Cloud security has been a topic of conversation in the InfoSec world since the advent of the Cloud. Initially, enterprises hesitated to adopt Cloud technology based on the perception that you can't really secure what you don't have direct control over. The idea of giving up “direct control" by not maintaining all company-owned data on-premise made companies uneasy.
However, the tide has turned. With the proper configurations and the appropriate security controls in place, the Cloud can now in many ways be more secure and beneficial to security teams than on-premise data centers. To find out how information security teams are reaping the benefits of the Cloud, we reached out to a panel of cloud security experts and asked them to share their opinions on the following question:
"What are the top benefits that cloud computing can bring for information security teams?"
Meet Our Panel of Cybersecurity Experts and InfoSec Pros:
Jonathan is a Cloud Security professional experienced in Cloud Architecture, Security Architecture, and Automation with more than 18 years of information security and IT experience. He is a Managing Consultant at VerSprite, which focuses on Cloud Security services, automating security tools and processes, and creating strategic, efficient, and effective security solutions.
"The benefits of cloud computing for infosec teams include..."
- Scale & Flexibility. As the businesses cloud infrastructure scales out, the security infrastructure in the cloud should scale out as well, or at least handle the scaling without failing. This is a key step in making sure the security team is not "The Party of NO" but instead is a business-enabling team.
- Coverage & Visibility. Cloud Infrastructure is very mature. All resources are being provisioned via API calls, which means 100% coverage and visibility into assets, security settings, and policies in use. Information Security professionals must learn what secure and insecure look like in the Cloud, and then apply that knowledge to all the settings exposed by Cloud Service Providers.
- Proactive Response. Using Concepts like Dev SEC Ops, security can be embedded into release processes and even Amazon EC2 instances. Imagine a world where the infrastructure itself prevents non-compliant assets from being created. That is possible today with a little scripting. A great example of proactive security is enforcing the policy that "all assets must be tagged" by monitoring EC2 instances. When a non-compliant instance is being launched, it automatically shuts down before it even finishes launching! That is proactive response.
Cloud Service Providers offer companies building blocks. Cloud customers must recognize that the Cloud is not just another data center, and learn which technologies, options, and settings they need to adjust to deploy those building blocks securely. InfoSec professionals must adjust to the new paradigm to avoid slowing down the business and enjoy the benefits of increased visibility and enhanced control the Cloud offers.
Tim Platt has 25 years of experience in multiple areas of technology and leadership including programming, networking, databases, cloud computing, security, and project management. He currently works at Virtual Operations, LLC, providing technology consulting in the Orlando, FL area.
"There are many benefits to cloud computing..."
Such as providing fast, high-capacity scaling, eliminating capital expenditures, and providing global reach with ease. There are also considerable benefits from a security perspective. Firstly, the majority of cloud computing is implemented by highly skilled providers, utilizing data centers with uptime and security that small companies couldn’t hope to replicate. The physical security mechanisms are considerable, including bio-metric access controls and other robust mechanisms. The infrastructure supporting the cloud services commonly abides by rigorous NIST standards for cyber-security and undergoes continual evaluation by "red teams" of white-hat security experts. Small companies can’t replicate this level of expertise for a reasonable price tag.
Secondly, the emergence of Software as a Service (SaaS) and Platform as a Services (PaaS) has been a boon for businesses because it eliminates the mundane administration and endless security patching (at the OS and application level) required to maintain the underlying infrastructure. Cloud providers are well equipped to provide this service continuously at a level of expertise that a small company couldn’t match. Overall, this and other factors greatly increase the security of cloud-based systems when compared to non-cloud systems.
Adam Stern is the Founder and CEO of Infinitely Virtual, which offers cloud computing solutions.
"In May, the ransomware worm WannaCry fueled a massive attack that..."
Paralyzed some 300,000 computers in 150 countries, disabling systems at public hospitals throughout the U.K. along with those connected to Telefonica, the Spanish telecom provider, among other victims.
WannaCry wreaked havoc but, tellingly, not at the big public cloud providers like Microsoft Azure, Amazon’s AWS, IBM, and Rackspace, and not at smartly managed midsize public cloud providers, either.
This major hack provides a lesson. The experience of public cloud providers should put to rest the notion that the cloud isn’t safe. WannaCry made a compelling argument that the cloud is in fact the safest place to be in a cyber hurricane. Internal IT departments fixated on in-house technologies were affected big-time.
The takeaway is that your business and your data are considerably safer in the cloud than tethered to equipment under someone’s desk. Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention, and round-the-clock monitoring.
Donna Taylor has 20 years experience in the IT industry. She has worked at IBM, Gartner, IDC, and Ford Motor Company. She has extensive global experience in corporate development & strategy, M&As, venture capitalism, consulting, market research, and competitive analysis. Taylor has an MBA in International Management, a JD in International Corporate Law, and a BS in Finance and Multinational Business Operations. She has a deep understanding of the nuances of global markets, particularly in the EMEA region.
"There are several benefits of cloud computing for security teams including..."
Most companies are not in the business of technology. Instead, they use technology to run their businesses. They might be in financial services, healthcare, retail, etc. Therefore, they may lack the technological savvy to manage and protect their data. Many firms have a false sense of security just because their data is on-site. However, having a data center does not ensure that it is protected. Ironically, one of the inhibitors to early cloud adoption was around security concerns. Today, the cloud can often provide better data protection than having data reside on-site. This is due to the enhanced capabilities of IT staff whose one and only job is to protect your data. These IT professionals often have credentials, training, and experiences far superior to those roles at a firm's on-site facility.
Cloud customers are able to take advantage of higher quality technology by sharing the costs of more expensive and better protected technology with other customers.
3) Data Security Gates
Cloud customers can capitalize on better data monitoring, tracking, and access as well as response to anomalies. True security is not only preventing and thwarting attacks, but also having an incident response plan in place to combat incursions. This last component is often the one that most companies overlook. A crisis is not the time to be testing a process you hope to never use.
Margaret Valtierra is the Technical Marketing Specialist at Cohesive Networks, where she creates technical documentation, guides, and video demos. Margaret has a BSM from Tulane University and is an AWS Certified Solutions Architect and Cloud Security Alliance (CSA) CCSK.
"Cloud computing has obvious cost benefits..."
Especially for startups and businesses looking to move away from owning and running data centers. Cloud providers have more capacity, speed, and locations. Shifting your information security practice to fit cloud is a process, but there are upsides. Cloud providers offer Service Level Agreements (SLAs) for their services, including: specifics on security, privacy, access to data, and data portability. Offloading IaaS-layer requirements onto a provider will ease the burden on your teams as long as the SLAs meet internal security standards.
Cloud providers can also help InfoSec teams meet compliance requirements, since most IaaS offerings meet ISO, PCI, and other well-known standards. Before cloud, we had to maintain and secure our own servers and physical security. Now, Amazon, Azure, and Google run word-class data centers for us. 70% of organizations use at least one application in the cloud. Those applications - everything from CRM to mobile apps - put critical business data beyond the reach of traditional security. Security teams can now use cloud technologies to prevent data breaches and vulnerabilities by enforcing strong virtual networks and flexible data policies for each application.
Another big benefit of the cloud is the ability to build security on top of standard offerings. A virtual private network (VPN) allows security teams to create a secure network on top of a cloud provider's physical network. As teams install and launch applications, security teams can directly control network traffic with point-to-point connectivity. Network security settings like firewall rules, users access, and internet port filters can be sized, scaled, and tailored to each cloud application.
Taylor Toce is CEO of Velo IT Group, a world-class managed IT services provider focused on providing businesses with the technology and support they need to achieve maximum velocity in their markets. Taylor has a proven track record leveraging IT solutions in business strategy for small- and mid-market businesses to help clients gain efficiency and improve profit margins.
"It is safe to say cloud computing is here to stay..."
With organizations of all sizes in both the public and private sectors taking advantage of cloud computing platforms, many information security teams are increasingly willing to "green light" these cloud computing platforms as safe for work. It took time for most of these teams to find comfort in allowing an external provider in "the cloud" to have access and control over their sensitive data. In this process, most teams discovered that when partnered with the right cloud computing provider, the security of corporate data and applications is paramount to the security that can be provided internally.
With IT capital budgets under careful scrutiny, most IT security teams cannot afford the level of security they desire but rather are left with the level of security they can afford. By offloading these services to cloud providers that can spread the cost of industry-leading security systems across a larger client base, most IT security teams can gain the level of security they desire at a price they can afford today.
Further, by sharing the risk of IT security with a cloud provider, many organizations can speed up the path to security and industry regulatory compliance. This path to compliance is often associated with seemingly insurmountable cost and a huge burden of time that is placed on an already over-burdened IT team. By leveraging cloud providers that already possess the tools, processes, and procedures to meet these regulatory hurdles, IT security teams can find an easier path to compliance at a cost the organization can actually afford.
Brady Ranum is VP of Products and Strategy at Dizzion, a cloud-delivered desktop and end user computing solutions provider. Having spent more than two decades in the IT infrastructure technology industry, Brady excels in delivering high performance, highly available cloud deployments, custom networks, storage, and compliant environments.
"One of the top benefits cloud computing has for information security teams is..."
That it can keep sensitive corporate IP and data off of vulnerable endpoint devices. As the workforce continues to shift to a work at home, contractor and BYOD model, data is harder to control and at greater risk of exposure. These styles of working mean corporate data is no longer tethered to a computer in a secure office - it can be anywhere. We're seeing the increased security risk of this situation in the rising number of data breaches that are the result of laptops being lost or stolen or of employees mishandling, inappropriately accessing or sharing data. When data is stored in a cloud solution like a SaaS application or a virtual desktop, it's kept off the endpoint, minimizing the risk. This should be a critical measure for information security teams going forward as it's the first line of defense against unintentional data beaches.
Another benefit to InfoSec teams is how easy patching and updates are with some elements of cloud computing. If the team is implementing as-a-service solutions, they no longer have to worry about manually implementing updates and security patches as the updates are often automatically pushed by the service provider. Virtual desktops are a cloud computing solution that makes IT management even easier. WannaCry made it painfully obvious how often individuals and companies ignore critical updates and patches at their own peril. Virtual desktops make it easy for IT and InfoSec teams to take control back from users, no matter how wide the corporate footprint is. An update or patch can be applied to the virtual desktop golden image and is automatically applied to all cloud desktops imaged off that source. IT no longer has to touch each individual computer or rely on end users to implement critical updates.
Mark Wilcox is a Vice President at ICSynergy, a boutique services firm based in Plano, Texas that specializes in cloud security for the Fortune 2000. He is one of the world's leading experts in identity management and has been involved with cloud computing since Amazon's EC2 beta.
"The proper deployment of cloud computing can provide a lot of benefit to information security teams..."
But it is important to understand that there's a vast difference in the various types of cloud computing concepts.
For example, Infrastructure as a Service such as Amazon Web Services still puts most of the security implementation on the enterprise IT team. Amazon provides a secure data center, but if the IT team doesn't properly secure the API keys, their company AWS environment can be exploited. Meanwhile, a SaaS product such as Oracle HCM or SalesForce has almost all of the security provided by the vendor.
And products such as Box operate in the middle ground. Meaning, the data in Box is secure. But if an employee shares a confidential folder with a non-approved external entity, this also puts the company at risk.
That being said, in general, cloud computing is much safer overall than most data centers because the cloud was purpose-built for the Internet. Cloud-based data centers do not have to deal with legacy applications that were built before global networking.
What has me more excited is the next generation of SIEM solutions that leverage cloud processing and machine learning. They are able to detect attacks much earlier and with fewer false positives. This will help organizations improve their security posture because they can fix problems before the data is exported out of the environment.
Mark Hill is the Group Chief Information Officer at Frank Recruitment Group.
"The core benefits of true cloud computing are..."
Flexibility and speed to deployment, while still offering a vast array of software features at the 'touch of a button.' However, for most companies, data security is increasingly also a key ingredient when deciding to opt for a Cloud platform over a traditional in-house solution. In the fight against cyber-crime, most enterprises simply cannot keep up with the 'security arms race' protecting data in traditional in-house systems. For many, the Cloud is the only realistic alternate at an achievable price point.
In the Cloud, an organization can store data and software in highly secure locations with massive ongoing security investments in ubiquitous threat monitoring, alerting, and data protection techniques. This is an ever-increasing key factor that makes the Cloud more desirable than the alternatives. Today all of the leading Cloud platforms have a series of top security protocols, practices, and policies that protect company and customer data. Like many others, we already see Security as a key differentiator, and this will only grow as data security breaches across the globe become even more prevalent.
Jason McNew previously worked for the White House Communications Agency / Camp David for 12 years, where held one of highest security clearances. He is now based in the private sector as founder and CEO of Stronghold Cyber Security. He is a veteran, holding four degrees including a Master's in Cyber Security from Penn State.
"Cyber Security as a discipline is about managing risks to your information and your enterprise..."
For most enterprises, security is a cost center, and its application only makes sense to the extent that it reduces risk or saves money, and ideally, both. Cloud computing is an excellent security solution when used in conjunction with a formal data classification program. For example, we might employ a simple three tiered data classification strategy which divides information into three categories – Restricted Data, Private Data, and Public Data.
Based on this scheme, it is much easier to conclude what our risk tolerance for particular pieces of information is. For Public Data, cloud computing is the perfect solution, mainly due to economies of scale which offer reduced costs. Because we are dealing with Public Data, we are unconcerned with confidentiality.
When considering cloud computing for handling Private Data, a greater degree of due diligence is required. The information security team must carefully screen the cloud providers and ensure that the provider has been audited by a third party for compliance with an information security framework such as SOC 2.
Access to Restricted Data, the compromise of which can put an enterprise at great risk, should be kept to a minimum. It is inadvisable to use cloud computing for handling restricted data.
Mihai Corbuleac is the Senior IT Consultant at ComputerSupport.com LLC, an end-to-end technology solutions provider that offers services in the Cloud.
"Cloud technology provides proven data saving solutions..."
Cybersecurity experts recommend cloud-based backup services more than ever, especially because the increasingly popular Petya and notPetya threats can be successfully avoided if companies keep full backups within cloud environments. Secondly, there are several viable backup solutions that can be implemented in a relatively short period of time. Another benefit is improved data security. Public cloud companies keep investing billions in InfoSec. Moreover, companies offering cloud-based backup services also develop security plans and cutting-edge firewall technologies to prevent data breaches. Finally, cloud technology is more affordable than ever, so with the right tech support, any business can adopt it.
Adnan Raja is the Vice President of Marketing for Atlantic.Net, a web hosting solution that offers HIPAA-Compliant, Managed, and Dedicated Cloud hosting.
"There are many advantages to using cloud computing for information security teams..."
- Less IT issues - The daily tasks, responsibilities, and stress of trying to manage a data center is now passed on to an outside party.
- Increased security - Most businesses enhance their security by transitioning to the cloud, simply because good providers have infrastructure experts and security professionals on their team.
- Improved teamwork - The ability to use collaboration tools makes it far easier for employees to work together as a team to increase productivity.
- Agility - When we consider the laws of supply and demand, having a physical solution can be limiting. However, the cloud allows you to quickly adapt to changing user demand.
- Disaster ready - If some kind of disaster happens at your physical location, you could lose all your data. While backing up your data is a wise decision, the cloud simplifies the backup process and makes it way easier to implement.
Ashwin Krishnan is a technology industry expert with over two decades of experience in cybersecurity and cloud technologies. The author of Mobile Security for Dummies, Ashwin is currently a Senior Vice President of Products and Strategy at HyTrust, a late stage security startup. His speaking engagements include Mobile World Congress, RSA Security Conference, VMWorld, Telecom Industry Association, and Product Camp Silicon Valley.
"InfoSec teams are challenged on a few fronts today where the cloud can help them…”
1. The inability to keep the horse in the barn. The horse being the lines of business users who are consuming cloud computing because it is accessible, relatively cheap, and always available. However, business users sometimes don’t think enough about information security. InfoSec teams would be wise to learn what the cloud has to offer and find ways to stay ahead or at least catch up quickly. One way to do this is to understand what storage services are being used in the cloud and encrypt data by default before it goes to public cloud and keep the encryption keys on-prem. This way they are allowing users to use the public cloud to exploit its benefits while keeping the enterprise safe.
2. The other one is to learn from the lines of businesses. Previously cost-prohibitive analytics, such as forensics, log aggregation and curation, can be done at a fraction of the cost in the cloud. InfoSec teams can take advantage of this and use the cloud themselves to solve problems while maintaining a good security hygiene.
3. Really forward thinking organizations like the Province of British Columbia have gone a step ahead than most and established a 'vetted' marketplace where they engage with the large cloud providers' IaaS and PaaS offerings to ensure they meet the bar, and then all BC public sector organizations are guaranteed security and compliance if they use these services through the cloud BC marketplace.
These are a few ways where InfoSec teams can benefit using the cloud.
Rodrigo Montagner is an Italian and Brazilian IT Executive.
"Having a full-throttle cloud computing provider for one or more application processes can be a ..."
Shielding resource. Through cloud applications, cyber-threats can be more professionally treated with potentially less risk, as long as the provider and service has been properly tuned up with the business needs to leverage scale and operational capacity.
IT Departments need to be very proactive in armoring each and every application both cloud and non-cloud, especially in a hybrid environment.
All in all, cloud computing generally raises the bar for security and defense, allows for more standardized and globalized solutions in case of scale attacks, and reduces CAPEX cost in the long run.
Kathy Powell is the Marketing Manager for Tie National, LLC, an IT solutions and support provider.
"Cloud computing saved businesses from..."
The initial cost of hardware that immediately depreciates in value. Unlike on-premises hardware that requires additional money for upgrades and maintenance, cloud computing is a veritable cash cow in that it is easily scalable on demand and all changes and maintenance are performed by the provider rather than an onsite technician.
Eirini Kafourou handles communications for Megaventory, the online inventory management system that helps small businesses synchronize stock and manage purchases and sales over multiple stores.
"Recent developments in the latest ransomware attacks have taught us..."
A lesson that installed software on your PC can be used to compromise your company's security. With enterprise systems that work on the cloud, even if your company's computers fail, team members still have access to important data and are able to work as usual. On top of that, keeping your and your clients' data safe in a traditional way may be accompanied by high cost and risk, especially for smaller businesses with low server redundancy. Cloud computing can help your information security team keep your data safe while utilizing less of the company's budget.
Justin Davis is a Technology Sales Leader for Enterprise Business. He specializes in Data Security, Disaster Recovery & Business Continuity, and Predictive Analytics.
"At this point, cloud is the clear choice for many workloads for enterprise businesses..."
Among the top values are:
- Easy and efficient replication of data
- Consistent and timely security patches
- Upkeep of physical environment
- Mitigation of physical access breach concerns
- Templated support
Replicating these benefits in-house is costly and time-consuming and places an increased burden on the security team for budget approvals on minor upgrades that a cloud environment will automatically provide, further reducing the overall security posture.
Steven Sprague, CEO of Rivetz Corp. and former president and CEO of Wave Systems Corp. for 14 years, is one of the principal industry evangelists for the application of trusted computing technology. Steven has a strong technical foundation in principles, capabilities and business models of incorporating trusted hardware into everyday computing, making him a popular speaker on cybersecurity and trusted computing.
"Cloud-powered Internet of Things (IoT) is..."
Actually the replacement for PC networking. IoT-style collaboration might well replace the almost thirty-year-old model of Windows for work groups. A social network of devices would be able to easily and securely chat using end-to-end encryption, which old models in the past were never able to do. Combining this cloud model with Blockchain provides users with the tools to manage their collection of devices securely. It's a new model that will be easier to manage, configure, and control.
Swapnil Deshmukh is a Senior Director at Visa. He leads a team responsible for attesting security for emerging technologies. He is co-author of the Hacking Exposed series and is a member of OWASP. In his prior work, he has helped Fortune 500 companies build secure guidelines for organizations, including those in the healthcare industry.
"Public cloud computing provides various application abstraction layers such as..."
Software, platform, and infrastructure, which are essential for quick deployment of a product. For information security teams, it also provides an abstraction for decoupling their infrastructure from an appliance-based architecture to a software-defined one. This abstraction is essential for building a secure community and openness for various software-defined stacks. It is also essential for building all the necessary security features from the get-go or designing it in-house. This abstraction was not available in previous architectures as they were mostly closed stacks/protocols by design and tied to hardware or appliances.
Larry Port has worked with thousands of law firms worldwide since 2008 when he started the first cloud-based legal practice management software company, Rocket Matter. Rocket Matter has since remained a leader in the industry, boosting law firms' revenues by more than 20%. In Larry’s role as founder and CEO of Rocket Matter, he has become a speaker and award-winning writer at the crossroads of the legal profession, cutting-edge technology, and law firm marketing.
"Perhaps the greatest security that cloud computing brings for information security teams is..."
The protection against ransomware. Cloud computing companies are specialists in maintaining their servers and do a much better job of applying security patches than large, bureaucratic organizations. Had more organizations kept their servers up to date with the latest security patches, this year's major attacks could have been a non-event.
As lead solution consultant at itas, an award winning Sage partner, Hannah has a real passion for data and process design. With an academic background in Mathematics and Operations Management, she has spent the last 5 years applying that knowledge to the project management, design, and implementation of ERP and BI systems across a range of sectors and with organisations of varying sizes.
"One of the benefits that cloud computing can bring information security is..."
Access to the latest in digital security, something that is not usually affordable for small- to medium-size businesses. The economies of scale allow InfoSec teams access to best-of-breed technologies and dedicated teams that are focused on ensuring the security of data, including access to expensive consultants that focus purely on assessing the security and vulnerabilities of the platform.
Marco Matouk is the founder and CEO of Innovación e Inversiones en Tecnología (IIT), a partner of Intralinks for the Hispanic Latin American and Caribbean regions, specializing in high-end document security and management services. A serial entrepreneur, Marco has founded five start-ups focused on Enterprise Software, Cloud Technology, Information Security, and Digital Transformation. He is currently based in Fort Lauderdale, FL.
"Cloud information rights management solutions can protect your firm’s crown jewels from cyber thieves..."
Implementing a solution that supports an IRM strategy is a best practice for protecting critical company documents.
Your confidential documents are a prime target for thieves because they leave your network "fortress" and travel to laptops and smartphones with minimal security features. Other threats come from inside your organization, such as an employee posting a file on a social media site, forwarding it to a friend, or uploading it to insecure online services.
Without an effective document protection system, your company and your shareholders could suffer a costly financial loss, a loss of competitiveness or productivity, or lasting damage to your reputation.
Although U.S. based companies are targeted more often than companies in other regions, cyber crimes are growing around the world, as more executives, sales people and others work from remote locations. Because more and more documents are in motion over the Internet, the security risks continue to grow.
A recent Accusoft survey of the 350 IT managers and professionals, Closing the Document Management Awareness Gap, found that about 33% reported that sensitive documents had been compromised due to poor security strategies, and 43% said employees don’t always comply with policies.
Deploying IRM solutions:
To address this serious security problem, a growing number of companies are deploying information rights management (IRM) solutions that prevent confidential digital assets in the most commonly used file formats (Word, Excel, PowerPoint, PDF) from being opened by unauthorized users. If a user authenticates and opens the document (online or downloaded copies), the company can still control the level of access, including read, print and other functions.
An IRM application adds an additional layer of security to confidential documents, which can be housed securely in the cloud, and synchronized with an office computer or smartphone. They can also un-share a document from a user at a specific time, or immediately if a mobile device has been stolen. While no solution is perfect, implementing an IRM strategy is one best practice for document protection.
Here are four steps to improve document security in any organization with the Cloud:
- Protect: The most efficient way to minimize security risks is reducing the number of documents in motion. That means storing a sensitive document in a secure and certified cloud document collaboration platform, rather than sending documents over the Internet as email, text or other messaging attachments.
- Detect: A cloud-based document protection solution also allows you to track who is accessing the document, the user’s location, and any actions affecting that document. For instance, you could detect two or more simultaneous log-ins from the same user ID or a suspicious log-in from a country known to be a haven for cyber criminals.
- Contain: One of the key features in maximizing the security of documents in a collaborative environment is the ability to terminate access once a threat is detected. If a user’s ID appears to be compromised or a mobile device is stolen, access can be suspended immediately.
- Recover: With a cloud-based solution, a user who has been compromised or lost a device, can be quickly reinstated, minimizing any downtime. The recovery process involves refreshing the authentication and privileges of the user, who can be back up and running in minutes and synchronized to a new device to get the user back to where he/she was before the incident.
Get email updates with the latestfrom the Digital Guardian Blog
Thank you for subscribing!