Cloud

12/23/2013
06:06 AM
Jerry Irvine
Commentary

Mobility & Cloud: A Double Whammy For Securing Data

In 2014, legacy security solutions like firewalls and intrusion detection systems will no longer be sufficient to protect corporate data against BYOD and cybercrime.

IT security issues are top of mind in enterprise IT departments today, with a large focus on the protection of data. Moving into 2014, organizations still need to maintain their perimeter defenses, such as firewalls and intrusion-detection systems. The unfortunate truth is that the growth of mobile devices and cloud systems has made legacy security solutions practically obsolete.

Back in the good old days, security goals were directed towards the protection of physical devices. That was before companies placed their intellectual property and technology in clouds, before they allowed employees to access corporate networks and data from personal smartphones and tablets. The general rule of thumb was that if the organization protected the device, the data was also protected.

Today, data protection has become the primary objective. Organizations cannot always protect the device on which data resides or from which it is accessed. Cloud solutions, by definition, exist outside the perimeter of the core enterprise environment. Depending on the applications, they typically require access to systems within the enterprise network. What’s more, firewalls and traditional security solutions are configured to allow mobile devices to bypass security configurations and access applications inside their protected networks.

If that’s not enough to keep IT security managers up at night, add to these challenges the fact that hackers, organized crime, and state-sponsored cyber-attackers are directing great amounts of attention to the development of malicious applications and processes that take advantage of both cloud configurations and the weaknesses of mobile devices. Regardless, executives in corner offices continue to maintain unrealistic expectations that IT departments provide the same levels of security to their systems that existed prior to the advent of such destructive new malware and threats.

A layered approach
Security solutions that help mitigate the risks of theft, loss, and corruption of systems and data are much more limited than the tools available to hackers to cause such problems. As a result, it’s important to develop a layered approach to IT security that focuses on three critical areas:

Data classification
Prior to implementing a full, complex security solution, organizations need to know what they need to secure. This is accomplished through the process of data categorization and classification. Types of classifications can include confidential, financial, intellectual property, client and employee personal information, and public, to name a few. Different categories and classifications of data will also have different security requirements, and may also have mandated requirements due to federal, state, or industry compliance.

These categories and classifications should be used to define security and access requirements. For example, data containing client or personnel health information must adhere to HIPAA standards. If the organization is considering placing this information in the cloud, the cloud provider would have to be HIPAA compliant and provide audit reports, prepared by an independent third-party assessor, that periodically document the CSP's business processes, security systems, and practices.

Strong service-level agreements
Even when an organization outsources its systems and applications to cloud providers, the responsibility for the security, reliability, and access to those systems remains its own. To accept that responsibility, the organization must develop and maintain contractual requirements, including service-level agreements and independent reporting requirements, to ensure that the cloud provider is fulfilling its obligations.

Policy-based and automated device management
You can’t rely on technology alone to head off data-security issues that arise when employees log on to corporate networks with personal devices. Consequently, many of the security and management tasks you need to develop and maintain will also be manual and policy-based. These start with acceptable usage and BYOD policies that spell out -- in writing -- an organization’s rights and potential actions, including denying access for nonstandard devices or to employees failing to meet company requirements. When possible, it’s also a good idea to pair these policies with MDM (mobile device management) or MAM (mobile application management) solutions that automate the management and security of employee devices.

Through the combination of manual policies and processes, the classification of data, and the implementation of automated device management systems, organizations should be able to manage and control data more securely and efficiently. How many of your security teams have started to move beyond legacy security comfort zones? Let’s chat in the comments about your plans and challenges for 2014.

Jerry Irvine is a member of the National Cyber Security Task Force and the CIO of Schaumburg, Ill.-based Prescient Solutions, an IT outsourcing firm.

Comments
MiltonKer,
User Rank: Apprentice
1/11/2014 | 7:54:41 AM
Re: SLAs and transparency
As such SLAs are to be transparent because if required user is going to touch in groups. When it comes to cloud management tools key element has to be more focused. For better option refer to these tools.
Marilyn Cohodas,
User Rank: Strategist
12/23/2013 | 1:48:44 PM
Re: SLAs and transparency
Thanks Jerry. Do you find that most CSPs are willing to "open their kimono" about their security practices directly to customers? Or is there an advantage to organizations to go through a third party audit?
jirvine,
User Rank: Apprentice
12/23/2013 | 1:43:09 PM
Re: SLAs and transparency
Thank you. There are some considerations that should be included within SLAs, specifically Security and Access. You should include the provisions to receive periodic reports from third party security auditors and penetration tests.  These reports should be required to be delivered directly to you from the vendor.  Additionally, you should be allowed to monitor systems uptime directly or via an independent monitoring solution. Independent verification and reporting allows for complete transparency and accountability for the vendor.
Marilyn Cohodas,
User Rank: Strategist
12/23/2013 | 12:41:39 PM
SLAs and transparency
It's always good to be reminded that technology is never a bulletproof security solution. The layered approach that you outline makes a lot of sense -- particularly with that double whammy of mobility and cloud. One question with respect to cloud SLAs -- any specific recommendations on key elements that an SLA should include, in terms of transparency and reporting?