Cloud

12/23/2013
06:06 AM
Jerry Irvine
Jerry Irvine
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Mobility & Cloud: A Double Whammy For Securing Data

In 2014, legacy security solutions like firewalls and intrusion detection systems will no longer be sufficient to protect corporate data against BYOD and cybercrime.

IT security issues are top of mind in enterprise IT departments today, with a large focus on the protection of data. Moving into 2014, organizations still need to maintain their perimeter defenses, such as firewalls and intrusion-detection systems. The unfortunate truth is that the growth of mobile devices and cloud systems has made legacy security solutions practically obsolete.

Back in the good old days, security goals were directed towards the protection of physical devices. That was before companies placed their intellectual property and technology in clouds, before they allowed employees to access to corporate networks and data from personal smartphones and tablets. The general rule of thumb was that if the organization protected the device, the data was also protected.

Today, data protection has become the primary objective. Organizations cannot always protect the device on which data resides or from which it is accessed. Cloud solutions, by definition, exist outside the perimeter of the core enterprise environment. Depending on the applications, they typically require access to systems within the enterprise network. What’s more, firewalls and traditional security solutions are configured to allow mobile devices to bypass security configurations and access applications inside their protected networks.

If that’s not enough to keep IT security managers up at night, add to these challenges the fact that hackers, organized crime, and state-sponsored cyber-attackers are directing great amounts of attention to the development of malicious applications and processes that take advantage of both cloud configurations and the weaknesses of mobile devices. Regardless, executives in corner offices continue to maintain unrealistic expectations that IT departments provide the same levels of security to their systems that existed prior to the advent of such destructive new malware and threats.

A layered approach
Security solutions that help mitigate the risks of theft, loss, and corruption of systems and data are much more limited than the tools available to hackers to cause such problems. As a result, it’s important to develop a layered approach to IT security that focuses on three critical areas:

Data classification
Prior to implementing a full, complex security solution, organizations need to know what they need to secure. This is accomplished through the process of data categorization and classification. Types of classifications can include confidential, financial, intellectual property, client and employee personal information, and public, to name a few. Different categories and classifications of data will also have different security requirements, and may also have mandated requirements due to federal, state, or industry compliance.

These categories and classifications should be used to define security and access requirements. For example, data containing client or personnel health information must adhere to HIPAA standards. If the organization is considering placing this information in the cloud, the cloud provider would have to be HIPAA compliant and provide audit information performed by an independent third-party assessor to periodically document the CSPs business processes, security systems, and practices.

Strong service-level agreements
Even when an organization outsources its systems and applications to cloud providers, the responsibility for the security, reliability, and access to those systems remains their own. In order to accept that responsibility, the organization must develop and maintain contractual requirements, including service level agreements and independent reporting requirements in order to ensure that the cloud provider is fulfilling its requirements.

Policy-based and automated device management
You can’t rely on technology alone to head off data-security issues that arise when employees log on to corporate networks with personal devices. Consequently, many of the security and management tasks you need to develop and maintain will also be manual and policy-based. These start with acceptable usage and BYOD policies that spell out -- in writing -- an organization’s rights and potential actions, including denying access for nonstandard devices or to employees failing to meet company requirements. When possible, it’s also a good idea to pair these policies with MDM (Mobile Device Management), or MAM (Mobile Application Management) solutions that automate the management and security of employee devices.

Through the combination of manual policies and processes, the classification of data, and the implementation of automated device management systems, organizations should be able to manage and control data more securely and efficiently. How many of your security teams have started to move beyond legacy security comfort zones? Let’s chat in the comments about your plans and challenges for 2014.

Jerry Irvine is a member of the National Cyber Security Task Force and the CIO of Schaumburg, Ill.-based Prescient Solutions, an IT outsourcing firm.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/23/2013 | 12:41:39 PM
SLAs and transparency
It's always a good to be reminded that technology is never a bullletproof security solution. The layered approach that you outline makes a lot of sense -- particularly with that double whammy of mobility and cloud. One question with respect to cloud SLAs -- any speciric recommendations on key elements that an SLA should include, in terms of tranperency and reporting? 

 

 
jirvine
50%
50%
jirvine,
User Rank: Apprentice
12/23/2013 | 1:43:09 PM
Re: SLAs and transparency
Thank you. There are some considerations that should be included within SLAs, specifically Security and Access. You should include the provisions to receive periodic reports from third party security auditors and penetration tests.  These reports should be required to be delivered directly to you from the vendor.  Additionally, you should be allowed to monitor systems uptime directly or via an independent monitoring solution. Independent verification and reporting allows for complete transparency and accountability for the vendor.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/23/2013 | 1:48:44 PM
Re: SLAs and transparency
Thanks Jerry. do you find that most CSPs are willing to 'open their kimino" about their security practices directly to customers? Or is there an advantage to organizations to go through a third party audit? 
MiltonKer
50%
50%
MiltonKer,
User Rank: Apprentice
1/11/2014 | 7:54:41 AM
Re: SLAs and transparency
As such SLAs are to be transparent because if required user is going to touch in groups.When it comes to cloud management tools key element has to be more focused.For better option refer to this tools.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.