Cloud Security Alliance EMEA preconference seminar

The Cloud Security Alliance held its 2013 Congress here in Edinburgh – and I had the privilege of attending the pre-conference symposium on 24 September which focussed on the specific risks that exist within the public and private sectors in the UK. The event aimed to integrate activities and to outline the opportunities and risks that exist within Cloud infrastructures.

This is a quick and dirty blog post that summarises my notes, so bear with me. These are my notes – and may reflect my misunderstanding of what the speaker was saying. If something sounds wrong, it’ll be my mistake.

I’ll just run through the speakers in turn. If I’ve got anything wrong – please tell me and I’ll make the fixes! Or post a comment…

Cloud: the future, risks and training

First up was Bill Buchanan (@billatnapier), Professor of Computing at Edinburgh Napier University.

Bill introduced the day by talking about the evolution of the cloud from standalone technology, and the new security issues it raises. He praised the strength of the IS sector in Scotland.

He sees issues arising from the emerging ecology of mobile, cloud, personal cloud, identity provision devices and services – and the big data resources that these create. Companies have to be aware of the risks involved – and how they would be managed and balanced against requirements: new cloud-based risks include exposure to international criminals and also hacktivism (for controversial companies).

However, security training is still weak – as often is engagement from industry and law enforcement bodies, often due to lack of access to resources. This is why Edinburgh Napier University is looking at creating a community cloud which can allow sharing of application licenses for training in cloud security – and which would also allow remote training. Funding for Edinburgh Napier to provide this is coming – more announcements soon.

During questions, discussion turned onto ethics: to Bill, part of developing the students is to change attitudes from the idea of being a “hacker”, to an awareness of the need to work within clear boundaries.

Security: are we in the cloud

DI Eamonn Keane of Police Scotland explained that the police are working in the context of difficulties obtaining evidence to support criminal prosecutions – for blackmail or robbery. Two recent great examples of the need for this are the Santander and Barclays cyber-raids.

It’s important to be clear about the distinction between cybercrime – crime focussed on the technology, ie manipulating equipment or systems – and cyber-enabled crimes, which use technology to assist what have always been crimes such as robbery and blackmail – and child abuse. In an environment of shrinking budgets, there’s competition for resource with colleagues dealing with ongoing conventional law and order issues – such as street crime.

A big challenge for policing is organised crime – this is no longer (just) local drug dealers but international fraud or attacks. Cloud is relevant here: Cybercrime as a Service is starting to emerge. There is also still a feeling that the police are playing catch-up with the new generation of digital natives (a “lost generation”) in teaching them the values that help them navigate the online world safely and lawfully.

On the other hand, from the point of view of the police, it is not all bad: Facebook can provide key information to help investigations. And (importantly) big companies are now starting to work with the police.

Police Scotland is working with Edinburgh Napier University and other bodies to encourage employability and soft skills – eg running Cyber Security Challenge in Scotland; apart from anything else, this helps promote Scotland PLC.

Cloud security and privacy

Alan Jewsbury focussed on the areas that had not yet been covered. He started by discussing the implications of the trust of third parties that’s inherent in Cloud services – these networks of interactions create new areas of uncertainty and risk.

One (probably the most sensible?) business response is to operate in an “assumed state of compromise” – the question is then, how is this managed and the risks contained. Both technical and business processes have to be considered.

A key stat: Half of organisations with externally hosted services believe these are critical – and still need to be controlled. But instead of having direct access to the system, management now has to be through a contract – which means businesses don’t have direct management of the controls over their key information assets and have to resort to legal/administrative processes.

Clearly, information security can’t be an excuse to block or stop development but at the same time, risk management is needed and should cover the four areas of commercial risks, information security risks, governance risks and (this is new) risks from the transition of data to/from the home network.

This often implies a blurred line and loss of control. There is a lot of unstructured, uncontrolled (and shared) data out there in an organisation – never mind in the cloud. How to manage uncontrolled cloud sprawl? How to manage the legal issues?

A different approach to assurance is needed – and it needs to work for SMEs as well as the corporates. (I guess more risk-based).

Update 7 October:

Cloud security – exploring the risks associated with use of the Cloud

David Stubley (@DavidStubley) is CEO of 7Elements and part of the Scottish Government’s council of advisors. To him, the key risks to cloud include, amongst others:

  • Availability (can you connect, are you at risk of DoS/blackmail)
  • (who does but shouldn’t have) access (eg to maliciously create chargeable activity)
  • Location, jurisdiction and legal issues (Interesting aside: do Americans appreciate the legal implications of transferring data from EU to the USA?)
  • Ensuring destruction of old data.

As an example of the issues that can arise, David discussed a model of a private cloud service that automatically scales up to use Amazon EC2. Although easy to write, this sort of application doesn’t take into account risks with data or app being served – such as confidentiality or EU Data Protection/Safe Harbor issues.
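To make the point about the auto-scaling model concrete, here is an added example (my own code, not from David’s talk or from 7Elements) of the check such a burst scheduler is missing: a placement gate that refuses to move a workload onto a public-cloud region unless the data classification, the region’s jurisdiction and encryption at rest are compatible. The classifications, region names and policy table are assumptions constructed for the example.

```python
# Added example (not from the talk): a data-classification gate for bursting
# private-cloud workloads into public-cloud regions. Classifications, regions
# and the POLICY table are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Workload:
    name: str
    classification: str      # one of the keys of POLICY
    encrypted_at_rest: bool  # data store encrypted with keys the business controls


@dataclass(frozen=True)
class Region:
    name: str
    provider: str
    jurisdiction: str        # "on_prem", "EU" or "US" in this example


# Assumed policy: the jurisdictions allowed to hold each data classification.
# EU personal data stays in the EU (or on premises); "internal" data is kept
# out of third-country jurisdictions as well.
POLICY: Dict[str, Set[str]] = {
    "public": {"on_prem", "EU", "US"},
    "internal": {"on_prem", "EU"},
    "eu_personal_data": {"on_prem", "EU"},
}


class PlacementDenied(Exception):
    """No candidate region may host the workload under POLICY."""


def placement_problems(w: Workload, r: Region) -> List[str]:
    """Return the policy violations of placing workload w in region r (empty if allowed)."""
    problems: List[str] = []
    allowed = POLICY.get(w.classification)
    if allowed is None:
        problems.append(f"unknown classification {w.classification!r}")
    elif r.jurisdiction not in allowed:
        problems.append(f"{w.classification} may not be held in {r.jurisdiction}")
    # Leaving the private cloud with non-public data requires encryption at rest,
    # so the provider's own scanning or a legal demand exposes only ciphertext.
    if r.jurisdiction != "on_prem" and w.classification != "public" and not w.encrypted_at_rest:
        problems.append("non-public data must be encrypted at rest before leaving the private cloud")
    return problems


def choose_region(w: Workload, candidates: List[Region], at_capacity: Set[str]) -> Region:
    """Pick the first candidate (in preference order) that has capacity and passes policy."""
    for r in candidates:
        if r.name in at_capacity:
            continue
        if not placement_problems(w, r):
            return r
    raise PlacementDenied(f"no acceptable region for {w.name}")


# Constructed topology: a private data centre first, then two EC2 regions.
PRIVATE = Region("dc-edinburgh", "private", "on_prem")
EC2_EU = Region("eu-west-1", "aws", "EU")
EC2_US = Region("us-east-1", "aws", "US")
CANDIDATES = [PRIVATE, EC2_EU, EC2_US]

# Constructed workloads: one public, one personal-data workload that is
# encrypted at rest, and one that is not.
SAMPLE_WORKLOADS = [
    Workload("marketing-site", "public", encrypted_at_rest=False),
    Workload("crm-eu", "eu_personal_data", encrypted_at_rest=True),
    Workload("hr-records", "eu_personal_data", encrypted_at_rest=False),
]


def burst_plan(workloads: List[Workload], at_capacity: Set[str]) -> Dict[str, str]:
    """Map each workload to a region name, or to a DENIED reason when policy blocks the burst."""
    plan: Dict[str, str] = {}
    for w in workloads:
        try:
            plan[w.name] = choose_region(w, CANDIDATES, at_capacity).name
        except PlacementDenied as exc:
            plan[w.name] = f"DENIED: {exc}"
    return plan


if __name__ == "__main__":
    # The private cloud is full, so a naive autoscaler would push everything to EC2.
    for name, where in burst_plan(SAMPLE_WORKLOADS, at_capacity={"dc-edinburgh"}).items():
        print(f"{name}: {where}")
```

With the private data centre at capacity, the public site and the encrypted CRM burst to the EU region, while the unencrypted HR records are refused rather than silently scaled out; the same gate lets everything stay on premises when there is room.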

Another good example of the sorts of issues that cloud services raise: Dropbox has very recently been demonstrated to be scanning all uploaded Word documents; this is only for producing document thumbnails they say, but the implications are obvious. It is possible to encrypt files (eg using BoxCryptor) but businesses should also be aware of implications from filenaming convention. (This is similar to Gmail reading by Google for advertising purposes – Google bans encrypted content from its free services).

For me, the highlight of the talk was David demonstrating the result of a scan of GitHub for private keys (they found 216000!) – and then using them (potentially) to access AWS servers: malicious exploitations could range from bring up/tear down scripts to create huge fees for the target to (worse). GitHub could also be exploited by backdooring the development code through unauthorised submissions.
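The defensive counterpart of that GitHub scan is to catch key material before it is ever pushed. As an added example (my own code, not David’s or 7Elements’), the following pre-commit style scanner runs over a few constructed file contents: the patterns for AWS access key IDs and PEM private-key headers follow the publicly documented formats, the secret-key heuristic and the sample files are my assumptions, and the credential values are the placeholders AWS uses in its own documentation, not real keys.

```python
# Added example (mine, not the talk's or 7Elements' code): a pre-commit style
# scanner that refuses staged content containing key material. Sample files are
# constructed; the AWS credential values are AWS's documentation placeholders.
import re
import sys
from typing import Dict, List, Tuple

# AWS access key IDs are "AKIA" plus 16 upper-case alphanumerics, and PEM private
# keys start with a fixed header: both are documented formats. The secret-key
# rule is an assumption: a 40-character token assigned to a tell-tale name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"
    ),
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
}

Finding = Tuple[str, int, str]  # (path, line number, rule name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per (line, rule) hit in a single file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, as a hook would scan the staged files."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed "staged files". The credential values are the placeholders AWS uses
# in its own documentation and are not valid; the PEM body is truncated nonsense.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructed\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Read AWS_ACCESS_KEY_ID from the environment; never commit it.\n",
}


def main(files: Dict[str, str]) -> int:
    """Exit status for a hook: 1 blocks the commit when anything is found, 0 lets it through."""
    findings = scan_files(files)
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: {rule}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(SAMPLE_FILES))
```

Run against the constructed files it reports the key ID and secret in the settings module and the PEM header in the deploy directory, while the README (which only names the variable) passes; wired into a pre-commit hook, a non-zero exit is what stops the key from reaching a public repository in the first place.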

Update 4 October: David Stubley has blogged on the contents of his talk on the 7Elements site here

Insider threat detection authentication and other novel applications of computer usage data

John Howie (@JFCHowie), COO of CSA and visiting professor at Edinburgh Napier University’s IIDI, spoke in his role as an academic and researcher at University of Arizona.

He started by talking about the fallout from Snowden’s NSA leaks. From the NSA’s corporate perspective, Snowden was a security-cleared consultant working as a contractor for Booz Allen, an outsourcing company. He was given sysadmin rights and broke the trust placed in him. Similarly, Bradley/Chelsea Manning had misused access to diplomatic cables as a result of the post-2011 Total Information Awareness decision and the removal of controls over access to data.

I would argue that leaks and whistleblowers are inevitable (eventually) in organisations that operate in an ethics- and compliance-free environment (both leaks were motivated by a desire to highlight illegal activity). But this wasn’t the point John was trying to make. John sees whistleblowers in terms of “insider threats” not ethical or governance failures. But back to the plot:

Anyway, some stats: two thirds of security failures are due to insiders, around half of the failures are accidental – but half are malicious – and it takes an average of 416 days to find the breach (2010, US Secret Service).

So what to do to find these malicious insiders (in a US context at least)? Polygraph is not the answer – people can be trained to fool it – and it’s fooled by stimulants like caffeine! Tech solutions like log analysis don’t work either, except for post-hoc forensics investigation into what went wrong.

Polygraph tests are very expensive (4 hours long) so in effect used once only: once you’re employed. Background checks are generally not repeated, even at risk points (such as promotion).

Howie’s answer: the ADMIT project which monitors a user’s mousing behaviour while answering an online quiz – which gives companies benefits in reduced costs and risks from employees.

A possibly more interesting extension of the idea is as a continuous authentication tool: a user’s interaction with a computer can uniquely identify them – detection takes about 1 week before the level of certainty is high enough. The tool can also pick up deviations from normal behaviour, though John admitted it is difficult to distinguish stealing data from coming out of a bad meeting. There are medical opportunities too: for instance, it is possible to pick up the early stages of motor neurone disease or diabetic insulin shock.

In questions, John confirmed that this technology is seen as similar to polygraphs, so raising no new ethical questions. I’m not so sure.

IPv6 security in the cloud

Neil Anderson of Farrpoint (@NeilTAnderson) talked about a long-brewing issue (it’s up there with climate change). Although most operating systems are now IPv6 aware, the internet is still (after almost 20 years!) in the early days of the migration, with individual nodes moving to IPv6 based on their business requirements. At some point though, IPv4 will cease to be the default, and cloud infrastructures need to be prepared for this.

Growth of IPv6 in the UK is very low – especially in comparison to Germany, France and the USA. This is down to lack of (UK) government support and low interest by service providers. The result is it’s difficult to get native IPv6 connectivity – even for large consumers like the Scottish Government which has been trying to procure an IPv6-based WAN. Instead of moving to IPv6, ISPs are moving to carrier grade NAT which allows thousands of users to share a single IPv4 address – unfortunately it can appear like a DoS attack to the serving

Cloud providers such as Amazon don’t support IPv6 either. People are nervous because the internet is now business critical and vendors are afraid of failure.

Security toolsets are now being developed for IPv6, which has support for IPSec and related security standards. Meantime, IPv4 tunnelling has (security) performance impact as data needs to be inspected twice.

There is one positive IPv6 cloud-related story: it’s possible to use virtual networks to test management of IPv6 configurations.

Confession: if I skipped over some of the more technical points Neil was making, put that down to my ignorance of TCP/IP.

Update 26 September: Farrpoint have now posted their own version of this here.

PDF of the presentation: Neil Anderson – IPv6 Enabled Clouds – Security Considerations and Opportunities

Looking beyond the silver lining: a pragmatic look at cloud security

The final talk was by Rafe Pilling of Dell SecureWorks. I had run out of typing mojo by this time, but some points:

  • One impact of the integration of cloud services is the disappearance of the network perimeter: As organisations outsource the ownership and operation of hardware and software stacks they need to place primary focus on securing and protecting their data. Moving from a hard shell / soft centre (Armadillo) model to a soft shell / hard centre model (Avocados).
  • Consider the Cloud a less than benign place and think about how your data is and should be protected. That is, cloud adoption places even greater emphasis on risk assessment, auditing, secure development and security testing to allow organisations to gain assurance that their data is safe.
  • Incident response and digital forensics can be significantly more challenging with Cloud providers in the mix and this should be thought out and explored before an incident arises
  • Bad guys use Cloud as much as enterprises. Cloud provides a whole range of opportunities from Cyber-crime business models to Cyber-espionage and Intellectual Property theft.
  • By compromising corporate email accounts bad guys can gain access to a range of Cloud SaaS offerings using password resets. Light touch on the victim organisation’s infrastructure means there is a very limited opportunity to detect this before it is too late.
  • Bad guys use SaaS models for exploit hosting and delivery, malware distribution, web traffic delivery, botnets, spam distribution and DDoS attacks
  • Prevention means focusing on the vulnerabilities and exposures in how the enterprise uses cloud services. Being aware of blind spots and taking steps to collaborate with cloud providers to ensure security is addressed at all layers of the stack.

Rafe pointed out that Amazon sets a good example for security testing of cloud services: it allows use of most tools other than DoS or other resource exhausting tests. It just needs a simple form to be completed in advance.

PDF of presentation: Rafe Pilling – Clouds beyond silver lining

This section was updated with content from Rafe on 4 October.

Reflections

Every talk had something new or challenging for me to consider. I came away from the seminar with two major thoughts:

First: there is clearly a need for a whole new set of ways of thinking about the risks that confront organisations in the transition to and from the cloud. Everyone has their own framework… students will need to be able to navigate the language and concepts involved.

Second: the importance of ethics – not just for individuals (students transforming into responsible professionals) but at the corporate level – creating an organisation with a secure environment implies that the stakeholders have to share common positive (ethical) values.

I hope the main congress is as interesting. I wish I had the free time to attend!

Update 4 October: The related IIDI news item has some further links.


ECI4all system: Replacement of OCS announced – but who are they?

ECI Campaign

You may be aware that the European Commission has been supporting the development of an online collection system for online signatures for the European Citizens Initiative – it’s called OCS and hosted on the JoinUp platform. Now, the OCS has a number of issues which have been documented recently by the ECI campaign here.

It seems a new kid is on the block: a group/person called ‘ECI4All’ has announced that they/he/she are “working on a product which aims to be a replacement for the current Online Collection System for ECI”.

I’ve had a quick look at it and, well, there are some concerns…

But let me start by saying I like the idea of re-implementing the code in PHP, and the use of SourceForge to host the project is fine – though JoinUp and the EUPL would have maybe been a more politically sensitive approach.

First issue: I’m not an expert on GPL3 – but it can be quite restrictive in terms of reusing the code. For instance, you’d not be allowed to change any of it to EUPL even after adjusting it. (In fact I’ve come round to the opinion that a BSD/MIT type licence is the best option because it’s legally so much more simple, but that’s another story.)

Come out, whoever you may be

A more serious issue is the anonymity of the developers. In my experience it is not normal for serious open source projects to be so secretive about the participants.

The author(s) of the ECI4All code seem to go out of their way to maintain anonymity, which is a concern when you’re developing an application which in the end is capturing and verifying a mass of personal contact details.

There is a slight clue in the committed code – some of the files are created by another SF user ‘allura’. Allura’s claimed name is Krishna and ‘he’ has been registered since 2004. But there’s not much to be found out about ‘him’ on SF – the two projects linked to the username seem to be dead or dormant.

Other clues: the Twitter account looks legitimate, if new (first tweet 15 January), and it claims to be based in Luxembourg. A comment on the blog was signed by someone called ‘Klaus’ (with no profile).

So – I am a little suspicious! Frankly, it should not be so difficult to work out who we’re dealing with here. What’s the business model or motivation for all this work?

This puts potential users of a system using the ECI4all code in the position of having to review the code very carefully for any backdoors before having the system go live[*]. Potentially, once the code has been reviewed, it would then be logical to fork it – ie making another GPL3 project which starts from the ECI4all code but retaining transparent control over further development.

A much better solution would be for ECI4all to come out from behind the wall of anonymity and join the active online ECI community!


Peter Cruickshank:

Great blog by Heather Burns on the implications of the low level of digital engagement we found amongst Community Councils in Scotland in our recent study.

Originally posted on Blog @ Idea15 Web Design:

This summer the Edinburgh-based researcher Peter Cruickshank, assisted by volunteer intern Bruce Ryan, carried out the first-ever study of online presence and engagement amongst Scotland’s 1370 Community Councils. Their work has now been completed and published to the world.


The resistible rise of Facebook

On a completely different subject: it’s interesting to compare the almost complete dominance of Facebook now with the situation as I found it a couple of years ago.

From the Next Web, 10 June 2012:

Facebook is eating the world, except for China and Russia:

Facebook now rules every country that aligns itself with the USA, and a few that don’t. Even Orkut has been knocked off its perch in Brazil.

For comparison, this is what Europe looked like only 5 years ago:

Popular SNS Sites – June 2007


What are community councils doing online in Scotland

Over the summer, I have been working with a volunteer intern Bruce Ryan (@mycelliumme). Bruce has been carrying out a survey of the public internet presences of community councils across Scotland. We’re getting to the data analysis and report drafting stage, so now seems a good idea to start sharing our progress.

In 2006, Edinburgh Napier University’s e-Community Council project showed how providing website tools and training could noticeably increase communication between CCs and their communities (Report – PDF). One major hurdle was that Community Councillors often didn’t know how to create and maintain websites. Also websites generally don’t allow two-way conversations between CCs and their constituents.

Social media have since exploded into the public consciousness. Tools such as WordPress and Facebook allow people to interact online, without needing to know anything techie. Such tools are available on smartphones, so online two-way conversations could happen anywhere, any time: you wouldn’t need to go to your local library to find out what your CC is doing and then get involved.

What has made this project particularly interesting is that Bruce was treasurer of St Andrews Community Council in 2004-5, and learnt a bit about how Community Councils (CCs) function, and occasionally malfunction.

Developments in the community council landscape

There have been a few other background developments which make this a topical area for research.

Late in 2011, the Scottish Government set up a short-life working group on CCs. It is now conducting its own research into what CCs do in general and who the councillors are.

In 2012, the Association of Scottish Community Councils folded, and the status of the National Network of Community Councillors in Scotland remains uncertain.

Recently, both Reform Scotland (Report – PDF) and the Jimmy Reid Foundation (Report – PDF) published reports on the state of local government in Scotland. Both recommended that CCs be given increased powers and status to make up for the remoteness of Scottish local authorities (the biggest in Europe) from their citizens.

So, we wanted to update the picture of what CCs are doing online, and whether they’re using social media to have two-way conversations with their constituents.

Results so far

The extent of the problem

So far, we have found that there are potentially around 1400 CCs. However, only around 1100 are active and about two-thirds of them have some kind of online presence. Only half of these (around 300) are actually up to date, by which we mean had updates in May-July 2012.

We have also identified and categorised CCs’ online presences according to type (such as full website) and content (such as whether they have minutes or planning information).

What’s next?

Finding out what’s happening is only the first step. Bruce has been interviewing a small number of Community Councillors to begin to find out why CCs choose certain ways of being online, and why other active CCs don’t do online at all. Of course this is their choice – we do not intend to tell CCs what they should be doing.

We are not working for the Scottish Government but we have been talking with them to make sure that this research will complement and inform theirs, not duplicate it.

We will publish a detailed report later this year, and will also share our conclusions with the Scottish Government’s working group. Above all, we are aiming to produce some research that enables decisions to be based on facts!

Update: Changed initial paragraph to highlight the amount of work Bruce is doing.
