• The Budapest Convention is probably the best convention out there allowing a wide adoption of a harmonized legislation to fight Cybercrime internationally.
• A lot of countries outside the Council adopted or are in the process adopting the convention
• It balances the fight against criminals with the protection of Privacy and Human Rights.
• The willingness and the activities to collaborate internationally increase
• The idea of the Cybersecurity Agenda as a mechanism to land and integrate Cybercrime and Cyberscurity resonated extremely well

A lot of good signs. There are some caveats however:

• There are countries rejecting adoption mainly because Council of Europe does not have a global mandate or because it is called Budapest Convention. I guess the criminals like this approach
• The economical challenges esp. in Europe decreases the amount of money available for this. The call then was, that the private sector has to do more. We are committed continuing supporting these activities but typically if governments are financially challenged- well they are our customers as well
• Where is the private sector? I just meet a few companies at these events: Some security vendors, some credit cad companies and us. Where are the others? Where is Google? Where is Apple? What about IBM? Amazon? The big Telcos? Why do they not participate in addressing crime and helping governments to get better and carry the burden? Do they not care?

Roger

This discussion is over since a long time and most people probably accepted the fact that the world changed – the cheese moved. BYOD, Consumerization of IT or however you want to call it at the end of the day is a reality. They might have different forms: In our case at Microsoft it might be officially a pre-stage as internally we get the hardware but we can set it up the way we want as long as we are following the policies. But even this is not the complete truth as there are a lot of people buying their own hardware and using it to work. I am currently not only running my notebook with Windows 7, I am using Windows 8 Developer Preview on a slate as well – and as I want to understand how we can make it happen – I did not join it to the domain as I want to run the Consumerization of IT scenario. This immediately raises questions on security.

We most probably need mail (Outlook in my case), Lync and some documents on a slate. So, I need to have Outlook installed and connected to Exchange (including RMS-protected mail), Lync as well as OneNote and some documents I want to have with me while I am travelling. What does this mean for IT? What about me connecting to the corporate network? Let’s look at some of the scenarios and functionalities. I know that there are answers to some of the problems but lets look at the questions first:

• Authentication: As it is not a device IT controls, how is the user authenticated? So we might want to require a PIN or a password to unlock the device. This makes sense anyway but there needs to be more than a “only” a paper policy. For those of you who have seen the build presentations on Windows 8 might have seen a new way to authenticate: A user can have a picture and store three gestures to unlock. A great way to authenticate to a slate but does the policy allow for that? Even if it is not a domain authentication, it is the authentication to the holy grail – the mail.
• Lost devices: Typically these devices are cool – that’s the reason why our users buy them – no? So, the risk of them getting stolen – or lost as they are small – is fairly high. How is the data and how are the credentials on the PC protected? So, we talk of disk encryption first, remote wipe second.
• Disk Encryption: There are devices like Windows Phone 7, which have a very sound security model and a very good device security but unfortunately no encryption, yet. There are others with “encryption” built in, which is broken in minutes as the device can be jail broken easily. What is the policy there? On the slate there will be a need for disk encryption as well. Which user will use something like this without being told? Yes, I know. You will but you are definitely not a representative sample as security people. On Windows we can switch Bitlocker on and will have at least the ability to securely protect the disk.
• Wipe: I would want my device to be wiped after a few unsuccessful authentication attempt or – if I lose it – I want to be able to remote-wipe the business data if I am IT.
• Network Access: Now the device comes on our network. What happens if the devices does not have any anti-malware protection? It might spread all the dirt on your network. Not something we typically enjoy. There are solutions to that – since a long time we talk about Server and Domain Isolation Using IPsec and Group Policy which at least separated the trusted and the untrusted devices. But we basically want the devices on the network and have them accessing the data – if they follow certain policies. Therefore we need a way to do policy enforcement and health checks with the ability to quarantine.
• VPN Access: This might be easier as we can enforce the policies as mentioned above much easier as the machines come through a well-defined channel where we can check them but are we allowed to? Think about privacy implications as well.
• Mail: Finally talking of mail. Access to e-mail is probably one of the crucial areas to enable and manage as a lot of confidential information is buried somewhere in mail. Additionally, to access mail, the keys will be needed if the mail is encrypted. Thus a lot of critical information is on such a device.
• Data: As a user I want my data (or at least key part of my data) synced between my devices. In my case between the business notebook and my slate. This should be done in a secure and safe way. Do we as IT want to allow the use of technologies like Live Mesh, which can either do a peer-to-peer synchronization or a peer-to-peer-to-Skydrive sync. In other words, a copy of the data can be hosted in the public cloud secured with a LiveID password.

So, a lot of different problems/questions. However, they are only partly new as I have seen a lot of people taking data home to their own private PC – the one the kids are gaming on – to do their work. Taking home means USB or even sending the data to the private mail account.

Protecting such an environment can have different approaches and I would be interested in what you think and what you need:

• First and foremost we need policies clarifying what can be done and what not. For severe violations, there needs to be disciplinary action.
• We want to have some policy enforcement. Basically, the key functionality the user is interested in is often e-mail and therefore Exchange might be one of your key management point for this. Exchange is basically able to enforce the following policy options to your device (from Understanding Exchange ActiveSync): Remote Wipe, Device Password Policies (minimum length, characters, alphanumeric, inactivity time, enforce history, enable recovery, wipe device after failed attempts), device encryption. Therefore, it can be expected that the key requirements can be met. But there is a fair chance as well that not all devices fulfill all the requirements. Or even worse: The active sync client could simply lie to the server.
• Would it be an option for an IT organization to require a client installation? Would the policy “if you want to use your own device, you have to let us install a piece of software” something which can be implemented? I am not completely sure are the user will look at the device as his/her own and will refuse interference. On the other hand it is the company’s data. A fairly interesting conflict. If we are allowed to install a client, all of a sudden technologies like Network Access Protection become feasible as we have a trusted piece of software being able to check the health of a computer

But what else is needed? Do you need management? Inventory? What else would you expect in such a scenario from your technology? Let me know – I am interested in this debate.

Roger

An overview over DaRT can be found here. To prelude rants and questions: DaRT is part of the Microsoft Desktop Optimization package and cannot be downloaded from our website

Roger

If you think about it: Even if you know that you are on call for an incident response team, if you get a call from national intelligence telling you that something bad happens, how can you know that they are genuine? Just because they know the incident number? An interesting question we realized that we did not address it if the key people were not present. Now this is for a security-related IT incident.

Reading this article An Unsung Hero of the Nuclear Age scared me as it seems that this problem was not even solved launching nuclear missile. It asks a fundamental question:

How can any missile crewman know that an order to twist his launch key in its slot and send a thermonuclear missile rocketing out of its silo—a nuke capable of killing millions of civilians—is lawful, legitimate, and comes from a sane president?

So, even though the article is fairly long it is worth reading

Roger

Well, this is partly because of the mailbox sizes and DOS on mails, attachments are limited. But why do we not have an easy way to share public information (e.g. the presentation deck I need next week)? Guess, what happens:

Survey: 85% of Employees Under 25 Use Personal E-Mail Accounts for Work

A surprise? Really? Not for me…

The main reason these workers turn to personal email seems to be the attachment size limits of their official work email accounts. As we’ve reported, Palo Alto Networks found that Web-based file sharing such as Megaupload is also very popular in the workplace.

Do you like your files on public file sharing sites? Even public files? I do not.

…or…

…I also noticed that many employees used personal accounts for work because they didn’t have offsite access to their company email

Well, there is OWA or DirectAccess – no need for the clumsy and not-user-friendly VPN anymore…

And we feel so good with our policy not to allow these things… We block certain websites, without giving the user an ability to solve the business problem. The user circumvents security and the security people sleep very well as they have such a stringent policy.

This is definitely a wrong perception of security.

Roger

“We must push the envelope,” said James Williams, CIO at NASA’s Ames Research Center, which is developing the Nebula infrastructure as a service offering for the entire agency. “It’s not so much about making the cloud secure but about using the cloud to leverage best practices in security across an enterprise.”

Interesting! I recently had a discussion with our Chief Security Advisor in Australia and he told me how currently the Cloud comes into the play: Customers are not looking for a cloud solution but a way to improve their GRC processes. In parallel they have to reduce costs. Why not use the Cloud for this? Instead of trying to get ISO 27001 certified – we are. Instead of getting the ISO audit under SAS 70 Type II – we have. And the reason for that is fairly simple: We need to in order to help you to get compliant and then – it is our core business. Is running a datacenter in a compliant way yours?

So, the article above mentions four reasons, why you should stop worrying:

1. Sharing the cloud with strangers isn’t always a deal breaker.

[…]

Those risks are real, but they shouldn’t be deal breakers if proper steps are taken, especially given the potential financial rewards of multitenancy services. “You make a mistake if, in order to get security, you avoid co-tenancy entirely,” Rasch said.

There are ways to make such environments safer. At the Treasury Department, for example, officials are choosy about what they send to the cloud.

[…]

But Williams warned that cloud customers need to look below the surface. “Serious attention must be paid to crypto-implementation for processing and storage,” he said. He advises administrators to investigate each provider’s encryption strategy to answer the ultimate question: “Do you trust the algorithm as implemented by the vendor?”

It has to be about understanding your data and the classification thereof. If you do not understand your data, you cannot take the decision as described above. It reflects the last point in our paper on Information Protection. Additionally, trust leads back to certification. The encryption has to be FIPS certified.

2. FedRAMP is good start, but only the beginning.

Federal officials are optimistic that the budding Federal Risk and Authorization Management Program will simplify cloud security, but agencies shouldn’t let their guards down. Even after it’s finalized, don’t expect FedRAMP to relieve you of all security burdens.

I cannot (and do not want to) comment on FedRAMP. But what I keep saying (and again wrote in the paper), whatever you do with the Cloud, compliance and risk management remains your responsibility!

However, the interesting thing is that as soon as money is involved the discussions starts, which are the right standards to build something like that upon… I will not comment that further.

3 Outsourcing to the cloud? Don’t abdicate on security

Cloud computing increases the importance of a security best practice that every agency CIO might soon need to implement: continuous monitoring of IT resources and activities

See the point I made above. It is your responsibility. One thing is important to understand: If you are shooting for a public Cloud, you have to be aware of the fact, that this is a standard service, out of the box. The ability to customize it to your compliance needs is very, very limited as this is what the public Cloud is all about. You will have to trust the standards applied and the audits done by the Cloud provider. These audit reports have to be accessible to you if you are a customer (maybe under NDA). We are talking about economy of scale as you are looking for lower costs.

If you need tighter security, more controls etc. you might want to consider a private Cloud (on- or off-premise).

4. Off-the-shelf security terms are often negotiable.

Not all cloud security challenges are caused by still-evolving best practices and immature technologies. Some are the result of ongoing confusion about where a cloud service provider’s data management responsibilities end and the agency’s begin.

For example, don’t assume that the cloud provider will automatically back up data and store it on off-site tapes — a reasonable assumption under long-standing data protection practices. Similarly, a traditional intrusion detection system might not be included in a standard cloud contract.

“Those are services you can add, but if you don’t ask, you are not getting them oftentimes,” Cronin said.

Avoid unpleasant surprises and finger-pointing by diligently combing through cloud quotes to clearly understand what is being provided. And be ready to negotiate for anything that’s not spelled out in the document.

Therefore we ask customers to run a strong security and risk management team within their organizations. They need to be included in contract negotiations and I would definitely expect a Cloud provider to run the service in a professional way. At the end of the day, you have to be able to trust your provider.

And finally, there is a very interesting statement at the end:

“There is initially a belief that the cloud may not be as secure as [an agency’s] own infrastructure,” Cronin said. “But a cloud solution can be more secure than many federal systems that are on legacy infrastructures using legacy controls.”

If you are honest and try to get around your feelings: How good is your security? Really! Don’t get me wrong. I do not claim that security is bad everywhere and only Cloud providers know how to deal with it but I have seen a lot of very scary things, which cannot be changed internally because you are internal. If the best practices are applied by the provider you “have to” apply to these processes. This might be a great opportunity to increase your security.

And finally, there was an Australian KPMG report, which makes similar statements: Customer Experience: Security Can Improve in the Cloud

Roger