New CISO Role – What to do first?

So i am going to summarise some of the key things you will want to do first:

Reconnaissance / Collecting your info

  1. Understand your current estate (in terms of assets and how the business operates)
  2. Document your findings (maybe only you know)

Target

  1. Ask yourself do you know what the target state looks like (you should have an idea)
  2. Define the capabilities, requirements, tools and a strategy of how you will get there

Continual Improvement

  1. Do you know what ‘good’ looks like? Then you need to know how to measure that, especially for any deviations. Let the data tell the story!
  2. “Security is a practice” and it should be continually improving with no destination only improved layers of maturity.

To find out more have a read of this blog

Identity – Back to basics

aad
who am I?

Lets understand that office 365 and Azure are tied together by Azure Active Directory (Azure AD or AAD).

So to manage identity you are splitting the management across Azure and Office 365.

Office 365 uses the cloud-based user identity and authentication service Azure Active Directory (Azure AD) to manage users.

Take care when deciding on how best to manage your identity as identity is the building block to your entire cloud environment and link to your on-prem.  Making changes at a later stage can be very very painful and costly.  So getting it right is worth the investment for a much better cloud experience.

 

Azure Active Directory (AAD)

Azure Active Directory comes in three editions: Free, Basic, and Premium.  The Free edition is included with an Azure subscription. The Basic and Premium editions are available through a Microsoft Enterprise Agreement, the Open Volume License Program, and the Cloud Solution Providers program.

Azure AD Premium is also included in the Enterprise Mobility and Security (EMS). EMS is a cost-effective way for organizations to use Microsoft Intune, Azure Rights Management (Azure RMS), and the Azure AD Premium services together under one licensing plan

There are 3 main options:

  • Cloud Identity
  • Synced Identity
  • Federated Identity

Cloud Identity

Azure AD Only. With the cloud-only model, you manage your user accounts in Office 365 only. No on-premises servers are required; it’s all handled in the cloud by Azure AD.

The cloud-only model is typically a good choice if:

  • You have no other on-premises user directory
  • You have a very complex on-premises directory and simply want to avoid the work to integrate with it.
  • You have an existing on-premises directory, but you want to run a trial or pilot of Office 365. Later, you can match the cloud users to on-premises users when you are ready to connect to your on-premises directory.

Synced Identity

This component (of ADConnect) is responsible for creating users, groups, and other objects. It is also responsible for making sure identity information for your on-premises users and groups is matching the cloud

Password hash sync with seamless single sign-on

Manage your users on-prem. The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud.

Pass-through authentication with seamless single sign-on

More secure. Hashes don’t get sent to AAD.  Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users’ passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.

Federated

Good for large complex environments with complex authentication requirements. Requires an existing AD  on-prem by using federated authentication to manage authentication and identity services for your users in Office 365. on-premises directory objects are synchronized with Office 365 and users accounts are managed on-premises. This federated authentication model can provide additional authentication requirements, such as smartcard-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.

Hybrid Configuration

Tool of choice is ADConnect. Check out these guides: You can also use the Azure AD advisors: the Azure AD Connect advisor, the AD FS deployment advisor, and the Azure AD Premium setup guide.

Reference:

AAD Premium – https://portal.office.com/onboarding/azureadpremium#/

 

How To Deliver Cloud MVP

Digital Transformation

Gone are the days of questioning whether it’s feasible to host your services in the cloud.  No matter what vertical your Digital Transformationbusiness may be Media, Telecommunications, Construction, Energy etc.  The Cloud has already catered for it.  There are a long list of customer use cases who can demonstrate this e.g. AirBNB, Slack, ASOS, BMW to name but a few.   These companies decided to run their business in a more modern and efficient way.  They burst into the markets rapidly scaling with the huge business demands.  It’s hard to think whether this would have been as successful if their infrastructure was traditionally implemented.

“Going Cloud” Is The New Normal.

Start-ups typically build their infrastructure or applications directly in the cloud with no physical presence.  This is so they can compete with the bigger organisations especially as they don’t have any of the pre-existing technical debt that more traditional organisations have.

Traditional larger organisations often have their own incentives to ‘go cloud’ as they simply struggle to compete with modern businesses.   Cloud services are compelling as it offers the ability to move quicker, fail faster, scale up and scale out!

Cloud Offers The Modern Approach

cloud table of pros

By opting for a cloud 1st approach you are taking advantage of the new way of thinking which is to ‘save on capital expense’ and adopt the new ‘operational model’ of ‘usage-based billing’.  This improves operations and reduces capital expense with the added benefit of being more efficient and more agile than traditional methods.   It’s far better to know what your spend is rather than estimate what it may be for future usage.

No need to purchase any physical tin any more.  Simply provision or de-provision services as demand requires.  With cloud you have so much more scale and agility than traditional methods.

It really depends on what your background is which determines whether your best suited to opt for a Cloud 1st approach or not.  Some systems are simply better off OnPrem for various reasons. Most customers adopt a hybrid model as they are coming from an onprem presence.  Hybrid offers you the best of both worlds.

Cloud Is A Continuous Delivery

Many IT partners perform ‘cloud deliveries’ but speaking from experience you never deliver it and that’s it.  Cloud is a continuous delivery.  Unlike traditional methods the rate of change is rapid almost under daily development.  When a cloud project is delivered it is important to ensure the appropriate functions are in place to ensure continued operations and development to enhance what is currently there.

Often cloud projects are delivered as a minimum viable product (MVP).  Very quickly the business sees the benefit and begins consuming the MVP cloud services.

MVP Pitfalls

pitfallThe problem here is that the environment often does not have the foundational pillars in place such as monitoring, management, availability or backup.  In addition, standards, governance and operational control may not have been defined or implemented.  Lastly as part of MVP project delivery there should be a section that includes operational service.  This is to ensure the environment continues to be maintained and that there are appropriate responses for specific events i.e. security.

When these areas are not considered at MVP it often leads the environment to suffer massive inconsistencies and incur huge costs.  Often organisations only realise this after many months later where the work required to remediate is quite substantial.  These areas are key to a successful delivery so it’s vital they are addressed at the early stages of MVP.

 

MVP Must-Haves

To consider moving your MVP delivery to the next stage you MUST have the following areas in place preferably BEFORE you add production workloads.

  • Monitoring (Security)
  • Management
  • Backup
  • Availability
  • Standards
  • Governance
  • Operational Controls
  • Desired State
  • Operational service wrapper

Of course some of these ‘Musts-haves’ may change to ‘Should-haves’ depending on the business requirement and the intention of the MVP environment.

To learn more contact Cloudmovement.

 

What you need to know when securing the cloud

Those companies considering adopting the cloud and those companies that already leverage the cloud should know one thing when it comes to security. There is no single cloud security approach.

Collectively there are a small number of companies that are not ‘ready’ to adopt their mindset of ‘cloud first’ as yet but having said that 80% of them have plans to increase investment in cloud adoption within the next couple of years. I think it’s fair to say cloud is not going away. Both Infrastructure-as-a-service (IaaS) and Software-as-a-service (SaaS) are two of the most used cloud services with an aspiration for Platform-as-a-service (PaaS) if possible.

Each cloud service offers a separate strategy model when it comes to security. I work with many different clients from public to private and health to finance sectors and one of the most common daily challenges I come across is the coming to terms with sharing your datacenter with the cloud provider (Microsoft, AWS etc) where you as the client now have a shared responsibility.

This is more of shift in mindset and requires education as to what you are responsible for and what the cloud provider is responsible for and typically what they are responsible for you must just ‘trust’ that they are protecting your services accordingly. Of course they do have a number of international and industry-specific compliance stands.

For example Microsoft Azure say

“Azure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards, such as Australia IRAP, UK G-Cloud and Singapore MTCS. Rigorous third-party audits, such as by the British Standards Institute, verify Azure’s adherence to the strict security controls these standards mandate.”

and Amazon Web Service say

“The infrastructure and services provided by AWS are approved to operate under several compliance standards and industry certifications. These certifications cover only the AWS side of the shared responsibility model; customers retain the responsibility for certifying and accrediting workloads that are deployed on top of the AWS-provided service. We Demonstrate our compliance posture to help you verify compliance with industry and government requirements. We engage with external certifying bodies and independent auditors to provide you with considerable information regarding the policies, processes, and controls established and operated by us.”
Standards include: CJIS, CSA, HIPAA, FedRAMP, FIPS, SOC 1, SOC 2, SOC 3, ISO 27001,ISO 9001, IRAP etc.

 

Final words.

It’s important to evaluate the security capabilities of the cloud provider’s native tooling before you go to the market place in search for other products.  You have to remember it’s more likely the cloud provider will have more scope in terms of coverage of their own product and any new features that come about than any 3rd party tooling.  As it stands no one product covers both Azure and AWS in terms of security in their entirety and believe me I’ve looked.  Therefore it’s important to set out appropriate skills within the security operations and information and risk teams so they know how to manage incidents and how to configure appropriate logging and monitoring alerts etc.

GDPR Readiness – In The Cloud

GDPR IN THE OFFICE

 “While the overwhelming majority of IT security professionals are aware of GDPR, just under half of them are preparing for its arrival, according to a snap survey of 170 cyber security staff by Imperva.”

Many of you would have had that initial conversation about your company having to adhere to the new GDPR regulations around protecting personal data and identity tracking etc.

WHAT’S GDPR?

GDPR stands for “General Data Protection Regulation (GDPR)” and will be enforced from 25 May 2018. It was put together by the European Commission to reinforce data protection and give people more control over how their personal data is used. Companies like Facebook and Google etc swap access to people’s data for use of their services so it’s now essential to have methods to protect our data and offer visibility over where our data is located. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that.

 GDPR REASONING

Having said that GDPR should also offer companies a clearer and simpler legal environment in which to operate making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).

By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.

While your business tries to understand the legal implications of the new legislation it is up to I.T to incorporate robust technological solutions in place to meet the GDPR obligations.

 “nearly a third said they are not preparing for the incoming legislation, and 28% said they were ignorant of any preparations their company might be doing.” – Imperva

WHY SHOULD I BE INTERESTED?

There are two main reasons why you should be sweating the deadline for GDPR compliance.

  1.  The potential for high cost on achieving GDPR compliance
  2. The potential loss of customer data as the fines can be as high as 5% of your companies annual revenue! Enforcement will be extremely expensive. That’s why the fines for non-compliance will be enormous — to pay the salaries of those monitoring, investigating and enforcing the regulations.

HOW DO I GET READY FOR GDPR IN THE CLOUD?

When working with Cloud Service Providers (CSP) such as Microsoft Azure, AWS, Google, IBM etc it is important to note that there are some responsibilities that you own as the customer and some responsibilities that the CSP owns. It is important to know what in the realms of GDPR you are responsible for and what is covered by your CSP.

There are about 4 steps to the process of preparation that include:

  1. Discover – Find out what personal data you have and where it’s located
  2. Manage – Control how personal data is used and accessed
  3. Protect – Enforce security controls to prevent, detect and respond to vulnerabilities and data breaches
  4. Report – Keep required documentation, manage data requests and provide breach notifications.

Whilst I work with customers to help educate and direct them to become “GDPR ready” it’s important to note that with a combination of processes and tooling you can become GDPR ready within your own organisation.

Get started now by incorporating strategies around Data Security, Access Management and Data Protection.

Deadline 25 May 2018

Cloud based security adoption – Web Application Firewalls

WAF Security

Cloud based WAF Security

So you are planning to move infrastructure services to the cloud or you are already operating in the cloud and require extra security provisioning around your web application services (http/https) traffic.  You have come to the conclusion you want a Web Application Firewall (WAF).  This is  a good start as some customers often think they are protected with only a Firewall which they are but not to the level of a dedicated Layer 7 Web Application Firewall.  Then there are the customers that simply don’t know the difference between the two.  Let me explain briefly:

Cloud based Firewall

Put simply a cloud based firewall (aka Firewall virtual appliance) protects a group of computers on your network against unauthorised traffic by means of using a set of policies and ensuring traffic that passes through the firewall adheres to these rules else the packets are blocked.  A firewall operates on layer 4 at the packet level.

Web Application Firewall (WAF)

A WAF on the other hand is another type of virtual appliance that operates on a layer 7 level and should be deployed in front of your web applications / web sites where it inspects and monitors your http and https traffic to those backend servers.  All access to your web applications will pass through your WAF where the traffic will be inspected to determine whether the traffic should be passed through or blocked according to a core rule set that’s taken from the OWASP 3.0 or 2.2.9 rule sets.  OWASP is made up of a set of detection rules that protect against the top 10 common threats such as SQL injections, Remote Code Execution, Cross Site Scripting etc.

To be considered a WAF adhering to OWASP should be considered an essential.

Consider this when evaluating your vendors.  There’s plenty more to consider which is further expanded on here: Comparing Cloud Web Application Firewalls 

Choosing a WAF

Now we know what a WAF is it’s time to think about what is important when deciding on one.

There are approx. 3 things that differentiate a cloud based WAF from a traditional on-prem firewall.  That is scalability, extensibility and availability.

  • Scalability
    • Being a cloud based virtual appliance means WAFs can scale according to business demand far greater than the traditional on-prem.  This is common amongst most cloud service providers.  From an enterprise perspective this scale comes into play when the bandwidth increases unlike on-prem devices that would require a device replacement to cater for the increased traffic.  Traditionally if you were under a DDOS attack and the throughout from the attacker was so great that it maxed out the support levels of your WAF would still result in your backend web servers being attacked because the WAF would be crippled by the overload. this is exactly what you don’t want.  It is far easier to manage this when opting for a cloud based WAF as scale is far easier to implement (behind a load balancer).

 

  • Availability
    • Cloud based virtual appliances such as a WAF mean vendors can offer SLAs such as >99.99% high availability because the underlying infrastructure consists of fully redundant power, network services and backup and DR strategies particularly as the underlying services are hosted by big players such as Microsoft and Amazon cloud services for example.

 

  • Extensibility
    • One of the fundamental benefits of hosting services in the cloud is the luxury of being able to provision your virtual appliances anywhere where you have a protected communication path.  Traditionally deploying your physical on-prem WAF device would incur upfront capital expense and require both room in the datacentre and out-of-band-management access.  Cost would be increased for HA of of course.

 

 

What your business needs to know about Cloud security

It’s time.

Time we evolve and move with the times.  Regardless to whether your I.T services are on-prem or in the cloud or hybrid it’s time to take note before it’s too late.

Time to protect our businesses and organisations from the ever growing cyber attacks.  We’ve seen it in the news affecting NHS we’ve seen it cause serious disruption at large firms including the advertising giant WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft.  It’s held no mercy on affecting public and private sectors across the US and Europe.

The pace and frequency of the attacks have developed momentum and now become a highlight in main stream media.  Clearly disruptive it goes to show these types of attacks cannot be ignored.

 

It’s important to have your IT Services risk assessed now.

It’s important for your organisation to distinguish critical data and provide protection against such threats.

It’s important to know that in the event of an attack that your systems can identify and detect abnormal behaviors around your cloud applications and files etc.

This type of granular detection sits on top of your already deployed intrusion detection system and intrusion protection system….intrusion what?…..

 

Make the discovery before it’s too late and move with the times to save lives and your business.

 

It doesn’t have to cost a lot for you to save a lot.  Cost is not everything when you compare the sensitivity of your data.  For the NHS this data can save a life and by losing data you are risking life.

Without a doubt whether the public sector likes it or not they will be forced / bullied into the evolution of their I.T services by such attacks.  They will only continue for as long as they remain vulnerable.

Be warned, make the discovery.

Reference: https://blogs.technet.microsoft.com/enterprisemobility/2017/07/12/ransomware-detection-with-microsoft-advanced-threat-analytics-and-cloud-app-security/

 

Cyber security in Healthcare

Healthcare organisations have increasingly been targeted where initial attacks commonly go unnoticed.  It is no surprise to many hospitals lack new technologies and best practices to defend against such threats which is what makes them the perfect victim.

This can leave organisations vulnerable to losing highly sensitive information, costing you time, money, patient satisfaction, and valuable resources.

 

Cyber-attack’s have been seen to lock staff out of their computer systems, resulting in many hospitals having to cancel or delay treatment for patients.  I’m referring to the recent Ransomware attack that affected many British National Hospitals.  This is only one method of a Cyber attack and there will be a steady increase i imagine.

 

I’m keen to encourage organisations to move to the cloud it is important for me to educate organisations especially healthcare organisations to make them aware of the risks so I can help them identify and reduce threats to data security and privacy across their infrastructure.

 

Devising a framework is the first step to help protect devices, Operating systems and sensitive data against ransomware attacks, malware and cyberattacks.

 

With the steadily increasing attacks on the public sector it is vital that the patients and healthcare users can be confident that their information is protected from such cyberattacks.

 

3 B’s is a strategy i use to focus my efforts around that include:

 

Block – The first point of defence is to block attacks that reach your perimeter.  Tools such as Exchange Online Advanced Threat Protection (ATP) & Microsoft Active Protection Service (MAPS).  By enforcing these technologies you raise the complexity for cyber attackers and can prevent breaches.

 

Barricade – In the event an attack gets past your perimeter it’s critical where possible to contain the attack.  To protect administrative access you can leverage Secure Privileged Access (SPA) as well as using Windows Defender as the anti-malware capabilities for real-time analysis and response.

 

Backup  – In an effort to ensure business continuity it’s important to ensure correctly configured backups are in place where Microsoft can further protect in their own datacentres rending the data inaccessible to attackers.

 

Healthcare often measure their IT strategy based off their local regulatory compliance check list however it’s about time they go beyond the compliancey checklist and expand into the following areas to help mitigate vulnerabilities and risk:

 

This list has been extracted from Microsoft and serves as a best practice framework to measure the Cybersecurity plan within the public sector or healthcare organisation:

 

  • Develop a “where used” matrix (“Do you know where your data is?”)
  • Employ a data backup and recovery plan for all critical information
  • Perform and test regular backups and isolate critical backups from the network □ Include recovering from a cyberattack in disaster recovery plans
  • Use a different communication mode if breached (hackers may be listening on the current system)
  • Employ an end-to-end data encryption strategy; control your encryption keys □ Ensure business associates are working with your security and compliance needs
  • Employ analytics in your security (behavioural, machine learning, partner information, advanced □ threat analytics) □ Work to minimize “Shadow IT,” still a major challenge □ Whitelist apps to help prevent malicious software and unapproved programs
  • Keep software up-to-date with the latest patches and support
  • Keep anti-virus software current □ Apply the “least privilege” principle to all systems and services
  • Educate users, patients, affiliates, and others
  • Restrict permissions to install and run unwanted apps