Cloud computing is on the rise, but with it comes new fears about data security. Cybercriminals are always looking for an in, so cloud services constantly need to stay ahead of potential vulnerabilities.
Nothing has driven that point home more than a flurry of recent high-profile breaches. Because cloud computing comes with many advantages, including cost, ease and convenience, companies have an incentive to find security solutions, but it’s a daunting challenge.
In this week’s Discussion Point we ask experts to weigh in about the risks versus benefits of the cloud. Is true cloud security an unattainable dream?
How safe is the cloud? With all the advances in cloud technology, what can enterprises do to ensure safety/privacy of important business information?
Rajiv Gupta, CEO, Skyhigh Networks
Gupta is co-founder and CEO of Skyhigh Networks, a provider of cloud security software. He has more than 20 years of enterprise software and security experience. He was previously the vice president and general manager of the Policy Management Business Unit at Cisco and also spent time with Securent Inc., Confluent Software and Hewlett-Packard. With more than 45 patents to his name, he is the inventor or co-inventor of some of the seminal concepts that underpin web services.
Is a car safe? It depends how you drive. We may have been safer before there were cars, but we couldn’t get to the hospital as fast. Similarly, companies need the cloud. It is not feasible to create an environment that is completely sealed off from the cloud in today’s workplace. The question then becomes: How do we proactively enable secure cloud usage rather than just say “no” and watch employees go around IT?
Here are four recommendations based on information gathered from more than 200 customers.
First, take a user-centric approach to IT to understand employees’ needs and enable the use of cloud service while providing seamless and transparent security. Security needs to be frictionless and not require users to change their behavior. The moment you add friction, for example by requiring employees to install agents, it will backfire. Employees have no patience for friction and will simply find a way around it.
Second, there is only requisite security. Policies must be granular and vary based on data type. Not all data belongs under lock and key. In fact, security can limit business functionality. Security professionals prioritize data security according to risk appetite to ensure the most sensitive data – for example, sensitive data such as social security numbers – is kept under lock and key.
Third, the silver bullet security tool is a fallacy. Enterprises employ a range of security tools, including emerging technologies like next-generation firewalls, cloud access security brokers, and single sign-on solutions. This also heightens the importance of a corporate remediation strategy. Companies are leveraging big data analytics in their breach response protocols to minimize damage in the event of a breach.
Finally, user education is just as if not more important than any security software. The iCloud breach was due to stolen credentials, not the security of the cloud. Informing employees of best practices on password strength, multi-factor authentication, and phishing techniques is integral to any cloud security strategy.
Jeff Boehm, Vice President of Marketing, DataGravity
Boehm is responsible for marketing at DataGravity, a storage and data management company. He blends more than 20 years of experience in marketing and organizational leadership with a technical background. He previously worked in business intelligence and search markets for several industry pioneers and disrupters. His specialties include product and market strategy, positioning, branding and pricing, social media and traditional public relations, and multichannel sales development.
With today’s advances in cloud technology and the plethora of data being created, data security is more important than ever. To ensure the safety and privacy of business information, organizations need to understand how and where their data is being stored and who controls it. Organizations need to be confident that security and compliance concerns are addressed early, ideally right at the point of storage — rather than relying on separate applications that may or may not be well integrated with where the data resides. Data-aware or intelligent storage platforms help IT teams and business users provide the critical governance oversight to address security concerns, and discover data insights as the data is being ingested.
At the end of the day, to maintain security as data moves to and from the cloud, data governance must be enacted within storage environments. This will allow organizations to be agile and adjust to changing protocols and nuanced security and compliance rules. Therefore, companies must be vigilant, testing and reviewing security constantly so they can identify and address risks before someone else does.
Ryan Kalember, Chief Product Officer, WatchDox
Kalember has 14 years of experience in a variety of information security roles in the US and abroad. Before WatchDox, he ran solutions across HP’s portfolio of security products and was director of products at ArcSight before its acquisition by HP. He also worked for VeriSign and was one of the founding members of Guardent’s consulting practice. Before joining Guardent, he co-founded a company that created authentication and encryption tools, working with financial institutions and government agencies before contributing the technology to the open source community.
There's no question that cloud technology brings big productivity and cost benefits. But as hackers continue to grow more sophisticated, IT teams need to think carefully about the types of cloud services, products and providers they select. All cloud solutions are not created equal. Do your research and take advantage of resources such as vendor rating systems to determine which cloud products best meet your needs. Files can certainly stay protected in the cloud, but only if companies have the right technology and tools in place.
When it comes to ensuring the safety and privacy of important business information, the best approach is to focus on protecting the data itself as it travels between devices and destinations. Leading analysts are urging companies to move from a device-centric management philosophy to one that revolves around apps and data. This allows IT to control and protect files even after they are downloaded from the cloud, and no matter where they travel. Additionally, companies that are concerned about privacy and want added control over files may want to adopt a hybrid approach, one that involves both on-premise and cloud storage.
Willy Leichter, Global Director, Cloud Security, CipherCloud
Leichter leads CipherCloud’s efforts to evangelize new models for cloud security, and translate that into product requirements and market positioning. He has experience in a range of IT areas including cloud platforms, B2B applications, network security, data loss prevention, email security and network access control. He is a frequent speaker on cloud and IT security issues at industry events in North America, Latin America, Europe and Asia and has held marketing and product management positions in the US and Europe at CipherCloud, Axway, Websense, Tumbleweed Communications and Secure Computing (now McAfee).
When it comes to cloud security, there are two components. The first is the network security defenses that cloud providers built natively into cloud. While advances like server-to-server encryption make it harder for unauthorized parties to breach the cloud application, a second type of protection is needed at the data level. Security controls like data encryption and tokenization add another layer of security for sensitive information in cloud applications.
These controls are the security action center-piece of a lifecycle approach to cloud information protection:
- Start with cloud discovery to identify and risk score all cloud applications in the enterprise. This first step detects shadow IT and helps the enterprise understand the different external locations where employees are sending corporate data.
- Next, use a data loss prevention (DLP) engine to set policy actions (encrypt, tokenize, quarantine) according to data type, e.g., credit card numbers
- Continuously monitor information to detect and flag suspicious data access activities