Reducing the Risks Posed by Artificial Intelligence

To thrive in the new era, enterprise security needs to reduce the risks posed by AI and make the most of the opportunities it offers.

Artificial Intelligence (AI) is creating a new frontier in information security. Systems that independently learn, reason and act will increasingly replicate human behavior. Like humans, they will be flawed, but also capable of achieving great things.

AI poses new information risks and makes some existing ones more dangerous. However, it can also be used for good and should become a key part of every organization’s defensive arsenal. Business and information security leaders alike must understand both the risks and opportunities before embracing technologies that will soon become a critically important part of everyday business.

Already, AI is finding its way into many mainstream business use cases. Organizations use variations of AI to support processes in areas including customer service, human resources and bank fraud detection. However, the hype can lead to confusion and skepticism over what AI actually is and what it really means for business and security. It is difficult to separate wishful thinking from reality.

What Are the Information Risks Posed by AI?

As AI systems are adopted by organizations, they will become increasingly critical to day-to-day business operations. Some organizations already have, or will have, business models entirely dependent on AI technology. No matter the function for which an organization uses AI, such systems and the information that supports them have inherent vulnerabilities and are at risk from both accidental and adversarial threats. Compromised AI systems make poor decisions and produce unexpected outcomes.

Simultaneously, organizations are beginning to face sophisticated AI-enabled attacks – which have the potential to compromise information and cause severe business impact at a greater speed and scale than ever before. Taking steps both to secure internal AI systems and defend against external AI-enabled threats will become vitally important in reducing information risk.

While AI systems adopted by organizations present a tempting target, adversarial attackers are also beginning to use AI for their own purposes. AI is a powerful tool that can be used to enhance attack techniques, or even create entirely new ones. Organizations must be ready to adapt their defenses in order to cope with the scale and sophistication of AI-enabled cyber-attacks.

Defensive Opportunities Provided by AI

Security practitioners are always fighting to keep up with the methods used by attackers, and AI systems can provide at least a short-term boost by significantly enhancing a variety of defensive mechanisms. AI can automate numerous tasks, helping understaffed security departments to bridge the specialist skills gap and improve the efficiency of their human practitioners.

Protecting against many existing threats, AI can put defenders a step ahead. However, adversaries are not standing still – as AI-enabled threats become more sophisticated, security practitioners will need to use AI-supported defenses simply to keep up.

The benefit of AI in terms of response to threats is that it can act independently, taking responsive measures without the need for human oversight and at a much greater speed than a human could. Given the presence of malware that can compromise whole systems almost instantaneously, this is a highly valuable capability.

The number of ways in which defensive mechanisms can be significantly enhanced by AI provides grounds for optimism, but as with any new type of technology, it is not a miracle cure. Security practitioners should be aware of the practical challenges involved when deploying defensive AI.

Questions and considerations before deploying defensive AI

Defensive AI systems have narrow intelligence and are designed to fulfil one type of task. They require sufficient data and inputs in order to complete that task. One single defensive AI system will not be able to enhance all the defensive mechanisms outlined previously – an organization is likely to adopt multiple systems. Before purchasing and deploying defensive AI, security leaders should consider whether an AI system is required to solve the problem, or whether more conventional options would do a similar or better job.

Questions to ask include:

  • Is the problem bounded? (i.e. can it be addressed with one dataset or type of input, or does it require a high understanding of context, which humans are usually better at providing?)
  • Does the organization have the data required to run and optimize the AI system?

Security leaders also need to consider issues of governance around defensive AI, such as:

  • How do defensive AI systems fit into organizational security governance structures?
  • How can the organization provide security assurance for defensive AI systems?
  • How can defensive AI systems be maintained, backed up, tested and patched?
  • Does the organization have sufficiently skilled people to provide oversight for defensive AI systems?

AI will not replace the need for skilled security practitioners with technical expertise and an intuitive nose for risk. These security practitioners need to balance the need for human oversight with the confidence to allow AI-supported controls to act autonomously and effectively. Such confidence will take time to develop, especially as stories continue to emerge of AI proving unreliable or making poor or unexpected decisions.

AI systems will make mistakes – a beneficial aspect of human oversight is that human practitioners can provide feedback when things go wrong and incorporate it into the AI’s decision-making process. Of course, humans make mistakes too – organizations that adopt defensive AI need to devote time, training and support to help security practitioners learn to work with intelligent systems.

Given time to develop and learn together, the combination of human and artificial intelligence should become a valuable component of an organization’s cyber defenses.

Preparation Begins Now

Computer systems that can independently learn, reason and act herald a new technological era, full of both risk and opportunity…


Trial Before the Fire: How to Test Your Incident Response Plan to Ensure Consistency and Repeatability

While many organizations go to great lengths to set up effective security operations incident response plans, few proactively test their processes to ascertain how they will work when faced with a real threat.

Fifty-nine percent of incident response (IR) professionals admit that their organizations follow a reactive approach, according to a report from Carbon Black. Essentially, teams assume their processes work reasonably well to address the incident at hand … until they don’t. While organizations must have IR plans in place, it’s even more important that they a) work consistently and b) are updated and improved over time.

Testing incident response processes within the security operations center (SOC) should yield two important results: a clear understanding of whether your plan is likely to work and a list of gaps that should be addressed. There is no point testing them if the findings will play no role in optimizing your processes.

Lessons learned from your tests must be properly documented for them to have real, lasting value for your security operations team. Plus, you don’t want to find out your emergency plans don’t work when disaster strikes. What makes sense on paper or the whiteboard often doesn’t work as planned when put into practice.

Schools run fire drills, so everyone knows what to do when the bells go off. So, why aren’t we applying this logic more broadly in cybersecurity?

What is incident response?

IR refers to the systematic response to and management of events following a cyberattack or data breach. It involves a series of actions and activities aimed at reducing the impact of such an event.

A typical IR plan includes six phases which help the affected organization recover from an incident or simply contain it once it occurs: preparation, identification, containment, eradication, recovery and lessons learned.

When building an effective IR plan, security teams should determine the following:

  • The purpose of the plan.
  • Details on how to use the plan.
  • Your ability to respond to different incident types – including unauthorized access, malicious code, denial of service and inappropriate usage – and whether your information assets would be affected by such events.
  • Event handling protocols for each incident type and how to respond. This should include a checklist of which playbook needs to be triggered in the event of a cyberattack or breach. (A playbook, also known as a runbook, is common to the SOC and defines the flow of activities associated with a specific security issue and subsequent investigation and response. The goal is to build a consistent set of activities followed in every case, no matter the analyst assigned to it.)
  • Your ability to set up a “war room” for critical decision makers to receive and share information across the organization.

Testing the waters

Once you have a clear, documented plan in place, you should periodically test it through simulations to assess effectiveness and make continuous improvements. So, how can you put your processes to the test? Most security operations teams today use three methods:

1) Paper tests

Paper tests are the most theoretical method and are likely the first step for security operations teams that don’t have well-documented processes. However, they leave too much room for error and should only be used to look for small process changes.

2) Tabletop exercises

These scenarios consist of company stakeholders sitting around a, you guessed it, table and running through a mock security event. While these exercises may appear informal, you should prepare well in advance, make sure the right individuals participate from across the organization and that the scenario is as real as possible. Allow for up to half a day to put key processes through their paces and troubleshoot as you go.

3) Simulated attacks

The most effective way to pressure test your processes is to simulate a real-world attack to see how your organization will respond.


Digital Trust: More than Just a Business Buzzword

Last year, no business conversation was complete without someone using the words “digital transformation.” This year the essential phrase appears to be “digital trust.” But what does digital trust actually mean and how does it affect the cybersecurity landscape?

In simple terms, digital trust can be defined as the confidence people have in an organization’s ability to keep their digital data secure and to handle it with integrity and accountability. Digital trust is seen as critical to the long-term success of enterprises in a connected world.

What does digital trust mean for cybersecurity?

Cybersecurity has evolved around the need to protect data, devices, networks and processes in the digital world. For the industry, digital trust essentially means two things: the need to build trust in a company’s own digital operations, and the ability of security vendors to enable digital trust for their customers.

Building trust

In the beginning, it was all about computer security confined largely to the IT team. As organizations became more digital and began to understand the value of data, protection evolved into information security, with business-literate security teams and Chief Information Security Officers. Now that connectivity is pervasive and embedded, security is all about trust and integrity, and your role is to build and maintain digital trust across the business and to manage risk and mitigate the impact of cyberthreats.

In other words, in today’s ultra-connected world, cybersecurity is no longer simply about protecting hardware and software, but about safeguarding your digital organization and the vast volumes of data it creates.

As a result, the role and responsibility of cybersecurity has changed. Security now sits at the very heart of a customer’s business, and you should be able to trust your vendor.

Building trust in cybersecurity vendors

The journey to being trustworthy is inevitable in an online world increasingly challenged by uncertainty, headline making cyber-attacks and criminal scams. Regardless of the security provider your company chooses, you deserve to know that your important information is in safe hands.

For individual security vendors, this requires being open about products and processes and being able to provide evidence of their integrity. This means making source code, update code, processes and so on accessible for review by others, despite the potential risks. This gives external parties clear visibility and strengthens trust in the vendor. We see a continuous and growing interest from businesses to learn more about how our security products work and how our data is processed…

What Indicators Can I Reference to Gauge My Organization’s Security Posture?

Understanding an organization’s security posture gives a clear and current picture of its cybersecurity capabilities. Any information security program is evaluated on the integrity, availability, and confidentiality of the data within a designated secured environment. Several indicators can help to gauge where your organization sits within the risk management structure, which in turn helps to identify your organization’s security posture and the security challenges the business must confront.

Many cybersecurity information risk management programs suggest businesses should adopt the InfoSec security standards and implement cybersecurity as a key driver of business decision making. The scope of InfoSec is wide-ranging, but the aim is to continuously improve your organization’s information security, year after year.

What exactly should you look for? What are the indicators that will help describe your organization’s security posture? The following information will help you determine what your new approach to cyber risk management should be.

Is there a set budget for infosec?

Understanding whether a budget has been allocated for information security helps to identify whether an organization is serious about cybersecurity. In-house cybersecurity can be incredibly expensive; hiring highly skilled, ethical security personnel is not easy. SecOps engineers are highly sought-after and their salary expectations are usually very high. Purchasing software licenses and security hardware appliances is another considerable cost to consider.

Many organizations realize that the OpEx costs can be high, and many choose to outsource to a reputable cybersecurity service provider who can call upon teams of SecOps architects, engineers, and consultants when needed to install, manage, and maintain any purchased security infrastructure service.

Companies need a pragmatic approach for monitoring and assessing their cybersecurity landscape, and a security program that delivers a return on the security investment (ROSI). Security expenditure needs to be justified by successfully completing external audits that validate security processes are in place, such as:

  • Conducting external vulnerability scans
  • Planning for disaster recovery & incident response tests
  • Conducting phishing and social engineering tests
  • Conducting external penetration testing

Without a realistic security budget, there is a significant risk that an organization may fall short on these scenarios. This can lead to significant gaps and weaknesses in your organization’s cybersecurity policy.

The frequency and sophistication of employee training

Cybersecurity training should be made available to all employees. This is a key area to look for, as training is absolutely essential. Cybersecurity is a highly technical industry in which relevant, important security information needs to filter down to every single employee. Security training strengthens employees’ knowledge and understanding of cybersecurity risk management, putting each employee in the best position to uphold your organization’s cybersecurity policy.

Collaborating with a skilled cybersecurity vendor will ensure training compliance and improve team understanding of the latest risks and trends in cybersecurity, as well as knowing what the best practices are to reduce the risk.

Cybersecurity training in many industries, such as the financial sector, is mandatory and enforceable by the regulator. There are huge benefits of having teams who are aware of the latest cybersecurity trends and able to spot phishing, scam phone calls, malware and virus attachments.

Technical red flags

You may be surprised by the number of issues discovered at organizations that are missing even the most basic technical safeguards to protect the integrity, availability, and confidentiality of data. Reviewing the results of your malware scans is not enough; businesses need to be proactive in providing the basic security requirements:

  • Secure Networking – The network is the first line of defense in cybersecurity. Strong network authentication, encryption, restricting public internet traffic, and blocking common ports on the firewall are the first steps to improving security. Furthermore, network analysis and scanning using intrusion prevention systems, content filters, email scanning tools, and isolation of network assets should all be in place.
  • Asset Management – It is important to identify all pieces of equipment owned by the business. An asset list will catalog servers, laptops, tablets and any other infrastructure device. Good asset management reduces waste and capital expenditure and, above all else, acts as a baseline for the support teams, who will know what equipment is available and where it is located.
  • Patch Management – A regular patching schedule is the first step to securing software and operating systems. Vendors publish security patches that prevent exposure to the latest software vulnerabilities and exploits.
  • Passwords – Securing a network with unique, complex passwords enforced company-wide provides an immediate level of protection. Going further, testing user and system accounts for weaknesses with penetration testing tools such as Nessus or BackTrack will proactively reveal weak credentials and non-compliance. Processes can then be drawn up to harden password policies or offer training to the worst offenders.

There are many further technical safeguards that can be implemented, but these basic first steps will help to prevent misconfiguration and backdoors into your environment. Credible cybersecurity providers recommend an annual internal audit and roadmap check-up is performed. This process will review existing technical safeguards, identify weaknesses, and then suggest recommendations based on industry best practice, as well as a roadmap on the best way to implement the changes…


AR and VR: How Immersive Technology Is Bringing Cybersecurity Scenarios to Life

A PwC survey on corporate digital IQs found that there’s a disconnect between the skills and technologies that companies say matter most and what they’re investing in. With the rapid increase in emerging technologies disrupting every industry, enterprise leaders are feeling immense pressure to fill the resulting glaring void with employees who can pick up the skills necessary to implement this technology into everyday enterprise tasks. Aside from finding the right people, companies also need to ensure that proper training is in place. However, it’s no secret that a lack of engagement exists between employees and the less-than-awe-inspiring learning programs in use.

Just as I was finishing my tenure as the CSO of Dell, we introduced “Gamification” into our security and ethics training and noticed an uptick in the engagement it engendered amongst our millennials. Given what had been my 20-year “uphill” battle in the space of awareness training, this offered a welcomed glimmer of hope. Now add to that what augmented reality (AR) and virtual reality (VR) bring to the field and the prospects get even brighter.

When the phrases AR and VR started being tossed around, many of us could not even fathom how these technologies would impact our lives. Fast forward to today, and these technologies are right in the palms of our hands. AR and VR have opened new doors for innovation and created a more immersive user experience, especially for IT and security teams. While perhaps not the earliest adopters of these technologies, companies are beginning to use AR and VR to their advantage when it comes to providing cybersecurity training to their employees.

How exactly does AR training work? First, let’s break down what AR is in a broader sense. AR allows the user to see the real world with virtual objects superimposed or composited with their reality. Essentially, users can interact with on-screen digital objects within the scope of the physical world they see on a daily basis. Now imagine the use of AR in a corporate training environment. Not only does AR provide employees with a more interactive platform, but one that can be customized to accommodate unique learning needs.

For companies with a multigenerational workforce, this creates a profound opportunity to present their employees with training that is both more relevant and realistic. This is extremely valuable in high-touch industries like the cybersecurity sector, where the skills gap is already an area of concern. With AR, a new employee could be sitting at their desk and have a training system present various cyber threat scenarios through AR glasses, prompting them to identify the issue and solve the problem. It is interactive programs like this that will help employees remain more engaged in their training and generate better results overall.

And it doesn’t stop there. Companies like Inspired eLearning have made it their mission to provide training around security, cybersecurity and compliance with the help of VR. Called Security First Solutions, their product takes data from a multitude of tests and simulations to deliver an immersive training program on the latest and most popular cyber threats like phishing and SMiShing, all behind a VR headset. What’s more, immersive technology is also opening the eyes of young minds and showing them what a career in cybersecurity could entail…


Meet Michelle Hyde: Cloud Expert of the Month – October 2019

Cloud Girls is honored to have amazingly accomplished, professional women in tech as our members. We take every opportunity to showcase their expertise and accomplishments – promotions, speaking engagements, publications and more. Now, we are excited to shine a spotlight on one of our members each month.

October Cloud Expert of the Month is Michelle Hyde

Michelle Hyde, president and founder of Hyde Group, has been serving Pacific Northwest enterprises with excellence for more than 20 years. Her history of applying the right technology at the right time to critical business issues that clients face has propelled the Hyde Group’s success and advanced its reputation as a true client advocate. Hyde Group has a passion for finding solutions to client challenges during their digital transformation through teamwork and enablement of scalable solutions in cloud, SaaS and emerging technologies. Hyde currently serves on the Advisory Council for Cloud Girls and is a past member of its Board of Directors.

When did you join Cloud Girls and why?
I joined Cloud Girls right at the formation of the association in Jan of 2012 and helped with the formation of our monthly endeavor.  I then joined the board in Jan 2013 as the Operations Chair role until Jan 2018, and then took the Finance Chair and moved into the role of Advisory Council member after that in Jan 2019 where I still serve.  It was an exciting endeavor to be part of the founding members of what would become a true premier organization; creating vision, structure, process and growth over the years.

What do you value about being a Cloud Girl?
The Cloud Girls organization is a true point of pride for me, not just being a part of its foundation, but being aligned with such amazing women that have become sincere friends, endearing colleagues and so many that have guided and influenced me over the years.  I can honestly say that I would not be as far in my career or with such success without the aid of the women in this organization.

What is the biggest risk that you’ve taken?
The biggest career risk I have taken is certainly starting my own consulting firm 3 months after having a second child and right after my 39th birthday. I chalk it up to the fact my hormones were not all there postpartum, and having the mindset of “what could possibly go wrong here?” Starting a business, a tangent from what I was doing at the time, thinking I knew more than I did, and simply wanting success and autonomy in my world seemed to be the right mix. I did all that I could to establish myself and created an amazingly supportive network around me that wanted me to also have success. There are certainly days and weeks over the last 10 years I have had to throw elbows around to get my voice heard or my point across, but I would not change a thing. Now that nearly 10 years have passed, I am getting pretty comfortable in my skin and am ready to take it to the next level and start looking at greater risks to take!

What is the best professional/business book you’ve read and why?
With my drive to get to the next level in my business, I am reading a book called ‘Scale – 7 Proven Principles to Grow Your Business and Get Your Life Back’, and although I have listened to it on Audible, I have to get the book because the worksheets are essential here. I am examining merging with 2 other companies and this book will directly pertain to us. It identifies where we are at in the 3 stages, and the 7 principles of getting through the next stage(s) for a successful small business growth trajectory. There are other books I am reading right now too, Getting Things Done by David Allen and Power Trips, by a friend of mine, Norman Rawlings and How to Train A Wild Elephant and Other Adventures in Mindfulness, by Jan Chozen Bays MD. There is no shortage of things I want to read – my nightstand is stacked a foot high with desired reads…


What’s the Real Role of AI and ML in Cybersecurity?

Artificial intelligence (AI) and machine learning (ML) are being heralded as a way to solve a wide range of problems in different industries and applications, such as reducing street traffic, improving online shopping, making life easier with voice-activated digital assistants, and more.

The cybersecurity industry is no different. However, we need to be careful of the “hype” around AI and ML. And there is a lot of hype out there! A simple Google search of the term “artificial intelligence” yields about 630 million results, and AI continues to dominate the headlines and has even made its way into mainstream TV advertising. However, the cybersecurity industry needs to set the record straight – contrary to popular belief, AI and ML will not solve all of our problems.

The industry needs to separate what is real from what is simply hype when it comes to AI/ML in cybersecurity. In particular, a key issue that enterprises need to be aware of is that AI/ML cannot do causation – meaning that AI/ML is not able to tell you why something happened. Understanding why is a key component of cybersecurity, especially as it relates to security incident investigations and analysis.

Judea Pearl, an early pioneer in the field of AI and one of its leading experts, discusses the problems with AI in his latest book, “The Book of Why: The New Science of Cause and Effect.” He argues that the AI permeating the tech industry today has been handicapped by an incomplete understanding of what intelligence really is. Pearl explains how the hyper-focus on probabilistic associations has led us to simply evolve into more advanced applications of the same simple reasoning that AI was doing in the early 1980s.

This problem is at the core of why AI is still not solving enough real problems for cybersecurity. Based on how AI is often marketed, many in the industry assume that AI-powered cybersecurity technology can simply replace humans. And while its ability to ingest and process vast amounts of information is important, AI’s lack of causal reasoning is why human intelligence – especially from experienced security analysts and incident responders – is still critical. Highly-trained security teams play an important role in detecting, identifying and protecting against a wide range of cybersecurity threats – and will continue to do so for a long time.

Other experts agree that misconceptions exist around AI. In a July 2018 article in Elsevier, Dr. Gary Marcus, a Professor of Psychology and Neural Science at New York University, and former CEO of the machine learning startup Geometric Intelligence (acquired by Uber in 2017) stated: “I think the biggest misconception around AI is that people think we’re close to it. We’re not anywhere near that…Humans can be super flexible – they can learn something in one context and apply it in another. Machines can’t do that.”

However, there are some important benefits of AI/ML, including its ability to correlate vast amounts of data from a variety of sources. This level of correlation is important for informing security teams about the incidents that they are investigating and making teams more educated and efficient at processing analytics. For example, AI/ML can provide details on potential incidents using anomaly detection and clustering. It can also assist with risk scoring of incidents needing investigation. This data can be used to better inform humans who are working to make decisions about security incidents. But AI/ML cannot make the decision for you…

What Do You Need to Know About the California Consumer Privacy Act?

When the General Data Protection Regulation (GDPR) was enacted more than a year ago, it was far reaching, and many organizations were caught off guard because they thought it didn’t apply to them. But in fact, it did. Now the California Consumer Privacy Act (CCPA) is about to go into effect (Jan. 1, 2020), and any enterprise that does business in the state of California will need to change the way they manage personal information.

California has the fifth largest economy in the world. In fact, it’s actually bigger than that of the United Kingdom. Why is this relevant? Well, given the size of California’s economy, this legislation will clearly have a considerable global impact. It will tip the scales on privacy around the world. To prepare for the CCPA and other future data security legislation, organizations must focus on identifying the types of personal information they have and evaluating the flow of that data coming in and going out of the organization. Getting a handle on the flow of your sensitive data is also a great early step toward avoiding a breach, regardless of the regulations you need to follow. More importantly, it is the foundation of a solid data privacy strategy, which should be the end goal for global enterprises.

CCPA is only one in a myriad of data security regulations that will come to pass in the next few years. No organization can afford to develop an entirely new strategy for each regulation, so now is the time to develop a comprehensive data privacy policy that ensures the safe handling of all data, and particularly sensitive data. A few baseline practices can set your organization up for safe data handling and help you avoid starting from scratch every time a regulation changes or a new one comes out.

The objective of these guidelines is to provide you with some pragmatic thoughts around preparing for CCPA. They are based on conversations we had with security and data executives at enterprises worldwide regarding what’s worked best for them to address CCPA and other pending data privacy regulations.

1. Break Down Data Silos

As organizations mature, departmental silos naturally emerge as the business evolves and expands into different areas. As part of this evolution, each business segment develops its own way of generating, collecting and managing data. However, when it comes to data protection strategies and meeting privacy regulations, businesses must break down these internal walls to consistently protect data across the entire organization. Privacy is an organization-wide initiative and stakeholders need solutions that have an impact in all areas.

Data protection solutions themselves should not be siloed either. The most successful programs take advantage of the data security frameworks and processes that already exist in individual departments. For example, instead of simply focusing on identifying and categorizing data to help meet CCPA mandates, consider the security technologies already in place and how data categorization can integrate with them to drive further success from a security standpoint. Consider how data context through classification and categorization can be used in other areas of the business or to power existing security technology investments – such as cloud access security brokers, data loss prevention solutions, encryption technologies or next-generation firewalls.

Implementing a cross-departmental data security solution can also be a real boon to business. Who knows what useful data might be sitting over in another department? If security solutions are implemented in a siloed fashion, however, an organization will not only increase its risk of noncompliance but will also lose an opportunity to create deeper awareness about what data protection means for each aspect of the business.

2. Create Rich Metadata

Metadata is the glue that connects all data within an organization. Metadata enables organizations to flag sensitive information in files, documents and web pages, but it also provides a way to compile more detailed and useful data about that data. For example, the metadata for an Excel spreadsheet could record whether it contains personal data, which types of personal data (name, address, etc.), and who authored the spreadsheet. From a data protection standpoint, this information can be used to better identify, classify and protect corporate data. From a data management or analytics point of view, it can help business leaders develop strategies for new initiatives. Ideally, metadata brings together an organization's data protection and data management strategies so that they protect and advance the business simultaneously.

When considering privacy regulations such as CCPA, security professionals must look holistically across the organization to create metadata that all security technologies and data management systems within the organization can take advantage of. For example, what does the firewall need to be more efficient? Could firewall policies benefit from file metadata that identifies that personal data is contained in the file?

People often associate metadata with just the identity of the data, but it can also be used to govern how long an organization should retain that data. A key aspect of data protection is defining a retention period after which data becomes eligible for deletion, and this can all be recorded in metadata. After identifying how long the data should be held, organizations can put programs in place to ensure information is deleted or archived in line with data privacy regulations. Do you really need to keep a document listing employee names and dietary restrictions captured ahead of the corporate holiday party, or can that be deleted once the party has taken place?
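The retention idea above, carried through in code. This is an added example and not tooling from the original article: it attaches classification and retention metadata to constructed sample documents and turns that metadata into a retain/delete/archive decision. The purpose tags, the retention periods in retentionByPurpose and the pattern-based PII detector are all assumptions made for the illustration; a real program would take the PII classification from the categorization tooling the article describes and the retention periods from its own records schedule.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// DocMeta is the "data about the data" attached to each stored document.
// Purpose is a hypothetical tag the owning team sets when the document is created.
type DocMeta struct {
	Path      string
	Owner     string
	Purpose   string
	PII       []string // kinds of personal data found in the content
	Created   time.Time
	Retention time.Duration
}

// piiPatterns is a deliberately small, pattern-based detector standing in for the
// classification tooling the article describes; it exists to produce metadata,
// not to be a complete PII scanner.
var piiPatterns = map[string]*regexp.Regexp{
	"ssn":   regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	"email": regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`),
	"phone": regexp.MustCompile(`\b\d{3}[-.]\d{3}[-.]\d{4}\b`),
}

// retentionByPurpose is the hypothetical policy: how long data collected for a
// purpose may be held after the document was created.
var retentionByPurpose = map[string]time.Duration{
	"payroll":         7 * 365 * 24 * time.Hour,
	"event-logistics": 30 * 24 * time.Hour,
}

const defaultRetention = 365 * 24 * time.Hour

// classifyPII returns the sorted kinds of personal data found in content.
func classifyPII(content string) []string {
	var kinds []string
	for kind, re := range piiPatterns {
		if re.MatchString(content) {
			kinds = append(kinds, kind)
		}
	}
	sort.Strings(kinds)
	return kinds
}

// buildMeta classifies the content and records the retention the purpose allows.
func buildMeta(path, owner, purpose string, created time.Time, content string) DocMeta {
	ret, ok := retentionByPurpose[purpose]
	if !ok {
		ret = defaultRetention
	}
	return DocMeta{Path: path, Owner: owner, Purpose: purpose, PII: classifyPII(content), Created: created, Retention: ret}
}

// disposition turns the metadata into an action at time now: keep the document while
// its retention runs, delete it afterwards if it holds personal data, archive it otherwise.
func disposition(m DocMeta, now time.Time) string {
	if now.Before(m.Created.Add(m.Retention)) {
		return "retain"
	}
	if len(m.PII) > 0 {
		return "delete"
	}
	return "archive"
}

func main() {
	// Constructed sample documents, not real data.
	docs := []DocMeta{
		buildMeta("hr/payroll-2019.xlsx", "hr", "payroll", time.Date(2019, 1, 31, 0, 0, 0, 0, time.UTC),
			"Jane Doe, SSN 123-45-6789, jane.doe@example.com"),
		buildMeta("events/holiday-dietary.docx", "events", "event-logistics", time.Date(2019, 11, 15, 0, 0, 0, 0, time.UTC),
			"Jane Doe, vegetarian, 555-010-2000"),
		buildMeta("facilities/parking-map.pdf", "facilities", "", time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC),
			"Level 2 reserved for visitors"),
	}
	now := time.Date(2020, 1, 10, 0, 0, 0, 0, time.UTC)
	for _, d := range docs {
		fmt.Printf("%-30s pii=%v -> %s\n", d.Path, d.PII, disposition(d, now))
	}
}
```

Run against the sample set on 10 January 2020, the payroll sheet is retained (its seven-year clock is still running), the holiday-party list is deleted (30 days have passed and it contains a phone number), and the parking map, which holds no personal data, is archived rather than deleted. The point is that the decision never needs to re-read the document: once the metadata is rich enough, retention enforcement becomes a query over metadata, which is what lets it run across departments.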

3. Use Machine Learning to Understand Context

Numerous machine learning models in the market today have already been tuned for personally identifiable information (PII). Solutions designed to help with CCPA and GDPR compliance should leverage those models when it comes to data detection. Data categorization tools with machine learning built in make it easier to understand the context around data, which in turn helps determine how to handle different types of data. Rather than simply flagging social security numbers or bank account numbers, tools that employ machine learning can help users identify personal information contained within the narrative of documents and emails, such as health history or employee review details.

What’s more, machine learning enables organizations to automate their PII strategy. Data categorization tools with built-in machine learning capabilities allow organizations to focus on getting their arms around privacy. As confidence in the system grows, data handling policies can be applied automatically.

Because most organizations have ever-growing, complex environments, leveraging technologies that offer machine learning capabilities is critical for implementing efficient and intelligent data identification solutions that help achieve CCPA and GDPR compliance goals.

4. Know Where Data Goes and Why

Identifying data is one thing; keeping track of that data and managing it to ensure compliance as it moves throughout the organization is quite another. Most data protection solutions come with some sort of out-of-the-box dashboard, but a more efficient and customized approach is to think about the broader organizational analytics strategy.

Security professionals must understand what types of data their organization collects and where it goes once collected. It’s also critical to understand how people interact with personal data. Is personal data leaving the organization? Understanding how data is created, collected and shared will help security executives develop information handling policies that work with business strategies while also protecting sensitive data. They may discover they need to change security policies to be more efficient relative to how people are using data.

Once information handling policies have been refined, security executives can find ways to leverage their company’s data analytics approach to put good monitoring practices in place. As mentioned earlier, the lines between data management (or analytics) and data protection are beginning to blur as data becomes central to business strategies and privacy becomes a top concern for consumers.

5. Evaluate Who has Access to Personal Data

A central aspect of any data protection strategy is understanding who has access to personal information within the organization […] Read more »

Meet Ally Murtlow: Cloud Expert of the Month – September 2019

Cloud Girls is honored to have amazingly accomplished, professional women in tech as our members. We take every opportunity to showcase their expertise and accomplishments – promotions, speaking engagements, publications and more. Now, we are excited to shine a spotlight on one of our members each month.

September Cloud Expert of the Month is Ally Murtlow
Ally Murtlow serves as a National Account Manager on the North America Channel team at 8×8, a leading SaaS provider of voice, chat, video and contact center powered by one global cloud communications platform. Throughout her career, Murtlow has proven success leveraging her experience in marketing, direct sales and channel management. While previously at SingleHop/INAP and Rackspace, Murtlow developed deep channel relationships across the nation and a passion for the tech industry. Murtlow is a graduate of Indiana University with a Bachelor of Arts in Journalism. When she’s not delving into a new book, you’ll likely find her watching sports or planning her next trip – she grew up in London and has been to 18 countries and counting.

When did you join Cloud Girls and why?
I met Manon Buettner back in 2016 through my Channel VP, Mark Mercado. I had heard wonderful things from Manon and my peer and CG member, Tatiana Sebby, about both the Cloud Girls retreat and the learning/thought leadership opportunities offered – it was for those reasons that I was thrilled to join the group in 2017.

What do you value about being a Cloud Girl?
I value both the education and networking that come with the membership as well as the annual retreat. The retreat is the one time each year we are all able to come together, get to know each other, and discuss key issues in a relaxed and open environment.

What is the best career advice you’ve ever received?
“I have never accepted a job I knew with 100% certainty that I could do.”

What woman inspires you and why?
My mother. While she’s not in the tech industry, she did begin her career in a very male dominated field (engineering) and through endless hard work and unwavering integrity rose to become one of the few female CEOs in the electric utility industry. She will always be someone I can go to for career and life advice and I’m very grateful for that […] Read more »….


Futurizing IoT Security for Smart Cities

Many view smart cities as the future of urban living, promising to boost the efficiency and effectiveness of city services and the quality of life for residents while helping cities keep pace with growth and the associated pressure on aging infrastructures. To do this, smart cities must weave the Internet of Things (IoT) and interconnected devices into the existing technology infrastructure to bring entire communities online. However, this new wave of energy and excitement also brings new cyber risks that could impact the very existence of smart cities.

Smart cities are fast approaching the mainstream, and for good reason: a 2018 United Nations study found that over 55 percent of the world's population lives in urban areas, and 33 cities have populations in excess of ten million people. Across these vast urban landscapes, interconnected networks of IoT devices can do much to relieve congestion, reduce environmental impact, improve community health and safety, modernize city services and much more.

As connected devices proliferate, vulnerabilities in one area can extend into numerous other areas. In extreme cases, the consequences of a successful cyberattack could lead to disruption of crucial city services and infrastructure across health care, transportation, law enforcement, power and utilities, and residential services. Such disruptions could potentially lead to loss of life and breakdown of social and economic systems.

Cyber threats multiply

With the proliferation of IoT devices in smart cities, attackers now have countless entry points available to compromise a city's systems. Making matters worse, many cities have chosen to deploy IoT sensors on top of existing systems. One example is sensors on established gas and water systems that are in turn connected to broader networks for data aggregation and analysis. Unfortunately, these sensors often have minimal security capabilities and minimal ability to be upgraded over time as vulnerabilities are uncovered.

Another challenge is the lack of generally accepted standards governing the functioning of IoT-enabled devices. Even within the same city, various agencies and departments can select IoT devices from different vendors that use different communications protocols and different security models and generate data in different formats. The outcome is that cities face a trade-off between interoperability and security. Fundamentally, every new device added to an IoT ecosystem expands the attack surface and gives an adversary one more opportunity.

Integrated components

In addition to multiple layers of devices and sensors at the edge, a smart city also requires a network layer and a central core through which all data, communications and updates can be processed. To ensure success and maintain security across the network, it’s vital that all integrated components within the city’s IoT meet certain baseline requirements. These should include the following:

Scalable — Devices should be able to work alongside other devices for added functionality and security, and must remain reachable for system-wide updates. Scalability also means that older IoT devices can be swapped out over time for more capable components without redesigning the system around them.

Compliant — Systems and devices should comply with recognized standards, such as FIPS 140-2 for cryptographic modules and NIST-approved authenticated encryption (AEAD) modes such as AES-GCM for protecting traffic. Standards are no panacea, but selecting compliant products improves interoperability and reduces reliance on a single vendor.

Interoperable — Devices must be built to communicate and function with one another, across departments.

Crypto-agile — Devices and back-end systems must be able to replace cryptographic algorithms, key lengths and certificates over their service life without hardware replacement, so that the city can retire a weakened cipher or adopt a new one (post-quantum algorithms, for instance) as a policy change rather than a fleet swap. They must also encrypt, decrypt and authenticate traffic quickly enough that security does not create availability problems or slow the response to a threat.

On-premises and cloud — On-premises hardware security modules (HSMs) keep private keys in tamper-resistant hardware at a secure location, while storing data in the cloud allows ease of access to information across departments. A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and performs cryptographic processing. Using both, simultaneously or for different needs, provides ease of access together with secure key custody and backups.

In addition to the above considerations, one of the most important steps toward smart city security is a city-wide public key infrastructure (PKI). Multiple systems within the smart city cannot function securely without a PKI, including communication between devices and the authentication of messages in the IoT. Building the PKI on the widely adopted X.509 certificate standard, rather than on vendor-specific identity schemes, provides security and peace of mind for the entire smart city infrastructure.

As the smart city relies on a system of encrypted communications and sensitive data collection through IoT devices, the model should be secured via a PKI foundation of trust. Like the IoT, the use of PKI is vital in all sectors of the smart city, including transportation, environment, and business. PKI can be applied to a wide range of security solutions within the city infrastructure such as access control, device ID and lifecycle management.
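What "PKI foundation of trust", "device ID" and "authentication of messages" look like in practice, as an added example that is not code from the original article or from any city deployment it mentions: a city root CA issues each sensor a certificate, the sensor signs every reading with its own key, and the aggregation core accepts a reading only if the certificate chains to the city root and the signature matches the payload. The envelope also carries an algorithm label checked against a verifier-side allow list, which is the crypto-agility bullet above in concrete form. The algorithm label, the allow list, the device names and the readings are all constructed for the illustration; the root is generated in memory as a stand-in for the HSM-backed CA the article recommends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical algorithm label carried in every signed reading. The verifier checks
// it against allowedAlgs, so retiring a scheme is a policy change, not a firmware change.
const algECDSAP256 = "ECDSA-P256-SHA256"

var allowedAlgs = map[string]bool{algECDSAP256: true}

// SignedReading is the envelope a sensor publishes: payload, signature and the
// device certificate that chains back to the city root.
type SignedReading struct {
	Alg     string
	Payload []byte
	Sig     []byte
	CertDER []byte
}

// makeCert generates a P-256 key and a certificate for tmpl signed by parent
// (self-signed when parent is nil).
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA creates the city root (in memory here; an HSM would hold this key in production).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueDeviceCert gives one sensor its own key pair and a certificate signed by the root.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(2, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// signReading runs on the device: hash the payload and sign the digest with the device key.
func signReading(cert *x509.Certificate, key *ecdsa.PrivateKey, payload []byte) (*SignedReading, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedReading{Alg: algECDSAP256, Payload: payload, Sig: sig, CertDER: cert.Raw}, nil
}

// verifyReading runs at the aggregation core and returns the authenticated device ID only
// if the algorithm is permitted, the certificate chains to a trusted root, and the signature
// matches the payload.
func verifyReading(roots *x509.CertPool, msg *SignedReading) (string, error) {
	if !allowedAlgs[msg.Alg] {
		return "", fmt.Errorf("algorithm %q is not permitted by city policy", msg.Alg)
	}
	cert, err := x509.ParseCertificate(msg.CertDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted device certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("device certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(msg.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], msg.Sig) {
		return "", errors.New("signature does not match payload")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caCert, caKey, err := newCA("Smart City Root CA")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	meterCert, meterKey, _ := issueDeviceCert(caCert, caKey, "gas-meter-0042")
	good, _ := signReading(meterCert, meterKey, []byte(`{"m3":1234.5}`)) // constructed reading
	fmt.Println(verifyReading(roots, good))

	// A sensor outside the city PKI, signing with its own self-issued certificate.
	rogueCert, rogueKey, _ := newCA("Rogue Sensor")
	bad, _ := signReading(rogueCert, rogueKey, []byte(`{"m3":0}`))
	fmt.Println(verifyReading(roots, bad))
}
```

The rogue sensor fails at the chain check, not at the signature check: its signature over its own payload is perfectly valid, which is why a message authentication scheme without a PKI behind it proves nothing about who sent the message. Retiring the algorithm label from allowedAlgs rejects every device still using it, which is the operational half of crypto-agility; the other half is the devices being able to take a new certificate and scheme when the city re-enrolls them.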

Phased deployment

As cities begin to implement a smart infrastructure, they must enforce security requirements across every IoT device in the smart city ecosystem as well as the entire network. To prevent city-wide threats and disruptions, cities should have a comprehensive cybersecurity plan. Such a plan is complex and won’t happen overnight. Instead, most cities will employ a phased approach:

Phase 1, Initialization – As we see happening now, various city stakeholders are creating smart devices and systems that operate independently of one another, each with their own security solutions and standards. The risk is considerable without a central security and PKI model in place, but because these early networks are small and largely isolated, the risk is somewhat moderated.

Phase 2, Connected — As smart IoT applications expand, new programs will be put into place to connect and secure both new and existing systems. A universal model will be defined for secure communication and older, less secure deployments will be updated or replaced.

Phase 3, Integrated – In this final phase, the IoT infrastructure is established city-wide to connect the smart city ecosystem together. With a universal cryptographic security plan in place, the city can begin to fully realize the benefits of smart city technologies while maintaining strong defenses against cyberattack […] Read more »