Advertise

Cloud

7/2/2014
03:15 PM

John Klossner
Cartoon Contest

5 comments
Comment Now

Cartoon: Cloud Conundrum

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal. Web site: ... View Full Bio

Comment |

Email This |

Print |

RSS

More Insights

Webcasts

ChatGPT: Defending Your Business Against AI-Supercharged Ransomware

The Biggest Network Security Threats of 2023 & How to Combat Them

More Webcasts

White Papers

Learn Infrastructure as Code: Step-by-Step

Causes and Consequences of IT and OT Convergence

More White Papers

Reports

Shoring Up the Software Supply Chain Across Enterprise Applications

Addressing the Security Challenges of the New Edge

More Reports

//Comments

Threaded | Newest First | Oldest First

[close this box]

Marilyn Cohodas,
User Rank: Strategist
7/8/2014 | 10:52:07 AM

SOC v CSP: Chicken or the egg?

The chicken or the egg metaphor is a great analogy for the cloud security debate. So I ask you all, when it comes to cloud security, who's bears the greatest resposible? the CSP or the SOC team?

aws0513,
User Rank: Ninja
7/8/2014 | 12:45:09 PM

Re: SOC v CSP: Chicken or the egg?

In my experiences, the following rule always applies:

"The data owner is responsible for protecting the data they manage and use for their business operations."

This means that no matter where the data is stored, the data owner must ensure that necessary security controls are in place to help protect the data. If the choice is to use cloud services of any kind, they data owner must validate (accredit) and audit the cloud services that will be utilized... on a consistent and continuous basis.

The hard part is that cloud services often tout their product as a secure environment without providing security control implementation specifics. I have yet to see any cloud service provide a security control "mapping" to NIST (or other framework) controls in detail that was sufficient. They will brush some sales lines on a few common security controls, but I am still waiting on that "comprehensive" security control implementation documentation.

I am currently working with my employer (government entity) to establish a common security requirement "checklist" approach to cloud services assessment. We plan to tell data owners within the organization that if a cloud service is going to be used for any solution our organization establishes, the service will be reviewed as if it were an extension of the organization and subject to the same auditing requirements. In general, for us this means that NIST controls will need to be mapped to the cloud service equivalent where applicable. The cloud service vendor(s) will need to provide an acceptable control implementation/solution for each required control that our risk assessment team (management) has deemed necessary to protect the data. If there are any issues with how the cloud service supports or provides a specific controls, along with how they will be audited and monitored, they will likely not get any of our business unless our management can establish compensating controls or assume ownership of the control requirement. Risk acceptance is a reality as well, but it is our hope that we can reduce the risk on all points possible before any risk acceptance takes place.

I know that what we are trying to do will very likely make things difficult for cloud service vendors to get our business, but the glaring fact is if there is an unauthorized breach of our data environments, all the finger pointing in the world would not take my employers name out of the newspapers and very likely will not protect my employer from legal filings unless the risk assumption is fully documented in the contract with the vendor. Even if the contract is specificially established, my employer would still get a black eye in the reputation arena.

So... big foot stomping hint to you cloud vendors out there.... Make it easier for organizations that handle sensitive or regulatory affected data to know EXACTLY how security controls are implemented in your environments... from the physical to the virtual. A to Z... top to bottom. And be prepared to provide auditing capabilities that are verifiable via 3rd party were necessary.
I suggest NIST SP800-53 as a starting point. Be ready to talk to other risk management frameworks (ISO anyone?).
And NO... a fancy letter from an external auditing firm does not come close to acceptable. The devil is in the details... so break out all the details as much as possible for your potential customers. You want extra points? Provide verifiable case documentation of security events that your environment identified and/or thwarted. Full disclosure is a good thing!!

Marilyn Cohodas,
User Rank: Strategist
7/8/2014 | 4:59:55 PM

Re: SOC v CSP: Chicken or the egg?

Thanks for your thoughtful and detailed reply @aws0513. I hope you will tell us how your checklist approach works to cloud services assessment works. When do you thnk you will see some results?

Kelly Jackson Higgins,
User Rank: Strategist
7/10/2014 | 4:29:24 PM

Re: SOC v CSP: Chicken or the egg?

This actually applies to a lot of things in security, so it's a wise joke well-taken.

freespiritny25,
User Rank: Apprentice
8/1/2014 | 4:24:57 PM

Re: Cartoon: Cloud Conundrum

LOL so true- pointing the blame!

Editors' Choice

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry

David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP, 7/9/2021

Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours

Robert Lemos, Contributing Writer, 7/7/2021

It's in the Game (but It Shouldn't Be)

Tal Memran, Cybersecurity Expert, CYE, 7/9/2021

Live Events

Webinars

Emerging Cybersecurity Technologies - A Dark Reading Mar 23 Event

Black Hat USA - August 5-10 - Learn More

Black Hat Asia - May 9-12 - Learn More

More Informa Tech Live Events

White Papers

Evaluator's Guide for Managed Detection and Response (MDR) Services

Making Cybersecurity Mesh a Reality

2022 State of OT Cybersecurity Report

Cloud Journey Consideration Stage: 2022 Cloud Security Report

The Five Fundamentals of Cloud Security

More White Papers

Cartoon

Latest Comment: I've heard of people walking right out the front door with entire servers...

Cartoon Archive

Current Issue

The 10 Most Impactful Types of Vulnerabilities for Enterprises Today

Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

How Enterprises are Developing Secure Applications

Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.

Download Now!

Assessing Cybersecurity Risk in Today's Enterprises

0 comments

The Malware Threat Landscape

0 comments

How Data Breaches Affect the Enterprise (2020)

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2023-1172
PUBLISHED: 2023-03-17

The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...

CVE-2023-1469
PUBLISHED: 2023-03-17

The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the â€&tilde;pec_coupon[code]â€™ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...

CVE-2023-1466
PUBLISHED: 2023-03-17

A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...

CVE-2023-1467
PUBLISHED: 2023-03-17

A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...

CVE-2023-1468
PUBLISHED: 2023-03-17

A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]