Cloud
12/23/2013
06:06 AM
Jerry Irvine
Jerry Irvine
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Mobility & Cloud: A Double Whammy For Securing Data

In 2014, legacy security solutions like firewalls and intrusion detection systems will no longer be sufficient to protect corporate data against BYOD and cybercrime.

IT security issues are top of mind in enterprise IT departments today, with a large focus on the protection of data. Moving into 2014, organizations still need to maintain their perimeter defenses, such as firewalls and intrusion-detection systems. The unfortunate truth is that the growth of mobile devices and cloud systems has made legacy security solutions practically obsolete.

Back in the good old days, security goals were directed towards the protection of physical devices. That was before companies placed their intellectual property and technology in clouds, before they allowed employees to access to corporate networks and data from personal smartphones and tablets. The general rule of thumb was that if the organization protected the device, the data was also protected.

Today, data protection has become the primary objective. Organizations cannot always protect the device on which data resides or from which it is accessed. Cloud solutions, by definition, exist outside the perimeter of the core enterprise environment. Depending on the applications, they typically require access to systems within the enterprise network. What’s more, firewalls and traditional security solutions are configured to allow mobile devices to bypass security configurations and access applications inside their protected networks.

If that’s not enough to keep IT security managers up at night, add to these challenges the fact that hackers, organized crime, and state-sponsored cyber-attackers are directing great amounts of attention to the development of malicious applications and processes that take advantage of both cloud configurations and the weaknesses of mobile devices. Regardless, executives in corner offices continue to maintain unrealistic expectations that IT departments provide the same levels of security to their systems that existed prior to the advent of such destructive new malware and threats.

A layered approach
Security solutions that help mitigate the risks of theft, loss, and corruption of systems and data are much more limited than the tools available to hackers to cause such problems. As a result, it’s important to develop a layered approach to IT security that focuses on three critical areas:

Data classification
Prior to implementing a full, complex security solution, organizations need to know what they need to secure. This is accomplished through the process of data categorization and classification. Types of classifications can include confidential, financial, intellectual property, client and employee personal information, and public, to name a few. Different categories and classifications of data will also have different security requirements, and may also have mandated requirements due to federal, state, or industry compliance.

These categories and classifications should be used to define security and access requirements. For example, data containing client or personnel health information must adhere to HIPAA standards. If the organization is considering placing this information in the cloud, the cloud provider would have to be HIPAA compliant and provide audit information performed by an independent third-party assessor to periodically document the CSPs business processes, security systems, and practices.

Strong service-level agreements
Even when an organization outsources its systems and applications to cloud providers, the responsibility for the security, reliability, and access to those systems remains their own. In order to accept that responsibility, the organization must develop and maintain contractual requirements, including service level agreements and independent reporting requirements in order to ensure that the cloud provider is fulfilling its requirements.

Policy-based and automated device management
You can’t rely on technology alone to head off data-security issues that arise when employees log on to corporate networks with personal devices. Consequently, many of the security and management tasks you need to develop and maintain will also be manual and policy-based. These start with acceptable usage and BYOD policies that spell out -- in writing -- an organization’s rights and potential actions, including denying access for nonstandard devices or to employees failing to meet company requirements. When possible, it’s also a good idea to pair these policies with MDM (Mobile Device Management), or MAM (Mobile Application Management) solutions that automate the management and security of employee devices.

Through the combination of manual policies and processes, the classification of data, and the implementation of automated device management systems, organizations should be able to manage and control data more securely and efficiently. How many of your security teams have started to move beyond legacy security comfort zones? Let’s chat in the comments about your plans and challenges for 2014.

Jerry Irvine is a member of the National Cyber Security Task Force and the CIO of Schaumburg, Ill.-based Prescient Solutions, an IT outsourcing firm.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/23/2013 | 12:41:39 PM
SLAs and transparency
It's always a good to be reminded that technology is never a bullletproof security solution. The layered approach that you outline makes a lot of sense -- particularly with that double whammy of mobility and cloud. One question with respect to cloud SLAs -- any speciric recommendations on key elements that an SLA should include, in terms of tranperency and reporting? 

 

 
jirvine
50%
50%
jirvine,
User Rank: Apprentice
12/23/2013 | 1:43:09 PM
Re: SLAs and transparency
Thank you. There are some considerations that should be included within SLAs, specifically Security and Access. You should include the provisions to receive periodic reports from third party security auditors and penetration tests.  These reports should be required to be delivered directly to you from the vendor.  Additionally, you should be allowed to monitor systems uptime directly or via an independent monitoring solution. Independent verification and reporting allows for complete transparency and accountability for the vendor.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/23/2013 | 1:48:44 PM
Re: SLAs and transparency
Thanks Jerry. do you find that most CSPs are willing to 'open their kimino" about their security practices directly to customers? Or is there an advantage to organizations to go through a third party audit? 
MiltonKer
50%
50%
MiltonKer,
User Rank: Apprentice
1/11/2014 | 7:54:41 AM
Re: SLAs and transparency
As such SLAs are to be transparent because if required user is going to touch in groups.When it comes to cloud management tools key element has to be more focused.For better option refer to this tools.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.