What To Expect In 2017: Security And Government Regulations
The government and cloud security's relationship is surprisingly hands-off. Current regulations already extend their umbrellas over our data in flight and at rest regardless of whose IaaS/SaaS you're using. For us traditional enterprise administrators, the regulations are established and we follow them because we're all perfect and deserve raises. But when it comes to "the cloud" we've introduced developers and application admins releasing services to the general public with great haste; sometimes without the checks and balances needed for compliance. The results are mixed. The increasingly popular scan-all-the-things method of finding vulnerable systems is weeding out quite a few unprotected cloud-connected data sets. Even the smallest vendor needs to validate their compliance requirements and implement them at the same pace they're implementing publicly available applications.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) completed enforcement of security policies on personal health care information (PHI) in 2006. HIPAA includes policies ranging from control and auditing to intrusion prevention and alerting, data validation, authentication practices, and risk analysis and remediation plans (and a host of other things we admins don't care as much about). We know we're getting compliance wrong because as of January 31st of 2017, the Office for Civil Rights has received over 148,292 complaints of violation since 2003 (complaint != violation). 2017 will see more and more companies deploying cloud services that will start to gray the area between basic PII and PHI. Think Strava recording your epic bike ride or your Garmin tracking your last run... all store data relevant to you and how it relates to your physical condition. What's more interesting to investigate is: what are your rights to your last bike ride's information? Can it be sold with only basic de-identification?
The boundaries between PHI and PII are blurring from our desire to connect ourselves, so expect a lot of angry people when an insurance provider is found denying a claim based off "acquired" Fitbit data.

SOX

Thanks ENRON (and Tyco/WorldCom) for getting the Sarbanes-Oxley (SOX) Act of 2002 thrust onto all publicly traded companies. SOX regulates financial practices and corporate governance, divided into 11 titles, most of which are related to enforcing basic ethics we apparently take for granted. Section 802 is a whole different InfoSec ball game, regulating data retention, classification, and record keeping to ensure the shredder doesn't get used too much. And the cloud has made complying with 802's requirements much. Data governance tools, DLP, and enhanced record keeping tools are being introduced into all of our favorite cloud apps from Office 365 to Slack. It's assumed SOX will be a requirement for many cloud applications, so the needed technologies should exist out of the gate.

FIPS

The Federal Information Processing Standards (FIPS) standardize government use of computer systems by non-military agencies and contractors. Most people are familiar with FIPS 140-2: Security Requirements for Cryptographic Modules because it's so cool and interesting. FIPS 200: Minimum Security Requirements for Federal Information and Information Systems will be more prevalent as federal providers are encouraged/forced to use authorized cloud resources to migrate off existing internal government IT disasters and deprecated systems. The massive failure of the Office of Personnel Management and the years-long blame game still underway is making private cloud resources more attractive to existing government entities. FIPS 200 will play a vital role for those IaaS/SaaS providers to ensure they can receive those federal dollars. It's going to happen, it's already happening; maybe we can stop being embarrassed by the federal fire hose of data breaches.
FERPA

The Family Educational Rights and Privacy Act (FERPA) is not well known to those of us outside of educational service branches, but your child's data is just as important as your PHI. Specifically targeted at protecting student records, FERPA puts the student's data under the governing parent's/guardian's control and approval. However, the infrastructure responsible for data handling is sometimes the same system Ferris Bueller hacked into to change his absentee violations. Like FIPS-covered agencies, educational providers are migrating to the cloud in the face of massive IT budget shortfalls for upgrading existing infrastructure. Cloud providers willing to slap on a FERPA compliance sticker are few and far between. Given the coverage provided by other regulations, there shouldn't be too much adjusting for cloud providers new to the educational market.

EU-US Privacy Shield

You want to do business with any European Union corporation? You want to build an office in any of those countries? Unless you want to spend the next 100 years working with different data privacy laws enacted by disparate governments, join the EU-US Privacy Shield program. When an org joins the EUUSPS they'll self-certify with the Department of Commerce and commit to the existing and future framework requirements. This has massive impact on the larger providers and services living in those geo-located clouds. You essentially become an international data steward who agrees to abide by a larger protection clause than the one defined for U.S. citizens. It's a good thing. That's what they tell me.

EU NIS Directive

The Directive on security of network and information systems (EU NIS Directive) was enacted July 6th, 2016 to provide minimum compliance for data security against cyber-bad things for any country operating in or applying for European Union membership. This was to create a strong "weakest link" to keep countries with poor infrastructure policies and practices from being penetrated by nation states close to those countries.
This directive was created in response to growing shady nation state cyber practices, worrying existing Western bloc EU members. 2017 will test the strength of these policies and their violation penalties. None of this should be of any concern to existing cloud providers as they're operating in developed InfoSec countries. For the increasingly talented developer pool in the eastern EU, this still may be new and a potential stumbling block. Similar to new developers in the U.S. screwing up their PCI-DSS compliance, language barriers and InfoSec may be stumbling blocks exposing private EU citizen data.

This is just a summary of some of the regulations that will see more-than-normal impact on the next generation of IaaS/SaaS providers and their clients in the coming months. It's apparent from the too-numerous-to-name breaches that our data isn't secure, and the more we utilize the cloud in our personal lives, the more we're willing to expose. For enterprises though, the alarm is not as needed as we're already seasoned in regulations and how to protect our data. Balancing the agile world of DevOps does threaten stable security practices, but your InfoSec team should make you well aware before the fed comes-a-knockin'.

The Internet of Me, Myself & I
What happens when the gadgets you wear also control the things around you? No doubt you've heard of various internet-connected things like light bulbs, coffee makers and thermostats making their way into our homes. And no doubt, you've probably heard of such devices that you wear (or insert) to track your fitness, sleeping or even blood sugar levels. But when that sleeping monitor can alert the light bulb and coffee machine that you are about to wake up, that's called the Internet of Self: data from your body that is used to control the objects around you. Your body controls your environment, without you even knowing. Cool and, for me, a bit unnerving at the same time. A ComputerWorld article talks about all the amazing ways this is going to change our lives. For example, there is sleep monitoring technology that can alert a light bulb to turn on gradually as if it is a sunrise, based on your own sleep patterns. Forget those eye squints when the calm darkness suddenly disappears with the flip of a switch. The light is now taking commands from your body. Automakers are installing technology that monitors your face & eyes and if you start doing the doze-dip with your head, it'll alert you to pull over or even pull you over itself. Even your home security cameras can take a look at your face, compare it to a database, and unlock your garage and doors. The unlocking of the door tells the kitchen or any other room to turn on the lights. Your biometric data is controlling the things around you. Clothing will have stress meters, cars breathalyzers, belts that auto-extend after a big meal. You get the picture. Congress also has some concerns. Reps. Darrell Issa (R-CA) and Suzan DelBene (D-WA) have formed a new Congressional Caucus on the Internet of Things to educate members about the issue, so they can make more informed policy decisions about this technology.
The big issue is protecting consumers' privacy as more sensitive personal information is being sent and received by a growing number of these things. Hacked data and the prying eyes of the government and other entities are tops on their list. The FCC has asked that they hold off on any legislation tied directly to IoT since it is evolving so fast, but did recommend that a data breach bill requiring 30-day consumer notification of a breach be passed. People have already been infiltrated through their thermostats, and there was news yesterday that certain smart TVs will capture and send your private conversations - if picked up by the voice recognition - to a third-party data processor. Add to that, robots are already attacking within the home. Forget zombies, vacuums are the real threat. The ComputerWorld article makes this IoSelf seem so easy with just an app and a device - it's just 'easy to create software.' Not exactly. While some apps, I'm sure, are easy to create, there is much more than just an app and device going on... like an actual application in a data center for the app and/or device to communicate with, and the proper security protections for such transactions. The article seems to gloss over any cautions, and there is no mention of privacy, security or any of the potential risks involved with the Internet of Self. Do I really want my various biometrics stored in some third-party cloud somewhere just so I can unlock my front door with a wink? Probably not. For now, I'm happy to pull out my physical keys, hand-turn the knob and use my index finger to disable the alarm. I know it is I who did it, not some reasonable facsimile thereof.
ps

Related:
Here comes the 'Internet of Self'
Congress sees security risk in 'Internet of Things'
70% Of Internet-Connected Appliances Are Vulnerable To Hacking
How hackers could slam on your car's brakes
Cybersecurity in the Age of Intelligent Energy: Putting the Nest Thermostat 'Hack' in Context
Top 5 Smart Home Devices We Expect To Emerge In 2015
A robot vacuum tried to eat its sleeping owner's head