American Cyber Security Management

Secure and certify all your data and processes

GDPR: The Culture Challenge!

October 25, 2017 By Carlin Dornbusch

With the General Data Protection Regulation (GDPR) from the European Union (EU) nearing enforcement in May 2018, many enterprises still see it as a project rather than a privacy strategy. Here are some excerpts from conversations I have had with managers about GDPR:

  • “Since Safe Harbor failed we’ll see what happens with GDPR.”
  • “I don’t think it applies to us.” (This from a SaaS-based company.)
  • “We know this is very important, but we have so many other things to do.”
  • “We really need help here; this is a very big deal.”
  • “We have a project manager and myself, we need more help.”

GDPR implementations are still in their early days, and time will tell what the impact of non-compliance will be. However, it is clear that bringing the regulatory and compliance sides of the enterprise together with the product, marketing, and engineering sides is becoming more urgent. In an Agile culture of rapid delivery, integrated teams, and closer customer conversations, enterprises still struggle to fully incorporate their legal and compliance teams into the process. When was the last time you saw a lawyer in a scrum? Have your product owners ever engaged legal in defining a privacy model? It is hard enough to get security requirements into stories; how will enterprises incorporate privacy?

GDPR’s data subject rights will surely change how global enterprises handle the personal data of people in the EU (the regulation protects anyone in the EU, not only citizens). Many see this as a new default privacy model and embrace the change; others are still determining what it means for their organizations. In either case, GDPR shines a light on the opportunity for enterprises to integrate privacy, governance, and product in order to improve the quality of the services we all consume.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and at the EU GDPR portal: http://www.eugdpr.org/

If you need help realizing the benefits of GDPR or converting your GDPR project into a real privacy strategy, please contact us at American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

Filed Under: Cyber Security News

Secure DevOps: AWS Instance Creation via Automation vs “Golden” AMIs

October 23, 2017 By David Wolf

Why automating instance creation is a better and more secure approach than launching from “golden” Amazon Machine Images (AMIs)

A commonly used (“best”) practice is to use the AWS Amazon Machine Image (AMI) service to capture and store the complete contents of an application server instance running on Amazon’s Infrastructure-as-a-Service (IaaS) cloud. Typically, a DevOps engineer stands up and configures an instance by hand. When the instance is functioning as desired, the engineer creates what we refer to as a “golden” AMI: AWS snapshots the instance’s volumes into a registered image. That AMI can then be launched to create a duplicate server instance in minutes, with all accounts, services, and data ready to go, and any number of such instances can be launched with a click.

The problem with this approach is that the new server is only as secure as the image was the last time it was scanned and patched. Once created, the image never changes; the only way to “update” it is to build a new image. Meanwhile, new vulnerabilities are discovered almost daily across the OS packages and tools, as well as the containers, platforms, and frameworks that make up a modern, fully configured application server.

What was a fully secured application server when the image was created may well be a target for attackers by week’s end. You can run updates after launch to bring the server back into compliance, but then you have lost the real reason for using the image in the first place: your server is not truly ready to go after launch.

A better practice is to treat the construction of instances the way software developers have built code for the past twenty-plus years: iteratively, with testing, reporting, and notification, i.e. infrastructure as code. The approach is to automate the creation and configuration of the server and then test it for both functionality and security.

The DevOps team and/or IT SecOps should subscribe to the security advisories for the products and tools used by the organization’s application servers, so that the automation can be updated as soon as a fix is available. The vulnerability scanner and its signatures should be updated at least weekly so that new issues are caught and remediated. Once the automation source is updated, the fix is applied automatically to every server built from then on.

Every part of the server’s creation and configuration should be automated: a configuration management tool such as Ansible or Puppet applies instructions stored in a version control system such as Git, driven by a CI server such as Jenkins that ensures the automated functional and security tests are executed and reported on.

The automated creation of a new server begins with the launch of a base OS AMI. Once the new instance has finished booting, start with an update of the OS-level packages (e.g. sudo yum update -y) and install whatever the chosen automation tool (Ansible or Puppet) needs on the host. Next, apply security hardening scripts to limit the OS-level services exposed, and install antivirus and firewall services. Create the organization’s DevOps automation account with the appropriate public SSH key installed, and remove the image’s default account (ec2-user on Amazon Linux) only after the new account has been verified to work. At this point the server is ready for customization to support whatever tasks it is being provisioned for.

After the application customization has been completed by the automation, run the automated functional tests and security scans and review the results. Any issue detected should be corrected in the automation source immediately and a fresh server build kicked off; the previous server can then be terminated. Never hand-patch the running server: a fix that lives only on the box is lost on the next build.
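The bootstrap-and-verify procedure above, written as an Ansible playbook. This is an added example, not automation from the original post; it assumes an Amazon Linux / RHEL-family base AMI whose default login is ec2-user, an inventory group named new_instances, the ansible.posix collection (for authorized_key and firewalld), and the automation account’s public key in files/devops.pub. The vulnerability scan the post calls for runs as a separate pipeline stage after this playbook and is not shown.

```yaml
# build_instance.yml (hypothetical example; see assumptions in the text above)
# Run from Jenkins or a workstation:  ansible-playbook -i inventory build_instance.yml
- name: Bootstrap and harden a freshly launched base-AMI instance
  hosts: new_instances
  remote_user: ec2-user           # the image's default account, used only for this play
  become: true
  vars:
    devops_user: devops
    allowed_tcp_ports: [22, 443]
  tasks:
    - name: Apply all pending OS updates (the 'sudo yum update -y' step)
      yum: { name: "*", state: latest, update_cache: true }

    - name: Install firewall and antivirus packages
      yum: { name: [firewalld, clamav, clamav-update], state: present }

    - name: Create the DevOps automation account (key-only; the password is locked)
      user:
        name: "{{ devops_user }}"
        shell: /bin/bash
        groups: wheel
        append: true
        password_lock: true

    - name: Install the automation account's public key and remove any other key
      ansible.posix.authorized_key:
        user: "{{ devops_user }}"
        key: "{{ lookup('file', 'files/devops.pub') }}"
        exclusive: true

    - name: Let the automation account use sudo without a password
      copy:
        dest: "/etc/sudoers.d/90-{{ devops_user }}"
        content: "{{ devops_user }} ALL=(ALL) NOPASSWD:ALL\n"
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s      # never install a sudoers file that does not parse

    - name: Turn off password and root logins over SSH
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PasswordAuthentication, value: "no" }
        - { key: PermitRootLogin, value: "no" }
      notify: restart sshd

    - name: Run the host firewall
      service: { name: firewalld, state: started, enabled: true }

    - name: Open only the required inbound ports
      ansible.posix.firewalld:
        port: "{{ item }}/tcp"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ allowed_tcp_ports }}"
  handlers:
    - name: restart sshd
      service: { name: sshd, state: restarted }

# Second play: reconnect as the new account. If this connection fails, the
# build fails here, before the default account has been removed.
- name: Remove the default account and verify the build
  hosts: new_instances
  remote_user: devops
  become: true
  tasks:
    - name: Remove the image's default login account and its home directory
      user: { name: ec2-user, state: absent, remove: true }

    - name: Confirm the default account is gone ('id' exits non-zero when it is)
      command: id ec2-user
      register: default_id
      failed_when: default_id.rc == 0
      changed_when: false

    - name: Read the effective sshd configuration
      command: sshd -T
      register: sshd_effective
      changed_when: false

    - name: Fail the build if a hardening step did not take effect
      assert:
        that:
          - "'passwordauthentication no' in sshd_effective.stdout"
          - "'permitrootlogin no' in sshd_effective.stdout"
        fail_msg: "sshd hardening missing; fix the playbook and rebuild, do not patch by hand"

    - name: Fail the build if the OS still has known pending updates
      command: yum -q check-update
      register: pending
      failed_when: pending.rc != 0      # yum returns 100 when updates are available
      changed_when: false
```

Both plays are idempotent, so re-running the playbook after a change to it is the "rebuild" step, and every check in the second play fails the Jenkins job rather than printing a warning. If the fast-launch property of an image is ever needed, the same playbook can be run inside a scheduled image-build pipeline so that the image is rebuilt on every change, never patched by hand.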

The benefits of this “Infrastructure as Code” approach are many, including:

Security:

  • Ensures that servers are not built with known security issues and that they are verified with up-to-date scans at build time.

Reliability:

  • Because the “Infrastructure as Code” approach focuses on testing both the security and the functionality of the server itself, issues are more likely to be detected early, rather than after the server is put into service.

Flexibility:

  • Many of the same automation instructions verified on one server can be used in the creation of others, ensuring that lessons learned once are applied everywhere. Because the complete set of instructions for creating the server instances is kept in version control, they can be reviewed and audited.
  • A “golden” AMI freezes the configured state of the server (disk layout, installed services, accounts). With the automation approach, settings such as instance type, volume sizes and the service list are configuration variables, so a different capacity or layout is a one-line change rather than a new image.

Cost:

  • Amazon charges for the EBS snapshot storage behind every AMI you keep (and for each regional copy); by using automation those charges are eliminated, and you gain control over the entire process.
  • The time saved by using automation to create instances more than repays the time required to implement the automation. Issues fixed once don’t find their way into other servers, reducing the time needed to stand up new infrastructure.

Treat your infrastructure as code so that you can improve your organization’s ability to stay ahead of attackers.



GDPR: Are you Ready?

October 17, 2017 By Carlin Dornbusch

Are you ready for GDPR? Penalties, that is. The General Data Protection Regulation (GDPR) from the European Union (EU) was adopted in 2016 and applies from 25 May 2018 to ANY company that offers goods or services to, or monitors the behaviour of, people in the EU, wherever that company is based.

GDPR is an EU regulation that has already been enacted. It is intended to clarify and strengthen earlier privacy law, is extremely encompassing, and is global in reach. It requires that personal data be processed lawfully, fairly and for a specified purpose. Companies that use personal data must collect only what they need, keep it accurate and protected, and retain it no longer than necessary. Responsibility focuses on the use, or processing, of the data: the scope runs from the controller of the system down to the potentially multiple processors and sub-processors, making it thorough and inescapable for most businesses.

This law gives individuals in the EU certain rights over the personal data that software systems hold about them. These basic privacy rights are:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to have recipients of the data notified of any rectification, erasure or restriction (Article 19)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

A company found in breach of the most serious requirements (the basic processing principles, the data subject rights above, and international transfers) faces a fine of up to €20 million or 4% of worldwide annual turnover, whichever is greater. Breaches of the controller and processor obligations, such as failing to keep records of processing, to carry out impact assessments, or to appoint a data protection officer where required, carry a lower tier of up to €10 million or 2% of worldwide annual turnover. This puts significant risk on smaller businesses that are not in compliance or are only partially compliant.

There is no doubt that GDPR is the biggest change in privacy law in years. Taking a risk-based approach to your implementation will be important. Your implementation could be large, take years and cost millions, or it could be as simple as documentation, a change of process and some new technology.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and at the EU GDPR portal: http://www.eugdpr.org/

If you are unsure if GDPR applies to you, or wish to investigate with an assessment, please contact us at American Cyber Security Management today.



National Cyber Security Awareness Month Week 2

October 12, 2017 By American Cyber Security Management

October is National Cyber Security Awareness Month and, in keeping with the National Cyber Security Alliance’s theme for week two, “cyber security in the workplace is everyone’s responsibility,” I’d like to share some thoughts from a recent interaction with a small business leader.

Last Friday, my colleague and I met with a startup CEO in Boulder to discuss her cyber risk needs. Like most executives, she had many things on her mind and was very busy; it was obvious from the two backpacks, coffee mug, notebook, and jacket she juggled as she entered the conference room. After we settled in and got into the conversation, her request was simple: how could she cut through all the buzz about security and come up with a plan that is complete and becomes part of her organization’s culture?

While security in the workplace is everyone’s responsibility, executives can delegate the authority to act but not the accountability. Risk reduction starts at the top and executives need to distill an ocean of hype into something reasonably actionable. But where should these leaders look to get a start?

A couple of weeks ago, I mentioned the Center for Internet Security’s (CIS) Guide for Small and Medium Size Enterprises (SMEs) as a good place to begin this journey: https://www.cisecurity.org/white-papers/cis-controls-sme-guide/ In fact, this is the very link I sent to the CEO’s tech person after the meeting. Based on our experience with SMEs and this body of work, our recommendation is that companies of similar size take the following actions:

  • Create a managed list of the devices allowed on your network, and a list of those not allowed. Whitelisting gives you a map of the devices that must be defended; blacklisting is an easy way to quickly identify troublesome agents.
  • Understand the software used by your organization. This is important to a) keep shadow IT from creeping in and b) have a map of the packages that require security patching; patching can be the greatest defense against intrusion. This control is also a prerequisite for control number 4 below.
  • Make sure your hardware and software are configured for security. Remove default admin passwords, set up new accounts, implement role-based access control, enable multi-factor authentication, and understand the security capabilities of each product so you can align its use to the business need.
  • Patch, patch, patch. Implement a system to ensure your hardware and software are updated with the latest vendor patches. Equifax might have prevented a lot of heartache if this one control had been followed.
  • Create policies and a culture of least-privilege access. This is probably the hardest to implement in the fast-paced environment of a small business. It is also the control that gives you the most mileage when the bad guys get hold of a password somehow.
  • Train your team and make risk reduction a cultural tenet. Security awareness is critical, but put it into the context of your business systems to best educate your employees and suppliers.

These processes can be folded into everyday behavior in a small or midsized business if the corner offices are involved in creating and modeling the culture. They also provide a sound foundation for more quickly identifying threats, protecting against them, detecting when they occur, responding, and recovering. CEOs need to recognize that this is the most crucial part of their overall risk profile. It is said that “the fish rots from the head.” However busy our corner offices may be, best practice and a healthy environment of risk abatement start at the head too.

I hope we helped simplify at least one of those items our CEO friend was juggling.



Is the Cloud any Safer?

October 11, 2017 By Carlin Dornbusch

Have you moved to the cloud yet? Why not? The security is great up here.

With all of the cloud surveys out there, it is easy to see how the adoption of cloud computing has risen over the past 10 years. Hybrid cloud seems to be the most common approach for enterprises, and Amazon, Microsoft, and Google are the largest Infrastructure as a Service (IaaS) providers, in that order of market share. We even see Docker being used by over 30% of cloud consumers.

However, not everyone is in the cloud yet, and the resistance is deep-rooted. Beyond the challenges of moving existing workloads off-premise (planning, new architecture design, the move itself and its downtime, explaining the change to your customers, and change management) there is still one very large question: security. “Will I be as secure, or more secure, in the cloud?” The answer is “Yes”, and even more so if you make intelligent decisions about your controls and processes.

The cloud, in general, is mature enough to provide a solid platform of controls for any company. Each IaaS vendor publishes a shared-responsibility model that defines which controls the provider operates and which the enterprise must manage, and those controls are the largest enablers of security. Not only is an enterprise afforded more controls, but the controls are also transparent and auditable: most IaaS providers hold SOC 1, SOC 2 and SOC 3 reports and ISO 27001 certification. The identity and IT services allow for a least-privilege model of implementation, which is critical for new enterprise adoption. There are services for network segmentation, as well as for disaster recovery, DDoS mitigation, and elasticity. Microservices are now commonplace, allowing an even closer relationship between customer consumption of services and the financial models of the enterprise.

Two of the most important features from IaaS providers are the ability to centralize and the ability to automate service management. Centralized management lets us create a homogeneous deployment footprint based on hardened templates, which in turn lets us manage a library of templates that is easier to scale and that ensures a common baseline; centralization also allows for easier growth and lower costs. Automation services are readily available from the top IaaS providers and can span the entire software supply chain, from development through test, staging and production. Automation ensures that templates are deployed correctly, that specific modifications are managed, that rollbacks are deliberate, and that the burden of change management is eased. By coupling automation and centralization we create a very secure foundation that most organizations can leverage for business agility, in a secure fashion.

We all know it is cheaper up here in the cloud, but we also now need to realize it can be safer too.



Copyright © 2021 American Cyber Security Management