Compliance, Ransomware and Privacy, Oh My!

Compliance, privacy, ransomware, and DevSecOps are common topics in the realm of cybersecurity. You may notice that these themes emerge from the topics covered each week. Join Jesse as he elaborates on each topic using common definitions. In the News: Malware is being used to spy on journalists, politicians and human rights activists! How does the new Colorado Privacy Bill stack up against California and Virginia? Detecting brand impersonation is becoming easier, yet more complex. Tune in for more in this week’s episode of Meanwhile in Security.

Links:

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.


Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.


Jesse: There are several larger topics within the realm of cybersecurity that come up constantly. Subscribers of MiS are likely seeing these emerge from topics I cover. Some of the most common themes lately are compliance, privacy, ransomware, and DevSecOps. So, we are all working from common definitions, let’s elaborate a bit on each.


Compliance is the process of meeting some list or lists of requirements, usually have an outside agency of some sort. Most people think about this in terms of laws like GDPR, SOC, HIPAA, FERPA, and others. These are great examples, but compliance includes meeting certification requirements like SOC 2, various ISO certifications, or PCI.


Privacy gets broad in terms of implementation, but at its core, it means the protection of information related to a person or organization. Basically, don’t collect or disclose things you don’t absolutely need to, and always ensure you have permission before any collection or disclosure of information.


Ransomware is the software that will destroy or disclose—or both—your data if you don’t pay someone. DevSecOps is the methodology of writing software with secure practices and systems in mind from the start. It’s that whole shift-left thing.


Meanwhile in the news. How to Bridge On-Premises and Cloud Identity. Identity and access management, or IAM, is difficult without introducing wholly different environments. We have to pick an IAM solution, so we choose what works across all our environments and services. Of course, ultimately, this means implementing Single Sign-On, SSO, of some sort as well.


Sophisticated Malware is Being Used to Spy on Journalists, Politicians and Human Rights Activists. Not all horrible software sneaking into our devices and systems are from hidden criminal or enterprises or nation-state sponsored groups. Some of it sadly comes from for-profit companies. Just like a hammer can be used for horrible things, so can some security software.


A Complex Kind of Spiderweb: New Research Group Focuses on Overlooked API Security. APIs run our whole cloudy world. They’re the glue and crossovers communication mechanisms rolled into one conceptual framework. However, while we may introduce security flaws in our use of the billion APIs we have to use, the APIs themselves might have security vulnerabilities as well. I’m interested in the output from this practical research group to see if this bolsters API use and implementation in general.


How AWS is helping EU customers navigate the new normal for data protection. Managing regulatory compliance is a circus act on a good day. On a bad day, it’s a complex web of sometimes conflicting and sometimes complementary solutions. Many organizations worldwide need to meet EU regulations, so be sure to know if you must as well.


Cloud security should never be a developer issue. I first thought this was the counterargument to the shift-left and DevSecOp movements, but this piece supports those movements. I like the view of supporting and protecting the developers to do better security. You don’t need to hire a bunch of security experts and teach them to code; that wouldn’t work so well. You can hire coders and teach them to code securely.


Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.


Jesse: Tool Sprawl & False Positives Hold Security Teams Back. Tool confusion and poorly tuned alerting systems plagues IT and security alike. Think about how you can streamline this by consolidating both IT and security management monitoring and alerting tools into a set of tools spanning use cases. Also, you need to read this because a source of the article is one of the most forward-thinkers in security today: Kelly Shortridge.


The What and Why of Cloud-Native Security. Sometimes we humans struggle with the transition to a new paradigm. Well, most of the time. Despite rapid and drastic shifts in technology constantly since computers were a thing, we still struggle as professionals. Many of us had just gotten cybersecurity figured out when this cloud thing started raining on us. Let’s get us all sorted out before we miss the rainy weather.


OSPAR 2021 report now available with 127 services in scope. If you think your compliance issues are complex, have you considered what a global cloud provider has to support? I’ve worked with compliance for over two decades and I still struggle to keep up with the pace of change. Thankfully, AWS breaks it down for you with the Outsource Service Provider Audit Report, or OSPAR.


Researchers Create New Approach to Detect Brand Impersonation. Brand impersonation is where someone puts up a site that looks just like yours, but it’s a ruse to collect passwords and other information. Having a better way to find these and alert us is amazing. It used to be, this type of thing wasn’t common because of the effort involved to do it. Now, it’s far easier, even though the technology underpinning things have gotten much more complex.


Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia? If you aren’t sure what privacy laws apply to your operations, you should consult legal advice and get on top of this quickly. There are laws being passed in many jurisdictions around the world tightening the requirements for storing, using, and reporting on people’s information and activities in your environments.


CISA Launches New Website to Aid Ransomware Defenders. Many of us don’t need to know the details about security things as long as they’re monitored and managed by people who do know cybersecurity. However, we all need to better understand ransomware because it’s a difficult-to-impossible problem to tackle without a concerted effort between multiple groups in our organizations. Check out the stopransomware.gov site for some help.


And now for the tip of the week. Compliance is often a messy thing. It shouldn’t be the burden it ends up being for most of us. Use the AWS Artifact service to understand AWS compliance. This service saves you hours of trying to figure out what reports to give your auditors for security compliance. Get in there and look around; it’s peace of mind, just one URL away. You can manage various compliance-related agreements in there as well, so it’s a fantastic resource. And that’s it for the week. Securely yours Jesse Trucks.


Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.


Announcer: This has been a HumblePod production. Stay humble.

Join the newsletter

Cloud Security For Humans

Got it. You're on the list!

Meanwhile in Security is a production of The Duckbill Group. Check out our other publications, Last Week in AWS, Screaming in the Cloud, and AWS Morning Brief.

© The Duckbill Group, 2021