Feature Article: Maintaining IT Compliance in the Post-Firewall Era

By Dan Rojas and Rob Barnes, Directors, Coalfire

Post-firewall era? Firewalls obsolete? Diminishing in relevance? A few short years ago, the firewall, while not the whole security solution, was a cornerstone of enterprise security. Surrounding sensitive data with a safe, hardened perimeter was the definition of information security. Sensitive data resided on the safe side of the firewall and was protected by security staff and infrastructure within the established perimeter defined by the firewall. Firewalls are still essential to a sound security practice. However, contrast the relatively static environment a firewall can protect with today's environment, where 4 out of 5 doctors use personal mobile computing devices to access ePHI and store that data locally, unencrypted, out of the purview of enterprise IT staff. The consumerization of IT has enabled end users to store company data on service provider platforms like Google and Dropbox without consideration of IT governance. Firewalls are being bypassed and company risk assessment programs are not yet effectively considering the impact of the migration to the cloud.

The next generation of computing has begun. In fact, the shift from web services to mobile computing is not a migration. It is a stampede. We can hear whispers of the post-Microsoft era but that does not go far enough. Apple, Samsung, Qualcomm, iStore, Android and Google are supplanting big names like Intel, HP, Microsoft, Sun and Dell. The chasm between legacy PCs and laptop computers on one side and mobile devices on the other is widening at a pace not seen since the early Internet age (circa 1996) or the PC landslide (circa 1988). The inevitable migration to mobile computing supported by cloud services will provide a new generation of capabilities that continue to drive adoption at a fast rate, even without some basic controls. These systems are already bypassing traditional security controls like firewalls, log management, data protection, policy requirements and even some access controls. We are truly entering a new post-firewall era.

The number of smartphone users alone expanded by almost 500 million in 2011, according to IDC. This represents over 65% of all new subscribers. With 1.2 billion of the 6 billion mobile subscribers already on mobile broadband connections, we could soon see mobile applications and transactions exceed web-based activity within 24 months. While the overall mobile migration is impressive, the adoption by business users is even greater. Some studies indicate that over 90% of all business users have adopted smartphones with broadband connections.

The trend towards mobile computing is clear and users are blissfully unaware of risks as they access sensitive company data from uncontrolled mobile devices. However, the failure of businesses to recognize the impact on enterprise applications and data is puzzling. Very few of the new mobile devices are provided to users by employers. This resulted in an initial determination that Bring Your Own Device (BYOD) to work would save money, but subsequent reviews have found that the support costs and risks may offset the initial capital cost savings. Very few organizations have adequate policies that enable effective control over the use of mobile devices when interacting with sensitive company data or even email. Even fewer organizations have deployed mobile management, or even cloud management systems, to mitigate known risks. The result is that many organizations are no longer adequately reducing risks or operating in compliance with a wide range of IT regulations.

The post-firewall era is not a poor reflection on firewall technology.  The reliance on outdated perimeter security strategies has produced a significant number of healthcare data breaches resulting from mobile computing device loss or theft.  This points to the need to change security programs to address the emerging risks due to tectonic shifts in computing platforms.  The old access controls, perimeter security, encryption, configuration management and logging solutions are not aligned with a mobile computing environment.  We still need those early-generation infrastructure-level controls, but they need to be deployed in a way to protect data in a multi-tenant environment.  More importantly, the users of mobile computing platforms must demand that their service providers integrate data and application-level security into the DNA of these new mobile devices and cloud platforms.  

A shift in computing platforms does not have to result in a lower level of data protection, system integrity or IT compliance.  We have to re-evaluate our risks and take justified actions to update security programs.  Once the security programs are updated, organizations will be enabled to update compliance validation testing and reporting programs.  Since “security does not equal compliance”, organizations should update both programs to address the new computing environment.

Cloud Migration
The migration to mobile computing was fully exposed when I took my seat for a recent flight to New York.  An executive sitting next to me was frantically pounding on the virtual keyboard of his new iPad.  I had to ask why the frantic typing.  He admitted that he was late in preparing a board briefing that was due in a few hours.  He was working from a personal iPad, which was NOT registered with his company and was accessing sensitive sales data hosted by an outsourced CRM service from the airline Wi-Fi (no firewall) to prepare a strategic sales update.  When the update was done, it was emailed (and cached on his iPad) from the plane’s Wi-Fi network.  

Some of the most critical intellectual property and sensitive reporting for a public company were processed without a firewall, no company access controls, no logging, no antivirus protection or end-point security, and no encryption to protect the sensitive data.  While the sales executive was finished with his highly productive report, it made me wonder what the Director of Internal Audit or the CISO would report at that same board meeting.  Would the Internal Audit Director report to the board that the IT controls established a few years ago are managing only 60% of the company activity today?  The other 40% is uncontrolled.  Will that status be reported, and how well will that report be received?

Examples of other sensitive transactions range from the use of healthcare records on doctors’ iPhones to mobile banking or even to buying pottery in a city park from a vendor processing your credit card on that same iPhone. The key is that this migration is actively underway now and we should be taking appropriate actions to mitigate new risks before the first major mobile event is uncovered. That first event will likely become the face of mobile security negligence. The CEO of XYZ company will have to explain to customers, shareholders, regulators and even the industry why mobile controls were not integrated into new platforms when the risks were known.

New Mobile / Cloud Risks
While the risks associated with cloud service delivery and mobile computing are known to the professionals within the industry, they may not yet be commonly known to all users of the devices or to the executives responsible for protecting company assets. The Open Web Application Security Project (OWASP) is a widely recognized industry organization that develops application-level security programs and policy considerations, and it recently published known risks associated with deployment of cloud services. The following summary of risks combines the OWASP analysis with some insights developed by the Coalfire team as it works with its clients across regulated environments:
 

OWASP Application Risks
  1. Insecure Data Storage
  2. Weak Server Side Controls
  3. Insufficient Transport Layer Protection
  4. Client Side Injection
  5. Poor Authentication and Authorization
  6. Improper Session Handling
  7. Security Decisions via Untrusted Inputs
  8. Side Channel Data Leakage
  9. Broken Cryptography
  10. Sensitive Information Disclosure

Governance, Infrastructure and Network Risks
  1. Limited visibility into devices on the network or accessing data
  2. Lack of effective Data Protection (primarily encryption)
  3. Lack of logging and monitoring of both access and security events
  4. Lack of end point security (configuration management, vulnerability management and malware protection)
  5. Limitation of application deployment (no white list or black list of applications to prevent malware)
  6. Outdated Policies
  7. Ineffective change management processes
  8. Bypassed remote access controls by mobile users and third parties
  9. Lack of integration into governance and oversight


Risk Management Strategies
The first step in the process is to get informed and connect with your workforce.  The short-term risk mitigation steps require cooperation between systems users and data owners.   Even so, these risk mitigation steps may not allow each organization to achieve security objectives or maintain regulatory compliance in the financial services or healthcare sectors.  However, the following steps should help organizations avoid claims of negligence.

  • Conduct a risk assessment for each critical data source and application.  Understand the mobile risk on the server side and restrict access to mobile devices accordingly.
  • Select an updated and justified matrix of controls to mitigate risk on mobile devices and the server side of the connection.
  • Publish mobile device policies to include the following baseline controls:
    • Require that user access credentials be entered prior to accessing enterprise applications and data.
    • Require devices to be registered with the organization and permission granted to remotely wipe the device if it is lost or stolen.
    • Prohibit the device from being jailbroken or rooted to reduce risk of vulnerabilities and prohibited applications.
    • Periodically inspect the devices for unauthorized settings and applications. If these exist, restore the device to the default setting or prohibit access.
    • Enforce configuration and security policies via an MDM or other configuration policy manager to protect corporate data. These configuration settings should include:
      • Enforcing of complex passwords on the mobile device.
      • Enforcing only secure connectivity via Wi-Fi WPA2, SSL, Certificates, or VPN.
      • Enforcing use of corporate credentials where possible via LDAP, Active Directory, etc.
      • Enforcing a data retention policy for corporate data, i.e. shared files, email, etc.
      • Locking down device capability while accessing corporate network resources, including disabling of Bluetooth, unprotected Wi-Fi, built-in camera, etc.
      • Enforcing audit logging on the mobile device where applicable.
  • Enhance Mobile Device Management in accordance with company policies.
  • Develop and enforce third-party or vendor controls required to serve or host applications and data to your users.  An increasing number of cloud service providers are building security and compliance into their solutions but only provide them to clients who ask for them.  There may be an additional charge to get the “secure” version of cloud services but the increased cost may be worth it.
  • Enhance system monitoring for those systems that allow mobile access.  The monitoring should be tuned to collect date and time of access, the individual accessing data, and types of data accessed, if possible.  This monitoring will be essential to avoid data breach notification upon loss of a device as well as monitoring rogue access by a device user.
  • Update Incident Response Plans to accommodate event analysis for a stolen device, defined incident declaration, and investigation procedures to determine the potential for data loss.  (This step may require hiring a third party to perform device forensics or analysis of stored data from server logs.)
  • Implement an awareness campaign and train your employees on the risks of using mobile devices in the workplace (malware, appropriate vs. inappropriate use, etc.).
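
The monitoring and incident-response steps above can be exercised together when a device is reported lost. The following is an added example, not part of the original article: it assumes a simple access-log format (timestamp, user, device ID, data type), constructed sample records, and a hypothetical set of data types classified as sensitive.

```python
from datetime import datetime

# Constructed sample access log with the fields the monitoring step asks for
# (date/time, individual, type of data) plus a device ID from registration.
ACCESS_LOG = """\
2012-03-01T08:15:00 jdoe dev-ipad-17 crm_sales_report
2012-03-01T09:40:00 jdoe dev-ipad-17 email
2012-03-02T14:05:00 asmith dev-phone-04 ephi_record
2012-03-03T07:55:00 jdoe dev-ipad-17 crm_sales_report
2012-03-03T22:10:00 jdoe dev-ipad-17 ephi_record
"""

# Assumption: the data types this organization classifies as sensitive.
SENSITIVE = {"crm_sales_report", "ephi_record"}


def parse_log(text):
    """Parse 'timestamp user device data_type' lines into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, user, device, data_type = parts
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "device": device, "data_type": data_type})
    return events


def assess_lost_device(events, device, lost_at):
    """Summarize potential exposure for a device reported lost at lost_at."""
    mine = [e for e in events if e["device"] == device]
    before = [e for e in mine if e["time"] <= lost_at]
    after = [e for e in mine if e["time"] > lost_at]
    cached = sorted({e["data_type"] for e in before} & SENSITIVE)
    return {
        # Sensitive data the device accessed (and may hold) before the loss.
        "possibly_cached": cached,
        # Access after the reported loss time: investigate as possible rogue use.
        "rogue_access": [(e["time"].isoformat(), e["data_type"]) for e in after],
        # Declare an incident if either kind of exposure exists.
        "declare_incident": bool(cached) or bool(after),
    }


if __name__ == "__main__":
    lost = datetime(2012, 3, 3, 12, 0)  # constructed loss-report time
    print(assess_lost_device(parse_log(ACCESS_LOG), "dev-ipad-17", lost))
```
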

Compliance Program Changes
We all understand that achieving regulatory compliance does not always result in an effective security program. The opposite is also true. For regulated industries, adequate security programs may not satisfy specific compliance requirements. The migration to cloud services and mobile device usage also introduces challenges to compliance validation. The following section summarizes the Top 10 Cloud Compliance Challenges and provides recommendations to overcome those challenges.

Top 10 Cloud Compliance Challenges and Remediation Recommendations

1. Scope and Cloud Boundaries

  • Map data flows and identify the full scope of the environment to include all backup systems and facilities
  • Ensure a secure logical and physical perimeter is established to protect critical systems and sensitive data
  • Characterize systems to enable identification of appropriate test procedures that include cloud service providers and mobile users
  • Determine size and consistency of the environment to select an appropriate sample size for testing and control validation

2. Updated Test Procedures and Testing Skills

  • Establish a baseline reference architecture for cloud deployment
  • Establish effective test procedures to determine compliance to the baseline
  • Ensure all active and dormant virtual systems are included in the testing if the in-scope systems share the same hypervisor

3. Mobile and Cloud Policies

  • Update policies for cloud and mobile computing
  • Train users on new mobile security responsibilities

4. Cloud Server and Mobile Device Configuration Management

  • Require users to register mobile devices
  • Establish configuration standards for dedicated platforms (physical and logical), mixed mode and multi-tenant environments

5. Logging and Monitoring

  • Require all virtual systems and mobile devices to deploy logging solutions
  • Establish a process for secure log collection, review and storage with full transparency into the events and alerts that are generated
  • Maintain a log archive on a physical or virtual system that cannot be accessed by operators to support incident investigation and compliance validation testing (at a third party or at your facility)
  • Verify that you have access and authorization to correct issues and address events

6. Access Controls

  • Establish a central identity verification and access authorization system
  • Require “granular” authentication to enforce limitations in access authorizations (even on virtual systems and mobile devices at the OS and application levels)
  • Especially watch the level of remote access and administrator access by third parties who may not have the need or authority to access sensitive data
  • Demand access to logs to verify users accessing systems and data
  • Maintain logs from virtual systems or mobile devices to enable incident investigations and compliance validation testing
  • Integrate cloud and mobile devices access log reviews and alerts into Incident Response Plans

7. Vendor Management

  • Identify all vendors and third-party services providers who have physical or logical access to systems and data
  • Verify that all third parties are operating in compliance to regulatory requirements
  • Are the third parties audited …. To those requirements?
  • Confirm that all third party contracts include right to audit or review audits

8. Data Protection / Encryption (at rest and in transit)

  • If an ISOLATION strategy has been deployed to protect sensitive data, map data flows and access limitations to ensure isolation can be maintained in a virtual or mobile environment (typically, it cannot)
  • Establish an encryption program designed for the virtual environment deployed
  • Ensure key management procedures and key custodian designation do not allow unauthorized access to sensitive data

9. Data and Device Disposal

  • Maintain an inventory of all virtual systems or mobile devices that access or maintain copies of sensitive data
  • Establish a process to ensure all systems are securely wiped or properly disposed
  • Establish a process to securely wipe storage on all lost or stolen mobile devices

10. Training

  • Identify new skills required to support the environment or controls to secure the environment
  • Establish a training program to train users, administrators and assessors to effectively maintain controls and conduct compliance validation testing

 


Readers will quickly understand that “your mileage may vary”. Every environment includes its own unique risks, and almost every cloud service and deployment of mobile devices includes the top 10 challenges listed above. As part of your annual risk assessment process, it would be important not only to identify the risks but also to establish the measurable controls justified to mitigate those risks. Those measurable controls could then be integrated into your compliance validation testing and program reporting.

Conclusion
While current controls may not be adequate to fully secure mobile devices and support cloud infrastructure, specific risk mitigation steps will dramatically reduce claims of negligence or issues with maintaining IT compliance. In the near future, organizations should carefully consider a migration to “SECURE and VALIDATED” cloud services as a replacement for current enterprise applications. Much as the migration of federal systems to the cloud is being managed by FedRAMP, where security will be tested and validated by third parties prior to authorizing the migration, each commercial entity should consider working with its internal development teams and vendors to develop secure mobile applications that leverage new security features designed into the next generation of smartphones.