@CloudExpo: Article

Proverb: When a Door Closes, Just Make Sure You Don't Leave a Window Open

Not every employee leaves a company with a gold watch and a handshake.

Earlier this month I attended a local cloud developers group, and I met a gentleman who consults with companies to engage in deep-dive forensic examinations of their networks. He looks for the virtual fingerprints of misdeeds, fraud, and misdoings that can be used for e-discovery in legal cases. He essentially gets down to the bits and bytes of how much information flows to certain IP addresses to ascertain whether or not proprietary data has been tampered with or stolen.

He confirmed something that I long believed to be true. One of the greatest threats to an organization comes from within. Not everyone who exits a company leaves with a handshake and a gold watch. Often there are hard feelings: the former employee believes the employer wronged them and will exact some measure of revenge, or feel justified in extracting some sort of perceived compensation. This includes everything from the outright theft of sales leads and databases, to accessing their company email account to send “nasty-grams” to customers and other employees, to malicious sabotage. I am aware of several specific incidents where someone knowingly introduced malware into the company network.

Now, this isn’t meant to make you look sideways at the person sitting in the next cubicle. However, access policies need to be a part of any company’s internal risk assessment and security policy.

One of the easiest ways to stop a disgruntled former employee is to bar their access. Seems straightforward enough, right? If it were that simple, it wouldn’t continually rank as one of the top threats to networks. The problem is that there are so many moving parts to properly dismissing an employee. Sure, there’s someone watching them pack up their physical belongings and making sure they don’t leave a little goodbye gift on the network on their way out. But if the tap is left on, the employee can come in hours, days or weeks later and create unnecessary havoc.

And the more diverse the enterprise (multiple divisions, brands, franchises, etc.), the harder it is to keep tabs on the comings and goings of legitimate employee access.

Case in point: I know of a national enterprise that franchises its individual locations to independent operators. Each franchisee is free to hire and fire their own staff. Every staff member has a corporate email account and is allotted certain access to corporately managed applications. So we are talking thousands of employees, with a churn rate large enough to raise some issues with corporate headquarters.

There is a definite need to promote franchise autonomy while still assuring adherence to corporate access and usage policies. The quick answer is a policy of provisioning and de-provisioning. There are plenty of solutions that accomplish this. Identity management and access management are not new concepts, even via the cloud. The trick is to create an easy-to-use, cost-effective self-service process that allows the franchisee to add new employees and automatically grant them certain rights based on their role. Conversely, when an employee leaves the company, there must be an equally simple way to retire the account and prevent anyone from using that account to access corporate information.

The key word is automatically.

So before the termination paperwork reaches the headquarters in Fort Myers, Florida, the franchise manager in Rhode Island or Honolulu can inactivate the employee’s access via self-service. With a single keystroke in the IDM solution, their access to email ceases; their ability to get on the network and access files is blocked; their accounts in every application are removed. Even if a manager forgets, the central system can take steps to assess usage: if an account is dormant for 10 days or 3 weeks (examples, not hard and fast rules), it is marked as inactive and retired.

But bolting the door behind them doesn’t mean they don’t know how to pick the lock. This is the part of our cautionary tale that keeps the forensic investigator busy.

This is also where the benefit of unified security comes into play. You’ve used your IDM investment to remove the credentials, but that doesn’t mean the motivated insider won’t try. With continuous, real-time monitoring you can generate alerts if anyone tries to access a retired account, tries to change a password, or generates multiple login failures in a short period of time. A system that pairs IDM with SIEM and log management not only receives the alert but also sees the IP address (and other identifying attributes) of whoever is attempting access.
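The two safety nets described above, the dormant-account retirement and the SIEM-style alerts on retired accounts, password changes and bursts of login failures, as an added example that is not code from the article or from Cloud Access; the user names, timestamps, thresholds and documentation-range source IPs are all constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical users, documentation-range IPs), not from the article.
NOW = datetime(2013, 5, 22)
LAST_LOGIN = {"jdoe": datetime(2013, 5, 1), "asmith": datetime(2013, 5, 20)}
RETIRED = {"bjones"}  # accounts the IDM system has already de-provisioned


def T(h, m, s):  # shorthand for timestamps on the constructed log's single day
    return datetime(2013, 5, 22, h, m, s)


# Constructed authentication log: (timestamp, user, event, source_ip)
EVENTS = [
    (T(9, 0, 0), "bjones", "login_failure", "203.0.113.5"),
    (T(9, 0, 5), "bjones", "login_failure", "203.0.113.5"),
    (T(9, 0, 10), "bjones", "login_failure", "203.0.113.5"),
    (T(9, 2, 0), "asmith", "password_change", "198.51.100.7"),
    (T(9, 3, 0), "asmith", "login_failure", "198.51.100.7"),
    (T(9, 10, 0), "asmith", "login_failure", "198.51.100.7"),
    (T(9, 11, 0), "asmith", "login_success", "198.51.100.7"),
]


def retire_dormant(last_login, now, max_idle_days=14):
    """Safety net for the forgotten termination: accounts with no login for more
    than max_idle_days are marked for retirement (the article's 10-day / 3-week examples)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(user for user, seen in last_login.items() if seen < cutoff)


def detect(events, retired, max_failures=3, window=timedelta(minutes=5)):
    """Return (timestamp, user, source_ip, reason) alerts for the three triggers in
    the article: any activity on a retired account, a password change, and
    max_failures login failures inside a sliding window. The source IP travels
    with every alert so the responder sees who attempted access."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failures still inside the window
    for ts, user, kind, ip in sorted(events):
        if user in retired:
            alerts.append((ts, user, ip, f"retired account: {kind}"))
        elif kind == "password_change":
            alerts.append((ts, user, ip, "password change"))
        if kind == "login_failure":
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            failures[user] = recent
            if len(recent) == max_failures:
                alerts.append((ts, user, ip, f"{max_failures} failures within {window}"))
    return alerts


if __name__ == "__main__":
    print("retire:", retire_dormant(LAST_LOGIN, NOW))
    for alert in detect(EVENTS, RETIRED):
        print(*alert)
```

On the constructed log, the three failures against the retired account fire both the retired-account rule and the burst rule, while the two widely spaced failures for the active user stay below the threshold.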

Now, for argument’s sake, let’s say they were particularly bright and used some shadow IT shenanigans to back-door into your network. Real-time monitoring will still catch the access attempt and also recognize if any proprietary asset is changed, downloaded or modified. Because it is real time and not simply logged, this gives you a strong chance to repel or immediately respond to the attack. As I have said in several blogs, unless you have the budget, the IT sophistication and the resources, having all of these concurrent initiatives can be seen as a luxury, unless you package them as a security-as-a-service platform from the cloud. Such a platform lets you leverage a variety of capabilities and have them “talk” to one another across multiple information silos, physical locations, various applications and divisions. Centralizing them creates a unique advantage that strengthens your position to ensure a former employee cannot take advantage of your sensitive data and proprietary assets.

And before I forget: make sure your written employment policies address BYOD. That way you retain the option and the right to completely or partially wipe their personal devices upon termination of employment.

I’ll leave you with another old proverb: “The key that opens is also the key that locks.”

Kevin Nikkhoo
Auto-provisioner

Cloud Access

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection: the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.
