We believe that information security is fundamentally about managing risk. Membership of the society reinforces our commitment to providing our clients with expert information security advice by ensuring that our consultants continue to develop and maintain their risk management skills.

The CloudU (or Cloud University to give it it’s full title) is developed and curated by NZ’s own Ben Kepes and is provided by Rackspace (a leading Infrastructure as a Service (IaaS) provider). The certification is promoted as a vendor-neutral introductory programme designed for business owners and technical professionals who want to develop and strengthen their knowledge of the fundamentals of cloud computing.

The CloudU programme and exam are provided free of charge. The curriculum is broken down into 10 lessons that cover a range of cloud related subjects from the cloud computing stack, to security and the use of open standards. Each lesson consists of a downloadable whitepaper and a 60-minute webinar. Once you have completed reading and listening to the lesson material you can sit a test consisting of 10 multiple-choice questions and no time limit. You have to get 80% or higher to pass each test and once you have completed the 10 lessons and the test you can sit a 50 question multiple-choice exam (again there are no time constraints) which uses the same question pool as the lesson tests. Both the lesson tests and the final exam are easy to pass. However, candidates can re-sit the tests and exam as many times as they like to obtain a passing score.

CloudU covers the full range of cloud computing deployment (Public, Private, Community and Hybrid) and service models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). In doing so it uses the NIST definitions for cloud computing. These are widely accepted and provide a common language when talking about cloud computing. This is very important in my opinion as the term ‘cloud’ is used to cover a multitude of sins and some services do not actually meet the criteria defined by NIST.

As CloudU is only designed to be an introduction to cloud computing it doesn’t cover any subject in any real detail. The study material generally provides a pretty good primer for the given subject with the notable exceptions of Lesson 5 (security in the cloud) and Lesson 9 (the use of open standards to avoid vendor lock-in). Although the security lesson notes that both the cloud service provider and the customer have security responsibilities its main focus is on technological controls. In my opinion, this is a wasted opportunity as it would be more useful to give a high-level overview of the information security risks associated with the use of cloud services. Similarly, the lesson on open standards places a huge emphasis on the importance of open source software in the foundation and development of the Internet rather than discussing how and why selecting services that use open standards (for Application Programming Interfaces (APIs) and data formats) can reduce the likelihood of vendor lock-in.

Overall the CloudU certificate provides a decent basic introduction to cloud computing. Some of the material could clearly have been better written. Despite this I believe that the CloudU is useful for anyone looking demonstrate that they have a rudimentary understanding of cloud computing concepts. In conclusion, gaining the CloudU will not make you a cloud computing expert. However, I think that it will certainly help business managers (or any non-technical person) decipher the jargon that surrounds the ‘cloud’.

The Certificate of Cloud Security Knowledge (CCSK) has been developed and is provided by the Cloud Security Alliance (CSA). The CSA is a not-for-profit organisation whose mission is to promote the use of best practices (I hate the use of the term ‘best practice’ – see my blog post) to provide security assurance within cloud computing. The CSSK certificate is vendor neutral and focuses on the information security risks associated with the use of cloud services.

The CCSK curriculum and exam is based on two documents, the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 and ENISA’s Cloud Computing Risk Assessment. It is a little disappointing that the CCSK has not been updated to reflect version 3.0 of the CSA guidance. However, the CSA state that this is due to the fact that the material covered in the exam has not changed significantly between the two versions of the document.

70% of the questions are based on the CSA guidance, 20% of the questions are based on the ENISA report and 10% of the questions are applied knowledge that relate to the “best practices” in both documents. To pass the CCSK you have to get 80% or higher in a 50 question multiple-choice exam. Unlike the CloudU the exam is limited to 60 minutes. Although the CSA offers two CCSK courses they suggest that the best way to prepare for the exam is to read and understand the two documents that it is based on. I certainly agree with this assertion, the CCSK exam is straightforward providing you have read both documents and have a comprehensive understanding of the content.

The cost of sitting the CCSK exam is $295 USD. For this you get two attempts at obtaining a passing score. If you pass the exam on the first attempt the second attempt automatically expires. Additionally the CSA has indicated (in principle) that if it introduces a new version of the exam within 12 months of you passing the CCSK it will provide you with a free exam. As a result the price seem very reasonable to me.

The CCSK is broken down into 13 domains covering subjects from cloud computing models, and the data security lifecycle through to the security of virtual machines. Whether you plan on gaining the certification or not I strongly recommend reading both the CSA guidance and ENISA risk assessment documents. They provide useful information for anyone seeking to understand the security challenges of adopting cloud services.

I personally found the CCSK much more valuable than the CloudU (this is hardly surprising given that my area of interest is information security). The study material is really strong and provides a solid understanding of the risks associated with the adoption of cloud services together with some guidance on how they may be managed. It is a worthwhile certification for anyone who is responsible for helping their organisation or clients manage the security implications of moving to the cloud.

In conclusion, no certification will make you an expert on a given subject. However, what they do provide is evidence that you at least have a level of understanding of the subject. In my opinion both the CloudU and CCSK are valuable and although they are aimed at very different audiences they both achieve their stated objectives.

There is still very limited and contradictory information surrounding how the perpetrators compromised the payment processing system and who actually discovered the breach. However one fact is clear, Global Payments Inc. was compliant with the Payment Card Industry Data Security Standard (PCI DSS) when the breach occurred.

Although there may be other lessons that can be learnt from this the event if or when additional information is published the only one that can be drawn at this point in time is Compliant ≠ Secure (or Compliance ≠ Security if you prefer).

So what does this breach actually mean for organisations that must be able to demonstrate compliance with PCI DSS (or any other compliance standard for that matter)? Well it does not mean that standards such as PCI DSS cannot provide a useful framework for developing a structure for securing information. But overall it’s simple really. You need to actually manage the information security risks that you are exposed to, rather than merely demonstrating that you are able to meet your compliance obligations. That way you will at least be able to demonstrate that you had an appropriate controls in place should a breach occur.

Rod has considerable experience in providing information security consultancy and advice within a New Zealand government department. He specialises in implementing Information Security Management Systems based on the AS/NZS ISO/IEC 27001:2006 standard and risk management using the OCTAVE methodology.

• Confidentiality
• Integrity
• Availability

It’s been our mantra for a very long time that these are the three things that need to be achieved to obtain information security, but are they enough? I have had a niggling feeling for a while that they may be more. That is not to say that the CIA triad aren’t still relevant—they are still central. However, modern enterprises (including government) are making increasing demands on their IT departments to deliver real business benefit and return on investment.

For a while there used to be talk of non-repudiation being a new security objective. It’s a cumbersome word, for an idea that’s expressed in the negative, so it doesn’t appeal to me!
I suggest two extras:

• Trust
• Agility

Trust has been knocking on the door for quite a long time. Public Key Infrastructure (PKI) provides a mechanism that helps achieve trust. PKI helps us to trust the entity (person or system) that we are connected to is who it claims to be. It also supports non-repudiation (i.e. the initiator cannot claim that someone different sent the message or performed the transaction) and provides a method of verifying the integrity of a message or software package. However, the recent DigiNotar hack highlights that without appropriate CIA and other security basics, trust cannot be assured.

Agility has always been an objective of enterprise architecture. However, it should also be an objective of security architecture (both enterprise and solution). Virtualisation, SANs and Cloud Computing are all mechanisms whose big appeal is agility. These technologies can enable organisations to easily implement mergers, restructures, new alliances and supply chains and agency arrangements which are essential without compromising their information security posture.

Just as the original three goals were somewhat inseparable, with the addition of two new ones we must not suppose that they are entirely separable from each of the other four. However, I think each is distinct enough to justify its separate identification.

I’ve recently been working on a project that’s entire purpose is to provide trust. The solution manages the distribution of Public Key certificates. As the certificates are public, confidentiality is a non-issue. However, integrity is vital, because the certificates must be able to be relied upon. Availability is important, because dependent business processes will fail if this system is unavailable. Similarly agility is important as the solution will be expanded and evolved to provide additional functionality. It may even be migrated to a completely different platform.

Old information security thinking has tended to be pre-occupied with confidentiality (the NZISM is a great example of this). However, it’s important to see the whole picture, and recognise all five (are there more?) security objectives, not just the old three.

Michael has extensive experience in providing information security consultancy and advice to Australian government departments. He specialises in developing and implementing information security governance and compliance frameworks using national and international standards to help organisations improve their security posture.

I have analysed the differences between v1.0 and v1.01 and found that only two controls have been updated. There are a small number of minor corrections. The following provides a list of changes:

• A blank page has been inserted following the front page;

• The Foreword has been slightly reworded and signed by the new Director of GCSB;

• The table of contents no longer includes itself;

• p65 the double full-stop has been remove at the end of  the control How to report a cyber security incident to GCSB;

• p129 the last bullet point in the Context section has been reworded from “another DSD approved evaluation” to “Australasian Information Security Evaluation Program (AISEP) approved evaluation”.

• p130 the first sentence for the Recognition arrangements statement in the Context section has been changed from “DSD has a number of recognition arrangements regarding evaluated products” to “The AISEP programme has a number of recognition arrangements regarding evaluated products”. In addition to this the not in the second sentence has been made bold.

• p222 the Area security and access control statement has been changed from “Areas in which cryptographic system material is used should be separated from other areas and designated as a cryptography controlled area”  to “Areas in which cryptographic system material is used should be separated from other areas and designated as a controlled cryptography area”.

• p268 the last row of the table for the Firewall assurance levels statement has been changed so that agencies are required to use EAL4 not EAL2 firewalls to connect two networks classified at Top Secret in different security domains.

“Posting personal information on the Web

System Classification(s): R, C, S, TS; Compliance: recommended

It is recommended that personnel undertake a Web search of themselves to determine what personal information is available and contact an ITSM if they need assistance in determining if the information is appropriate to be viewed by the general public or potential adversaries.”

Obviously the NZISM applies to NZ Government departments and agencies and I doubt too many would have implemented a policy that requires staff to Google themselves on a regular basis. However, I am interested if anyone in either the public or private sector has implemented this control and whether it has actually revealed anything that resulted in an information security incident.

I configured a Google Alerts search that automatically searches for terms I have specified (e.g., my name and the company’s name) and sends me an email if it finds any matches. However, I must confess that I did this for marketing, not security, purposes after reading Mitch Joel’s Six Pixels of Separation.

So does your company require you to regularly “Google” yourself for information security reasons? And have you ever found anything posted about you that required you to take action to have the information removed?