
The Benefits of a Hybrid Cloud

Running workloads on both public and private clouds, a hybrid cloud strategy, is increasingly popular with IT leaders and CISOs. In essence, the strategy avoids the proverbial “putting all your eggs in one basket”, an approach that invites risk and breaches to your data.

We got a glimpse into the vulnerability of the cloud last week when Microsoft Azure’s South-Central US data center region was down for a while after a severe lightning storm disrupted its cooling system.

According to a TechTarget article, Azure Outage Spotlights Cloud Infrastructure Choices, “the surge hit the power cooling systems, and subsequent rising temperatures triggered automatic hardware shutdowns. Nearly three dozen cloud services, as well as the Azure status page, bore the brunt of the storm”. The article noted that “much of the problem lies in how Microsoft has built out its public cloud architecture, where most Azure regions are comprised of a single data center”. When workloads are stored solely in a single data center, many kinds of events can cause failures. To avoid a repeat in the future, TechTarget writer James Montgomery said, “Microsoft must also modify its software to accommodate a multi-availability-zone architecture”.

This Microsoft incident points out, once again, that a cloud-first strategy opens an organization up to service outages and downtime. According to analytics firm Cyence, a startup that models the economic impact of cyber risk, the four-hour AWS outage in 2017 caused S&P 500 companies to lose approximately $150m. It’s sobering to think how much could be lost if a major cloud provider were offline for days. Lloyd’s, the specialist insurance and reinsurance market, in partnership with the risk modeler AIR Worldwide, put out a report in January that calculated an "extreme" cyber-incident -- one that takes a top cloud provider offline in the US for three to six days -- would result in industry losses of $15bn.


A hybrid cloud infrastructure gives organizations more control over their critical workloads, which could mean everything if a cloud provider is unfortunate enough to be pushed offline for hours or days. Check out our eBook, The Enterprise Journey to the Hybrid Cloud, which walks you through the steps required to build a world-class hybrid cloud infrastructure, from setting goals and developing consensus to building and deploying secure hybrid workloads.




Actions to Take and Verifying Your Readiness

This is part 2 of a two-part series on CCPA readiness. Read Part 1. Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it.

What action should you take?

The GDPR and now the CCPA seem to be part of a wider trend towards greater individual data privacy and so it would be wise to prepare for further legislation and reassess your strategy with regards to personal data collection.

Begin by fully mapping all the personal data you collect and make sure that you know precisely how it is collected, how it’s used, who it’s shared with, and where it’s stored. Interrogate the reasons behind your data collection. If there’s no clear business benefit, then you may want to reconsider collecting that data in the first place.

Put processes in place so that your systems can securely handle data requests in a timely manner. Remember that you’ll need to provide access to data, delete data when required, and share specific information on the sharing or sale of any personal information. Allowing opt-outs on the sale or sharing of data may also require tweaks to your existing systems and/or end-user agreements.

The law requires that the business provide consumers with two or more designated methods for submitting requests for information. The minimum requirement is a toll-free telephone number and, if the business has a website, a website address. In addition, the business must update its online privacy policy and/or any California-specific description of consumers’ privacy rights, and these updates must be made at least once every 12 months. The business is required to provide a clear and conspicuous link on its Internet homepage titled “Do Not Sell My Personal Information” that allows the consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information for 12 months (Note: the business can require the consumer to opt out again after every 12 months). The law requires that the request be submitted through a password-protected account maintained by the consumer if the consumer maintains an account with the business, or that the business allow information requests through its own authentication of the consumer’s identity.

Businesses and their data service providers will be required to implement technical safeguards and business processes that prohibit reidentification of the consumer to whom the information may pertain. This will be a major burden for organizations that do not already have these controls in place.

Verify your readiness

Along with redesigning your data handling rules and systems, you should update all policies pertaining to data and be prepared to train any employees who might be responsible for data. It’s not enough to ensure compliance internally; you also need to reach out to third parties and partners to ensure they follow suit.

Expect to update your systems and applications to implement additional data controls and/or monitoring of data access. Implement new technical safeguards and business processes to prohibit reidentification of a consumer who has opted out.

Greater transparency in how personal data is collected and used is a good thing for consumers, but it also presents security challenges, so make sure you factor that in. With new policies, systems, and training in place, it’s advisable to complete a full audit that encompasses internal and external systems. Test for different scenarios and ensure that you’re in compliance with the new rules well before they come into effect.

If the business plans to continue maintaining consumer personal information, then it would be best to have all the data encrypted at rest, with the ability to de-identify the data if requested.

Expect to move from a compliance validation framework to a continuous security monitoring approach, establishing a CyberPosture that can be reported daily.




Does the CCPA Apply to You and Consumer Rights

This is part 1 of a two-part series on CCPA readiness. Read Part 2. Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it.

The dust has barely settled on the GDPR and businesses have new legislation to worry about. The California Consumer Privacy Act (CCPA) stipulates that California residents should have greater access to and control over personal information held by businesses (Note: this excludes financial services, healthcare, and/or other regulated businesses). The law seems targeted at online social media firms.

Non-compliance carries civil penalty fines of up to $7,500 for each violation for any person, business, or service provider that intentionally violates this law. Individuals can claim up to $750 per incident in damages (the minimum is $100) if the transgressing business/service provider does not rectify the issue after being given 30 days to do so (the "business" can request additional time to resolve the matter). Note: All legal actions need to be brought by the California Attorney General, and only if there is no action after six months can an "individual" bring their own legal action against the transgressor.

INTERESTING FACT: This law formally places responsibilities and liabilities on the data service processors as well. This is a major change. Traditionally, non-regulated data service processors were required to comply based on business contract language, while this law codifies their role. Note: Financial services data processors do have FFIEC-defined responsibilities but do not have defined consumer liabilities.

CCPA is due to come into effect on January 1, 2020, so now is the time to assess exposure and start working towards compliance.

Does the CCPA Apply to you?

The new legislation applies to you if you have a for-profit business (sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity) that does business in the State of California and that falls into one of these categories:

  • Annual gross revenue more than $25 million;
  • Process the personal information of 50,000 or more California residents, households, or devices every year (Note: a device is defined as any physical object that is capable of connecting to the Internet [directly or indirectly] or to another device – e.g. a USB stick, a mobile phone, vehicle diagnostic information, etc.);
  • Derives at least 50 percent of gross revenue by selling personal information; or
  • Any entity that controls or is controlled by a business that has the power to exercise a controlling influence over the management of a company.

It doesn’t matter where your business is located, but there are some exclusions pertaining to information that’s already covered by other Federal laws such as GLBA (mainly Financial Services firms); HIPAA or CMIA for health data; and/or CA Driver Privacy laws.

The definition of personal information for the CCPA is quite broad and covers anything that “could be reasonably linked, directly or indirectly, with a particular consumer,” so it’s best to take a cautious approach and cover as much data as possible.

This law does not require the business to retain any personal information if there is only a single, one-time transaction, and the information is not sold or retained by the business.

Third parties that purchased consumer data are restricted from selling the personal information unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.

If a business collects consumer data but is unaware of the consumer’s age, then the business is deemed to know the consumer’s age and is required to have the consumer opt in to the use of the data.

New Consumer Rights

The new law enshrines a few fundamental rights for consumers to access the information that companies hold on them and to control what is collected, stored, and shared within the previous 12 months (Note: this can be done twice in any 12-month period at no cost, but after that the "company" can charge for additional requests). Consumers can find out exactly what data a business has collected, they can prevent the sale of that data, and they have the right to delete it (Note: there are defined purposes that allow the company to retain your data even if you request that it be deleted – example: a data breach investigation).

The law is very specific about the identifiers included: real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, e-mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers. The other items that may be new to businesses:

  • Products and/or services purchased, obtained, or considered or other purchasing or consuming histories or tendencies;
  • Biometric information that includes an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used singly or in combination with each other or with other identifying data to establish individual identity. In addition, biometric information includes imagery of the iris, retina, fingerprint, face, hand, palm, vein pattern, and voice recordings from which an identifier template can be extracted; keystroke patterns or rhythms; gait patterns or rhythms; and sleep, health, or exercise data that contain identifying information;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available personal information per the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

The law also restricts the business from storing a consumer’s personal information while the consumer is in California and then collecting (extracting) that personal information once the consumer and the stored personal information are outside of California. Examples: mobile phone, tablet, electronic reader, etc.

Businesses will also have to inform consumers when they intend to change data collection processes, share details on which categories of third parties have access to data, and explain the business or commercial reasons for collecting it in the first place. In addition, this law limits the use of the consumer data to the stated purposes.

The legislation also introduces a strict opt-in requirement for minors, so businesses need to obtain parental consent to sell personal information belonging to anyone aged 16 years or under. There’s also protection against businesses trying to get consumers to sign waivers or otherwise discriminating against consumers who decide to opt out of any future sale of their personal data.

Note: The business can charge the consumer a different price or rate, or provide a different level or quality of goods or services, if the difference is reasonably related to the value provided by using the consumer’s data.

IMPORTANT: Sales of personal information to or from a consumer reporting agency (e.g. Equifax, TransUnion, Experian, etc.) are excluded from this law. This is covered under Federal law (the Fair Credit Reporting Act).



Everything CISO and Cybersecurity During Black Hat 2018

Black Hat celebrated its 21st anniversary this year, bringing together over 15,000 cybersecurity professionals to learn and network in Las Vegas. At the Cavirin booth, people flooded in to get their “Got CyberPosture” t-shirt and learn how the Cavirin CyberPosture Intelligence platform provides “credit-like” scoring, with actionable insights, helping enterprises align their security resources to more effectively address pressing threats of cyber attacks in their hybrid environments (multi-cloud, containers, and on-premise).

Additionally, BrightTALK was at the heart of the action, streaming live panel sessions and engaging in conversations with some of the world's top security leaders. These panels offer a collaborative atmosphere, enhanced by speaker presentations and insights. Cavirin’s CSO, Joe Kucic, participated in two of the thought-provoking panels: Key Factors for CISO Success and Managing Your Cyber Risk! If you were unable to join us in Vegas, we highly recommend tuning into these two panels, available on the BrightTALK website. Here is a little more information about the webinars:

Key Factors for CISO Success was part 1 of two CISO panels during Black Hat. This panel was an in-depth look at the ever-changing role of the CISO and the factors influencing their success. There was also a focus on why identifying your organization’s security culture matters. With the huge shift to cloud services, CISOs need to recruit, develop, and retain strong security talent. Today’s cyber threats and the introduction of the hybrid cloud are forcing CISOs to build a new arsenal of talent and tools to accommodate its present complexity. Kucic believes that CISOs are beginning to adopt the continuous security model to address the frequency and nature of today’s threats. CISOs are required to know what their levels of exposure are across different assets. Further, they must be able to prioritize the remediation actions that help improve the overall security posture of an organization. Taking that data and being able to present it to leadership is key to a CISO’s success. There was lots more great insight from Joe and the other members of the panel: Mark Weatherford (vArmour), Azi Cohen (WhiteSource), and Mark Whitehead (Trustwave).

The second panel that Cavirin’s CSO, Joe Kucic, was featured on was Managing Your Cyber Risk, led by ITSPmagazine and based on detecting and responding to threats within your organization. This panel was a Q&A around managing security risk. The key takeaway was that every company has cyber risk, whether they want to acknowledge it or not. Kucic says that “risk management has evolved to be a business enabler, a differentiator if they do it right.  It allows companies to move quicker with technologies and go to market faster than their competitors if they look at it the right way and not just as a compliance requirement”. Continuous visibility is important because risks and breaches are ongoing and not just a single occurrence. Finally, he adds that remediation and mitigation are things that companies continue to struggle with today. Both webinars are available on BrightTALK for free! Tune in for the full coverage.

Overall, Cavirin’s participation at Black Hat was awesome due to the relationships built, conversations enjoyed, and insights gained this year. To continue the BH momentum, if you want to see a demo of our CyberPosture Intelligence Platform, email us! We would love to keep the connections going! We might even be able to get you the hot “Got CyberPosture” t-shirt. See you soon.




Looking ahead to this fall’s elections, I won’t dwell on the ‘who’, be it Russia, China, North Korea, or someone closer to home, but some entity, somewhere, will ‘meddle’, and the best we can do is to minimize the impact.

We’ve read that the Russians have moved beyond simple (ok… not so simple) vote tampering, and social networks are old hat. So what can we control?

The very integrity of the data: an assurance that what is stored within the enterprise or in the cloud is unaltered, that it has not been tampered with. Here is where cloud security comes into play.

Over the past few years, we’ve witnessed far too many instances of data stored in the cloud being compromised, including marketing data, political party data, health records, etc. With the rush to the cloud, pressure from our CFOs, and a bit of groupthink, we’ve become sloppy. The same precautions we’ve taken for our on-premise data centers – access controls, both internal and external, encryption, and even record keeping – some of us have forgotten, with negative impacts that shouldn’t be a surprise. But exposing the data across the internet is only the first salvo. Attackers now have the tools to alter data at rest, and without proper checks in place, the source of truth becomes elusive. But the solution is not difficult, and doesn’t require a string of esoteric certifications. Just common sense.
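One concrete form of the “proper checks” the paragraph calls for is a keyed integrity manifest over stored records: a per-record HMAC plus a running chain tag, so that a modified, deleted, or reordered record is detected when the data is read back. This is an added example, not code from the original post or from Cavirin; the records, the key, and the manifest layout are all constructed for illustration, and the key must live outside the data store it protects.

```python
import hashlib
import hmac
import json

# Constructed sample records standing in for data held in a cloud bucket.
RECORDS = [
    {"id": 1, "entry": "precinct-12;status=active"},
    {"id": 2, "entry": "precinct-12;status=inactive"},
    {"id": 3, "entry": "precinct-13;status=active"},
]
# Constructed demo key; in practice this is kept in a secrets manager or HSM,
# never alongside the records it protects.
KEY = b"constructed-demo-key-keep-outside-the-bucket"


def canonical(record):
    """Serialize deterministically so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records, key):
    """Per-record HMAC tags plus a chain tag over their sequence; the chain
    makes deletion and reordering detectable, not just in-place edits."""
    entries, chain = [], b""
    for rec in records:
        tag = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        chain = hmac.new(key, chain + tag.encode(), hashlib.sha256).digest()
        entries.append({"id": rec["id"], "tag": tag})
    return {"entries": entries, "chain": chain.hex()}


def verify(records, manifest, key):
    """Return (ok, problems): problems lists records whose tag no longer
    matches, plus structural findings when the record set itself changed."""
    problems = []
    if len(records) != len(manifest["entries"]):
        problems.append("record count differs from manifest")
    chain = b""
    for rec, entry in zip(records, manifest["entries"]):
        expected = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        if rec["id"] != entry["id"] or not hmac.compare_digest(expected, entry["tag"]):
            problems.append(f"record {rec['id']} altered or out of place")
        chain = hmac.new(key, chain + expected.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(chain.hex(), manifest["chain"]):
        problems.append("chain tag mismatch")
    return (not problems, problems)


def demo_tampered_record():
    """Build a manifest, silently flip one record, and report what verify sees."""
    manifest = build_manifest(RECORDS, KEY)
    tampered = [dict(r) for r in RECORDS]
    tampered[1]["entry"] = "precinct-12;status=active"  # constructed alteration
    return verify(tampered, manifest, KEY)


if __name__ == "__main__":
    print(verify(RECORDS, build_manifest(RECORDS, KEY), KEY))
    print(demo_tampered_record())
```

The manifest only helps if it is written and verified from a trust boundary the data store cannot alter; store it with the key, not next to the data.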

The public cloud providers offer a number of services designed to monitor your accounts – your controls, services, and applications – while at the same time providing notifications if something is amiss. In parallel, software vendors like Cavirin offer powerful security tools that pick up where the cloud provider leaves off. Cavirin provides real-time visibility and remediation of hybrid infrastructures so that governments can identify gaps in their defenses and take immediate action to more effectively address the pressing threats they might, or will, face.

As part of making your move to the cloud, understand your exposure and the tools available, both from the CSP and from third parties, to mitigate it. And put in place and execute a plan before moving any critical workloads or data to AWS, Azure, Google Cloud, etc. Looking forward to November, this should serve as a call to action.

In the same way that GDPR forced the privacy issue, and even in the US had a positive impact such as the CCPA in my home state of California, we can take it upon ourselves to make sure that our clouds are in order… are secure and free from tampering. We’re at 90 days, so put in place a plan!


© 2018 Cavirin Systems, Inc. All rights reserved.