Security Operations in the Cloud – the AXA experience – Webinar 24 June 2020
24 June 2020 – Cyber Security Coalition
How do you make solid security a valued companion on a cloudification journey? In the fifth webinar of the Cloud Security focus group, Mathias Claes, Information Security Officer at AXA Belgium, chronicled the process of introducing cloud services such as Azure and Amazon AWS into the transformation of AXA’s IT solutions, including solid advice on ‘do’s’ and ‘don’ts’.
As consumption of cloud services will undeniably explode, AXA instituted a cloud strategy based on group-wide input and a broad study of attackers’ opportunities (e.g. leaks of cloud credentials). It requires changes in the security approach, in security event management and in culture (with security brought close to DevOps). He described the necessary organisational changes, based on the principle of “you build it, you run it, you secure it!”, in which a cloudification team supports the product teams. He presented a simplified evaluation flow for AWS as an illustration of how things work in practice.
From a security point of view, he listed several key controls that need extra consideration (IAM, auditing, networking, monitoring and backup), as well as the need to define a minimum technical security baseline (mapped onto the ISO 27K framework at AXA).
Obviously, there are still plenty of challenges ahead, in particular the need to acquire additional overall cloud expertise (e.g. regarding incident handling), including the skills to manage multiple clouds well. Companies must also find a balance between speed and control, preventing projects from going too far without considering security aspects. Importantly, one must firmly resist exceptions being made.
Finally, Mathias Claes listed several helpful resources from ENISA, the Cloud Security Alliance, Azure (e.g. the Azure Security Compass) and AWS.