Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/13/2012
01:34 AM
50%
50%

Regaining Control Of Data In The Cloud

Encryption and better access management can help tame the chaos

With a growing mobile workforce, more employees using their personal devices for work, and closer relationships with partners, sensitive data continues to move outside of the corporate firewall, whether businesses approve or not. Cloud services have become a major pathway for that data: Business teams are collaborating online, while workers are storing data in file-sharing services to continue working on the road.

Securing that data is not easy. The proliferation of mobile devices has led to scalability issues with both encryption and key-management technology. Rather than deal with the complexity of such security technologies, workers are likely to attempt an end run and use their own solutions, without giving security much thought. Fighting back against those forces with traditional encryption products is difficult because they do not scale to large number of users and devices.

"You are now encrypting any and all data with a key," says Adam Ghetti, co-founder and chief technology officer of Social Fortress, a data-protection service and technology provider. "The scalability of the security architecture is a problem -- traditional architectures, especially."

Companies looking to use encryption services and better access management to take back control of their data need to encrypt all data that leaves their networks, and yet not let the process slow down their workers.

Different security providers are approaching the problem differently. Social Fortress, which started as a way to give social-network users more control over their posts, is piloting projects in healthcare and finance, allowing fine-grained protection of data. Each piece of data gets its own key, independent of the device or user, and will be stored encrypted in whichever cloud service the business uses.

The model works especially well for data that plugs into an existing software-as-a-service application, such as Salesforce.com, or to place access controls on Facebook posts and tweets on Twitter.

Companies need to first evaluate what requirements they have and focus on what makes sense for their company. Most importantly, businesses need to make sure that, even in the event of a breach or leak, their data is safe, says Mark Bower, vice president at Voltage Security, a data-protection firm.

"It boils down to the fact that a data breach is going to be an inevitable event -- the strategy then has to shift to making a breach meaningless to the attackers and have zero impact to the business," Bower says.

[Quantifying different mobile risks could help enterprises decide what kind of technology and practices they need to support the mobile-security policies. See How Does Mobility Change IT Risk Management?.]

A key component to securing a company's sensitive data is to integrate the security in how employees work.

"The biggest culprit in undermining data-security policies are people who are e-mailing things that they should not be e-mailing and moving things where they shouldn't," says Tim Matthews, senior director of security product marketing at Symantec.

Last week, Symantec announced two encryption products that aim to help lock down data that could be leaked through e-mail or cloud storage. As part of its Symantec O3 push, the company added e-mail encryption add-ons for popular mobile devices, allowing messages and attachments to be secured, without forcing users to use special applications. The company also added an encryption solution for consumer storage solutions, such as Dropbox, often used by workers.

In a survey released in conjunction with the announcement, the company found that 55 percent of workers did not know whether their businesses had a cloud-security policy.

Other providers, such as Vormetric, use appliances that encrypt and manage keys for the company while their data is stored in the cloud. As an encryption gateway provider, the company's service encrypts and decrypts the data on the fly, keeping out of the user's way.

"Encryption underpins a lot of the security in the cloud, but what you are doing in terms of encryption depends on the delivery model of cloud services," says Todd Thiemann, senior director for product marketing at the company.

Yet Social Fortress's Ghetti warns that encryption gateway solutions, by concentrating certain operations in a single system or network of systems, can undermine the robustness of a cloud service.

"What you have done in a lot of cases is that you have limited the majority of the value of going to a cloud service because you are taking all that data and all that traffic and bringing it back in to the enterprise," he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
11/14/2012 | 5:26:14 PM
re: Regaining Control Of Data In The Cloud
Interesting caveat about encryption gateways undermining the benefits of cloud.
Cybersecurity Industry: It's Time to Stop the Victim Blame Game
Jessica Smith, Senior Vice President, The Crypsis Group,  2/25/2020
Google Adds More Security Features Via Chronicle Division
Robert Lemos, Contributing Writer,  2/25/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9431
PUBLISHED: 2020-02-27
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.
CVE-2020-9432
PUBLISHED: 2020-02-27
openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
CVE-2020-9433
PUBLISHED: 2020-02-27
openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
CVE-2020-9434
PUBLISHED: 2020-02-27
openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
CVE-2020-6383
PUBLISHED: 2020-02-27
Type confusion in V8 in Google Chrome prior to 80.0.3987.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.