First Things First: Know Your Data



Baan Alsinawi

It’s been three years since the U.S. Office of Personnel Management’s (OPM) two data breaches shocked the country and spawned immediate cyber initiatives in response to the theft of millions of highly sensitive records – possibly now resulting in identity fraud, as reported by the Wall Street Journal. In the months that followed, the nation’s agencies were required to make an honest accounting of vital systems and the state of their security.

Although the new processes will not mitigate the full impact of the OPM hack, we now have access to a better process for identifying and managing critical assets or high value assets (HVA), which are defined as information systems, information and data so essential that unauthorized access, use, disclosure, disruption, modification, or destruction could cause significant harm to national security or interests, and to an organization’s business operations.

It is equally important to keep in mind that the single most important part of the process is to fully understand what makes up a high value asset, regardless of whether you are in the public or private sector. In talking to many CISOs over the past few years, it is clear many organizations are still not sure what constitutes their most valuable assets and, as a result, cannot adequately protect their “crown jewels.”

As part of the risk management process, I encourage all my clients to take a step back, so they can truly see the big picture in understanding their critical data assets. While this seems rather fundamental, it is still very much a challenge for many security professionals today.

The key takeaway is that until organizations, public and private, have a firm grasp on what their most valuable assets are, it is all but impossible to develop an effective security program. Organizations that move forward without this knowledge generally invest time and resources that are not based on a solid foundation in which critical assets are identified, business impact analysis is performed and risk-based decisions are executed accordingly. The results may yield a false sense of security, especially since they are not based on risk modeling and situational awareness.

To its credit, the U.S. federal government has issued several informative security bulletins to address prioritizing risk based on the value of its information assets, including several worthwhile ones that give users a good place to start:

  • OMB M-16-04 details the Cybersecurity Strategy and Implementation Plan (CSIP).
  • OMB Circulars A-123, A-130 and OMB M-13-13 outline requirements for identifying assets, maintaining inventories, performing risk assessments and addressing risks related to assets, and
  • OMB M-17-09 lists additional agency obligations and introduces the Agency HVA Process for managing risk to HVAs across the enterprise.

In addition, the Department of Homeland Security, which is vested with the authority to define agency information security policies and practices, collaborated with NIST on an HVA Control Overlay. Risk management professionals, government or not, will find it provides valuable information on how they should implement critical security controls for their high value assets to mitigate against known threats and weaknesses.

As I tell my clients, always remember that compliance is a means to the objective of effective risk management. It’s so important to always take a step back and look at the big picture, so you can define and quantify the value of your assets and the business impact. Make sure the conversation is a business-focused one about what matters most to the board, agency heads and key stakeholders. Start by mapping critical assets to business priorities, beginning with an initial gap analysis that addresses the business impact. Then identify the corresponding frameworks, and you will be on the path to effective risk management, all centered on your HVAs.

When your foundation is solid, fulfilling the control requirements is much easier, and more importantly, you have the benefit of knowing that your sense of security is real.

Category: Risk Management
Published: 7/19/2018 3:07 PM



Dell EMC: 2U Integrated Data Protection Appliance DP4400 for Mid-Size Organizations


Dell EMC, part of Dell Technologies, announced its Integrated Data Protection Appliance (IDPA), the IDPA DP4400, providing converged data protection to help mid-size organizations transform IT while combatting data sprawl and complexity. Comprehensive data protection has been a challenge for mid-size organizations. Enterprise products come with higher cost and complexity, while lower cost products that […]


Fujitsu 2U Eternus CS8050 NAS Appliance for Archiving


Fujitsu Ltd. adds a storage appliance for archiving to its portfolio. The ETERNUS CS8050 NAS provides competitively priced storage for the archiving needs – including SoftWORM (Write Once, Read Many) features for legal compliance, integrated archive replication and snapshot-based backup processes that ensure ongoing BC of medium-sized organisations. Archiving chunks of business data over long […]


Veeam Delivering Hyper-Availability for Nutanix AHV


Veeam Software, Inc. announced Veeam Availability for Nutanix AHV, a data availability solution for applications and data hosted on the Nutanix AHV Hypervisor. The combination of Nutanix Enterprise Cloud OS software and the Veeam Hyper-Availability Platform will deliver a hyper-available enterprise cloud that provides enterprise availability and scale-out capabilities, better enabling customers to focus on […]


Unisecure Data Centers Launches Cloud Storage Services Using NVMe for SSD


Unisecure LLC Data Centers announced servers for cloud storage products using NVMe SSD storage, with snapshots as an additional feature in beta. NVMe is known as NVM Express or Non-Volatile Memory Host Controller Interface Specification. It is an open device interface specification for accessing NV storage media attached over a PCIe bus. Why Unisecure […]


Brocade/Broadcom Assigned Patent


Brocade Communications Systems LLC, San Jose, CA, (acquired by Broadcom Ltd.) has been assigned a patent (10,015,113) developed by Yeung, Wing-Keung Adam, Saratoga, CA, Chadaga, Tejaswini, San Jose, CA, and Sakthivel, Sabarivel, Santa Clara, CA, for “techniques to restore multicast data plane from persistent storage.” The abstract of the patent published by the U.S. Patent […]


To Enhance Security, Head Into The Cloud




As digital disruption continues to redefine what’s possible at an unprecedented speed and scale, organisations are increasingly turning to cloud-based capabilities to survive and thrive. The cloud has become critical not just to the day-to-day, but to enabling the IT innovation that will determine business success tomorrow.

According to The Cloud Industry Forum, more than three-quarters (78%) of UK firms are now embracing the cloud, citing flexibility (77%), scalability (76%) and reliability (74%) as the leading drivers. Yet, despite the cloud’s obvious business benefits, it still carries a security stigma. Three-quarters of CEOs (77%) cite security as their main fear when it comes to the cloud. Security is also consistently named as one of the top three barriers to adoption, whether organisations are considering public (41%), private (21%) or hybrid cloud strategies (24%).

Given the marketing hype, media hysteria and regulatory complexity surrounding cybersecurity today, it’s no surprise that business leaders have fears over cloud security – but are they justified?

Myths & realities

When considering the cloud’s security credentials, the first question we should ask is: “compared to what?”. Is an organisation’s data at greater risk in the cloud than on-premise? According to Wieland Alge, VP and GM of EMEAR at Barracuda Networks, the answer is no: “almost all of the massive data breaches we’ve seen of late were within traditional on-premise IT”.

The leading cloud platforms have also made massive investments to resist cyberattacks. Microsoft, Amazon and other major cloud providers are not only highly motivated to ensure top-notch security for customers, they also have the funding, skills and technologies to make it a reality.

Individual enterprises simply can’t compete with these cloud providers on security – whether we compare the physical defences surrounding cloud data centres and office-based servers, or the quality of the cyber skills and tools protecting virtual systems. Simply put, securing on-premise IT is harder for enterprises because security isn’t their core business: a lack of time, money and cyber skills all hamper their efforts.

Perhaps most telling of all is the fact that the most security-conscious industries, including banking and defence, are now embracing the cloud. Senior executives in the financial sector have suggested that 30% of their IT requirements could be met by the public cloud within three years. Meanwhile, even the US Central Intelligence Agency (CIA) has partnered with AWS on a $600 million contract for cloud services.

While business leaders may feel more comfortable with the status quo inside their organisation, the reality is that on-premise IT is not as secure as they believe, while the cloud is more secure than they think.

Hybrid vigour

While cloud security may be superior to on-premise IT in general, adoption is likely to remain a gradual process. Today, most organisations (57%) are leveraging a hybrid approach that combines the security and performance of on-premise infrastructure with the public cloud’s agility, cost-savings and economies of scale.

However, such hybrid strategies raise the conundrum of how to best link on-premise and cloud-based workloads. While the major cloud platforms are secure, accessing them via the public internet brings both security and performance concerns. Not only can data potentially be intercepted by malicious actors, business performance also remains at the mercy of spikes in public internet demand.

By allowing organisations to place their on-premise infrastructure right next to the private access points to the most popular cloud platforms, colocated hybrid cloud offers an attractive solution. Direct fibre links to private cloud access points eliminate public internet exposure and its ensuing security and performance risks. Meanwhile, the best colocation providers also ensure unbeatable multi-layer physical IT security – including infrastructure cages, strict access controls, 24×7 security patrols and CCTV surveillance.

Colocation may also bring access to a broad mix of managed security service providers sharing the same facility. With these organisations just a cross-connect away, businesses can make informed investments in secure and cost-effective interconnections to address specific cyber challenges – from identity and access management, to DDoS protection.

For any organisation worried about cloud security, the path is clear: head into the colocated hybrid cloud.


Harnessing the Hacker Mindset



Keren Elazari

Editor’s note: Keren Elazari, cybersecurity analyst, author and researcher, will give the closing keynote address at CSX Europe 2018, to take place 29-31 October in London, UK. Elazari recently visited with ISACA Now to discuss the hacking “ethos,” whether data privacy should be considered a right or a privilege, and more. The following is a transcript, edited for length and clarity.

ISACA Now: What prompted you to take an interest in cybersecurity research and analysis?
In one word: Curiosity. Always asking more questions, always poking fingers into things I don’t understand – I believe that is the quintessential hacker mindset and that is what has always defined who I am. Even as a child, I was always really interested in technology and curious about how things worked. I would break things, take them apart, crawl under the table to disconnect the cables and see what would happen if I put them somewhere else.

An important milestone for me was the movie “Hackers” that came out in 1995. I always talk about this movie as my inspiration, because it really gave me a context for hacking: hacking as a calling, a life choice. It showed me a hacker could be a hero of a story, and that hero could be a high school girl just like me! In the movie, it’s Angelina Jolie, pretty much the coolest person in the world from my point of view. Everything was exactly right for me in that cultural moment; it was exactly what I needed to see and hear to understand it was my calling. That’s why I am proud to call myself a hacker. My idea of a hacker is perhaps somewhat romantic, but I consider the friendly and ethical hackers out there in the world as a vital part of culture, society and the economy, pushing forward the evolution of technology and acting as a much needed “immune system” for the information age.

I wear many professional hats: strategic advisor, business analyst, academic researcher and author. I’ve worked as a security architect, risk management consultant and product manager; yet in any role and organization, I’ve always held that hacker–hero ethos at heart.

ISACA Now: In what areas must the cybersecurity workforce make the most strides if organizations are going to be equipped to deal with the evolving threat landscape?
Despite widespread automation of technology and defensive security solutions, I do believe there always will be room for humans in the equation. As AI, big data, algorithms, automation, machine learning, and adaptable technology become more prevalent, 70-80% of cybersecurity tasks will be automated and drilled down to a science. That means defenders must become more like data scientists and feel at ease with managing and utilizing such tools and leveraging them to gain a better understanding of threats and the security posture of organizations.

It also means that the hard-to-find 20-30% of threats and security problems will become harder to identify. This is where the ART comes in. This is where the tasks human defenders will deal with become less methodical and more creative, more hacker-like, more innovative. In order to make the alchemy of science plus the art of security work in harmony, we must also harness the hacker mindset and invest in skillsets like digital forensics, incident response, threat hunting and red team testing. Those are the skills we should cultivate and in which we should invest today to be ready tomorrow.

ISACA Now: What are the biggest barriers that must be dealt with to improve diversity within the cybersecurity workforce?
First, I’d like to say that there’s no doubt in my mind that the community and the industry are changing and maturing, becoming more diverse and open to other voices and perspectives all the time. This is incredibly exciting to witness, as I still recall going to my first hacker event in Tel Aviv back in 1999 and being the only young lady in a set of 200 guys and one woman (who was the lead organizer).

Now I see more and more women, more people from all walks of life, genders, backgrounds, ages, finding their place and their voice in this community. One metric of this change, and one way we can do even better, is by featuring and curating content from more diverse speakers at conferences.

Another aspect is for the HR departments and managements of organizations to find ways to create onramps, entry level programs and skill building initiatives – not just to get more women into the community and industry, but generally to create multiple pathways for more people to join our forces.

ISACA Now: What concerns you most about how cybercriminals can impact the world of politics?
While in 2018 it’s no surprise to anyone that criminals and certain nation-states have been using cyber-based capabilities and technology to influence and manipulate the geopolitical landscape, there is little being done to prevent this from happening again. This is a global, cross-border problem with very few organizations that can work together to prevent it.

Should it be dealt with by INTERPOL? Or the FBI? Perhaps NATO? I don’t have the answers to that. This is not just a US issue, as it’s not affecting just the US elections (we have seen such attempts, for example, during the 2017 French presidential elections, across Latin America, and elsewhere). In 2018, it should come as no surprise that politicians who want to influence the world and have talented hackers in their country would try to harness them to use that power to shape the world to their liking. We shouldn’t be so shocked to know that; it’s a reality. What’s more urgent, in my opinion, is how to work together between nations and borders to protect democracy.

ISACA Now: Data privacy has emerged as a major issue not only in the EU, but worldwide. What aspects of data privacy do you expect will be most challenging for security practitioners as the number of connected devices in use continues to explode?
As we connect more elements of our lives and make them smarter, we also are allowing data collection about individuals to occur in a scope never before made possible. I believe we must reconsider our notions of secrets, of personal privacy and corporate transparency, and the way technology and big data fuels the next wave of innovation.

That means our future may be defined not just by our efforts to balance technology’s benefits against the risks it brings with it, but also by how we evolve our notions of privacy and digital access to information. I think we must ask ourselves: Is privacy a basic human right? Perhaps in the “information age,” we should consider privacy a privilege one must work hard to maintain.

Category: Security
Published: 7/18/2018 3:08 PM


IBM FlashSystem 9100 Multi-Cloud Solutions Deliver Cloud-Ready Software


IBM FlashSystem 9100 Multi-Cloud solutions deliver cloud-ready software with validated blueprints for data protection, data reuse, and BC. The solutions extend the capabilities of this NVMe-enabled storage system to help clients on their cloud transformation journey. They bring new efficiencies to the multicloud environment by modernizing data protection, enabling data reuse for development, testing, and […]


Storbyte: Active On-Line HDD Storage System With 4U 96-Drives SBJ Series


Storbyte introduced its SBJ series of hardware-defined storage solutions that offer a 100% zero power, near-line/archive, tape on a shelf alternative, offering organizations a purpose-built solution delivering a verifiable data validation and protection plan capability that tape cannot provide. The SBJ 4:96 is a system that manages 100% zero power to an individual drive, individual […]