ISSA New England Panel Recap: The Evolving Cloud Security Issue
Last week I participated in a cloud security panel at the ISSA New England Chapter Meeting. As the issue of cloud security continues to evolve, I wanted to share my thoughts and responses to the panel’s questions.
1. With the increased usage of cloud services by smaller organizations, where do you see exposure of company assets (data or network) continue to not be mitigated?
Mitigating exposure of data continues to be a struggle. Even if organizations are using encryption, tokenization and identity management to access sensitive data from the cloud (and that itself is in its infancy), once it’s on the corporate network - or if the data is accessed from an unmanaged device - there must be proper data protection policies in place. Data can be vulnerable while in transit or at rest, since in most cases it is decrypted once it leaves the cloud. This is true for large enterprises as much as it is for smaller organizations.
2. What do you see as the next frontier to be addressed regarding cloud security?
An enterprise-wide data governance security program that addresses security issues for data throughout its lifecycle - across both corporate networks and cloud services. This includes identifying all sensitive data and its storage locations, including public and private clouds. The sensitive data may include IP, PHI, PCI, and corporate financial or tax information. Simply adding encryption to data stored in the cloud is not enough: the protection it provides is limited by where the data is decrypted and by the availability/location of the keys.
As more data is migrated from the corporate network to cloud storage facilities, organizations will see these limitations and look to a more unified data protection solution that integrates and operates through both environments.
The one thing we can say for certain is that our environments will continue to change, the threats will continue to change, and the devices and the way we access data will continue to change. The one constant is that data will always be the target, and companies must adopt a data-aware approach to protecting that data throughout its lifecycle.
3. What is the solution most frequently asked for by your customers?
How can I deploy unified data protection policies from workstations and servers to mobile devices and cloud-based applications?
4. In your mind, what is the biggest problem with organizations using the cloud today?
The biggest issue with organizations is the lack of control and visibility they have over their data when using cloud services. On top of that, even though they can transfer data to cloud service providers, the liability for protecting it still rests with the organization. Organizations are legally mandated to protect data they collect, process and store regardless of its location. Stronger visibility and control capabilities must emerge and align with organizations’ existing data identification and protection strategies to ensure proper ownership and security.
5. What do you see as working well with cloud security (any specific examples)?
While several of the more corporate-oriented cloud solutions have started to get more serious about data protection, none of them provides a silver bullet for securing your data in the cloud. Access management is only one part of the equation. To gain visibility and control over data usage, a combination of isolation via virtualization, encryption and application proxies can cover most data loss prevention use cases.
6. Where do you see mistakes being made in the cloud?
There is an over-emphasis on access control and security at rest with much less attention to where the data is going once it is accessed from the cloud. What we need to keep in mind is that cybercriminals are targeting organizations directly, typically via their endpoints, or they’re targeting a business partner/third party supplier to gain access to the parent company’s systems and sensitive data. Encrypting data from the cloud is just the first step – sensitive data will be targeted by attackers while it resides on the corporate network. Data must be secured throughout its entire lifecycle in order to fully protect it.
7. Which clouds have the best security controls in place based on your experience?
Some vendors do a better job than others but it’s all a work in progress. We’ve seen some tremendous acceleration of data security features and APIs from Microsoft and the security model. APIs for products like Box and ShareFile have also improved. These providers understand that APIs are extremely important. You cannot treat cloud data security in isolation and you have to be able to integrate the security of these products with the rest of your ecosystem to preserve visibility and control throughout the data lifecycle. APIs are also important because these services are managed outside corporate controls and can be upgraded and modified with little notice. In that context, having a standard and supported way to gain visibility and integrate access and usage policies into the rest of your infrastructure is a good thing.
There’s still much work to be done in the cloud security arena, and my goal in sharing these responses is to continue the conversation around the future of cloud security. What cloud security issues do you feel are most important right now? Let us know in the comments.
Pete Tyrrell is chief operating officer at Digital Guardian.