• WHAT IS IN A NAME? Community descriptive "tags"

    WHAT IS IN A NAME? - Community Descriptive “Tags”
    First I want to proactively apologize to my technical readers for a less than stellar security topic. But this issue has puzzled me for a long time. I write to and about VARs for a living. One of my most difficult issues when doing a presentation or article is what to call the community. Seems a strange issue? Well, consider the four common names used today:
    *Reseller
    *Channel
    *VAR (Value Added Reseller)
    *Solution Provider

    DESCRIPTIVE OF COMMUNITY FUNCTIONS: Least descriptive to Most:

    Reseller--- Channel--- VAR--- Solution Provider

    I assert that reseller implies the community just takes orders for vendor products with no value added. Channel is simply a term which means an indirect selling force to the vendor and nothing to end users. VAR does indicate that the buyer gets something of value from the community. But VAR as a description is very nebulous: is the value installation or describing the product? Special note: the first time I heard the VAR term was in the early 80’s when IBM was describing vertical resellers. Solution provider indicates the buyer got something that solves a business need or problem. So using the term solution provider seems best suited to describe what the community does for business: the community sells/implements something the buyer desires to enhance their business.

    DESCRIPTIVE OF COMMUNITY VALUE: Least Value to Most:

    Reseller---Channel---VAR--- Solution Provider

    Besides the community term being descriptive, let’s examine community terms from the potential value to a business, or whether the business buyer even wants to engage them in a discussion. From a value view the buyer would probably contact the vendor directly if possible rather than a reseller, since what does the reseller add? Channel means nothing to a business buyer and probably confuses them as to what this entity even does. VAR implies something besides reselling vendor product, but will the buyer relate to the value the entity adds? Again solution provider “screams” “I enhance your business or resolve your problems”. So as a buyer I would certainly engage a solution provider to see if they can resolve my problem or enhance my business value.
    Some in the community may argue that they don’t want to be confused with Accenture or IBM. To that I say, why not? You do the same thing: implement business solutions. If this bothers you, call yourself an SMB Solution Provider to maximize both your business description and value to potential buyers.

  • Addressing Cloud Security For Clients--Specific Steps

    Survey after survey continues to show clients’ number one concern of using cloud computing is security—over 50%. Some of the most often cited areas of concern:
    • Securing data at rest and in transit
    • Authentication of users
    • Separation of data in the multi-tenant environment
    • Legal and regulatory issues
    • Incident response notification and roles
    Given the compelling benefits of adopting cloud computing, clients (especially small and mid-size clients) can’t wait until most of the security issues are resolved:
    • Reductions in infrastructure and application costs
    • Faster deployment of solutions
    • Increased efficiency
    • Increased flexibility and options
    • Improved customer satisfaction

    Bottom line cloud value---Data anywhere at any time in any volume.
    Many clients won’t wait until the world declares cloud computing “safe”. In fact a recent (1/11) Ponemon Institute study shows less than 50% of clients evaluate security. The study also says that 22% of business-critical applications or services are already in the cloud. The adoption rate is outpacing the resolution of security issues. The task of a “trusted advisor” is to assist clients in evaluating meaningful security risks and the security of cloud providers.

    Assess What and How the Client Moves to the Cloud
    Put the client assets being evaluated for the cloud in two groups:
    • Data
    • Applications/functions/processes

    Then decide how sensitive/important the asset is to the client by assessing confidentiality, integrity and availability requirements. Types of information that may be too sensitive for the cloud: intellectual property, the client’s financial information, health data, and employee records. Then evaluate whether the risks of each deployment model are acceptable. Deployment models (with variations): public, private, community, or hybrid.
    Then focus on the degree of risk control the client will have with each model. This is where security assessment questions are employed as you evaluate specific cloud providers. Then map out exactly if and how data moves in and out of the cloud deployment model you select. It is key to identify all major risk exposure points. You and the client should now understand both the importance of and risk tolerance for what is being considered for a move to the cloud under acceptable deployment models.

    Low value assets need a lower level of controls and might not need on-site inspections and complex encryption schemes. High value assets might require extensive audit and data retention requirements. If the asset isn’t subject to regulatory requirements you might focus more on technical security controls.

    Cloud security requirements vary by client size, industry and service model

    Client size- Larger international clients have special concerns like where their data resides and are subject to geographical regulations. Data ownership and portability are major security issues. Smaller clients have concerns around loss of control since data is outside their physical control. As a general premise cloud security will probably be enhanced the smaller the client is since robust security controls tend to have an inverse relationship with client size.

    Industry – The level of security concerns will be higher for financial clients, medical clients (HIPAA/HITECH acts), utility/energy clients (i.e. FERC) and retail clients (PCI & state breach laws).

    Service model -
    Software as a Service (SaaS). The capability provided to the client is use of the provider’s applications running on a cloud infrastructure. The applications are accessible from client devices through a thin client interface such as a web browser. Assessing a potential provider in the areas of incident response, application security, and identity and access management will be most important.
    Platform as a Service (PaaS). The capability provided to the client is to deploy onto the cloud infrastructure client-created or acquired applications using programming languages and tools supported by the provider. The client does not manage or control the underlying cloud infrastructure but has control over the deployed applications. Assessing the provider in the areas of virtualization and application security will be most important.
    Infrastructure as a Service (IaaS). The capability provided to the client is to provision processing, storage, networks, and other fundamental computing resources where the client is able to deploy and run software like operating systems and applications. Assessing the provider in the areas of data center operations, encryption and virtualization will be most important.

    Key Security Assessment Questions by Domain/Area:
    Now you are ready to review the key security assessment questions developed by the Cloud Security Alliance (http://www.cloudsecurityalliance.org/) to assess the provider’s security profile vs. the security controls the client considers critical. Then pose the questions deemed critical and use the answers to trigger further questions if not answered to the client’s satisfaction. The CSA developed its security assessment questions to be SPECIFIC to the cloud computing model, to minimize duplication with other models like client server, hosted etc.

    Summary

    Cloud providers are moving aggressively to minimize valid security concerns and speed up adoption. As an example of reducing barriers to adoption due to security concerns, the Payment Card Industry Council, in issuing PCI DSS 2.0 last year, expressly clarified that data could reside in a virtualized environment. Previously it was unclear, but now payment data can be processed in a public cloud and be in compliance.
    The reality is that many large clients have special concerns that make private/hybrid clouds more attractive in the near term. However, most SMB clients will realize better security due to the public provider’s investment in robust security controls.
    Assessment guidance exists (i.e. CSA) and is being enhanced rapidly to help you guide your clients through their cloud security concerns so they can realize the compelling benefits of this model now.

  • EMR Security Adoption Issues

    Electronic Medical Records (EMR) Security Adoption Issues
    First, for those of you asking what EMR vs. EHR is, let me give the simple difference. An EMR is a single provider and patient record, while an EHR is a patient record shared with all providers involved in the patient’s care. The EHR is what the ARRA act and federal government really are after, in the belief this will reduce health care costs.
    A 2010 Comptia study showed practices with EMR started or fully deployed was 26% for solo practices & 55% for group practices—so adoption has begun. Better patient care & improved efficiency (read revenue) are the top drivers at 70 and 68% respectively. Notice the stimulus reimbursement is not at the top of adoption drivers—in fact it is turning out to be a negative since the physician community has major distrust of federal medical regulators. When the top security concerns of doctors are surveyed: HIPAA compliance, unauthorized data access/use & external breach are the top factors considered.
    When approaching your physician prospects/clients, understand that when asked in the same study what improvements they would like to see made in EMR solutions, security ranked 9th of 9 major areas. When asked what factors were inhibiting their EMR adoption, one of the top 6 reasons was security/privacy. So leading with the value of security probably won’t resonate. So it is recommended you lead with the following:
    • Regulations/penalties—Good old FUD still works when you explain financial and criminal penalties
    • Discuss patient record integrity – alteration or destruction – important to the doctor’s profile
    • Better patient privacy—Improves the relationship between doctor/patient so they really care.
    Below are the critical security issues to address as EMR gets adopted:
    • Risk profile or assessment of your provider clients
    • Secure authentication of anyone accessing patient records
    • Secure data storage AND retrieval of archives
    • Logging & access activity monitoring
    • Secure data in transmission and at rest—read: encryption
    • A new thought to the security community—NSAP (Network Security & Privacy) insurance for client and EMR vendor
    As you begin to work with clients on EMR adoption, save this blog and dust it off; it will help!

  • Addressing Cloud Security For Clients--Specific Steps

    Survey after survey continues to show clients’ number one concern of using cloud computing is security—over 50%. So cloud providers are focused on this and are making continual progress. Some of the most often cited areas of concern:
    • Securing data at rest and in transit (encryption & key management)
    • Authentication of users (identity & access management)
    • Separation of data in the multi-tenant environment (using VMs and hypervisors)
    • Legal and regulatory issues
    • Incident response notification and roles

    Given the compelling benefits of adopting cloud computing, clients (especially small and mid-size clients) can’t wait until most of the security issues are resolved.

    Bottom line cloud premise---Data anywhere at any time in any volume

    Assess how, what & when the client moves to the cloud

    Put the client assets being evaluated for the cloud in two groups:
    • Data
    • Applications/functions/processes

    Then decide how sensitive/important the asset is to the client by assessing confidentiality, integrity and availability requirements. This is similar to how you would assess the assets for outsourcing, with more options to consider. Types of information that may be too sensitive to put in the cloud: intellectual property, the client’s financial information, health data, and employee records. Next evaluate whether the risks of each deployment model are acceptable. Deployment models (with variations): public, private, community, or hybrid.

    Next focus on the degree of risk control you will have with each model. This is where the security assessment questions we will discuss later are employed as you evaluate specific cloud providers. Then map out exactly if and how data moves in and out of the cloud deployment model you select. It is key here to identify risk exposure points.

    Service model -

    Software as a Service (SaaS). The capability provided to the client is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser. Assessing a potential provider in the areas of incident response, application security, and identity and access management will be most important to the client. As a current example of how critical model selection is, many solution providers are helping medical providers select Electronic Health Record solutions to meet federal guidelines. The SaaS vs. client server model decision must consider hacking incidents which alter or destroy patient medical information, and long term data management/retention issues. Vetting SaaS suppliers on their security profile around these issues is critical not just for security concerns but for compliance with HIPAA and HITECH.

    Platform as a Service (PaaS). The capability provided to the client is to deploy onto the cloud infrastructure client-created or acquired applications created using programming languages and tools supported by the provider. The client does not manage or control the underlying cloud infrastructure but has control over the deployed applications. Assessing the provider in the areas of virtualization and application security will be most important to the client.

    Infrastructure as a Service (IaaS). The capability provided to the client is to provision processing, storage, networks, and other fundamental computing resources where the client is able to deploy and run software like operating systems and applications. Assessing the provider in the areas of data center operations, encryption and virtualization will be most important.
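    The asset triage steps in this post (and in the earlier copy of it on this page) can be worked through as a small model: group each asset as data or application, rate C/I/A, flag the sensitive data types and regulations, pick a control tier, map the flows that cross the cloud boundary to find exposure points, and list the provider assessment areas the service model makes most important. This is an added example, not a tool from the post or from the CSA; the 1..3 rating scale, the tier names and the deployment-model cut-offs are assumptions made here.

```python
"""Cloud asset triage following the steps in the post.  Added example, not
the author's tool.  The 1..3 rating scale, the tier names and the
deployment-model cut-offs in ACCEPTABLE_MODELS are assumptions."""
from dataclasses import dataclass, field

# Data types the post names as possibly too sensitive for the cloud
SENSITIVE_TYPES = {"intellectual_property", "financial", "health", "employee_records"}

# Provider assessment areas the post calls most important per service model
SERVICE_MODEL_FOCUS = {
    "SaaS": ["incident response", "application security", "identity and access management"],
    "PaaS": ["virtualization", "application security"],
    "IaaS": ["data center operations", "encryption", "virtualization"],
}

# Assumed cut-offs: which deployment models are acceptable at each tier
ACCEPTABLE_MODELS = {
    "low": ["public", "community", "hybrid", "private"],
    "medium": ["community", "hybrid", "private"],
    "high": ["hybrid", "private"],
}


@dataclass
class Asset:
    name: str
    kind: str                  # "data" or "application" (the post's two groups)
    confidentiality: int       # 1 (low) .. 3 (high), assumed scale
    integrity: int
    availability: int
    data_types: set = field(default_factory=set)
    regulations: set = field(default_factory=set)   # e.g. {"HIPAA"}
    service_model: str = "SaaS"
    # Data flows as (source, destination, crosses_cloud_boundary)
    flows: list = field(default_factory=list)


def control_tier(asset: Asset) -> str:
    """The highest C/I/A rating sets the tier; the post's 'too sensitive'
    data types force the top tier regardless of the ratings."""
    for r in (asset.confidentiality, asset.integrity, asset.availability):
        if r not in (1, 2, 3):
            raise ValueError(f"{asset.name}: ratings must be 1..3")
    if asset.kind not in ("data", "application"):
        raise ValueError(f"{asset.name}: kind must be data or application")
    score = max(asset.confidentiality, asset.integrity, asset.availability)
    if asset.data_types & SENSITIVE_TYPES:
        score = 3
    return {1: "low", 2: "medium", 3: "high"}[score]


def exposure_points(asset: Asset) -> list:
    """Every flow that moves data in or out of the cloud is a risk exposure
    point; flows that stay on one side of the boundary are not."""
    return [f"{src}->{dst}" for src, dst, crosses in asset.flows if crosses]


def triage(asset: Asset) -> dict:
    tier = control_tier(asset)
    if asset.service_model not in SERVICE_MODEL_FOCUS:
        raise ValueError(f"{asset.name}: unknown service model {asset.service_model}")
    return {
        "asset": asset.name,
        "tier": tier,
        # Regulated assets pull the review toward audit and retention;
        # unregulated ones toward technical controls, as the post notes
        "review_focus": "audit and data retention" if asset.regulations else "technical controls",
        "acceptable_models": ACCEPTABLE_MODELS[tier],
        "assess_provider_on": SERVICE_MODEL_FOCUS[asset.service_model],
        "exposure_points": exposure_points(asset),
    }


# Constructed sample inventory for a small medical practice (not real data)
SAMPLE_ASSETS = [
    Asset("patient records", "data", 3, 3, 2, {"health"}, {"HIPAA", "HITECH"}, "SaaS",
          [("exam room workstation", "EMR SaaS", True),
           ("EMR SaaS", "billing clearinghouse", True),
           ("EMR SaaS", "EMR SaaS backup", False)]),
    Asset("marketing website", "application", 1, 2, 2, set(), set(), "IaaS",
          [("web editor", "IaaS host", True)]),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(triage(a))
```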

    Key Security Assessment Questions by Domain/Area:

    Now review the key security assessment questions, by domain, developed by the Cloud Security Alliance (http://www.cloudsecurityalliance.org/) to ask potential providers when assessing their security profile vs. the security controls the client considers critical. You should review them with your client. Then pose the ones deemed critical and use the answers to trigger further questions if not answered to the client’s satisfaction. The CSA developed its security assessment questions to be SPECIFIC to the cloud computing model, to minimize duplication with other models like client server, hosted etc.


    Summary

    Cloud providers are moving aggressively to minimize valid security concerns and speed up adoption. As an example of reducing barriers to adoption due to security concerns, the Payment Card Industry Council, in issuing PCI DSS 2.0 last year, expressly clarified that data could reside in a virtualized environment. Previously it was unclear, but now it can be processed in the public cloud and be in regulatory compliance.

    The reality is that many large clients have special valid concerns that make private clouds more attractive in the near term. However, most SMB clients will realize better security due to the public provider’s investment in robust security controls than they have themselves.

    Assessment guidance exists now and is being enhanced often to help you guide your clients through their cloud security concerns so they can realize the compelling benefits of this model now.

  • Entering the "red hot" medical vertical?-Look before you leap!

    VARs entering the medical vertical need to understand the vertical’s security issues to protect both you and your client

    Industry surveys say over half of data solution providers are not serving health care vertical clients. That will change dramatically with the “gold rush” of the Electronic Medical Records (EMR) initiative being pushed by the Federal government with “sticks” (reduced provider payments after 2014) and “carrots” (incentive payments for providers meeting federal “meaningful use” guidelines) for healthcare providers. If you are planning to “pan for gold” in this vertical (or are already serving the industry) there are some industry regulations and security actions/services you must be aware of to protect both your healthcare client and yourself (YES—your business).
    Some of the industry regulations and summary points/issues to examine:
    • HIPAA—The “do good & avoid evil” regulation. Since 1996 the regulation had no enforcement teeth, but that has changed (see HITECH). You should read the sections on administrative, physical, and technical “safeguards” to get a summary of the controls needed. Also ensure you meet the “business associate” requirements to protect yourself and give your client “safe harbor”.
    • HITECH – The federal government finally put “bite” into HIPAA by making Human Health & Services (HHS) responsible for administering penalties and compliance audits. Breach notification rules are now in place along with significant escalating financial & criminal penalties.
    • FTC Red Flag Rules – Designed to deal with identity theft; most healthcare MSPs and care providers don’t even realize this regulation applies to them. A healthcare provider is a “creditor” under the act, so read the published guidelines for healthcare providers carefully.
    • PCI-DSS – Most MSPs are aware of this credit card processing contract (not a regulation) requirement. But in addition to assessing your healthcare provider’s compliance level (1 thru 4) for compliance requirements, be sure to remember that you as a “business affiliate” must attest to being compliant with affiliate requirements to provide your client safe harbor. Be sure to look at the “data at rest and in transit” requirements.
    • STATE BREACH LAWS – There are 46 of them and all are different. My personal favorite—the requirement to call the New Jersey state police before anyone else when reporting a breach. Remember your state attorney general does the enforcement—read: publicity to ensure getting reelected! If an MSP serves multiple states, what guidance does it offer clients? Answer: select the toughest state as the compliance guideline (remembering to note any quirks for each state) for all clients to simplify your operations.
    Once you have a business layman’s understanding of the healthcare regulations/contracts, besides the standard security best practices and services you should offer, make sure you offer at least these at a minimum:
    • RISK ASSESSMENT—The client needs a risk profile to prioritize actions/projects to make them compliant and reduce risk. This will also serve as a framework to develop a security program unique to each client.
    • ANTIVIRUS/MALWARE/ETC MANAGEMENT -- Clients need more than individual desktop AV. To ensure regulation compliance you should offer a management service which includes customizing templates to optimize the AV tool for them and ensuring a minimum footprint on client operations.
    • BACKUP/DR – While this may seem “duh”, if your client uses a SaaS EMR solution and network availability is lost, both offsite and onsite backup must be considered given potential life threatening client situations. Also HIPAA & HITECH require up to 6 years of data related to patients. HITECH also requires your client to produce, if requested by the patient, who outside of the doctor’s office received any medical info on that patient.
    • END POINT SECURITY—This is more than vulnerability scanning (although that is required by PCI-DSS) since physicians are increasingly using mobile devices to obtain patient medical info. Mobile security management is a must, which includes encryption.
    • SECURE AUTHENTICATION – Given the legal and criminal risks of not ensuring compliance with generally accepted security practices, it is time to look at 2 factor authentication. Biometrics have come a long way in terms of cost and false error rates.
    To net this out—if you are just entering this vertical, look at the regs and minimum client security needs before you “pan for gold”, since there are financial and criminal penalties if you and/or your client are found in violation. If you are one of the 44% of resellers/providers that already found “gold” in this vertical and any of this information is new -“ run

  • MSPmentor 250

    I wanted to post a quick note here on the blog to let everyone know that I am very proud and honored to be recently named by MSPmentor as one of their top 250 guys for 2010. You can access the MSPmentor 250, 2010 edition right here.

  • Comptia Group Advocates National Breach Law

    The numerous state breach notification laws have been a business thorn for some time with a coherent national breach law needed to resolve the quagmire. There are 47 different state breach laws with 8 having data holder requirements to prevent a breach. As an example of how difficult it is to even know your business is in violation of a particular state’s breach law—I wonder how many businesses know they have to notify the New Jersey State Police Crime Unit before issuing a breach notification to its customers to be in compliance.

    There are two federal laws on the books encompassing breach notification: the Graham-Blight-Leach Law with financial institutions’ breach notification obligations, and the FTC requires holders of data to have “a reasonable” obligation to disclose breaches. And since 2/10 HIPAA requires data holders and their 3rd party providers to disclose breaches. Currently there are 3 congressional breach notification bills in process: HR2221 (passed House in 12/09), Senate bill 139 (reported from committee in 11/09) and the one backed by the US Chamber of Commerce, Senate bill 1490 (reported out of committee in 12/09).

    Comptia (the major IT business association) has begun to push for passage of a national law thru its Security Special Interest Group and the Comptia public policy arm. Comptia membership is hoping to influence the final bill to include: what defines a breach for notification; requirements for the data holder to remediate the breach issue; and defining liability for a breach besides just the notification obligation.

    The time to end this patchwork negatively impacting commerce has come! There seems to be the political will and push by business to make a National Breach Law a reality! Let’s hope!


  • Should There Be A National Breach Law?

    While I don’t subscribe to the view “I am from the government and I am here to help you”, I also fear a hysterical populist politician jumping up and down on a breach crisis involving a bank or oil company (great rabble rouser villains) and rushing thru a bad law. Remember the “never waste a crisis” political theory by the current White House chief of staff. If I thought the government would never pass a breach law I might live with the current maze of 45+ inconsistent state statutes, but “sure as rain” they will get around to it. So let’s be proactive and keep the features/policies the IT industry needs and can live with. Think “FinReg”! Below are some of the most compelling arguments for a national law:

    • 45-47 state law maze—no consistency
    • Only 8 have requirements for processes to prevent breaches
    • Populist congressmen will overreact to an incident with a bad bill
    • Use the law to require awareness training of data holders’ employees
    • “Weapon” by our enemies to destabilize the economy
    • Require encryption of PII data in transit at a minimum
    • Mass penalty is $5k per lost record--$5m for 1000 lost records?
    • Protect all citizens—5 states (AL, KY, MISS, NM, S DAKOTA) have nothing
    • Lowers cost of compliance (avoid the same multiple tasks/audits)
    • US avg breach cost is 2x the world avg ($6.75m) due to notifying when you “think” a breach occurred
    • Better prosecution/conviction by the FBI linking attacks
    • 44 states only require notification to their own state residents

    Now there are states’ rights issues, and if I thought the Uniform Law Commission, which involves 300 state officials from all 50 states, could “harmonize the state laws” in less than 4 years, I would ask them to drive the issue, but while they do great work, herding cats takes time we don’t have ($6m for the average US breach). So the industry needs to get behind Senator Leahy’s S1490, which will have hearings this year (more about it in later blogs), and get a bill the industry needs and can live with. Comments?

  • Finding a Help Desk With the Right Stuff

    In the engagements I conduct for vendors fixing solutions to be attractive to channel partners, I often get asked to recommend or deploy Helpdesk/NOC services. Drawing on my background running global NOCs I use several “test” criteria:
    • No Level 1 “jail” – Ensure clients are not frustrated by the classical Level 1/Level 2 process, in which experienced users are forced through a Level 1 process which only provides solutions for common/known issues. Even if a NOC has a Level 1 structure there must be a way to “vector out” experienced users.
    • Been there/done that staff – Not only should technical staff have the required technical expertise and experience, but they should also have done some consulting/worked on site troubleshooting to understand the environment they are assisting.
    • Context/dialect – Besides language/accent issues, the help desk/NOC personnel must have the cultural context to provide the human touch to troubleshooting and not sound like preprogrammed robots. So North American based NOCs are preferred.
    • Clear Pricing – Complex pricing confuses both vendor/VARs and their clients. Simple pricing options with no surprises are a must.
    Finding vendors with these attributes is not as easy as it seems so imagine my pleasant surprise when I was referred to check out a firm called LIVE Virtual Help Desk (www.livevdh.com) based in Vancouver.
    • Their staff has been there “done that” serving not only enterprises but VARs and RMM vendors.
    • Excellent initial contact model using Level 2 and above personnel who have the experience to assist even the most seasoned user.
    • LVHD also uses a unique collaboration tool which allows them to have special client knowledge about user roles and the business environment. This is critical when dealing with nervous and upset clients in a critical support situation.
    • Their fixed pricing model eliminates surprises for both vendors/MSPs and the end-user. In addition the pricing model provides reasonable profit to vendor/VAR at a market based price which meets end users expectations.
    Now if they would just offer a service to train other help desks/NOCs to improve the client experience, this part of my job would be easy and make me a hero to my client. Check them out!

  • Service As A Business

    The Cobbler’s kids have no…security

    I had planned to enroll in my local chapter of ISSA for years, but for a variety of reasons (life happens) I kept putting it off. ISSA has a well deserved reputation as a great organization to mingle with security types and keep abreast of the latest profession issues. Recently my travel slowed down so I thought: now or never! I went to the ISSA site and navigation was great on type of membership, which local chapter, and the application form. At the end of the form I hit the submission button expecting an “OK pay us now” page to pop up. But nothing happened. So I concluded they probably send an email with payment instructions. A week and a half went by—I had called the member support number to inquire if they had received my application since I never got an acknowledgement that “you successfully applied”. But NADA! So I tried to fill out the application again assuming it never was received, but the results were the same. So I found the local chapter management, who escalated my issue within 1 hour, and I got an email from ISSA IT asking me to describe the issue (broken link?) so they could rectify it. Next I got an email with a PDF form to fill out and submit until the web site form issue could be fixed. Talk about service! I became excited and chastised myself for not joining this best industry association earlier.
    Then came the shock! As a security guy I almost cried and fell to my knees. ISSA, THE SECURITY ORGANIZATION FOR PRACTICING PROFESSIONALS, asked me to submit credit card payment information in unencrypted form. Even worse, I could mail or fax the form to them! So my credit card info could be received by the cleaning lady emptying the waste baskets near the fax machine. Or an ISSA employee with maxed out credit cards would have a new lease on their available credit life! I am surprised they didn’t ask for my SSAN!
    Maybe ISSA needs to hire one of its members to do a security assessment on ISSA corporate security policies and processes. This seems to be an embarrassment to the organization AND its members. Maybe my anal retentive personality needs to “chill out!” Am I overreacting? Is it fair to criticize Corporate ISSA’s security policies and practices when all they were trying to do was help me? I would like your opinion. Maybe it will help me seek counseling for my problem!
