like basic platform hardening and software patching, dramatically reducing the mistakes that manual intervention implies.
Nonetheless, achieving the same level of security of today’s on-premise data centers, or even surpass it, may be extremely complex. Above all, there is the entirely new class of threats that are related to the multi-tenancy nature of the cloud: escaping the software jail and breaking into another customer application pool; accessing incomplete deleted data from shared storage facilities; intercepting and manipulating the over-the-Internet access to the cloud control panel, are just some of the problems we didn’t have before.
Even those procedures that are considered normal in a traditional data center may turn into expensive extra efforts in a full resource sharing environment. For example, it’s a challenging task to keep isolated audit logs and allow customers to access them on demand.
Other security issues arise simply because cloud computing is so new. Compliance, for example, is one of the hardest goals to reach because industry standards don’t contemplate cloud computing yet, and regulatory requirements may be just too demanding to fit a cloud model.
When a customer owns his data center, he’s accountable for its security. He can be very good or very bad, but he basically has control and can work to improve the security level.
When a customer embraces the cloud, the responsibility to secure the infrastructure is basically offloaded to the cloud provider. This doesn’t mean that there are no more risks, it just means that most risks have been transferred somewhere else. The cloud provider can be very good or very bad in security, just like the customer, but if it is very bad, it may be hard to discover at the time of signing an agreement. Once the faults become evident, it may be a pain to move from the insecure cloud to something better.
In cloud computing, we lose IT governance, and we must fully trust the provider. Some of them may want to bet on security to differentiate their offering in a booming market, and clouds may be more secure than on-premise data centers. What must be clear is that not every provider will be able to invest the money that top vendors like Google, Amazon and Microsoft can invest to secure their clouds.
To lower the cost of entry, some of them may decide to embrace open standards to build their infrastructures, and this will provide an inherited higher level of security, but it’s unlikely that all the providers will be able to fulfill all the security requirements that customers may have all by themselves.
For example: the customers' data can be spread across multiple data centers in the world, and some sensitive information may end up being stored in a country where the law prohibits its presence.
Or, just because the data is replicated to multiple, geographically dispersed repositories to maximize resiliency, when a customer asks to remove something from the cloud, he must be 100 percent sure that his information is really wiped out from every hard drive of every SAN of every cloud node in the world.
Thus, auditing a cloud infrastructure is a complex, time consuming and very expensive operation, certainly more challenging that auditing on-premise facilities.
Smaller cloud providers will need some external help to do so and customers may want to have this in their SLAs, as a guarantee that clouds don’t turn into a giant black box where nobody knows what really happens (or can happen) to the corporate data.
Additionally, compared to what we are used to, security in the cloud era has to become a cost center, because just the idea of storing sensitive information outside your own property requires extra reassurance that the information is in capable hands.
So who’s going to control the clouds? Angels?
Vendors that have embraced this computing model long time ago had to secure the infrastructures behind it by themselves. Those are the companies that have developed most experience and that may have a relevant position in the SaaS world of tomorrow.
Qualys is a security company that offers automated security audits. And it has delivered its products through a SaaS architecture for years. If there’s a company that can become the cloud security auditor, Qualys has the experience and the technology to do so.
The market is not going to avoid cloud computing because of the security challenges. Simply put, cloud computing represents a fantastic opportunity to rethink security and implement it in a more efficient way. It’s just a matter to find the right partners to do it in the right way.
I believe that the SaaS and Cloud Computing revolution holds the potential to benefit everyone in the software industry, and all who rely on it for their business. For instance, we in the industry are well aware that software is evolving too quickly to keep up. It’s a never ending process of software enhancements, upgrades, security fixes, and new installations. And, few would disagree that there are too many vulnerabilities affecting too many applications. In this disorder, most of the burden has fallen on the shoulders of organizations that have had to dedicate extraordinary resources to patch and mitigate the security holes. Here is an interesting statistic that reveals the magnitude of the challenge. According to Qualys' The Laws of Vulnerabilities 2.0 research, companies take an average of 59 days to patch their vulnerabilities. Five years ago, that number was 60 days. That’s a reduction of one day in the past five years. When one considers all the effort and automation that has gone into patch management in the past five years, that’s not much in the way of improvement. And this shows not just how steep the challenge is, but just how broken the current ecosystem of traditional software is.
The SaaS approach
Fortunately, the SaaS and Cloud Computing models are positive disruptions on the infrastructure of both private networks and the Internet. Unlike when individual organizations patch (work that must be duplicated for every installation), when SaaS vendors update their software applications, all of their customers are patched instantaneously as well. Because of this simple fact, many of the security problems that plague today’s business technology systems – such as patches and software misconfiguration issues – are solved. Thus, in this, and many other ways, the burden of maintaining a secure application largely is transferred from the software user to the provider. The effect of proper patching is amplified throughout all the IT systems the SaaS and cloud providers touch. For many years it was thought that SaaS would be destined just for SMEs, but today we know that this isn’t so; the advantages of cost reductions in staff and infrastructure are as valuable to the large corporate as the small or mid-sized business, particularly in the current economic climate. Cloud Computing offers a delivery model that scales and can reach out to millions – that’s the power of the Internet. Once the infrastructure or data centre has been built the cost of adding additional services is minimal and hence the service provider can offer aggressive prices because the overall cost of the infrastructure and the specialist personnel to man it can be amortized over a large number of users. Another massive advantage for customers of SaaS is that it puts the power in the hands of the buyer. They can 'try and buy' solutions with ease and of course they are at liberty to switch vendors if their services don’t come up to scratch. What’s more whilst vendors have traditionally focused on the enterprise as the customer for hardware and software, the data centre owners will gradually become key customers for the future.
Resistance is Futile
Some still are fighting the shift to SaaS and Cloud Computing. But, I don’t believe that resistance to the transformation of on-premise business IT to cloud-based computing is a viable option. Not for long. The business benefits, cost savings, and reduction in complexity are just too compelling for businesses to overlook. Actually, today, the strongest resistance we see is emanating from IT departments, and IT security staff – mainly out of fear of what might happen if one were to lose control of data. But the reality is that businesses have already lost control of data, as evidenced by the constant security breaches that we read about in the media on an almost daily basis. By putting the data in one place it is easier to control access to it. Security in the cloud will follow the pattern of banking where we are comfortable to withdraw our cash from the convenience of an ATM, over the Internet or via our mobile and leave its security to be dealt with by the experts. Nevertheless, despite reservations from IT, businesses will march forward, because the business has no choice but the path that simplifies many of today’s IT complexities. And in this, the primary – and strategic – role of IT security will be successfully and securely managing the privacy and security risks associated with data living in the cloud.
While the visible shift to Cloud Computing to date has been the movement of applications and data to the cloud, it’s not going to stop there. Soon, the day will come when companies outsource not only their software but their network infrastructure, as well. One day, almost everything we do on private networks – manage information, applications, infrastructure, and services – will be accessible instantly and securely from anywhere and from any Web browser. It’s time to prepare.
Cloud Cover by Matt Vilano
Data security used to be all about spending big bucks on firewalls to defend data at the network perimeter and on antivirus software to protect individual computers. Internet-based computing, or cloud computing, has changed all that, at the same time expanding exponentially the chances for data thieves and hackers.
The cloud creates other opportunities too: a handful of security vendors now deliver security as a service–a one-two punch of hardware and software that monitors and manages an enterprise’s data security and bills customers only for the computing power they use. "For years, security was about big companies pushing technology to their customers," says Qualys CEO and founder Philippe Courtot. "Now it’s about the customers pulling precisely what they need and providing them with those resources on demand."
Under the old paradigm, according to Courtot, enterprises overspent for stand-alone security devices that became unruly and difficult to operate over the long term. He says Qualys attacks the flaws in this strategy by streamlining security and tackling most of the service delivery through the cloud. "We control the infrastructure, software updates, quality assurance and just about everything in between," he says.
Much of the company’s current revenue–sales topped $50 million last year–is being driven by a set of standards established by the Payment Card Industry Security Standards Council (PCI SSC), a trade organization composed of credit-card companies. The standards were created in 2006 to help organizations that process card payments prevent fraud by tightening controls around customer data. One of those controls: a quarterly audit for network vulnerabilities by a firm from a list of approved vendors that includes Qualys. Analysts estimate that the PCI standards have generated at least $2.5 billion for security vendors in the U.S. "It’s been a major driver of business for all of them, especially Qualys," says Avivah Litan, a vice president and analyst at market-research firm Gartner. "When everyone has to comply, there’s a lot of work to go around."
Qualys aims to increase the depth of its vulnerability-scanning services, reaching further into networks by auditing servers that host and operate certain Web applications for self-propagating virus programs known as malware. It released a special QualysGuard module in April 2008 to achieve this objective. After a series of acquisitions this summer, an improved version will probably be forthcoming in the next 12 to 18 months. "Because of the Internet, the enterprise network is disappearing, and companies need to be ready to protect what’s left," Courtot forecasts. Security as a service, it turns out, is a pretty legit business.