Covering the Cloud: How to Secure the Cloud

We have discussed the changing IT landscape as the age of digitisation gains traction and growth in connectivity continues apace. The cyber attack surface is increasing, and so are the scale and sophistication of attacks, as identified by Cisco in its latest annual cyber security report.

Security breaches will continue to happen because there is too much going on in organisations’ systems to provide complete protection, especially with the growing sophistication of threats. Security needs an approach that provides not only for known but also for unknown threats, and that addresses cyber security before, during and after a cyber attack.

Some of the key features that need to be addressed with this new cyber security approach include:

Visibility Control

Users will try to use whatever they can to get the job done. Organisations need visibility and control of what applications are being used in the cloud and remotely, especially with the growth of new SaaS applications. Visibility enables an understanding of what is being used in line with policy, what is out of policy and what is a threat. Visibility is the first step to controlling and securing the organisation’s environment based on what services should be provided.

Securing Cloud applications

As SaaS applications are increasingly being deployed in public clouds such as Amazon Web Services and Azure, it is vital to ensure that the cloud platform is secure. Even though the cloud providers will deploy their own security solutions, organisations also need to implement independent security systems to secure the user and the data as this is not the responsibility of the cloud provider.

Extend protection to the edge

As remote connectivity and branch networking trends increase in popularity, the security solution should be adaptable to extend the necessary features such as firewalling, threat management and anti-malware capabilities to the edge of the network as opposed to the current centralised deployment.

Virtualise the security architecture

The need for security is now pervasive at the client, the branch, the HQ as well as public and private clouds where SaaS applications are located. This necessitates the capability for a virtualised security architecture where the panoply of security functionality can be deployed easily at any location.

Threat intelligence

Most organisations deploy security components from multiple vendors. An intelligent approach to securing information and systems in the emerging environment must make use of threat intelligence. This is the ability to take intelligence feeds from other sources, such as other security vendors’ feeds, and make context-based threat assessments relating to your organisation and what they mean for you. This assessment can naturally feed into automated protection mechanisms.

This roundup of security requirements and features is a summary of what we need to look for in our security approach as we hurtle towards digitisation and a predominantly cloud based environment. In our next installment, we will discuss some practical solutions and explain what is now being termed the Secure Internet Gateway.

 

What the Future Holds for Theatre and Digital

‘Prologue’

Live-to-digital is not only about the big wins. Items such as digital programmes can be an effective means of enhancing the in-theatre or pre-theatre experience, and such offerings have been well received by younger audiences. Moreover, by utilising such elements coupled with ambitious streaming strategies, the opportunity becomes more pronounced. Target an audience and create an immersive experience and your production could easily transcend international boundaries.

 

As much as technology allowing new distribution channels is influencing the industry, the introduction of immersive technologies could be on the cards as well. High-definition, virtual reality, 4D and binaural sound are just some of the features that today’s production companies are exploring. Expect these to become more widespread.

 

As a final step, it seems theatres, venues and producers may also share a common desire for more open dialogues between each other. Shared calendars and community-centric initiatives could help the category grow at both a local and national scale.

 

In the final scene of this four-piece epic, you will discover how the world of live-to-digital could play out in years to come. While no-one can claim twenty-twenty foresight, the trends point in one direction – and that is a continually growing digital audience.

 

At no point in the journey has there been any sign of diminishing viewership as audiences clearly enjoy the distinctive qualities, as much as the novelty, of both the streaming and Event Cinema experience. So, as technology advances, it seems logical that attendances will grow – as will ambition – and it will remain a fascinating space to watch.

 

And not only for those with larger budgets.

 

As case studies suggest, even smaller productions can achieve great things with the right targeting and a positive, focused strategy. Much like the sport and music industries have grown via increased adoption of digital, expect the same in the nascent space of online, or big-screen, theatre.

 

In particular, dramas and musicals could dominate as the crowd have shown a clear preference for these two forms.

 

Enhancing a Performance: The Great and The Small

Though the opportunity is profound, theatres continue to look to the future with trepidation, unsure how to capitalise on emergent technologies. Although grander-scale projects may be unachievable for modest budgets, smaller wins do exist.

 

One of the surprise enjoyments among certain strata of the audience has been the introduction of digital programmes – either as a precursor, or supplement, to the performance. Sharing details of upcoming productions via digital means has been a reliable marketing technique for many theatres with the majority of viewers appreciating the ease of access alongside greater access to information.

 

Taking the concept one step further, when distributing digital versions of programmes to a live audience, the idea was particularly well-received amongst younger attendees, with some enjoying features such as director comments or commentaries to supplement the actual show.

 

While this may not be to everyone’s taste, it is essential to understand what audiences are looking for and to be both creative and accommodating when enhancing the overall experience. As the future evolves, who knows what role digital will play outside of streaming and event-based spectacles.

 

Beyond Event Cinema

 

 “It’s a risk-averse sector with an ostrich mentality – if they bury their head in the sand, digital is going to go away.”—Producer

 

An important outcome is that prospective participants are not overawed by the big-budget Event Cinema productions that dominate newspaper headlines. While they are indeed a force within an emerging industry, these channels only make up a corner of the wider landscape.

 

Where the barriers to entry in the Event Cinema market are prohibitive – be it budget, brand equity, capital or casting – the ongoing growth of streaming demonstrates there are multiple ways to explore new segments at a reasonable cost.

 

Taking cue from the Belarus Free Theatre – a politically-motivated production company who seek to connect with audiences across the Eastern Bloc – by being open-minded with capabilities, creative with distribution and proactive in forging partnerships through a focused tender process, the company was able to generate a live stream of each one of their recent performances; reaching an audience of thousands in upwards of 30 countries.

 

The lesson here is that if you know who you want to reach, as well as understand the style of production you’d like to achieve, anything is possible. In pursuing a number of leads and being open to suggestions when it came to the final production technique and streaming strategy, the company achieved impressive results for a modest outlay.

 

Of note amongst those who plan to offer live-to-digital experiences in the future, the majority will make use of their existing digital assets –  such as their own websites – to distribute content directly to their fan base. They are also looking to partner with third-parties within the industry to support widespread enjoyment of the arts.

 

It is clear from the mix of distribution channels that, while cinemas will remain the big-ticket venues of those with higher budgets, online channels offer a valuable outlet for those with constraints but who are eager to reach a broad, even international, audience. This space could likely grow at a significant rate.

 

 

A Different Kind of Reality

Adoption of new technologies in cinema is widespread, with augmented screenings commonplace across the majority of venues. While this works in the world of Hollywood, is there any suggestion it could transfer to live theatre? Given the virtual and augmented reality industries are expected to surpass $30 and $120 billion in revenues respectively by 2020, these avenues are worth exploring.

 

There are global production companies testing the limits with the LA Philharmonic Orchestra recently delivering a virtual reality performance to an LA-audience in underserved communities. Beaming a four-minute rendition from the Walt Disney Concert Hall, this was an exciting excursion for a not-for-profit who are keen on sharing their prowess with a wider world, showcasing the potential of such technologies.

 

As ever, the National Theatre Live remains a trailblazer in the context of digital with their 2015 broadcast of Hamlet being the first ever ultra-high-definition 4K multi-site transmission. The fastest-selling show in London’s theatre history, this could signal the desire for top-quality reproductions at a national level. Moreover, there are even suggestions of supplementing such shows with physical effects – such as rain or vibration – bringing rumours of the pending arrival of 4D.

 

Such sophisticated technologies do have the same prohibitive cost as traditional Event Cinema, but one thing could help: the prospect of smaller organisations entering into short-term partnerships with larger productions to deliver condensed schedules of performances that generate interest among higher-profile players. Exactly how this might look is still open for discussion. However, it seems many are interested in exploring such avenues.

 

Poignantly, such technological advancements can also bridge the experience gap between live and digital. In the context of Complicite, they broadcast a production of The Encounter, which was the first ever performance to harness binaural sound – where the sound is recorded with two microphones to create a 3D audio experience. With both the live audience and those streaming (through YouTube and The Barbican’s website) wearing headphone sets, the sound created a vividly intense atmosphere equally enjoyed by those at the production as much as by those elsewhere.

 

As well as preserving the individualistic nature of the in-theatre experience, the distribution channels also allowed a large proportion of the audience to view the content online, logging in from locations as remote as Taiwan with the demographics representing a younger age group than Complicite would expect to attract.

 

At a modest cost of £50k, the live stream was a potent new marketing channel for a well-received production whose success suggests further opportunity awaits in the augmented arena.

 

Opening New Dialogues

As much as the power of collaboration could propel the industry to new heights, a second quick win could also be on the cards.

 

A resource such as a shared diary between participants would allow those in Event Cinema to see what is on the horizon in local areas, supporting scalable growth through avoiding unnecessary clashes while also empowering communities to develop localised artistic offerings.

 

“We are all aware of what is going on in terms of Event Cinema – but I don’t know, without digging quite deeply, what’s happening in regional venues… Say I want to put on an encore of the Audience, I don’t know what the local ‘live’ competition is. If there’s less relevant competition in the marketplace [during a certain period], I’m going to sell more.”—Exhibitor 

 

Opening a communication channel such as this could facilitate closer working relationships between entities, which would foster an atmosphere of enhanced growth as joint ventures evolve. Both venues and production companies could benefit from newfound transparency. Where cinemas continue to showcase a commitment to local communities, theatres could be more forthcoming in their own plans to establish initiatives that serve both personal and collective interests, evolving audiences and sharing information that helps develop the industry as a whole.

 

There is even talk of the digital-first tour with both live and online performances – that also include post-show discussions – beamed to multiple venues concurrently. As the focus shifts to more ecologically-minded ways of operating, this could be one direction that fosters significant support.

 

If nothing else, it could marry existing beliefs:

 “Digital is the new touring model.”—Artistic Director 

 

Once More unto the Breach

Now, to bring this to a close. These are exciting, if mildly unnerving, times for an industry in transition. As is visible elsewhere, technology has untold potential. However, it is a question of exploration if production houses are to unearth its full potential.

 

With both streaming and Event Cinema proving compelling mediums for building an audience of a different kind, there are limited reasons to discount entering the live-to-digital category completely.

 

Establish a target audience, identify your channel and enjoy the exploration – it is only in doing that people can learn, and there is plenty of support on offer to support those who dare to forge new paths.

 

*End*

GDPR: 9 Steps to Implement a Security Mgmt Tool


Background

The General Data Privacy Regulation (GDPR), officially known as REGULATION (EU) 2016/679, will come into force on 25th May 2018. The regulation covers the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation builds on existing data protection regulations such as the UK Data Protection Act 1998, the Belgian Privacywet, or the German Bundesdatenschutzgesetz (BDSG).

The regulation will affect the vast majority of businesses as most businesses today hold personal data, even if it’s only HR data. A significant change is that it will put data processors under significantly more legal liability if a breach occurs.

Breaches will need to be reported within 72 hours and must include information such as:

  • The nature of the personal data breach including, where possible:
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

 

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place. The following sections of this booklet outline a checklist to implement a robust security and event management platform that will be a core component of a GDPR compliant security strategy.

 

  1. Implement a Security and Event Management Tool (SIEM)

A SIEM is a fundamental security tool for many organisations.

Implementation of a SIEM helps companies monitor all users and system activity to identify suspicious or malicious behaviour. This is achieved by centralising logs from applications, systems, and the network and correlating the events to alert where unexpected activity is detected.

You can then investigate the cause of the alarm and build up a view of what has occurred by determining if a particular attack method was utilised, looking at related events, source and destination IP address, and other details.

Article 30 of GDPR states that each controller, and where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

You must also take into consideration data stored or processed in cloud environments. If personal data is in the cloud, it is within the scope of GDPR, and therefore it is beneficial for the SIEM tool to maintain a record of activity across your public and private cloud infrastructure as well as on premises.

 

  2. Create a Log of Critical Assets that Store/Process Sensitive Data

GDPR covers all IT systems, network, and devices, including mobile devices, making it essential that you account for all assets across your infrastructure and understand where personal data is held.

It’s important to record all assets and locations that process or store personal data. It’s also worth noting that your company could be exposed to attacks and regulatory fines if employees process or store personal data on unapproved devices.

Without strong governance practices in place, it can be easy to lose track of assets.

It is important to sample your systems, networks, and data stores to determine if personal data is exposed outside your defined data flows and environments.

Keep in mind that this is a process. Records will need to be updated on an ongoing basis as your business and technology changes.

 

  3. Undertake Vulnerability Scanning

To identify where weaknesses exist that could be exploited

New vulnerabilities in systems and applications arise almost daily.

It is essential that your organisation stays on top of these weaknesses with regular vulnerability scanning.

These vulnerabilities may exist in software, system configuration, in business logic or processes. It is essential to consider all aspects of vulnerabilities and where they can exist.

However, simply finding a vulnerability is often not enough.

There are multiple factors that need to be considered such as whether the systems are in accordance with GDPR and what the business-criticality is, whether intrusions have been attempted, and how the vulnerability is being exploited by attackers in the wild.

Effective vulnerability assessment requires continuous scanning and monitoring of critical assets where personal data is stored or processed. It is equally as important to monitor cloud environments in addition to on-premises environments.

 

  4. Conduct Risk Assessments

To identify where weaknesses exist that could be exploited

The use of an information security framework can assist by providing a starting point for organisations to better understand the risks facing the business.

Article 35 of GDPR requires organisations to conduct a data protection impact assessment (DPIA) or similar, whereas Article 32 of the regulation requires organisations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Existing frameworks such as NIST, ISO / IEC 27001, or similar standards can assist companies in undertaking and supporting the DPIA process.

While GDPR does not specify a framework for risk assessments or threat modelling, a company’s adherence to any well-established and internationally recognised standard will make demonstrating compliance with Articles 32 and 25 much more likely in the event of a breach.

 

  5. Regularly Test

To gain assurance that security controls are working as designed

GDPR asks for a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Assessing and evaluating the effectiveness of security controls is by no means an easy feat. Usually, the larger the IT environment, the more disparate the technology stack, and the more complex the environment. Thus, the harder it is to gain assurance.

Three broad techniques exist to validate the effectiveness of security controls:

  1. Manual assurance. This involves audits, assurance reviews, penetration testing and red-team activities.
  2. Consolidated and integrated security products, so that fewer point products need to be managed and reported on.
  3. The use of automated assurance technologies.

With these methods, you can gain a measure of assurance that your systems are secured as intended. However, it is worth remembering that assurance is not a one-time effort, rather an ongoing, repeatable process.

 

  6. Ensure Threat Detection Controls are in Place

To reliably inform you in a timely manner when a breach has occurred

GDPR requires organisations to report to the regulatory body within 72 hours of being aware of the breach.

For high-risk events, the controller must notify data subjects without any delay. The typical time-to-compromise continues to be measured in minutes, while time-to-discovery remains in weeks or months. In such circumstances, it’s essential to have comprehensive threat detection capabilities that can detect issues as soon as they occur.

Threats can occur internal to the company or externally and can be on-premises or in cloud environments. This makes it important to be able to collect and correlate events quickly as well as supplement the information with reliable threat intelligence to stay on top of emerging threats.

There is not one place or tool that will be suitable for all purposes. At times a threat is discovered on the endpoint, the perimeter, or by analysing internal traffic. In this case, controls should be placed accordingly in the environment to increase the chance of detecting threats as soon as they occur.

 

  7. Monitor Network and User Behaviour

To identify and investigate security incidents rapidly

GDPR is focused on ensuring that citizen data is gathered and used appropriately for the purposes it was stated.

Therefore, it is important to focus not just on external threats or malware, but also to detect whether users are accessing data appropriately. Context is critical when evaluating system and network behaviour.

For example, an abundance of Skype traffic in the network used by your inside sales team is probably a normal part of operations. However, if the database server that houses your customer list suddenly shows a burst of Skype traffic, something is likely wrong.

There are many methods that can be deployed to monitor behavioural patterns. One method is to utilize NetFlow analysis, which provides the high-level trends related to what protocols are used, which hosts use the protocol, and the bandwidth usage. When used in conjunction with a SIEM, you can generate alarms and get alerted when your NetFlow goes above or below certain thresholds.
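The following is an added example, not part of the original checklist or any vendor's product: a minimal sketch of the role-aware check described above, where Skype from the sales team is normal, Skype from the customer database server raises an alarm, and traffic above or below a threshold is flagged. It assumes flow records have already been aggregated per time window and labelled with an application name by the collector; all host addresses, roles, thresholds and sample flows are constructed.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed asset inventory (host -> role); addresses and roles are hypothetical.
HOST_ROLES = {
    "10.0.1.21": "inside-sales",
    "10.0.1.22": "inside-sales",
    "10.0.9.5": "customer-db",
}

# Constructed per-role baseline: application -> (min_bytes, max_bytes) per window.
# An application that is absent from a role's baseline is unexpected for that role.
ROLE_BASELINE = {
    "inside-sales": {"skype": (0, 50_000_000), "https": (0, 200_000_000)},
    "customer-db": {"postgres": (1_000_000, 500_000_000), "ssh": (0, 5_000_000)},
}


class Flow(NamedTuple):
    window: str   # label of the aggregation window
    src: str      # source host
    app: str      # application label supplied by the collector (assumption)
    nbytes: int


class Alert(NamedTuple):
    window: str
    host: str
    role: str
    app: str
    reason: str
    nbytes: int


# Constructed sample flows: one quiet window, one window with three problems.
SAMPLE_FLOWS = [
    Flow("2018-05-01T10:00", "10.0.1.21", "skype", 12_000_000),
    Flow("2018-05-01T10:00", "10.0.1.22", "https", 30_000_000),
    Flow("2018-05-01T10:00", "10.0.9.5", "postgres", 40_000_000),
    Flow("2018-05-01T10:05", "10.0.1.21", "skype", 9_000_000),
    Flow("2018-05-01T10:05", "10.0.9.5", "skype", 2_000_000),
    Flow("2018-05-01T10:05", "10.0.9.5", "skype", 1_500_000),
    Flow("2018-05-01T10:05", "10.0.9.5", "postgres", 200_000),
    Flow("2018-05-01T10:05", "10.0.7.77", "https", 1_000),
]


def evaluate(flows, host_roles=HOST_ROLES, baselines=ROLE_BASELINE):
    """Return alerts for traffic that does not fit the role of the sending host."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.window, f.src, f.app)] += f.nbytes

    alerts = []
    for window in sorted({w for w, _, _ in totals}):
        seen = defaultdict(set)  # host -> applications observed in this window
        for w, host, app in totals:
            if w == window:
                seen[host].add(app)

        for host in sorted(set(host_roles) | set(seen)):
            role = host_roles.get(host)
            if role is None:
                # Traffic from a host missing from the asset inventory.
                for app in sorted(seen[host]):
                    alerts.append(Alert(window, host, "unknown", app,
                                        "unknown-asset", totals[(window, host, app)]))
                continue
            baseline = baselines[role]
            # Check observed applications and expected ones that went quiet.
            for app in sorted(seen[host] | set(baseline)):
                total = totals.get((window, host, app), 0)
                if app not in baseline:
                    reason = "unexpected-application"
                elif total > baseline[app][1]:
                    reason = "above-threshold"
                elif total < baseline[app][0]:
                    reason = "below-threshold"
                else:
                    continue
                alerts.append(Alert(window, host, role, app, reason, total))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(alert)
```

The same Skype volume produces no alert for the sales hosts and an alert for the database server, which is the context the raw byte counts alone do not give you.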

 

  8. Have a Documented and Practiced Incident Response Plan

To comply with GDPR regulations, organisations need to have a plan in place to detect and respond to a potential data breach to minimise its impact on EU citizens. In the case of an attack or intrusion, a streamlined incident response process can help you respond quickly and effectively to limit the scope of the exposure.

If you have unified threat detection controls and processes established to alert you to an incident, your incident response plan should be able to quickly and accurately determine the scope of impact. You should investigate all related events in the context of other activity in your IT environment to establish a timeline, and the source of attack should be investigated to contain the incident.

Once you have controlled the incident, you should evaluate if a possible breach of personal data occurred and decide if reporting is required under GDPR. Then, you should prioritise and document all response and remediation tactics. Be sure to verify that your incident response activities have successfully remediated the issue. You will need to inform the regulator of all steps taken, and where necessary, inform any affected EU citizens.

 

  9. Have a Communication Plan in place to detect and respond to a potential data breach

In the event of a breach, your organization must report to the regulatory body within 72 hours of being aware of the breach.

For high-risk events, the controller must notify data subjects without undue delay (Article 31).

The notification given is required to at least:

  • Describe the nature of the breach
  • Provide the name and contact details of the organization’s data protection officer
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects.

Ask yourself:

  • Can I identify whether systems in scope of GDPR are affected in a breach?
  • Do I have the contact details of the regulatory body that I need to notify?
  • If need be, do I have a reliable mechanism to contact affected customers?

 

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

GDPR: 12 Steps That You Can Take Right Now

So now we know what it is and what it means, this week we take a look at what we should do about it. A really useful starting point is contained in the Information Commissioner’s website, which provides a range of resources explaining GDPR and how organisations can go about preparing to comply with it.

Their 12-step guide covers the initial activities that can be started immediately, which include:

  • Awareness of Decision Makers
  • Information Audit
  • Update Privacy Notices
  • Procedures for Individual Rights
  • Subject access requests procedures
  • Consent procedures
  • Under-age Consent Procedures
  • Privacy Impact Assessments
  • Data Protection Officer
  • International Implications

The guide is summarised below for convenience.

1. Awareness 

You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

 

2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

 

3. Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

 

4. Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

 

5. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

 

6. Lawful basis for processing personal data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

 

7. Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

 

8. Children

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

 

9. Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

 

10. Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

 

11. Data Protection Officers

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

 

12. International

If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

In our next blog we will discuss some of the technical implications borne out of GDPR compliance.

 


10 Quick Facts you need to know about GDPR

1. It is an EU regulation as of 27 April 2016, which gives EU citizens additional privacy and rights

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

 

2. GDPR is legally enforceable from 25 May 2018

 

3. GDPR imposes higher fines – 4% annual global revenue or 20m euro, whichever is greater. Non-EU companies that process individual data will need to comply.

 

4. Key features

  • Obtaining permission for processing personal data must be clear and must seek affirmative response
  • Data subject has the right to be forgotten and records erased
  • Controllers must report data breach within 72 hours, unless it is low risk
  • Adequate contracts must be in place for processing data

 

5. Individual rights include

  • Correction
  • Consent
  • Access
  • Portability

 

6. Notification of Breach must include

  • How many records exposed
  • Any mitigating measures taken
  • Categories of data breached
  • Measures taken to prevent breach
  • Risks to individuals

 

7. What is a breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

 

8. GDPR will still apply despite Brexit

 

9. Regulator will have beefed up powers

  • Warnings
  • Reprimands
  • Compliance orders
  • Ban processing
  • Fines
  • Order suspension of data flows

 

10. You still have time – JUST

Start the process by auditing your data usage

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

 


Nyetya Global Ransomware – actual costs

You may recall our recent blog post below which was posted in June.

A new ransomware virus variously named Nyetya, Petrwrap and GoldenEye has been spreading globally over the last 24 hours.


This virus is distinct from WannaCry and other initially suspected variants. It has some unique new features which make it harder to detect and defend against, clearly showing that today’s malware landscape is evolving apace. This rapidly changing threat landscape has a number of contributing factors, including leaked tools from government agencies, more advanced security controls that require advanced malware (the cat and mouse game), or simply attackers who are more determined and more capable.

This and other recent virus attacks serve to reinforce the need for a defence-in-depth approach to security, with comprehensive controls at all levels of an organization’s IT infrastructure.

Some figures have been released about the actual financial damage caused by the virus.

It cost the TNT division of parcel delivery company FedEx over $300m; losses are continuing and the company has not yet fully restored its systems. At one stage they had to resort to WhatsApp for internal communication because email systems were not useable.

Shipping company Maersk has also announced damage around the $300m mark.

Reckitt Benckiser, the company behind household brand names such as Dettol and Durex, has also taken a massive hit, announcing potential attributable losses at a minimum of $140m. This figure is due to be updated when they announce results in October.

More details about these costs and impact on the businesses can be found in the BBC article below.

View the article

With such eye-watering figures from just a few selected companies who have been transparent enough to share the information, you really wonder about the full scale of damage that this and other cyber attacks have caused.
