Cloud
9/4/2014
12:00 PM

In Cloud We Trust: A New Model

The solution to the problem of data security in the public cloud will require more than a traditional compliance-driven approach.

Everything is moving fast in the cloud. Public cloud services are delivered with the promise of instant provisioning and constant availability at a fraction of the cost of on-premises implementations. But given our mobile, cloud-enabled, data-driven environment, it is highly likely that in the near future there will be a significant data breach as a result of a compromised cloud account with excessive access to sensitive customer data.

While the prediction is that cloud service providers will be attacked, business consumers will have the most to lose if they are compromised. So how do we control the uncontrollable: the nexus of cloud, mobile, and a data-driven environment? CISOs and their InfoSec teams need to simplify the problem, the solution, and how they speak with the rest of business operations.

A failure to communicate
Currently, most security teams don’t effectively communicate with business operations. However, by doing so, CISOs and InfoSec teams will have a much better chance to partner with the key internal influencers and enable smarter data security.
 
Back in the day, information security frameworks were created at a time when data was primarily housed behind a corporate firewall and the focus was on placing controls on the endpoints and key points in the infrastructure. As a result, existing frameworks do not cater to a cloud-enabled enterprise in which the traditional enterprise perimeter has evaporated, control of the endpoints is greatly diminished and there are new, higher levels of data fluidity than ever before.

Many public cloud-consuming organizations look for cloud providers to adhere to particular regulations and standards both because they are a business requirement and because they equate them with trustworthiness. However, even though the intent of these regulations and standards is to protect, the long rote of compliance has taken its toll. When faced with an overwhelming number of compliance obligations and audits, the tendency of CSPs is to treat compliance in a checkbox fashion versus taking a risk-based, sustained approach where controls are assessed on a continual basis rather than at just a single point in time. What that means is that while compliance requirements may prove that a particular scope of an environment was compliant at a specific state in time, it does not guarantee the protection of data.

Furthermore, the way that InfoSec teams classify and treat data has to align to the new business and usage contexts of cloud and mobile. In other words, data identification and classification schemes have to be intuitive and simple in order for the business to own up to protecting their data.

A new model for data sets
A simple tiered model with three categories, regulated, commercial and collaborative, could serve as an industry-agnostic model for tiering data and provide a construct for educating business users about how to identify critical data assets and transactions. It also ensures that the business is able to have an intelligent discussion with the cloud service provider about protecting data.

Specific industries and verticals may want to tailor data classification schemes to the value that data holds for their particular industry. However, in the baseline model we propose, regulated would cover any data that is subject to regulation, including Personally Identifiable Information (PII); commercial would cover any business-to-business or business-to-consumer transactions, industry data, or intellectual property (IP); and collaborative would cover data such as document collaboration, DevOps data, and anything that is publicly accessible.

We propose these tiers as a base model because they can be applied concretely to define data and minimize misinterpretation versus definitions such as "confidential" and "not confidential" which could be informed by personal values. They also allow for easy mapping of policy, process and technology controls based on standard definitions.

Data could be identified, classified, digitally tagged, or watermarked based on these tiers. User entitlement, access, authorization, authentication, logging, monitoring, and other data protection controls map easily to this model. Encryption strength and type can be based on data type. For example, commercial data would ideally require point-to-point encryption and tokenization, while collaborative data may not always require encryption, especially if it is already publicly accessible. Data residency controls will in many cases apply only to regulated data, given the data privacy and national regulations that restrict the flow of data geographically.
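As an added illustration (not from the article or its authors), the three tiers above expressed as policy-as-code and used to audit a constructed inventory of cloud datasets: the control names, the `CloudDataset` shape, the per-tier baselines and the sample values are all assumptions chosen to mirror the prose.

```python
from dataclasses import dataclass

REGULATED, COMMERCIAL, COLLABORATIVE = "regulated", "commercial", "collaborative"
# Assumed baseline controls per tier, chosen to mirror the article's prose rather than
# any published standard: residency only for regulated, tokenization added for commercial.
TIER_POLICY = {
    REGULATED:     {"transit_encryption": True, "rest_encryption": True, "tokenize": False, "residency": True},
    COMMERCIAL:    {"transit_encryption": True, "rest_encryption": True, "tokenize": True,  "residency": False},
    COLLABORATIVE: {"transit_encryption": True, "rest_encryption": True, "tokenize": False, "residency": False},
}

@dataclass
class CloudDataset:            # what the org knows about one dataset held at a CSP (hypothetical shape)
    name: str
    tier: str
    public: bool = False       # already publicly accessible (collaborative tier only)
    region: str = ""           # region where the provider stores it
    allowed_regions: tuple = ()  # regions permitted by data-residency rules
    transit_encryption: bool = False
    rest_encryption: bool = False
    tokenize: bool = False

def required_controls(tier: str, public: bool = False) -> dict:
    """Controls a dataset of this tier must have; public collaborative data is
    exempt from at-rest encryption, the one exception the article calls out."""
    policy = dict(TIER_POLICY[tier])
    if tier == COLLABORATIVE and public:
        policy["rest_encryption"] = False
    return policy

def control_gaps(ds: CloudDataset) -> list:
    """Required controls the dataset lacks; residency is checked against the allowed-region list."""
    gaps = []
    for control, needed in required_controls(ds.tier, ds.public).items():
        if needed and control == "residency" and ds.region not in ds.allowed_regions:
            gaps.append(f"residency: stored in {ds.region!r}, allowed {list(ds.allowed_regions)}")
        elif needed and control != "residency" and not getattr(ds, control):
            gaps.append(control)
    return gaps

def audit(inventory) -> dict:
    """Map each dataset name to its gaps; an empty list means it meets its tier's baseline."""
    return {ds.name: control_gaps(ds) for ds in inventory}
# Constructed sample inventory (illustrative values, not from the article).
SAMPLE_INVENTORY = [
    CloudDataset("customer-pii", REGULATED, region="us-east", allowed_regions=("eu-west",),
                 transit_encryption=True, rest_encryption=True),
    CloudDataset("order-feed", COMMERCIAL, transit_encryption=True, rest_encryption=True),
    CloudDataset("public-docs", COLLABORATIVE, public=True, transit_encryption=True),
]
```

Running `audit(SAMPLE_INVENTORY)` flags the regulated dataset for residency and the commercial one for missing tokenization, while the public collaborative dataset passes without at-rest encryption.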

Looping CISOs and CSPs
Data classification schemes provide the means by which the CISO can be better looped in with cloud service providers. They enable the business to intelligently champion data security with the CSP without having to defer to a purely compliance-driven approach to security.

In this construct CISOs and InfoSec teams can start to focus on protecting the data, the users, the transactions and workstreams through digital watermarking technologies, encryption, strong user access controls and data residency controls. It is this overarching approach -- rather than having a secure and compliant infrastructure -- that will help retain customer trust, because in the cloud-enabled business, the most control that CISOs can have is over their data and users.

So, what can IT and InfoSec teams do to better protect data and reduce the risk of a data breach in the cloud?

  • Start to align information security measures to the business usages and contexts for cloud today.
  • Communicate regularly with business users to understand and align to their needs.
  • Shift the focus to data- and user-centric controls rather than relying solely on an infrastructure-based approach to security.
  • Consider using a tiered data scheme to ensure that the data that is most valuable or sensitive to your business is protected appropriately.

By taking these steps, CISOs and InfoSec teams can ensure more effective collaborations with internal business units, while enabling smarter data security.

Evelyn De Souza, Cloud Security Alliance Data Governance Chair & Cloud Compliance & Data Privacy Strategy Leader, Cisco
Evelyn de Souza is a Data Privacy and Compliance Leader at Cisco Systems, where she focuses on developing industry blueprints to help organizations embrace ...

Comments
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 3:45:21 PM
Re: Data security is going to have to get more granular
thanks for the update, Rich. Keep us apprised of what your experience is at The Gap so we can all learn from it.
rnoguera,
User Rank: Author
9/10/2014 | 3:11:55 PM
Re: Data security is going to have to get more granular
Yes, there are two large SaaS providers - both of which are pure play cloud service providers that have integrated data security within their DNA from the start. Unfortunately, I cannot name them in this forum - but most large enterprises (that I know of anyway) employ their services.

Regarding Gap, we are in the process of deploying the data type paradigm in a manner very similar to what I have described. Perhaps the greatest (and most rewarding) opportunity throughout, is the education and active collaboration with the business through the type classification process.
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 11:37:23 AM
Re: Data security is going to have to get more granular
Any organizations come to mind Rick? Where does The Gap fit in this new paradigm? And what were/are the biggest challenges?
rnoguera,
User Rank: Author
9/10/2014 | 11:35:48 AM
Re: Data security is going to have to get more granular> Some examples?
Great question! Secure data transport, encrypted storage, and strong user authentication are all table stakes. Pushing into the concepts of data usage and user access context are cutting edge.

There are data-centric CSPs in play today that are pushing the bounds of data encryption and identity/context usage analytics. However, these are the relative few - in my experience, a single digit count. However, this is a great advantage to enterprise cloud consumers - because we can influence (if not demand) that level of security being the key service differentiators in the marketplace.

rnoguera,
User Rank: Author
9/10/2014 | 11:25:31 AM
Re: Data security is going to have to get more granular
I fully agree. To be fair though, jumping to a '3.0 Data Protection' program - one specific to data type and context of use - requires a bit of corporate maturity (wherein data classification and data type is clearly understood and enforced), a corporate environment that is highly agile (think transformative or still forming).
rnoguera,
User Rank: Author
9/10/2014 | 11:17:52 AM
Re: Data security is going to have to get more granular
Successfully deploying a 'type' versus 'class' based data protection model starts with business education and awareness. While information security practitioners will understand this concept fairly quickly, our business partners typically need a bit of education. For many, this is a somewhat revolutionary approach if only because this attempts to bridge the gap of understanding and explaining why data protection matters. Take advantage of that!

In regards to deployment, I would first recommend confirming that your 'crown jewels' are identical to what your business partners describe them to be. Through this (discovery maybe?) exercise, be opportunistic and introduce the data type methodology and collaborate on the type assignment with the partner. Ideally, at that point forward you will have the basis - thinking in an opportunities and challenges mindset - to develop the data protection approach best suited to your organization.
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 7:53:10 AM
Re: Data security is going to have to get more granular> Some examples?
Very interesting point that "Cloud providers may have in the past taken advantage of business users who were leading the charge to the cloud and who may not have been security savvy, are beginning to realize that customer trust once lost cannot be regained. So, they too are increasingly beefing up their data security."

So what specifically are forward-thinking CSPs offering to their customers in terms of data security and where are they still lagging?

ede souza950,
User Rank: Author
9/9/2014 | 7:04:54 PM
Re: Data security is going to have to get more granular
Stay tuned for Rich's reply. We are seeing the shift in IT security from an infrastructure-based approach, which served very well when assets were primarily housed behind an enterprise perimeter towards a data-centric approach to meet the needs of a cloud-extended enterprise. Many of the organizations we speak to are also educating business users on the value of data and the importance of securing personal, regulated and other sensitive data especially as the business increasingly gravitates towards SaaS applications for mission-critical purposes. Cloud providers may have in the past taken advantage of business users who were leading the charge to the cloud and who may not have been security savvy, are beginning to realize that customer trust once lost cannot be regained. So, they too are increasingly beefing up their data security.
Marilyn Cohodas,
User Rank: Strategist
9/8/2014 | 9:41:56 AM
Re: Data security is going to have to get more granular
@ede souza950 and Richard -- What's been your experience in deploying this model (or elements of it) in the real world? I'd be particularly interested to hear from Richard what The Gap is doing or planning to do.
ede souza950,
User Rank: Author
9/5/2014 | 12:25:57 PM
Re: Data security is going to have to get more granular
I agree fully! Rich and I suggested a tiering as a first step to getting beyond a one-size-fits-all data security approach. Data security needs to be broken down into the granular components you suggest, be contextual and also be based on a lifecycle.