Are you a risk to your customers?

In the past weeks I have been talking to a number of small software providers. Most software these days is no longer shipped (CD-ROMs are really oldskool, aren’t they?), but is delivered as a service over the internet.

These software providers are starting to realize that this means they are a SaaS provider. This also means that they have to do risk management like a cloud provider.

Among the companies I work with are an email/shopping cart provider and an e-learning provider.

With these companies I started by going through the CSA “Treacherous Twelve” list of top cloud risks. It does not matter much if you are a provider or a consumer, all risks can be relevant to both sides. The consumers have to protect themselves, and the providers have to enable them to do that.

In working with them I came across a number of interesting observations.

One guy stated: “only after reading through the Treacherous Twelve did I gain a more solid understanding of risks”.

Another guy said that he now started to understand how his security was essential to his customer’s security. In fact, being more explicit on what he did on risk management and security could actually be a selling point towards his customers.

He also said that the investors in his company would probably worry about this.

These companies start to realize that their customers are actually outsourcing some IT to them, and that these customers require some governance and risk management support. A simple case of that is that there is often some personal data of the customer’s employees or clients involved. If the provider messes up in managing that sensitive data, the customer gets burned.

At the same time, these software providers are often cloud consumers themselves, as they outsource their hosting and other services to other cloud providers. So the risk analysis cuts both ways.

Does some of this apply to your company? In that case you might want to look at the Treacherous Twelve study yourself. To dive deeper into that or if you need help, you might consider my cloud security training, which can also earn you the Certificate of Cloud Security Knowledge.

How the NSA hacks you, and what cloud can do about it

At the recent Usenix Enigma 2016 conference, NSA TAO chief Rob Joyce explained how his team works. By the way, TAO means Tailored Access Operations, which is a euphemism for hacking. See the full presentation here. Rob explains their methods, but between the lines he implies that other nation states are doing the same, so in a way he is here to help us. For that reason he also explains what makes their work hard.

After Snowden I should not need to explain the extent of what is going on here.

In summary, the NSA’s method of operation is: “reconnaissance, initial exploitation, establish persistence, move laterally, collect and exfiltrate”.

In this article I won’t go into more detail on each of these. But here are a couple of rephrased quotes for illustration.

  • Reconnaissance: “We aim to know your network (i.e. infrastructure) better than you do”
  • Initial exploitation: “Zero day exploits are hardly ever necessary”
  • Lateral moves: “Nothing frustrates us more than being inside, and not able to move”

What is the implication of this for cloud security? Of course, if you replicate your legacy infrastructure into a cloud provider, it is not going to be more secure. So you need to do more.

Cloud to the rescue?

Can the cloud model actually help with security? I think it can, and here are a few examples. They hinge on the cloud essential characteristics of self-service provisioning and rapid elasticity, which enable security automation.

Know your network. A good IaaS provider allows you to fully and automatically take stock of what you have provisioned. A very small proof of concept is on my GitHub project ‘state of cloud’, which just lists all running EC2 instances in your AWS account across all regions. You can then do all kinds of reporting and analysis on your infrastructure, and in particular check for vulnerabilities like rogue machines and open ports.

Code exploits. Why should you use zero day exploits, if organizations are months or even years behind on patching? Why are they behind? Because it is labor intensive. So automate it. Whenever an instance boots up, it should be patched automatically and then tested. All without manual intervention. This requires cloud automation.

Lateral moves. A typical organization has a hard shell and a soft inside, so to speak. Once past the firewall, the attacker is like the fox in the henhouse. To counter this you need hyper-segregation, in particular of security groups and user credentials. You can have a security group per machine, and individual credentials per task. Only cloud automation enables you to do this at scale.
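As an added example (not the ‘state of cloud’ project itself), here is the kind of inventory analysis the “know your network” and “lateral moves” points call for: it flags untagged machines, ports open to the whole internet, and security groups shared by more than one instance. The record shapes are a simplified version of what boto3 returns and the sample data is constructed; `fetch_live()` shows the real boto3 calls and needs credentials and network access.

```python
"""Offline inventory checks in the spirit of the 'state of cloud' idea: the
analysis is pure and runs over constructed records shaped like a simplified
boto3 describe_instances / describe_security_groups output (an assumption).
fetch_live() shows the real boto3 calls and needs credentials and network."""
from collections import Counter

# Constructed sample: three running instances in two regions.
SAMPLE_INSTANCES = [
    {"Region": "eu-west-1", "InstanceId": "i-0aaa", "SecurityGroups": ["sg-web"],
     "Tags": {"Owner": "shop-team", "Name": "web-1"}},
    {"Region": "us-east-1", "InstanceId": "i-0bbb", "SecurityGroups": ["sg-web"],
     "Tags": {}},                                   # untagged: who owns this?
    {"Region": "us-east-1", "InstanceId": "i-0ccc", "SecurityGroups": ["sg-db"],
     "Tags": {"Owner": "shop-team"}},
]
# Constructed sample: group id -> ingress rules as (from_port, to_port, cidrs).
SAMPLE_GROUPS = {
    "sg-web": [(443, 443, ["0.0.0.0/0"]), (22, 22, ["0.0.0.0/0"])],
    "sg-db": [(3306, 3306, ["10.0.0.0/8"])],
}
WORLD = {"0.0.0.0/0", "::/0"}
EXPECTED_PUBLIC = {80, 443}   # single ports we accept world-open


def world_open_ranges(groups):
    """Group id -> port ranges reachable from anywhere, minus expected ones."""
    findings = {}
    for gid, rules in groups.items():
        hits = [(lo, hi) for lo, hi, cidrs in rules
                if WORLD.intersection(cidrs)
                and not (lo == hi and lo in EXPECTED_PUBLIC)]
        if hits:
            findings[gid] = sorted(hits)
    return findings


def inventory_findings(instances, groups, required_tags=("Owner",)):
    """Per instance: missing ownership tags, world-open ports, and security
    groups shared by several instances (the 'security group per machine' rule)."""
    open_ranges = world_open_ranges(groups)
    sg_usage = Counter(sg for i in instances for sg in i["SecurityGroups"])
    report = {}
    for inst in instances:
        issues = []
        missing = [t for t in required_tags if t not in inst["Tags"]]
        if missing:
            issues.append("missing tags: " + ",".join(missing))
        for sg in inst["SecurityGroups"]:
            if sg in open_ranges:
                issues.append(f"{sg} open to world on {open_ranges[sg]}")
            if sg_usage[sg] > 1:
                issues.append(f"{sg} shared by {sg_usage[sg]} instances")
        if issues:
            report[f"{inst['Region']}/{inst['InstanceId']}"] = issues
    return report


def fetch_live():
    """Same records from a real account, all regions (not run offline)."""
    import boto3  # lazy import: the analysis above runs without boto3
    instances, groups = [], {}
    regions = boto3.client("ec2", region_name="us-east-1").describe_regions()
    for region in (r["RegionName"] for r in regions["Regions"]):
        ec2 = boto3.client("ec2", region_name=region)
        running = [{"Name": "instance-state-name", "Values": ["running"]}]
        for res in ec2.describe_instances(Filters=running)["Reservations"]:
            for i in res["Instances"]:
                instances.append({
                    "Region": region, "InstanceId": i["InstanceId"],
                    "SecurityGroups": [g["GroupId"] for g in i["SecurityGroups"]],
                    "Tags": {t["Key"]: t["Value"] for t in i.get("Tags", [])}})
        for g in ec2.describe_security_groups()["SecurityGroups"]:
            groups[g["GroupId"]] = [
                (p.get("FromPort", 0), p.get("ToPort", 65535),
                 [r["CidrIp"] for r in p.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])])
                for p in g["IpPermissions"]]
    return instances, groups
```

Against a real account, `inventory_findings(*fetch_live())` gives the same report over everything that is actually running.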


Hacking is an arms race. Automate and scale up your response or lose. Cloud computing might help.
Want to know more about cloud security? See the course calendar

Just did the CCSP exam

(update: I passed! Click here for in-company CCSP training)

Yesterday I took the CCSP exam. Certified Cloud Security Professional is the new certification launched by ISC2, and is supposed to be complementary to CCSK. I must have been one of the first, as it only opened last Tuesday. I think I did pretty well, but my results won’t be available for the next couple of weeks. This appears to be the normal situation with a new exam.

My overall impression is that the exam covers the field of cloud computing and cloud security pretty broadly with significant detail, though little attention is given to cloud applications such as Big Data and DevOps. The questions are clear, by and large, and mostly relevant to cloud computing. I have seen other so-called cloud exams that are more like classical technical IT security exams.

I know how hard it is to make good questions, as I do that for the CCSK trainings I deliver, and this set of questions is pretty decent. Of course, there are some questions that have weird language, and I filed an incident report against them.

At 125 questions this is a significant exam. I took more than an hour to answer them all, and spent the rest of two hours reviewing my answers. You are allowed 4 hours in total.

I still think CCSK is a good basis for working your way to CCSP, as CCSP is more extensive in coverage. It is also a more formal exam that you have to take in a controlled testing center. In contrast, CCSK is an open-book on-line exam. This does not make it easier though, as is witnessed by the fact that it is failed regularly by students.

CCSP has 6 domains that cover cloud computing and its risks. Unsurprisingly, the first domain is about cloud architectural concepts and their impact on risk. Second is about data security, arguably the pivotal dimension in cloud computing. The third domain elaborates on the cloud infrastructure stack, which covers business continuity as well. The fourth domain covers application security and identity management, while the fifth domain is about operations in a cloud world. Finally, the last domain is about legal and compliance.

CCSP is designed to be a 5 day course, but I currently think that it is very dependent on the background of the attendees. I am not sure if this format is a good way to study for CCSP. In any case there is also a lot of reading to be done.

Post Scriptum. I now also deliver CCSP courses that train you for the exam. Here is what one of my clients wrote:

Tony Richards, CTO, Securestorm, London UK:

“The training was well paced and covered all the topics. Peter is a knowledgeable and interesting trainer who used his extensive experience with excellent effect. He guided us into very productive group discussions so that we could link what we learned to our work experiences.

As a result our entire team has been able to pass the CCSP exam.”

Sign up here for a one page overview of the differences between CCSK and CCSP.


Encrypting your cloud data for extra protection

Encrypting data is one of the best ways of protecting your data as it moves to the cloud. The only thing better than encrypting your data, is not storing your data at all.

Let’s first look at the case of using file sharing applications such as Dropbox. If you are the only user of the files you store there, you can encrypt these files, or entire folders, with tools such as 7-zip or TrueCrypt before you move them to the cloud service.

However, it is likely that you want to share the files with somebody else. That means that these people should have the same encryption software and have access to the keys. So you have to figure out how to share the keys safely and protect them as you store them.

The hard thing about using encryption is therefore not so much the technology (although ‘under the hood’ encryption is really complicated); the hard thing is to understand what it protects against, and what new risks encryption itself brings. Then you can start deciding where you encrypt, where you store your encrypted data, and how you are going to store and manage the encryption keys.

Let’s have a look at each of these.

In the file sharing example, you encrypt to protect your data as it is ‘at rest’ at the cloud provider. You may trust the cloud provider, but you may want to prevent a search warrant forcing the provider to surrender your data. The encrypted data is stored at your own laptop or computer and at the file sharing service provider. The keys could be memorized or written down. Losing those keys is a new risk, by the way.

For a different example, let’s have a look at an enterprise customer relationship management system such as Salesforce. The data at rest includes a lot of customer data, which might bring in privacy concerns.

So in order to protect that, you might want to prevent that data from going to the cloud unencrypted. There are a number of solutions in the market for that. One solution involves a separate cloud provider who filters all your CRM traffic and replaces customer data with encrypted customer data. When you then access that data, it will be decrypted by the same encryption provider. You still need to put some trust in the encryption provider, but they will no longer store your unencrypted data, so the risk of any loss of data at rest there is pretty small.

Now if you are a software developer, you might be using Infrastructure as a Service. That means your software runs on a virtual machine at a cloud provider. What kind of risks do you have there that encryption might be able to reduce?

To start with, your virtual machine has a virtual disk on which your data is stored. Of course, there is the risk that the staff of your cloud provider could access that. More realistically, that disk could be cloned by an insider and taken away for further inspection.

That risk can be addressed by encrypting the hard disk in the operating system, very much in the same way as you can encrypt the hard disk of your laptop. In most operating systems this is fairly easy. The biggest remaining issue is how to get the encryption key to the virtual machine as it boots up. That can be done, but it’s a little outside the scope of this article.

So far we have looked at data at rest. We should also look at data in motion. That’s a bit easier. An example of protecting data in motion is through using HTTPS for web traffic. Other cases of data in motion are file transfers such as with FTP and terminal traffic using Telnet. These are really old protocols that don’t encrypt anything, not even passwords. It is best to get rid of these as soon as possible and start using SFTP and SSH. You guessed it, the letter “S” in these protocol names stands for “Secure”.

Finally, we need to put things into perspective a bit.

Did you know that most data breaches last year were the result of hackers breaking into user computers and point-of-sale devices (as in the case of Target Supermarkets), and not of hackers breaking into cloud providers?

All encryption in the cloud leaves the users’ computers unprotected. Did you know that 1 in 20 laptops go missing in their lifetime? And still most people don’t encrypt their hard disks!

So please look at the lock on your backdoor before you start putting an extra lock on your front door.

Note: this article appeared first on CloudTweaks.

Simple SaaS security tips

Most people and companies are now using a significant amount of SaaS solutions. Companies are running sales support software, file sharing, collaboration, e-mail and a lot more in the cloud.

But that usage also leads to concerns about the security of those solutions. How safe are they? What risks do we run?

Here are a couple of tips to increase the security of those applications.

The biggest risks to handle in using SaaS are leaking data and losing control. And the top way to control these risks is simple: watch your passwords, and know how to survive a cloud provider exit.

If you look at famous data breaches in the past year, such as the iCloud celebrity hack, you will find out that most of them have to do with weak passwords and password reminders.

Improving the protection that passwords offer is often fairly easy. Security experts recommend using so-called two-factor authentication. This basically means that you use more than one way to prove your identity. Examples include security tokens or dongles, and fingerprint scanners.

This used to be inconvenient for the user, but in the past years a number of usable scenarios have been developed. It does not have to be a daily hassle, and you don’t have to fear being locked out.

For example, you can configure your Dropbox account to ask you for an SMS confirmation when you use it on a computer you have not used before. Check it out, they have really thought this out well, and there is absolutely no excuse to not use this. You will find it under Account -> Settings -> Security.

Gmail too allows you to set up security like this, and once you have done this it will alert you of suspicious activity. Like with Dropbox, the easiest thing is to use your mobile phone, but they also support additional tools. No need to be scared if you lose your phone.

Other services that you use might have some of these features as well. Go explore.
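The authenticator-app flavour of the second factor described above is a time-based one-time password (RFC 6238). This added example (not code from any of the services mentioned) generates the codes and, on the service side, verifies them with one step of clock tolerance while refusing a code that was already accepted. The secret is the RFC 6238 test vector; the verifier’s replay bookkeeping is an assumption about how a service would implement it.

```python
"""Time-based one-time passwords (RFC 6238), the mechanism behind
authenticator apps. Generator plus a server-side verifier that tolerates
one step of clock skew but refuses a code that has already been used.
The secret below is the RFC 6238 test vector; the verifier's replay
bookkeeping is an assumption about how a service would implement it."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per time step
DIGITS = 8    # the RFC test vectors use 8 digits; most apps show 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS) -> str:
    """TOTP = HOTP over the number of 30 s steps since the Unix epoch."""
    return hotp(secret, at // STEP, digits)


def secret_from_base32(text: str) -> bytes:
    """Enrolment QR codes carry the shared secret base32-encoded, often
    lower case and without padding; normalise before decoding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server side: accept the current step and `window` steps either side,
    but never a step at or below the last one consumed (replay defence)."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = DIGITS):
        self.secret, self.window, self.digits = secret, window, digits
        self.last_step = -1

    def verify(self, code: str, at: int) -> bool:
        step = at // STEP
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue  # that step's code was already accepted once
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 6238 SHA-1 test secret
    print("current 6-digit code:", totp(key, int(time.time()), 6))
```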

If you are the administrator of a cloud service this is even more important because you will be the prime target of any hacker.

As a cloud service administrator there are a few other basic things to do too. If feasible you should first create a secondary administrator account to do day-to-day work with. If that account gets compromised, you will have the first account to fall back onto.

Another basic cloud service administrator task is to apply hygiene on your user list. Regularly review if the users are still active in your company or project, and that they don’t have more rights than they need to have. (In larger organizations this is better done by ‘identity federation’, so you don’t have to do this on a service by service basis.) You don’t really want former employees or contractors to still have access.
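The user-list hygiene and fallback-admin points above, as an added example (not from any particular SaaS product): a review of a user export against an HR roster that flags people who have left, rights beyond what the job needs, dormant accounts, and whether a second, working admin account exists. The export format, column names and all sample data are constructed.

```python
"""Access review over a SaaS user export against an HR roster: departed
people who still have access, more rights than needed, stale accounts and
whether the secondary-admin fallback actually exists. The CSV and roster
below are constructed and the column names are an assumption."""
import csv
import io
from datetime import datetime

# Constructed SaaS user export, as an administrator might download it.
USER_EXPORT = """email,role,last_login
alice@example.com,admin,2016-02-20
bob@example.com,admin,2015-06-01
carol@example.com,editor,2016-02-25
dave@example.com,editor,2015-01-10
eve-contractor@example.com,viewer,2016-02-27
"""
# Constructed HR roster of currently engaged staff and contractors.
ACTIVE_PEOPLE = {"alice@example.com", "bob@example.com", "carol@example.com",
                 "eve-contractor@example.com"}
# Constructed least-privilege expectation from job role (only where known).
EXPECTED_ROLE = {"carol@example.com": "viewer"}
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}


def parse_export(text):
    """Rows of the export with last_login parsed into a date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_login"] = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
    return rows


def review(users, roster, expected_role, today, stale_days=90):
    """{email: [issues]} per user, plus account-wide findings under '_account'."""
    findings = {}
    for u in users:
        issues = []
        if u["email"] not in roster:
            issues.append("not on HR roster: remove access")
        want = expected_role.get(u["email"])
        if want and ROLE_RANK[u["role"]] > ROLE_RANK[want]:
            issues.append(f"has {u['role']}, needs only {want}")
        idle = (today - u["last_login"]).days
        if idle > stale_days:
            issues.append(f"no login for {idle} days")
        if issues:
            findings[u["email"]] = issues
    # The fallback only helps if a second admin exists, still works here,
    # and has logged in recently enough that the account is known to work.
    admins = [u for u in users if u["role"] == "admin" and u["email"] in roster]
    account = []
    if len(admins) < 2:
        account.append("fewer than two admins: no fallback account")
    for a in admins:
        if (today - a["last_login"]).days > stale_days:
            account.append(f"admin {a['email']} dormant: test the fallback login")
    if account:
        findings["_account"] = account
    return findings


def run_sample(today_iso="2016-03-01"):
    """Run the review on the constructed data as of the given date."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    return review(parse_export(USER_EXPORT), ACTIVE_PEOPLE, EXPECTED_ROLE, today)


if __name__ == "__main__":
    for who, issues in run_sample().items():
        print(who, "->", "; ".join(issues))
```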

I ran into a simple example the other day on a Google Docs document. It was not mine, but I could totally edit it. They may have wanted to give me some access, but it would be better to give me “Comment” or “Review” access.

Losing the provider or the data that is stored at the service is the other big risk. And preparing for losing all your data can also protect you against losing some of your data.

There are so many reasons why a provider may stop servicing you. They could have a hiccup, they could suffer from a disaster, they could go out of business, or they could go in a direction that you don’t like. In all cases it makes sense to have an ‘exit plan’ or ‘plan B’: a plan to move to a different provider.

If you don’t have an exit plan, you are basically saying that you accept the risk of losing the data that is at that provider and the capability to use that data. This could be a valid decision. I am not that interested in my Doodle archive, for example, so making a backup of that is not a big concern.

At its most basic, an exit plan describes how your most valuable data is stored in a secondary place. For example, my Gmail mail archive is also on my laptop as it is automatically downloaded by my mail program. Moving to a new mail provider, should I want to get away from Gmail, is not something I have spent much time thinking about, but with the mail and contacts safely stored elsewhere I am confident that a new provider will help me do that migration.

For my customer management system I make regular copies of the entire customer database and contact details. Again, moving to a different provider will be a hassle, but not impossible.

If your business really depends on it, you may want to have a cloud system on ‘hot standby’. However, most of the time this is not very easy with SaaS, because no two SaaS providers are alike. You are better off first thinking about which data to save to a secure location. If and when you want to move, your functional requirements will have changed anyway, and there are likely to be new SaaS providers as well.

For a deeper dive into cloud security issues and controls, have a look at the research that the Cloud Security Alliance is doing.

New cloud security certification CCSP to complement CCSK

Cloud security certification is getting a new dimension.

In 2015 the Cloud Security Alliance and (ISC)2 announced a new cloud security certification: Certified Cloud Security Professional or CCSP for short.

Read the official announcement here and here.

CCSP is supposed to be a more extensive certification than CCSK with a more formal exam and a requirement for 5 years in IT; at least three of which must have been spent in security, and at least one year in cloud computing.

While (ISC)2 (who also run CISSP, arguably the most relevant IT security certification) coming to the game underlines the relevance and maturity of cloud security, there will be some questions left for people who either have or are pursuing CCSK certification.

The important question is: what is the relevance now of CCSK?

Rest assured that this has my interest as well, as CCSK training is a significant part of my business. That is why I contacted Jim Reavis directly, whom I have met a number of times personally. His answers are reflected in the FAQ that you can find on the (ISC)2 website on CCSP.

Here is a quote from that FAQ:

“The typical cloud security professional will likely achieve the CCSK first, and then the CCSP credential. Attainment of the CCSK also can be substituted for the one year of cloud security experience”

Other text in that FAQ document suggests that CCSK can be seen as somewhat of a broad base, on top of which CCSP is built as a deeper and more focused certification.

So if you are currently thinking of getting CCSK, should this be a moment to reconsider? It does make sense to evaluate your options. If you spend time on a certification, you might as well spend it wisely.

Getting to CCSP is a path with a lot of unknowns at this time. So here is one thing to consider: participants in my CCSK training report that it helps them in their day jobs now, even more so if they take it as a team. CCSP will take a few months to iron out. Try to book CCSP training now, and you will see what I mean.

On the other hand, if you are already very knowledgeable and experienced in cloud and cloud security, CCSK may not add much to your current business value other than public recognition.

In any case, should you want to know more about the value of CCSK, I suggest you judge for yourself. One approach is to join my free course: “Understand the CCSK cloud security certification”.

Finally, if you want to know more about my training options, visit, and register at the sidebar for updates.

Cloud computing can make you more secure

The number one concern cited for avoiding cloud computing is security. And there is a reason for that. Cloud providers have demonstrated some spectacular failures in the past, including Amazon’s near total shutdown of an entire region, Dropbox’s authentication snafu, and innumerable cloud providers that go belly-up.

However, in the long run, cloud computing is destined to become more secure than in-house IT. I will briefly describe two dynamics in the industry that point in that direction, with substantiating evidence.

First, good cloud providers are getting better, as they have more staff available to do security, and bigger economies of scale, allowing them to sustain more security processes. Here is a case in point. Security people are, by nature, pretty paranoid. However, some are more paranoid than others. At a cloud security training I recently conducted, one of the attendees had created an Amazon Web Services account solely for the training. He terminated the entire account on the last afternoon. Just before the training was over, he showed me a message on his smartphone. Within an hour after he terminated the account, his LinkedIn profile was visited by somebody from the Amazon compliance department. Apparently his behavior was suspect. Either that, or they played a game on who can be the most paranoid.

Take a look at my Cloud Security training and get certified by the leading industry coalition and make cloud computing more secure!

As another example, does your IT department track rogue resource usage and credential leakage on a systematic basis? Some cloud providers do this for you, as this story of API credential leakage demonstrates.

Second, while the previous examples show that cloud providers can become better than the average IT department across the board, in specific areas specialized services are already way ahead of the competence and resources of the average IT department. This is nowadays called ‘Security as a Service’, or SecaaS (another example of an acronymic cloud onomatopoeia), but the trend has roots that go back quite a while. Basically the idea is that a lot of security functionality is done in a better way by taking advantage of cloud computing essential characteristics such as elastic scalability and resource pooling.

Examples of SecaaS that you may be familiar with or are actually using are: Email spam and malware filtering, blacklist and other reputation services, DDoS mitigation and monitoring (i.e. performance). We are also seeing companies using cloud services as a component of a disaster recovery strategy. Innovation in this field is strong.

So, in conclusion, the market is nearing a ‘tipping point’ where the cloud may actually be more secure than on-premise IT.

For more information, visit CCSK Cloud Security Training.

How does secure software development in the cloud work?

The typical software development model of develop, deploy and run (with security often as an afterthought) does not work very well in a cloud environment.

The two biggest reasons are feature velocity and operational assurance. In a cloud provider environment, functional features come (and sometimes go) on a daily basis. At the same time, both the code and the sizing of the machinery have to adapt to rapidly changing usage patterns. This leads to automating more of the deployment process. That deployment then becomes code that somebody has to write.

Hence the integration of Dev and Ops: DevOps.

Interestingly, security can be integrated as well. Security also requires feature velocity, though in this case it often is a negative feature: stopping some kind of exploit. And the most thorough security comes from automating security controls, for example by baking them automatically into the virtual machines that run the new code at deployment time.

For a little more discussion I would like to refer to a blog post by my friends at Securosis. These guys have an awesome IT security blog, lots of solid research, and they are very knowledgeable on cloud computing as well. In fact, they wrote the CCSK training that I am delivering. In the blog post you see a mention of one of their CCSK sessions. It all feels a lot like my sessions.

So here is the link to DevOps, Cloud, and the Death of Traditional IT.

Why cloud computing is the third big disruptive innovation in my entire IT career

or: what would General Eisenhower say about PRISM.

Last week, I was asked to present at Campus Party Europe, a big event focused mainly on young digital entrepreneurs and start-ups.

For this audience, it felt appropriate to present an overview of IT, so young entrepreneurs can use those lessons to find the next disruptive innovation. But there is also a moral choice involved in dealing with huge quantities of personal information.

Here is my presentation on Youtube.

I must say, the audio and video are not spectacularly good. This is partly my fault as I was stepping out of the light repeatedly.

In addition, the speech was not very well rehearsed. Nevertheless, the topics go to my heart, and I got a lot of good feedback on it.

I wonder what your big take-away from this presentation is. What will you do differently now? Please use the discussion area below to contribute.

CCSK training in Kuala Lumpur – trip report

Last week I delivered a two-day CCSK (Certificate of Cloud Security Knowledge) training in Kuala Lumpur. The typical structure of this training, as suggested by the Cloud Security Alliance, calls for a day of lecture followed by a day of practical exercises. However, I mixed lecture with case study and exercise, because I have experienced that this works much better. If the examples have been worked through by the individuals, it becomes easy to refer back to them in the lectures.

It was good to be back in KL (the last time I taught Cloud Essentials and Virtualization Essentials). I really like the Asian atmosphere, the multicultural vibe of Malaysians, Chinese, Indian and even some European people. All of these were represented in my course too. It was great working with them, even though we sometimes have to get used to each other’s accents.

Cloud security as a topic is pretty new, but interest is already growing rapidly. I am happy with my KL partners and hope to be back in November for more cloud courses. To have a look at my courses and the course calendar visit my list of cloud courses.