FEIQUE and ATICAV make available to their members E-Qualify Corporate, the free cybersecurity self-assessment tool
This post is only available in Spanish
This post is available only in Spanish
According to data provided by INCIBE (the Spanish National Cybersecurity Institute), Spain was the third most attacked country in the world in 2017 with 120,000 incidents, behind only the United States and the United Kingdom; and everything seems to indicate that 2018 has exceeded this number, since by the end of August 88,677 incidents had been managed, of which 83,165 (94%) corresponded to citizens and businesses and 5,512 (the remaining 6%) to the academic network and critical operators.
This increase in threats, together with the pressure exerted by General Data Protection Regulation (GDPR) compliance, in force since May 25, 2018, has forced companies to become aware of the need to manage cybersecurity and to define responsibilities for it.
In this cyber risk and regulatory compliance scenario, business organizations should appoint new managers such ...
The title may seem pretentious, but several of the presentations during the 3rd Annual Third Party & Supply Chain Cyber Security Summit, held on 7 and 8 February in Barcelona, have shown the motivation that led Antonio Ramos a few years ago to create the control framework and rating methodology that gave rise to LEET Security.
Although still young, this third edition had more than 75 participants from 15 countries, with the presence of international companies such as Bank of America, BBC, IKEA, Freddie Mac, KPN, Galp or Swisscom, as well as Caixabank, Santander Group, Banco Sabadell or Amadeus; LEET Security participated as a sponsor, along with Bitsight, NormShield, One Trust and SIMS Recycling Solutions.
We were especially struck by the presentation of Marc van Kasteren ...
Cyberattacks such as NotPetya or WannaCry and individual incidents such as the Equifax data breach in September 2017, or the cyberattack that caused the US pharmaceutical company Merck damages of 260 million dollars, have led companies of any size to consider taking out cyber-risk insurance as a measure to mitigate the economic losses caused by a cyber incident.
The threat posed by a cyber risk is as real as the physical threats to a company's tangible assets. This is why it is understandable that companies consider transferring the risk they cannot control, for example by taking out cyber insurance.
The estimation of both the technological risk, which affects business process continuity, and the cyber risk related to intangible aspects of the ...
In Spain, as everybody knows, most of the business fabric is made up of SMEs. According to data provided by the Ministry of Employment and Social Security, in June 2018 Spain had 1,312,813 companies, of which 87% are micro-SMEs (1 to 9 employees), 11% are small companies (10 to 49) and 1.9% are medium-sized (50 to 249 employees). Only 4,578 are large companies with more than 250 employees.
Studies by recognized entities in this field, such as the Ponemon Institute, show that SMEs are increasingly vulnerable to cyber attacks. The report published by this organization in 2017 shows that up to 64% of the companies interviewed declared having suffered a cyber attack, of which 54% ended in information leaks. And only 55% of the respondents in the ...
Currently this entry is only available in Spanish
As we discussed in the previous post, the European Banking Authority (EBA) in its report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process, includes a section describing how to inspect technology risk management within the framework of global operational risk management.
This assessment will be obtained from different sources, including the activities, reports and results of the entity's risk management, risk self-assessments and ICT controls, periodic reports on ICT risk, specific information on incidents, and the results of internal and external audits related to ICT.
The EBA defines its ICT risk assessment method with controls that match those of other information security frameworks, adapted to the distinctive features of financial institutions. For this purpose it establishes 4 stages:
A first approximation of the impact produced by ICT risk on ...
The European Banking Authority (EBA) published in May 2017 the guidelines to be followed by the competent authorities (the Bank of Spain in the national territory) when supervising ICT strategy and governance, as well as when evaluating exposure to technological risk.
These Guidelines have been developed by the EBA on its own initiative and in accordance with the provisions of Article 16 of Regulation (EU) No 1093/2010. They have been mandatory since January 1, 2018 for those competent authorities, such as the Executive Commission of the Bank of Spain, which decided to adopt them on November 7, 2017.
In short, we are facing the governance and ICT risk management rules by which European banks, including Spanish banks, are assessed. It is important to note that in these Guidelines the proportionality principle applies to the scope, frequency ...
This content is only available in Spanish.
Sorry, this content is not currently available in English
According to the study "Organizations and Cybersecurity" recently published by LEET Security, 87% of Spanish managers are concerned about the cybersecurity of their companies. And they have good reason, since almost 60% of these companies claim to know they have suffered a cyberattack.
Until a few years ago, many of these managers were relaxed because they did not consider their business to be of special interest to cybercriminals. But the exponential growth of cybercrime in recent years and its widespread coverage in the media, together with the growing dependence of business processes on technology (digital transformation), have made companies more concerned about the economic losses derived from service unavailability, and almost 70% of general management is now involved in this matter.
When we observe other studies, like the New Threats, New Mindset: Being Risk Ready in a World ...
I remember that Julio Linares, at a Telecommunications Meeting in Santander some time ago, was the first person from whom I heard the expression "Internet of things", which at that time sounded tremendously shocking to me. Now, IoT is one of the most frequently used acronyms in technological environments. According to the ENISA definition, the Internet of Things is a cyber-physical ecosystem of interconnected sensors and actuators that enable decision-making.
Today, the Internet of Things is an enabler of intelligent infrastructure that provides advanced functionalities to business processes and facilitates the provision of higher-quality services. In this sense, it is important to understand that the IoT means something more than gathering, transporting and analyzing information. IoT projects have a direct impact on process improvement and on the decisions that directly affect the business, which results in an obvious improvement in ...
In response to the need of service providers to demonstrate their security level to their customers, in 2011 the American Institute of Certified Public Accountants (AICPA) created the Service Organization Controls (SOC) framework, which replaced the former SAS 70. Its objective is to help IT service providers build trust in their processes and in the security assessment controls they apply.
SOC encompasses three report types, which we referred to in a previous post. The reports are written by independent and external auditors, and their objective is the certification of the quality and effectiveness of the selected and applied controls.
Regardless of its effectiveness as an evaluation mechanism, the SOC 2 Type II report is not easy to read for someone unfamiliar with the service. That is because it requires a thorough knowledge of its internal operation, and always ...
Looking back on some of the most notable cyberattacks that have taken place in recent history, we are led to reflect that even today many companies, especially some very relevant ones, still do not effectively apply the minimum security measures, let's say "the basics", that should be included in any cybersecurity program.
Reviewing the security breaches found in two of the cybersecurity incidents with the most media coverage in recent years, we observe the following:
The Panamanian law firm Mossack Fonseca suffered the exfiltration of 11.5 million internal documents, bringing to light the involvement of a large list of international personalities in opaque company registration, and in tax evasion.
Weaknesses pinpointed in the IT infrastructure were the following:
• All the firm's services were hosted on the same server: customer documentation access, public website, and ...
Among the actors involved in the new GDPR regulation, the controller and the processor (usually third-party suppliers) stand out for having a more active role and for acting directly on personal data.
It is interesting to observe the difference between the two figures because, although they have different tasks within the data processing, they are often confused. While the controller is ultimately responsible for guaranteeing the security and privacy of personal data, the second actor is the one who directly operates the data processing. The processor always acts on behalf of the controller, and must be chosen in such a way that it offers sufficient guarantees to apply appropriate technical and organizational measures.
Service outsourcing is a widespread practice in all kinds of organizations. This practice has many well-known advantages, but in the case of personal data ...
In this second post in our blog about the contribution of LEET Security to efficient compliance with the GDPR, we discuss an aspect that will be of interest to those who must provide security by design (how?) for the data processed.
The Regulation establishes that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate" (Art 32.1). This is a consequence of the accountability principle, which permeates the whole regulation. But, unlike the well-known LOPD, it leaves in your hands, and without any reference model, the determination of which measures are appropriate.
The flexible control framework by LEET Security offers an unbeatable tool for controllers and processors when applying both the organizational measures ...
Published final report with recommendations
Following the European Banking Supervisors guidelines on outsourcing (CEBS directives), and in accordance with Article 16 of Regulation (EU) No 1093/2010, the European Banking Authority (EBA) published on December 20th, 2017 the final report with its recommendations on outsourcing to cloud service providers. The recommendations will apply from 1 July 2018.
Within the package, security measures constitute a key aspect for risk management. These include the need to identify the appropriate level of protection to ensure confidentiality, integrity, availability, and traceability of data, the right to audit and the development of contingency plans.
Below is a summary of the recommendations:
Another relevant aspect addressed by the EBA recommendations is the risk associated with chain outsourcing. Along these lines, the service provider should only subcontract with a third party that meets all the requirements.
How can ...
Commission Implementing Regulation 2018/151, published on January 30th, defines the technical and organizational controls that digital service providers (i.e. online marketplaces, online search engines and cloud computing services) have to adopt under Article 16 of the NIS Directive (2016/1148).
It is a really simple document with only 5 articles, of which, discounting the subject matter and the entry into force, we are left with only 2 articles devoted to evaluating incident impact for notification purposes and 1 [yes, one, you read that right] for the security measures that digital service providers have to implement (Article 2, Security elements), which is the focus of this post.
The obligations that this article defines for this kind of provider in Europe are the following:
Last December 6th ended the feedback period that the European Commission opened on September 13th for its proposal for a regulation on ENISA and ICT cybersecurity certification (reference COM(2017)477). In total, 32 organizations gave their feedback, as can be consulted on the Cybersecurity Package website. The objective of this post is to share our feedback but, before that, we would like to highlight that, of the 32 opinions submitted, 11 came from Belgium (since that is where many lobbies and European organizations are based); after those, 5 opinions were sent from France, 3 each from the UK, USA and Germany, and only 1 from each of the remaining countries (Poland, Portugal, the Netherlands, Denmark, Finland, Czech Republic and Spain)... So our first reflection would be: given that the opportunity is offered to provide feedback on upcoming regulation, why not be more ...
We continue today with the section named #ratingenthusiasts, in which we include the opinions of relevant people we have talked to about #securityrating.
In today's post, we have Eduardo di Monte. Eduardo is Cybersecurity and Business Continuity Chief of Agbar Group (Suez Spain) for Spain and Chile. Eduardo is a Telecommunications Engineer and holds an MBA from the EuroMBA Consortium; he is a specialist in industrial cybersecurity (IoT) and business continuity. With more than 13 years of experience, he has spent the last 8 years working hard on the cybersecurity aspects of automation and industrial control systems, especially on processes supported by critical infrastructures. He has combined this dedication with crisis coordination and the implementation of resilience and business continuity models for critical processes in industrial environments.
1. Is outsourcing of services typical in your organization?
Apart from the fact that every IT department has limited ...
(This entry is cross-posted in CERTSI_ blog)
As explained in the first post of this series dedicated to the C4V model, the cyber security level of outsourced services is key to assessing the cyber security capabilities of any organisation: it is no use increasing the cyber security level of an organisation if its suppliers' levels are not as high because, as goes without saying, "security is as strong as its weakest link".
In this sense, the C4V model is based on the same idea as the other ENSI elements: providing CERTSI users with tools to improve the protection level of critical infrastructures.
So, how is C4V used to protect the value chain? As the model itself shows, C4V is expected to be used as part of the supplier-risk management model that the operator has to implement. For those not ...
(This entry is cross-posted in CERTSI_ blog)
The outsourcing of processes is not something we can consider new. In fact, the contrary is true. And in particular, as it applies to ICT (Information and Communication Technology), it is common for at least part of our systems to be accessed by third parties or managed directly by third parties. The range of options is broad, encompassing maintenance of equipment, remote operation and administration, on-site and remote support, maintenance of applications, and all of this without taking into account other types of third parties (whom we could refer to as unrelated) who, without access to our information systems, do store and/or process information on their own systems (consultants, auditors, general consultants, etc.).
Even critical operators are not immune to this phenomenon, considering that, moreover, many industrial environments are affected ...
Recently, ENISA has published version 1.0 of a document that seems highly interesting, titled "Indispensable baseline security requirements for the procurement of secure ICT products and services" (link).
It is a document elaborated by a group of experts appointed by different Member States (in particular, by Austria, France, Germany, Czech Republic, Spain, the Netherlands and Finland) that is applicable to service providers.
Before mapping the security requirements listed in the ENISA document to the LEET Security methodology, let us introduce some reflections about it:
In December 2016 ENISA published the report "Challenges of Security Certification in emerging ICT environments" [PDF], in which it analyzes the certification scenario in five sectors: energy, water transport and rail transport, ICT and health care.
The objective of this post is to comment on some of the conclusions of that report:
"...without an EU approved standard, harmonised testing and corresponding certification..."
It is clear that the possibility that a certification issued in one Member State can be used in another should exist. Nevertheless, the approach we should take is not that all Europeans speak Esperanto but, considering that many languages are going to coexist in Europe, that we are able to translate French into English, English into Spanish and then into Italian.
In this way, instead of trying to reach a global agreement -which is going to be really ...
This entry is only available in Spanish
In issue 4 of the ISACA Journal, the article "Managing Cloud Risk. Top Considerations for Business Leaders", written by Phil Zongo, was published. Among other references, the article echoes a document from the Australian Prudential and Regulatory Authority (APRA) that raises a concern about the reporting of cloud risks to Boards of Directors in regulated entities, because it focuses on benefits and forgets the associated risks. For APRA, it is fundamental that the Board analyzes whether the risk is aligned with the business strategy and risk appetite of the organization.
This balance between cloud risk and risk appetite needs to take into consideration information like:
Last 17th of May, we had the opportunity to participate in the reference cybersecurity event for the Polish government administration, CyberGOV2016. This event brought together almost 340 participants, and the keynote speaker was Vladimir Nowak, Plenipotentiary Minister of the Ministry of Digitalization, who announced the creation of a national CERT to coordinate incident response at national level and to coordinate with the rest of Europe (in relation to the NIS Directive). Also related to this Directive, Jakub Boratynski from the European Commission took part in the event (remotely from Brussels), summarizing the Directive text and its main implications for Member States.
Another moment of great interest was the presentation of the review, carried out during the past year by the Supreme Chamber of Control, of the cybersecurity situation in six public bodies, which shows that the Polish State ...
Yesterday, April 3rd 2016, a TV station and a digital newspaper broke the news with the initial details of what will be much wider reporting: after almost a year of "investigation", the ICIJ (International Consortium of Investigative Journalists) brought to light the "Panama Papers", revealing the secrets of the creation of companies in tax havens.
We write investigation in quotes not to question the journalistic work; on the contrary, it is really impressive to read that nearly 400 journalists from a hundred different media outlets have been working together, well synchronized, to obtain and publish all the information they are now releasing.
What does this have to do with cybersecurity? Of course, journalists are not hackers ... or are they? In this case, they tell us that ...
Those of you who have analyzed ISO/IEC 27017 (or who are even certified in it) have seen that it is a standard that, based on the control repository of ISO/IEC 27002, adds additional controls specific to cloud computing.
Besides, it has the peculiarity that the added controls take into account the customer and provider roles, in order to provide guidance to one or both of them on how to implement all its controls.
Anyway, we would like to analyze control 14.1.1, Security requirements analysis and specification. For this control, the standard includes different functions for the previous roles:
(Article originally posted at Red Segurid@d - only in Spanish)
That the NIS Directive will mean a significant advance in cybersecurity in Member States once it is passed is beyond doubt. An integral approach across the EU, the need to report security incidents to national authorities (which are to be designated), and the setting-up of a network of Computer Security Incident Response Teams (CSIRTs) are its main elements.
But, by contrast, it will only require measures for improving resilience against attacks from organizations providing essential services (essential service operators), which includes digital services like search engines, online shops or cloud services, and, besides, it excludes SMEs according to the definition included in European Commission Recommendation 2003/361/EC, that is, those entities invoicing less than 10 million euros and with up to 50 employees.
This scope definition has a problem: It forgets that small or ...
Uptime Institute certifications for data centers are among the most recognized in the market and are often proudly exhibited by their holders. Who has not heard something like: "Our DC is Tier III / III+ / IV certified! So it is really secure…"
And, obviously, how can anyone raise any doubt about this statement? Well, at least we should have one: what type of certification do you hold? In fact, Uptime Institute issues four types of certifications:
Planning certifications take into account availability, reliability, capacity and performance requirements, together with the growth horizon, analyzing business drivers and also location selection, architecture, mechanical and support infrastructures.
Design certifications confirm the functionality and capacity identified in engineering and architecture specifications. These certifications ensure that plans have been defined to meet availability goals through analysis of mechanical, electrical, structural and location elements following ...
Sorry!! This post is only in Spanish
A few days ago, our founding partner, Antonio Ramos, visited IDGtv and was interviewed by Marlon Molina, Director of Computerworld University.
This time we will not say anything, but rather invite you to spare a few minutes to watch the video, with a quick and easy explanation of LEET Security and what we bring to the market: a closer understanding of cybersecurity and easier procurement of services, both for customers and for suppliers.
Here is the link to the video on IDGtv. We invite you to watch and share it.
Thanks to Marlon and IDG for this opportunity to talk about our security rating.
ISACA Madrid Chapter hosts its 38th Technical Event next October 28th (Hotel EXE Puerta de Castilla, from 17:30 to 19:30) on How to Minimize Risks in Client/Provider Relationships, sponsored by LEET Security and AUDISEC - GlobalSuite.
Antonio Ramos (@antonio_ramosga), founding partner of LEET Security, will open the event by introducing attendees to the concept of ICT services security rating. Next, José A. Lorenzo, General Manager of IDC España, will explain the market vision of Cyber Analytics in a specialized talk.
Next, as the central part of the event, there will be an Expert Panel on risk reduction between clients and service providers. A really good opportunity to learn first-hand the opinion and knowledge of BBVA, Aiuken, BT Global Services, Rural Servicios Informáticos (RSI) and Virtual Care.
Security rating as a key tool to drive companies to "digital transformation"
Duncan Brown (@duncanwbrown), Director of Cybersecurity Analysis for Europe at IDC, has published a report on how security rating of services builds trust and confidence in the digital transformation era that we are experiencing.
The report has a clear meaning and a message: information security is an increasingly worrying aspect of our economy, and companies are being forced to undertake a series of processes and activities, which were previously in the background (if not ignored), in order to control the inherent risks when contracting services with external suppliers.
IDC analysts have repeatedly stressed that uncertainty about security aspects is the main factor of concern when adopting cloud computing services (although their growth is 27% in 2014-2018).
As a knowledgeable expert in both product and services ...
IDC and IDG bring the new 2015 edition of the CIO Directions event. It will take place next September 29th, under the title: "The new role of the CIO and the IT Organisation".
According to IDC, this new role stems from the increasing direct responsibility of the business lines for the company's technological decisions. According to a recent analysis carried out by IDC, 43% of the business managers interviewed declared that they feel comfortable with IT projects within technological environments. Thus, business lines are financing 61% of these projects (in the scope of the survey), with or without the participation of IT.
Today we start a new blog section called #ratingenthusiasts, showing the opinions that very important people have about #securityrating.
[Interview only available in Spanish]
Llorenç Vives Ramis holds a Technical Engineering degree in Management Computing from the University of the Balearic Islands and is certified CISA, CISM and CGEIT by ISACA and CCS-G by the Agencia de Certificaciones de Ciberseguridad. He currently heads the IT Planning and Control area at Meliá Hotels International, where he is responsible for the management and procurement of IT services at a global level, as well as for the control and financial performance of the IT services received and provided to the business units globally. He has also carried out IT Security functions for 10 years at the company, being during ...
The right to complain is, in the end, what we are left with after a successful cyberattack (of course, I mean successful from the point of view of the hacker who carried it out).
And this is what the executives of Ashley Madison are doing with their press release published on 18th August, explaining that the data breach they have suffered is not a case of "hacktivism" but a criminal attack. In fact, nobody can doubt that it looks like a criminal act, but the result, in spite of them, is 10 GB of information from the last 8 years, including client data such as telephone numbers, addresses, transactions... including those of written-off clients (without considering the aftermath, true or not, that multiplies this quantity).
Now they claim that there are people who know the authors, and they invite them to report them. But, in the end, and independently of ...
The financial sector is without doubt one of the main investors in cybersecurity. And this is because the financial sector is one of the sectors most affected by cybercrime. This situation has led the European Central Bank, headed by Mario Draghi, to be especially worried about the capabilities of European financial entities to fight against cyberthreats.
During recent months, European financial entities have had to answer a (quite) long questionnaire sent by the ECB about cybersecurity that includes questions related to what mechanisms financial entities have implemented to prevent data theft by malicious (internal or external) users, or what controls they have to detect cyberattacks. And even, and this is what has most caught our attention because it is closely related to LEET Security's activity, what mechanisms financial entities are adopting to ensure that third-party providers comply with the security measures written down ...
As stated in the note published by Adif, yesterday at 06:00 "intermittent failures in traffic management operating processes" were detected that led to "delays in rail traffic [...] in the Barcelona and Girona provinces and part of Tarragona and Lleida. The incident has affected both the main system and the two redundant ones that are activated in case of incidents in the main system. This has led to momentary traffic stops, selective suppression of trains and delays in the service". This incident has led Adif to open proceedings against the company that provides the technology for the Barcelona Centralized Traffic Control, Schneider-Telvent.
We have considered it relevant to analyze this piece of news because it shows an issue that LEET Security considers essential in client-provider relationships: as the service provided is the client's responsibility, it is essential that the client has supervision mechanisms that allow ...
Some days ago, a column titled 'Trust in Cloud' was published in Cinco Días [Spanish]. In this column, something we completely agree with is highlighted: "Cloud service and provider selection is a strategic option that impacts companies' business".
For this reason, the author suggests considering the following aspects before taking the decision:
Of all of them, half (availability, security, financial stability and compliance) are elements included in the LEET Security rating, and the rest, except physical location, are operational aspects (connectivity, performance and service maturity) that, obviously, have to be considered by the potential cloud customer.
For this reason, we consider that rating is a tool that simplifies the use of cloud services due ...
Disappointment. That could be the word that summarizes our feelings after having contributed to the Cloud Standards Coordination (CSC) Working Group of ETSI (European Telecommunications Standards Institute), which was launched in December 2012 at a meeting in Cannes with the objective of helping the European Commission to "cut through the jungle of standards" and "to identify a detailed map of the necessary standards".
And why disappointment?
Basically because of two reasons:
It has been some time since the last post and it was time to post again. We have been working hard, so it has been difficult to find the time to come back and post. In fact, in recent weeks we have been contributing to some very interesting initiatives that have kept us completely busy:
Following our tradition of analyzing security documents that could apply to cloud computing, in this post it is the turn of the Jericho Forum(R) "Self-Assessment Scheme" (PDF). We find this scheme interesting because it applies a rating system, in this case with two levels.
This scheme is applicable for evaluating how a system meets the Jericho Forum's eleven commandments through a self-assessment carried out by the system provider itself, without validation by any third party (unlike the LEET Security methodology, which implies validation by the rating agency).
But, conceptually, we apply the same way of evaluating rating levels:
And we both also agree on the way of assigning rating levels:
Following our post about the "EU Cyber Security Strategy", we have analyzed the proposed European Directive on Network and Information Security that was published simultaneously.
Our general conclusion is that, if approved as it is, we will face a qualitative step forward in the way we understand information security in the EU, one that will position us as a reference in this field.
Nevertheless, in our opinion, there is some room for improvement that we would like to highlight in this post.
Proposed text does not consider organization besides "market operators" and public administrations and, explicitly, microenterprises. In our opinion, in a defense scenario like the one we are trying to improve, this means to leave weak links in the security chain that, could affect the overall level [security level is not an average, is the minimum of ...
Sometimes we are asked about the failures of rating agencies and whether a rating system could be a good approach for security evaluations. We posted about this some time ago, but we think it is worth commenting on the article titled "How Certification Systems Fail: Lessons from the Ware Report" (pdf), where Steven H. Murdoch, Mike Bond, and Ross Anderson give us an excellent view of the reasons that make certification systems fail.
This article, based on the report "Security Controls for Computer Systems" (pdf) (commonly known as the Ware Report, after the chair of the task force, Willis H. Ware), summarizes the facts identified in that report from 1970 (!!!!) that explain the failures in certification systems.
Basically, there are three main reasons:
DG Connect launched some weeks ago a web-based Public Consultation regarding the definition of future research priorities in Cloud Computing, Software and Services, ahead of the H2020 ICT Work Programme. From leet security, as developers of a security labeling system based on rating, we have sent our comments, which are attached below:
In addition to technical mechanisms that help reduce lock-in and improve interoperability, cloud services need an efficient way to negotiate the security conditions of services between users and providers.
Traditional approaches to audit and certification have proven to be necessary but not sufficient to build trusted relationships (they are expensive, complicated and not compatible between users).
One option could be a security labeling system that helps users understand the security measures implemented by providers, and helps providers show what security measures they are ...
The objective of this post is to think over how the Guideline published by the PCI Security Standards Council to clarify compliance with PCI-DSS when using cloud computing services (pdf: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf) affects ICT services security rating.
First, we would like to recall that the current security rating methodology includes special levels in the confidentiality dimension to show compliance with PCI DSS. Those levels can be distinguished by an asterisk (*); that is, services with a rating of C*-- or higher are suitable to store, process or transmit cardholder data according to PCI DSS.
That said, we highlight the contributions that rating makes to those who, using cloud services, need to comply with PCI DSS:
Recently, the European Commission published the Cybersecurity Strategy of the European Union (pdf), in which Catherine Ashton, High Representative for Foreign Affairs and Security Policy, recognizes how important this issue is.
We bring this document to our blog because it includes a concept that we consider of high importance to the security model we promote from leet security as a rating agency. We are talking about service labelling.
In particular, the Cybersecurity Strategy of the European Union includes an activity to be developed by public and private stakeholders called "Develop industrial and technological resources for cybersecurity" and, more specifically, in the chapter devoted to "Promoting a Single Market for cybersecurity products":
Develop industry-led standards for companies' performance on cybersecurity and improve the information available to the public by developing security labels or kite marks helping the consumer navigate the ...
Today is Data Protection Day in Europe and, as a security rating agency, we want to contribute to the events organized in Europe, but also in Spain. It is sad to say that privacy protection and doubts about vendor compliance levels are, evidently, holding back the adoption of cloud services by industry. For this reason, we have thought that our contribution to privacy today should be to recall how using a security rating service could help resolve these doubts. As we have commented before (link), to help potential cloud users choose the service that best fits their needs, leet has included specific ratings that serve to show compliance with data privacy legislation (at present, only with Spanish law). These ratings can be identified by the '+' character. In this way, services with a rating in the confidentiality security dimension of:
On some occasions, especially when the issue we want to analyze or study is complex or very new, it can be useful to use analogies. We say this because, to explain the use of the security rating model we propose, we like to draw upon a very everyday analogy: we compare cloud services with a hotel room.
You might tell us that we are crazy and that they have nothing in common, but if we think again about it, in both cases:
For those of you who do not know, we will start by explaining what SOC 2 reports are (successors to the famous SAS 70 reports). To begin with, SOC means Service Organization Controls and there are three types of them:
The difference between SOC 2 and SOC 3 reports is that, while the former includes a detailed understanding of the design of controls at the service organization and the tests performed by the service ...
As part of the ISACA series about cloud computing, we find the document "Security Considerations for Cloud Computing" (link), whose objective is to provide a practical guide and facilitate the decision process for IT and business professionals when deciding whether to move to the cloud.
We thought it could be interesting to analyze it because one of the main advantages of rating systems such as the one proposed by leet is, precisely, facilitating this decision making. The ISACA document is organized in four big chapters that collect, besides an explanation of the document itself, a brief summary of what cloud computing is, a general vision of the risks and threats related specifically to the cloud and, finally, the guide on how to evaluate the cloud's potential as an answer to business needs (providing decision trees and checklists). We agree with ISACA that the ...
The study collects opinions from 252 organizations of all types (users, service providers, integrators, and consultants) in 48 countries (mainly in North America and Europe), and concludes that, on the one hand, IaaS and PaaS are in their infancy and will need three years to reach the growth stage, while SaaS is almost at the growth stage, which it will reach in two years.
But, as the study states, "users need to be able to trust that services will meet their needs and provide a stable foundation [...] to better serve their stakeholders", and the ten issues that most erode this confidence in participants' opinion are the following (from more to less importance ...
Following our tradition of commenting on schemes similar to security rating to help understand it, we are going to analyze the aforementioned certification scheme developed by EuroCloud Germany (EuroCloud Deutschland_eco e.V.).
We must say first that we have carried out this analysis based on documents published on its website, in particular "General product information and pricing" (pdf) and "Quick Reference" (pdf), because the auditing guides are not public: there is a confidentiality agreement with clients covering the audit guide and scope [which surprised us a little], and these are explained in workshops organized by EuroCloud at a price of 600€ (which is deducted from the audit price if ordered in the following 6 months).
Below we explain the similarities and differences that we have detected across both documents:
We consider it a great success that ...
We have published today a post at the INTECO blog (in Spanish) about the certification proposed by the Cloud Security Alliance (CSA) together with the British Standards Institution (BSI) for cloud services security, based on CSA's Open Certification Program. The goal of this post is to analyze this certification from our perspective as a security rating agency.
We are glad to see that the use of levels as a mechanism to provide information is becoming common in the information security field. In this case, the CSA - BSI certification proposal also uses three levels (self-assessment, third-party audit and continuous audit), although the levels depend on the rigor of the evaluation rather than on the security controls, as they do in security rating.
Considering CSA's mission, the proposed certification is focused on cloud services, with the security controls evaluated being those included in CSA research material (basically ...
Following our trend, we are going to comment on the FFIEC (Federal Financial Institutions Examination Council) cloud computing public statement published last July 10 (pdf). First, we would like to highlight some ideas that we also support:
And, secondly, we have extracted the FFIEC statements and analyzed how security rating addresses them. We have summarized the analysis in the following table with three columns:
Some of you have asked us about similarities between the rating scheme and the Consensus Assessments Initiative (CAI) launched by the Cloud Security Alliance, so we have decided to write this post to explain the similarities and differences between them.
First of all, the Initiative is part of what is called the GRC stack, which includes other "pieces" like the very famous Cloud Controls Matrix (CCM) or the Cloud Audit Project.
Secondly, we must say that the Initiative has involved the development of a questionnaire (used as the basis of STAR - Security, Trust and Assurance Register) that we will explain in further posts.
The questionnaire that vendors should complete is divided into 11 areas, subdivided into 100 groups of controls and 197 questions about specific controls traced to very well known standards and guidelines such as CobiT, HIPAA, ISO27001 or FedRamp ...
This is the title of the new ISACA document related to cloud computing that was published last July. It addresses the issue of calculating ROI in order to correctly evaluate an investment in this kind of service, considering all the costs and gains involved.
We would like to highlight some aspects of this document from our perspective as a security rating agency, which helps to simplify ICT services procurement processes in general, and cloud computing services specifically.
Last July 1st, the Article 29 Working Party published Opinion 05/2012 on cloud computing (pdf). We thought it would be interesting to analyze it in detail from our perspective as a rating agency, considering the importance of these "opinions" and the relevance of their findings, especially the undoubted support they provide for trusted third-party services, such as security rating from leet security. We have divided the content of the opinion document into five parts:
1. Data protection risks. The document considers two main types of risks: lack of control over personal data and insufficient information about data processing. Contribution of rating: as we have mentioned before, rating being basically a transparency mechanism, it helps with the second identified risk by providing information to clients (data controllers) about the security measures implemented in the provider's (data processor's) processes.
2. Key drivers. The document identifies three key drivers: Security, Transparency ...
It is a document that quite succinctly covers the history and particularities of rating agencies (I prefer the Spanish term "calificación" to "rating" to avoid English terms whenever possible), or ECAIs (by their technical English name, External Credit Assessment Institutions).
As the document rightly notes, the importance of these agencies arose with the SEC's requirement to banks in 1936 to invest only in bonds that are not speculative according to these agencies, and with the use of those ratings from 1975 on to calculate banks' own funds, or that ...
Thanks to INTECO-CERT, we have analyzed the document published by the Fraunhofer Institute for Secure Information Technology regarding security in cloud storage services (link).
Basically, the document is a basic analysis of the security characteristics of a sample of this kind of service (specifically, CloudMe, CrashPlan, Dropbox, Mozy, TeamDrive, Ubuntu One and Wuala). We consider it a basic analysis because it only analyzes aspects related to the registration process, information transport and encryption, sharing mechanisms, deduplication and legal considerations, and only from the client perspective (without analyzing server security).
The main conclusions of the report are that:
Regardless of these conclusions, we would like to analyze the document from a methodological perspective:
Last week we had the opportunity to take part in the II Encuentro del CSA-ES, specifically in the round table that closed the event.
As we ran out of time to clarify some points, I would like to make here the comments I was unable to make there:
Last week the report "Cloud Computing. Retos y oportunidades" (link) by the Observatorio Nacional de las Telecomunicaciones y de la Sociedad de la Información (ontsi) was published. It is a tremendously interesting study that analyzes, for the first time in Spain, the impact of cloud computing on SMEs.
The aim of this post is to analyze that study from the perspective of a rating agency that works to facilitate the procurement of ICT services by generating trust through transparency.
First of all, some quotes from the report:
"Most of the companies surveyed that are cloud users (55%) are concerned about the confidentiality and security of the corporate data being managed. This problem is the main factor that makes SMEs ...
Yesterday we published a post on the INTECO blog titled "Gestión de riesgos en la cadena de suministro TIC" (ICT supply chain risk management). In that post we discussed an audit report by the US GAO on the risks present in the ICT supply chain (software, hardware and services alike).
That report highlights that, if we consider the provision of services by any organization as a value chain, there are links that are provided by external ICT companies (providers / suppliers) and that, obviously, an error, a failure or a malicious action on their part can end up affecting the outcome of the process. In other words, those providers' risks can become our risks if we do not anticipate this situation and build the appropriate firewalls or, where that is not possible, establish the necessary alternative mechanisms. These concepts ...
Choosing the service with the highest rating level (AAA) is a temptation, especially for security professionals, who always (instinctively) seek to assume the least possible risk. However, it is by no means the optimal decision.
So what is the best decision? Something that rating makes possible: choosing the service with the security measures (or, in other words, with the rating) that best fit our needs. That is, we need to understand what we want to use the ICT service we are going to outsource for, in order to identify which security requirements apply to it (depending on the regulations or internal policies that apply) and, consequently, which rating best matches our ...
FedRAMP (Federal Risk and Authorization Management Program) is the instrument created by the US government to facilitate the procurement of cloud services by the US administration. The program has been promoted by the departments with responsibility in this area: DOD (Defense), DHS (Homeland Security) and GSA (General Services Administration), through the creation of a joint body called the JAB (Joint Administration Board), which would be somewhat similar to the Payment Card Industry Security Standards Council, since it performs similar functions, namely, fundamentally:
A couple of days ago, Antonio proposed on his blog an exercise to define what we do in a curious way... through a pseudo-haiku with the structure: Who do we help? / What do we do for them? / Why do they need us?, originally proposed at the [non]billable hour. We have also dared to try, and here is our proposal:
We help the IT market simplify service procurement processes through the transparency we provide
What do you think? Did we manage it?
Last week, the European Network and Information Security Agency (ENISA) published this document, subtitled "A guide to monitoring of security service levels in cloud contracts" [pdf], which, as its name suggests, sets out guidelines to help those who want to contract this type of service define how this monitoring will be carried out.
The document identifies eight major chapters...
Along with exciting new opportunities, cloud computing presents new challenges for both IT professionals and business managers. The former have to change their mindsets from an internally provided service to an outsourced one, and the latter have to consider security issues in their decision about moving to the cloud.
But both parties share one request: due diligence in the process of service selection.
Due diligence will help organizations considering the cloud to clarify their risk posture, choose the cloud service that best meets their needs and avoid surprises down the road.
However, the due-diligence process is not an easy one. We should consider security measures implemented by the vendor, but also service-level agreements, compliance with different regulations, and a host of critical aspects regarding the potential vendor—financial stability, long-term strategy, experience in the field, human-resources policies, guarantees in case ...
Volume 6 of 2011 of the ISACA Journal included an article titled "Developing a Unified Approach to Information Security in Business Associate relationships" (ISACA members only) that we find worth commenting on, since it analyzes in detail the procurement of ICT services. Its authors, Michael R. Overly, Chanley T. Howell and R. Michael Scarano of the firm Foley & Lardner LLP, propose three tools to reduce the threats that new partners may pose, ensure adequate (documented) due diligence and provide remedies in case of compromise:
What we would like to highlight is that the authors include, among the information to be obtained in the selection process, data such as corporate responsibilities, insurance coverage ...
A few days ago, Joseba Enjuto's blog Seguridad y Gestión shared a post titled "Ceder la seguridad a la nube" (Handing security over to the cloud) that we found very interesting. In that post, Joseba raises the doubts that usually exist about contracting cloud services and what will happen to the security of those services.
In our view, Joseba's opinion clearly reflects the situation that cloud service providers currently face when they approach their customers. Moreover, as Joseba rightly says (an authoritative opinion, being the security expert he is), a situation of distrust arises. From our point of view, this distrust does not mean that the security of ...
Thanks to the Infosec Island blog we came across the "Report on the state of cloud security" (pdf) recently published by Alert Logic, which, according to the authors, will be issued every six months.
That report analyzes data relating to 2,200 million events and more than 62,000 incidents handled by Alert Logic at its customers, to compare the situation between service providers and in-house installations, all with the aim of answering the typical question: what is more secure, managing systems internally or in the cloud?
Well, the conclusions of this first report are clear: "Service provider environments show lower occurrence rates for all classes of incidents analyzed", and that despite ...
Anyone familiar with personal data protection knows that outsourcing services is not trivial. Tasks can be delegated, but not responsibility: responsibility cannot be delegated. And for those who had any doubt, article 20.2 of the Regulation implementing the LOPD (pdf) leaves no room for doubt:
"When the data controller contracts the provision of a service that involves the processing of personal data subject to the provisions of this chapter, it must ensure that the data processor has the guarantees needed to comply with the provisions of this Regulation"
Thus, there is no doubt that, when outsourcing, the data controller must carry out an adequate selection of the provider ...
Last week, Amazon announced Amazon Web Services GovCloud, a new cloud service that steps up "the security and access features of its cloud services in an effort to attract more government agencies as customers". This is a clear example of a trend that, in our opinion, is going to be the normal evolution of cloud services.
At this moment, clients face a very standard set of cloud services and very few options to adapt the service to their needs (imagine entering your car dealership and not being able to choose between different colors, tires, engines...). This is especially important with regard to security issues, so we think that rating could be a very useful option for providers willing to segment their offer.
Thanks to rating, a provider could offer basically the same service but with different ...
ISACA has just published the book "IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud" (pdf for members only; everyone else will have to buy it), in which it analyzes how to apply its previously published materials (COBIT, RiskIT, ValIT and BMIS) specifically to the problems of cloud computing.
We would like to highlight some aspects of the document that relate to our activity as a service rating agency.
First, when analyzing the challenges of cloud computing, it mentions some on which the use of service rating could have a very positive effect. We are referring specifically to:
In these times, and after the role that credit rating agencies have played in the current financial situation, many wonder whether rating is still an adequate method for bringing transparency to markets.
leet's view is that we should not confuse the errors that may have occurred in implementing the mechanism with the validity of the mechanism itself. It would be like saying that banks are no longer an adequate way to channel investment in the financial system; rather, what should be said is that the incentive mechanisms and the market rules need to change.
Video of the talk at the last Rooted CON where we explained how the rating system can be applied to the acquisition of ICT services: Antonio Ramos - La asimetría en el mercado de la seguridad (Rooted CON 2011)