Roger Halbheer on Security » People

Cloud Security in Office365

Roger Halbheer — Fri, 15 Jul 2011 08:12:29 +0000

You heard about the launch of Office365 recently and I hope you read the blog post on the application of the Cloud Computing Security Considerations to the private. cloud. If not, here it is: Security Considerations in a Private Cloud

To complete the series now, we released an additional paper on how these considerations can be applied to Office 365. It is not about the security features of Office 365. It is about how a the responsibilities between the customer and us can and shall be split. This is a really interesting paper in my opinion: Addressing Cloud Computing Security Considerations with Microsoft Office 365.

Additionally, we took a deeper look at the Cloud Security Alliance’ Cloud Control Matrix (CCM) at provided an answer for each question/control raised in this document: Standard Response to Request for Information – Security and Privacy.

These are all steps to provide you with the necessary transparency to get into the public cloud and on Office 365!

Roger

Security Considerations in a Private Cloud

Roger Halbheer — Fri, 24 Jun 2011 14:31:38 +0000

I am talking a lot about Cloud Security. There are a few observations I made:

Even though a lot of people are talking about the Cloud, there is still not too much knowledge about it. What is a private Cloud versus a public Cloud? What is Infrastructure as a Service, Platform as a Service, Application as a Service? And where are the key differences when it comes to risks?
A lot of businesses look at it as an all or nothing. This is simply a massive mistake. There are workloads (like your identity management) you will wait a really long time until you move it to the Cloud and keep on premise. There are others, you might want to move immediately to the public Cloud and some of it will stay in a private Cloud.
There is a lot of fear out there and not a lot of frameworks, which can help with to bring the whole discussion to rational level. Actually, there is a lot of material out there but not a lot, which is simple to read and consume.

That’s the reason, why Doug Cavit and me wrote the Cloud Computing Security Considerations about an year ago. We came up with 5 points to be considered, when looking at the Cloud from a security perspective:

Compliance and Risk Management: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.

Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organisation and country borders.

Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.

Endpoint Integrity: As cloud-based services originate–and are then consumed–on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.

Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.

These five considerations are very well received and seem to work well for the customers to address part of the points above. The number 1 question I got, however, was: How can apply this to the different scenarios?

Therefore I am happy to announce, that we just released a paper to the web called: Addressing Cloud Computing Security Considerations with a Partner Private Cloud.

We show you how to split responsibilities between the partner and the customer and what the considerations mean for both sides – as always, your feedback is more than welcome!

Finally, stay tuned: In a few days, we will do the same with the public Cloud. This time, however focused on Office365. As soon as we go live with Office365, we will publish it.

Roger

Ten Immutable Laws Of Security (Version 2.0)

Roger Halbheer — Thu, 16 Jun 2011 08:56:14 +0000

You might have known the 10 Immutable Laws Of Security since quite a while. It is kind of the “collected non-technical wisdom” of what we see in security respeonse being it in Microsoft Security Response Center or in our Security Product Support.

There is now a version 2, which is still as important as version 1 was. The 10 Laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn’t practically achievable, online or offline.
Law #10: Technology is not a panacea.

Just make sure that you keep them in mind – there is no “patch” for them . The whole set of explanations can be found here: Ten Immutable Laws Of Security (Version 2.0)

Roger

Internet Personalization–and How I Never Looked at It…

Roger Halbheer — Wed, 15 Jun 2011 14:09:39 +0000

This is actually a great speech but very, very, very scary:

and the scariest part is that I never looked at it that way but he is right

Roger

NSA – Best Practices for Keeping Your Home Network Secure

Roger Halbheer — Mon, 09 May 2011 17:06:15 +0000

A good paper: NSA – Best Practices for Keeping Your Home Network Secure

Roger

Chris de Burgh: People of the World Stand Up for Freedom

Roger Halbheer — Tue, 05 Apr 2011 07:59:28 +0000

This is one of the rare more private posts on this blog and this time has nothing to do with security at all.

Since ages one singer was always part of my wife’s and my live: Chris de Burgh. And even if it is uncool in our kid’s world, they love him and his songs – and it is a very good way for learning English as a side effect.

Yesterday he was live in Zürich. As always it was a mixture of old songs like the Spaceman or Spanish Train and new ones from his latest album called Moonfleet. As most often, he uses a few of his songs to make you think about the consequences of war – normally focused on World War II.

This time however, one of the probably most impressive songs was “People of the World Stand Up for Freedom”. He introduces this song this way:

On June 20th 2009, during a demonstration in Tehran against what many felt was a fraudulent election result, a young woman called Neda Agha-Soltan was targeted and shot to death by a sniper. An innocent bystander, and some distance away from the protest, her dying moments were filmed and seen by millions around the world.
In Persian, her name means "voice", "calling" and "divine message", and she has become a powerful and iconic symbol for those who struggle against brutality and repression, seeking only freedom and truth. Neda, this song is for you.

And it is just impressive to see thousands of people standing up in such a concert immediately after the first time he sings this…

On YouTube you find a video of his concert in Georgia:

People of the World Stand Up for Freedom – something easy to say from where I live but important to do from what I learned over time

Roger

Mutual Authentication in Real Life–Launching a Nuclear Missile…

Roger Halbheer — Wed, 30 Mar 2011 16:25:33 +0000

A few years ago, I wanted to run an exercise with our incident response team in Switzerland. A customer, the government and me came together to develop the goals and the scenario. One of the key question we tried to answer together with the university, which we wanted to use as observers was, whether we would be able to ramp up the communication channels and keep them up even if bad things happen (like the building has to be evacuated). By ramping up the channels, I was not necessarily interested in the technical side but in the people side. Especially as the key leaders of the incident teams were the ones running the exercise. So, you had the people who knew each other for years sitting there and just listening in.

If you think about it: Even if you know that you are on call for an incident response team, if you get a call from national intelligence telling you that something bad happens, how can you know that they are genuine? Just because they know the incident number? An interesting question we realized that we did not address it if the key people were not present. Now this is for a security-related IT incident.

Reading this article An Unsung Hero of the Nuclear Age scared me as it seems that this problem was not even solved launching nuclear missile. It asks a fundamental question:

How can any missile crewman know that an order to twist his launch key in its slot and send a thermonuclear missile rocketing out of its silo—a nuke capable of killing millions of civilians—is lawful, legitimate, and comes from a sane president?

So, even though the article is fairly long it is worth reading

Roger

Aligning Security with the Business

Roger Halbheer — Tue, 01 Mar 2011 16:25:53 +0000

Do you know the feeling? You should share a large file with somebody outside your organization. The file is too big to be sent by e-mail. What can you do? Well, you might have a service by internal IT (we have one) which is not really user-friendly, hard to use and – as you do not need to too often – you are never able to remember, where this single e-mail is which describes how to use the service. Right?

Well, this is partly because of the mailbox sizes and DOS on mails, attachments are limited. But why do we not have an easy way to share public information (e.g. the presentation deck I need next week)? Guess, what happens:

Survey: 85% of Employees Under 25 Use Personal E-Mail Accounts for Work

A surprise? Really? Not for me…

The main reason these workers turn to personal email seems to be the attachment size limits of their official work email accounts. As we’ve reported, Palo Alto Networks found that Web-based file sharing such as Megaupload is also very popular in the workplace.

Do you like your files on public file sharing sites? Even public files? I do not.

…or…

…I also noticed that many employees used personal accounts for work because they didn’t have offsite access to their company email

Well, there is OWA or DirectAccess – no need for the clumsy and not-user-friendly VPN anymore…

And we feel so good with our policy not to allow these things… We block certain websites, without giving the user an ability to solve the business problem. The user circumvents security and the security people sleep very well as they have such a stringent policy.

This is definitely a wrong perception of security.

Roger

The New World of Work

Roger Halbheer — Fri, 28 Jan 2011 21:08:09 +0000

The world got small, didn’t it? This afternoon I decided to leave home early and go to the mountains. However, I had some conference calls tonight, where we usually use Lync (successor of Communicator).
So, as I do not have a fixed line there, I dialed in with my 3G card, which gave me enough bandwidth for audio and even desktop sharing – we did not try video though .
When I say that consumerization of IT and anywhere access is a reality and has to be taken into consideration when planning your risk management, this is the cool reality.
And finally, I am writing this post on my Windows Phone 7
I love technology
Roger
Posted from WordPress for Windows Phone

Is the online world more dangerous?

Roger Halbheer — Tue, 05 Oct 2010 06:34:27 +0000

I often hear statements that the risk of losing your identity or being a victim of fraud is much higher online than offline. From my point of view it is more about the feelings of the consumer: In the real world, we know the risks – at least we learned them over the ages from our parents and we learned to live with them. For the average consumer, the Internet is probably 10-15 years all and there is no common sense yet. There is no “we learned to live with the risks” – yet.

We published a paper called Myth vs. Fact: Online and the Real World (this link point to the more secure version in XPS but if you want pdf, here you go ), which I think is worth looking at. If you want to leverage it, feel free.

Roger