Compliance

To Cybercriminals, The Size of a Company No Longer Matters

Gone are the days when it was thought that the size of a company mattered to cybercriminals. The PwC Information Security Breaches Survey 2013 shows a significant rise in the number of small businesses attacked by an unauthorized outsider in the last year, up by 22%, while the figure for large organizations rose by only 5%. Cybercriminals have moved on to stealing intellectual property and corporate secrets, because that is where the real money is, and small companies become easy targets as many do not have the resources or budgets to fully protect their information.

It’s time to understand the differences between corporate secrets and custodial data.

Safeguarding Patient Information During Crisis

In light of recent events I have reflected on how valuable electronic health records (EHR) and health information exchange (HIE) participation can be in a time of crisis, giving immediate access to critical, life-saving data on the victims involved. EHRs not only allow first responders to quickly access victims' healthcare information, but also allow for more accurate ambulatory, ER and clinical decision making in life-or-death situations.

The Changing Nature of the Threat – 2013, Part 2 – Migration to the Cloud

A thorough risk assessment should be carried out by customers to ensure that the benefits of moving to the cloud outweigh the potential security threats. Techniques such as a privacy impact assessment (PIA) and the 'Plan, Do, Check, Act' cycle are recommended to ensure a moderate but comprehensive change. Evidence shows that customers may have trouble meeting their legal obligations when their data is hosted outside their local jurisdiction, which in turn raises questions about the effectiveness of existing risk governance frameworks. More evaluation is needed to assess the real and the apparent risks in order to protect both customers and cloud service providers (CSPs).

Bringing ERM to PCI: PCI-DSS Risk Assessment Guidelines

In mid-November, the PCI Security Standards Council released its Risk Assessment Guidelines as a supplement to the PCI Data Security Standard (PCI-DSS). Expanding on the requirements outlined in section 12.1.2 of the PCI-DSS, the new document provides further guidance on the techniques and methods organizations should consider when addressing this requirement of the standard. Checking the box on “Do you have a risk management program?” will not be as simple as before.

Where’s my Data?

According to a recent report by Icomm Technologies, 70% of cloud data centers keep customers in the dark about where their data is stored. To me that is a pretty scary statistic, particularly as organizations are rapidly deploying cloud storage services and there does not seem to be any evidence that organizations holding sensitive or confidential data are refraining from doing so. This statistic should set alarm bells ringing, especially in the EU, where organizations that store citizens' data must be able to show where that data is stored.

Be Secure, Be Confident in the Cloud

Intel recently announced the Intel Xeon Processor Series that helps enable comprehensive and verifiable security and compliance in cloud environments. With these technologies Intel is providing a foundation to make cloud deployments suitable for increasingly sensitive workloads.

Learning to cook – Bake a Trusted Cloud Part 2

Proving that the physical and virtual infrastructure of the cloud can be trusted can be prohibitively difficult, especially when the cloud services come from an external service provider. Verifying secure conditions in the foundations of the cloud matters for a simple reason: if organizations cannot trust the safety of their computing infrastructure, the security of all the information, applications and services running on top of it falls into doubt.

Learning to cook – Bake a Trusted Cloud Part 1

Most of my friends and colleagues know that I like to cook so I will be doing a series of “recipes” in the next few weeks to address some of the key challenges based on conversations I am having with major organizations. So, to get started, here is part 1 on Creating a Trusted Cloud.

Are Global Cloud Service Providers going to shy away from Europe?

Today's security standards are based on historical, legacy information technologies and do not necessarily address cloud computing environments effectively. Attempts to update them are an improvement, but they will not produce a single standard, or even a small number of standards, that is viable across all borders and jurisdictions. So it is no surprise that the Cloud Security Alliance Summit at RSA Conference had a panel discussion on this topic. The panelists were Marc Crandall from Google, Baber Amin from CA, Chris Wysopal from Veracode and Ashvin Kamaraju from Vormetric.

RSA Archer: Only Platform to Achieve Leader Category in Both IT and eGRC Research Reports

With great pleasure (and a lot of pride) we want to announce that Forrester Research Inc., an independent research firm, has ranked RSA Archer as a leader in both the IT-GRC and eGRC platform categories! Not only is RSA Archer a platform leader in both categories, but RSA Archer is the ONLY vendor ever to be named a leader in both the IT-GRC and eGRC categories.