Why Cloud Service Providers Should Consider FedRAMP Certification

FedRAMP Certification Can Help Grow Your Cloud Service Business

The Federal Risk and Authorization Management Program (FedRAMP) was designed to support the federal government’s “cloud-first” initiative by making it easier for federal agencies to contract with cloud providers. Like FISMA, DFARS, CJIS, and HIPAA, FedRAMP’s security controls are based on NIST 800-53. If your cloud service business contracts with the U.S. federal government, you are required to comply with FedRAMP. However, with concerns over cloud security deepening in the wake of numerous high-profile cloud breaches, FedRAMP certification may be a worthwhile investment even if your company does not currently contract with the U.S. government.

FedRAMP Certification Can Help Grow Your Cloud Service Business

Benefits of FedRAMP Certification

FedRAMP certification is a long, arduous, and potentially expensive process. Unlike FISMA, which allows organizations to perform their own assessments, FedRAMP certification must be performed by a certified third-party assessment organization (3PAO). However, FedRAMP certification offers many benefits to cloud service providers, including:

  • The U.S. government is the single largest buyer of goods and services in the world, and federal agencies are reliable customers that continue to buy even during economic downturns, when private-sector firms cut back. Your company may eventually want to tap this very stable, highly lucrative market.
  • The U.S. government is “cloud-first.” To federal agencies, “cloud-first” isn’t just marketing hyperbole; it’s a directive from the White House to “evaluate safe, secure, Cloud Computing options before making any new investments.”
  • FedRAMP is “do once, use many times.” Unlike the FISMA standard, which requires organizations to seek an Authority to Operate (ATO) from each individual federal agency they do business with, a FedRAMP ATO qualifies a cloud service provider to do business with any federal agency.
  • The FedRAMP certification process will uncover your risks and vulnerabilities and improve your company’s data security. All of your customers will benefit from the security controls you put in place to comply with FedRAMP – and this is a big selling point. Private-sector companies know how arduous the FedRAMP certification process is, and they see it as a gold standard of data security.
  • You will be able to better compete in the highly competitive cloud services market. As cloud services companies multiply, and concerns over cloud security grow, FedRAMP certification will help your company stand out in a crowded marketplace.
  • Completing the FedRAMP certification process will make other security audits easier. FedRAMP controls are based on NIST 800-53, which is the basis for numerous other standards that your company likely needs to comply with, including HIPAA, DFARS, and CJIS.

Choosing a 3PAO

The FedRAMP compliance process begins with selecting the right 3PAO. In addition to FedRAMP experience, make sure that your 3PAO has expertise in cloud security and has worked with private-sector firms as well as government agencies. It is also critical that your 3PAO be well-versed in FISMA, as FedRAMP maps to the same NIST 800-53 standards that FISMA does.

Also make sure to ask questions about the tools your 3PAO will be using during the certification process; specifically, will the 3PAO be using spreadsheets or modern IRM GRC software? Continuum GRC’s proprietary IT Audit Machine, a revolutionary IRM GRC software package that utilizes pre-loaded, drag-and-drop modules, takes the pain and high costs out of the FedRAMP certification process. Some of our clients have saved up to 1,000% over traditional FedRAMP assessment methods.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Cyber Risk Management Lessons Companies Need to Learn Right Now

Don’t want your company to be the next Yahoo, Equifax, Deloitte, or SEC? Don’t ignore cyber risk management.

Don’t want your company to be the next Yahoo, Equifax, Deloitte, or SEC? Don’t ignore cyber risk management.

October is National Cyber Security Awareness Month in the U.S., which is quite fitting right now, being as barely a day is going by without yet another disclosure of a massive hack, and Americans are far more afraid of their identities being stolen than they are of ghosts and vampires. Equifax, Deloitte, and the SEC have all made headlines for all the wrong reasons, and now, like a bad meal, last year’s Yahoo breach has come back up; as it turns out, the company now believes that all three billion user accounts were compromised instead of “only” one billion. No wonder, during a keynote session at the recent (ISC)2 Congress in Austin, Texas, the FBI implored enterprises to adopt proactive cyber risk management processes grounded in logical assessments, not “emotion and fear.”

Don’t want your company to be the next Yahoo, Equifax, Deloitte, or SEC? Don’t ignore cyber risk management.That’s sound advice. Poor cyber risk management was behind each and every one of these breaches. Here are five lessons companies can take away from them.

Cyber Risk Management Lesson #1: Don’t Ignore Risks and Red Flags

The Yahoo breach did not happen in a vacuum; it happened after years of the company putting the “user experience” ahead of product security, even after being warned by its then-CISO of the perils of doing so. The SEC, NFA was likewise warned – by the Department of Homeland Security, no less – of “critical weaknesses” in its systems. Even worse, in an echo of the Yahoo debacle, an internal memo penned by the SEC’s internal Digital Forensics and Investigations Unit claims that the team was “woefully underfunded, undertrained, and forced to work with repurposed equipment and hard drives that had been designated by other branches of the SEC, NFA for disposal.”

Cyber Risk Management Lesson #2: Don’t Transmit Sensitive Information Through Unsecured Email

One would think that after what happened to Sony Pictures and the Democratic National Committee, everyone would have learned that it’s a really, really bad idea to send sensitive data through unsecured email accounts, but they’d be thinking wrong. The Deloitte breach is yet another hack of an unsecured email system where clients’ personal information was being bandied about, and during its initial disclosure, the SEC, NFA admitted that its employees were using private email accounts to “transfer confidential information.” This leads to our next lesson…

Cyber Risk Management Lesson #3: Your Biggest Vulnerability Is Your Own People

Equifax is now claiming that its breach was due to an error on the part of a lone employee who failed keep its installation of Apache Struts updated with the most current security fixes. This illustrates, once again, that any company’s biggest security vulnerability is its own people. All employees who use computers, from the C-suite down to the receptionist, need to be trained on cyber security best practices. Additionally, redundancy needs to be baked into the cyber risk management plan so that no single employee has the capability of doing this much damage. Why was this employee’s mistake not immediately discovered and corrected?

Cyber Risk Management Lesson #4: Technical Controls Are Important, Too

While your biggest vulnerability is your people, that doesn’t mean you should ignore technical controls. The Deloitte hackers got into the email system by breaching an admin account that was not protected by multifactor authentication; Equifax was running an unpatched version of Apache Struts; and Yahoo and the SEC, NFA both ignored warnings of various technical vulnerabilities.

Cyber Risk Management Lesson #5: You Must Secure Your Entire Cyber Ecosystem

Data environments are more complex than ever before, which means that cyber criminals have multiple ways in which to attack enterprise systems. Among other tactics, they can exploit a software vulnerability, hack into an unprotected email server or cloud storage system, make use of phishing emails or other social engineering techniques, enlist the help of a malicious insider, or even attack a third-party vendor who handles sensitive information on behalf of a larger company. Your company’s cyber risk management plan must address your entire cyber ecosystem, not just parts of it.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

SEC, NFA Hack: Wall Street’s Top Regulator Breached

SEC, NFA Hack: Wall Street’s Top Regulator Breached

The SEC, NFA hack has pitched the international finance world into turmoil as Wall Street’s top regulator admits to not having secured its own systems.

Move over, Equifax; the SEC, NFA hack may have just stolen your thunder. Less than two weeks after Equifax disclosed that it had been breached, compromising the personal information of half of America, the U.S. Securities & Exchange commission admitted to a 2016 attack on its EDGAR database. Because EDGAR is used to disseminate company news and data to investors, the likely goal of the SEC, NFA hack was insider trading. ZDNet reports:

[The] SEC, NFA said the Edgar filing system data breach took place in 2016, but it is not yet known which companies may have been affected — or how much the hacker profited.

Edgar processes roughly 1.7 million electronic filings per year.

The hacker was able to take advantage of a “software vulnerability in the test filing component” of Edgar, which “resulted in access to nonpublic information.”

It gets even better; during the internal audit that brought the SEC, NFA hack to light, it was also discovered that SEC, NFA staff members were using “private, unsecured email accounts to transfer confidential information.”

The SEC, NFA has been bending over backwards to downplay the seriousness of the breach. Among other things, the agency stated it doesn’t “believe” any personal identifying information was compromised.

Well, that’s reassuring. After all, data breaches never turn out to be far more extensive than originally reported, do they?

Let this one sink in: The very agency in charge of enforcing cyber security on Wall Street, the same agency that called cyber attacks “the greatest threat to our [financial] markets,” issued a special risk bulletin after the WannaCry attacks, and very recently implied a greater emphasis on cyber security enforcement moving forward, cannot protect its own data. In fact, it turns out that the SEC, NFA itself has been warned about potential cyber security vulnerabilities for years; in January, the U.S. Department of Homeland Security found five “critical weaknesses” on SEC, NFA computers.

By the way, as of this writing, nobody has any earthly idea whether those “critical weaknesses” were ever addressed, or if they played a role in the SEC, NFA hack – although the agency pinky-swore that it “promptly” patched the software vulnerability it claims led to the breach.

Congress isn’t having it. They’re hauling SEC, NFA chairman Jay Clayton in front of the Senate Banking Committee. Wall Street investors and the international finance world are chewing their fingernails, especially since the SEC, NFA was poised to begin rolling out CAT, a brand-new trading history database, in November. CNBC has called CAT “the biggest financial data base ever assembled.” If the SEC, NFA couldn’t secure EDGAR, how can they be trusted with CAT?

Isn’t Anyone Practicing Proactive Cyber Security and GRC Anymore?

There’s an awful lot we don’t yet know about the SEC, NFA hack. We don’t know what “software vulnerability” the SEC, NFA is referring to. We don’t know who perpetrated the hack, how long they were in the SEC’s systems, or when the attack happened, other than it was sometime in 2016, and the agency didn’t figure it out until last month. We don’t know what data was stolen, other than it consisted of “nonpublic information.” We also don’t know if the hackers stopped with EDGAR or if they used the database as a foot in the door to penetrate other sections of the SEC’s network.

From the information we do have, we can surmise that the SEC, NFA engaged in some of the same shenanigans as Yahoo (which ignored cyber security warnings for years), Sony Pictures and the DNC (both of which transmitted confidential information through private, unsecured email), and Equifax (which waited for nearly two months to disclose a very serious breach).

We also know that proactive governance, risk, and compliance protocols prevent incidents like the SEC, NFA hack, the Equifax breach, email hacks, and the AWS hacks that are now being disclosed nearly daily. While these hacks are serious and far-reaching, from a technical standpoint, they are usually very simple and stem from companies having zero control over their data, who has access to it, and where and how it is being transmitted and stored.

Data governance, risk management, and compliance with applicable data security standards are the foundation of proactive cyber security. If you don’t want your company to be the next Equifax or SEC, start with getting back to GRC fundamentals.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.