Cloud
12/23/2013
06:06 AM
Jerry Irvine
Jerry Irvine
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Mobility & Cloud: A Double Whammy For Securing Data

In 2014, legacy security solutions like firewalls and intrusion detection systems will no longer be sufficient to protect corporate data against BYOD and cybercrime.

IT security issues are top of mind in enterprise IT departments today, with a large focus on the protection of data. Moving into 2014, organizations still need to maintain their perimeter defenses, such as firewalls and intrusion-detection systems. The unfortunate truth is that the growth of mobile devices and cloud systems has made legacy security solutions practically obsolete.

Back in the good old days, security goals were directed towards the protection of physical devices. That was before companies placed their intellectual property and technology in clouds, before they allowed employees to access to corporate networks and data from personal smartphones and tablets. The general rule of thumb was that if the organization protected the device, the data was also protected.

Today, data protection has become the primary objective. Organizations cannot always protect the device on which data resides or from which it is accessed. Cloud solutions, by definition, exist outside the perimeter of the core enterprise environment. Depending on the applications, they typically require access to systems within the enterprise network. What’s more, firewalls and traditional security solutions are configured to allow mobile devices to bypass security configurations and access applications inside their protected networks.

If that’s not enough to keep IT security managers up at night, add to these challenges the fact that hackers, organized crime, and state-sponsored cyber-attackers are directing great amounts of attention to the development of malicious applications and processes that take advantage of both cloud configurations and the weaknesses of mobile devices. Regardless, executives in corner offices continue to maintain unrealistic expectations that IT departments provide the same levels of security to their systems that existed prior to the advent of such destructive new malware and threats.

A layered approach
Security solutions that help mitigate the risks of theft, loss, and corruption of systems and data are much more limited than the tools available to hackers to cause such problems. As a result, it’s important to develop a layered approach to IT security that focuses on three critical areas:

Data classification
Prior to implementing a full, complex security solution, organizations need to know what they need to secure. This is accomplished through the process of data categorization and classification. Types of classifications can include confidential, financial, intellectual property, client and employee personal information, and public, to name a few. Different categories and classifications of data will also have different security requirements, and may also have mandated requirements due to federal, state, or industry compliance.

These categories and classifications should be used to define security and access requirements. For example, data containing client or personnel health information must adhere to HIPAA standards. If the organization is considering placing this information in the cloud, the cloud provider would have to be HIPAA compliant and provide audit information performed by an independent third-party assessor to periodically document the CSPs business processes, security systems, and practices.

Strong service-level agreements
Even when an organization outsources its systems and applications to cloud providers, the responsibility for the security, reliability, and access to those systems remains their own. In order to accept that responsibility, the organization must develop and maintain contractual requirements, including service level agreements and independent reporting requirements in order to ensure that the cloud provider is fulfilling its requirements.

Policy-based and automated device management
You can’t rely on technology alone to head off data-security issues that arise when employees log on to corporate networks with personal devices. Consequently, many of the security and management tasks you need to develop and maintain will also be manual and policy-based. These start with acceptable usage and BYOD policies that spell out -- in writing -- an organization’s rights and potential actions, including denying access for nonstandard devices or to employees failing to meet company requirements. When possible, it’s also a good idea to pair these policies with MDM (Mobile Device Management), or MAM (Mobile Application Management) solutions that automate the management and security of employee devices.

Through the combination of manual policies and processes, the classification of data, and the implementation of automated device management systems, organizations should be able to manage and control data more securely and efficiently. How many of your security teams have started to move beyond legacy security comfort zones? Let’s chat in the comments about your plans and challenges for 2014.

Jerry Irvine is a member of the National Cyber Security Task Force and the CIO of Schaumburg, Ill.-based Prescient Solutions, an IT outsourcing firm.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/23/2013 | 12:41:39 PM
SLAs and transparency
It's always a good to be reminded that technology is never a bullletproof security solution. The layered approach that you outline makes a lot of sense -- particularly with that double whammy of mobility and cloud. One question with respect to cloud SLAs -- any speciric recommendations on key elements that an SLA should include, in terms of tranperency and reporting? 

 

 
jirvine
50%
50%
jirvine,
User Rank: Apprentice
12/23/2013 | 1:43:09 PM
Re: SLAs and transparency
Thank you. There are some considerations that should be included within SLAs, specifically Security and Access. You should include the provisions to receive periodic reports from third party security auditors and penetration tests.  These reports should be required to be delivered directly to you from the vendor.  Additionally, you should be allowed to monitor systems uptime directly or via an independent monitoring solution. Independent verification and reporting allows for complete transparency and accountability for the vendor.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/23/2013 | 1:48:44 PM
Re: SLAs and transparency
Thanks Jerry. do you find that most CSPs are willing to 'open their kimino" about their security practices directly to customers? Or is there an advantage to organizations to go through a third party audit? 
MiltonKer
50%
50%
MiltonKer,
User Rank: Apprentice
1/11/2014 | 7:54:41 AM
Re: SLAs and transparency
As such SLAs are to be transparent because if required user is going to touch in groups.When it comes to cloud management tools key element has to be more focused.For better option refer to this tools.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-4350
Published: 2014-09-19
Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file.

CVE-2014-4376
Published: 2014-09-19
IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments.

CVE-2014-4390
Published: 2014-09-19
Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

Best of the Web
Dark Reading Radio