Industry News Round-up – Cloud Security

Today let’s look at some recent articles around cloud security, including SoftLayer in the film industry, making cloud security less “foggy” and state cloud priorities.

SoftLayer in the Movies

Ever underestimate your server needs and then think, “now what?” Darlyn Pereira gives an example on Thoughts on Cloud. In his example, a visual effects post-production company underestimated capacity by 50% and called their service provider looking for a solution – a solution within 3 days. The service provider looked to IBM’s SoftLayer. SoftLayer provided them the latency, scalability and flexibility they needed while also meeting the company’s security goals. Mr. Pereira explains, “The SoftLayer solution safeguards the visual effects company’s intellectual property. After the business finishes using SoftLayer servers during its busy season and scales back its infrastructure, the servers are scrubbed and the customer receives certificates attesting to the removal and destruction of all data.” SoftLayer is making a difference “backstage,” so to speak, in the film industry.

Remove the “fog” from your cloud security

“Cloud environments present both unique IT outsourcing opportunities and considerable cloud security challenges that promise to change the economics of how you manage your resources,” writes Stephanie Stack of IBM’s Security Intelligence. In fact, your company may be exposed to more cloud than you think through employee use of public cloud services (with or without permission), mobile device use and shadow IT. Industry expert G. Mark Hardy recommends developing a defined protocol for cloud security and even creating a centralized team, known as a security operations center (SOC). What he doesn’t recommend is operating “ad hoc” in a cloud world. Take time today to think about where you are in terms of your cloud security management. Are you also managing in an ad hoc way? What would it take to centralize and formalize your cloud security?

Public Sector Cloud Priorities

According to Kenneth Corbin of Thoughts on Cloud, “In a recent survey, state CIOs named security and risk management as their chief priority for 2016, followed by developing a framework for implementing cloud services.” Data security at all levels has actually been a top priority for survey takers for the past three years and also plays a role in their cloud adoption. Mr. Corbin reports that more states have moved beyond “if” when it comes to adopting cloud to “how.” Another trend: state CIOs are moving away from the mindset of having to provide every service and are considering cloud services as a way to improve overall operations.

What cloud security conversations and questions are popping up in your organization?

Applying a Datacentric Security Model to Cloud

Vinay Wagh of The Datacenter Journal recently discussed why “secure public cloud” is not an oxymoron. In his article he points out that cloud data security is still a large barrier for many enterprises.

Traditionally security has been all about physical control, but that is not the case in the world of cloud. Mr. Wagh comments, “security and IT organizations must come to terms with the fact that they no longer have direct control over the physical infrastructure of their cloud operators when it comes to securing their assets, apps and—most important—data that is now distributed among private cloud, public cloud, SaaS, PaaS, IaaS and MSP environments accessed by millions of end points.” Not only is data distributed but cloud service providers and enterprises work in a shared-responsibility model.

Mr. Wagh prescribes a datacentric security model for cloud data management. He highlights the following capabilities needed for this cloud data security model:

  • Ability to create an independent virtualization layer that isolates applications and data from other tenants
  • Ability to enforce security policies across any boundary consistently
  • Ability to offer programmability, which Mr. Wagh defines as “essential security services—such as automated network configuration policies to ensure that no resources can ever be launched in an Internet-facing mode—must be logically “baked into” software. Doing so ensures that all data is opaque and inaccessible, even to the underlying public-cloud provider, while still allowing enterprises to fully employ the capacity offered by cloud operators”
  • Ability to offer always on, always enforced security measures that are in many ways transparent to the user
  • Ability to define and establish “trust anchors” that allow the enterprise to enforce security across platforms

Mr. Wagh summarizes, “security measures must move with the data while giving enterprises full independence from the underlying infrastructure provided by cloud service providers. In addition, these security measures must provide cloud customers with a root of trust under their direct control, as well as consistent security policies regardless of where data resides.”

Share your thoughts.

Data Security Tips

Data security, both on-premises and in the cloud, is an important topic in the news. Today let’s take a look at a couple of viewpoints to help better protect your data.

Mr. Sameer Bhatia provides tips to better ensure security within your cloud computing system for Data Center Knowledge:

  • Strong data security features. Mr. Bhatia writes, “Your cloud system must be designed to utilize antivirus programs, encryption controls and other features that help protect data.” You must have transparency and be able to monitor the inflow and outflow of your data.
  • Cloud backup. Be sure to understand when and where the cloud backup will take place and who is responsible for executing it.
  • Testing. Just like with a disaster recovery plan, it is important that you periodically test your cloud security systems to ensure they are operating correctly. Mr. Bhatia even points to hiring ethical hackers that use hacking activities to help identify weak points.
  • Tiers of data access. Even in a small company not all people should have access to all data. Think through who needs what data to get their jobs done well and ensure your systems can handle different types of data access.

In another article Sue Poremba of Forbes talks about ways to improve your data security policies:

  • If you have a data security policy in place make sure it is “fluid” – reviewed and changed as needed to deal with upgraded systems and new threats
  • Make sure your data security policy is simple and automate data security guards when possible
  • Policy makers should be in tune with actual cloud, BYOD and other data and networking services use within the company
  • Don’t forget security threats are both external and internal. Too often we might be focused on someone “getting in” but many times breaches are caused by simple human error on the inside.

She adds, “true, a security policy won’t prevent a data breach or other cyber security incident. But having an information security policy will help ensure that employees better understand their role in preventing (or causing) a data breach, and make certain there is a plan in place in case the worst happens.”

Share what tips and steps are working well at your company to ensure a more secure data environment.

Common Security Awareness Mistakes

Taylor Armerding writes for Network World, “To err is human, but to err in cyber security can cause major damage to an organization. It will never be possible to be perfect, but major improvement is possible, just by being aware of some of the most common mistakes and their consequences.” In his article he highlights nine common security awareness mistakes:

  • Falling for phishing scams
  • Unauthorized cloud use (shadow IT)
  • Weak or misused passwords
  • Transferring company files to a personal computer
  • Disabling security controls
  • Posting too much on social media channels
  • Poor mobile security
  • Too many network privileges
  • Failure to update or patch software

To avoid making these common mistakes, first think about training. Do employees understand what phishing scams are? Do they know it is OK to call IT if they suspect or have a question about a particular link or email? Do your employees understand the very real risks of a weak password or of sharing or reusing passwords? Is your training just once a year – a couple of click-through slides – or is it ongoing and engaging? Security training for employees should be a regular event and delivered in multiple formats. Keeping company data and systems secure is not just the job of IT; all employees are on the front lines when it comes to security.

Next, balance the need for speed versus the need for security. All too often, security mistakes such as shadow IT, personal computer use, poor mobile security and disabling security controls are made in the name of speed or ease of use. Unfortunately, they can weaken your company’s security. It is important to have open dialogues between IT and business and end users. IT needs to be open to the concerns of end users and the “headaches” they are facing. End users need to be aware of the security risks and potential fallout. Developing a true “partnership” between IT and end users will help to mitigate many of these common security mistakes.

With Experience: Changing Cloud Concerns

Joe McKendrick, a contributor to Forbes Magazine, published an interesting article titled “Cloud Security Fears Diminish with Experience, Survey Shows.” Here is what he found:

A survey of 1000+ companies – 25% had no cloud experience and 22% were experienced cloud users – showed that one third of respondents who do not use cloud computing cite security as their top concern. But the survey found that as users gained more experience with the cloud, security moved further down the list of concerns – in fact moving to 5th place. Mr. McKendrick writes, “The reduced concern about security reflects a comfort level that increases as the time spent with cloud engagements increases. That doesn’t mean slacking off on security, of course — ultimately, security is the responsibility of the end-user company.”

For the respondents that have more experience with cloud computing, the survey found that compliance, cost and performance are top concerns as well as the challenges with managing multiple cloud services.

The survey also found that respondents are seeing cloud benefits more clearly in 2014 than in the previous year’s survey:

  • Higher availability, 48% reported this as a benefit in 2014 vs 41% in 2013
  • Geographic reach, 37% in 2014 vs 32% in 2013
  • Cost savings, 34% in 2014 vs 30% in 2013
  • Business continuity, 34% in 2014 vs 28% in 2013

Have you piloted a cloud project or implemented at full scale? Share what learnings you have gained from the experience.