Cloud computing is on the rise, but with it comes new fears about data security. Cybercriminals are always looking for an in, so cloud services constantly need to stay ahead of potential vulnerabilities.
Nothing has driven that point home more than a flurry of recent high-profile breaches. Because cloud computing comes with many advantages, including cost, ease and convenience, companies have an incentive to find security solutions, but it’s a daunting challenge.
In this week’s Discussion Point we ask experts to weigh in about the risks versus benefits of the cloud. Is true cloud security an unattainable dream?
How safe is the cloud? With all the advances in cloud technology, what can enterprises do to ensure safety/privacy of important business information?
Rajiv Gupta, CEO, Skyhigh Networks
Gupta is co-founder and CEO of Skyhigh Networks, a provider of cloud security software. He has more than 20 years of enterprise software and security experience. He was previously the vice president and general manager of the Policy Management Business Unit at Cisco and also spent time with Securent Inc., Confluent Software and Hewlett-Packard. With more than 45 patents to his name, he is the inventor or co-inventor of some of the seminal concepts that underpin web services.
Is a car safe? It depends how you drive. We may have been safer before there were cars, but we couldn’t get to the hospital as fast. Similarly, companies need the cloud. It is not feasible to create an environment that is completely sealed off from the cloud in today’s workplace. The question then becomes: How do we proactively enable secure cloud usage rather than just say “no” and watch employees go around IT?
Here are four recommendations based on information gathered from more than 200 customers.
First, take a user-centric approach to IT to understand employees’ needs and enable the use of cloud service while providing seamless and transparent security. Security needs to be frictionless and not require users to change their behavior. The moment you add friction, for example by requiring employees to install agents, it will backfire. Employees have no patience for friction and will simply find a way around it.
Second, there is only requisite security. Policies must be granular and vary based on data type. Not all data belongs under lock and key. In fact, security can limit business functionality. Security professionals prioritize data security according to risk appetite to ensure the most sensitive data – for example, sensitive data such as social security numbers – is kept under lock and key.
Third, the silver bullet security tool is a fallacy. Enterprises employ a range of security tools, including emerging technologies like next-generation firewalls, cloud access security brokers, and single sign-on solutions. This also heightens the importance of a corporate remediation strategy. Companies are leveraging big data analytics in their breach response protocols to minimize damage in the event of a breach.
Finally, user education is just as important as, if not more important than, any security software. The iCloud breach was due to stolen credentials, not the security of the cloud. Informing employees of best practices on password strength, multi-factor authentication, and phishing techniques is integral to any cloud security strategy.
Jeff Boehm, Vice President of Marketing, DataGravity
Boehm is responsible for marketing at DataGravity, a storage and data management company. He blends more than 20 years of experience in marketing and organizational leadership with a technical background. He previously worked in business intelligence and search markets for several industry pioneers and disrupters. His specialties include product and market strategy, positioning, branding and pricing, social media and traditional public relations, and multichannel sales development.
With today’s advances in cloud technology and the plethora of data being created, data security is more important than ever. To ensure the safety and privacy of business information, organizations need to understand how and where their data is being stored and who controls it. Organizations need to be confident that security and compliance concerns are addressed early, ideally right at the point of storage — rather than relying on separate applications that may or may not be well integrated with where the data resides. Data-aware or intelligent storage platforms help IT teams and business users provide the critical governance oversight to address security concerns, and discover data insights as the data is being ingested.
At the end of the day, to maintain security as data moves to and from the cloud, data governance must be enacted within storage environments. This will allow organizations to be agile and adjust to changing protocols and nuanced security and compliance rules. Therefore, companies must be vigilant, testing and reviewing security constantly so they can identify and address risks before someone else does.
Ryan Kalember, Chief Product Officer, WatchDox
Kalember has 14 years of experience in a variety of information security roles in the US and abroad. Before WatchDox, he ran solutions across HP’s portfolio of security products and was director of products at ArcSight before its acquisition by HP. He also worked for VeriSign and was one of the founding members of Guardent’s consulting practice. Before joining Guardent, he co-founded a company that created authentication and encryption tools, working with financial institutions and government agencies before contributing the technology to the open source community.
There's no question that cloud technology brings big productivity and cost benefits. But as hackers continue to grow more sophisticated, IT teams need to think carefully about the types of cloud services, products and providers they select. All cloud solutions are not created equal. Do your research and take advantage of resources such as vendor rating systems to determine which cloud products best meet your needs. Files can certainly stay protected in the cloud, but only if companies have the right technology and tools in place.
When it comes to ensuring the safety and privacy of important business information, the best approach is to focus on protecting the data itself as it travels between devices and destinations. Leading analysts are urging companies to move from a device-centric management philosophy to one that revolves around apps and data. This allows IT to control and protect files even after they are downloaded from the cloud, and no matter where they travel. Additionally, companies that are concerned about privacy and want added control over files may want to adopt a hybrid approach, one that involves both on-premise and cloud storage.
Willy Leichter, Global Director, Cloud Security, CipherCloud
Leichter leads CipherCloud’s efforts to evangelize new models for cloud security, and translate that into product requirements and market positioning. He has experience in a range of IT areas including cloud platforms, B2B applications, network security, data loss prevention, email security and network access control. He is a frequent speaker on cloud and IT security issues at industry events in North America, Latin America, Europe and Asia and has held marketing and product management positions in the US and Europe at CipherCloud, Axway, Websense, Tumbleweed Communications and Secure Computing (now McAfee).
When it comes to cloud security, there are two components. The first is the network security defenses that cloud providers built natively into the cloud. While advances like server-to-server encryption make it harder for unauthorized parties to breach the cloud application, a second type of protection is needed at the data level. Security controls like data encryption and tokenization add another layer of security for sensitive information in cloud applications.
These controls are the security action centerpiece of a lifecycle approach to cloud information protection:
- Start with cloud discovery to identify and risk score all cloud applications in the enterprise. This first step detects shadow IT and helps the enterprise understand the different external locations where employees are sending corporate data.
- Next, use a data loss prevention (DLP) engine to set policy actions (encrypt, tokenize, quarantine) according to data type, e.g., credit card numbers.
- Continuously monitor information to detect and flag suspicious data access activities.
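
The DLP step from the list above, as an added example (not from the article or any vendor's product): detected data types are mapped to the policy actions the list names. The patterns, the `POLICY` mapping and the in-memory `vault` are assumptions made for illustration.

```python
import re
import secrets

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security number in the common ddd-dd-dddd layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Hypothetical policy (an assumption): data type -> action named in the list.
POLICY = {"ssn": "quarantine", "credit_card": "tokenize"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_digits(match):
    """Return the bare digits of a regex match if they pass Luhn, else None."""
    digits = re.sub(r"\D", "", match.group())
    return digits if luhn_ok(digits) else None


def apply_policy(text: str, vault: dict) -> tuple:
    """Return (action, outbound_text) for one field bound for a cloud app."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if any(card_digits(m) for m in CARD_RE.finditer(text)):
        found.add("credit_card")
    actions = {POLICY[t] for t in found}
    if "quarantine" in actions:
        return "quarantine", ""          # strictest action wins; nothing is sent
    if "tokenize" in actions:            # tokenization here covers card numbers only
        def swap(m):
            digits = card_digits(m)
            if digits is None:
                return m.group()         # e.g. an order number that fails Luhn
            token = "tok_" + secrets.token_hex(8)
            vault[token] = digits        # real value stays in the local vault
            return token
        return "tokenize", CARD_RE.sub(swap, text)
    return "allow", text
```

The sample values used to exercise it (`4111 1111 1111 1111`, `078-05-1120`) are well-known test values, not real data.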