IaaS Security Challenges: New Draft Guidance from NIST

The National Institute of Standards and Technology has come out with a publication explaining selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. The publication, titled “Trusted Geolocation in the Cloud: Proof of Concept Implementation (Draft)” (NIST Interagency Report 7904, or simply IR 7904), describes a proof of concept implementation that was designed to address those challenges. The publication is intended to be a blueprint or template that the general security community can use to validate and implement the described proof of concept. IR 7904 provides sufficient detail about the implementation so that organizations can reproduce it if desired.
From the publication, here’s how NIST explains the problems the draft guidance addresses:

    Shared cloud computing technologies are designed to be very agile and flexible, transparently using whatever resources are available to process workloads for their customers. But there are security and privacy concerns with allowing unrestricted workload migration.

    Whenever multiple workloads are present on a single cloud server, there is a need to segregate those workloads from each other so that they do not interfere with each other, gain access to each other’s sensitive data, or otherwise compromise the security or privacy of the workloads. Imagine two rival companies with workloads on the same server; each company would want to ensure that the server can be trusted to protect their information from the other company.

    Another concern with shared cloud computing is that workloads could move from cloud servers located in one country to servers located in another country. Each country has its own laws for data security, privacy and other aspects of information technology. Because the requirements of these laws may conflict with an organization’s policies or mandates – for instance, laws, regulations – an organization may decide that it needs to restrict which cloud servers it uses based on their location.

    A common desire is to only use cloud servers physically located within the same country as the organization. Determining the approximate physical location of an object, such as a cloud computing server, is known as geolocation. Geolocation can be accomplished in many ways, with varying degrees of accuracy, but traditional geolocation methods are not secured and they are enforced through management and operational controls that cannot be automated and scaled, and therefore traditional geolocation methods cannot be trusted to meet cloud security needs.

    The motivation behind this use case is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers. A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform. The hardware root of trust is seeded by the organization, with the host’s unique identifier and platform metadata stored in tamperproof hardware. This information is accessed using secure protocols to assert the integrity of the platform and confirm the location of the host.

    NIST requests comments on Draft IR 7904 by Jan. 31. Comments should be sent to ir7904-comments@nist.gov, with “IR 7904 comments” in the subject line.
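To make the "hardware root of trust seeded with a host identifier, platform metadata and a location tag" idea concrete, here is an added example of the verifier side of such a scheme. It is not NIST's proof-of-concept code: the tamperproof store and the attestation key are simulated with a per-host secret and an HMAC so the check runs offline (a real deployment would use a TPM-style signed quote), and the host names, countries and firmware blobs are constructed sample data. The point it shows is the order of checks a scheduler needs before placing a workload: authenticity of the quote, freshness, platform integrity, and only then the location policy.

```python
# Added example: simplified trusted-geolocation placement check.
# NOT NIST's IR 7904 code; keys, hosts, countries and images are constructed.
import hashlib
import hmac
import json
import os


def measure(blob: bytes) -> str:
    """Platform measurement: hash of a firmware/hypervisor image (constructed)."""
    return hashlib.sha256(blob).hexdigest()


# Verifier's view of each host, seeded by the organization at provisioning:
# the (simulated) attestation key and the known-good "golden" measurements.
KNOWN_HOSTS = {
    "host-01": {
        "key": b"constructed-attestation-key-host-01",
        "golden": {"bios": measure(b"bios-image-v1"), "hypervisor": measure(b"hv-image-v7")},
    },
    "host-02": {
        "key": b"constructed-attestation-key-host-02",
        "golden": {"bios": measure(b"bios-image-v1"), "hypervisor": measure(b"hv-image-v7")},
    },
}


def make_quote(host_id: str, nonce: bytes, measurements: dict, geotag: str, key: bytes) -> dict:
    """Host side: bind measurements, geotag and the verifier's nonce under the
    attestation key. A TPM would sign this in the real design; HMAC stands in."""
    body = json.dumps(
        {"host_id": host_id, "nonce": nonce.hex(), "measurements": measurements, "geotag": geotag},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_quote(quote: dict, nonce: bytes) -> tuple:
    """Verifier side: authenticity, then freshness, then platform integrity.
    Returns (True, geotag) or (False, reason)."""
    payload = json.loads(quote["body"])
    host = KNOWN_HOSTS.get(payload.get("host_id"))
    if host is None:
        return False, "unknown host"
    expected = hmac.new(host["key"], quote["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["tag"]):
        return False, "attestation signature invalid (quote tampered or wrong key)"
    if payload["nonce"] != nonce.hex():
        return False, "stale or replayed quote"
    if payload["measurements"] != host["golden"]:
        return False, "platform integrity mismatch"
    return True, payload["geotag"]


def can_place_workload(quote: dict, nonce: bytes, allowed: set) -> tuple:
    """Placement policy: trusted platform AND attested location inside the allowed set."""
    ok, info = verify_quote(quote, nonce)
    if not ok:
        return False, info
    if info not in allowed:
        return False, f"host attested to location {info}, outside policy"
    return True, f"trusted host located in {info}"


def run_scenarios() -> dict:
    """Cases a scheduler meets; returns (placed, reason) per case."""
    allowed = {"UK"}
    good = KNOWN_HOSTS["host-01"]["golden"]
    results = {}

    # 1. Healthy host whose seeded location is inside policy.
    n1 = os.urandom(16)
    q1 = make_quote("host-01", n1, good, "UK", KNOWN_HOSTS["host-01"]["key"])
    results["trusted_in_policy"] = can_place_workload(q1, n1, allowed)

    # 2. Healthy host, but its seeded location is outside policy.
    n2 = os.urandom(16)
    q2 = make_quote("host-02", n2, good, "DE", KNOWN_HOSTS["host-02"]["key"])
    results["trusted_out_of_policy"] = can_place_workload(q2, n2, allowed)

    # 3. Geotag rewritten in transit: the attestation signature no longer matches.
    tampered = dict(q2, body=q2["body"].replace(b'"DE"', b'"UK"'))
    results["tampered_geotag"] = can_place_workload(tampered, n2, allowed)

    # 4. Modified hypervisor: measurement differs from the golden value.
    n4 = os.urandom(16)
    bad = dict(good, hypervisor=measure(b"hv-image-modified"))
    q4 = make_quote("host-01", n4, bad, "UK", KNOWN_HOSTS["host-01"]["key"])
    results["integrity_mismatch"] = can_place_workload(q4, n4, allowed)

    # 5. A genuine old quote replayed against a fresh challenge.
    results["replayed_quote"] = can_place_workload(q1, os.urandom(16), allowed)
    return results


if __name__ == "__main__":
    for case, (placed, reason) in run_scenarios().items():
        print(f"{case:22s} place={placed!s:5s} {reason}")
```

The check order matters: the location tag is only meaningful once the quote has been authenticated and shown fresh, and a host that fails integrity is rejected regardless of where it sits, since its reported location can no longer be trusted.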
In News: 2013 – Data Breaches & Cloud dramatically increase fraud levels in UK

Leading fraud consultancy UK Fraud (www.ukfraud.co.uk) has identified 10 key trends that will characterise the domestic fraud prevention market in 2013.

Bill Trueman, widely accepted as a leading fraud expert in Europe, has extensive experience in the banking, insurance and financial services sectors. Trueman’s UK-based consultancy, UKFraud, has an impressive international track record of eliminating the risk of fraud.

The trends are:

  1. With more high quality data becoming available to fraudsters than ever before, an economy forecast to contract and the UK’s benefits spend reducing, overall fraud levels will continue to increase dramatically across the UK and the rest of Europe. Fraud hotspots most likely to be affected in 2013 include: banks and card companies, insurers, online merchants, retailers and government, be it HMRC, the universal credit scheme or local authorities.
  2. The types of fraud likely to see the biggest growth will be CNP (Card Not Present) card fraud, other forms of cybercrime, internal fraud, and supply chain fraud. Procurement fraud is also set to rise significantly. In contracting economies, evidence suggests that people inside this function can be put under pressure to defraud.
  3. Mortgage fraud is also set to surge in 2013, with credit rating experts pointing the finger at further rises in first-party fraud – i.e. where people misrepresent their finances whilst applying for mortgages. Once again the economic climate is a significant contributor in this. 
  4. Recent spectacular mass data breaches and suspicion of cloud security in some areas will continue. An increasingly greater emphasis will be placed upon PCI DSS and other data security and integrity issues. Already, the daily number of automated attacks on bank and retailer systems runs into the millions, which means that we will continue to see major high-profile data breaches both reported and otherwise.
  5. Solutions will be based around systems for acquirers, online merchants and PSPs, who are regularly the victims of CNP fraud – where fraud is growing fast in line with the growth in internet based payments. Increasingly, solutions will move to better and newer generations of screening, scoring and risk based monitoring, such as those based upon Bayesian based fraud detection systems. These will start to pose a real challenge to older systems based on ‘so called’ Neural Networks. 
  6. Most people feel that there could be a lack of unified central direction and strategy from government. The lack of a pan-European strategy will also prevail. The UK government’s response is divided between the NFA, the Cyber Crimes unit and the Cabinet Office’s FED (Fraud Error and Debt Initiative). Some believe passionately that the lack of a unified central government strategy will drive up fraud significantly in 2013. On the positive side, at least some of the civil servants who have been involved in the NFA since the beginning are starting to gain real experience of the sector and an appreciation of the enormous challenges they face. The DWP is also tendering to get some real-world fraud strategy skills into their midst too, which should prove invaluable given the changes due with the Universal Credit. 
  7. The USA is increasingly ready for a policy U-turn on the adoption of signature as the CVM of choice. The US market will find it increasingly difficult to evolve in a global payment systems world without the protections offered either by PINs – or a ‘next generation’ solution. As the rest of the world is moving (or largely has moved) in this direction already, 2013 could see this U-turn as fraud increasingly migrates to the US. 
  8. Major insurers will continue to develop a strong and very credible fraud prevention solution based around the ‘front end’ (underwriting stage of business). The emphasis on delivering a strong industry-wide data-sharing drive will also continue to increase, although a whole re-think of the industry fraud register will be needed to address Data Protection Act requirements.
  9. There will be a major shift in the presence, position and fraud service offerings of one or more of the major data-bureaux (such as credit reference agencies), as more solutions either move ‘in-house’ or move to systems developed by a host of new players in various fraud sectors. 
  10. And there will be some surprises as there always are – whether they are policemen ‘on-the-take’, another raft of politicians fiddling their expenses, or further high profile banks brought to their knees by (usually) rogue traders.

“The current economic climate is driving change and there is an evolution in the world of fraud prevention that we have not seen before,” says Bill Trueman, CEO of UK Fraud. “However, if we are to stay ahead of the fraudster, we have to be able to read these trends and manage both our strategy and the risks accordingly. In highlighting what we see as the trends, we aim to contribute to the debate and raise awareness of the risks. By keeping this debate alive we hope that fraud prevention will shortly gain an even greater emphasis in key seats of power – be that in the boardroom or within key government departments.”

UKFraud is a leading UK based consultancy, with an impressive international track record of eliminating the risk of fraud. Its founder Bill Trueman is widely accepted as one of Europe’s leading fraud experts and a frequent commentator and writer on the issues involved. Trueman has extensive experience of the banking, insurance and the financial services sectors and is a thought leader at the forefront of many industry wide and international debates.

Singapore geared up to manage Personal Data Protection Act

Singapore’s Ministry of Communications and Information (MCI) announced yesterday that it would set up a Personal Data Protection Commission (PDPC) and a Data Protection Advisory Committee on 2 January 2013 to administer, and respectively advise on, the Personal Data Protection Act (PDPA), which comes into effect on the same day.

The Personal Data Protection Commission (PDPC), which will administer and enforce the PDPA, will be established on 2 January 2013 with the support of the Infocomm Development Authority of Singapore (IDA).

The PDPC will undertake education and outreach programmes to help organisations and the public understand the law, as well as issue advisory guidelines for organisations to comply with the PDPA, from the first half of 2013.

The Commission will also work closely with sectoral regulators such as the Monetary Authority of Singapore (MAS), as well as associations including the Singapore Business Federation (SBF) and the Consumer Association of Singapore (CASE), to help organisations adjust to and comply with the Act. It will set up the Do Not Call (DNC) registry for public registration in early 2014.

The Data Protection Advisory Committee will be formed on 2 January 2013 to advise the PDPC on matters relating to its key roles: administration and enforcement of the Act.

According to an earlier report, the Act covers all private sector organisations engaged in data activities within Singapore. The Commission can impose fines of up to 1 million Singapore dollars (about 820,000 U.S. dollars) for every offence, and penalties of 10,000 Singapore dollars (8,200 U.S. dollars) for every unsolicited marketing call or message to a number in the “Do Not Call” registry. This move would be a major step in consolidating data protection and privacy efforts in Singapore.