Reducing the opportunity for catastrophic data compromise

Securing Your Cloud

Cloud computing offers numerous benefits, such as powerful processing capabilities, improved access, higher availability and significant savings with on-demand hosting. However, many organizations are still wary that the cloud may deliver a less secure option. Preventing data breaches everywhere is one of the highest priorities facing businesses and regulators in 2015. The recent breach at the Federal Office of Personnel Management resulted in stolen personal data on countless Americans with top-secret security clearances. This breach is viewed as catastrophic both for national security and for the individuals whose information has been compromised. The OPM breach occurred just a few short months after other large data breaches including Home Depot, Anthem and Premera.

Although these breaches have occurred primarily in traditional enterprise IT environments, organizations are reluctant to transfer mission-critical and sensitive information to a seemingly anonymous IT admin in an unidentified location. Other organizations may be concerned that their IT teams may not have the requisite skills and processes to manage the migration and maintenance of the cloud deployment.

As hackers become more sophisticated in their attacks, organizations must become increasingly vigilant in implementing the highest standards to secure their data. According to the Javelin 2015 Identity Fraud Study, 12.7 million U.S. consumers were victimized in 2014 to the tune of $16 billion. Identity fraud can result in someone using your identifying information to take out cash, obtain a loan, use your credit cards, apply for a job based on your profile, and more.

Although millennials are generally more tech-savvy than previous generations, they are more open with their personal information and less concerned with protecting their identity. This makes them particularly vulnerable to identity fraud.

Health Data: Biggest Risk for Identity Theft

However, the information with the highest risk for identity theft is personal medical data. The cost of restoring identity after a medical theft incident has been estimated at $20,000. The most serious consequence for identity theft victims can be the alteration of their medical records.

According to a Ponemon Institute study, 57 percent of the identity theft victims never check their medical records to verify that the information is accurate. Disturbingly, approximately 25 percent indicate that after the identity theft they were misdiagnosed or mistreated due to inaccuracies in their health records—a potentially life-threatening situation. Data can never be removed from a medical record, only annotated; therefore, incorrect information can be potentially harmful for a lifetime.

Integrating Shadow IT

Added to the challenges of keeping data safe is the new ‘norm’ of the (official or unofficial) integration of Shadow IT within organizations. Employees and business partners take advantage of Bring Your Own Device (BYOD) to use their personal mobile devices and software for business purposes, and/or use the organization’s devices for personal purposes that can expose the company’s resources. Not all of this usage is malicious; in fact, the majority of users may be unaware of the risk to which they are exposing their organization’s data.

Shadow IT was born to solve a business need; traditional IT practices are not able to keep pace with the new technologies coming to market.

The growth of cloud computing options and the associated SaaS and PaaS applications has made it simpler than ever to evade IT practices. Shadow IT takes advantage of the cloud or cloud-based software, both the external hosting of solutions and the pay-as-you-go business model. Cloud configuration options include public, private and hybrid environments. In the public IaaS environment, different cloud customers share the same cloud service subnet. Private clouds are designed so that the private subnet is not reachable from other customers’ cloud servers or from the public Internet. Hybrid deployments keep certain resources on premises, while other resources reside in the cloud.

A recent RightScale survey indicates that 93 percent of the organizations surveyed are already running applications in the cloud or experimenting with Infrastructure as a Service (IaaS). Many organizations currently use both on-premises and cloud deployments to house their information. Some enterprises have decided to migrate only certain resources to the cloud; others choose to conduct the migration in stages. In fact, this survey indicates that 82 percent of enterprises have adopted a hybrid cloud strategy.

Shadow IT and Cloud Computing

No matter which type of deployment is implemented, the challenges for businesses looking to keep their data safeguarded, maintain a productive workforce and benefit from the potential cost savings available from cloud computing are substantial.

Shared Responsibility Model

In the Public Cloud environment, responsibility for IT security is shared between the organization and the Cloud Service Provider (CSP), with a clearly defined demarcation. The CSP is in charge of securing access to the physical servers and the virtualization layer, while the business is responsible for securing the hosted Operating Systems, the applications and the data itself. CSPs differ in the ‘native’ security features they offer, but those always fall short of best-practice security requirements. Therefore, organizations using public clouds are required to supplement the CSP’s offering to ensure a secure cloud deployment.

Currently, organizations that require a complete enterprise-grade security solution, let alone a specific compliance such as HIPAA, need to complement the missing security features using solutions from third-party vendors (ISVs). The cloud providers’ marketplaces are usually a good place to locate these add-on solutions.

A number of factors must be considered when selecting a solution. To protect their resources within an IaaS deployment, organizations must encrypt their data. Encryption is a must for security, both for data at rest and for data in motion. While most cloud providers ensure encryption of data at rest, the picture for data in motion is less defined and most often requires a third-party solution. Therefore, maintaining ownership over the encryption end-to-end is only possible if you control all the keys, at all points.

Multi-Factor Authentication

In addition, organizations must implement a strong two-factor or multi-factor authentication system. Identity-based access management policies ensure that employees are not able to access unauthorized data, and multi-factor authentication ensures that those who steal or find lost devices will not be able to reach internal resources.

Centralized Identity-based Access Control

As the virtual boundary has superseded the physical boundary, setting tough, centralized identity-based access control is critical. This identity-based access control means that company resources are demarcated, so that only those employees or partners who require access to specific data are able to reach those resources. For example, warehouse staff should only be able to view customer data relevant to shipping and logistics, while sales personnel should be able to view full lead and customer details.

Another important step in securing company information involves implementing monitoring and logging capabilities. This is especially important in a cloud environment where the infrastructure is owned by a third party and is shared among several organizations, that is, a multi-tenant environment. Although logs are important, unless they are regularly and accurately monitored, important or suspicious events will not be noticed. Therefore, visibility and automated alerts are critical for early detection of security incidents.
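The two preceding points, field-level identity-based access control (the warehouse versus sales example above) and log monitoring with automated alerts, fit together: every access decision is written to an audit log, and the alerting logic reads that log. The following is an added example, not code from the article: a default-deny role-to-field policy that filters a customer record and records each decision, plus a sliding-window detector that flags users accumulating denied reads. The role names, field names, thresholds and the sample record are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical role-to-field policy. Unknown roles map to no fields (default deny).
POLICY = {
    "warehouse": {"customer_id", "ship_to_address", "order_items"},
    "sales": {"customer_id", "ship_to_address", "order_items",
              "contact_name", "email", "phone", "lead_source"},
}

# Constructed sample record.
CUSTOMER = {
    "customer_id": "C-1001", "ship_to_address": "12 Dock Rd", "order_items": ["SKU-7"],
    "contact_name": "A. Example", "email": "a@example.test", "phone": "555-0100",
    "lead_source": "trade show",
}


def read_customer(user, role, record, fields, ts, audit_log):
    """Return only the fields the role may see; log ALLOW/DENY per requested field."""
    allowed = POLICY.get(role, set())
    view = {}
    for f in fields:
        decision = "ALLOW" if f in allowed else "DENY"
        audit_log.append({"ts": ts, "user": user, "role": role, "field": f, "decision": decision})
        if decision == "ALLOW":
            view[f] = record[f]
    return view


def denied_access_alerts(audit_log, threshold=3, window=300):
    """Users with at least `threshold` DENY events inside any `window`-second span."""
    denies = defaultdict(list)
    for e in audit_log:
        if e["decision"] == "DENY":
            denies[e["user"]].append(e["ts"])
    alerts = []
    for user, times in denies.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append(user)
                break
    return sorted(alerts)
```

A single denied field is normal noise; a burst of them from one identity is the kind of event the text says must be surfaced automatically rather than left for someone to find in the logs later.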

Backup and Recovery

Company resources are only secure if your backup and recovery systems are also secured. Designing the network architecture for recovery necessitates ensuring that your authentication and authorization safeguards extend throughout your deployment, including all backups. These measures include encryption of both data in transit and data at rest. In addition, the same strict user-access controls, including authentication and authorization, must be applied at all backup locations.

Monitoring and managing both the production and recovery sites requires high visibility of all network elements including virtual servers and connectivity statuses, with automated alerts and notifications. Your cloud provider may not provide all these features out of the box. Especially if you have a multi-provider cloud deployment for your production and recovery sites, you will likely require a third-party solution to encrypt the data-in-transit between the different providers and regions.

Wrapping Up

Creating and maintaining a secure deployment in the cloud requires careful planning and implementation. Key to a viable security solution are encryption, access management and firewall policies, combined with event monitoring capabilities and alerts. Solutions that provide this set of security elements for the public and hybrid cloud are now available in the cloud provider marketplaces, evidence that cloud security technologies have come of age.

This article originally appeared in the September 2015 issue of Security Today.
