Reducing opportunity for catastrophic compromised data

Securing Your Cloud

Reducing opportunity for catastrophic compromised data

Cloud computing offers numerous benefits, such as powerful processing capabilities, improved access, higher availability and significant savings with on-demand hosting. However, many organizations are still wary that the cloud may deliver a less secure option. Preventing data breaches everywhere is one of the highest priorities facing businesses and regulators in 2015. The recent breach at the Federal Office of Personnel Management resulted in stolen personal data on countless Americans with top-secret security clearances. This breach is viewed as catastrophic both for national security and for the individuals whose information has been compromised. The OPM breach occurred just a few short months after other large data breaches including Home Depot, Anthem and Premera.

Although these breaches have occurred primarily in traditional enterprise IT environments, organizations are reluctant to transfer mission-critical and sensitive information to a seemingly anonymous IT admin in an unidentified location. Other organizations may be concerned that their IT teams may not have the requisite skills and processes to manage the migration and maintenance of the cloud deployment.

As hackers become more sophisticated in their attacks, organizations must become increasingly vigilant in implementing the highest standards to secure their data. According to the Javelin 2015 Identity Fraud Study, 12.7 million U.S. consumers were victimized in 2014 to the tune of $16 billion. Identity fraud can result in someone using your identifying information to take out cash, obtain a loan, use your credit cards, apply for a job based on your profile, and more.

Although millennials are generally more tech-savvy than previous generations, they are more open with their personal information and less concerned with protecting their identity. This makes them particularly vulnerable to identity fraud.

Health Data: Biggest Risk for Identity Theft

However, the information with the highest risk for identity theft is personal medical data. The cost of restoring identity after a medical theft incident has been estimated at $20,000. The most serious consequence for identity theft victims can be the alteration of their medical records.

According to a Ponemon Institute study, 57 percent of the identity theft victims never check their medical records to verify that the information is accurate. Disturbingly, approximately 25 percent indicate that after the identity theft they were misdiagnosed or mistreated due to inaccuracies in their health records—a potentially life-threatening situation. Data can never be removed from a medical record, only annotated; therefore, incorrect information can be potentially harmful for a lifetime.

Integrating Shadow IT

Added to the challenges of keeping data safe comes the new ‘norm’ of the (official or unofficial) integration of Shadow IT within organizations. Employees and business partners are taking advantage of Bring Your Own Device (BYOD) to use their personal mobile devices and software for business purposes, and/or use the organization’s devices for personal purposes that can expose the company’s resources. Not all of these usages are malicious; in fact, the majority of users may be unaware of the potential risk to which they are exposing their organization’s data.

Shadow IT was born to solve a business need; traditional IT practices are not able to keep pace with the new technologies coming to market.

The growth of cloud computing options and the associated SaaS and PaaS applications have made it simpler than ever to evade IT practices. Shadow IT takes advantage of the cloud or cloud-based software, both external hosting of solutions and the pay-as-you-go business model. Cloud configuration options include public, private and hybrid environments. In the public IaaS environment, different cloud customers share the same cloud service subnet. Private clouds are designed so that the private subnet is not reachable from other customers’ cloud servers or from the public Internet. Hybrid deployments maintain certain resources on premise, while other resources reside in the cloud.

A recent RightScale survey indicates that 93 percent of the organizations surveyed are already running applications in the cloud or experimenting with Infrastructure as a Service (IaaS). Many organizations currently use both on premise and cloud deployments to house their information. Some enterprises have decided to migrate only certain resources to the cloud; others choose to conduct the migration in stages. In fact, this survey indicates that 82% of enterprises have adopted a hybrid cloud strategy.

Shadow IT and Cloud Computing

No matter which type of deployment is implemented, the challenges for businesses looking to keep their data safeguarded, maintain a productive workforce and benefit from the potential cost savings available from cloud computing are substantial.

Shared Responsibility Model

In the Public Cloud environment, responsibility for IT security is shared between the organization and the Cloud Service Provider (CSP), with a clearly defined demarcation. The CSP is in charge of securing access to the physical servers and the virtualization layer, while the business is responsible for securing the hosted Operating Systems, the applications and the data itself. CSPs differ in the ‘native’ security features they offer, but those always fall short of best-practice security requirements. Therefore, organizations using public clouds are required to supplement the CSP’s offering to ensure a secure cloud deployment.

Currently, organizations that require a complete enterprise-grade security solution, let alone a specific compliance such as HIPAA, need to complement the missing security features using solutions from third-party vendors (ISVs). The cloud providers’ marketplaces are usually a good place to locate these add-on solutions.

Encryption

A number of factors must be considered when selecting a solution. To protect their resources within an IaaS deployment, organizations must encrypt their data. Encryption is a must for security, both for data at rest and for data in motion. While most cloud providers ensure encryption of data at rest, the picture for data in motion is less defined and most often requires a third-party solution. Therefore, maintaining ownership over the encryption, end-to-end is only possible if you control all the keys—at all points.

Multi-Factor Authentication

In addition, organizations must implement a strong two factor or multi-factor authentication systems. Identity-based access management policies assure that employees are not able to access unauthorized data, and multi-factor authentication ensures that those who steal or find lost devices will not be able to reach internal resources.

Centralized Identity-based Access Control

As the virtual boundary has superseded the physical boundary, setting tough, centralized identity-based access control is critical. This identity-based access control means that company resources are demarcated, so that only those employees or partners who require access to specific data are able to reach those resources. For example, warehouse staff should only be able to view customer data relevant to shipping and logistics, while sales personnel should be able to view full lead and customer details.

Another important step in securing company information involves implementing monitoring and logging capabilities. This is emphasized in a cloud environment where the infrastructure is owned by a third party and is shared among several organizations, for instance a multi-tenant. Although logs are important, unless they are regularly monitored in an accurate manner, important or suspicious events will not be noted. Therefore, visibility and automated alerts are critical in early detection of security incidents.

Backup and Recovery

Company resources are only secure if your backup and recovery systems are also secured. Designing the network architecture for recovery necessitates ensuring that your authentication and authorization safeguards extend throughout your deployment, including all backups. These measures include encryption of both the data-in-transit and at the data at rest. In addition, the same strict measures of user-access control, including authentication and authorization must be incorporated in all backup locations.

Monitoring and managing both the production and recovery sites requires high visibility of all network elements including virtual servers and connectivity statuses, with automated alerts and notifications. Your cloud provider may not provide all these features out of the box. Especially if you have a multi-provider cloud deployment for your production and recovery sites, you will likely require a third-party solution to encrypt the data-in-transit between the different providers and regions.

Wrapping Up

Creating and maintaining a secure deployment in the cloud requires careful planning and implementation. Key to a viable security solution are encryption, access management and firewall policies, combined with event monitoring capabilities and alerts. Solutions that provide this set of security elements for the public and hybrid cloud are now available in the cloud provider marketplaces, evidence that cloud security technologies have come of age.

This article originally appeared in the September 2015 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3