Cloud computing is quickly becoming a mainstay for many technology companies today because of its superior flexibility, accessibility, and capacity compared to traditional online computing and storage methods. But just like traditional storage and data sharing methods, cloud computing comes with its own set of data security issues.
At Digital Guardian, our mission is to provide data security solutions and services to help businesses protect their most valuable digital assets. In doing so, we follow the top data security issues facing companies in today’s digital world and work with security experts from all around the industry. As cloud security risks grow, we wanted to compile tips from data security experts on the most common (and avoidable) issues companies face when it comes to the cloud and securing their data, so that they can avoid security incidents and address common problems such as data loss prevention. To do this, we asked 27 cloud computing and data security experts to answer this question:
“What is the number one issue most companies face with cloud computing and data security, and what can they do to address the issue?”
We’ve collected and compiled their expert advice into this comprehensive guide on safeguarding your company from cloud computing and data security issues. See what our experts said below:
Meet Our Panel of Data Security Experts:
Adam Stern
Adam Stern is Founder and CEO of Infinitely Virtual, a provider of cloud hosting services for SMBs, and is an entrepreneur who saw the value of virtualization and cloud computing some six years ago. Stern's company helps businesses move from obsolete hardware investments to an IaaS [Infrastructure as a Service] cloud platform, providing them the flexibility and scalability to transition select data operations from in-house to the cloud.
One of the most important issues companies face with cloud computing and data security is…
The proper mitigation of security risks before and throughout cloud adoption.
Mitigating security risks is imperative to creating a comfort level among CIOs and CISOs for transitioning applications and data to the cloud.
Applications, systems and data all have different security thresholds. For example, web, mobile and social can be moved to a virtual server without the same degree of security concern as there is for regulated information or mission-critical applications. When deciding whether an application, product or service belongs in a cloud server, CIOs and CISOs must consider:
- Type of data or application
- Service-level agreement
- Security environment
The decision to move to the cloud, especially the public cloud, should depend on the sensitivity of the data and the level of security offered by the cloud provider. The final question should be whether the business value offsets the risk.
Jessica Franken
Jessica Franken is a Partner with Quarles & Brady, LLP in the Intellectual Property group, and is an experienced technology transactions lawyer who works with companies to protect, commercialize and obtain intellectual property. Jessica has negotiated a wide variety of technology-related agreements, including software, patent and trademark licenses, e-commerce agreements, consulting agreements, and joint development agreements. She regularly advises clients on issues faced when providing or obtaining cloud-based services, such as data security, privacy policies, terms of use, terms of service and provides practical advice that helps companies reduce risk and maximize their results.
When it comes to cloud computing and data security, the number one issue most companies face is…
Adequate understanding of the cloud-based service provider.
Before moving forward with a cloud-based service, a customer should understand: 1) what data it will upload to the cloud environment; 2) whether any special security requirements, such as HIPAA, may apply; 3) how critical access to data and the services are to the daily running of the business; and 4) the unique requirements that will exist when the services end.
Adequate investigation of the cloud-based service provider before entering into an agreement is essential. Sophisticated providers will understand the data security requirements in the customer's industry, have adequate security measures in place, have independent audits conducted that confirm the environment is secure, offer 99.9%-plus availability and have easily accessible support. Companies in multiple locations should also evaluate the location of the stored data and how the services are structured to avoid problems with data transfer restrictions and the system's processing and response time.
Many cloud service providers offer online subscription agreements, which should be carefully reviewed before acceptance. Ideally, a customer will negotiate the terms of an agreement to ensure that the security, service availability and support meet the customer's needs. Further, the responsibility, and costs, of handling a data breach should be addressed. Additionally, providers and customers should have a data breach policy in place with a well-conceived plan for handling a breach. Customers should ask the provider to bear the costs associated with addressing a data breach, including notifications, if the provider is responsible for the breach. Finally, companies need to monitor the provider's performance against its promises, information released about security vulnerabilities, and stay abreast of legislation that addresses data security.
Jerry Irvine
Jerry Irvine is the CIO of Chicago-based Prescient Solutions, and has been deeply involved with the IT industry since 1987. Irvine has filled MIS and CIO positions at multiple facilities and has managed more than 100 technicians and thousands of devices. He has led multiple project teams, such as the largest Microsoft Directory migration project ever. In 2008, Irvine was selected to join the National Cyber Security Task Force, a joint operation between the Department of Homeland Security and the U.S. Chamber of Commerce. This task force is responsible for advising federal decision-makers on cyber security policy and sharing best practices related to this urgent and ongoing need. His expertise on cyber security has been featured in a number of national and industry publications, including The New York Times, WGN Radio and Wired magazine.
The number one cloud computing and data security issue facing companies today is…
The lack of understanding that they are already in the cloud and they should have already been protecting themselves accordingly.
Cloud computing has been around for more than a decade. Companies have had laptops, which allow for remote communications, email and websites that they use across the Internet, and connections between their facilities and partners' facilities to exchange data. All of this is cloud computing.
Today, however, companies are using significantly more cloud providers, and allowing access to more remote users and devices than ever before. As a result, the complexity of networks has increased and requires even greater levels of security than ever before. Traditional security measures, which included firewalls and intrusion detection systems, were designed to protect facilities and equipment with defined perimeters and minimal entry points into the networks and devices.
With today’s cloud-based environments there are multiple data centers, spread across multiple vendors that are managing different categories of datasets which need to be available to different users with different access rights. As a result, firewalls and IDS tools are configured to allow traffic to remote users’ mobile devices, tablets and laptops from anywhere they are. This reduces legacy security tools' effectiveness.
In order to maintain the confidentiality, integrity and availability of these different systems and datasets, organizations need to change their security controls from these legacy perimeter and detection-based tools to a focus on implementing increased protection at the application and data levels. Data access controls start with categorizing data. Once categorized, data controls can be implemented to deny or allow access based on multiple requirements including - but not limited to - user id, multi-factor authentication, type of device, application set, time of day and location.
In addition to data controls, organizations should look at application-level security solutions such as server firewalls to define what applications can be used to access data as well as how data can be viewed and used. Finally, other proactive security solutions (e.g. app scanners, vulnerability assessment scanners and patch management solutions) should be implemented to ensure applications and systems are up-to-date with bug fixes and industry best practice configurations.
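The data-level controls described above, as an added example that is not part of the original article or any contributor's own code: a small attribute-based policy evaluator that decides access to a categorized dataset from the request context (user, MFA, device type, application, time of day, location) rather than from network location. All users, categories and rules are constructed sample values.

```python
"""Attribute-based access decision for categorized data (constructed example)."""
from dataclasses import dataclass
from datetime import time

# Data categories ordered from least to most sensitive (constructed tiers).
PUBLIC, INTERNAL, CONFIDENTIAL, REGULATED = "public", "internal", "confidential", "regulated"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    category: str        # classification of the data being requested
    mfa: bool            # did this session complete multi-factor authentication?
    device: str          # e.g. "managed_laptop", "byod_phone", "kiosk"
    application: str     # client application making the request
    local_time: time     # requester's local time of day
    country: str         # ISO country code of the request's origin


@dataclass(frozen=True)
class CategoryPolicy:
    allowed_users: frozenset
    require_mfa: bool
    allowed_devices: frozenset
    allowed_apps: frozenset
    work_hours_only: bool
    allowed_countries: frozenset


ANY = frozenset({"*"})  # wildcard: no restriction on this attribute

# Constructed policy table: every control tightens as sensitivity rises.
POLICIES = {
    PUBLIC: CategoryPolicy(ANY, False, ANY, ANY, False, ANY),
    INTERNAL: CategoryPolicy(frozenset({"alice", "bob", "carol"}), False,
                             frozenset({"managed_laptop", "byod_phone"}), ANY, False, ANY),
    CONFIDENTIAL: CategoryPolicy(frozenset({"alice", "bob"}), True,
                                 frozenset({"managed_laptop", "byod_phone"}),
                                 frozenset({"crm", "docs"}), False, frozenset({"US", "CA"})),
    REGULATED: CategoryPolicy(frozenset({"alice"}), True, frozenset({"managed_laptop"}),
                              frozenset({"crm"}), True, frozenset({"US"})),
}

WORK_START, WORK_END = time(7, 0), time(19, 0)  # constructed business-hours window


def _permits(allowed: frozenset, value: str) -> bool:
    return "*" in allowed or value in allowed


def evaluate(req: AccessRequest) -> tuple:
    """Return ("allow" | "deny", reasons).

    Every failed control is reported, not just the first, so an auditor can
    see the full picture; a single failure is enough to deny (default deny).
    """
    policy = POLICIES.get(req.category)
    if policy is None:
        return "deny", ["unknown data category"]
    reasons = []
    if not _permits(policy.allowed_users, req.user):
        reasons.append("user not entitled to this category")
    if policy.require_mfa and not req.mfa:
        reasons.append("multi-factor authentication required")
    if not _permits(policy.allowed_devices, req.device):
        reasons.append(f"device type {req.device!r} not permitted")
    if not _permits(policy.allowed_apps, req.application):
        reasons.append(f"application {req.application!r} not permitted")
    if policy.work_hours_only and not (WORK_START <= req.local_time <= WORK_END):
        reasons.append("outside permitted hours")
    if not _permits(policy.allowed_countries, req.country):
        reasons.append(f"location {req.country!r} not permitted")
    return ("allow" if not reasons else "deny"), reasons


if __name__ == "__main__":
    # Same user, same data: the unmanaged phone is enough to deny regulated data.
    for dev in ("managed_laptop", "byod_phone"):
        req = AccessRequest("alice", REGULATED, True, dev, "crm", time(10, 0), "US")
        print(dev, evaluate(req))
```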
Chris Ciborowski
Chris Ciborowski is Co-founder and Managing Partner at Nebulaworks, a cloud solutions integrator and IT consultancy located in Southern California. He is an expert in cloud architectures and deployments who has worked with a number of companies on solutions to their unique business challenges through the use of cloud services and deployments.
In my experience the number one issue many companies face with cloud computing is…
Understanding what "the cloud" is and how cloud computing should be utilized given unique business requirements. Until an organization understands what a cloud encompasses, in its entirety, determining the best approach is an effort in futility.
Consider the fact that today there is no standard definition of Cloud. At the most basic level we can reference two methodologies: Delivery methodologies - public, private, hybrid deployments, and Service methodologies - infrastructure, platform, or software. And these are not mutually exclusive.
Take for instance a company which is looking to gain agility in application deployment by utilizing Platform as a Service (PaaS). Deploying PaaS lets it push applications quickly, allowing developers to work towards the demands of their internal users without the overhead associated with typical application development and delivery life cycles. However, PaaS can be utilized in the public, private, and hybrid cloud. Depending on the business needs - security, data centricity, etc., one delivery methodology will be a better fit than others. So it is important to start with a clear set of definitions.
Adding to this, each technology and provider approach is usually different and these can have a massive impact as use cases are mapped to a solution. Companies can easily spin up elastic compute resources in a public cloud today if time agility is required. But if the needs of the business change at a future point - for various reasons - they could be forced to abandon the work already completed in favor of a different technology or provider. Companies want to move away from vendor lock-in, and that is what the cloud should promise. Having a clear understanding of capabilities and limitations is critical in making sure a solution deployed today is cloud agnostic.
Harish Krishnamurthy
Harish Krishnamurthy is the Senior Vice President of Insight Enterprises, Inc., a leading technology provider of hardware, software and service solutions to business and government clients in North America, Europe, the Middle East, Africa and Asia-Pacific. Insight is focused on helping organizations move technology goals forward in the areas of Office Productivity, Unified Communications and Collaboration, Mobility, Network and Security, Data Center and Virtualization, Data Protection and Cloud.
According to my company’s recent survey of IT leaders, the number one issue companies face with cloud computing is…
A lack of trust in cloud security.
In fact, while businesses of all sizes want to improve productivity by moving more functions to the cloud - the larger the company, the greater the concerns surrounding security in particular.
Our study also found that cloud security misconceptions can be cleared up when IT leaders are provided with information on physical security, backup and recovery, compliance, incident handling, logs of security attacks and non-disclosure agreements.
The cloud has been an established part of the IT landscape for at least 15 years, yet there remains a considerable amount of mystery surrounding how it works and how secure it is. We found that businesses embrace cloud technology when they understand how a solution would impact the organization and when the benefits to the organization were seen as practical, obtainable and cost-effective.
Nicholas Lee
Nicholas Lee is the Head of Global Offerings, End-User Computing (EUC) at Fujitsu, one of the leading IT companies in the world. In his leadership role, Nicholas has accountability for the vision, development and execution of next-generation enterprise workplace solutions. He has always had a passion to operate on the cusp of the bleeding-edge in terms of technology evolution and integration, and has had the privilege of managing within this domain for Fujitsu’s Global Delivery organization. Prior to moving into Global Delivery, Nicholas ran the End-User Computing business for the Americas for the past six years, which he started in 2009 from the ground floor and grew to an operation recognized by Gartner on the leadership/visionary axis.
The biggest challenge most companies face with cloud computing and data security is...
How to protect their environment from data leaks and/or malicious attacks.
In 2014, the world experienced an increased number of sophisticated strikes used to mine critical financial and user data. In fact, the number of attacks has increased 91% since 2013. This has cost many companies, including some Fortune 100 companies, billions of dollars and loyalty loss.
More interesting is the fact that there have been several recent high-profile attacks that didn’t penetrate the data center or cloud directly, but compromised end-points such as teller registers, end-user laptops and payment terminals. The vulnerability is real and universal across industries including retail, manufacturing and healthcare, and the key is where humans interact with applications, data and devices. The number of connected devices is expected to quintuple by 2020, presenting a real and growing challenge, and all it takes is an inconsistent policy, inadequate protection or an improperly used device to open a penetration point for a would-be hacker.
Organizations are mitigating risks by virtualizing users and applications, enhancing the use of data leak protection functions, and embedding controlled file sync and document editors that tie back into a secure cloud-hosted environment. This allows users to experience an improved traditional environment, while the data itself never sits on the end-point. It also reduces the perimeter of exposure as applications, data and processes are housed behind a hardened infrastructure.
Stephen Pao
Stephen Pao serves as General Manager, Security Business, at Barracuda Networks, where he is responsible for strategic product direction, definition, program management, and development for all of the company's security products. The Security Business brings together Barracuda's content security, network security, and application security product portfolio, as well as the Barracuda Central content team. He has more than 20 years of experience in high growth technology companies based in both Seattle and the Bay Area.
Today, cloud computing has become a "must-have" to a majority of the enterprise IT community, for reasons ranging from economic gains to technology benefits. But one of the major concerns carrying over from traditional IT - data and application security - has not changed, and requires the same diligence in the cloud as with on-premises solutions and that is…
Building confidence in the security of the cloud is an important step in encouraging migration. Fortunately, what works in the on-premises, hardware server world is easily transferable to the virtual and cloud world. As long as organizations remember to design the same security processes that have worked for them on-premises, there is a good chance that they can continue to limit risks to their applications in the cloud.
Customers bringing their applications to the cloud need to ensure that they are secure from threats like SQL Injection, Application DDoS, and other attacks that target the application layer. Organizations hosting applications or workloads in the cloud should look to secure applications hosted in the cloud, and the data they have access to, with an advanced web application security solution. A web application firewall offers comprehensive protection for web applications and confidential data hosted in the cloud, ensuring that web applications have the same high levels of protection afforded by in-house data centers.
Daniel V. Hoffman
Daniel V. Hoffman is the Chief Technology Officer of Viewabill. He has held numerous executive positions within technology-based companies, is a veteran of the United States Coast Guard where he was responsible for many facets of classified information and has over 19 years direct experience with security technologies. He is well-known for his live hacking demonstrations, videos, security articles and books, including "Blackjacking: Security Threats to Blackberry Devices, PDAs, and Cell Phones in the Enterprise" (Wiley 2007) and "Implementing NAP and NAC Security Technologies: The Complete Guide to Network Access Control" (Wiley 2008). He has achieved Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and Certified Hacking Forensic Investigator (CHFI) certifications and is often relied upon for his expert opinion by all forms of media including The Wall Street Journal, USA Today, Financial Times, Fox Business, MSNBC and Forbes.
In my experience the number one issue many companies face with cloud computing is…
The lack of analysis on actual application code for vulnerabilities.
When sensitive data is stored in the Cloud, a tremendous focus is directed towards the security of the hosting facility and technical components providing the hosting infrastructure. While these are clearly important, this focus is too often at the expense of analyzing the actual application code itself.
For example, if data resides within a vendor application that is hosted by a Tier 1 hosting facility, such as Amazon Web Services, the weak link in securing your sensitive data is very likely not the hosting provider. It's not that they are impenetrable; it's that these industry-leading facilities have expansive teams of security experts and numerous industry audits and certifications. It is far more likely that the vendor application processing and storing your data has vulnerabilities.
Many cloud-based solutions are written by small teams that direct their efforts on usability, the user interface and the functionality associated with specific features - not security. Additionally, it is very uncommon that these teams consist of developers with expansive security knowledge. These points can easily lead to a beautiful application that is very usable and has security vulnerabilities threatening your data.
What to do: Ask your vendors to share the results of Dynamic and Static Security Analysis against their application. (Dynamic will analyze the web application in production, while Static will analyze the actual code). If they can't, or won't provide it, then ask to run your own. A flat-out refusal on their end to comply with these requests should be a huge red flag. It is also fair to inquire into the security knowledge of their team. Ultimately, all security comes down to people. You wouldn't want unskilled electricians working on your home, nor should you settle for unskilled developers writing the code that processes your secure data.
Joe Siegrist
Joe Siegrist is a Founding Developer of Marvasol, Inc. (alternatively LastPass) and serves as its Chief Executive Officer. Mr. Siegrist has more than a decade of experience in developing and running Internet applications. He served as chief technology officer of eStara, Inc. since May 2006, and previously as Vice President, Technology of eStara, Inc. Mr. Siegrist directs software development and systems operations for eStara. An innovative software architect and accomplished programming team leader, Mr. Siegrist is a named inventor on a dozen patent applications in the voice over Internet and Internet-initiated calling space. Prior to joining eStara, he worked in server operations for UUNET, a major Internet service provider acquired by WorldCom in 1997.
The number one issue for many companies when it comes to cloud computing and data security is…
Who do you trust?
Do you trust company X's technology? Do you trust their employees? Do you trust their motivations? Do you trust their safeguards? Do you trust their continuity? Do you trust that if their back was against the wall they wouldn't sell your data?
Some vendors like LastPass go so far as to say we only store encrypted data in the cloud, and that we never have the key to decrypt that data --- which eliminates one of the failure modes of using the cloud.
Benjamin Caudill
Benjamin Caudill is Founder and Principal Consultant at Rhino Security Labs. An expert in cybersecurity and hacking, he’s worked as a penetration tester (ethical hacker) and digital forensic examiner, with clients ranging from defense contractors and governments to financial institutions and more. He has presented research at conferences such as Defcon and has been featured on various media outlets such as CNN, Wired, Washington Post, and CNET.
One of the biggest issues for companies when it comes to cloud computing and data security is that…
Cloud environments provide very weak access logging and access authentication, making it far harder to detect when user credentials have been stolen or compromised and are being used for malicious purposes.
On a traditional system, key information is always recorded, such as who accessed the system, when they logged in and out, what IP address their session came from, and other such details which enable more thorough cyber-security monitoring. For instance, if an employee logs in with a working username and password, but the originating IP is in Beijing rather than Portland, a traditional system can quickly sound an alert or lock down the employee's account. Alternatively, reviewing access logs can reveal a compromised account being used for malicious purposes, and allow system administrators to prevent further damage. On a cloud system, it is usually impossible to implement that kind of comprehensive security.
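The log review described in the answer above, as an added example that is not part of the original article or any contributor's own code: it parses a few constructed access-log lines and raises the two alerts the text describes, a successful login from a location the user has never used before, and two logins too far apart in space for the time between them (impossible travel). The IP-to-location table is a constructed stand-in for a GeoIP lookup.

```python
"""Review constructed cloud access logs for signs of a compromised account."""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP database: ip -> (city, latitude, longitude).
GEO = {
    "203.0.113.10": ("Portland", 45.52, -122.68),
    "203.0.113.11": ("Portland", 45.52, -122.68),
    "198.51.100.7": ("Beijing", 39.90, 116.40),
    "192.0.2.44": ("New York", 40.71, -74.01),
}

# Constructed sample log: ISO-8601 UTC time, user, source IP, login result.
SAMPLE_LOG = """\
2015-03-02T08:01:10Z alice 203.0.113.10 success
2015-03-02T08:45:00Z bob 192.0.2.44 success
2015-03-02T09:30:00Z alice 203.0.113.11 success
2015-03-02T10:05:00Z alice 198.51.100.7 success
2015-03-02T10:30:00Z bob 192.0.2.44 failure
"""

MAX_KMH = 1000.0  # implied travel speed above this is treated as impossible


def parse(log_text):
    """Turn the whitespace-separated log lines into dicts with UTC datetimes."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"time": when, "user": user, "ip": ip, "result": result})
    return records


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def review(records, known_locations=None):
    """Return a list of (user, alert_kind, detail) tuples.

    known_locations maps a user to the cities seen in their baseline; when it
    is omitted, each user's first successful login seeds the baseline.
    Failed logins are skipped here: only a working credential is in question.
    """
    known = defaultdict(set, {u: set(c) for u, c in (known_locations or {}).items()})
    last = {}  # user -> (time, (lat, lon), city) of the previous successful login
    alerts = []
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["result"] != "success":
            continue
        if r["ip"] not in GEO:
            alerts.append((r["user"], "unmapped_ip", r["ip"]))
            continue
        city, lat, lon = GEO[r["ip"]]
        user = r["user"]
        if known[user] and city not in known[user]:
            alerts.append((user, "new_location", f"{city} via {r['ip']}"))
        if user in last:
            prev_time, prev_pos, prev_city = last[user]
            hours = (r["time"] - prev_time).total_seconds() / 3600
            km = haversine_km(prev_pos, (lat, lon))
            # Treat gaps under a minute as one minute so a same-second pair still triggers.
            if km > 50 and km / max(hours, 1 / 60) > MAX_KMH:
                alerts.append((user, "impossible_travel",
                               f"{prev_city} -> {city}, {km:.0f} km in {hours:.2f} h"))
        known[user].add(city)
        last[user] = (r["time"], (lat, lon), city)
    return alerts


if __name__ == "__main__":
    for alert in review(parse(SAMPLE_LOG)):
        print(*alert)
```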
Robert Siciliano
Robert Siciliano is a renowned Personal Security and Identity Theft Expert, the CEO of www.IDTheftSecurity.com and resident security expert with TheBestCompanys.com. Robert is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds.
The biggest issue for companies when it comes to cloud computing and data security is…
The three A’s: authentication, authorization, access control. Here are some questions to ponder about a cloud service:
- How often does it clean up dormant accounts?
- What kind of authentication is necessary for a privileged user?
- Who can access or even see your data?
- Where is it physically stored?
- Does your organization share a common namespace with the service (something that greatly increases risks)?
- Are private keys shared among tenants if data encryption is used?
Ask your cloud vendor these questions. Get answers.
A public cloud service can come with several problems that will impact your business. They do have remedies, but hey, who wants a problem that needs to be fixed in the first place?
Here are some questions to ask first: Who can gain entry to the data in a cloud service—your service? Can a crook somehow bypass verification and sneak in? Do you even know who has authorization to access your business’s cloud?
There are other factors to consider as well. Does your cloud service, or one you’re considering, have a regular habit of ridding itself of inactive accounts? Who might be able to get a look at your data? For those who are indeed authorized to do this, including yourself, what steps must they (and you) take to gain access? And suppose encryption is in place. Will the same private keys be used from one user to the next, or will all authorized users have unique keys?
Make a list of additional questions not covered here, and bring all of these questions to your current cloud service, or one that you’re considering using.
Data Leaks
A user of a cloud service can’t help but wonder about the service’s other customers, namely, what are the odds that your data could somehow, some way, slip out and get into the hands of another tenant of that service? Could this happen by accident? What about maliciously? Imagine the mayhem that can result if your sensitive information gets out to another tenant. The sky’s the limit it seems.
Other Questions to Ask
Do you know what virtual exploits refer to? If not, ask the vendor. Make sure the vendor gives you a thorough explanation. Cloud services have virtualization tools, and you should know about these. When there are security updates, who makes the updates? How often are these?
The Contract
Read the doggone contract! You’ll be surprised what you might find. For example, don’t be shocked if the contract states that your data is the property of the cloud service. Now why would a cloud service make this claim? They may be able to generate earnings by “owning” your data. And it gets them more legal protection in the face of a breach. So you’d better read the contract word for word.
Lost Data
Is it possible for a cloud service to lose your data, as in, it gets swallowed up by a black hole? Though a cloud service may claim they have top-flight data backup systems in place, this is no guarantee that your data won’t one day end up in the Bermuda Triangle…vanished off the face of the earth. Though the cloud may seem like the backup system for your data, you actually have to back up the data you have in the cloud storage.
Don’t trust something in cyberspace. Have a physical backup, like a flash drive. And go one step further: Make sure that the contract says you’ll be compensated for damages should your data get lost or stolen.
Final Thoughts
Cloud services are like real clouds: They have holes; they’re not solid. This is relatively new technology and it needs time to arrive at a point where all possible risks can be laid out and analyzed—for individual vendors as well as the cloud service industry as a whole.
In the meantime, learn about the history of the vendor and its customers. Anything grab your attention? Find out how the vendor alerts customers about data breaches. And get ahold of the service’s most recent audit report.
Praveen Asthana
Praveen Asthana is the CMO of Gravitant and has more than two decades of experience in technology marketing, strategy and product management. Prior to joining Gravitant in 2012, he was Vice President of Dell’s $12B Enterprise Solutions Group where he led marketing and strategy. Earlier, he was VP of Storage and Networking at Dell and helped grow Dell storage to a multi-billion dollar revenue business. Prior to Dell, Praveen had leadership roles at storage startup Zambeel and IBM.
Analysts estimate that at least 35% of cloud spend is due to “Shadow IT,” which suggests that even if you don’t know of any public cloud usage in your organization, it’s almost certainly happening. For CIOs and IT leaders this means being exposed to new risks and vulnerabilities in the cloud that they may not even be aware of, but may be held responsible for. The first order risk issues for companies in the cloud are…
The financial and business continuity exposure for your company.
Do you have visibility into what is being spent in the public cloud? Is it predictable? What if someone leaves virtual machines running and forgets to turn them off? How much financial exposure do you have?
The plethora of compliance regulations out there, from securing customer data to financial risk management, means that your organization’s cloud usage could expose you to compliance and legal issues.
So, what should you do? A lock-down on public cloud usage is not the answer; it will only put your company at a competitive disadvantage by removing agility. There is a reason your organization is using public cloud and that is because it is fast. In today’s competitive world, speed is critical. However, how do you maintain this speed, and still have the proper risk mitigation and control?
The Solution
The first step of gaining control is discovery of what your organization is doing in the public cloud.
Using discovery and sync tools, you can determine which cloud assets are provisioned, how secure and resilient they are, and how much is being spent. Then you can use a cloud service brokerage solution to provide governance and control over cloud activities while still allowing speed and agility for business users. Finally, you can run alternate sourcing scenarios to determine which cloud is best for your application and business needs.
Gilad Parann-Nissany
Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance.
The most important issue with cloud computing and data security is…
Control.
Companies want to reap the benefits of cloud computing (cost-effectiveness, scalability, flexibility, etc.), but cannot afford to lose control of their data. There are innovative technologies being developed and used to address this problem.
For example, a combination of split key encryption and homomorphic key management can allow companies to migrate their apps and data to the cloud and retain total control of their encryption keys, and their data. Due to privacy concerns and industry regulations, keys can never be stored alongside data in the cloud or with cloud providers. These innovations solve this pain and allow for safe use of the cloud.
Yvonne Li
Yvonne Li is Co-founder and VP of Business Development at SurMD, the leading provider of next-generation HIPAA compliant cloud services. As a technologist and a business executive, Ms. Li's areas of expertise are in cloud, mobile, enterprise and internet business models. She also has authored a number of business patents and developed two mobile engagement platforms for her two previous startups.
The #1 issue most companies face regarding data security is…
Protecting data while 'in flight' (transferring/sharing) as well as 'at rest' (storage).
As professionals dealing with cloud data storage as it pertains to patient health information, we at SurMD have ensured our cloud storage and sharing services meet the most stringent guidelines outlined by HIPAA. HIPAA, or the Health Insurance Portability and Accountability Act, was set forth to secure the protection and confidential handling of protected health information. We can borrow from the healthcare industry's stringent regulations in order to address data security issues companies in other industries may be facing.
To address security, it is important to create several points of unique user identification, authentication, and automatic logoff timers. Data must be encrypted during transferring and later decrypted once received. Data 'at rest' on servers can still be stolen, and should be encrypted as well, although this can prove to be costly. Data at rest refers to inactive data which is stored on the cloud, on mobile devices, thumb drives, and other inactive mediums. This provides control over the data as well as deters data breaches.
Protecting the physical devices and mediums information is stored on is just as important as the data itself. Physical safeguards such as facility access controls (who are allowed on the devices), proper workstation use and security regulations should be put in place.
Lastly, monitor activity. Regularly review system activity, logs, and logins to be informed on who is accessing data and when.
By implementing several of these security protocols, it will be easier to analyze and assess risk as it pertains to data stored and shared via cloud technology.
Charles Henson
Charles Henson is Managing Partner of Nashville Computer and has been in the IT industry for over 20 years. Charles was invited to the Google Headquarters for his personal feedback and has been interviewed and featured in the Redmond IT magazine regarding Backup Disaster Recovery solutions. Additionally, he was interviewed by Robin Robins during her building of the Cloud Blueprint.
The most important security concern, or vulnerability, with the cloud is really …
The device that is being used to attach to the Cloud.
The Cloud in itself is safer and more secure than a traditional network that is not maintained. Cloud servers have all the security, lockdown, updates, policies, etc. The issue is that people are neither managing nor preventing end users from using any device they want to access the Cloud environment.
When this happens, it makes the Cloud vulnerable to being attacked or infected by malware or even rootkits, as these devices give them the keys and the access to the Cloud. One laptop at Chase had malware that caused 85 million accounts to be compromised. The problem isn't the Cloud; it's the users and their devices.
Companies need to have policies and procedures in place to ensure that ANY device that connects to the Cloud environment is secured: managed antivirus, anti-malware, DNS routing, mobile device management (for phones and tablets), and a secure wireless connection while on the road (MiFi) to ensure the connecting systems stay safe. The connecting device also needs admin privileges restricted so users don't install malicious software that they "think" is spyware-free.
Mariano Nunez
Mariano Nunez is the CEO of Onapsis, the global experts in business-critical application security.
The #1 issue most companies face with cloud computing and data security is…
Complacency.
In our area of expertise - business-critical applications - we find security and compliance gaps and vulnerabilities in more than 90 percent of cases when we review on-premise installations. Business platforms such as ERP, HCM and CRM are big and complex, and have grown organically. These systems house everything from intellectual property to financial, employee, and customer data. Understanding the scope and interconnectivity of these systems is a project that is overlooked; there's an assumption that traditional checks such as segregation of duties cover the bases, but that falls severely short.
Then add in the complication of the cloud. With companies moving to private clouds, whether it's clouds from vendors or those offered by cloud-hosting providers, the increased remote access to the systems inherently raises the risk to those ERP deployments and the overlying business-critical applications. Consider what can be available on an ERP system: confidential financial data, manufacturing plans and blueprints, sensitive HR data – the lifeblood of the organization.
Meanwhile, there's a paradox where companies are terrified of moving key applications into the cloud so that they can achieve cost and efficiency savings. They need to review all network and point connections, the limits of existing SIEM solutions, and the workflows of business applications. The risk for each of these is broadened with the cloud due to new challenges around user access, data location, regulatory compliance, and the risk of a third party managing the processes and data for the organization. They need to focus, to map out all connections and network points, and to implement systems that continuously monitor core systems.
Complex and ever-changing business-critical applications running on SAP and Oracle cannot be left at risk. The risk of this data being accessed is real, with massive repercussions – one Fortune 500 company we work with admitted that if its ERP system went down it would cost them $22 million per minute.
Jeff Cherrington
Jeff Cherrington is the VP of Product Management at Prime Factors, Inc. and brings over 30 years of experience in technology development, implementation, sales, & promotion, primarily focused on payments, banking, & financial. More than half of that time was spent directly in the payments industry, either working for the largest third party transaction processor of that time (First Data Resources) or the largest issuer of Visa credit cards (Bank One/JPMorgan Chase). In the latter role, he focused on regulatory compliance, vendor audit & security controls, and third party service agreement negotiations. Most recently, Cherrington held a variety of roles on the executive team of PKWARE, a leading provider of data management, protection, and integrity applications, including VP of Product Management, Technical Director for EMEA, and VP of Vertical Solutions.
The largest issue most companies face with cloud computing and data security is…
Believing that a cloud provider 1) is better at protecting sensitive data, and 2) is as vested in protecting your data as you are.
While a breach of one customer's data would certainly have a negative impact on that customer's relationship with the provider, that relationship might be only one of many. Moreover, cloud providers are not subject to the same data breach disclosure laws as banks, federal agencies, and other entities, and breaches that do occur may not be widely publicized or associated with the cloud provider. If such a data breach is publicized, the negative attention will be focused more on the data owner than on the cloud-computing provider. It is, ultimately, the obligation of the enterprise to protect its data, wherever and however it is processed.
This is why the Cloud Security Alliance, in its "Security Guidance for Critical Areas of Focus in Cloud Computing," recommends that sensitive data should be:
- Encrypted for data privacy with approved algorithms and long, random keys
- Encrypted before it passes from the enterprise to the cloud provider
- Kept encrypted in transit, at rest, and in use
- Never exposed to the cloud provider or its staff, who should never have access to the decryption keys
When processing of sensitive data occurs in the cloud, as is the most useful case:
- The data should remain encrypted up to the moment of use
- Both the decryption keys and the decrypted versions of the data should be available in the clear only within a protected transient memory space
- Both the keys and the clear text versions of the sensitive data must be auditably wiped so that no copies are ever written to disk
- Likewise, the processing must never write copies of the clear text sensitive data to any logs or other persistent records
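The controls Yvonne Li and Jeff Cherrington describe above (encrypt before the data leaves the enterprise, keep the provider away from the keys, decrypt only at the moment of use and wipe afterwards) come together in envelope encryption. The Go program below is an added example written for this page; it is not code from SurMD, Prime Factors or the Cloud Security Alliance. It uses only Go's standard-library AES-GCM; the key-encryption key (KEK), the object ID and the record contents are constructed for the demonstration, and in a real deployment the KEK would sit in an HSM or an enterprise-operated key manager the provider cannot reach.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudObject is everything the provider ever receives. The data key (DEK) is
// present only in wrapped form: whoever copies the provider's disks gets
// ciphertext and a locked key, nothing more.
type CloudObject struct {
	ID         string
	Nonce      []byte // AES-GCM nonce for the payload
	Ciphertext []byte // payload sealed under the DEK
	DEKNonce   []byte // AES-GCM nonce for the key wrap
	WrappedDEK []byte // DEK sealed under the enterprise KEK
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad
// (the object ID) into the authentication tag.
func seal(key, aad, plaintext []byte) (nonce, ct []byte, err error) {
	g, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// unseal fails closed on a wrong key or any change to nonce, ciphertext or aad.
func unseal(key, aad, nonce, ct []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// zero overwrites key material or plaintext once it is no longer needed. Best
// effort in a garbage-collected language: it clears the copy we hold.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptForUpload runs on the enterprise side before anything crosses to the
// provider: fresh DEK per object, payload sealed under the DEK, DEK sealed
// under the KEK, DEK wiped before returning.
func EncryptForUpload(kek []byte, id string, plaintext []byte) (*CloudObject, error) {
	dek := make([]byte, 32) // AES-256 data key unique to this object
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zero(dek)
	nonce, ct, err := seal(dek, []byte(id), plaintext)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := seal(kek, []byte(id), dek)
	if err != nil {
		return nil, err
	}
	return &CloudObject{ID: id, Nonce: nonce, Ciphertext: ct, DEKNonce: dekNonce, WrappedDEK: wrapped}, nil
}

// DecryptFromCloud is the moment of use: unwrap the DEK with the KEK, decrypt
// the payload, wipe the DEK. Only the caller ever sees plaintext.
func DecryptFromCloud(kek []byte, obj *CloudObject) ([]byte, error) {
	dek, err := unseal(kek, []byte(obj.ID), obj.DEKNonce, obj.WrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered object")
	}
	defer zero(dek)
	pt, err := unseal(dek, []byte(obj.ID), obj.Nonce, obj.Ciphertext)
	if err != nil {
		return nil, errors.New("payload authentication failed: tampered ciphertext or object ID")
	}
	return pt, nil
}

func main() {
	kek := make([]byte, 32) // constructed demo KEK; really an HSM/KMS key the provider cannot reach
	obj, err := EncryptForUpload(kek, "record-42", []byte("patient record 42: sensitive"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %s: %d ciphertext bytes\n", obj.ID, len(obj.Ciphertext)) // sizes only, never plaintext
	_, err = DecryptFromCloud([]byte("not-the-enterprise-kek-32-bytes!"), obj)
	fmt.Println("provider without the KEK:", err)
	pt, err := DecryptFromCloud(kek, obj)
	fmt.Printf("enterprise with the KEK: %d bytes recovered, err=%v\n", len(pt), err)
	zero(pt)
}
```

The provider stores a CloudObject and nothing else. Binding the object ID as GCM associated data means a stored object cannot be swapped for another customer's without the unwrap failing, and wrapping the DEK under the KEK lets the KEK be rotated by re-wrapping data keys without re-encrypting every payload. The zero() calls are as close as a garbage-collected runtime gets to Cherrington's wipe requirement: they clear the copy the program holds but cannot guarantee the runtime never moved it, so where that guarantee matters keep the secret in an HSM or a non-GC buffer.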
Dan Roy
Dan Roy is the CEO and Co-Founder of MessageGears, the only hybrid email marketing service that combines the power and security of on-premise software with the efficiency and scalability of the cloud. Founded in 2010, MessageGears is based in Atlanta, GA.
The number one issue we see on a day to day basis with pure cloud computing and data security is…
The need for data replication within the cloud infrastructure so that it can be processed and tasks such as email marketing can be effectively and safely executed.
The movement and continual synchronization of sensitive customer data to the cloud requires vast time and resources while also substantially increasing risk and vulnerabilities. What we have found, and research by Gartner supports these findings, is that a hybrid approach is the best solution.
A hybrid solution entails installing software on-premise that directly connects to corporate databases. This completely eliminates the need for data replication and enables the enterprise to use a full set of up-to-date live data in its operations. This allows customer data to stay where it belongs, on-premise behind the corporate firewall under the company's complete control, and significantly reduces the risk of a security breach.
The on-premise software is then connected to the cloud, which, as we all know, is a massively scalable and highly available platform. Only the data that is needed to run an operation is securely transferred to the cloud to be distributed amongst an unlimited number of servers for processing. The customer data sent to the cloud is ephemeral and is removed once the operation has been processed.
When you combine the power and security of on-premise software with the efficiency and scalability of the cloud in a hybrid system, you end up with the best of both worlds, can greatly reduce the security risk associated with cloud computing, and oftentimes have a more cost-effective solution to boot.
Paul Hill
Paul Hill is a Senior Consultant at SystemExperts, a security and compliance consultancy. Paul has worked as a principal project consultant at SystemExperts for more than twelve years, assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services.
For companies purchasing cloud services, the number one priority should be…
How to evaluate the risk of using a particular vendor.
Many companies don't have a solid process for determining how to evaluate a third-party cloud vendor for risks or how to assess the likelihood of a breach at a third party. Too often, if a company attempts to assess the risk, the task will get delegated to someone who will concentrate on a very narrow aspect of the service provided.
For example, someone might only validate whether the data is encrypted during transmission, or the decision might rely on determining whether the system is multi-tenant versus a dedicated host. In order to properly assess the risk, companies should be using mature frameworks such as ISO 27002 or the emergent Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA). These frameworks look at a broad range of controls, including HR practices; physical security; environmental controls; authentication policies, procedures, and mechanisms; access controls; cryptography usage; and key management.
The current version of ISO 27002 examines over 130 different aspects of an organization's overall security. The CCM has similar granularity. A small number of organizations with mature IT departments use ISO 27002 or a similar framework to assess their third-party vendors, including cloud service providers. Some cloud vendors perform an annual assessment and publish compliance information about the assessment.
However, too often these diligent practices are the exception rather than the standard practice. One area that ISO 27002 does not address is breach notification by third-party vendors. When purchasing cloud services, companies should include terms and conditions that address the definition of a breach, the timeliness of notifications upon learning of a breach, and what information will be communicated about a breach.
Morris Tabush
Morris Tabush is the Founder & Principal of TabushGroup, one of New York's leading Managed Service Providers. As a lifelong learner and avid student of Business and Information Technology, Morris' focus includes research & development, constant improvement and client relations, while also overseeing all aspects of the firm's business and clients. Morris has presented on topics including IT Management best practices, network and end-user data security, and cloud computing to groups of 20-200 professionals nationwide, and has also been quoted by media publications such as Commercial Observer, Information Week, and CIO.
The #1 issue companies face when it comes to cloud computing and data security is…
Going into a cloud system too quickly and basically not paying any attention to security.
The beauty of the cloud is that it's typically very easy to get up and running. Then people rapidly ramp up the systems, adding users, data, features, etc., and often do not pay attention to the most basic security tasks such as proper passwords, user access controls, etc. They simply push that stuff off to the side to "figure out later," but later never comes until it's too late.
Of course this happens in traditional IT systems also, but not as often, due to the barriers to entry.
Dustin Kinn
Dustin Kinn is a Citrix, ITIL, and Microsoft-certified Solutions Architect for Netrepid, a provider of colocation, infrastructure and application hosting services. He is responsible for designing and deploying applications, networks, and products for clients that seamlessly integrate with Netrepid's Tier 3-quality data center. Prior to joining Netrepid, he spent 10 years advancing his IT skillset with a billion-dollar, publicly traded fiber-based materials company with an international footprint.
The #1 issue most companies face with security of their cloud and data is…
Uninformed users.
Users let in viruses, surf sites with malware, download corrupted files, keep their passwords under keyboards, etc. Too often, I encounter clients who don't know enough to stay secure - and often, they don't want to learn. They expect whatever they have set up to be foolproof.
Companies need to do a better job of educating their users on what to watch for, and how to prevent themselves from being the weak link. When users are informed, babysitting corporate networks becomes much easier - whether it’s cloud-based or in-house.
Keao Caindec
Keao Caindec is the CMO of 365 Data Centers, a provider of secure and reliable colocation services that offer an easier way to scale business growth and connect to the cloud. A passionate technology entrepreneur, Caindec led global marketing as the CMO at Dimension Data's Cloud Business, OpSource, Reliance Globalcom and Yipes. Caindec specialized in Entrepreneurial Studies at The Wharton School, University of Pennsylvania, where he earned a B.S. in Economics. He has served as an Entrepreneur in Residence at Panorama Capital and been an advisor to numerous technology and communications companies.
The # 1 issue that companies face with cloud computing and data security is…
The "public" part of the public cloud.
The two themes that companies focus on when evaluating risk in deploying the public cloud are latency and security. Distance affects latency (explained below), and security is not guaranteed, as there's nothing private about the public cloud.
While cloud service providers like AWS, Microsoft Azure and Google Cloud Platform make it easy to use compute and storage, companies still find it difficult to integrate on-premise enterprise applications with the public cloud. Why? For enterprise applications to perform well, the actual data must reside very close to the application. Since the public cloud is not local, applications are not able to integrate with cloud-based storage reliably. This distance limitation has to do with the low-latency required by applications to access storage.
365 Cloud Storage solves this problem by offering truly local on-demand SAN & NAS cloud storage physically located in 17 cities & 16 markets throughout the country. Being close to your data means low latency and speeds that emulate those of on-premise systems. This service securely and privately connects your data to cloud applications via a metro fiber or metro Ethernet connection and can be accessed from up to 100 miles away. With dedicated VLANs and encryption of data in flight and at rest, you'll sleep better knowing that no one else can snoop on your data.
Robert J. Scott
Robert J. Scott is Managing Partner of intellectual property and technology law firm, Scott & Scott, LLP.
The biggest challenge companies face in terms of data security is…
IT governance, compliance and the risks of cloud computing.
The effective CIO will implement clear policies regarding information security, document retention and destruction, breach incident response, and cloud computing risk mitigation strategies. Failures in these areas could cause CIOs' headaches and put their jobs in jeopardy. Implementing strong controls around software licensing should be a big priority in 2015.
Only with effective software asset management, can licensing spend be optimized and compliance risk be mitigated. Finally, cloud adoption and data center virtualization should be priorities for companies as they enter 2015.
Edward Kiledjian
Edward Kiledjian is the CISO of Bombardier Aerospace, the third largest airplane manufacturer in the world and has over 20 years of international IT and management consulting experience. His customers include some of the world’s largest and most recognized companies. Learn more about Edward and his work at http://kiledjian.com/.
Cloud computing offers flexible pay-per-use computing, which is the ideal model for cash-strapped CIOs; however, it also presents many risks that the organization must be aware of and accept. One of the biggest risks is…
The fact that once you migrate to the cloud-computing platform, you can no longer wrap your data in your own security tools (DLP, Data Classification, Filtering, etc.). In many cases, the move to cloud means you will have to trust the knowledge, judgment and vigilance of your users.
One of the best security control measures is a well-defined, properly delivered Information Security Awareness program to teach users what security means, how to be secure, how to make the right decisions, and what to do if they have questions.
Greg Kelley
Greg Kelley is CTO for Vestige, Ltd, a company that performs computer forensic services and data breach response for organizations.
The number one issue that companies face with cloud data security is…
A belief that it is separate from their local data security.
Companies get wrapped up in the security of the cloud and think that it can be separated from their own security; quite the opposite. When computers on a company network are compromised, the hackers will use the resources gathered (namely login credentials or the compromised computers themselves) to attack the cloud.
In order to combat this scenario, companies need to have an assessment performed, either by internal staff or, preferably, by an outside party. The assessment will look at what sensitive, personal or confidential data the client has and how they are going about protecting that data. In the case of the cloud, that assessment will also consider how the data in the cloud is protected and what provisions are in the contract with the cloud provider. Many companies mistakenly believe that the cloud provider is responsible for the security of the data. In most cases, the opposite is true.
In summary, companies need to know where their data is, who is protecting it, who is responsible for protecting it and whether they are covered financially if the data is exposed.
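Yvonne Li's advice above to regularly review logins and Greg Kelley's scenario of credentials harvested from a compromised workstation being replayed against the cloud come down to the same routine: compare every successful cloud login with what is normal for that account. The Go program below is an added example for this page, not code from SurMD or Vestige. The log format, the nine login records (IP addresses from documentation ranges), the three rules and their thresholds are all constructed for the demonstration; a real export from an identity provider or cloud audit log would be mapped into the same LoginEvent structure.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one authentication attempt against the cloud service.
type LoginEvent struct {
	Time   time.Time
	User   string
	Source string // client IP
	Device string // device identifier reported by the client; "unknown" if unmanaged
	OK     bool
}

// Finding is one login a reviewer should look at, with the rule that fired.
type Finding struct {
	User, Rule, Detail string
}

// rawLog is a constructed sample in the shape "time,user,source,device,result".
// The last day shows one user's credentials suddenly used from an unmanaged
// device while the user is active, and another account guessed then used.
const rawLog = `
2024-03-04T08:55:00Z,alice,203.0.113.10,laptop-alice,ok
2024-03-04T09:10:00Z,bob,203.0.113.11,laptop-bob,ok
2024-03-05T09:02:00Z,alice,203.0.113.10,laptop-alice,ok
2024-03-06T09:00:00Z,alice,203.0.113.10,laptop-alice,ok
2024-03-06T09:03:00Z,alice,198.51.100.7,unknown,ok
2024-03-06T22:10:00Z,bob,198.51.100.9,unknown,fail
2024-03-06T22:10:05Z,bob,198.51.100.9,unknown,fail
2024-03-06T22:10:09Z,bob,198.51.100.9,unknown,fail
2024-03-06T22:10:14Z,bob,198.51.100.9,unknown,ok
`

// ParseLog turns the text export into events sorted by time. Malformed lines
// are an error rather than silently skipped: a gap in the log is itself a finding.
func ParseLog(raw string) ([]LoginEvent, error) {
	var events []LoginEvent
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, LoginEvent{Time: t, User: f[1], Source: f[2], Device: f[3], OK: f[4] == "ok"})
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, nil
}

// Review learns each user's normal sources from successful logins before
// baseline, then applies three rules to the later events:
//   new-source:            first success from a source never seen for that user
//   failures-then-success: at least failThreshold failures, then a success
//   concurrent-sources:    two successes from different sources within window
func Review(events []LoginEvent, baseline time.Time, failThreshold int, window time.Duration) []Finding {
	known := map[string]map[string]bool{} // user -> sources seen in good logins
	learn := func(user, src string) {
		if known[user] == nil {
			known[user] = map[string]bool{}
		}
		known[user][src] = true
	}
	fails := map[string]int{}
	lastOK := map[string]LoginEvent{}
	var out []Finding
	for _, e := range events {
		switch {
		case e.Time.Before(baseline):
			if e.OK {
				learn(e.User, e.Source)
			}
		case !e.OK:
			fails[e.User]++
		default:
			if fails[e.User] >= failThreshold {
				out = append(out, Finding{e.User, "failures-then-success",
					fmt.Sprintf("%d failures then success from %s at %s", fails[e.User], e.Source, e.Time.Format(time.RFC3339))})
			}
			fails[e.User] = 0
			if !known[e.User][e.Source] {
				out = append(out, Finding{e.User, "new-source",
					fmt.Sprintf("first success from %s (device %s) at %s", e.Source, e.Device, e.Time.Format(time.RFC3339))})
				learn(e.User, e.Source)
			}
			if p, ok := lastOK[e.User]; ok && p.Source != e.Source && e.Time.Sub(p.Time) <= window {
				out = append(out, Finding{e.User, "concurrent-sources",
					fmt.Sprintf("%s and %s both active within %s", p.Source, e.Source, e.Time.Sub(p.Time))})
			}
			lastOK[e.User] = e
		}
	}
	return out
}

func main() {
	events, err := ParseLog(rawLog)
	if err != nil {
		panic(err)
	}
	baseline := time.Date(2024, 3, 6, 0, 0, 0, 0, time.UTC) // review the last day against the days before it
	for _, f := range Review(events, baseline, 3, 10*time.Minute) {
		fmt.Printf("%-6s %-22s %s\n", f.User, f.Rule, f.Detail)
	}
}
```

On the sample, alice's second login at 09:03 fires both new-source and concurrent-sources (her managed laptop was active three minutes earlier from a different address), which is the pattern Kelley describes: a credential lifted from one machine and used from another while the owner is still logged in. Bob's account fires failures-then-success and new-source. The thresholds are starting points; a real baseline window should be long enough to cover travel and home-office addresses, and the findings should be joined to endpoint alerts for the same user before anyone is paged.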
Charles Moore
Charles Moore is the Vice President of Cloud and Managed Services for Pinnacle Business Systems. Charles joined Pinnacle Business Systems in August of 2008 from Oklahoma Natural Gas (ONEOK, INC) where he served as the Chief Information Officer (CIO) for more than 20 years. Charles successfully set the technology direction for ONEOK during a time of extreme growth within the organization and continues to lead that direction at Pinnacle. His experience brings unique insight, as prior CIO for a Fortune 500 company he is able to better understand the needs of the customer.
A lot of companies are caught up in determining the appropriate "cloud strategy" for their organization. While the cloud market is confusing at best, and "time" of adoption seems to be on leadership's side, cloud is a viable, and often cost-effective, enterprise infrastructure option. There are steps a CIO can take while determining which option or product would be an appropriate solution, and it starts with non-critical workloads:
I recommend moving test/dev or non-critical workloads off premise. This would enable both IT departments and the organization to gain more confidence while working through the learning curve prior to moving primary or critical workloads to the cloud.
The CIO of today has to be able to deliver a cloud strategy while lowering costs and raising security. This can be very difficult to accomplish, but cloud is becoming one of the strongest solution methods to deliver on that endeavor.
Jonathan Reeves
Jonathan Reeves is the Chief Strategy Officer and Chairman of CloudLink, a leading provider of advanced data security and encryption management products.
One of the #1 issues most companies face with cloud computing and data security is also seen as one of its advantages, and that is…
The fact that cloud providers build and manage massive pools of compute and storage resources that are "rented" to many tenants, allowing for tremendous economies of scale.
While cloud providers implement a number of security measures to segregate tenant environments, there is still a loss of organizational IT control that equates to business risk as applications and sensitive information no longer run within your own private, physically isolated datacenter. Whether the risk is breaking regulatory compliance law or subjecting the company to financial or reputational risk due to data breach, it is no wonder that security is regularly cited as the top barrier to cloud adoption.
Fortunately, there are options to mitigate these risks and gain the confidence necessary to accelerate cloud adoption. While cloud providers control all hardware and virtualization layers of the cloud stack, organizations have the opportunity to Bring-Your-Own-Security (BYOS) to the cloud, enabling them to isolate and protect their applications and keep data private from other tenants and even their cloud providers.
BYOS can take several forms but one of the most proven approaches is protecting access to information through data encryption of virtual machines. When evaluating solutions, three key areas should be explored.
- Security effective: Regardless of encryption algorithm used, if you do not retain control of the encryption keys, you really do not have control of who can access your data.
- Deployment impact: Security solutions that are complex to deploy, involve learning new tools, and require changes to your applications will hinder rather than fuel cloud adoption. Choose solutions that leverage rather than replace what exists today.
- Future proof: Multi-cloud / hybrid cloud strategies will be the norm. Consider solutions that support single pane of glass security management out of the box.