Understanding the concepts of an -AAS
In recent years, we have seen many transitions from the traditional ‘do-it-yourself’-concept towards a shared responsibility concept, where various parts of the infrastructure, server architecture or associated services are offered in a service model. Many organizations are already using storage as a service (SAAS), platforms as a service (PAAS) or infrastructure as a service (IAAS). The most recent popular concept, the virtual datacenter (VDC) includes elements from almost all these service offerings. It is only a matter of time until the traditional providers of more business-oriented services will start adopting their service offerings to business that have started to embrace the shared services-model. We see it for example already happening in monitoring, capacity planning, logistics and back office fulfilment.
One of the areas where recent developments are looming on the horizon is information security. Information security is often positioned within an IT-department, with the backing of management by having an information security officer. This CISO-role is normally broad but mainly oriented towards policy development and organizational support on the information security functions.
In the practical day-to-day operation, information security is positioned within the ICT-level in many organizations. Although all knowledge and execution power seems to be present at that level, one might argue that it may be awkward having a team testing itself. There is also a major risk that the operational practice of information security has to compete with resources to deliver the goals for the core business.
There is a practical solution to both meets the information security requirements, while keeping the resources for tending to the core business: the introduction of the virtual CISO. The virtual CISO is a security officer that teams up with the existing CISO and the existing IT-team in order to provide the security layer that many organizations are missing. It enables the existing CISO to stay informed, execute the necessary operational activities, mitigate risk and stay in control. On the other hand, the existing staff on IT-level will gain access to a knowledge base, practical advice and access to the experience that a virtual CISO has developed in all the organizations that use the service.
The main advantage of having a virtual CISO is that organizations have a knowledgeable and pro-active expert within reach that provides advice, whether asked or not, about information security. If an existing CISO wants to stay in control and be assured that his information security is taken seriously, it is vital to introduce such a layer within the organization.
A virtual CISO can help during different phases. On the drawing board, information security can be introduced in the architecture as soon as possible, but also topics like encryption can be addressed in an early stage. During the execution, many tasks need to be carried out, for example vulnerability scanning, base lining systems and creating and adopting hardening guides. A virtual CISO arranges the required resources and provides the documentation and knowledge to build a secure infrastructure. After deployment, the virtual CISO periodically benchmarks systems and networks using vulnerability assessments and penetration testing, but also provides feedback to the engineers on recent security developments or possible threats.
Security with cloud providers
The use of cloud providers for servers and infrastructure requires extra effort in enforcing security. It requires an organization to set standards and cooperate with a cloud provider in order to provide assurance of its information security. For a private cloud, the span of control is typically wide enough to enforce internal security standards to a cloud implementation. The use of a public typically involves purchasing services from a third party. This third party offers the infrastructure, virtual platform or service bus that is described as the cloud and also delivers this to other customers.
In order to make sure that data and resources are adequately protected, organizations ideally would lay down the proper guidelines and terms in a service provider agreement. This agreement typically lists the information security responsibilities, the classification of media and data, and the typical security measures that each party will address. For example, it should make clear who performs a daily check of log files and who can be contacted in the case of a security breach.
Of course, it is not always possible to draft such an agreement: the major public clouds are offering their services as-is. It is difficult to have them participate in customized provider agreements. This does not mean that these providers do not address security, but it requires a thorough due diligence from the customer in order to assess if the service offered matches the required security level.
A risk-based approach
The different challenges and tasks surrounding information security need to be addressed in an efficient and effective manner. As PCI-DSS QSA, we often see that a risk-based approach delivers the requested quality and actually increases information security. We firmly believe that a security exercise should be more than an exercise in ticking boxes and that a proper implementation of the right measures both helps provide compliancy and increases the information security. A virtual CISO can help in this process by providing intelligence and knowledge in order to stay in control.
New technologies and threats
New technologies emerge faster than any security standard can adapt to. And while the many standards are revised and reviewed at regular intervals, it is impossible to get head-to-head with current developments. A virtual CISO is equipped to be in the forefront on technology and provides adequate advice to its customers on technologies and threats. A good virtual CISO is comfortable working in an environment in which the applied techniques develop faster than the security standard. From our part, we continuously train our staff to support clients that base their success on the availability of cutting-edge technology. We also embrace technology as a potential enabler for both business and security use.
About the author:
Vincent Ossewaarde is CEO of Fortytwo security and a PCI QSA with over 20 years of experience in the field. Based in Amsterdam (The Netherlands), Fortytwo security is PCI-DSS QSAc and provides virtual CISO-services and offers security, PCI audits and consultancy. Fortytwo security serves clients in the fields of e-commerce, hospitality, financial services and media. The author is also part of the national advisory board on information security and works as a QSA and consultant in the payment industry.