American Cyber Security Management

Secure and certify all your data and processes

The world seems abuzz about GDPR

October 30, 2017 By American Cyber Security Management

The world seems to be abuzz about GDPR. If you’re not buzzing, you’re not in the know. People want to know what it is, who has to deal with it, when they have to take action, and where they can turn to for help. Simply put, GDPR is the European Union’s (EU) latest attempt to ensure that it can control data protection for all individuals within the EU. GDPR stands for the General Data Protection Regulation 2016/679; it was adopted by the European Parliament on April 14, 2016, and goes into enforcement on May 25, 2018. It is the most important privacy change in the last 20 years. If you offer goods and services in Europe, or have European employees, partners, or suppliers, you’ll need to comply with some form of GDPR.

So, what does ‘comply’ mean? For the entities (people and companies) from Europe that you deal with, it means you’ll need to be transparent with them about the data you collect, why you collect it, and what you intend to do with it. Also, before you collect their data you’ll need to get their permission to use it (explicit consent). You’ll need to keep it only for as long as you need it and to protect it while you have it. If something happens to the data (it’s lost, stolen, or corrupted) you’ll need to tell the person whose data was affected and the authorities (the Supervisory Authority in Europe). It’s a really good idea to encrypt the data and, if you can, to anonymize it, which means removing the identifiable information. If a European citizen asks you what data you are storing or processing about them, you’ll need to tell them, and if they ask you to delete their data, you’ll need to do that too. There are also some additional record-keeping functions, like data mapping and Data Protection Impact Assessments (DPIAs), which you will need to perform regularly and keep up to date. Plus, there are financial penalties if you don’t ‘comply.’

Not all of this is bad. In fact, it might actually be good news, as companies will need to review their practices and programs in order to determine exactly what data they are collecting and why they are collecting it. These efforts alone will increase their maturity in data handling and system design. As data breaches become more common, it can only be a good thing when the companies we entrust with our information have to follow stricter rules and use these improved processes.

If you would like more information about GDPR, need help understanding the complexity of compliance, or want help realizing the benefits of GDPR or converting your GDPR project into a real privacy strategy, please contact us at American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

Filed Under: Cyber Security News

GDPR: The Culture Challenge!

October 25, 2017 By Carlin Dornbusch

With the General Data Protection Regulation (GDPR) from the European Union (EU) nearing enforcement in May 2018, many enterprises still see it as a project rather than a privacy strategy. Here are some excerpts from conversations I have had with managers about GDPR:

  • “Since Safe Harbor failed we’ll see what happens with GDPR.”
  • “I don’t think it applies to us.” (This was a SaaS-based company.)
  • “We know this is very important, but we have so many other things to do.”
  • “We really need help here; this is a very big deal.”
  • “We have a project manager and myself, we need more help.”

GDPR implementations are still in their early days, and time will tell what the impact of non-compliance will be. However, it is clear that bringing together the regulatory and compliance sides of the enterprise with the mainstream product, marketing, and engineering sides is becoming more urgent. In an Agile culture of rapid delivery, integrated teams, and more intimate customer conversations, enterprises still struggle to fully incorporate their legal and compliance teams into the process. When was the last time you saw a lawyer in a scrum? Have your product owners ever engaged legal in defining a privacy model? It is hard enough to get security requirements into stories; how will enterprises incorporate privacy?

GDPR’s requirements around EU citizen rights will surely make an impact in how global enterprises handle EU citizen data. Many see this as a new default privacy model and embrace the change; others are still determining what it means to their organizations. In either case, GDPR shines a light on the opportunities for enterprises to integrate privacy, governance, and product in order to improve the quality of services we all consume.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and on the EU’s official website: http://www.eugdpr.org/

If you need help realizing the benefits of GDPR or converting your GDPR project into a real privacy strategy, please contact us at American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

Filed Under: Cyber Security News

Secure DevOps: AWS Instance Creation via Automation vs “Golden” AMIs

October 23, 2017 By David Wolf

Why using automation is a better approach and more secure than using “Golden” Amazon Machine Images (AMIs)

A commonly used (“best”) practice is to utilize the AWS Amazon Machine Image (AMI) service to create and store the complete contents of an application server instance running on Amazon’s AWS Infrastructure-as-a-Service (IaaS) cloud. Typically, a DevOps engineer will stand up and configure an instance. When the instance is functioning as desired, the DevOps engineer initiates the creation of what we refer to as a “Golden” AMI. AWS then copies the server into a flat file image (the AMI). This AMI can then be launched by AWS to create a new duplicate server instance, up and running in mere minutes, with all accounts, services, and data ready to go. Any number of these instances may be launched with the click of a button.

The problem with this approach is that the new server is only as secure as the image was the last time it was scanned and/or had updates applied. Once created, the image remains unchanged over time, and the only way to “update” it is to create a new image. Meanwhile, new vulnerabilities continue to be discovered almost daily across the variety of OS programs and tools, as well as the software containers, platforms, and frameworks that make up a modern, fully configured application server.

What might have been a fully secured application server when the image was created may very well be a target for attackers by week’s end. While you can run updates to bring the server back into compliance, you’ve lost the real reason for utilizing the image in the first place: your server is not truly ready to go after launch.

A better practice is to treat the construction of the instances in the same way that software developers have built code over the past twenty plus years, in an iterative manner that includes testing, reporting, and notification, i.e. infrastructure as code. The approach here is to automate the creation and configuration of the server and then test it for both functionalities as well as security.

The DevOps team and/or IT SecOps should subscribe to and monitor the security announcements for the products and tools used by the organization’s application servers, so that the automation can be updated as soon as a fix is available. The scanning tools should be updated on at least a weekly basis to ensure that any new issues can be caught and remediated. Once the source of the automation is updated, every server built from it in the future automatically gets the fix.

Every part of the server’s creation and configuration should be automated, using an orchestration server such as Ansible or Puppet, acting upon instructions stored in a Software Configuration Management tool such as Git and controlled by a tool such as Jenkins that ensures automated tests for functionality and security are executed and reported upon.

The automated creation of a new server would begin with the launch of a base OS AMI. Once the new instance has completed its launch process, we’ll start with an update of the OS-level programs (e.g. `sudo yum update -y`) and install any software required to work more easily with the chosen automation tool (i.e. Ansible/Puppet). Next, apply security hardening scripts to limit the OS-level services provided, and install antivirus and firewall services. The organization’s DevOps automation account should be created and configured with the appropriate public SSH credentials installed, and the default account should be removed. At this point, the server is ready to begin the customization to support whatever tasks it is being provisioned for.

After the application customization has been completed by automation, it is important that automated functional tests and security scans are run and reviewed. Any issues detected should be immediately corrected in the automation source and a new server creation process kicked off. The previous server can be terminated.
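The base-instance build described above, written as an Ansible play (an added example, not code from the original post or from American Cyber Security Management). It assumes a RHEL-family host such as Amazon Linux 2 in an inventory group named `new_instances`, a public key at `files/devops_automation.pub`, and the account and package names shown; all of those are assumptions, and `ec2-user` is assumed to be the base AMI’s default account.

```yaml
---
# Added example (not from the original post); group, key path, account and package names are assumed.
- name: Build a hardened base instance from a stock OS AMI
  hosts: new_instances
  become: true
  vars:
    automation_user: devops-automation   # the organisation's automation account (assumed name)
    default_user: ec2-user               # default account shipped with the base AMI (assumed)
  tasks:
    - name: Apply all pending OS updates (the "sudo yum update -y" step)
      yum:
        name: "*"
        state: latest
    - name: Install host firewall and antivirus (clamav packages come from the EPEL repo)
      yum:
        name: [firewalld, clamav, clamd]
        state: present
    - name: Start the firewall; its default zone only admits SSH and DHCPv6-client traffic
      service:
        name: firewalld
        state: started
        enabled: true
    - name: Gather the service inventory so only services that actually exist are touched
      service_facts:
    - name: Disable services an application server does not need
      service:
        name: "{{ item }}"
        state: stopped
        enabled: false
      loop: [postfix, rpcbind]
      when: (item ~ '.service') in ansible_facts.services
    - name: Create the DevOps automation account with sudo rights via the wheel group
      user:
        name: "{{ automation_user }}"
        groups: wheel
        append: true
    - name: Install the automation account's public key and drop any other key on the account
      authorized_key:
        user: "{{ automation_user }}"
        key: "{{ lookup('file', 'files/devops_automation.pub') }}"
        exclusive: true
    - name: Harden sshd (key-based logins only, no direct root login); validate before writing
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop: [{ key: PasswordAuthentication, value: "no" }, { key: PermitRootLogin, value: "no" }]
      notify: restart sshd
    - name: Remove the default account, unless this play is connected as that account
      user:
        name: "{{ default_user }}"
        state: absent
        remove: true
      when: ansible_user is defined and ansible_user != default_user
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```

Run it once from the base AMI’s default account to install the automation key, then re-run it connected as the automation account so the final task can remove the default account; the play is idempotent, so the second run only changes what the first could not.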

The benefits of this “Infrastructure as Code” approach are many, including:

Security:

  • Ensures that servers are not built with known security issues and are verified with up-to-date scans.

Reliability:

  • Because the “Infrastructure as Code” approach puts a focus on testing for both security and the functionality of the server itself, issues are more likely to be detected earlier, rather than after the server is put into service.

Flexibility:

  • Many of the same automation instructions verified on one server can be used in the creation of others, ensuring that lessons learned once are applied to all. Because the complete set of instructions for creating the server instances is documented in SCM, it can be reviewed and audited.
  • When launching new servers from “golden” AMIs, the specification of the server’s capacity (number of processors and memory) is baked into the AMI. With the automation approach, that selection is simply a configuration variable, making it easy to modify if a different capacity server is needed.

Cost:

  • Amazon charges you for the AMIs stored on your account; by using automation those charges are eliminated, and you gain more control over the entire process.
  • The time saved by using automation to create the instances is worth the time required to implement the automation. Issues fixed once don’t find their way into other servers, reducing the time required to stand up new infrastructure.

Treat your infrastructure as code so that you can improve your organization’s ability to stay ahead of attackers.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. We can ensure your Agile delivery processes are secured and efficient, while maximizing your investments.

Filed Under: Cyber Security News

GDPR: Are you Ready?

October 17, 2017 By Carlin Dornbusch

Are you ready for GDPR? Penalties, that is. The General Data Protection Regulation (GDPR) from the European Union (EU) has been announced and has been required of ANY company that sells to or monitors European citizens since early 2016.

GDPR is an international law that has already been enacted. This law is intended to clarify and strengthen prior privacy laws and is extremely encompassing and global in nature. It enforces that data is used in a lawful, fair and purposeful manner. It requires companies that use personal data to do so in a minimalistic fashion and to ensure the data is accurate, protected, and durable. The responsibility for compliance focuses on the use, or processing, of the data. The scope drives responsibility from the controller of the system down to the potentially multiple processors and sub-processors, making this thorough and inescapable for most businesses.

This law requires that EU citizens be given certain rights when they use software systems. These basic privacy rights are:

  • Right of Access
  • Right of Rectification
  • Right of Erasure
  • Right of Restricted Processing
  • Right of 3rd-Party Notification
  • Right of Data Portability
  • Right to Object

Any company that is found to be in breach of these new requirements will be subject to a €20 Million or 4% of revenue penalty, whichever is greater. Companies that have only started their analysis, or are partway through their implementation, may face a €10 Million or 2% of revenue penalty. This law carries significant risk for smaller businesses that are not in compliance or are only partially compliant.

There is no doubt that GDPR is the biggest change in recent privacy law. Taking a risk-based approach to your implementation will be important. Your implementation could be large, take years and cost millions, or it could be as simple as documentation, change of process and some new technology.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and on the EU’s official website: http://www.eugdpr.org/

If you are unsure if GDPR applies to you, or wish to investigate with an assessment, please contact us at American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialist can help you make sense of and comply with GDPR.

Filed Under: Cyber Security News

National Cyber Security Awareness Month Week 2

October 12, 2017 By American Cyber Security Management

October is National Cyber Security Awareness Month, and in keeping with the National Cyber Security Alliance’s theme for week two, “cyber security in the workplace is everyone’s responsibility,” I’d like to share some thoughts from a recent interaction with a small business leader.

Last Friday, my colleague and I met with a startup CEO in Boulder to discuss her cyber risk needs. Like most executives, she had many things on her mind and was very busy – it was obvious from the two backpacks, coffee mug, notebook, and jacket she juggled as she entered the conference room. After we settled in and got into the conversation, her request was simple: how can she rationalize all the buzz about security and come up with a plan that is complete and becomes a part of her organization’s culture?

While security in the workplace is everyone’s responsibility, executives can delegate the authority to act but not the accountability. Risk reduction starts at the top and executives need to distill an ocean of hype into something reasonably actionable. But where should these leaders look to get a start?

A couple of weeks ago, I mentioned the Center for Internet Security’s (CIS) Guide for Small and Medium Size Enterprises (SMEs) as a good place to begin this journey: https://www.cisecurity.org/white-papers/cis-controls-sme-guide/ . In fact, this is the very link I sent to the CEO’s tech person after the meeting. Based on our experience with SMEs and this body of work, our recommendation was that similarly sized companies take the following actions:

  • Create a managed list of the devices allowed on your network. Also create a list of the devices not allowed on your network. Whitelisting creates a map of the devices that need to be defended on the network. Blacklisting is an easy way to quickly identify troublesome agents.
  • Understand the software used by your organization. This is important to a) prevent shadow IT from creeping in and b) have a map of the packages that require security patching; patching can be the greatest defense against cyber intrusion. Additionally, this control is necessary for the implementation of control number 4 below.
  • Make sure your hardware and software are configured for security. Remove the default admin passwords, set up new accounts, implement role-based authentication, enable multi-factor authentication, understand the security capabilities and align your use to the business needs.
  • Patch, patch, patch. Implement a system to ensure your hardware and software are updated with the latest vendor patches. Equifax might have prevented a lot of heartache if this one control had been followed.
  • Create policies and a culture of least-privileged access. This is probably the hardest to implement in the fast-paced environment of a small business. It’s also the control that will get you the most mileage when the bad guys get ahold of that password somehow.
  • Train your team and make risk reduction a cultural tenet. Security awareness is critical, but be sure to put it into the context of your business systems in order to best educate your employees and suppliers.

These processes can be folded into everyday behavior in a small or midsized business if the corner offices are involved in creating and modeling the culture. They also provide a sound foundation for more quickly identifying threats, protecting against them, detecting when they occur, responding, and recovering. CEOs need to recognize that this is the most crucial part of their overall risk profile. It is said that “a fish rots from the head.” Despite how busy our corner offices may be, best practices and a healthy environment of risk abatement start at the head too.

I hope we helped simplify at least one of those items our CEO friend was juggling.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Security offerings reduce your risk at the Infrastructure, Network, and Application levels.

Filed Under: Cyber Security News

Copyright © 2026 American Cyber Security Management