One way to stop nefarious users from accessing your company's critical data in the cloud is to apply the OPSEC (Operations Security) methodology. This methodology's origins go back to the Vietnam War. Admiral Ulysses Sharp, Commander-in-Chief, Pacific established the Purple Dragon team to investigate how the adversary was able to get advance information on U.S. military operations.
At the end of the war, OPSEC was adopted in the private sector to determine how business competitors could obtain critical information. Competitors can observe in a friendly manner:
- What time, and how an executive goes to work;
- What time the executive gets home; and
- What cell phone or tablet the executive uses on way to work.
To protect critical information, OPSEC methodology uses analytic processes to:
- Identify critical information
- Analyze the threat
- Analyze your vulnerabilities
- Assess the risks
- Apply the countermeasures
1: Identify critical information
All classified material are critical. You need to decide which unclassified information you would send to or receive from the cloud is critical and should not be obtained by an adversary.
2: Analyze the threat
Find out which individuals, groups, or nation states might be your cloud adversaries. Analyze resources, knowledge, or capabilities they could use to get critical information. From the analysis, determine the threat level of getting critical information.
In a simplistic scenario, an adversary goes into a public coffee shop where his intended victim goes every morning at the same time during a work break. At a safe distance, the adversary turns on a small device hidden inside his coat to record loud conversations between the victim and his fellow workers. When the victim leaves to return to work, the adversary listens to the recording device and hears the product prices the victim downloaded from the cloud. Then the adversary offers competitive prices that his victim can't meet.
Since the adversary finds critical information very useful, the threat is rated as critical, meaning that the adversary has demonstrated both strong intent and high capability to act aggressively against friendly objectives.
If the adversary were not able to offer competitive prices, the critical information he obtained would not be useful. As a result, the threat rating is the lowest, meaning that the adversary doesn't have the intent or the capability to act against friendly or similar objectives.
3: Analyze your vulnerabilities
Analyze your organization's vulnerabilities from the point of view of multiple adversaries. Determine how the adversaries might use critical information to disrupt or defeat a friendly activity. The adversaries take advantage of inherent weaknesses of physical, email, and social engineering safeguards.
Rate each vulnerability on a scale from critical to low, using from the sample vulnerability rating criteria provided by the Interagency OPSEC Support Staff (IOSS).
- Criteria 1. A vulnerability is critical when it is proven that the vulnerability is exploitable by multiple adversaries.
- Criteria 2. A vulnerability is high when it is potentially exploitable by multiple adversaries.
- Criteria 3. A vulnerability is medium high when it is potentially exploitable by multiple adversaries with limited corroboration.
- Criteria 4. A vulnerability is medium when it is potentially exploitable by multiple adversaries with significant corroboration.
- Criteria 5. A vulnerability is medium low when it is potentially exploitable by one or two adversaries.
- Criteria 6. A vulnerability is low when the potential for exploitation is negligible.
4: Assess the risks
The higher the risk is, the greater the chance the vulnerabilities would get exploited, and the greater the resulting impact would have on your organization. Determine the risk on a scale from critical to low, as follows:
- Criteria 1. A risk is critical when an adversary has demonstrated they can exploit an existing vulnerability.
- Criteria 2. A risk is high when it is no doubt an adversary could exploit an existing vulnerability.
- Criteria 3. A risk is medium high when it is probable an adversary could exploit an existing vulnerability.
- Criteria 4: A risk is medium when it is possible an adversary could exploit an existing vulnerability.
- Criteria 5: A risk is medium low when it is unlikely an adversary could exploit an existing vulnerability. .
- Criteria 6: A risk is low when it is improbable an adversary would exploit an existing vulnerability.
5: Apply the countermeasures
A countermeasure is anything that effectively mitigates an adversary's ability to exploit vulnerabilities, according to the Operations Security Professional's Association. Apply cost-effective countermeasures to reduce the risk to low-impact level. The countermeasures for lowest risk are not necessary.
Repeat these steps, as necessary
If critical information, vulnerabilities, threat level, risk assessment, and countermeasures change over time, repeat the OPSEC analytic processes as outlined in this article.
Disclaimer: TechRepublic and CNET are CBS Interactive properties.
Judith M. Myerson is a Systems Engineering Consultant and Security Professional. She is the editor of Enterprise System Integration and the author of RFID in the Supply Chain. She has researched and published articles on a wide range of cloud computing topics, RFID, security, networking, and mobile. She was awarded a Master of Science degree in Engineering (Computer and Information Sciences). President of a toastmasters group, Judith was awarded her Advanced Communications Gold certificate. She is a member of The Operational Security Professional Association.