Nov 07 2022

Does your company need secure enclaves? Five questions to ask your CISO

Category: Cloud computingDISC @ 2:26 pm

Some of the biggest barriers to cloud adoption are security concerns: data loss or leakage, and the associated legal and regulatory concerns with storing and processing data off-premises.

In the last 18 months, 79% of companies have experienced at least one cloud data breach; even more alarmingly, 43% have reported 10 or more breaches in that time. Despite the clear advantages of cloud infrastructure, one of the main challenges that often gets overlooked is the need to: (1) trust that the infrastructure will be secure enough against threats and (2) that the chosen cloud provider won’t purposefully or inadvertently access the data processing on their infrastructure. When dealing with highly sensitive/confidential data (such as banking information or healthcare patient data), this becomes a major concern and a barrier to further cloud adoption.

Traditional approaches for protecting data have relied upon implementing access controls and policies and encrypting data at rest and in transit, but none are able to prevent the threat in its entirety because a fundamental challenge remains: keeping data encrypted when in use, while it is being processed. Confidential computing – projected to be a $54B market by 2026 – is emerging as a way to remove the need for trusting infrastructure and service providers by keeping data protected/encrypted even when in use.

Confidential computing technology uses hardware-based techniques to create isolated environments called enclaves (also known as Trusted Execution Environments or TEEs).

Code and data within enclaves are inaccessible by other applications, users, or processes colocated on the system. The enclave keeps the data encrypted even when in use – while in memory and during computation. With a secure enclave environment, multiple parties can collaborate on analytics and AI use cases without compromising the confidentiality of their individual data and exposing it to other parties.

According to a recent survey, using secure enclaves in the enterprise setting is attractive for implementing safeguards for the following scenarios:

  • Protect against insider threats. Data in the cloud is accessible to the database administrators of the cloud applications or infrastructure via direct access to the database, application logs, and device memory
  • Prevent platform software (i.e., a platform hypervisor) from accessing data
  • Protect data from adjacent workloads in a multitenant/user environment
  • Protect the integrity of crowdsourced ML models
  • Confidential data sharing and multi-party collaboration

If these scenarios apply to you and your business, but you’re unsure what you’ll need to know to get started, here are five questions to ask your CISO:

1. Will I need to deploy specialized hardware to keep our data protected?

Confidential computing technology is now available on all major cloud providers. This obviates the need to procure and maintain specialized hardware yourselves. Even though confidential computing and secure enclaves are still in the “emerging technology bucket,” organizations can easily adopt confidential computing through cloud vendors and ISVs. The cloud providers see the benefit of secure enclaves and their future potential as a transformative technology, and so have bought in.

2. Will we need to rewrite applications to use secure enclaves?

Some confidential computing technologies, such as Intel SGX, require application modifications before they can run within enclaves. Other technologies, such as Confidential VMs, provide more flexibility and can run unmodified applications.

But, from a security perspective, this has the downside of having to trust the entire software stack within the VM. So, depending on the use case and requirements, one technology may be preferable over the other. In addition, proper adoption of confidential computing requires orchestrating management of the other constituent technologies, such as remote attestation.

The enclave adoption process can be complex and engineering teams will have to take time to build these capabilities to get their applications up and running. While bandwidth may be tight at times, the ROI is worth it in the long run. A growing ISV ecosystem can also help in the seamless adoption of confidential computing for a rich variety of use cases.

3. Can I use secure enclaves to improve data collaboration with other teams?

Before data can be shared with other teams, organizations typically need to follow a cumbersome governance process to restrict access to sensitive data, eliminate data sets or mask specific data fields, and prevent any level of data sharing.

Integrating secure enclaves provides an opportunity for organizations to increase both productivity and security measures. Multiple data owners can individually encrypt their entire data (including PII), pool it together, and analyze the collective data set within enclaves. Done effectively, multi-party collaboration can drive faster business results by enabling new and higher-quality insights.

4. Will I need to add additional security expertise to the team?

Implementing confidential computing workflows can be difficult to do directly without using existing tools and software. One needs to make sure that confidential data is protected throughout its lifecycle. This can have a variety of moving parts – from integrating with existing key management systems to managing secure enclave infrastructure, rewriting applications, deploying code securely and verifiably to the enclaves, and keeping confidential data encrypted in storage and in transit in/out of the enclaves. However, there is a rich emerging ISV ecosystem of software that alleviates the complexities of confidential computing for a rich variety of use cases, making it easy to use and adopt by non-experts.

5. Will I need to lock myself into a single cloud?

The top CPU vendors all introduced secure enclave and confidential computing solutions in recent years. These were adopted by the leading cloud vendors, some of which now offer solutions based on the same underlying technology. Microsoft Azure and Google Cloud Platform, for example, offer solutions based on AMD’s SEV technology. As software solutions running on top of these cloud platforms evolve, application vendors will introduce cross-platform solutions powered by the common hardware layers.

Conclusion

Businesses considering adopting cloud technology can better do so with secure enclaves. By asking your CISO these five questions, businesses can move into the future, understand what implementing secure enclaves will look like, better secure their data, and create a more efficient analytics process.

This ongoing shift to the cloud will increase efficiency for companies and reduce human error – especially knowing 57% of businesses will move their workloads to the cloud before the end of the year. When secure enclaves are implemented properly, the crucial component of ensuring security is not sacrificed. All businesses working with data should consider integrating confidential computing into their models to allow for analytics and AI on encrypted data.

shield

Secure Processors Part I: Background, Taxonomy for Secure Enclaves and Intel SGX Architecture

Tags: cloud adoption, data protection, secure enclaves


Sep 02 2022

Researchers analyzed a new JavaScript skimmer used by Magecart threat actors

Category: Cyber Threats,pci dssDISC @ 8:33 am

Researchers from Cyble analyzed a new, highly evasive JavaScript skimmer used by Magecart threat actors.

Cyble Research & Intelligence Labs started its investigation after seeing a post on Twitter a new JavaScript skimmer developed by the Magecart threat group used to target Magento e-commerce websites.

In Magecart attacks against Magento e-stores, attackers attempt to exploit vulnerabilities in the popular CMS to gain access to the source code of the website and inject malicious JavaScript. The malicious code is designed to capture payment data (credit/debit owner’s name, credit/debit card number, CVV number, and expiry date) from payment forms and checkout pages. The malicious code also performs some checks to determine that data are in the correct format, for example analyzing the length of the entered data.

In this specific case, the researchers discovered that when a user visits the compromised website, the skimmer loads the payment overlay and asks the user to enter the payment information.

The skimmer is obfuscated and embedded in the JavaScript file “media/js/js-color.min.js”

Magecart skimmer

nce the victim has entered its payment data in the form, the JavaScript file collects them and then sends the Base64-encoded data to the URL included in the JavaScript using the POST method

Cyble experts noticed that upon executing the JavaScript, it checks if the browser’s dev tool is open to avoid being analyzed.

“Online shopping activity is constantly on the rise due to its ease of use, digital transformation, and the sheer convenience. Skimmer groups continue to infect e-commerce sites in large numbers and are improving their techniques to remain undetected.” concludes the report. “Historically, Magento e-commerce websites have been the most highly targeted victims of skimmer attacks. While using any e-commerce website, ensure that you only use known and legitimate platforms.”

Data Privacy: A runbook for engineers

Tags: data protection, JavaScript skimmer, Magecart threat actors


Mar 31 2022

Every Day Should be World Backup Day

Category: BCP,Security AwarenessDISC @ 1:09 pm

Modern Data Protection: Ensuring Recoverability of All Modern Workloads

Tags: Backup Day, data archive, data protection, data storage


Dec 31 2021

What is a Personal Firewall?

Category: Firewall,next generation firewallDISC @ 7:55 am

What is a Firewall?

A Firewall is the controller of incoming and outgoing traffic between your computer and internet network.

Who should use a Firewall, and for what?

  1. Those wanting to prevent unauthorized remote access.
  2. Those looking to block immoral content (such as adult sites).
  3. Online gamers – at a high risk for getting hacked in online games.
  4. Business owners and those working from home – at a high risk for getting hacked.
  5. Anyone not wanting to risk their data and privacy.

Why is a Firewall important?

A Firewall is important for several reasons:

  1. Promotes privacy
    A Firewall blocks or alerts the user about all unauthorized inbound or outbound connection attempts. It allows the user to control which programs can access the local network and internet.
  2. Stops viruses and spyware
  3. Prevents hacking
    A Firewall blocks and prevents hacking attempts and attacks.
  4. Monitors network traffic and applications
    It regulates all incoming and outgoing internet users as well as applications that are listening for incoming connections. Moreover, it tracks recent events and intrusion attempts to see who has tried to access your computer.

What’s the difference between a personal and business-grade Firewall?

• A personal Firewall usually only protects the computer on which it is installed, whereas a business-grade Firewall is normally installed on a designated interface between two or more networks (allowing for a greater number of computers to be protected).
• Personal Firewalls allows a security policy to be defined for individual computers, while a business-grade Firewall controls the policy between the networks that it connects.
• Personal Firewalls are useful in protecting computers that are moved through different networks (as the protection is per computer vs. the network). It can be used at public hotspots, allowing the user to decide the level of trust and the option to reconfigure the settings to limit traffic to and from the computer.
• Unlike business-grade Firewalls, many personal firewalls have the ability to control network traffic for programs on the secured computer. For instance, when an application needs to establish outbound connection, the personal Firewall will scan it for safety, block it if it’s blacklisted, or ask for permission to blacklist it if not known.
• Personal Firewalls may also help block intruders by allowing the software to block connectivity where it suspects an intrusion is being attempted.

Risks of not having a Firewall

  • Loss of data
  • Open access
  • Network crashes

Personal computer firewall

Tags: data privacy, data protection, Firewall, Network Security, Online Privacy, Online Safety


Nov 04 2008

Open Network and Security

Category: Information Security,Open NetworkDISC @ 7:54 pm

Made and uploaded by John Manuel - JMK{{#if: |...

Open networks are heterogeneous environment where users like to use all the applications and systems at any given time. In a heterogeneous environment, each department run different hardware and software, but you can control the protocols which will work on this environment.

Universities are famous for open network. Most Universities network is comprised of a Bank (To give loan to students), a restaurant, and a bookstore which have credit card processing ability. Students, alumni, researchers, employee and staff need access to utilize resources. Now how would you control access if same person assume all the roles mentioned above. Universities are basically transient communities, where users come back and plug-in their new devices and expect an immediate access to all the resources. Where the reputation of openness is challenge at every step of the way, now the question is how can they maintain reputation and yet control the environment based on security policies.

Reasonable security can be accomplished by focusing on a process rather than adding yet another security control. The process is based on risk assessment program where you assess your critical assets based on threat and vulnerability pair and measure the likelihood and impact of a threat if a given vulnerability is exploited.

The process start with knowing your assets – Network registration will detect when you plug-in your new equipment. Before you get an access, it detects a hardware address and username. You can also control common misconfigurations and noncompliance issues with network registration process. Some vulnerability management systems discover assets and perform vulnerability and security configuration assessment to proactively identify and prioritize risks. New vulnerabilities are accessed from trusted site on a regular basis and when vulnerabilities are identified, the management system needs to have an ability to remediate to comply with the information security policy.

Most of the departments in an open network contains different systems and applications and basically have different security appetite. Distributed IT Governance can address this issue where you develop policies and procedures which fit their needs and hand it over to the department to comply.
Open network requires pretty much open borders, Instead of securing the network/system emphasis should be on data protection.

[TABLE=9]

Recent news from AT&T to make its network open where customers can use any handset of their choice, perhaps a reaction to in response to recent moves from Verizon and Google to promote open network. Specifically Verizon announced that it would allow “any device” and “any application” to operate on its network. These open networks does provide flexibility for customers but at the same time burden lies on the shoulders of the corporations to provide right balance of security and privacy with availability of the network.

In an open network, reasonable security can be achieved by embracing ISO 27k standard and eventually acquiring ISO 27001 (ISMS) certification. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of an open network. ISMS as a process in-place provides reasonable security safeguard to your information and certainly help to minimize the liability in the court of law.

End-to-End Network Security: Defense-in-Depth by Omar Santos
httpv://www.youtube.com/watch?v=zTJSMjYd9c4

(Free Two-Day Shipping from Amazon Prime). Great books

Reblog this post [with Zemanta]




Tags: AT&T, Computers, Credit card, data protection, heterogeneous, impact, Information Security, Information Security Management System, isms, iso 27001, ISO 27k, ISO/IEC 27001, IT Governance, likelihood, Network registration, Omar Santos, Reasonable security, risk assessment program, security controls, threat, Universities network, Verizon, vulnerability, vulnerability management systems


Oct 13 2008

World Bank security breach and financial crisis

Category: Information Warfare,Security BreachDISC @ 1:56 am

The World Bank controls the World’s banking system, creates plans and strategies to develop economies to protect countries from financial turmoil. This information is a treasure trove of data which can be manipulated for huge monetary or political gain.

Amongst the financial crisis, a major security breach has been reported at World Bank that might tell us a story that protecting consumers’ data during these crisis might not be the first priority for many suffering financial institutions.

World Bank Under Siege in “Unprecedented Crisis

“It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.”
“In total, at least six major intrusions — two of them using the same group of IP addresses originating from China have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. ”

The World Bank’s technology and security expert states that the incident is an “unprecedented crisis.” Some security experts are saying that this might be the worst security breach to date at a global financial institution. The hackers controlled around 18 servers for more than a month and World Bank admits that sensitive data could have been stolen but they are not sure about the total impact of the breach.

Alan Calder wrote about “Data protection and financial chaos” and mentioned that “When financial markets appear to be in free fall, many organizations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist anymore?”
I concur with Alan on this point, in the midst of this chaos, our personal data might be at great risk and we have to be vigilant and carry the load to protect our data. At the same time, this might become another reason for the financial institutions’ demise if they let their guards down now and do not make a priority to protect customers’ data.

During this turmoil, some financial institutions’ upper management doesn’t have to worry about their responsibility of securing the customers data adequately when they already know that eventually the taxpayers will be paying for their mistakes and their bonus plan will stay intact. Unprecedented crisis are sometimes the result of unprecedented greed.

Glassner “I don’t know that the captain of the Titanic got a bonus for driving the boat into iceberg. They at least had the decency to go down with the ship” [quoted in ‘Wachovia’s Golden Parachutes” story in S.F. Chronicle of 10/10/08 pg. C1].

Bill Gates “I’m quite worried about the fiscal imbalances that we’ve got and what that might mean in terms of financial crisis ahead.”

Chinese hackers: No site is safe
httpv://www.youtube.com/watch?v=ovNVhk1rVVE&feature=related


(Free Two-Day Shipping from Amazon Prime). Great books




Tags: china, consumers data, data protection, deeply penetrated, financial chaos, financial crisis, full access, hackers, inicident, monetary gain, restricted treasury, Security Breach, sensitive data, spy software, treasure trove, unprecedented crises, unprecedented greed