Category Archives: Regulation

Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK) Now Available

Today the Cloud Security Alliance announced that its new Certificate of Cloud Security Knowledge (CCSK) is now available. This exciting certificate tests awareness of cloud security threats and of best practices for securing the cloud. The material covered in the one-hour, 50-question examination is largely drawn from two documents: “Security Guidance for Critical Areas of Focus in Cloud Computing” by the Cloud Security Alliance and the European Network and Information Security Agency (ENISA) whitepaper “Cloud Computing: Benefits, Risks and Recommendations for Information Security”.

Among the companies planning to certify their employees as CCSKs are eBay, ING, Lockheed Martin, Sallie Mae, Zynga, CA, CaseCentral, HCL Technologies, Hubspan, LogLogic, Fiberlink, McAfee, Ping Identity, Novell, Qualys, Solutionary, Symantec, Trend Micro, Veracode, VeriSign, Vordel, WhiteHat Security and Zscaler.


Posted by on 2010-Sep-09 in Cloud, Regulation


Cloud Escrow: The Ability to Choose and Change Your Deployment Model

In a recent TheRegister post entitled “The cloud’s impact on security”, Tony Lock provides a definition for the groundbreaking concept of “Cloud Escrow”.

“…if you are using external cloud resources, look at how the data and any intellectual property invested in the processing engines employed to manipulate data can be moved to other third party cloud providers, or back into the enterprise, if you need to do that. You could call this ‘Cloud Escrow’.”

Readers of DivConq and other cloud technology blogs are probably already familiar with the term “Cloud Portability” – the ability to move cloud applications and data between different cloud providers or to receive the same services from multiple cloud providers at once.

However, what Lock does with his “Cloud Escrow” definition is remind people that the ability for companies to redeploy entire sets of cloud-deployed applications or data back into company-owned systems or private clouds is extremely important in case:

  • a merger or divestiture impacts IT service delivery
  • a regulatory change or legal ruling requires quick action
  • currently contracted cloud vendors are acquired by a questionable owner or are unable to meet their service level agreements (SLAs) with current ownership

DivConq applauds Lock’s contribution of “Cloud Escrow” to the ongoing discussions being held at every level about the appropriate way to deploy resources into the cloud. The answer, as always, is to have a realistic fallback plan in case conditions change in a hurry.


Posted by on 2010-Jul-07 in Cloud, Regulation


Google Joins Microsoft In GeoPolitical Private Cloud Deployment

While attending the RSA conference in San Francisco this year I wrote a brief article for another blog about Microsoft establishing a geopolitical private cloud for U.S. government use.  At that time I wrote:

As noted by Gavin Clark in The Register:
“Among the features (in Microsoft’s latest U.S. government cloud offerings) are secured and separate hosting facilities, access to which is restricted to a small number of US citizens who have cleared rigorous background checks under the International Traffic in Arms Regulations (ITAR).”

In other words, Microsoft has defined a large private cloud segment that will never span political boundaries. However, not every Federal process must comply with ITAR or even the higher levels of FISMA. It will be interesting to see whether other cloud vendors follow suit with their own private offerings or if private government clouds restricted to and maintained in a single country are just a niche.

As predicted, Google has taken Microsoft’s lead here. TheRegister’s Cade Metz notes this in today’s article entitled “Google Apps rubber-stamped for use by US gov”.

The new service segregates Gmail and Google Calendar data in a section of Google’s back-end infrastructure that’s separate from services used by non-government users, and all the data centers housing these segregated applications are located in the continental United States. Google says that in the future, it will segregate other applications in this way.

So…that’s two major cloud vendors getting behind permanent private clouds delineated by geopolitical boundaries.  Who’s next?


Posted by on 2010-Jul-07 in Cloud, Other Organizations, Regulation


Six Months Left for SHA1, Two-Key Triple DES and SKIPJACK

In a Discussion Paper titled “The Transitioning of Cryptographic Algorithms and Key Sizes” NIST summarizes which cryptographic algorithms will no longer be allowed in secure applications once 2010 is over.

Encryption Algorithms

Two-Key Triple DES and SKIPJACK will be disallowed on January 1, 2011.

Three-Key Triple DES and AES will continue to be allowed.

Signature Generation

New signatures generated for data authentication or for software and firmware integrity tests that provide less than 112 bits of security strength will be disallowed on January 1, 2011.

In addition to these changes, NIST will require a number of other stringent requirements (as spelled out in NIST FIPS 186-3) for new validations once the year turns to 2011.

Random Number Generation

New validations must conform to SP 800-90 (HASH, HMAC, CTR, DUAL_EC) on or after January 1, 2011.

Key Agreement

New validations may no longer depend on non-tested Diffie-Hellman (DH) or MQV primitives on or after January 1, 2011. Instead, new validations must use SP 800-56A primitives or one of the specifically approved key derivation functions (KDFs).


Hash Functions

Unless keyed in the manner of a digital signature (see the related section above), the use of SHA-1 hashes is disallowed on January 1, 2010 and beyond. Instead, digital signatures (essentially “keyed hashes”) or stronger hash algorithms such as SHA-224, SHA-256, SHA-384 or SHA-512 must be used.
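As an added example (not code from the post or from NIST), the following script audits a constructed inventory of algorithms in use against the transition rules summarized above. It assumes a single January 1, 2011 cutoff for every rule, reads the 112-bit signature rule as the security strength of the signing key, and takes the key-size-to-strength mapping from NIST SP 800-57 Part 1, which the post does not cite; the entry names and the `tested`/`keyed` fields are hypothetical.

```python
from datetime import date

TRANSITION = date(2011, 1, 1)   # single cutoff assumed for every rule below
SP_800_90_DRBGS = {"HASH_DRBG", "HMAC_DRBG", "CTR_DRBG", "DUAL_EC_DRBG"}

# Key size -> security strength, per NIST SP 800-57 Part 1 (mapping not from the post).
STRENGTH_TABLE = {
    "RSA": [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)],
    "DSA": [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)],
    "EC":  [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)],
}

def security_strength(kind, bits):
    """Largest SP 800-57 strength whose minimum key size `bits` reaches (0 if below 80-bit)."""
    return max((s for size, s in STRENGTH_TABLE[kind] if bits >= size), default=0)

def check(entry, on=TRANSITION):
    """Findings for one inventory entry on date `on`; an empty list means acceptable."""
    if on < TRANSITION:
        return []                     # nothing summarized above is disallowed beforehand
    use, alg, findings = entry["use"], entry["alg"], []
    if use == "encrypt" and alg in ("2KEY-TDES", "SKIPJACK"):
        findings.append(f"{alg}: disallowed for encryption; use 3-key TDES or AES")
    elif use == "sign":
        strength = security_strength(entry["kind"], entry["bits"])
        if strength < 112:
            findings.append(f"{entry['kind']}-{entry['bits']} signature: {strength}-bit strength < 112")
    elif use == "hash" and alg == "SHA-1" and not entry.get("keyed", False):
        findings.append("SHA-1: unkeyed hashing disallowed; use SHA-224/256/384/512 or a keyed form")
    elif use == "rng" and alg not in SP_800_90_DRBGS:
        findings.append(f"{alg}: new validations must use an SP 800-90 DRBG")
    elif use == "keyagree" and alg in ("DH", "MQV") and not entry.get("tested", False):
        findings.append(f"non-tested {alg}: new validations must use SP 800-56A primitives")
    return findings

def audit(inventory, on=TRANSITION):
    """Map entry name -> findings, keeping only entries that have any."""
    return {e["name"]: f for e in inventory if (f := check(e, on))}

# Constructed sample inventory for a hypothetical application (not from the post).
SAMPLE = [
    {"name": "db-field-cipher", "use": "encrypt", "alg": "2KEY-TDES"},
    {"name": "tls-bulk-cipher", "use": "encrypt", "alg": "AES-128"},
    {"name": "firmware-signer", "use": "sign", "alg": "RSA", "kind": "RSA", "bits": 1024},
    {"name": "doc-signer", "use": "sign", "alg": "ECDSA", "kind": "EC", "bits": 256},
    {"name": "file-checksum", "use": "hash", "alg": "SHA-1"},
    {"name": "api-mac", "use": "hash", "alg": "SHA-1", "keyed": True},
    {"name": "session-ids", "use": "rng", "alg": "X9.31"},
    {"name": "kex", "use": "keyagree", "alg": "DH", "tested": False},
]
```

Running `audit(SAMPLE)` flags five of the eight entries; the same call with a 2010 date returns nothing, since every rule here takes effect at the transition date.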


Posted by on 2010-Jul-07 in Cryptography, FIPS, Regulation
