Are You Outsourcing Your Security With a Cloud Application?

You finally decided to use cloud services for your organization? Great! There are definitely many advantages. Your objective was also to outsource the security to the provider? Sorry, not quite. The security of your information will always be your own responsibility. You will still have some shared responsibilities with the cloud provider. True, you will probably manage less technology controls but still many administrative ones.

As with any partnerships, you have the responsibility to perform due diligence on your future business partners. And it is definitely valid for your third-party vendors, including cloud providers. This is only an introduction on the subject when it’s time to discuss a new cloud project.

Company

It should be obvious for many people but do you even know the organization behind the cloud solution? Is it a one-person organization managed from a basement? Is it even a legal entity? Any insurances? Are you able to find a few reviews online? It is beyond the basic security scope but it definitely helps to have a big picture on the situation. It could be the best solution but it is maybe a risk that your organization is not able to accept.

Compliance

It is important to keep in mind that a cloud provider that is compliant is not necessarily secure. However, it will allow you to have a reasonable assurance on its security processes and internal controls. You should mainly look for a SOC 2 Type 2 report, PCI DSS attestation, or ISO 27001 certificate. Be careful to validate that scope includes services currently used with the provider. You should go through all conclusions and confirm that there are no major deficiencies.

For the following security domains, it is possible to validate the cloud provider responsibility with controls within a report. What about your side of the responsibility?

Physical Security

The physical security is mainly related to the data centre where your provider hosts the IT infrastructure used to support the cloud services. For example, the actual physical access to the infrastructure or the environment controls e.g. HVAC, generators, UPS, network connections, etc. 15 years ago, it was not rare to deal with a provider with servers within its offices with a room that somehow could look like a servers’ room. At the end, it was probably more a closet, but different topic. These days, all serious cloud providers will use a well-known data centre to host its infrastructure e.g. Equinix, Cologix, OVH, etc. Or, be itself on a cloud provider such as AWS, Azure, Google, etc.

A well-known external firm should audit all the physical security measures of the data centre. If you are dealing directly with a data centre, you should be able to receive a copy of this report. However, if your cloud provider is the direct client, maybe you will not be allowed to receive a copy… You will have to ask more specific questions to your cloud provider.

Human Resources

Your cloud provider should perform background checks before and during the employment for everyone with a direct or indirect access to the production environment. It is important for an organization to have a clear picture on the past of its employees. This will be the first step to trust them. Employees and consultants should also receive security awareness. This could be an annual training but even better, training in continue according to the job positions. For example, developers should receive training on best security practice in development to avoid most common vulnerabilities. However, you should do the same within your organization, even with employees not related to technology positions. There are many attacks’ vectors initiated by an unaware user that could lead to a security breach.

Access Management

There are so many organizations that manage credentials for cloud solutions as an ad hoc process. Procedures for access management should also include all access modifications to cloud applications. For example, for a cloud marketing application, someone should still be responsible for approving new access before the creation. An access review should occur at least once a year for all accounts on the cloud application. When there is a departure, the organization must confirm that they are no accounts left on cloud applications. For many organizations, previous employees are still able to log in many months later into the cloud application.

You are also responsible for configuring the cloud application with best practices. Many cloud providers will offer the possibility to activate a two-factor authentication (2FA) on the application, for all users or specific roles e.g. administrators. However, the organization must take the decision since this feature is often disabled by default. Many cloud applications targeted for enterprises also offer a single sign-on (SSO) feature, often with SAML.

Business Continuity

All cloud providers will assert they have the best redundancy and implemented backup strategies. They probably have infrastructure distributed within many data centres. Again, you are still responsible for your own data and you unfortunately can’t rely only on the provider. They will do anything to avoid downtime or lose any data. This situation would be difficult on their business. But, in the fine prints, they are often not responsible for any data or financial loss for your business. You also have to account for the situation where the provider could simply shut down their operations. In any cases, you need to prepare and backup data to a different site than your cloud provider. This will probably be a manual export with most cloud applications but better that than lose all data. For more critical applications, you should negotiate or select a provider where it’s easier to perform backup.

Log Management

The cloud providers will surely implement the required logs for the infrastructure. These logs are rarely shared with customers considering the multi-tenant environments. However, you should still have access to basic logs within your administrative interface. For example, you should be able to see the latest connections, users’ changes, configurations’ changes, etc. With some enterprise solutions, it is possible to forward logs to your own server. Even if these logs are available, they are not always monitored since this is your organization responsibility.

Keeper Security and Random Deactivation

Keeper SecurityWe trust cloud services to keep our data secure. But we don’t always think about the impact in the event where the service would have some downtime. Even less in a situation where the provider would decide to disable the service. Well, I had the last situation with one provider, Keeper Security.

Context

All started in June 2017 when I subscribed to a 14-day trial period for the business edition. There is a sale representative who reached out to me toward the end of the trial period. He extended the trial period for 1 year; thus, until June 2018. It was a great offer and did enjoy the service for 11 months. In May 2018, someone from Keeper Security called me and left a message on my voicemail. He said something about the trial period that would expire soon. He was also not so sure why I got that 1-year trial period to start with. He was not able to confirm since the previous sale representative left the company. But he also confirmed that the trial period would expire only in a few weeks and to call him back.

Up to now, everything is good. I was planning to subscribe to the service and obviously to pay for it.

What happens?

Back home, a few hours later, I am ready to purchase a subscription and I login on my account… Then, I receive the error message “This account is expired”! The worst part is that it is not even possible to make a purchase or export the data when the account is not active. I had all my passwords lock in the vault without any warnings for a few hours. It was not even possible to unlock the vault through the browser extensions where I thought my passwords were saved on the local drive. The support team was at least able to quickly reactivate my account for a few days. But it was still a few hours where I thought I had to reset all my passwords.

Finally

As soon as I got access again to my account, I simply exported all my data. And, unfortunately, definitely closed my account with Keeper Security. Even if they have an interesting service, I can’t trust them anymore. This is not a situation directly targeted to this company. However, it did make me think twice about how I use some cloud services. It took me a very long time before trusting a cloud password manager…

I usually have a data export with my most important cloud services but it was not the case with this one. Back to the “old school” way. I have a local software password manager installed on my laptop with my data. KeePassXC, a fork of KeePassX from the well-known KeePass

Your Hosting Provider is PCI DSS Compliant and You?

PCI DSSPCI DSS is probably one of the most misunderstood compliance obligations among IT professionals. It is in fact the Payment Card Industry Data Security Standard (PCI DSS) governed by the PCI Security Standards Council (PCI SSC) founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard and Visa. These organizations are still on the PCI SSC’s executive committee. However, there is also a board of advisors from organizations such as Amazon, Citigroup, Microsoft, PayPal, Square, Starbucks, Wells Fargo, etc.

Who must be compliant to PCI DSS?

All entities who store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). These entities can be merchants, processors, acquirers, etc. There are in total 12 high-level requirements and each one has many controls:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identity and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

A PCI DSS requirement is simply a control in audit terminology where there are testing procedures for each one. There are more than 200 requirements/controls within PCI DSS.

If you have an application where users are able to pay with a credit card, this application must be PCI DSS compliant. Even if you don’t have so many transactions. Even if you just transmit credit card information without even processing any transactions. The required requirements would be different depending on what you are doing with the cardholder data. For example, when cardholder data is only processed and transmitted but not stored by an organization, many controls would not necessarily be applicable.

Hosting Provider and You

Many developers and sysadmins think, hope, that since the hosting provider is PCI DSS compliant, they have offloaded the responsibility to the hosting provider. Unfortunately, it is really far from the truth.

Hosting providers are PCI DSS compliant for specific requirements. The responsibility is often shared between the provider and the client for many controls. Other controls, the client is the solely responsible.

For example, a more traditional provider such as a data centre, could be PCI DSS compliant. But it will be mainly for controls within the requirement 9 related to the physical security of the hosting environment. The goal here is to provide compliance on the environment controls where clients can’t perform themselves an audit.

However, with a cloud provider, it could be a little more complicated. A provider such as AWS would often share a responsibility matrix for each requirement. For example, AWS implement security groups on each virtual server which is like a firewall. However, the client has the responsibility to configure the firewall adequately. This is a shared responsibility. The same for penetration tests. AWS will perform penetration tests on their infrastructure. But the client still has to perform penetration tests on their applications and servers.

In any cases, it is important to remember that compliance such as PCI DSS is not always related to technology but also people and processes. You will always have a responsibility of being compliant for your organization.

Are You Really receiving a Penetration Test Report?

There are more and more organizations interested in a penetration test, or simply a “pentest”, on their infrastructure. However, there is a requirement for specific skills and this expertise is not often available within most organizations. It is also a good idea to have an external opinion, someone who will be impartial and doesn’t know too much about the current configuration. Thus, it is often necessary to hire a security firm to accomplish this task. Unfortunately, there are still many security professionals who are not well qualified to provide this service. It could be intentionally or not. But many clients are easily fooled by consultants, even more when it is a question of IT security mandates. Clients need to be careful and be able to recognize what the report should look like.

Vulnerability Scan != Penetration Test

There are many phases performed during a penetration test. I will describe these phases in more details in an upcoming post. However, it is important to know that there is always an active recognition phase where the professional will use automated tools. For example, Nmap, Nessus, OpenVAS, Nexpose, etc. These tools will allow to scan one or more IP addresses for open ports and well-known vulnerabilities. There are often false positive items in these reports and the professional should validate these findings. For example, a Nessus report and Nmap output. This is an important phase to help the professional to gather information about the target.

The problem is the fact that some security consultant will sell these reports as penetration test. To run vulnerability scans can be a valid service offered by a consultant who will filter findings and rank them according to the exposed risks. However, it cannot be introduced as a penetration test report.

A complete penetration test report will include many other phases. After the previous phase, the security professional will manually look for other vulnerabilities with different methods without the use of automated tools. Finally, the main objective is to retrieve confidential information from the target that someone should not have access and to gain a remote access to the target. To achieve that, the security professional will actually try to exploit vulnerabilities previously found.

Things to look for

Duration

It is not possible to perform a well-done penetration test in only a few hours. Someone told me recently about a consulting firm who consultants will perform two or more penetration test reports during the same day. It is impossible to have great results in these conditions. Obviously, it is often a question of cost. So it is important to validate the duration of a penetration test. It should be in days but always depends also on the scope.

Scope

If there is only one target with no public service running on it, there is not so much someone can do. But probably also worthless to have a penetration test in this context. The line can be thin between a too limited scope where it will not represent what an attacker would have access, and a larger scope where an attacker will lose time on low risk targets. Should it be performed from the Internet or from the internal network? On the other side, if you receive a penetration test report from a third-party vendor, be sure to validate that the included infrastructure and applications are the one that supports the received services.

Expertise

Even a professional with an impressive background in information security is not necessarily the best pentester. I often see job positions related to “ethical hacking” where a certification like the CISSP or even the CISA would be a requirement. No, I don’t have words for that, just, no. If you are really looking for a certification, the best in this field would be the OSCP. But even then, I have it, and I would not recommend myself to perform a penetration test. Why? I did the exam and never practiced anything related to that field afterward. Someone who is passionate about this field and compete at different CTF will be the best one for this task.

Update: CISA Certification and Frequently Asked Questions

CISA logoIn August 2014, I published a post about my experience with the CISA exam and the required experience. Even 3 years later, it is still the most popular post here and not so long ago, I was always seeing more requests after the exam dates. However, it seems that exams are not on specific dates anymore but within 3 specific testing windows throughout the year. I am still surprised by the number of comments I received on this post and I wanted to do an update with some recurrent questions.

Exam Before the Required Experience

It is absolutely possible to pass the exam before having the required experience. I would even recommend it to show your interest toward this field. Your current or future employer will recognize the effort invested in passing the exam. However, you have to keep in mind that you will have to obtain the required work experience and send your certification application within 5 years from the date of the exam. If you really need 5 years of experience and it is not possible to have any waiver, maybe the timeframe is unfortunately too short. But if you only need 2 to 3 years of experience, it is a good plan, in my opinion.

Even if you can’t introduce yourself as being CISA certified, it will definitely be an advantage to mention during an interview that you passed the exam. You will also receive a letter from ISACA with your passing score that you can use as a proof.

Substitutions and Waivers

You will need a minimum of 5 years of work experience in order to obtain the certification. It goes without saying that you need to pass the exam too with a score of 450 or higher. However, it is possible to obtain 1 to 3 years as substitutions and waivers of this experience. In any case, you will always need at least 2 years of work experience related to CISA domains.

  • One year : Any work experience in information technology (IT) or any work related to auditing. For example, financial auditing or compliance work experience such as SOX would be a valid auditing experience.
  • One year : For 60 completed university credit hours which are normally 2 years as a full-time student. The credit hours could be for an undergraduate and/or graduate degree. There is also no mention that you actually need to have obtained the related degree, as long as you have proof that you have completed the courses. It could be from any recognized university, on-site or distant learning.
  • Two years : For 120 completed university credit hours which are normally 4 years as a full-time student.
  • One year : With a master in information security or information technology.
  • One year : With a bachelor or a master degree that enforces the ISACA-sponsored Model Curricula.

Experience

The easiest way to obtain the work experience for the CISA certification is obviously to be an IT auditor. But it is not always possible for everyone and it is definitely not a requirement. It is important to carefully read all the job practice areas including the task and knowledge statements. There are many candidates who are surprised by these statements. The CISA practice areas include many work fields in IT and not only IT audits.

CISA Application

You will have to get the work experience 10 years before the certification application or within 5 years from the date of the exam. You only have to send your application to ISACA when you actually have all required experience. In any case, you absolutely have to submit your application within 5 years from the passing date of the exam.

Financial to IT Audit

If you are already performing financial audit with a CPA designation, it is absolutely possible to do the transition to IT audits. You could simply ask to be more involved with IT controls. You will already have the advantage to have an understanding on how audit works. There are many IT General Controls (ITGC) that don’t require advanced IT knowledge in order to be adequately audited. The Big 4 use an army of interns to audit these IT controls.

Jobs

There are many more jobs related to the CISA than being an IT auditor. Many positions related to IT risk and compliance, even information security. However, there are other certifications if you want to work in information security and a candidate with the CISA would not be my first choice. I would recommend doing a search on a job posting website such as Indeed.

Worldwide Recognition

ISACA and the CISA certification are well recognized worldwide. A quick search on a job posting website and you will probably have many results. Furthermore, there are more than 200 local chapters worldwide.

CPE

When you are officially awarded with the CISA certification, you will then have to complete your continuing professional education (CPE) credits. The ISACA membership is not a requirement. However, I would recommend it to have access to many free resources in order to obtain your CPE credits.

ISACA Website

All information provided here could change anytime and the reference must always be the ISACA website. The page “How to Become CISA Certified” is mainly the reference about common questions related to the CISA certification. If you are unsure about your experience and possible waivers, I would recommend validating directly with ISACA and/or your local chapters. Each application is different and they are the only one able to validate your application.