Archive for the ‘Security’ Category


Security Alert: OpenSSL Bug Needs Prompt Attention

Tuesday, April 8th, 2014

A major vulnerability with the OpenSSL libraries was announced this morning. According to PCWorld, “The flaw, nicknamed ‘Heartbleed’ is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol. The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday [April 7].”

Heartbleed

We want to ensure all our customers are aware of this vulnerability so those impacted can take appropriate measures. The following description of Heartbleed is from http://heartbleed.com:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

GoGrid has already performed an extensive audit of our environment and has determined that none of our customer-supporting sites—including our management console, wiki, and secure signup—is exposed to this vulnerability.

If you are permitting SSL/TLS traffic to your servers, however, a firewall won’t block this attack: it arrives over the same port and handshake as legitimate traffic. This is a serious vulnerability with the ability to significantly expose your environment. GoGrid recommends you review the National Vulnerability Database entry for CVE-2014-0160 as soon as possible to determine whether the OpenSSL vulnerability applies to your organization, and then take corrective action based on your specific security policies, if necessary.
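The first step the alert recommends is working out whether the OpenSSL build on a server falls in the affected range. The following is an added example (not GoGrid’s code and not part of the original post) that parses the string printed by `openssl version` and reports whether the upstream version is one that shipped CVE-2014-0160: the 1.0.1 series from 1.0.1 through 1.0.1f, plus 1.0.2-beta1, with 1.0.1g being the fixed release and 0.9.8 and 1.0.0 never containing the heartbeat code. The `local_openssl_version` helper assumes an `openssl` binary on `PATH`; the sample strings are constructed. The caveat it carries is the one that tripped people up at the time: distributions that backported the fix kept the old version string, so a version match is a reason to investigate, not a final verdict.

```python
import re
import subprocess

# Added example (not GoGrid's code): classify an 'openssl version' string as
# inside or outside the range known to carry CVE-2014-0160 (Heartbleed).
# Affected upstream releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g is the fixed release; 0.9.8 and 1.0.0 never had the heartbeat code.

VERSION_RE = re.compile(
    r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<fix>\d+)"
    r"(?P<letter>[a-z]*)(?P<pre>-beta\d+)?"
)

FIXED_LETTER = "g"  # first patched release in the 1.0.1 line


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, prerelease) from 'openssl version' output."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in: {text!r}")
    return (
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("fix")),
        m.group("letter"),
        m.group("pre") or "",
    )


def version_in_heartbleed_range(text):
    """True if the reported upstream version is one that shipped the defect."""
    major, minor, fix, letter, pre = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # '' (plain 1.0.1) and a..f sort before 'g'; g and later are fixed.
        return letter < FIXED_LETTER
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the heartbeat bug.
        return pre == "-beta1"
    return False


def assess(text):
    """Verdict plus the caveat a practitioner needs before trusting a version string."""
    affected = version_in_heartbleed_range(text)
    if affected:
        note = (
            "Version string is in the affected range. Distributions that backported "
            "the fix keep the old string (a patched 1.0.1e package still reports "
            "1.0.1e), so confirm with the package changelog or vendor advisory."
        )
    else:
        note = (
            "Version string is outside the affected range. If the library was just "
            "upgraded, restart long-running services so they load the new code."
        )
    return {"version": text.strip(), "affected_range": affected, "note": note}


def local_openssl_version():
    """Run the system 'openssl version' (assumes the binary is on PATH)."""
    out = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    )
    return out.stdout


if __name__ == "__main__":
    # Constructed sample strings in the format 'openssl version' prints.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
    ]
    for s in samples:
        print(assess(s))
    try:
        print(assess(local_openssl_version()))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("openssl binary not available; skipped local check")
```

Run it on each host you manage; where the verdict is “affected range”, treat it as a prompt to check the package’s changelog rather than as proof either way, and remember that replacing the library does not help a daemon that still has the old copy mapped until it is restarted.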

Infographic: Keep your patient health info secure in the cloud

Wednesday, January 22nd, 2014

Maintaining data security in the healthcare sector is hard. Although all businesses worry about securing confidential data, it doesn’t compare to the burden of companies managing personal health information that must comply with the Healthcare Insurance Portability and Accountability Act (HIPAA) and other relevant regulations. Unfortunately, the sensitive nature of these assets makes them even more desirable to cybercriminals. The result: Patient health information is being targeted more frequently and more aggressively than ever before. Fortunately, the evolving IT landscape has provided a way to address these threats: proactive security monitoring to identify and mitigate potential risks and encryption to protect the data itself.

Outside attacks are only one aspect of the problem, however: Negligent insiders are also putting their organizations at risk. Studies have shown that roughly 94% of healthcare firms have experienced at least one data breach within the past two years. Because these incidents cost the industry upwards of $7 billion per year, administrators must proactively seek strategies that cut down the chances of unwanted security problems.

Financial repercussions of a data breach

Due to the regulations governing personal health information, the reputation damage and bottom-line costs of a data breach are often exacerbated by compliance fines. What is more troubling is that these incidents are growing in both frequency and severity. Experts believe that the financial repercussions of data breaches increased by $400,000 between 2010 and 2012, with more than half of companies losing $500,000 or more in 2012. With the price tag expected to rise 10 percent year-over-year through 2016, businesses must plan ahead to reduce these challenges.

To illustrate the effect of data breaches on healthcare organizations and the magnitude of the response required, we’ve put together the following infographic, “Keep Your Patient Health Info Secure in the Cloud.” Part of our series of 60-second guides, the graphic will show you in only a minute why the cloud is powering new ways to secure some of the most personal information available: details about our health.



Does it take a village to ensure security (or just hard work)?

Monday, January 6th, 2014

I watched an interview this morning where Snapchat’s CEO was discussing the recent exposure of its users’ phone numbers and names and something he said stood out for me: “Tech businesses are susceptible to hacking attacks. You have to work really, really, really hard with law enforcement, security experts, and various external and internal groups to make sure that you’re addressing security concerns.”


I have to agree with him: It takes a lot of effort to keep up with the latest security threats and vulnerabilities, to continuously assess existing security safeguards, to open channels of communications with security peers in other organizations, and to work with local and federal law enforcement to solve common security problems. Even companies that spend millions on security like Target are clearly challenged every day to identify and remove vulnerabilities to protect their customers’ data.

The rapid growth of cloud services and cloud service providers has only added new areas of concern for organizations hoping to leverage the benefits of the cloud. Organizations must perform their due diligence in identifying the right cloud service provider for their needs—preferably one that’s had time to develop security best practices based on firsthand experience and hard-won expertise. Securing a company’s production environment requires a cloud partner that is mature and has dedicated resources to provide robust security services and products.

Consider the recent DigitalOcean security revelation that its customers can view data from a VM previously used by another customer. According to one reporter, a DigitalOcean customer “noted that DigitalOcean was not by default scrubbing user’s data from its hard drives after a virtual machine instance was deleted.” Why not? DigitalOcean confided that the deletes were taking too long to complete and resulted in potential performance degradation of its services.

I recognize that challenge because GoGrid addressed this same issue years ago. All our deleted VMs go through an automated secure scrubbing process that ensures a previous customer’s data isn’t inadvertently shared with a new customer—and we do so without impacting our production environment. Was that easy to accomplish? No, it wasn’t. In fact, it took a lot of engineering work and resources to develop the right way to secure our customers’ data without impacting performance. Taking technical shortcuts when it comes to security often results in unexpected consequences that can affect an organization’s overall security—and ultimately, its reputation.


Get on the Road to HIPAA Compliance with GoGrid’s New Solution Bundle

Thursday, October 10th, 2013

If your company deals with protected health information (PHI), thinking about HIPAA-compliant IT is something you can’t afford not to do. But achieving HIPAA compliance requires sound security practices, robust technical solutions, and expert security support. That’s a lot to manage, even with a dedicated IT team, which is why we’ve created a turnkey solution to get you started on the road to compliance.


Bundled Services Streamline Time to Compliance

GoGrid’s HIPAA Solution Bundle is designed to be highly available out-of-the-box and includes a recommended set of infrastructure components, managed security monitoring, and reporting. Our Solution features application and database server isolation, breach monitoring and vulnerability assessment reporting, and failover services.

We developed our new HIPAA Solution Bundle to provide a secure cloud solution to help our customers with their HIPAA compliance without requiring they spend their annual IT budget in the process. We also engaged an external HIPAA audit organization to assess the new Solution Bundle and ensure it met the new HIPAA Omnibus Rule objectives.

Naturally, any GoGrid HIPAA customer should carefully study the new HIPAA Omnibus Rule to develop and deploy the right set of controls to safeguard PHI. Ultimately, no cloud provider can absolutely guarantee a customer’s HIPAA compliance because each organization faces unique business challenges and risks.

The Top 3 Private Networking Use Cases for CloudLink

Tuesday, April 2nd, 2013

Public clouds are fantastic for a majority of infrastructure use cases. And interconnectivity between clouds enables many solutions that give businesses multiple synchronized points of presence across the world. Companies can easily set up connections that traverse the public Internet to transmit, and potentially synchronize, data between cloud data centers. But these connections need to be reliable and, more often than not, private.

CloudLink private network between cloud data centers


With public network connections between clouds, users are at the mercy of hops and latency. For example, data may take one route with a particular number of hops, and a second later, may follow a completely different path and take a longer or shorter amount of time based on the connection.

In terms of securing the transport, some companies rely on point-to-point VPN connections using a hardware or software solution or some combination of the two. However, these solutions are also constrained by the connection and have limited speeds.

There are some scenarios or use cases that warrant using dedicated private networking to join geographically dispersed clouds. This is where GoGrid’s CloudLink service comes into play.

GoGrid’s CloudLink is a data center interconnect product—a redundant 10 Gbps pipe that carries GoGrid traffic only. CloudLink enables private network traffic between servers in GoGrid’s US data centers. As part of our “Complex Infrastructure Made Easy” mission, we designed this service to be basic yet powerful and still meet the needs of demanding organizations. Because this is a private network, much like the private network within GoGrid’s standard cloud infrastructure, there are no bandwidth costs. You simply decide on the connection speed (10 Mbps, 100 Mbps, or 1 Gbps), configure your connection, and pay for just the dedicated connection.