Cloud Hosting

Its been a week since the Canadian and U.S. governments moved from urging to pressuring organizations to make employees work from home rather than offices.

The sudden turn caught many firms off guard. Now, says a vendor, IT departments are coming to grips with the security ramifications of necessarily quick decisions.

Operationally, organizations had to follow management directives, said Greg Young, vice-president of cybersecurity at Trend Micro. The situation is a little different now. Now they are starting to wrestle with the security implications how to manage that, he said.

Its not a problem for the small number of employees who already use IT-supplied and managed laptops, tablets and smartphones. But it is for a larger workforce using personal devices whose level of security is unknown to IT. This is particularly worrisome as theres evidence threat actors are increasing their phishing attacks.

If they havent done so already, Young said, IT and infosec leaders should be sending home workers instructions on how to improve the security of personal devices used to connect to corporate assets as well as reminders.

Firms seeing a leap in remote access solution sales

First, if needed, make them download and install anti-malware security software for all internet-connected devices. This software may be covered by the existing enterprise licences. Employees must be told to make sure their operating systems, applications and hardware like routers have the latest security patches. That may include buying or leasing routers for staff working from home who have old devices that cant be upgraded. Staff have to be encouraged to make passwords on personal devices secure, including changing factory-set administration passwords.

If employees have to download sensitive corporate documents, have them confirm that their version of Windows supports full-disc encryption and encourage employees to enable it. Another strategy is giving staff enterprise-level cloud storage accounts, such as the corporate version of DropBox, which have security controls. Too often, Young said, staff use dodgy or free online storage with no controls. IT may already have licences for the enterprise-level services.

How IT leaders can prepare for COVID-19 challenges

While many malls, arenas, restaurants and other public places are closed in North America, staff still need to be reminded not to use public WiFi on devices that will connect to corporate assets.

Finally, send employees a refresher on security awareness, emphasizing the risks of downloading unfamiliar applications and clicking on attachments. Weve seen false COVID tracking websites distributing malware and [malicious] telework vouchers, Young said.

Internally, Young said, IT and infosec leaders should quickly evaluate the need to add cloud-based security to clamp down on the expected increase in threats from devices used by home workers. This includes secure gateway-as-a-service, sometimes called a cloud access security broker (CASB) to help better protect endpoints. In the corporate environment, we take that for granted. Data going out from the office goes through a secure gateway where bad URLs or known malware sites are blocked and attachments are opened in a sandbox. Working at home employees arent equipped that way unless they also have a secure gateway.

Gateway as a service is offered by IBM, BlackBerry, Citrix, Zscaler and others for access control and data encryption.

Another category of control to be considered is cloud-based mobile/enterprise device management from vendors such as BlackBerry, SOTI, MobileIron and others, which will block access to corporate assets to unsecure endpoints. This will be valuable, Young said, because the number of lost devices used by the new remotely-working employees will increase. Mobile device management applications allow devices to be remotely wiped, as well as enforce device encryption.

Some experts say adding network segmentation should be considered for environments that dont already have it. However, network changes at a time when IT staff may be stressed with other work may not be a good idea, warned Young.

Employees may have concerns that their personal surfing on personal devices may come under corporate surveillance, Young said. This can be alleviated by IT telling staff how to turn off secure gateways, for example, or simply telling staff that such activity wont be tracked.

Young also said that because of the increased security risks from home workers IT teams will have to step up network monitoring.

Whats important, he concluded, is that IT provide reasonable security measures. Try to make it easier for people to be secure. Humans will always try to evade [complex] mechanisms.

See the rest here:
Now that more employees are working from home because of COVID-19, time for IT to toughen controls - IT World Canada

Sponsored Firms in retail, manufacturing, logistics and more are embracing cloud computing in one form or another but its in the financial services sector where deployment is proving a particularly complex matter. The use of multi-cloud infrastructures is also disproportionately higher, driven by a range of business and technology considerations. That creates a number of challenges challenges that can only be solved in that most pervasive of environments: the hardware.

About 60 per cent of financial services businesses expect their IT environments to be multi-cloud according to 451 Research in its report, Multi-Cloud Fundamental to Financial Services Transformation. They focus heavily on public cloud-based infrastructure as a service (IaaS), which gives them access to virtualised computing resources at the machine level, along with private on-premises cloud systems. The third most popular piece of infrastructure is public cloud-based platform as a service (PaaS), which exposes computing resources at the service level, such as databases and storage services.

Multi-cloud, though, isnt simply a case or more than one cloud as the basis of your technology infrastructure, it can mean different types of cloud. It can mean public cloud services, private hosted cloud systems and on-premises infrastructure using cloud-based software.

Several factors are driving this. The first is regulation, as banks discover that strict sector rules on privacy, security, residency and other factors mean they cant store some forms of data in a public cloud setting. Whereas compliance and regulation was an impediment for 19 per cent of companies across various sectors, that jumped to 31 per cent for financial services, says 451.

Another driver is workload. It can be more expensive to run a private cloud for some jobs, especially volatile ones with irregular demand or that demand specialist accelerators for sensitive workloads that require low latency or high throughput. This can see firms shift some workloads to a public cloud environment that provides more computing resources as-and-when needed.

Connected to workloads is the idea institutions can take advantage of different cloud service providers' technical capabilities and commercial offerings. One provider might offer better automated cloud management services while pricing proves a more attractive lure for a specific workload.

Finally, multi-cloud becomes more of a factor the bigger the company. Those with a global footprint might prefer or be forced to pick thanks to data sovereignty rules specific cloud service providers in different geographies. For example, a bank using Azure in several regions might have used Azure Germany for its cloud operations there, relying on Microsoft's trusted relationship with T-Systems, a Deutsche Telekom subsidiary, to offer data storage beyond Microsoft's control.

But since that relationship ended, they might turn to another provider under local German control cloud storage, thereby creating another infrastructure for their multi-cloud environment. Intel has a deeper dive on the drivers and challenges to multi-cloud, here.

One of the most empowering technologies in the cloud is also one of the most problematic: containers. These small software packages are more nimble than conventional virtual machines, recasting an entire operating system in software from the kernel upwards. Unlike a virtual machine, a container only packages the bare essentials for an application to run; the application code, and any dependencies like software libraries. And it shares the host operating systems underlying resources such as the kernel with other containers.

That shared kernel creates a potential problem because you can no longer guarantee individual containers will be isolated. If an attacker can compromise the host operating systems kernel, it could compromise all the containers using that kernel.

To combat that, Intel developed Clear Containers that merged with OpenStacks Kata containers project. This container framework which retains full compatibility with Docker, with the Open Container Initiative (OCI) format, and with Kubernetes promotes hardware-level isolation by combining the advantages of containers and virtual machines.

Kata containers still share the host OS's kernel, but they also include a guest Linux kernel sitting atop a virtualized hardware layer. This isolates the network, I/O and memory in hardware. Moreover, it can use hardware-enforced isolation with virtualisation extensions in Intel Xeon named Intel Virtualisation Technology. This uses instruction extensions that are aware of the virtualised environment and that manage I/O, memory, graphics and network functions.

Container technology made it easier to move applications and workloads between clouds, but a bottleneck still remains: the data. Migrating large amounts of data between different service providers in multi-cloud is a challenge, and managing that storage when it's at its final destination takes a lot of planning.

Another challenge in storage for multi-cloud is the potential need to embrace object-addressable formats. Traditional on-premises applications relied on the block and file storage but cloud applications can mean the introduction of object storage mechanisms for unstructured data.

With financial institutions now using data lakes in multi-cloud, the race is on for higher-performance object storage systems that work across multiple cloud infrastructures. Intel has invested in MinIO, one of several companies focused on accelerating the performance of object storage and providing universal interfaces for accessing it.

Part of the value of MinIO comes in the way it implements a highly scalable integrity check mechanism, thanks to AVX-512. With critical systems moving into object storage this is something financial-services organisations care about. They need a system that provides effective performance at a good price and that is optimised to take full advantage of SSD and NVMe capabilities from Intel. MinIO brings further value because it provides a platform for financial institutions to build an object storage that is compatible with Amazons S3 instance, thereby obtaining the benefits of a data lake in the cloud but at a fraction of the cost.

Data protection is a complex problem to navigate and that problem inevitably translates to multi cloud. Companies must comply with region-specific regulations such as the General Data Protection Regulation (GDPR) and the Californian Consumer Privacy Act (CCPA). On top of this, there also exists sector-specific regulations that in certain cases might exist only at the US state level, such as the NYDFS Cybersecurity Regulation (23 NYCRR 500).

Managing data under this panoply of rules in multi cloud can become a costly and cumbersome exercise risky, too, should organisations fail in their duties and be found to be non-compliant.

Rather than tracking different laws and tailoring regionally-specific systems, it's best to build a system that satisfies data privacy requirements in all areas. It should also let them comply with these different laws and regulations by proving the privacy of their data in unequivocal terms. This may seem daunting, but it becomes more tractable if you do most of the work at the hardware level.

This should mean encrypting data both in transit and at rest. But these are perennial requirements, and more recently we've seen a third emerge: encryption in use. At some point, data encrypted on disk must be decrypted for processing. Industry regulations therefore say data must be protected at this point, too.

Intel has developed Software Guard Extensions (SGX) that use chip-level cryptographic isolation to protect data during processing. SGX protects the data from attack even if the operating system or virtualisation manager have been compromised.

We've started to see in-use encryption pop up in various cloud services. One good example of those providing services in this area is Fortanix that provides a run-time encryption platform. In-use protection is also available with Googles Asylo, Graphene and through the work of the Confidential Computing Consortium. Encryption in use, combined with encryption at rest and in transit, are part of a layered defence strategy that can help to protect a financial services company against human error. Even if processes or people fail, encryption at multiple points acts as a compensatory mechanism and therefore maintains the level of protection required.

There is, of course, one final challenge: proliferation of encryption keys. Keys inevitably become yet another thing to manage in this setting. Here, at least, enterprise data security provider Fortanix has created a Self-Defending Key Management Service (SDKMS), a key management system that supports key generation and lifecycle management, and which also draws on Intel SGX. SDMKS, which is FIPS 140-2 certified, works with a range of cloud service providers, meaning you can thereby use different suppliers yet manage them through the same system.

Multi-cloud isnt just a reality for those in financial services its a necessity. That necessity is driven by all the standard transformation drivers such as flexibility and price affecting other sectors but its compounded by the particularly stringent rules and regulations that govern doing business in financial services. The complexity of multi-cloud creates challenges not just in serving the business but in satisfying regulators. Only by tackling these challenges at the hardware layer, can institutions focus on building a native-cloud infrastructure that pleases everybody.

Sponsored by Intel

Sponsored: Webcast: Why you need managed detection and response

See the original post:
Complexity, what complexity? Bank on the hardware layer for multi-cloud success - The Register

FalconStor has announced StorSafe, a persistent data storage container for enterprises. The software integrates with legacy backup and archive software and processes, and is compatible with cloud- and S3 object-based storage architectures.

In effect this is a virtual container-based archive abstraction layer across the AWS, Azure, and Wasabi clouds, and also the Hitachi Content Platform and other on-premises (S3-compliant) archive stores.

StorSafe uses persistent virtual storage container (VSC) technology which enables disaggregation of the data from the system-level storage component. It features variable payload container storage deduplication over large storage containers reduces cost and storage capacity consumption, and accelerates data reinstatement from smaller storage containers.

StorSafe archives are portable between public clouds and on-premises systems. The software uses redundant array of independent clouds (RAIC) container distribution via multi-cloud erasure coding. This is claimed to deliver more than 7 nines (99.99999 + per cent) availability, even if a cloud provider goes dark.

Falconstors virtual container archive idea is novel. It will be interesting to see how this small enterprise storage supplier develops the technology.

FalconStor revenues peaked in 2009. The company has travelled a rocky road since the founding CEOs suicide in September 2011.

But last quarter there were encouraging signs and CEO Todd Brooks has more progress to report for 2019s fourth quarter.

His release quote said: The strategic decisions we made throughout 2019 to place additional commercial focus on our long-term archive retention and reinstatement product, within our core regions, delivered encouraging growth in those areas throughout 2019, and has created a focused and healthy foundation for continued growth in 2020.

Revenues of $4.1m were down 14.1 per cent on last years $4.8m but Falconstor made a profit of $101,590 its first profit after seven quarters of losses. The turnaround is slight the year-ago loss was $77,058 but it is a profit, achieved despite lower revenues.

Full year revenues were $16.5m compared to $17.8 million in 2018, and net loss was $1.75m (2018 $906,714).

FalconStors said the revenue fall in Q4 2019 was due mostly to an intentional decreased commercial focus in China. Operating expenses of $3.3m were 7.1 per cent down on the $3.6m in the year-ago quarter. Cash and cash equivalents of $1.5m were lower than the $3.3m reported a year ago. And Falconstor has executed a 10:1 reverse stock split of its common stock.

On the bright side it reported total year-over-year sales growth of more than six per cent in its core regions, meaning outside China. Sales of its long-term archive retention and reinstatement product grew 38 per cent year on year.

Link:
FalconStor intros container-based archiving - Blocks and Files

Theres a new bill in the works to fight against child sexual abuse material (CSAM) and other risky services on the internet but it could come at a cost to online privacy.

Eliminating Abusive or Rampant Neglect of Interactive Technologies (EARN IT) was proposed by the Senate Judiciary Committee and sponsored by senators from both sides of the aisle such as Lindsey Graham (R-SC) and Richard Blumenthal (D-CT). The bill is also supported by the National Center for Missing and Exploited Children and the National Center on Sexual Exploitation.

However, this bill is problematic for both freedom of speech and privacy online according to Riana Pfefferkorn, associate director of Surveillance and Cybersecurity at the Center for Internet and Society.

This bill is trying to convert your anger at Big Tech into law enforcements long-desired dream of banning strong encryption, argued Pfefferkorn in a blog post. Pfefferkorns detailed explanation says EARN IT appears less like a legitimate way to prevent the spread of child exploitation content and more like a covert attempt to ban end-to-end encryption, without having to ban it outright.

At the end of January 2020, a draft of the proposal was leaked and met with similar apprehension not only by Big tech juggernauts (Facebook, Google, etc.) but also their sometimes opposing counterparts, freedom of speech advocates.

Were concerned the EARN IT Act may be used to roll back encryption, which protects everyones safety from hackers and criminals, and may limit the ability of American companies to provide the private and secure services that people expect, Facebook spokesperson Thomas Richards said in a statement to the Washington Post.

Clearly, the issue could not be more sensitive. Patrick A. Trueman, president and CEO of the National Center on Sexual Exploitation, recently voiced this opinion, apparently advocating for EARN IT.

Right now, Big Tech has no incentive to prevent predators from grooming, recruiting, and trafficking children online and as a result countless children have fallen victim to child abusers on platforms like Instagram, Snapchat, and TikTok, said Trueman.

While everyone who has publicly condemned EARN IT has also stated a universal commitment to child safety online and in the real world, many say the bills far-reaching approach to content moderation could do more harm than good by essentially eliminating private conversations across the internet, particularly on social media platforms and messaging apps.

To fully comprehend what EARN IT proposes, one needs to understand the importance of two bills passed in the 90s. These laid the groundwork for how privacy and free speech are supposed to operate for U.S. citizens.

First, Section 230 of the Communications Decency Act (CDA), passed in 1996, allows for the continued development of the internet as a free market and universal good for free speech. Section 230 says that online platforms or providers of interactive computer services mostly cannot be held responsible for the things their users say or do on their platforms. It uses the term mostly instead of always because platforms are still liable for exceptions that violate intellectual and federal criminal law. Essentially, this means if someone is defamed for being a fraud, that person can sue their defamer, but they cannot sue the platform for providing the space for free speech.

Second, the Communications Assistance for Law Enforcement Act (CALEA), passed in 1994, requires telecom providers to make their networks wiretappable for law enforcement. However, it also ensured a carve-out for encrypted messages and information services where websites, email, social media, messaging apps and cloud storage fall out of CALEAs jurisdiction.

The purpose of these carve-outs was to reach a compromise between the competing interests of network security providers, privacy advocates, civil liberties, technological growth and law enforcement. In combination, Section 230 and CALEA prevent regulation from suffocating growth and development of the U.S. information economy.

Since the 90s, more regulation has passed to undo Section 230. Section 230 has been amended since it was passed: SESTA/FOSTA, enacted in 2018, pierces providers immunity from civil and state-law claims about sex trafficking, wrote Pfefferkorn. SESTA/FOSTA is currently being challenged in federal court being unconstitutional and doing more harm than good.

There is also already a regulatory reporting scheme for online providers combatting CSAM. Also, Section 230 does not keep federal prosecutors from holding providers accountable for CSAM on their services.

While the current reporting schemes success is questionable, there is reasonable evidence to believe that EARN IT is an attempt to regulate communication on the internet more broadly.

The so-called EARN IT bill will strip Section 230 protections away from any website that doesnt follow a list of best practices, meaning those sites can be sued into bankruptcy, writes Joe Mullin, a policy analyst with the Electronic Freedom Foundation.

Mullin is referring to how EARN IT would target CSAM. It proposes to do this by creating a federal commission to develop a list of best practices for preventing CSAM that online platform providers would have to follow or else lose their immunity under Section 230 meaning they could be sued into bankruptcy. This commission would largely be made up of law enforcement and allied groups such as the National Center for Missing and Exploited Children (NCMEC).

According to Mullin, The best practices list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption and guarantee law enforcement legal access to any digital message.

Although the word encryption does not appear anywhere in the EARN IT bill, Mullin is suspicious of how the federal commission might design best practices. For instance, in an earlier draft of the bill, the NCMEC Vice-President stated that online services should be made to screen all messages using screening technology approved by themselves and law enforcement, report what they find in messages to the NCMEC and be held legally responsible for the content of the messages sent by others.

In short, the commission could quietly give backdoor access to all U.S. hosted information services, undoing encrypted messages altogether.

Mullin, Pfefferkorn and other outspoken critics of EARN IT all agree that the bills proposed execution is opening the door for the elimination of encryption: the fact that it is never explicitly addressed is especially concerning..

According to Mullin, its also possible that the current draft of EARN IT will be amended to undo the damage it could do to online privacy. Could be as straightforward as putting a clause in[,] saying the bill doesnt apply to encryption, he writes.

However, until some amendment occurs, critics are wary of a federal commission consisting of fewer than twenty people, according to the latest reports, who would be making large-scale privacy and security decisions for the entire U.S. population.

Such a potentially big power grab would seem a bit ridiculous, but Pfefferkorn also acknowledged that EARN IT rides on a wave of resentment or techlash the U.S. population has begun to harbor against many internet-based companies. This animosity is directed toward both U.S. tech juggernauts, whose business models run off of surveillance capitalism and online free speech platforms which, for the average person, can feel like the concentrated font of human venality every time we open our phones, according to Pfefferkorn.

In general, free speech on social media platforms is already a nuanced and complicated topic. Even under Section 230, social media platforms can still censor content when they deem it inappropriate internally. For example, Twitter has a keyword blacklist and the protocol for how it works can change on a dime.

For Nozomi Hayase, social psychologist and writer, surveillance of encrypted messaging is a movement toward forfeiting democracy. By Hayases reasoning, privacy is a prerequisite for a kind of solitude that allows people to think and act independently and is, therefore, essential to a functioning democratic society.

Democracy requires sovereign individuals who are able to communicate with one another freely. This freedom comes with great responsibility, said Hayase, who recognized EARN IT as the newest installment of a dangerous trend toward online censorship. If we really want to have a truly democratic society, we have to accept the fact that it is the duty of each person to develop his or her own moral capacity to determine what is right and wrong, instead of depending on an external authority to tell us what we should or should not do.

Currently, EARN IT has been referred to the Senate Judiciary Committee. Citizens can contact their congressmen directly or take action through the Electronic Frontier Foundations website.

Read the original post:
EARN IT: The US Anti-Encryption Bill That Threatens Private Speech... - Bitcoin Magazine