Rob Jones

@wildsharkseo

Rob Jones is an experienced software and web developer with experience working in PHP, CSS, HTML, and in developing websites, apps, and plugins. He regularly deals with challenging security installations and is director of UK SEO digital marketing agency WildShark.

"Cloud security take-up is increasing and is estimated to reach $9 billion by 2019..."

As such, there is an increasing number of companies looking to utilize cloud security, and an increasing number of services offering it. However, not all services are equal, and no matter how effective a cloud security offering is, there are still inherent risks that need to be mitigated.

1. The greatest threat comes from within. Experian research suggests that 60 percent of security incidents were caused by or initiated by employees. This doesn't necessarily mean your staff is stealing data from you, but their actions, or inaction, could be causing major security breaches. The problem is even greater for those with remote workers and those that use their own devices to access sensitive data. This highlights the importance of ensuring that all company stakeholders implement cloud security features. Draw up strict policies and, rather than simply handing them out or emailing them, ensure that every team member is aware of how security impacts their daily work and timetable. This brings us neatly on to the next point:

2. Ensure that you have up-to-date security policies in place. Approximately a quarter of businesses do not have security policies in place, at all, while a lot of businesses that have them do not make them a part of their daily business. If your security policies are 5 years old, they're almost certainly out of date, and they will need updating or completely redoing. There are plenty of useful services online that can help draw up security policies, and you should routinely encourage your employees to become intimate with those policies and follow them to the letter.

3. A problem that has come to the fore in recent years is that of remote accessibility. More employees work from home than ever before, and it has become commonplace for employees to check emails and do work from home in the evenings or out of standard work hours. One of the benefits of cloud-based security is that the management software can be accessed from anywhere and implemented on any machine or device, which now includes IoT devices, that is used by employees. Have your remote workers bring in laptops and other devices, and if your employees use their mobile phones for anything as simple as checking work email, ensure that you implement cloud security features on those devices. Using cloud security is pointless, if only half the devices that are used by your organization benefit from that security.

Darren Guccione

@keepersecurity

Darren Guccione is the CEO and co-founder of Keeper Security, Inc. creator of Keeper, the world’s most popular password manager and secure digital vault and KeeperChat, the world’s most secure messaging app for all your devices. Keeper’s products are used by millions of people and thousands of businesses in over 100 countries.

"The three most important considerations when moving to a cloud-based security platform include..."

1. Be cautious with permissions: Not all security features are enabled by default. You need to be sure to switch on basic security settings like encryption and manage access controls. The headlines have recently been teeming with stories of companies leaving large troves of data open to the public because of a basic oversight. For example, last July Dow Jones left more than 2 million customer records out in the open for this reason, and in February, FedEx was embarrassed when 119,000 documents – including scanned passports, driver’s licenses, and other sensitive customer information – were left on an unsecured server

2. Understand regulatory limitations: Depending upon your industry, laws and regulations may limit where you can store data. In some cases, you may be required to keep information off of the cloud entirely. Other rules may prohibit cloud providers for moving data to servers outside of the country. Since many cloud providers have data centers spread across the globe, you want to be sure you have control over where your data is kept, and that you can access it anytime from anywhere. If you’re uncertain about how rules apply to you, consult legal counsel or industry trade associations for advice.

3. Use audit records: This one of the most useful services cloud providers offer, and in most cases there is no charge. Administrators of SaaS services can log on and see all the recent activity on their accounts, including who has been accessing them, for how long, and even what transactions were performed. Many services will also routinely alert you when your account has been accessed from a new device or location. If such services are available, enable them. They’re not only a great intrusion detection tool, but they can provide a valuable audit trail if your services breached.

Brandan Keaveny

@Data_ethics

Dr. Keaveny is the principal consultant/founder of Data Ethics LLC, an information management firm providing professional consulting services in the areas of data governance, analytics, and privacy. Prior to forming Data Ethics, Dr. Keaveny served in the roles of school district administrator, college professor, and teacher of students with special needs.

"Before signing an agreement with a cloud-based provider..."

Make sure to determine the supports that are in place should a breach occur. Questions to ask include:

1. How many third-parties does the provider use to facilitate their service?

Processes and documentation will need to be updated to include procedural safeguards and coordination with the cloud-based solution. Additionally, the level of security provided by the cloud-based provider should be clearly understood. Increased levels of security may need to be added in order to meet privacy and security requirements for the data being stored.

2. How will you be notified if a breach to their systems occurs and will they assist your company in the notification of your clients/customers?

By adding a cloud-based solution to storage of your data also adds an additional dimension of time to factor into the notification requirements that may apply to your data should a breach occur. These timing factors should be incorporated into breach notification procedures and privacy policies.

Tip #2: When switching to the cloud from a locally hosted solution your security risk assessment process needs to be updated. Prior to making the switch, a risk assessment should take place to understand the current state of the integrity of the data that will be migrated. Additionally, research should be done to review how data will be transferred to the cloud environment.

Questions to consider include:

1. Is your data ready for transport?

Reason: The time to conduct a data quality assessment is before migrating data to a cloud-based solution rather than after the fact.

2. Will this transfer be facilitated by the cloud provider?

Reason: It is important to understand the security parameters that are in place for the transfer of data to the cloud provider, especially when considering large data sets.

3.What level of encryption is required if any?

Reason: Best practice would include some level of encryption. This is especially important if data is being migrated to a cloud-based solution and is going to temporarily be located on a queuing server prior to being processed into your cloud-based account.

Mike Baker

@Mosaic451

Mike Baker is Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating, and defending networks across North America. Baker has decades of security monitoring and operations experience within the US government, utilities and critical infrastructure.

"There is no reason to abandon cloud services to bring everything back in-house because of security concerns..."

Securing “cloud” assets comes down to the same foundational questions that are necessary to secure a “traditional” architecture. Those considerations are:

• What are the critical systems and applications?
• What are the baseline performance metrics associated with these systems?
• How do these systems communicate across an internal network and/or the Internet?

Arguably, the biggest challenge in protecting cloud data is that, unlike data stored on a network, it’s not located in one place. The data could be stored in any number of locations, such as an enterprise cloud storage solution like Amazon Web Services or even a Hadoop database, where the data is further scattered into thousands of fragments.

Regardless of the cloud DLP solution an organization chooses, it’s important for DLP policies to be consistent. The same data policies that apply within the enterprise must be enforced within the cloud. This is especially important for organizations that must comply with HIPAA, PCI DSS, and other industry-specific regulatory requirements; cloud data is treated the same way under the law as data stored on a server.

Cloud applications have ushered in a brave new “borderless” work world that promotes open collaboration and the free flow of information. This has allowed workers to be more productive and, in many cases, has made remote work possible, allowing organizations to tap a larger talent pool. Unfortunately, it has also opened up a whole host of vulnerabilities for hackers to exploit. Organizations that do not know where their data is, how it is being accessed, and who is accessing it also don’t know if the data is being breached by outside hackers or misused by malicious insiders. On-premises DLP alone is no longer sufficient to prevent data breaches and leaks

Daryl Heinz

@DUGglobal

Daryl Heinz, CEO of DFHeinz, is a big data consultant supporting data security efforts within NASA, Jet.com, and the Chan Zuckerberg Initiative. He is the founder of Data Use Group Talks, or DUGTalks, free workshops open to professionals seeking to use open source tools to build modern, scalable data infrastructure.

"When moving to a cloud-based security platform, the top three considerations include..."

1. Looking into the Apache Software Foundation, which offers free, open source security solutions that have been tested for two decades by world-class industry leaders.

If you're looking to trim millions in licensing and analysis fees from your data budgets long term, it is important to consider the same free, customizable security solutions that Global 50 companies use. These solutions are open source projects that have been developed by some of the most talented data scientists in the world and tested by innovative leaders across the globe for two decades. The ASF Projects are a certain way to ensure that whatever updates the market may make in the next year, your enterprise is prepared to adapt using a security solution that is modern and forever relevant.

2. Evaluating open source security solutions that are both secure and scalable.

The idea that open source security solutions are not secure or scalable helps to perpetuate misinformation in the big data industry and big box security retail sales. Infrastructure that leverages open source tools can be secured by a professional open source security vendor, and security solutions can be automated. Open source solutions are leveraged by Global 50 leaders in the industry, and internal training for in-house security teams is a cost-effective way to ensure you have complete control over a robust security solution that scales as your needs scale.

3. Looking into Apache Metron, which offers a customizable solution for any use case.

Regardless of whether your company is pursuing professional open source security or in-house security management, it's important to recognize that whatever the level of breach, the indication of a suspected breach can be automated and the best practices for security solutions may also be automated. This enables teams to deliver subject-matter expertise for security at scale. Global 50 companies who use Apache Metron trim millions from their budgets each year by educating themselves on the open source products that are often resold by big box retailers looking to capitalize on widespread industry ignorance and its need for on-demand support services.

Rodrigo Montagner

@RodrigoMontagn3

Rodrigo Montagner is an Italian-Brazilian IT Executive with 20 years of experience managing multiple businesses and IT environments internationally. He is currently CEO and Founder of OM2 Tech Consulting Solutions.

"I would consider among the top three considerations in beforehand of such a move..."

1. The leverage between my current business and the scale of the platforms. If my business is a multi-country, multi-time zone enterprise, more muscular providers have to be on the short list, diminishing latency or geographical issues or problems.

2. Orchestrate the current non-cloud based app solutions in the company along with the new security platform to be in place. It is key to understand, investigate, and deploy add-ons, connectors, and any needed integrator, mainly if the environment is a hybrid one.

3. Check back end and front end integrity. Many companies sometimes take it for granted, but it is key to run a very detailed impact analysis in advance, particularly when in hybrid scenarios (cloud and non-cloud based scenarios). There are a few hundred issues that could be allowed on an environment if the incorrect service gets online without proper testing and without considering the business' needs and specificity.

Sergio Flores

@smartfrog_cam

Sergio Flores is currently leading product development efforts at Smartfrog, a German Berlin-based IoT startup.

"There is no doubt that cloud computing and IoT have entirely revolutionized several industries by..."

Enabling business models that were never thought possible in the past. In fact, ever since it was discovered that processing data from edge devices on the cloud could unlock millions of possibilities in different areas by increasing efficiency, settings like safety and security, monitoring and managing wellness, energy management, and many others have hugely benefited from it. Nevertheless, as the number of cloud-connected edge devices has increased significantly, so have the limitations of cloud computing.

Some of the most important considerations that need to be made before migrating totally into cloud solutions are:

1. Latency and decentralization: Migrating completely into a cloud solution will usually come along with centralizing the computing of all data and requests in the cloud. However, while this can enhance the possibilities of data that can be processed, this might result in long latency and therefore a degraded user experience. Products that strictly require real-time communication (like security sensors) may require a strategy to decentralize the processing of information and do more things directly on the edge.

2. User privacy: Although it has become a general practice in the IoT industry to upload information to the cloud, process it and then fetch it through apps, this should be well thought in those cases where the information used is too sensitive. To give an example, companies that develop wearable health devices might as well be interested in not migrating completely into cloud solutions since that doing most of the data processing directly at the edge device can protect user privacy a lot better than uploading raw data to the cloud.

3. Data volumes: Migrating to a cloud solution might sound attractive at first place, but this needs to be deeply understood in the context of data volume. As an example, it might look attractive to upload security footage directly into the cloud to do face recognition processing on it, but if this footage is of high quality, not only will it occupy a lot of bandwidth just for uploading it, but it will also introduce tremendous latency to the user experience. Companies considering to migrate to a cloud-based platform need to clearly understand the limitations of it and consider all those different factors (like security and scalability) which will determine whether the plan will be successful or not.

Gregory Morawietz

@SinglePointOC

Gregory is the VP of Operations at Single Point of Contact. He is an IT Security Specialist with over twenty years of network and security experience. He has worked with hundreds of firms on improving IT environments, consulting, and integrating technology for the enterprise network.

"When moving to a cloud-based security platform, the top three considerations are..."

1. What kind of security does the security vendor employ? Find out what they have as a security policy, what kind of software, hardware, IDS, IPS etc. they use to protect your data. What is their company's security policy, and are they audited or held accountable in any way?

2. Make sure there are ways to protect your data, like two-factor authentication, encryption, and other technology provided that will protect you.

3. Make sure your company is ready to move sensitive data. Have strong passwords, internal security policies, and requirements for companies that will hold your data.

Chuck Brown

@infinitysav

With more than 30 years' experience in computer network support, IT consulting, and running his own business, Chuck Brown knows the key to developing effective business technology solutions. He and his brother, David, operate Infinity, Inc. in Savannah, GA, serving the cyber security, hosted phones, and cloud computing needs of businesses across all industries.

"Apart from scalability and cost (yes, you do get what you pay for - and sometimes you pay for more than you need), the top three considerations are..."

1. They use the shared responsibility model – the vendor is responsible for the security of the cloud infrastructure while you (the client) are responsible for the security of your own data and networks.

2. They are willing to share their knowledge. A good security vendor won't hold everything close to the chest; they will have a desire to educate you so that you're aware of what your role is in security, and the efforts they make will be supported by the things you do locally.

3. They have experience with your industry. Many industries have specific legal and other compliance issues that your security vendor must be aware of to protect you adequately.

Adnan Raja

@AtlanticNet

Adnan Raja is the Vice President of Marketing for Atlantic.Net, a web hosting solution who offers cloud, HIPAA-compliant, dedicated, and managed hosting.

"When it comes to cloud security, there are several risks to be weary of including..."

Data compliance: If your business handles sensitive data like credit card information or patient health information, there are levels of compliance that must be met. Your cloud provider should be able to tell you which compliance standards they meet.

Cross-cloud policy management: Many professionals in the IT security space are moving toward multi-cloud management platforms designed to lower the burden by creating a centralized network and security policy.

Data leaks: It's very important to have the proper monitoring procedures in place so that you're able to track data store locations and traffic flows, both coming in and going out.

Data encryption: Data should be encrypted, especially when dealing with multiple cloud environments. It should also be protected as it moves between cloud demarcation points, as well as any time data is being processed or manipulated by a cloud application. Doing this will ensure that the data is protected throughout the whole data lifecycle.

Scalability: Make sure that your security tools, procedures, and practices are able to scale for growth. The most important thing to remember is to vet all security tools that are used in the cloud so that you understand how to expand them, while also understanding any challenges that might occur if rapid growth happens.

Jeremy Vance

@us_cloud

Jeremy Vance is the US Cloud VP of Technology. Vance has been in the IT industry for 20-plus years in a variety of leadership positions and roles. Having been on both sides as a producer of cloud security services and also as a consumer, he brings a tremendous amount of perspective to organizations looking to improve their security posture.

"The top three considerations when moving to a cloud-based security platform include..."

1. Verifiability: You need to be able to see how it works. It needs to go beyond “just trust me.” A cloud-based security platform needs to have been tested and verified by others, and those results need to be accessible to audit. A lot of proprietary products are open source, which allows the source code to be compiled and checked for security.

2. Modular: Does the platform stay current? Threats evolve hourly and the platform needs to be able to adapt to new threats and methods. If the platform is modular, then single modules can be replaced with updates and make the platform much more flexible.

3. Uniqueness: Does the platform come with unique authentication and authorization as the default? Can those be changed to follow your IT policies and best practices? Many platforms are doing a better job of avoiding the generic default credentials that are the same for everyone.