How to secure data across multiple platforms
By now, moving at least some business processes to the cloud is not a question of if but when. So how do you keep your information safe while embracing all the benefits cloud computing offers?
Even if the enterprise is using private clouds and virtualization, your data may physically reside in infrastructure that is owned and operated by an external service provider.
When control is shifted to a third party that owns, operates, and manages infrastructure and computational resources, it is incumbent upon security professionals to put measures in place to maintain the safety of their data. It comes down to doing your research and due diligence, figuring out your threshold for risk, and not giving up all of the keys to the castle.
Ask questions, conduct audits
There is no single measure or technique that can keep a company's data secure, regardless of whether you use an on-premises data center or the cloud, notes Paul Hill, senior consultant at System Experts. "When using the cloud, an organization has to understand what responsibilities are outsourced to the cloud vendor and what will remain the responsibility of the organization," he says.
First and foremost, ask for credentials when evaluating a cloud service provider (CSP). What level of trust and reputation does the provider have in the market? How will it protect valuable data and personal information? "It's important to ask these questions and have the CSP describe their security operational controls, such as how they handle security breaches and how threats are addressed, as well as how certain insider threats are identified and countered," advises Thomas Hogan, sales specialist for BT Cloud Compute. Additionally, organizations should deploy identity access management to control the security credentials in the cloud and manage who has access to what information.
Hill agrees: "Without careful oversight, it is all too easy for someone in an organization to misunderstand the responsibilities and assume that the cloud provider is doing more than they really are." For example, if a CSP states that it has achieved PCI compliance, does that mean that your applications are automatically PCI compliant? Or is the scope of the compliance limited to the payments made by customers to the CSP? "Strong IT governance by knowledgeable individuals is essential, or the organization should engage a third party with the expertise to review the issues,” he says.
"If your organization is required to keep its data within a geo-location due to regulatory issues, you should make the CSP describe how it will ring-fence or guarantee data will not cross borders," adds Hogan, "It should also address access methods, encryption techniques, and all authentication processes needed to access data."
In terms of the responsibilities the CSP is willing to provide, the organization needs a mechanism to determine how well the service provider is implementing the security controls, Hill says. "This is typically done by a combination of testing and relying on independent security audits under a compliance program," he notes. "In some cases, an organization may not be satisfied by a compliance statement, and it may require that it perform its own audit.”
This tends to be more practical when using a small cloud provider. Amazon, Microsoft, and Google generally don't allow customers to perform their own audits, he points out: "Customers of those providers usually have to be satisfied by compliance certifications and some form of testing that they can perform.”
In some cases, depending on the sensitivity of the data and the nature of the customer relationship, an organization may want or even need to assume some of the responsibilities the CSP is willing to provide, says Hill. For example, an organization might determine that it needs to encrypt its data at rest. Many cloud services provide some level of cryptographic key management. But an organization might decide that the cloud provider should not be able to decrypt the data.
"In that case, the organization will need to assume all aspects of key management or use a third party to perform the key management," he says. "If an organization wants the ability to see any subpoenas served and control the response to them, then encrypting the data with keys under its own control is a critical control.”
Take a multi-pronged approach to security
A multi-layered approach to cybersecurity provides flexibility and choice in selecting the right security solutions for the computing environment. In addition to foundational safeguards, there are many feature-based protections that mitigate security risk.
At a foundational layer, organizations should ensure that CSPs have the right certifications for specific needs, including ISO 27001, PCI-DSS1, and SSAE. "This ensures the right adherence to security processes and procedures,” says Hogan.
And don't just ask what certifications the CSP has. "Probably more importantly is when the certifications are available to the buyer,” meaning how recent they are, adds Jim Hurley, principal analyst at ISG.
In terms of feature-based protections, Hurley recommends organizations look at some of the newer intrusion deception techniques that can be deployed either in the cloud or on premises. "Intrusion detection is old stuff that doesn't work," he says.
Deception protection involves putting up a fake screen that mirrors the existing environment so that anyone with ill intent will only see a decoy or a mirage. "That decoy, when touched, would trigger an immediate notification either back to the cloud services provider or operating center in the organization if they have one," Hurley says. "So you wouldn't be wondering six months later if you were comprised.”
Deception fabrics are relatively nascent technology, however. Hurley says it will take some time for organizations to understand and use them effectively as they migrate from other tools and prescriptive measures.
Shadow IT is still lurking
Shadow IT has been around for many years, and reining in cloud apps developed outside of IT continues to be an issue for organizations. If not mitigated properly, it can cause problems for any organization, regardless of industry. Shadow IT issues often arise when businesses feel pressure to digitally transform their organization in order to stay competitive in the marketplace.
In a survey for the 2016 Cloud Security Alliance (CSA) Mitigating Risk for Cloud Applications report, 62 percent of respondents said their companies have written policies discouraging use of unsanctioned apps, but few have technical controls in place. Thirty-eight percent block unsanctioned apps outright, while 29 percent use a proxy or firewall to redirect users.
The majority of security professionals remain as concerned today about shadow IT as they were last year (49 percent), the survey also found. Another large portion are more concerned than last year (30 percent), while a smaller percentage are less concerned or were never concerned (13 and 8 percent, respectively).
Hogan maintains that IT can mitigate the risks of shadow IT by embracing it. "IT can work with the business to build an appropriate security and compliance framework to address any lingering concerns,” he says.
In the cloud realm, one way to secure data could be the use of cloud access security brokers (CASBs) to improve visibility and control over both unsanctioned and sanctioned apps. The role of a CASB is to monitor data activity and enforce policies across multiple cloud apps, the CSA report notes.
For 32 percent of respondents, the most important use case is data loss prevention. Already, 60 percent of security professionals say they have deployed or plan to deploy a CASB. Gartner is projecting CASB deployments will grow rapidly in the next few years, reaching 85 percent of large enterprises by 2020.
Know where your data is and maintain control
Enterprise data security is expected to keep IT on its toes as organizations increasingly operate a combination of legacy systems, converged technologies, and public and private clouds. Recent ISG research found that 40 percent of workloads are now in a hybrid environment, Hurley says. "The plan going forward would seem to indicate…that will increase to 60 percent of workloads by 2018 and hold steady through 2020 at that level,” he notes.
Data is more distributed than ever with the explosion of both structured and unstructured data, thanks to cloud computing and big data. This makes it even more compelling to keep tabs on your data. Yet, it's an area that clearly requires improvement. Only 10 percent of respondents to Vormetric's 2016 Data Threat Report survey claimed little or no knowledge of the location of their sensitive data, yet nearly half (47 percent) of all respondents said they have "some idea” where their sensitive data is located. Perhaps most troubling is less than half (43 percent) claimed to have "complete knowledge” of where their sensitive data is located.
"Strong IT governance by knowledgeable individuals is essential," stresses Hill, "or the organization should engage a third party with the expertise to review the issues."
Keeping your data safe: Lessons for leaders
- It's all about understanding where and how your data is stored.
- Watch out for shadow IT.
- Multiple types of security make for more secure environments.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.