QPC Security - Breakfast Bytes
Cloud versus premise
Episodes
Friday Oct 04, 2024
In this compelling episode of Breakfast Bytes, host Felicia King delves into the complex world of cloud computing, exploring the intricacies of public cloud, private cloud, self-hosting, and premise servers. With insights from a newly recognized expert in the field, this episode promises to challenge conventional wisdom and offer fresh perspectives on hosting decisions.
Felicia unravels the hidden costs and maintenance challenges of managing workloads, whether in the cloud or on-premise. She highlights the significant financial implications and the importance of competent management, urging listeners to reconsider the assumptions surrounding the efficiency and cost-effectiveness of cloud solutions.
The episode takes a surprising turn with revelations from Dr. Eric Woodell, whose groundbreaking work questions the reliability of current data center practices. Felicia discusses how Dr. Woodell's findings, backed by Lloyd’s of London, cast doubt on the presumed dependability of cloud-hosted environments, drawing a startling analogy to the aviation industry’s safety standards.
As the narrative unfolds, Felicia emphasizes the critical need for effective vendor risk management and the pitfalls of relying on inadequate compliance certifications like SOC 2. She challenges listeners to rethink their approach to third-party risk management and the true value of certifications in ensuring data security and operational integrity.
Join Felicia King in this thought-provoking episode that not only informs but also inspires a reassessment of the assumptions driving today's cloud computing decisions. It's an essential listen for anyone navigating the evolving landscape of IT infrastructure and risk management.
Quick recap
Felicia discussed the importance of competent management and cost considerations in cloud hosting, and introduced Dr. Eric Woodell, an expert in the physical data center and infrastructure industry. She also highlighted the high failure rate in the data center industry, the challenges of outsourcing workloads, and the limitations and misuse of the SOC 2 certification in the data center space. Lastly, she criticized the inefficiencies in vendor risk management processes and recommended a shift in focus towards real integrity processes.
Next steps
• IT teams to reassess their reliance on SOC 2 certifications for vendor and data center evaluations.
• Business leaders to review and update their Written Information Security Plans (WISPs) to ensure alignment with actual practices and legal defensibility.
• Organizations to develop more robust vendor risk management and counterparty risk assessment processes, considering factors beyond standard certifications.
Summary
Discussing Cloud Hosting and Legacy Workloads
Felicia discussed the topic of public cloud, private cloud, self-hosting, and premise servers, emphasizing the importance of competent management and the need to consider the cost of capital expenditure when comparing on-premise servers with cloud hosting. She highlighted the historical maintenance costs of legacy workloads, such as servers on-premise and in the cloud, and the potential cost-effectiveness of hosting physical servers in someone else's data center. Felicia also mentioned a newly recognized expert in this technology who is involved with a company that certifies cloud hosting providers for insurance by Lloyd’s of London.
Limitations of SOC 2 Audits and Expert Insights
Felicia discussed the limitations of SOC 2 audits, which are conducted by accountants (CPAs) who may not have the necessary expertise to assess data center operations. She introduced Dr. Eric Woodell, an expert in the physical data center and infrastructure industry with extensive experience in auditing major organizations' assets in public clouds and colos. Dr. Woodell expressed his opinion that CPAs are not qualified to audit data centers and their operations, as they lack the ability to build and maintain them from scratch. He also shared his findings from years of audits, indicating that third-party vendors often fail to fulfill their maintenance obligations.
Data Center Industry Failure Rate Comparison
Felicia discussed the high failure rate in the data center industry, comparing it to the aviation industry. She used a metaphorical analysis from a speaker, who claimed that if the aviation industry had the same level of failures as the data center industry, there would be approximately 530 plane crashes per day. Felicia emphasized the significance of this comparison, noting that if people knew about these statistics, they might not use airplanes. She also mentioned that Lloyd’s of London, an insurance company, uses the speaker's certification program to assess data center risk. Felicia concluded that she believes in the speaker's numbers and calculations, and that the data center industry's failure rate is a cause for concern.
Outsourcing Workloads Challenges and Vendor Risk Management
Felicia discussed the challenges of outsourcing workloads, particularly in terms of reliability and support. She emphasized the importance of vendor risk management, counterparty risk management, and the underlying assumption of competency. Felicia also highlighted the need for workloads to be hosted where they can be supported by competent individuals. She mentioned the work of Dr. Eric Woodell, which has raised questions about the reliability of cloud-hosted services. Felicia also noted the shift in focus towards vendor risk management and third-party information security risk management, particularly in the insurance industry.
SOC 2 Certification Limitations and Misuse
Felicia discussed the limitations and misuse of the SOC 2 certification in the data center space. She highlighted that SOC 2 certifications are often conducted by CPAs rather than infrastructure architects, and thus may not be a reliable indicator of competency. She also pointed out that the certification is often used as a check-box exercise by business decision makers, rather than a genuine evaluation of a company's infrastructure. Felicia also touched on the HIPAA space, noting that the use of Business Associate Agreements (BAAs) is not always appropriate and can lead to unnecessary costs and risks. She emphasized the importance of third-party information security and risk management, and suggested caution when dealing with SOC 2 certifications and BAAs.
Addressing Vendor Risk Management Inefficiencies
Felicia discussed the inefficiencies in vendor risk management processes, particularly in relation to compliance certifications and the Written Information Security Plan (WISP) for tax preparers, accountants, and car dealerships. She argued that these processes often lack legal defensibility and do not align with reality, instead being mere theatre. Felicia also mentioned a class action lawsuit against a breached company, suggesting that the focus should shift to real integrity processes around vendor risk management. She recommended watching Joe Brunsman's YouTube channel for more insights on this topic.
Thursday Jan 18, 2024
Special guest Tobias Musser of MNS Group generously shares with the Breakfast Bytes audience his wisdom and insight into what is a challenging and nuanced regulatory landscape that has far reaching business implications.
https://mnsgroup.com/
A vigorous discussion of the implications of the latest DoD memo about DFARS 7012 FedRAMP or FedRAMP moderate.
FedRAMP Compliance Challenges and Hybrid Approach
Tobias and Felicia discussed the implications of a DoD memo mandating FedRAMP compliance for all products used by a DoD contractor or subcontractor. They explored the potential challenges, especially for small businesses, and the difficulties in achieving equivalence. They considered the idea of using on-premise solutions as an alternative, but noted the need for specific documentation and careful implementation. Tobias and Felicia also deliberated on the potential benefits of this approach, including the severability benefit of on-premise solutions. They discussed the challenges of finding cost-effective, user-friendly FedRAMP tools, noting their high cost and complexity. They also touched upon the implications of a recent memo that increased the requirements for FedRAMP compliance and the potential security issues associated with it. Tobias emphasized the need for increased security to protect soldiers and the country. They concluded that a hybrid approach was necessary, but the current tools were not up to the task.
Thursday Oct 05, 2023
The process of determining how workloads should be hosted is very complex and not a decision that should be abdicated to the IT service provider. Business decision-makers must be involved in those decisions as only they are able to define the key criteria that all other factors are dependent upon.
Tuesday Sep 13, 2022
Felicia King and Dan Moyer of QPC Security talk about vulnerability management, patch management and all the things that business owners generally do not understand adequately. As a result, you're being underserved, misled, and in some cases lied to and ripped off.
Ultimately, many business owners are refusing to pay for what they need for adequate risk management because they don't understand what they need. In today's episode Felicia and Dan fill that gap.
Announced on October 6, 2021, the US Department of Justice Civil Cyber-Fraud Initiative is applying the False Claims Act to those who:
• fail to follow required cybersecurity standards
• knowingly provide deficient cybersecurity products or services
• misrepresent their cybersecurity practices or protocols
• violate obligations to monitor and report cybersecurity incidents and breaches
Just let that sink in for a second. So, is your IT service provider really meeting that standard? I sincerely doubt it.
01:23 The difference between vulnerability management and patch management
Holistic vulnerability management includes, but is certainly not limited to:
• Software bill of materials analysis
• Supply chain risk management
• Third-party risk management
• End-of-life software
• Up-to-date asset inventory
• Lifecycle management
• Continuous vulnerability assessment
• Frequent penetration tests
• Tabletop exercises
• Procurement policy
04:38 Cybersecurity insurance applications aren’t asking JUST about patch management
• When did you have your last penetration test?
• Do you have continuous vulnerability assessment in place?
• How long are you going to go without having the patches applied in the environment?
If you think adequate patch management can be done for $50/mo/server, you are hallucinating.
So, what’s included in patch and vulnerability management?
05:34 Patch management
Patches are the building blocks that improve the software that lives on the hardware. Without software, you can't interact with a piece of hardware unless it's purely mechanical, and even then there are still improvements in usage.
How do you manage and protect those tools of your business from threat factors?
09:20 Third-party patches & vulnerabilities
IT service provider proposals are telling business owners that they can patch their servers and their endpoints and automate Windows updates and some third-party patches. What are those third party applications? What about all your custom business line applications? Do you actually want your critical SQL server to have its SQL instance updated using automation? How much money does it cost you if that workload is down?
10:27 Asset management
Do you know what you have in your environment? Do you have accurate asset management and vulnerability assessments? Simply stated:
“You can’t secure what you don’t have an accurate inventory for.”
It is a regulatory requirement and cybersecurity insurance requirement to adequately document and understand software dependencies in your environment. That requires a proper inventory of your hardware, software, and subcomponents of the software. This is frequently referred to as SBOM - software bill of materials. And if you think your software vendor is going to provide that information, please go ask them for that information. You will probably get a blank stare. IS security engineers can figure it out on their own.
18:48 Implementing proper procurement policies
Does your procurement policy support your vulnerability management strategy? Does your software acquisition and implementation policy (if you even have one) support your cybersecurity insurance and regulatory requirements?
When business decision makers put pressure on an IT service provider or internal IT to implement new software without proper security protocols, vetting, and process documentation, vulnerabilities are nearly always introduced into your environment. Sometimes that comes directly from the vendor's insecure software. Sometimes it comes from the tools and connectivity the vendor uses to remote into your systems, or from things like API connectors, where your IT is supposed to just blindly trust the software vendor to secure their software with zero validation or proof. A proper CISO on your team or through your ITSP will be able to directly vet the vendor and the software itself.
You are required by cybersecurity insurance and Federal regulatory guidance to do so. It is also in your business's best interest to do so.
Be very careful looking for just certifications for someone who says they are a CISO. The majority of CISOs do not have technical chops. They are often compliance managers that cannot do the technical work. Those people have limited usefulness and will not be able to
All of the vCISOs at QPC are hardcore technical because we understand the essential nature of that skillset being a mandatory requirement to deliver effective CISO services.
20:24 Privileged access management and privileged password management
How do you know who has remote access to your systems? How many people will have access to your systems? Today, there are many IT service providers who are not disclosing that their outsourced Helpdesks give full administrative-level access to a customer’s back end to all the workers at the virtual live Helpdesk. Most ITSPs also fail to disclose the total number of people that will end up with admin access to some or all of your systems.
Ask yourself. If you have 25 office personnel, why would it take 30 remote people to have admin access to your systems in order to provide competent support? Do you think it is actually possible to have a high security environment and magically keep 30 people fully up-to-speed on the exact correct configurations required in your environment and what the interaction effects are? It's not possible and will never happen.
24:27 A procurement policy can keep a business' IT costs stable
The number one thing that business owners complain about is the cost of maintenance. With a procurement policy in place, and by working with their IT service provider and not procuring anything for which they do not have a full understanding of the total cost of ownership, costs can be managed.
Does your procurement policy support your business strategy and needs?
34:22 Understanding the cost and time of device and software procurement
There are also a lot of other risks that the vast majority of people don't think about; they tend to think only about the budgetary risk. However, getting strategic input from a CISO or CIO to develop an understanding of the minimum pricing floor, and how that affects the total cost of ownership, can save a business not only money but time.
SaaS can get you closer to a flat-rate cost but you may have inherited additional risk and vulnerabilities, depending on how the new technology interconnects with your systems. Additional risk factors are:
• counterparty risk
• structural increase in cost of doing business risk
• accessibility risk (redundant access is then required and cannot be fully mitigated)
• external software vendor attack vector risk that cannot be mitigated through Layer3 ACLs
• takedown/contract risk
37:33 Cloud vs on-prem security
It's still a fallacy that having your systems in the cloud is better and cheaper; people incorrectly think they can have as good security in the cloud as they can on premise. Going to SaaS can provide a lower and more predictable TCO if the counterparty risk you accept is worth it. But picking up your servers and hosting them on someone else's infrastructure will never be less expensive. IaaS cost savings are a fallacy for the majority of businesses. The exception is massive companies with heavy DevOps needs for spinning workloads up and down quickly. Most of those items are being migrated to Kubernetes and OpenShift.
46:48 IT/IS is not a utility
The electricity company, the water utility, garbage pickup, fire and safety, ISP – they are monopolies and uni-taskers. Whereas IT is far more complex. People tend to think that if it’s a utility, therefore it’s a commodity, and if it’s a commodity it doesn’t matter which service provider I choose.
Business decision makers are trying to manage budget risk without understanding their requirements. They also want to have budgetary control while abdicating their involvement upon outsourcing their IT to an ITSP.
An IT service provider can be a partner to success and can help businesses develop better business strategies IF there is regular and open communication.
This is part 1 of a 2-part series on vulnerability management. Listen to Part 2 at https://qpcsecurity.podbean.com/e/vulnerability-management-with-felicia-and-dan-part-2. To learn more about QPC Security, visit us at https://www.qpcsecurity.com/
This is another resource for vulnerability management information.
https://land.fortmesa.com/vulnerability-management-101
Saturday Jul 16, 2022
More than 80% of breaches occur due to credential theft. All organizations have compliance requirements to have org-owned password management systems and MFA enforcement on accounts used by employees and contractors.
Some other needs which must be met are:
• Compliance attestation documentation
• Proper use of the best MFA method on a per resource basis
• Aligning business continuity objectives with cybersecurity objectives
• Developing procedures for staff on how to use the company password manager system properly
• Aligning procedures with information security policy
• Developing/enhancing information security policy
• End user awareness training around credentials, MFA, password management
• and more
I wrote a 16-page educational guide for clients to help them understand the complexities and challenges of password manager solutions and why this is not an easy button project. This podcast is a supplement to that whitepaper.
See the following supporting podcasts for additional information.
https://qpcsecurity.podbean.com/e/requirements-for-premise-hosted-assets-cybersecurity-bcdr-and-more/
https://qpcsecurity.podbean.com/e/how-to-achieve-compliance-for-privileged-account-management/
https://qpcsecurity.podbean.com/e/avoid-cybersecurity-insurance-fraud/
Why buy from QPC
QPC provides managed clients staff onboarding and training documentation. As we update the documentation with new procedures or enhancements, we publish the new versions of the documents to the client’s IT Training SharePoint library. We also make them available through the QPC Security portal which all M365 users have access to.
QPC creates and maintains workflows for cybersecurity insurance and compliance attestation for managed clients. Compliance attestation and the maintenance of the reports and workflows to produce the compliance attestation are mandatory for cybersecurity insurance and some Federal or State regulatory compliance. As supply chain and vendor risk management becomes more prevalent, organizations will need to provide proof of these items to customers or prospective customers as part of contractual due diligence. Organizations can scramble to compile these items on their own. Managed clients benefit from QPC’s compliance preparedness.
Access to QPC’s password manager import/export/business continuity procedures. Our expertise in password manager conversions reduces friction to staff adoption of the system.
Support customized to client’s unique needs
Strategic guidance on how to best use the tool to meet the staff’s needs while being in compliance and alignment with HR, information security, and company use of technology policies
Advanced security implementation services
Reduced implementation time compared to implementation by client’s in-house IT
Compliance attestation for cybersecurity insurance
HR policies which support use of the solution; employee use policies
QPC provided password security policy
Training for end users on how to set up which kind of MFA
QPC has systems for shared MFA even when OTP is not an option for a resource client staff are accessing.
Managed clients benefit from QPC’s existing R&D investment as well as ongoing enhancements of managed functionality.
No data loss or business continuity risk in doing so. At any point a client who wishes to separate from QPC can do so. This is covered in the separation area of this document.
QPC has a strong relationship with the software vendor where the feature requests we submit are typically integrated in the product in three months. We submit feature requests for functionality for managed clients.
QPC includes additional compliance modules in the subscription which are not part of the standard direct subscription. Keep this in mind when doing price comparisons.
QPC can co-term licensing for user additions
Direct software vendor support is not designed to be anything other than break/fix
Quicker response time than direct software vendor support
QPC is able to provide enterprise level support for the product whereas a direct customer would need to have a $25,000 per year support contract in order to receive a similar level of support direct from the software vendor.
QPC can be the compliance delegated admin for clients where desired. If not desired, then the client must assign and fully train the compliance manager delegated admin. Responsibilities and recurring tasks must be assigned to that person.
QPC works with managed clients to define staff user roles and assign security policies to them. Some employees should not be accessing the password vaults unless they are on company‑owned and secured systems. We define allowed platforms, security baselines, restrict data exfiltration and more.
QPC can implement additional technical controls to prevent employees from storing passwords where they should not be stored, such as browsers. We strongly recommend technical controls and ongoing cybersecurity awareness training backed by employee policies that reduce the opportunity for storing passwords related to company assets in an unapproved manner.
QPC can provide a separate end user support system for clients where they are able to contact the password manager support via email, chat, and phone. This service is not available for direct purchasers. Direct support includes only Level 1 help desk for basic user configuration or end‑user issues at the quantity of 25 per year. Free online documentation and videos are included of course.
Onboarding, new employee training, and configuration management support is not available for direct accounts.
Business continuity
Not only should all organization or company-related credentials be stored in a company-approved password management system, but at least two individuals in every department should have modify access to any shared credentials. Password management systems which meet the security requirements and are cloud-based tend to have zero trust storage methods.
Zero trust storage is a very important concept. It means that if a second person was not granted access to that data, it may become irretrievable. It also means that unauthorized parties cannot see your passwords or the content you store with them. That includes your service provider and the password management system hosting provider.
Business continuity also comes from techniques. For example, individuals who share a job function should always have their own unique logins and MFA into a system where possible. That is the dual-admin approach. Great examples of that are Constant Contact, bank websites, your company UPS account, marketing automation platforms, etc. Multiple people may be sharing a job function, but each person should have their own login IDs where possible.
In the cases where a website or resource does not allow for individual credentials for multiple individuals, the use of a password manager application with shared MFA allows the shared business function staff to have secure access to the same credential with MFA enforcement on the resource. This is a critical feature for security and risk mitigation.
Separation from IT service provider
In the case the client wishes to separate from QPC, they are able to convert to a direct paid account or able to migrate their licensing to another IT service provider. No data loss will occur as long as proper offboarding procedures are followed. The procedure is quite simple. First one must pay for separate licensing. Second, the master administrator account which is like a glass-break recovery account must be transferred to the new designated personnel. This is very easy to do since QPC’s standard business continuity protocol for configuration of a managed tenant involves the inclusion of this glass-break or master recovery account.
Friday Jul 01, 2022
You should not put things in the cloud unless you can secure them there at least as well as a highly competent professional would have if they had that asset on premise.
Cloud hosted assets have additional risks.
• Counterparty risk
• Additional outage and accessibility risk
• You have less control
• You have less security over the human or governmental access to your content
• Zero 4th Amendment protections over that data. It's fully subject to FISA searches that the provider is required to never tell you about.
Also do NOT get sucked into the scam that cloud hosting servers is more secure than if you did them on premise or somehow more cost effective. That is sheer lunacy.
SaaS can be more cost effective and more secure. Look at Office 365 as an example. That is clearly more secure, more cost effective, and more value than a premise Exchange server. Salesforce could be better for you than running your own CRM, but then you are also fully open to their crazy policies which could rip the rug out from under one of your most business critical systems.
There is no one right answer 100% of the time. Context and artistry of security strategy are exceedingly important.
This show is about these things as well as what you must have in place to have premise hosted secure assets. I describe a Tier0 asset scenario in specific and what can easily undermine it.
Premise hosted password managers
It is worth noting that extremely high functionality privileged access management and identity management systems are available in a premise hosted format which are a perpetual licensing model with very low annual software maintenance fees. These systems are exceptionally valuable to IT departments and QPC has extensive experience in these platforms. They are an exceptional value to IT management functions and IT departments.
However, most organizations, even those with full-time IT departments, will not meet the requirements for self-hosting. Why? In order for a self-hosted password management system to be successful, it relies upon many factors which must be in place and be fully executed with extremely high levels of skill and security. This level of skill is outside of the technical skill level of nearly all IT departments of companies with less than 5000 employees.
If the requirements are not fully met continually for the life of use of the platform, the platform and its contents are likely to be compromised. A compromise could consist of the data exfiltration of the entire password vault database which would be catastrophic to the organization.
Baseline requirements for premise password managers
• Extremely tight supply chain risk network layer security rules and management
• Ability to do offline upgrades for all software and systems involved
• Extremely adept underlying server, network, power infrastructure management
• Rapid patch management within 48 hours or less
• Always on scanning for vulnerability assessment backed by active monitoring and remediation
• Active monitoring
• Multiple first line backups per day with multiple encrypted offsite backups per day
• Two physically disparate sites with significant server, network, power infrastructure with automatic backup generator service and redundant internet
• Proficiency at managing SQL server replication over WAN links in an active/active SQL server configuration
• Proficiency at maintaining active/active application server configurations and automatic failover network configurations
• Absolute rigorous discipline to adhere to documented standards for vault creation, password management system administration, application updates, database system updates, OS updates, third party app updates, network layer security management across the entire internal and site-to-site connected networks. Any laxity in the discipline of the IT personnel managing the system will cause it to fail to deliver the security profile required for critical assets.
• Minimum of two servers involved with the addition of more servers if internet facing roles such as mobile access are desired
• IT personnel’s ability to implement and maintain complex privileged access management systems
• Regular security compliance and audit report reviews. This will require a CISO and/or compliance officer with significant technical skill.