Thursday, May 25, 2017

How Large Enterprises Can Protect Their Data from Increasing Ransomware Attacks

Ransomware attacks are increasingly making headlines as hackers find ways to access platforms to infect data. Experts worry that new and emerging data platforms provide low-hanging fruit to ransomware attackers.

Nitin Donde, CEO at Talena notes, "By their very nature, Hadoop and NoSQL databases are complex distributed systems with many moving parts, which while making it easy to manage and scale them independently, has also opened them up to the possibility of security attacks at multiple points of vulnerability.

"Most large enterprises deploy several of these systems and as a result, large enterprises are at a significantly increased risk of ransomware attacks. We have seen a spate of recent ransomware attacks on MongoDB, CouchDB and Elastic. By some estimates, the number of systems affected is in the thousands, which is a huge drain on the both capital and time."

In order for enterprises to mitigate and nullify these modern security threats to their business critical data platforms, Nitin recommends companies take the following steps to safeguard their data:
  • Instill the same level of policy rigor that can be taken for granted in traditional record-of-truth platforms such as RDBMSs, email servers and data warehouses. Some of the security frameworks such as Kerberos are complex to implement and maintain for big data platforms, but they will deter and prevent attacks right when they happen.
  • Making timely backups of the data in an efficient and scalable manner is paramount. With the landscape of security threats constantly changing, data backups are an enterprise’s insurance against loss of time and capital as they let you travel back in time in the event of a disaster.
  • Intelligent machine learning: With increasing volume and variety of data, it’s not humanly possible to constantly scan modern platforms for security threats. Intelligent machine learning-driven approaches must supplant humans for detecting anomalous behavior in both the acquisition as well as storage phases of data lifecycle management.

Tuesday, May 16, 2017

Cloud Encryption: Bring Your Own Key Is No Longer Enough




Encryption key management systems are now essential for all companies needing to lockdown data in the cloud, says Matt Landrock, Executive Vice President, Cryptomathic

‘Trust’ can be both a terrific enabler and a severe inhibitor in cloud services adoption. Keen to benefit from the cloud’s promise of flexible and scalable on-demand computing, businesses everywhere continue to migrate increasing volumes of critical data off-site and into the hands of third party cloud service providers. Each time this happens, however, they must answer the same question: what guarantees do I need before I can trust this provider to protect my data? 

Who holds the power to access a firm’s private data in the cloud is a big and thorny issue. Hosting services operate, by definition, across borders whereas the regulations that grant nation states and other third parties power-of-access, do not. Governing authorities around the world therefore vary in their ability to compel cloud service providers to sacrifice customer privacy and comply with their access demands. 

As a result, encryption now has a major role to play in the security process. Companies that trade in confidentiality, banks for example, commonly use encryption as a defense against third party intervention from nation states and cybercriminals alike. When rolled into their cloud provider’s managed service contract, however, encryption actually does relatively little to reassure: if the provider can already be strong-armed into granting access, surely they can also be compelled to relinquish their encryption keys, making life pretty awkward for everyone involved. Nonetheless, a study from Ponemon Institute & Thales[1], revealed that 37% companies worldwide still rely on their cloud providers to generate and manage both the keys and the encryption process. 

‘Bring Your Own Key’ (BYOK), where the end-user independently generates, backs up and submits its own encryption keys, neatly addresses this concern. If the service provider doesn’t have access to the key in the first place, it can’t be compelled to hand it over, meaning that the user’s data will remain encrypted no matter who tries to access it. Sadly, BYOK creates another set of problems. Assuming sole control over an encryption key, however, is a hefty responsibility. Loss or error could prevent a business from decrypting its own data, resulting in paralysis. Theft of the encryption key puts the entire security operation in jeopardy, meaning that the user’s back up process must itself be subject to high-security measures. What’s more, if the key is lost or stolen, help is very hard to come by. The service provider, having already been relieved of their key liability, is powerless to assist. In many ways BYOK replicates the problems associated with more traditional usernames and passwords. Key ubiquity, like password ubiquity, replaces one security headache with another:  should there be a key to all the keys? How is that key secured? And so on.

BYOK poses operational challenges, too. Once the user’s key has been created and submitted to the service provider it can’t be retrieved, or at least not easily. Security best practice also dictates that each individual cloud service should have its own unique key. Where vast stores of data are concerned, risk mitigation policies encourage firms use a variety of keys and to spread their data between several providers, each of which will have its own unique blend of encryption engines, protocols and messaging formats. This situation is worsening too: Forrester predicts that the practice of blending multiple cloud models will increase in 2017 and calls on companies to take specific steps to secure their whole environment.[2]
 
When combined, these factors add up to a complex and multi-faceted BYOK challenge, of which nothing less than bullet-proof management is acceptable.  

Fortunately, demand for what could now be called ‘Manage Your Own Keys’ (MYOK™) can be well supported by specialist software, purpose-designed to put users back in the driving seat. These platforms enabling users to control and manage the entire lifecycle of their own, unique portfolio of keys; generating, storing, deploying, retrieving, backing-up, restoring, revoking and updating as they go. 

Such systems also arm users with the capability to expand their use of encryption. Today’s large enterprises invariably use a host of different cloud models – public, private and hybrid amalgamations of the two. MYOK™ systems enable users to address them all with cryptography, creating and managing keys regardless of their required shape, form and destination. This is democratizing what has, until now, been regarded as a complex and highly technical security process.
This is just the beginning. The number and variety of uses for encryption keys is exploding. Having begun life in network management and financial services, encryption and other cryptographic functions are fanning out rapidly, to secure data created by smart devices, connected cars, intelligent building systems and all manner of other connected consumables that together comprise the Internet of Things.  

There is little doubting the level of enthusiasm for cloud-based data storage and transmission services. The big problem has been that major stakeholders have had a hard time balancing their need to guarantee security, control and confidentiality with the huge gains that the cloud can deliver in terms of flexibility, scalability and operational agility. Key management platforms enable this balance to be struck, reducing time to market for those delivering cloud-dependent products and services while, at the same time, ensuring they remain the sole proprietors of their data, regardless of where it is kept or how it is transmitted.

If the encryption industry is to avoid replicating the mistakes of the username and password model, it must promote an approach that has secure key management at the center. Only then can the full promise of the cloud be realized, finally unburdened by issues of trust.


NB: MYOK™ is a registered trademark of Cryptomathic Inc.

Monday, May 15, 2017

Special Interest Groups’ Use of Social Media as a Weapon

There are hundreds of special interest groups involved in a wide variety of interests ranging from commerce, health, or art, to community development or religion. There are also groups that are involved in political and social causes. This excerpt from Social Media Warfare: Equal Weapons for All examines well-established special interest groups and the various types of special interest groups, as well as issues related to these groups: health care; guns, hate, and social media warfare; abortion debates and violent acts of extremists; environmentalists and eco-terrorists; lesbian, gay, bisexual and transsexual (LGBT) rights and social media warfare; and religious bias and discrimination in social media warfare.

Monday, May 8, 2017

National Constitution Center Releases New White Papers on Impact of New Technologies on Privacy, Surveillance, Cybersecurity, and Law Enforcement



LEADING SCHOLARS AND THOUGHT LEADERS RELEASE WHITE PAPERS ON IMPACT OF NEW TECHNOLOGIES ON PRIVACY, SURVEILLANCE, CYBERSECURITY, AND LAW ENFORCEMENT

Authors will convene to discuss the white papers at the National Constitution Center
on Wednesday, May 10, 2017
                 
Philadelphia, PA (May 8, 2017) – The National Constitution Center released a white paper series – entitled “A Twenty-First Century Framework for Digital Privacy” – addressing the impact of new technologies on privacy rights, government surveillance, cybersecurity, and law enforcement. The papers examine the challenges that new technologies pose to the existing legal framework and propose solutions. The authors – which include some of the country’s top scholars and thought leaders on the issues of national security, law enforcement, and digital privacy – will gather at the National Constitution Center on Wednesday, May 10 at 6:30 p.m. to discuss their findings and explore the future of the Fourth Amendment in the digital age.

“The National Constitution Center is thrilled to be able to bring together such a diverse group of scholars and thought leaders to discuss one of most important legal challenges of the digital age—how to protect privacy and security in the era of cloud computing,” said Jeffrey Rosen, President and CEO of the National Constitution Center. “This new white paper series reflects the Constitution Center’s commitment to presenting the best available arguments on all sides of the constitutional issues at the center of American life. It will help us address the crucial challenge of how best to translate the Constitution and key privacy laws in light of new technologies.”

Synopses of each white paper are included below. Authors and titles for each paper include:

  • Jennifer Daskal, Associate Professor of Law at American University: "Whose Law Governs in a Borderless World? Law Enforcement Access to Data Across Borders"
  • Jim Harper, Vice President of the Competitive Enterprise Institute: "Administering the Fourth Amendment in the Digital Age"
  • David Kris, former Assistant Attorney General for National Security: "Digital Divergence"
  • Neil Richards, Thomas and Karole Green Professor of Law at Washington University: "Secret Government Searches and Digital Civil Liberties"
  • Christopher Slobogin, Milton R. Underwood Chair in Law at Vanderbilt University: "Policing and The Cloud"


White paper authors Harper, Kris, Daskal, and Slobogin will convene for the event on Wednesday, May 10, at the National Constitution Center. The program will be moderated by Thomas Donnelly, National Constitution Center Senior Fellow for Constitutional Studies, and will include a keynote speech entitled “What Would Brandeis Do in the Digital Age?” by Jeffrey Rosen, National Constitution Center President and CEO. The event will be livestreamed on the National Constitution Center’s website at constitutioncenter.org/live.

WHITE PAPER SYNOPSES

Author: Jennifer Daskal, Associate Professor of Law at American University
Synopsis: It is not simple to translate the traditional rules governing searches and seizures to the world of digital evidence. There are, after all, key—and highly relevant—distinctions between digitalized evidence and its more tangible counterparts. Data can move across borders and around the world instantly, can be held in multiple places at once, and can be accessed remotely from across the globe. Our failure to adequately account for these differences is having increasingly negative consequences for our security, our privacy, and our economy. Today, legal rules covering government access to data focus on data location. A better rule would shift the focus to a variety of other factors, including target location and nationality, the location of the provider, and the strength of the government’s interest. These factors better reflect the interest at stake in cross-border data dispute, including privacy, security, and sovereignty.

Author: Jim Harper, Vice President of the Competitive Enterprise Institute
Synopsis: Modern Fourth Amendment jurisprudence is a muddle, and it is sorely challenged by advances in information technology. Our entry into the Information Age demands a new, higher respect for data, information, and communications as common law property. Courts should reject an approach to the Fourth Amendment that focuses on society’s “reasonable expectations of privacy” and should instead adopt one that hues closely to the Fourth Amendment’s text and recognizes data, information, and communications as a key form of property. Simply put, if there was a “search” or “seizure,” if it was of protected things, and if it was unreasonable, then the Fourth Amendment has been violated. That is how to administer the Fourth Amendment. This approach would place judges back in the familiar position of applying the law to the facts of a specific case.

Title:Digital Divergence
Author: David Kris, former Assistant Attorney General for National Security
Synopsis: This paper addresses the effects of advances in technology on statutory and constitutional law and challenges the view that balancing privacy and security is a zero-sum game. Technological advances increase (what the paper calls) “digital divergence,” making it easier for informed and motivated individuals, groups, and governments to defeat surveillance, commit misconduct, and avoid attribution, but harder for everyone else to protect against such misconduct and to control their own personal data. Digital network technology has brought enormous benefits, but digital divergence threatens both privacy and security. This trend has the potential to upset many of our established rules and practices—not in a single burst of new law created intentionally by elected officials, but through a rapid and radical transformation of the environment underlying the old laws fueled by commercial motives.

Author: Neil Richards, Thomas and Karole Green Professor of Law at Washington University
Synopsis: This paper explores the issue of “secret government searches”—namely, instances of government surveillance that remain a secret to the search target. It attempts to put the rise of secret government searches into context—historical, technological, and most importantly constitutional—and argues that these searches are unprecedented, historically and technologically, and inconsistent with key constitutional values, including freedom of thought, freedom of expression, and freedom from unreasonable searches and seizures.

Author: Christopher Slobogin, Milton R. Underwood Chair in Law at Vanderbilt University
Synopsis: It is now a commonplace that virtually everything we do is memorialized on databases. These databases—the servers of Google, Netflix, and Apple; the memory banks of phones, closed circuit cameras, “smart cars,” and satellites; the computers in commercial establishments and government agencies—track an astonishing range of our intimate daily activities, including financial transactions, internet connections, travel routes, tax information, and medical treatment. But when should the government be able to gain access to this wealth of personal information for law enforcement and national security purposes? Private and government databases are full of information that can enhance law enforcement’s ability to detect and investigate crime and terrorism. However, given the personal nature of the information stored in The Cloud, law enforcement shouldn’t be able to access it at will. Instead, the challenges of the digital age require an approach that is sensitive to the context of the specific government action or request. While a warrant may not be appropriate in all circumstances, a mere subpoena may not be sufficient, either. In crafting the right approach, the goal should be to construct rules that will allow government to harness The Cloud’s investigative potential, while also limiting the opportunities for government abuses.

The National Constitution Center and the authors of these papers maintained editorial independence during the production of “A Twenty-First Century Framework for Digital Privacy.” The series was produced with support from Microsoft.

About the National Constitution Center
The National Constitution Center in Philadelphia inspires citizenship as the only place where people across America and around the world can come together to learn about, debate, and celebrate the greatest vision of human freedom in history, the U.S. Constitution. A private, nonprofit organization, the Center serves as America’s leading platform for constitutional education and debate, fulfilling its Congressional charter “to disseminate information about the U.S. Constitution on a nonpartisan basis.” As the Museum of We the People, the Center brings the Constitution to life for visitors of all ages through interactive programs and exhibits. As America’s Town Hall, the Center brings the leading conservative and liberal thought leaders together to debate the Constitution on all media platforms. As a center for Civic Education, the Center delivers the best educational programs and online resources that inspire, excite, and engage citizens about the U.S. Constitution. For more information, call 215-409-6700 or visit constitutioncenter.org.