
Security Blog

Password to follow…

Sending the password in a separate email is something that everyone has either done or had done to them. As though sending TWO clear-text messages to the same network and account, or worse yet from the same network and account, is somehow better than putting both in one email. What is the basic thought process here? If someone is running a man-in-the-middle on the path, a second email does not help unless the two are generously spaced out, and even then there is no guarantee. If someone has access to the mailbox, the Sent Items folder is just as feature-rich a target as the Inbox, and depending on whose mailbox it is, more so. Take an administrator who handles password resets: that Sent Items folder can hold numerous valid and active account credentials. The test is simple: if an attacker who can read the first message can read the second just as easily, the split bought nothing. So what is the benefit? In short, it is a visual crutch of safety. Like TSA checkpoint rules written in reaction to the last incident, it does little to avert the underlying risk. A truly out-of-band channel should be used instead. The options here are many, but the preferable ones are a wholly separate email infrastructure, SMS, or an escrowed encryption solution.

Digital Collateral Damages

One recent day a discussion that began with remote car starters, and quickly moved on to smartphone insecurity and theft, unearthed a phrase heard frequently in response to security suggestions: “I don’t care if they steal my phone and read my email, I have nothing to hide.” Not caring is one thing, but thinking there is nothing worth stealing inside that phone is another. The typical smartphone is not PIN protected. The unlock instructions are clear and concise, and the lock is meant to prevent accidental pocket dials rather than to protect privacy. This means that every SMS message and personal photo is available for viewing. Calendar entries may state when the owner, or others, are on vacation. Contact information, often including home addresses, is trivial to extract as well. If the theft of the phone is any indication, a thief holding an address and knowing the house is empty should be a big concern. This raises an interesting point about personal responsibility for disclosure, an ethical discussion for another day. But what about that email? As this particular conversation unfolded, the recent Twitter hack came up: the password reset function was exploited by re-registering an old, unused email address and having the freshly reset password sent to it. The gears were starting to turn when the question of which email account is registered with your bank was posed. Yes, that is right: the security of your banking rests on the “slide to open” bar on that iPhone, because whoever controls that mailbox controls the password reset. Seeing the collateral impact of an event is not always easy. The ripple effect is always in play, which is why exercising even moderate best practices throughout the day can make a significant difference when it counts. Security is only as good as its weakest link. As our digital existence expands and blends together, more time needs to be spent on awareness. Far too many people do not understand the risks they face, and until they do, they will never properly protect themselves.

State Privacy Laws

Massachusetts recently issued 201 CMR 17.00, titled “Standards for the Protection of Personal Information of Residents of the Commonwealth”. This important regulation, set to take effect in January 2010, is a big step for state and local compliance law. Most state laws today are reactive: they require disclosure in the event of a breach but rarely mandate active or proactive protections. 201 CMR 17 is different in that it requires a written information security program and specific safeguards, including encryption of personal information sent over public networks or stored on laptops and other portable devices. It is interesting to watch these state laws develop. Despite the fact that the PCI DSS has already laid out most of the groundwork, the states are still reinventing the wheel. If a state simply replaced credit card numbers with Social Security numbers and other PII, the framework would largely be there; at that point it is a matter of choosing compliance dates and managing the fallout (not necessarily a trivial task). While 201 CMR 17 may be the first, it will certainly not be the last. We have been advising clients for some time now to think about compliance several years out when building infrastructure and architecting new solutions. If your state does not mandate it today, it will mandate it tomorrow, and being one step ahead makes for a significantly reduced compliance effort.

PCI DSS Section 6.6 Compliance

As of June 30, 2008 the PCI Security Standards Council made compliance with Requirement 6.6 of the DSS mandatory. The requirement gives two options for public-facing web applications: have the application code reviewed for vulnerabilities (manually or with automated tools, by qualified internal staff or a third party) or put a web application firewall in front of it. The significance of these two options is that for many companies compliance can be extremely difficult and cost prohibitive. Code review, while thorough, may prove difficult if the application is old and undocumented. Bringing in a third party to conduct a review of this nature is time consuming and may still result in overlooked issues. Performed properly, it is an excellent road to choose, but it will require resources, time, and money. The alternative is to leverage the network-level protections of a web application firewall, or WAF. This technology sits in front of a web application and buffers it from attack. The cost and steep learning curve, however, can deter a small IT staff that does not have the time to dedicate to setup and maintenance. With SaaS becoming increasingly common this no longer has to be the case. CT Infosec has designed and built a cloud-based web application firewall offering that gives companies the protection of an on-site WAF without the burdens of such a deployment. Keeping this layer in the cloud has several advantages: 24/7 monitoring, reduced maintenance, lower bandwidth costs, and the expertise of full-time infosec staff. A properly deployed WAF also protects code that developers have not yet had reviewed before deployment. One caveat applies either way: a WAF blocks only what it is tuned to recognize, so it is a compensating control and not a substitute for eventually fixing the code behind it. Cloud computing is an excellent answer for today’s growing networks, and the WAF SaaS model fits today’s web and PCI compliance needs well. Companies looking for quick, dependable, and low-maintenance solutions should pay close attention to these offerings.

Cloud Computing Risks

The number of articles on cloud computing security risks is growing daily, and the recent Twitter compromise added fuel to the arguments against this shift in the industry. But is cloud computing any different from traditional architectures in terms of risk exposure? First, let’s define cloud computing as a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. There are several flavors of this offering, two of the fastest growing being Software as a Service (SaaS) and Infrastructure as a Service (IaaS). Take away the dynamic scalability and neither is new. Spam filtering (SaaS) has been accepted as a commoditized activity for some time now and is almost always done in the cloud today. Admins are comfortable with this decision even though email carries some of the most sensitive data an organization sends. IaaS has been the mainstay of hosting companies, co-los, and third-party data centers for decades. So how is today different? Admins are placing more reliance on these services and, in turn, giving up some control. Recently VMware announced a cloud operating system, AWS has been engulfing web hosting for some time, and Google is putting the pieces in place to host PCs entirely in the cloud. In the short term it will be difficult for an admin to review settings and verify compliance and internal policy against an entity in the cloud. This will shift as demand for these products grows and they mature. It is important to keep in mind that the premise of cloud computing is not flawed. With a thoroughly vetted vendor, a cloud solution is often more efficient, cost effective, and reliable than a traditional deployment. The right questions need to be asked, relative to your environment and risk threshold: how is my data protected from other customers? Who has access to it? Where does it live, and who holds the logs? What does the architecture look like? Discussions that would have been held internally now have to be held with the hosting provider. Administrators should start now to understand the risks cloud computing poses to their environment and what they can do to minimize them, while also looking for ways to leverage the benefits of SaaS and IaaS. In the long term this is a trend that is here to stay, and one we can all benefit from.