Cloud Hosting

Following the UK Cyber Security Councils Ethnic Minorities in Cyber Symposium and wider consultation with our members, the Council has been able to gather valuable insight into the key inhibitors to diversity in the industry and create what we have called the Diversity Process Flow.

Process flows are used across cyber to establish processes, predict outcomes and prepare against undesirable situations. By applying this same logic to diversity, we can analyse existing industry processes, from recruitment to talent retention, predict how these will impact diversity and prepare updated ways of working to break down barriers to diversity in the field.

As the cyber skills gap widens and we see increased demand for cyber expertise, it is the Councils mission to raise awareness of obstacles to entry in cyber and highlight key actions to address them.

Arguably, the first step of the Diversity Process Flow is to acknowledge the need for improvement. In a survey by the NCSC, 25% of respondents said they had experienced a career barrier related to diversity and inclusion, and the same research found only 15% of its respondents were from ethnically diverse backgrounds.

If cyber is to adequately support the UK governments goal to make the UK the safest place in the world to live and work online, fostering a culture of diversity within the industry to attract and retain diverse talent is paramount, and the Councils Diversity Process Flow is one step to achieving this.

As discussed at our Ethnic Minorities in Cyber Symposium, the technical language deployed in cyber is inherently complex and yet we choose to make life even more challenging through the use of inconsistent jargon and terminology with multiple interpretations, all woven together with a self-asserting if you know, you know mentality.

With this outlook, how can we expect those who are new to cyber to enter the industry on the ground level?

In a role where communication is vital, we need to make it as easy as possible for people to express themselves and understand each other. And the junkyard of jargon which litters the cyber industry isnt conducive to accessibility.

Without a clear and consistent approach to language across technical terminology, job titles and role requirements, we create a barrier.

Having identified this inhibitor to diversity, the Council has created useful documents such as the cyber security glossary and refers consistently to the 16 specialisms within cyber, but this isnt yet adopted industry-wide. Cyber as a whole needs to take stock of its use of language so we can clearly communicate the roles available in our field and the vital parts they play in the protection of our lives online.

Standardisation of qualifications in cyber is an ongoing challenge and one which the Council is beginning to address through the setting of industry standards and awarding of professional titles for those working in the sector.

However, with so many qualifications, certifications and accreditations out there in cyber, knowing which skills you need and at what level you need to operate to apply for a role in the industry can become something of a minefield.

Consider this landscape from the perspective of individuals studying in the UK from overseas. Add in five-year visa applications for a three-year course, security clearance challenges, extended wait times for recruitment and the UK residency required for many government roles. Is it really any wonder that cyber is failing to attract diverse talent?

An element towards addressing this labyrinth of qualifications is the Councils work on the standardisation of professional titles which will make entry into and progression through the industry much more streamlined. A universally acknowledged set of professional titles will also help simplify recruitment processes, as well as ensuring that individuals can access roles in which they will flourish and businesses can access individuals with the skills to adequately protect their organisation.

On top of this, the Councils career route map offers a valuable resource for those looking to navigate a career path in cyber. It's a flexible road map that individual practitioners - current or future - can use to plan out a possible career.

More widespread use of resources like this in schools, colleges and universities will help cyber to attract more diverse talent as it falls in line with professions such as medicine, law or accountancy, where careers are mapped out and progression routes are clear in a trusted industry.

So the saying goes, you cant be what you cant see.

If we are to encourage more people from ethnic minorities into our industry, we must champion those who are already a part of it. Something as simple as ensuring interview panels are diverse and inclusive can make a huge difference to attracting diverse talent.

Further to this, highlighting a variety of roles and showcasing multiple role models is advantageous in communicating the breadth of the cyber industry and the opportunities it offers.

Looking beyond roles such as penetration testing and ethical hacking will help to break down perceptions that the cyber industry involves only hacking, and will welcome a whole new cohort of potential cyber professionals with new skills which lie outsides of the realms of coding, hacking and troubleshooting.

The cyber security sector needs to take on the responsibility for removing obstacles to entry into cyber for those of all backgrounds and employ an honest Diversity Process Flow.

Areas for improvement need to be acted upon to ensure that anyone with an interest in problem solving, communicating, and computing, is encouraged to pursue a cyber career. And anyone working within other sectors can change career and thrive in cyber security without facing barriers related to diversity and inclusion.

But championing diversity means more than just hiring people from different backgrounds, we need to see diversity at every level, and ensure we retain talent. It should go without saying that the protection of our work and our lives on the Internet of Things (IoT) requires a globally inclusive approach, and it is the mission of the UK Cyber Security Council to help establish this.

Follow this link:
Discovering the Diversity Process Flow in cyber - ComputerWeekly.com

Data security is reinventing itself. As new data security posture management solutions come to market, organizations are increasingly recognizing the opportunity to provide evidence-based security that proves how their data is being protected. But what exactly is data security posture, and how do you manage it?

Data security posture management (DSPM) became mainstream following the publication of Gartner Cool Vendors in Data SecuritySecure and Accelerate Advanced Use Cases. In that report, Gartner1 seems to have kicked off the popular use of the data security posture management term and massive investment in this space by every VC. Since that report, Gartner has identified at least 16 DSPM vendors, including Symmetry Systems.

There certainly is a lot being marketed and published about data security posture management solutions themselves, but we first wanted to dig into what is data security posture?

Symmetry Systems defines data security posture as "...the current status of the capabilities required to protect data from unauthorized access, destruction, and/or alteration. Data security posture is an assessment of an organization's data store or individual data objects:

Data attack surface: A mapping of the data to the identities, vulnerabilities, and other misconfigurations that can be used as entry points to gain access to it.

Data security control effectiveness: An evidence-based assessment of the data security and privacy controls against industry best practices and organizational policy.

Data blast radius: A quantifiable assessment of the data at risk or the maximum potential impact of a security breach of a single identity, data store, vulnerability, or misconfiguration. This includes identifying the types and volumes of data that could be affected, as well as the estimated costs and predicted consequences based on current control effectiveness.

Overall, a robust organizational data security posture involves a comprehensive approach to managing the security of an organization's data, including continuous inventory and classification of data, ongoing assessment and improvement of data security controls, proactive rightsizing of access to data, and a commitment to continuous monitoring and response to unusual usage of data."

To maintain a good data security posture, organizations should do the following:

Inventory your data: A data inventorythat is a comprehensive list of all data stores and the sensitivity of the data within themis an essential first step in determining the current status of capabilities.

Monitor data activity and data flows: An important next step is to ensure you have visibility into activity and the flow of your data, because it improves your ability to detect and respond to any anomalies or indicators of compromise as you improve your data security posture.

Assess data security controls: Once you have this visibility and insight into your data, you can conduct an evidence-based assessment of your data security controls. This should include determining the level of encryption of the data, the validity of hashing and tokenization of data in certain environments, and most importantly the validation of cloud configurations and access controls, including authentication required to access data.

Reduce data attack surface: Organizations should have processes in place to use the results of this analysis to proactively identify and reduce the data attack surface. This should include ensuring multi-factor authentication is required for all identities with access to sensitive data and data stores that contain sensitive data and removing dormant accounts from the environment.

Minimize blast radius: Organizations must constantly assess the volume of data at risk and prioritize pragmatic steps to minimize the potential impact of a security breach of a single identity, data store, vulnerability, or misconfiguration. This should include removing sensitive data from inappropriate environments, identifying, and eliminating misconfigurations, and data minimization by archiving or deleting data or by deleting unused privileges from active accounts.

Symmetry DataGuard is a purpose-built data security posture management platform. Symmetry DataGuard doesn't simply augment existing SaaS platforms with data classification to claim DSPM coverage; instead, it was designed from the ground up to maximize the protection of data. The platform is typically deployed within the customer's cloud environment as a way to ensure that data never leaves the customer's control. This deployment model is well suited for dealing with data, regardless of sensitivity and various compliance regulations.

At its core, the Symmetry DataGuard platform has a deep graph of data objects, identities, and all permissions to and actions that are performed on the data objects. This interconnected graph is used to provide the elements needed for organizations to manage their data security posture. We reviewed the Symmetry Solution to see how it helps organizations address a few key areas.

Once installed and configured, Symmetry DataGuard gathers information from the cloud environments. This is made easier by installing within the customer's cloud environment, but as long as Symmetry DataGuard has appropriate permissions to query the data, it can aggregate information across your cloud environments. To avoid unnecessary data egress fees, Symmetry Systems recommends deploying Symmetry DataGuard in each cloud environment (i.e., AWS, Azure, etc.). Agentless discovery quickly collects information about:

Examples of the environment inventory data collected by Symmetry DataGuard are shown in the image below:

Information obtained here is used to kickstart sampling of the data within the identified datastores. The sampling approach is fully customizable. Symmetry DataGuard provides a robust catalog of prebuilt data identifiers that use a combination of keywords, regex pattern matching, and machine learning-based matching to identify and classify an organization's data within the identified datastores. Symmetry Systems works with their customers to build, customize, and improve the set of identifiers to increase the accuracy of their classification process.

This insight into the classification of data within each data store is added to the deep graph and provides organizations with searchable views and visualizations of their data inventory. Examples of this data inventory are surprisingly beautiful and shown in the image below:

As part of the discovery and ongoing monitoring of the environment, Symmetry DataGuard collects telemetry on all the data activity or data operations being performed on data within your environment. This includes failed and denied attempts. This telemetry is used to deepen the insight provided on who is accessing an organization's data and where that data is flowing to or from as a result.

This information is cross-correlated with the data inventory to help organizations pinpoint external data flows, failed attempts to access sensitive data, and a number of other interesting data-centric threat detection scenarios. An example visualization of these flows is shown below:

Operations are grouped into four high-level classes: creation, read, update, or deletion of data. This helps when prioritizing unusual or high-risk activity against specific data.

Symmetry DataGuard also assesses the data security and identity configurations and can raise alerts when configurations fail to meet defined policies or are changed. These configurations include, but are not limited to, determining whether:

Symmetry DataGuard has out-of-the-box compliance policies that are used to check for compliance with data-centric portions of the Center of Internet Security (CIS) benchmarks and other compliance frameworks. Examples of the compliance dashboard are shown below:

Each compliance check on the compliance dashboard contains information about the configuration that was checked and the remediation steps to address it. We expand one of the compliance checks and get the following detailed result:

With the compliance dashboard, organizations are able to check their data for misconfigurations and compliance with various regulatory frameworks (PCI DSS, SOC 2 etc.). The compliance checks done by Symmetry DataGuard are more precise than other compliance configurations performed at the cloud infrastructure and are crucial for organizations in heavily regulated industries.

A good data security posture reduces the attack surface and blast radius of your organization's data. Achieving and maintaining a good data security posture requires a detailed understanding of the data itself, the identities that can access it, the controls that protect it and monitoring of the operations being performed. A leading platform like Symmetry DataGuard is able to maintain data inventory, monitor operations and activity and check for secure data security configuration and compliance, and thereby provide evidence-based data security.

If you are interested in finding out more about Symmetry Systems and their data security posture management solution, Symmetry DataGuard, You can request a demo at Symmetry-Systems.com.

Found this article interesting? Follow The Hacker News on Twitter and LinkedIn to read more exclusive content.

1Gartner, Cool Vendors in Data Security Secure and Accelerate Advanced Use Cases, by Joerg Fritsch, Andrew Bales, Ravisha Chugh, Brian Lowans, Mark Horvath, 19 April 2022

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Hype Cycle and Cool Vendors are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.

Originally posted here:
The Importance of Managing Your Data Security Posture - The Hacker News

Following the launch of the governments Rural Statement today, the government has also announced the appointment of Simon Fell MP as the UKs first Rural Connectivity Champion.

Taking up the role which was announced as part of the Wireless Infrastructure Strategy earlier this year, Mr Fellwill support rural businesses to access and adopt the digital connectivity they need to encourage commercial investment in 5G and support economic growth.

The Champion will convene rural businesses and the telecoms industry to support adoption of digital connectivity in sectors such as agriculture and develop, in partnership with rural businesses, a clear understanding of what connectivity is needed to drive innovation and growth up and down the country.

Simon Fell MP, Rural Connectivity Champion said:

I am honoured to have been asked to take up the role of Rural Connectivity Champion. Poor connectivity is holding back too many rural communities and businesses, as my own farmers and businesses in Barrow and Furness will attest.

If we hope to unlock growth, and to ensure that our rural communities are sustainable, then the government has got to work hand in glove with local government and the private sector to deliver better connectivity. I look forward to leading that work across government and the country.

As a key proponent for digital connectivity in rural areas, Mr Fell will also support rural communities and businesses in removing local barriers for the deployment of 5G, gigabit broadband and more, while driving local leadership and coordination into the local authorities that make development decisions.

Mr Fell comes to the role with a background in telecoms, and cyber security, representing a largely rural constituency in Cumbria, and is well placed to engage with rural businesses and support them in understanding how adopting new technology can make a real difference to their productivity, and help them continue to innovate.

The new Champion will jointly report to the Secretary of State for Science, Innovation and Technology and Secretary of State for Environment, Food and Rural Affairs.

The announcement of Simon Fell as Rural Connectivity Champion comes as the Government announces a new 7 million fund to test out new ways to bring together satellite, wireless and fixed line internet connectivity, helping support farmers and tourism businesses to access lightning fast, reliable connectivity in remote areas for the first time.

The results of the new approaches will also help rural businesses in trial areas make the most of new agricultural technologies by improving connectivity on their land, for example using newdrone technology to monitor cropsand livestockin real-time,support landscape and wildlife conservation efforts,or develop interactive experiences for tourists.

The new fundcomes alongside the governments commitment earlier this year to deliver improved,high-speed broadband via satellite connectivity for up to 35,000 homes in the most remote parts of the UK through an 8 million grant scheme, giving them a broadband connection that will be up to ten times faster than what is currently available to them.

It also builds on the progress made over the last decade to support connectivity in rural areas. Over 75% of UK premises can now access gigabit-capable broadband, up from 6% at the beginning of 2019, and over 730,000 premises have already been upgraded in hard-to-reach rural areas as part of the governments 5 billion Project Gigabit investment. Today government also confirmed plans to procure all regional contracts in England under Project Gigabit by the end of 2024.

Read the rest here:
First Rural Connectivity Champion announced to help drive growth - GOV.UK

Step-by-step guides (with illustrations) showing how cryptographic key pairs work in five different public key infrastructure (PKI) scenarios.

We know private-public key pairs are used in a multitude of ways (encryption, authentication, digital signatures, etc.) within an IT environment. But the ways theyre used differ dramatically for each use case. This may leave you wondering: how exactly does it all work under the hood?

If youve ever wanted to know the specifics of each use case in how theyre used, heres an overview of the five different use cases.

Lets hash it out.

The short answer? Not always. Yes, in most use cases, a public key is used to encrypt data while its corresponding private key is used to decrypt secrets. However, there are exceptions when it comes to certain processes. Well break all of this down for you in the following sections, taking a look at five very common use cases:

When you visit a secure website using HTTPS, every connection starts with a process called a TLS handshake. This process involves using public key encryption (i.e., asymmetric encryption) to exchange sensitive information before switching to symmetric encryption for the rest of the session.

Why bother switching? Because symmetric encryption requires less computational power than public key encryption does. Even though were talking about minuscule amounts of time (i.e., milliseconds), its more efficient for at-scale data encryption (i.e., for larger organizations with higher web traffic).

To encrypt your websites connections, you need to have an SSL/TLS certificate installed on your server. It also requires the client and server to introduce themselves and exchange essential information to create a secure encrypted session. This back-and-forth process is called the TLS handshake, of which most browsers support two varieties TLS 1.2 (most common) and TLS 1.3.

Heres an overview of how the TLS 1.2 handshake process works:

When it comes to the TLS 1.3 handshake, the process differs somewhat, particularly regarding the key exchange process. The idea is to streamline everything into a single roundtrip.

But the basic concept stays the same: the public-private keypair is used to securely exchange a symmetric key thats used for the actual data encryption.

Lets consider the uses of public-private key pairs in software security. The process for securing code, software, executables, etc. involves the developer or publisher using a code signing certificate to add a digital signature to their software executable. This process uses cryptographic keys and functions (i.e., hashing and encryption) to authenticate the developer/publisher who created the asset and validate that the file or code hasnt been modified since it was signed.

Remember toward the beginning of this article we said that its not always the case that public keys encrypt and private keys decrypt? This is what we were referring to.

But what does this process look like in terms of how and when each key is used?

So, where does the public key come into play? During the software verification process that happens on the client end:

When we talk about document signing, were not talking about signing the electronic form of your handwritten signature. (That can be easily spoofed!) Instead, were referring to stamping your verifiable digital identity to a digital file (Word document, PDF, etc.) so people know its authentic and hasnt been altered.

Fun aside: A digital signature is a type of electronic signature, but not all types of electronic signatures are digital signatures. A little confused? Check out my former colleagues article if you want to learn more about the difference between electronic and digital signatures. Now, back to the main topic at hand

As youve probably now guessed, to digitally sign a document, you must have a document signing certificate. So, whats the role of the public and private key in this affair? Frankly, its similar to what the private key does in the code signing process we described moments ago:

Now, its time to shift gears and move on to signing email communications.

Email signing is a process that enables an email sender to prove that they sent the email and that the message didnt come from an imposter. This process uses an email signing certificate (also called a client authentication certificate), which they install onto their device or import to their email client.

So, what does this email signing process look like, and where does a public-private key pair fit into the equation?

Once the message is received:

To learn more about certificate-signed emails, check out our Hashed Out article that will walk you through how to import and use an S/MIME certificate in Outlook.

Email encryption is the process of randomly scrambling the contents of the email (words, images/graphics, attachments, etc.) to transform it into an unreadable form before the user hits the send button. However, what it doesnt encrypt is the email header information.

Encrypting an email is akin to sealing secret, coded messages inside a secure cargo container; this way, its safe from being viewed in transit or while sitting at the arrival location (while sitting on the email server). This is why its sometimes called end-to-end encryption because its protected from one endpoint to the other.

So, whats this process look like in terms of how the public-private key pair is used? Its time to shake things up a bit. (NOTE: Both the email recipient and sender must have an email signing certificate installed on their devices.)

Image caption: An illustration that demonstrates how email encryption works and how the public and private keys are used within that process.

Want to learn more about how to send encrypted emails? Weve got you covered in this article that walks you through the process on three major email platforms.

Although you dont need to know the intricacies of how public-private key pairs are used in public key cryptography, it certainly doesnt hurt to learn. Cryptographic keys are essential to everything relating to security on the internet. Whether its securing the sensitive data submitted to your website or protecting the confidentiality and integrity of your emails, documents, and files, public key cryptography couldnt exist without the security of your public-private key pair.

Public-private key pairs help to enable the following:

That last sentence brings us to our next point. Digital trust, the foundation of which is public key cryptography, is at the heart of internet security. If you cant trust that the identity of the website, software developer, document creator, or email sender is legitimate, then how can you trust that any data you send or receive from them is safe and can be trusted? You cant. This is why its crucial to keep your private keys secure.

We hope this article underscores the importance of securely managing and storing your private keys. By keeping those critical assets secure, youre preventing all of your (and your customers) sensitive data from falling into the wrong hands.

See the rest here:
How Public Private Key Pairs Work in Cryptography: 5 Common ... - Hashed Out by The SSL Store