Python's most popular package manager is intent on securing the supply chain by requiring developers to enable two-factor authentication.

As part of the push to mandate two-factor authentication for critical projects, the Python Package Index will distribute 4,000 Google Titan security keys to developers.

PyPI, the largest package manager for Python libraries and software components, has decided to mandate two-factor authentication for maintainers of "critical" Python projects. Two-factor authentication must be enabled for developers to be able to publish, update, or modify their projects. This requirement would protect developers from account takeovers as a result of stolen credentials. There have been numerous instances of supply chain attacks where attackers took over code repositories and hijacked software libraries and modules hosted on popular package managers.

The "critical" designation is assigned to any PyPI project accounting for the top 1% of downloads over the past six months. According to the dashboard published by PyPI, over 3,800 PyPI projects and 8,200 user accounts have been identified as critical. There are currently 28,336 users who have voluntarily enabled two-factor authentication.

"Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users," PyPI's administrators announced.

The decision to mandate two-factor authentication is an attempt to improve the supply chain security of the Python ecosystem and echoes a similar decision by GitHub to mandate two-factor authentication earlier this year. Recognizing that attackers are increasingly targeting libraries on npm, PyPI's JavaScript equivalent, GitHub auto-enrolled maintainers of the top 100 npm packages with two-factor authentication back in February.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

PyPI Mandates 2FA, Plans Google Titan Key Giveaway

MINNEAPOLIS, July 12, 2022 /PRNewswire-PRWeb/ -- Core Security by HelpSystems, a leading provider of cyber threat solutions, today announced the addition of ransomware simulation to its penetration testing solution, Core Impact. Using an automated Rapid Pen Test, Core Impact users can now efficiently simulate a ransomware attack.

An Increased Need to Prepare for Ransomware Attacks

According to the 2022 Penetration Testing Report, ransomware is one of the top concerns for cybersecurity professionals. Also, a PhishLabs by HelpSystems report shows ransomware is booming, growing more than 100% year-over-year. The cost of ransomware attacks is also on the rise; the average ransom demand alone was $220,298 in 2021, with the recovery cost much steeper, averaging $1.8 million.

\- ADVERTISEMENT -

When employees open infected email attachments or click on malicious websites, they can inadvertently trigger a ransomware attack. With unwitting employees serving as one of the most common attack vectors, ransomware can be particularly difficult to avoid.

"Much like penetration testing, vulnerability management, and red teaming, ransomware simulation is an effective method of offensive (proactive) cybersecurity, helping organizations discover weaknesses before attackers find and exploit them," said Mark Bell, Managing Director of Infrastructure Protection at HelpSystems. "Adding ransomware simulation not only further enhances and centralizes the testing process, but helps employees better recognize ransomware infection methods. It can also uncover who is susceptible to these attacks, which can prompt additional training to teach employees how to be more vigilant before clicking another suspicious email.

"With ransomware here to stay, this simulation process should be considered a cybersecurity essential," said Bell. "The addition of ransomware simulation strengthens Core Impact's reputation as an all-in-one solution, providing multiple types of pen tests across vectors and other integrations."

For an in-depth demo of Core Impact and to see the ransomware simulation in action, visit: https://www.coresecurity.com/products/core-impact/demo-watch or visit: https://www.coresecurity.com/blog/core-impact-introduces-ransomware-simulation to learn more.

About HelpSystems  
HelpSystems is a software company focused on helping exceptional organizations secure and automate their operations. Our cybersecurity and automation software protects information and simplifies IT processes to give our customers peace of mind. We know security and IT transformation is a journey, not a destination. Let's move forward. Learn more at http://www.helpsystems.com.

Core Security by HelpSystems Introduces New Ransomware Simulator

July's security update included fixes for one actively exploited flaw, more than 30 bugs in Azure Site Recovery, and four privilege escalation bugs in Windows Print Spooler.

Microsoft today released patches for 84 vulnerabilities across its product categories, including one bug now actively exploited and four that the company rated as critical severity.

The July security update also includes fixes for four elevation of privilege vulnerabilities in the company's perennially buggy Windows Print Spooler technology, and more than 30 bugs in its Azure Site Recovery disaster recovery service. At least 12 of the 84 flaws disclosed today enable remote code execution, 11 were information disclosure-related, and four enable bypass of security features. Most of the remaining flaws enabled elevation of privilege.

**Priority One: CVE-2022-22047**

Security experts who reviewed Microsoft's latest update said the vulnerability that requires immediate attention is an elevation of privilege vulnerability (CVE-2022-22047) in the Windows Client Server Run-Time Subsystem (CSRSS) that is currently being exploited. Microsoft itself assessed the vulnerability as "Important," giving it a severity rating of 7.8 on a scale of 10. According to the company, the vulnerability — like every other bug in July's update — has not been publicly disclosed. Even so, Microsoft described the bug as being actively exploited, but did not provide any further information.

"The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target," an analysis on Trend Micro Zero Day Initiative's blog noted. "Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system." Attacks of this type often leverage macros, which is why Microsoft's recent decision to delay blocking all macros by default — like it announced in February — is disheartening, the blog noted.

Chris Goettl, vice president of product management for security products at Ivanti, says organizations should not be lulled by Microsoft's characterization of the flaw as important. The fact that attackers are actively exploiting the bug makes it a priority, he says. "Organizations prioritizing using legacy rating methods could miss prioritizing the urgency of the OS update this month," he says.

**Other Bugs That Need Urgent Attention**

Other bugs in Microsoft's July update that security experts described as priorities: CVE-2022-30216, CVE-2022-22038, CVE-2022-30221, and CVE-2022-30222.

CVE-2022-30216 is a low-complexity tampering vulnerability in Windows Server Service that would allow an authenticated attacker to remotely upload a certificate to the Server service. Microsoft described the vulnerability as one that is more likely to be exploited because it requires no user interaction and low-level privileges. "While this is listed at 'Tampering', an attacker who could install their own certificate on a target system could use this bug for various purposes, including code execution," Trend Micro's ZDI said. "Definitely test and deploy this patch quickly — especially to your critical servers.”

CVE-2022-22038 is a Remote Procedure Call Runtime remote code execution vulnerability that could allow an unauthenticated attack to execute malicious code on a vulnerable system. Microsoft identified the bug as being complex to exploit because it requires an attacker "to invest time in repeated exploitation attempts through sending constant or intermittent data." Trend Micro's ZDI assessed the bug as having properties that could potentially make it wormable. "If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly," the security vendor noted.

CVE-2022-30221 is a remote code execution vulnerability in the Windows Graphics Component. An attacker can exploit the vulnerability by convincing a user to connect to a malicious RDP server. An adversary who succeeds in doing that would be able to execute code in the context of the affected system's user, Microsoft said.

"On the surface, this one looks nasty," Kevin Breen, director of cyber threat research at Immersive Labs, said in emailed comments to Dark Reading. Microsoft has marked the vulnerability as less likely to be exploited because an attacker would need to first run a malicious RDP server and then convince a victim to connect to it. "This is not as far-fetched as it first sounds, as RDP shortcut files could be emailed to target victims, and these file types may not flag as malicious by email scanners and filters," Breen said.

CVE-2022-30222 is another remote code execution vulnerability — this time in the Windows Shell graphical user interface. The flaw allows an unauthenticated attacker to execute code on a vulnerable system by interacting with the login screen in a specific manner, Microsoft noted. Attacks targeting the flaw likely involve little complexity and no user interaction.

"Whilst this is titled as a Remote Code Execution vulnerability, the description suggests that this is actually a Local Code Execution vulnerability," Breen said. It appears the flaw would allow an attacker to run arbitrary command from the login page as authentication is not required, he noted. "Microsoft has suggested this is less likely to be exploited. But if you use RDP, definitely prioritize this patch," Breen said.

**Windows Print Spooler Flaws Make a Comeback**

Microsoft's July update also contains fixes for four flaws in Windows Print Spooler (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226). Flaws in Print Spooler have been a major problem for Windows users in recent years. One of the most notable recent flaws in the technology was PrintNightmare, a remote code execution bug that affected all Windows versions and prompted an advisory from the US government and others on the need for organizations to address it urgently.

"We have seen a steady stream of vulnerability disclosures in the Print Spooler Service since the original PrintNightmare flaws were disclosed in June (CVE-2021-1675) and early July of 2021 (CVE-2021-34527)," said Satnam Narang, senior staff research engineer at Tenable, in comments emailed to Dark Reading. The flaws that Microsoft has addressed in the technology are elevation of privilege flaws, which provide attackers the ability to gain system-level privileges on vulnerable systems, he said.

The risk with these four fixes is the potential to impact print functionality, Ivanti's Goettl says.

"Since PrintNightmare, there have been many Print Spooler fixes, and in more than one of those patch Tuesday events, the changes have resulted in operational impacts," he says. "This makes administrators a little gun-shy and warrants some extra testing to ensure no negative issues occur in their organization."

**Surfeit of Azure Site Recovery Bugs**

Goettl says Microsoft resolved 33 vulnerabilities in Azure Site Recovery that could allow attackers to take a variety of actions including remote code execution, privilege escalation, and information-stealing. None of the vulnerabilities have been publicly disclosed or are currently being exploited, but the concern is in the number of vulnerabilities that were fixed, Goettl notes. "They were identified by several independent researchers and anonymous parties, which means the knowledge of how to exploit these vulnerabilities is a bit more broadly distributed," he says.

And, resolution of these flaws is not simple: It requires signing into each process server as an administrator, then downloading and installing the latest version. "Vulnerabilities like this are often easy to lose track of, as they are not managed by the typical patch management process," he notes.

Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now

LONDON and BOSTON - July 12, 2022- Privitar, the leader in modern data provisioning, today announced it has acquired Kormoon, a software platform that helps organizations manage the complexities of data privacy regulations by analyzing data usage, assessing risk, and automating compliance. Kormoon’s powerful technology will be used to extend the functionality of Privitar’s market-leading data privacy and provisioning offerings, adding new capabilities to quickly enable organizations to understand and comply with the rules governing data.

“Using data in a lawful and compliant way is often complicated, slow, and expensive. Navigating the complex web of data privacy, data sovereignty, and industry-specific regulations is incredibly challenging,” said Jason du Preez, CEO and co-founder of Privitar. “With the acquisition of Kormoon, Privitar is reinforcing our commitment to helping organizations use all of their data safely, ethically and in a compliant manner. Kormoon makes navigating data compliance incredibly simple. By combining Kormoon with Privitar’s world-class data privacy and modern data provisioning solutions, we are enabling data executives to streamline and automate compliance to ever-changing privacy rules and regulations.”

Kormoon calculates, communicates, and automates the steps to comply with relevant data rules including data privacy and protection, data localization, and cross-border transfer requirements. These include data compliance rules and requirements from around the world including Europe’s GDPR, Brazil’s LGPD, USA’s HIPAA and CCPA, and also new and emerging laws in countries such as the UAE, Saudi Arabia, China, India, and beyond. Combining powerful automation technology and inputs from expert advisors to assess an organization's level of risk, the Kormoon solution provides a simplified workflow to ensure requirements are met. Kormoon’s prescriptive guidance makes it simple for users to provide details about the data an organization collects, where they collect, access, and use it, and the data’s purpose, then recommends clear steps and actions for achieving data compliance.

“Kormoon's platform aims to improve time and cost efficiency of providing data privacy and protection advice to businesses worldwide. We help organizations understand and keep on top of data compliance rules by providing them with a simple workflow, access to regularly updated knowledge, and a cost-effective way to understand what it is that they need to do,” said Paul McCormack, founder of Kormoon. “By uniting with Privitar, we are empowering organizations with a one-stop-shop that ensures that their data is safe, compliant, and accessible for decision making.”

**About Privitar**

Privitar empowers organizations to use their data safely and ethically. Our modern data provisioning solution builds collaborative workflows and policy-based data privacy and access controls into data operations. Only Privitar has the right combination of technology, domain expertise, and best practices to support data-driven innovation while navigating regulations and protecting customer trust.

Founded in 2014, Privitar is headquartered in London, with regional headquarters in Boston and locations throughout the US and Europe. For more information, visit www.privitar.com.

**About Kormoon**

Kormoon is a software platform that calculates, communicates, and automates the steps professionals need to take to comply with relevant data rules, including data privacy and protection, data localization, and cross-border transfer requirements.

Privitar Announces Kormoon Acquisition, Extending Data Privacy and Provisioning Capabilities

Data quality is key in an effective TDIR solution. Omdia's threat detection data life cycle highlights the considerations for effective data-driven threat detection.

Threat detection, investigation, and response (TDIR) solutions all rely on data to deliver accurate, consistent, and performant threat detection, prioritization, and analysis. Enterprises need good data from the right places, refined and applied in the right ways, to detect and ultimately mitigate threats.

For that reason, Omdia believes taking a data-driven life-cycle approach is the best strategy to ensure data-related elements of the TDIR process are effective.

Below is a brief review of the steps in the Omdia threat detection data life cycle, a multistage process through which enterprise cybersecurity operations (SecOps) leaders may consider the tactical implications of how data is utilized by their TDIR solutions for the purpose of threat detection.

*   **Acquisition:** Identify the relevant data types or sources pertinent to the threat detection process, confirm the location of the data, and identify the steps for acquiring this data, both technical and business.
*   **Ingestion:** Threat detection data must be confirmed as valid and permitted for the system where it will be utilized, and then ingested in streaming real-time mode or batched and ingested at intervals based on different factors.
*   **Processing:** Unprocessed logs are analyzed in detail to determine key characteristics, such as origin, source format or schema, and data values or elements. It is often necessary to reformat or parse the logs into a preferred format to ensure consistency and accelerate other steps in the life cycle. After parsing, data is validated to ensure it conforms to system parameters.
*   **Normalization:** Unnecessary, and redundant data is deduplicated, reduced, and/or removed; new solution-specific fields are added, and the output is further standardized with common metadata classifiers. Logs that enter the system with significant variances are adjusted to appear similar.
*   **Bypassing normalization:** Some threat detection data systems intentionally do not conduct a normalization stage. In this scenario, the normalization step is skipped, and data moves directly from processing into categorization.
*   **Categorization:** The contents of the data are further examined to identify which established system attributes should be assigned to the data. The purpose of categorization is to delineate the contextual relevance of the data during subsequent analysis.
*   **Enrichment:** New data is augmented with additional data attributes that add context or create logical connections to other data, system-defined attributes, or events. In nearly all instances effective enrichment is driven at least in part by analytics, technology that analyzes data over time, identifies patterns in the data, and creates a baseline of so-called "normal" or expected activity for a given use case.
*   **Indexing:** Data is added to an index that denotes where it is located within the storage system. An index exists to optimize the performance of the system when the data is accessed.
*   **Storage:** Data then enters the storage phase, typically for a definite period, based on policy. Contemporary TDIR solutions increasingly rely on cloud-based data-lake technology, residing either directly in a public cloud environment or in a third-party environment managed by the vendor or provider.
*   **Analysis:** Once added to the dataset, data is analyzed on an ongoing basis. Many TDIR solutions reanalyze the existing dataset when new data is added. Analysis also occurs on a per query basis, as well as for proactive threat hunting.
*   **Valuation:** Process by which the business value of all lifecycle data is evaluated on an ongoing basis in support of TDIR process improvement or desired business outcomes.

Omdia believes achieving different, better results from TDIR requires the implementation of different, better approaches within the threat detection data life cycle.

Though there are inherent challenges with the life cycle, especially in the areas of data processing and normalization, there are also fascinating innovations taking root, particularly customized categorization schemas (nonstandard indexing to accelerated data analysis) and security data lake-houses (storage environments that combine the best of data lakes and data warehouse).

Regardless, a process-centric approach to the threat detection data life cycle with careful attention to detail will provide better, more consistent TDIR results, and set the stage for further data life-cycle innovation.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Understanding the Omdia Threat Detection Data Life Cycle

Several pieces of Black Hat USA research will explore container design weaknesses and escalation of privilege attacks that can lead to container escapes.

In what's shaping up to be a summer of container escapes, a pair of talks slated for Black Hat USA next month will explore the kinds of architectural weaknesses in operating systems and in container platforms that can make it easy for attackers break down the barriers of container isolation and run roughshod over cloud infrastructure.

In one talk, "The COW (Container on Window) Who Escaped the Silo," the research will explore the inherent security architectural design problems in the way that Windows containers are isolated from the real host settings. Eran Segal, research team leader of SafeBreach, says he will delve into the technical details that show how Windows kernel architecture isn't built to handle containers with the same kind of native security capabilities as Linux kernel architecture. Some of the workarounds Windows has built in response to implement containers leaves Windows containers open to attack.

"Windows containers isolated as 'process isolation' are not isolated well and it is possible to impact the host from inside," Segal explains.

He's saving the technical details for his Black Hat presentation, but offers a tease that his demonstration will show how an attacker can create a malicious container with low privileges that can communicate with other containers and start wreaking havoc on the host.

"I can't share it before the talk, but I can say that I'll gain a permissions system inside the container, cause a DoS to the host, and manage to access the entire kernel memory, and it is highly possible that the kernel memory contains passwords," Segal says.

He hopes that the discussion will offer security practitioners and fellow researchers a glimpse into the mechanics behind how Windows containers are built, the vulnerabilities he found with them, and how to start rooting out flaws similar to the ones he'll recap.

"They will learn about the internals of process isolated Windows containers, the internals of the vulnerabilities I found, and a recipe for finding additional vulnerabilities such as the ones I found," he says.

**Attack Techniques**

The exploration of container escapes like the one Segal will demonstrate is not a new field of security research, but it is one that has been heating up considerably of late. Just last month at RSA Conference, executives with CrowdStrike detailed attack techniques that could take advantage of a bug they discovered in March in the CRI-O container engine that underpins Kubernetes. That demonstration showed how this cr8escape bug could be used by attackers to escape containers and gain root access on the host.

And last week, news broke of a flaw dubbed FabricScape that posed serious container escape risk from Linux containers within Microsoft's Azure Service Fabric technology. Discovered by security researchers from Palo Alto Networks, details of the flaw were released last week as a follow-on to Microsoft's patch that fixed the issue on June 14. The vulnerability was in a logging function with high privileges in Service Fabric's Data Collection Agent (DCA).

"The vulnerability could allow malicious actors to take over Linux hosting environments. It allows a compromised container to escape and take over the cluster running it," wrote Aviv Sasson and Ariel Zelivanski of Palo Alto's Unit 42 research team. “Containers could become malicious if they are broken into through either a known vulnerability or zero-day vulnerability, or through a supply-chain attack such as typosquatting or a malicious package."

Unit 42 researchers have been on a tear with container escape research this summer. A pair of researchers from the team, Yuval Avrahami and Shaul Ben Hai, will present the other big container escape talk at Black Hat next month. "Kubernetes Privilege Escalation: Container Escape == Cluster Admin?" will take a deep dive look into how attackers can abuse service account tokens in system pods to turn a single container escape into an attack that can take over an entire Kubernetes cluster. The researchers also will also present tools to help discover these pods within infrastructure and identify privilege escalation paths in a cluster. That will help security defenders better harden their container infrastructure from escapes and broader escalation of privileges on the host.

Don't Have a COW: Containers on Windows and Other Container-Escape Research

New data from security training provider shows half of untrained users in consulting, energy, and healthcare industries fall for phishing attacks.

Phishing attacks just won't die, and new data underscores their effectiveness among users who have not been provided security awareness training.

According to data pulled from security awareness training provider KnowBe4's clients, 32.4% of users will fall for a phish — clicking on a link or following a phony request — if those users have not had any official training. The disconnect is worse in some industry sectors, including consulting, energy and utilities, and healthcare and pharmaceuticals, where half of all untrained users fall for phishing attacks.

The data was pulled from 23.4 million simulated phishing tests conducted at more than 30,000 organizations, encompassing some 9.5 million users. According to KnowBe4, 90 days after monthly or more training, the number of phishing test fails dropped to around 17.6%, and to 5% after one year of regular awareness training.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

One-Third of Users Without Security Awareness Training Click on Phishing URLs

Chief information risk officers must have a keen understanding of — and interaction with — the business.

Twenty-five years ago, when I was the chief information security officer for Visa, my role was very technically focused. Times have changed, however, and so have the objectives that guided CISOs in the past. The CISO role is becoming broader and more complex. To address the evolving cybersecurity threat landscape, the role requires a deep understanding of risk and strong business acumen, as well as a firm grasp of what's important to the success of the business. Some have started calling this new brand of security leader the chief information risk officer, or CIRO.

There are five unique traits that CIROs will need to develop to differentiate themselves from their CISO predecessors and stay relevant in modern times.

**1\. CIROs Are Mission-Aligned**

CIROs will align their security mission with that of the broader business. To do that, CIROs must demonstrate keen awareness of the organization's value chain. When I'm doing CISO coaching, one of the first things I ask is, "What are the three goals your CEO has set for the year?" You'd be surprised how many don't know — and I think that information is absolutely essential for any security leader going forward. CIROs must tie their program back to the objectives the CEO has set for the year. How will the team help grow the business? If there are mergers and acquisitions coming up, how can security contribute to a safe and successful transaction?

**2\. CIROs Make and Own Their Decisions**

Modernity is all about developing critical thinking skills, as well as engagement with executive management. CIROs will spend more time managing up than managing down. They should be empathetic and transparent in their interactions, and own their decisions. I was a security leader in very large companies. I had a great middle management team that could manage the day-to-day workers or the operational side. My goal was more to manage the organization from the top down. I had to make great decisions and stick to those decisions, adjusting when necessary. No decision is perfect, but indecision is far worse. It's all part of being agile.

**3\. CIROs Value People  
**

The CIRO role requires the ability to manage people, mentoring them over time to develop their skills and responsibilities. CIROs also need to earn and maintain trust. Good CIROs have and understand people skills; great CIROs will master them.

**4\. CIROs Measure What Matters  
**

A CISO today might say, "We blocked 10 billion spam attempts last year." That's a really impressive number — too bad it doesn't really matter. CIROs need a short list of metrics that matter. And what matters is being able to communicate the value of the security program and to demonstrate that progress is being made quarter over quarter. CIROs must strive for continuous improvement and have numbers that back up their teams' efforts.

**5\. CIROs Are Part of a Community  
**

CIROs need to make sure they're talking to and working with all the different business lines within the company, but also with industry peers, partners, and third-party organizations. And, as industry leaders, CIROs should give back and participate in support groups like the Security Advisor Alliance. The benefits go both ways, of course, as this kind of collaboration helps CIROs better understand what's going on in the broader security industry.

**Security Evolution Starts at the Top  
**

Whether the title is CIRO, CISO, or something else entirely, the next generation of security leaders will be fluent in business. They will understand the adaptive strategies and initiatives that drive the business. They will be comfortable communicating with other executives across the organization to expand that understanding. And they will make efforts to map their risk management program back to those objectives. Tighter integration between security and business is coming, and that shared culture will help security teams know what they need to protect and how they can do a better job of protecting it.

5 Traits That Differentiate CISOs From CIROs

NEW YORK, July 11, 2022 /PRNewswire/ -- To help organizations adopt zero trust more quickly and efficiently, Deloitte is launching a new managed service – Zero Trust Access— that offers a cloud-native approach to securing communications between users, on any device, and enterprise applications, wherever they may reside.

The Zero Trust concept commits to removing implicit trust within an information technology (IT) ecosystem and replacing it with a risk-based approach to accessing organizational resources across identities, workloads, data, networks and devices. This trend is gaining momentum, given legacy approaches to security architecture are no longer suitable to secure the ubiquitous nature of the modern enterprise.

Part of the newly expanded Zero Trust by Deloitte, Zero Trust Access facilitates zero trust adoption and the evolving needs of organizations in protecting their applications, infrastructure, and data. Following the integration of recently acquired talent and technology into existing Deloitte services, the Zero Trust Access managed service connects users to applications through a frictionless cloud-native solution that is inherently scalable, resilient, agile, and secure. Further, the managed service is available standalone, integrated with other Deloitte offerings, or as part of a broader solution leveraging technologies from Deloitte's alliances ecosystem.

"As perimeter-based approaches are no longer suitable to secure the modern enterprise, many organizations are working to enhance protection for their IT ecosystems via zero trust," said Andrew Rafla, Deloitte Risk & Financial Advisory's zero trust offering leader and principal, Deloitte & Touche LLP. "Zero Trust Access was built as a turnkey managed service helping ourselves and our clients accelerate adoption of this transformative security framework. Our goal was to create a cost-effective solution that can be delivered standalone or complementary to a broader ecosystem and ultimately help decrease the burden on IT and security teams who likely need to manage multiple heterogenous solutions to achieve similar outcomes."

With innovative data protection leveraging device-level secure microcontainer technology, Zero Trust Access helps protect infrastructure while also enabling organizations to protect sensitive enterprise data and enforce least privilege through dynamic access control to enterprise assets. The managed service can replace remote access solutions inclusive of virtual private network (VPN), virtual desktop infrastructure (VDI), and desktop as a service (DaaS), all of which typically require significant capital expenditure for infrastructure, high operating costs, and technology management overhead.

Zero Trust Access includes features such as ephemeral connectivity built upon secure peer-to-peer (P2P) communication, conditional access and continuous authorization, as well as robust data protection for data at-rest, in-use, and in-transit are consistently applied to each session, regardless of the type or location of the applications being accessed (e.g., legacy hosted applications, software as a service (SaaS), thick-client, web-based applications). Implementation of Zero Trust Access can help organizations leverage outcome-based solutions that improve business agility, enhance user productivity, and reduce cost and complexity of security operations.

"Beginning zero trust adoption isn't simple, fast or easy for most organizations," Deborah Golden, Deloitte Risk & Financial Advisory Cyber and Strategic Risk leader and principal, Deloitte & Touche LLP. "We're launching Zero Trust Access as the first in many adoption-enabling services and solutions to come, so that our clients are better able to modernize their security programs, enable agile operations and confidently advance with emerging technologies and transformative risk management principles that can build more resilient security practices."

**About Deloitte**

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today's marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's more than 345,000 people worldwide connect for impact at www.deloitte.com.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

SOURCE Deloitte

Deloitte Launches Zero Trust Access, a New Managed Security Service

Whether data's in motion, at rest, or in use, confidential computing makes moving workloads to the public cloud safer, and can enhance data security in other deployments.

It's a question every enterprise faces: How comfortable do we feel moving sensitive data to the cloud, bearing in mind the associated security and privacy risks?

Though global cloud adoption is expanding rapidly, security and privacy remain top concerns. For example, the Cloud Security Alliance survey last year showed security and privacy to be the leading worry for 58% of 1,900 professionals involved in cloud deployments.

That is why inside many companies, tension continues to simmer between development shops that see the scalable, flexible public cloud as an ideal innovation engine and security gatekeepers whose risk intolerance has earned them a reputation as the Department of No.

But what if organizations could have greater assurance that their data is protected from hackers and other prying eyes? What if reluctance about moving sensitive data to the cloud was alleviated?

Such is the promise of an emerging shift in data security: confidential computing.

Confidential computing not only reassures enterprises about the safety of moving more of their workloads to the public cloud, it also can enhance data security in any type of deployment and offer a host of business benefits.

An explanation of what confidential computing is must start with a description of the three stages of the data life cycle.

**Data in Motion**

When users send data, it is encrypted while transmitting across networks. Whether the user is someone in a company sending data to the cloud or a consumer sharing their credit card information with an online retailer, that's true. Standardized encryption technologies such as TLS protect the data during its journey.

**Data at Rest**

This is the designation for passive data that is not being computed on and is sitting in storage — records in databases, files on hard disks, etc. Organizations use disk encryption and other security technologies to safeguard data at rest.

**Data in Use**

This is where data is computed-on in some way. To do that, data must first be moved from the hard disk into system memory — aka RAM — and become unencrypted. At this stage, data becomes vulnerable to compromise due to a potential vulnerability within the millions lines of code that comprise the cloud provider’s system software operating system, hypervisor, firmware, or a cloud administrator. This is a large attack surface, and this is what consumers who move their confidential data from an on-premises setup to a public cloud worry about.

Confidential computing is an extra layer of security that extends encryption protection to data during runtime. It achieves this by running workloads in isolated hardware-encrypted environments, or trusted execution environments, that prevent unauthorized access or modification of applications and data while in use.

This eases a set of potential security threats in moving data to the cloud, such as a hypervisor vulnerability allowing other virtual machines to leak private data, or a rogue cloud provider employee with access to a company's physical machine backdooring a workflow.

There's a lot of industry buzz about confidential computing for a few reasons. The first is obvious: The rising number of cyberattacks is spurring a need for better data security.

Second, technologies that enable confidential computing, such as security features in operating systems and on CPUs, have achieved industrial strength, as with AMD-SEV and Intel SGX.

Third, the major public cloud providers, in particular Google Cloud Platform and Microsoft Azure, have been beefing up their confidential computing capabilities.

A note on that third point: Though much of the discussion about confidential computing has centered on its usefulness in securing sensitive data as it moves to the public cloud, its advantages are equally compelling and relevant for protecting data in use in many more environments, namely edge and on-premises deployments.

The space keeps heating up. For example, in May, AMD announced new confidential computing virtual machines for Google Cloud.

Confidential computing also has the support of a project community at the Linux Foundation, with commitments from nearly 40 member organizations and contributions from several open source projects.

Confidential computing has significant real-world benefits. Take financial services, for example. In that industry, business processes such as anti-money laundering and fraud detection require financial institutions to share data with external parties.

With confidential computing, they can process data from multiple sources without exposing customers' personal data. They can run analytics on the combined data sets to, say, detect the movement of money by one user among multiple banks, without introducing security and privacy problems.

By unlocking data computing scenarios that weren't possible before, confidential computing should be an important security and privacy advance for years to come.

Source

DARKReading