For those who thought data security was hard when business was primarily on-sitewelcome to a new age of complexity. Todays business is mobile with data stored everywhere in the cloud. However, one thing hasnt changed: customers are still demanding that organizations keep their data safe. Failure isnt an option, and non-compliance with todays strict regulations brings stiff penalties and, most importantly, the loss of customer trust, something no business can afford.

In this article we will examine the key components of cloud compliance frameworks, introduce examples, and explain why aligning your data security policies and procedures to these compliance frameworks is critical for organizations looking to protect data and maintain customer trust in a mobile world.

Cloud storage and SaaS solutions bring unprecedented speed, agility, and flexibility to a business. However, trusting third-party vendors with sensitive data comes with numerous inherent risks. Here are some challenges to consider when securing your data in the cloud:

Cloud deployments deliver accessibility, but they also create open, decentralized networks with increased vulnerability. This is where cloud compliance frameworks come in. Modern enterprises need the holistic guidance and structure provided by these frameworks to keep data safe in todays dispersed business landscape.

When an organization understands the inherent risks they are exposed to through the use of cloud services, develops policies and processes to manage these risks, and, most importantly, follows through on these policies and processes, they can have higher confidence in their security posture.

Cloud security experts have identified key control categories to mitigate the inherent risk of using cloud services. These are formalized through frameworks such as the Cloud Security Alliance Cloud Controls Matrix (CCM).

Below are the components compliance frameworks utilize to drive a higher level of security in the cloud.

Governance

These preset controls protect your sensitive data from dangerous public exposure. The following are essential areas of cloud governance:

Change Control

Two of the clouds biggest advantages, speed and flexibility, make controlling change more difficult. Inadequate change control often results in problematic misconfigurations in the cloud. Organizations should consider leveraging automation to continuously check configurations for issues and ensure successful change processes.

Identity and access management (IAM) controls often experience multiple changes in the cloud. Below are a few IAM best practices to keep in mind for your cloud environment:

Continuous Monitoring

The complexity and dispersed nature of the cloud make monitoring and logging all activity extremely important. Capturing the who, what, when, where, and how of events keeps organizations audit-ready and is the backbone of compliance verification. When monitoring and logging data in your cloud environment, its essential to:

Vulnerability Management

Effectively managing vulnerability starts with a comprehensive knowledge of your environments and identifying potential risks. Smart organizations analyze all software for known weaknesses and watch for the introduction of third-party entities with potential vulnerabilities. Identifying and remediating vulnerabilities is central to any security platform and plays a major role in meeting regulatory requirements.

Reporting

Reporting provides current and historical proof of compliance. Think of these reports as your compliance footprint and very handy come audit time. A complete timeline of all events before and after an incident can provide critical evidence should your compliance ever be questioned. How long youre required to keep these records depends on the individual regulation requirementsome want only a month or two, while others require much longer. Your team must keep all files in a secure, independent location in the event of an on-site system crash or natural disaster.

These frameworks speak specifically to cloud compliance requirements. Both cloud vendors and customers should be well versed on the specifics of these three frameworks.

Cloud Security Alliance Controls Matrix: This foundational grouping of security controls, created by the Cloud Security Alliance, provides a basic guideline for security vendors, boosting the strength of security control environments and simplifying audits. Additionally, this framework helps potential customers appraise the risk posture of prospective cloud vendors.

The Cloud Security Alliance has developed a certification program called STAR. The value-added CSA STAR certification verifies an above and beyond cloud security stance that carries weight with customers. This overachievers set of standards may be the best asset for customers looking to assess a vendors commitment to security, and a must for all organizations looking to cement customer trust. Further, The STAR registry documents the security and privacy controls provided by popular cloud computing offerings, so cloud customers can assess their security providers to make good purchasing decisions.

FedRAMP: Meeting this set of cloud-specific data security regulations is a must for organizations looking to do business with any Federal agency. FedRAMPs purpose is to ensure all cloud deployments used by the Federal government have the minimum level of required protection for data and applications. Be preparedbecoming FedRAMP compliant can be a long, detailed, and exhaustive process even for well-staffed organizations. A System Security Plan documenting controls must be submitted to the Joint Authorization Board (JAB), followed by an assessment and authorization. Organizations must then demonstrate continuous compliance to retain FedRAMP status.

Sarbanes-Oxley (SOX): We can thank well-publicized financial scandals like Enron for this set of financial regulatory requirements. SOX is a set of guidelines governing how publicly-traded companies report financial data to protect customers from errors in reporting or fraud. SOX regulations arent security-specific, but a variety of IT security controls are included within the scope of SOX because they support data integrity. However, SOX audits cover just a small portion of cloud security and IT infrastructure. SOX shouldnt be taken lightly, as violators can expect harsh penalties, including fines up to five million dollars or up to twenty years in jail.

Organizations handling sensitive data can benefit from adhering to the standards set by the following security-specific regulations. These frameworks provide the methodology and structure to help avoid damaging security incidents. Here are four frameworks that organizations should have on their radar.

ISO 27001: Developed by the International Organization for Standards, this international set of standards for information security management systems demonstrates that your organization operates within the best practices of information security and takes data protection seriously. Any company handling sensitive data should seriously consider adding ISO 27001 to their compliance resume. ISO 27002 supports this regulation by detailing the specific controls required for compliance under ISO 27001 standards.

NIST Cybersecurity Framework: This foundational policy and procedure standard for private sector organizations appraises their ability to manage and mitigate cyber-attacks. A best practice guide for security pros, this framework assists in understanding and managing risk and should be mandatory reading for those on the first line of defense. NIST Cybersecurity Framework is built around five core functions: identifying, protecting, detecting, responding, and recovering. Back in 2015, Gartner estimated that 50% of United States organizations will use the NIST Security Framework by 2020.

CIS Controls: The Center for Internet Security created this guideline of best practices for cyber defense. This framework delivers actionable defense practices based on a list of 20 Critical Security Controls which focus on tightening access controls, defense system hardening, and continuous monitoring of environments. The first six are described as basic controls, the middle ten as foundational controls, and the remaining four as organizational controls.

These frameworks can be considered best practice guidelines for cloud architects, commonly addressing operational efficiency, security, and cost-value considerations. Here are three for cloud architects to keep front of mind.

AWS Well-Architected Framework: This best practice guideline helps Amazon Web Services architects design workloads and applications in the Amazon cloud. This framework operates around a set of questions for the critique of cloud environments and provides customers with a solid resource for architecture evaluation. Five key principles guide Amazon architectsoperational excellence, security, reliability, performance efficiency, and cost optimization.

Google Cloud Architected Framework: This best practice guideline provides a foundation for constructing and enhancing Google cloud offerings. This framework guides architects by focusing on four key principlesoperational excellence, security and compliance, reliability, and performance cost optimization.

Azure Architecture Framework: This set of best practice guidelines assists architects constructing cloud-based offerings in Microsoft Azure. This guide helps maximize architecture workloads and is based on similar principles as those found in the AWS and Google Cloud Frameworks, including cost optimization to drive increased value, operational excellence and performance efficiency to keep systems functional, reliability to recover from failures, and security for data protection.

Customers want to know they can trust your organization to keep their data safe. If your organization wants to conduct business with the federal government, achieving certain cloud security certifications is the procurement gate.

Cloud compliance frameworks provide the guidelines and structure necessary for maintaining the level of security your customers demand.

Additionally, these frameworks will help you navigate a regulatory minefield and avoid the steep financial and reputational cost of non-compliance. Most importantly, implementing a compliance framework will allow your organization to verify your commitment to privacy and data protection. This will keep you out of trouble with regulators and boost credibility and trust with your customers.

Security and compliance, though different, are interrelated and have significant overlap. These areas of overlap can create dangerous gaps in your defense. Innovative, continuous compliance solutions, such as those provided by Hyperproof, can help organizations identify and manage overlaps between security and compliance risk mitigation strategies to create safer environments.

Hyperproof makes the process of gaining cloud security certifications (e.g. ISO 27001, FedRAMP) and maintaining them faster and easier . Our compliance operations software allows you to see and understand all the requirements of a compliance framework. You can create controls to meet the requirements and assign controls to your team to operate or monitor. Ultimately, this will help your compliance team save time gathering evidence to verify the operating effectiveness of internal controls so compliance and security leaders can spend more time on controls testing. Hyperproof also has a Crosswalks feature that clearly identifies the overlapping requirement areas across multiple security frameworks. This allows you to leverage your existing compliance efforts to achieve certification in additional frameworks faster. Hyperproofs compliance solution provides analytics and dashboards to run a continuous monitoring program to verify your compliance status and drive remediation efforts.

To see how Hyperproof helps you gain control of your compliance efforts, sign up for a personalized demo.

MarkKnowlesis a freelance content marketing writer specializing in articles, e-books, and whitepapers on cybersecurity, automation, and artificial intelligence.Markhas experience creating fresh content, engaging audiences, and establishing thought leadership for many top tech companies. He is based in the sunny state of Arizona but enjoys traveling the world and writing remotely.

Banner photo byChristina MorillofromPexels

The post Cloud Compliance Frameworks: What You Need to Know appeared first on Hyperproof.

Recent Articles By Author

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Hyperproof Team. Read the original post at: https://hyperproof.io/resource/cloud-compliance-frameworks/?utm_source=rss&utm_medium=rss&utm_campaign=cloud-compliance-frameworks

Here is the original post:
Cloud Compliance Frameworks: What You Need to Know - Security Boulevard

LOS ANGELES, Aug. 26, 2020 /PRNewswire/ --As widespread remote working places unprecedented strain on IT networks, reevert, an intelligent hybrid data backup and storage solution, announces powerful new features to help managers keep systems operating safely and efficiently. Designed to ITAR standards for defense contractors, reevert's new tools provide the highest level of protection against data loss and threats such as ransomware, which can cost companies millions of dollars in payments and lost productivity.

reevert stores, secures and backs up the data of high-profile organizations, including the Rose Bowl stadium and financial service and healthcare companies that require sophisticated security protocols. reevert'sclients can now benefit from features that include a new monitoring system that provides detailed information on any computer in a network and alerts IT managers to issues before they escalate. Also, an intuitive new secure VPN system protects devices when staff are working on unsecured personal WiFi, while back-end improvements enhance data upload speeds on slower home networks.

Ara Aslanian, co-founder and CEO of reevert, said the company had accelerated development and deployment of these new capabilities to meet the rapidly evolving needs of network managers and the growing list of cybersecurity threats caused by remote working.

"Companies know that their data is a competitive advantage and work hard to secure it," said Aslanian. "But the switch to remote working happened so suddenly that many firms had little time to prepare their networks. These upgrades will enable customers to protect themselves from cybercriminals trying to exploit vulnerabilities in remote workforces and help them maintain the integrity of the data on which their businesses depend."

reevert 1.14.4.0 highlights:

A complete list of upgrades and more information is available here. The enhancements are available immediately to reevert customers and on Amazon Marketplace.

About reevert:reevert is an intelligent hybrid backup and storage solution, designed from the ground up specifically to protect businesses against ransomware and data loss. It features fast hourly snapshots, safeguards your data and backups, and allows quick recovery. reevert can image servers and computers, protect network shares and local files, and offers offsite cloud data backups.

For more information please visit reevert.com

Media Contact:David PatersonVenture PR424-230-3770[emailprotected]

SOURCE reevert

https://www.reevert.com

See the original post here:
Reevert Unveils Advanced Tools to Enhance Network Security and Efficiency for Remote Workforces - PRNewswire

A botched Adobe Lightroom app update on iOS accidentally deleted users photos and editing presets. Adobe responded to the widespread-bug reports and issued a patch to fix it so others wont be affected, but it cant recover any of the lost files.

Adobe says some users may be able to restore a portion of their lost photos and editing presets if they have phone backups stored in iCloud. Give that a try if youre one of the unlucky users who lost their photo history, but the odds are slim this will work for everyone. Not to be too negative here, but I dont want to give anyone false hope.

Its a bummer, but the sudden data loss underscores why you need to backup your photos in multiple locations. If you have everything stored in two or three places, youll still have extra backups if one fails.

Frankly, external hard drives or SSDs are the best options; they have high storage capacities and can be kept on-hand for whenever you need them. The downside is, external media drives are expensive. Besides, if you primarily shoot and edit with your phone, saving your photos to a hard drive isnt easy. Youre probably not looking to pay tons of money to back up your files, either. Fortunately, plenty of cloud-based services let you backup your photos for free.

There are quite a few options, but we pared the list down to websites with the most generous uploading allowances for free users.

G/O Media may get a commission

The downside to free services is they cap your storage or impose upload restrictions. Those limits arent too severe for casual photographers but will be stifling to professionals and hardcore hobbyists. Unfortunately, the only way to get around those limitations is to use a paid service instead.

There are lots of paid options like Pixpa and ImageShackplus the premium memberships from the services listed above and a whole mess of cloud storage servicesbut I want to highlight a few that you might already be paying for without realizing it, and hopefully save you some cash.

[9to5Mac]

View original post here:
Where to Back Up Your Smartphone Photos Online (and Why You Should) - Lifehacker

Google Drive may have a way that can allow malware attackers to trick victims to install malware. Malware attackers can exploit an unpatched security flaw in Google Drive to distribute malicious files disguised as legitimate files that will allow attackers to perform spear-phishing attacks. Security researcher A. Nikoci told The Hacker News that a flaw in the manage versions feature in Google Drive can enable threat actors to swap a file with malware. He also reported this flaw to Google. The manage versions functionality allows users to upload as well as manage various versions of a file, and in the way, its interface offers a new version of files. It is important to note that Google is aware of this security flaw, however, it has been left unpatched.

Logically, the feature should let users update an older version of a specific file with a new version of that file having the same file extension, however, it turns out that this is not the case. According to A. Nakoci, the affected feature of Google Drive enables its users to upload a new version of a file with any file extension on the cloud storage. Nikoci also told that Google allows users to change the version of a file without checking if it is the same type. The cloud storage service does not even force the same extension type.

Nikoci shared demo clips, and according to those videos, a legitimate version of a file that has already been shared with a group of Google Drive users can be replaced with a malicious file. Furthermore, the online preview also does not indicate new changes or raise any alarm. However, when installed, the file could be employed to infect the systems.The approach could be used for highly effective spear-phishing attacks that trick people into compromising their systems. Spear-phishing attacks usually attempt to trick victims into opening malicious links. Those malicious links can also be used to get the victim to unknowingly install malware on their device that can provide the hacker access to the victims computer and other sensitive data. Currently, the best solution is to use an antivirus and be wary of Drive file update alerts. Recently, Google also fixed a flaw impacting G Suite and Gmail users that could have let threat actors send spoofed emails even when strict security policies such as DMARC or SPF are enabled.

Read next: Autofill with Google now allows biometric authentication for all Android 10+ devices

Featured Photo: Thomas Trutschel/Photothek via Getty Images

Read the original post:
A Security Flaw In 'Manage Versions' Feature Of Google Drive Could Allow Malware Attackers Trick Victims Into Installing Rogue Code - Digital...