Reducing opportunity for catastrophic compromised data

Securing Your Cloud

Reducing opportunity for catastrophic compromised data

Cloud computing offers numerous benefits, such as powerful processing capabilities, improved access, higher availability and significant savings with on-demand hosting. However, many organizations are still wary that the cloud may deliver a less secure option. Preventing data breaches everywhere is one of the highest priorities facing businesses and regulators in 2015. The recent breach at the Federal Office of Personnel Management resulted in stolen personal data on countless Americans with top-secret security clearances. This breach is viewed as catastrophic both for national security and for the individuals whose information has been compromised. The OPM breach occurred just a few short months after other large data breaches including Home Depot, Anthem and Premera.

Although these breaches have occurred primarily in traditional enterprise IT environments, organizations are reluctant to transfer mission-critical and sensitive information to a seemingly anonymous IT admin in an unidentified location. Other organizations may be concerned that their IT teams may not have the requisite skills and processes to manage the migration and maintenance of the cloud deployment.

As hackers become more sophisticated in their attacks, organizations must become increasingly vigilant in implementing the highest standards to secure their data. According to the Javelin 2015 Identity Fraud Study, 12.7 million U.S. consumers were victimized in 2014 to the tune of $16 billion. Identity fraud can result in someone using your identifying information to take out cash, obtain a loan, use your credit cards, apply for a job based on your profile, and more.

Although millennials are generally more tech-savvy than previous generations, they are more open with their personal information and less concerned with protecting their identity. This makes them particularly vulnerable to identity fraud.

Health Data: Biggest Risk for Identity Theft

However, the information with the highest risk for identity theft is personal medical data. The cost of restoring identity after a medical theft incident has been estimated at $20,000. The most serious consequence for identity theft victims can be the alteration of their medical records.

According to a Ponemon Institute study, 57 percent of the identity theft victims never check their medical records to verify that the information is accurate. Disturbingly, approximately 25 percent indicate that after the identity theft they were misdiagnosed or mistreated due to inaccuracies in their health records—a potentially life-threatening situation. Data can never be removed from a medical record, only annotated; therefore, incorrect information can be potentially harmful for a lifetime.

Integrating Shadow IT

Added to the challenges of keeping data safe comes the new ‘norm’ of the (official or unofficial) integration of Shadow IT within organizations. Employees and business partners are taking advantage of Bring Your Own Device (BYOD) to use their personal mobile devices and software for business purposes, and/or use the organization’s devices for personal purposes that can expose the company’s resources. Not all of these usages are malicious; in fact, the majority of users may be unaware of the potential risk to which they are exposing their organization’s data.

Shadow IT was born to solve a business need; traditional IT practices are not able to keep pace with the new technologies coming to market.

The growth of cloud computing options and the associated SaaS and PaaS applications have made it simpler than ever to evade IT practices. Shadow IT takes advantage of the cloud or cloud-based software, both external hosting of solutions and the pay-as-you-go business model. Cloud configuration options include public, private and hybrid environments. In the public IaaS environment, different cloud customers share the same cloud service subnet. Private clouds are designed so that the private subnet is not reachable from other customers’ cloud servers or from the public Internet. Hybrid deployments maintain certain resources on premise, while other resources reside in the cloud.

A recent RightScale survey indicates that 93 percent of the organizations surveyed are already running applications in the cloud or experimenting with Infrastructure as a Service (IaaS). Many organizations currently use both on premise and cloud deployments to house their information. Some enterprises have decided to migrate only certain resources to the cloud; others choose to conduct the migration in stages. In fact, this survey indicates that 82% of enterprises have adopted a hybrid cloud strategy.

Shadow IT and Cloud Computing

No matter which type of deployment is implemented, the challenges for businesses looking to keep their data safeguarded, maintain a productive workforce and benefit from the potential cost savings available from cloud computing are substantial.

Shared Responsibility Model

In the Public Cloud environment, responsibility for IT security is shared between the organization and the Cloud Service Provider (CSP), with a clearly defined demarcation. The CSP is in charge of securing access to the physical servers and the virtualization layer, while the business is responsible for securing the hosted Operating Systems, the applications and the data itself. CSPs differ in the ‘native’ security features they offer, but those always fall short of best-practice security requirements. Therefore, organizations using public clouds are required to supplement the CSP’s offering to ensure a secure cloud deployment.

Currently, organizations that require a complete enterprise-grade security solution, let alone a specific compliance such as HIPAA, need to complement the missing security features using solutions from third-party vendors (ISVs). The cloud providers’ marketplaces are usually a good place to locate these add-on solutions.


A number of factors must be considered when selecting a solution. To protect their resources within an IaaS deployment, organizations must encrypt their data. Encryption is a must for security, both for data at rest and for data in motion. While most cloud providers ensure encryption of data at rest, the picture for data in motion is less defined and most often requires a third-party solution. Therefore, maintaining ownership over the encryption, end-to-end is only possible if you control all the keys—at all points.

Multi-Factor Authentication

In addition, organizations must implement a strong two factor or multi-factor authentication systems. Identity-based access management policies assure that employees are not able to access unauthorized data, and multi-factor authentication ensures that those who steal or find lost devices will not be able to reach internal resources.

Centralized Identity-based Access Control

As the virtual boundary has superseded the physical boundary, setting tough, centralized identity-based access control is critical. This identity-based access control means that company resources are demarcated, so that only those employees or partners who require access to specific data are able to reach those resources. For example, warehouse staff should only be able to view customer data relevant to shipping and logistics, while sales personnel should be able to view full lead and customer details.

Another important step in securing company information involves implementing monitoring and logging capabilities. This is emphasized in a cloud environment where the infrastructure is owned by a third party and is shared among several organizations, for instance a multi-tenant. Although logs are important, unless they are regularly monitored in an accurate manner, important or suspicious events will not be noted. Therefore, visibility and automated alerts are critical in early detection of security incidents.

Backup and Recovery

Company resources are only secure if your backup and recovery systems are also secured. Designing the network architecture for recovery necessitates ensuring that your authentication and authorization safeguards extend throughout your deployment, including all backups. These measures include encryption of both the data-in-transit and at the data at rest. In addition, the same strict measures of user-access control, including authentication and authorization must be incorporated in all backup locations.

Monitoring and managing both the production and recovery sites requires high visibility of all network elements including virtual servers and connectivity statuses, with automated alerts and notifications. Your cloud provider may not provide all these features out of the box. Especially if you have a multi-provider cloud deployment for your production and recovery sites, you will likely require a third-party solution to encrypt the data-in-transit between the different providers and regions.

Wrapping Up

Creating and maintaining a secure deployment in the cloud requires careful planning and implementation. Key to a viable security solution are encryption, access management and firewall policies, combined with event monitoring capabilities and alerts. Solutions that provide this set of security elements for the public and hybrid cloud are now available in the cloud provider marketplaces, evidence that cloud security technologies have come of age.

This article originally appeared in the September 2015 issue of Security Today.


Featured Cybersecurity


New Products

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3

  • VideoEdge 2U High Capacity Network Video Recorder

    VideoEdge 2U High Capacity Network Video Recorder

    Johnson Controls announces a powerful recording solution to meet demanding requirements with its VideoEdge 2U High Capacity Network Video Recorder. This solution combines the powerful capabilities of victor with the intelligence of VideoEdge NVRs, fueled by Tyco Artificial Intelligence, for video management that provides actionable insights to save time, money and lives. 3

  • Camden Door Controls Application Spec Guide

    Camden Door Controls Application Spec Guide

    Camden Door Controls, an industry-leading provider of innovative, high quality door activation and locking products, has published a new application spec guide for specification writers designing a wireless barrier-free restroom control system. 3