Wednesday, 25 November 2015

5 Ways to Secure the Public Cloud

As cloud computing becomes more sophisticated and mainstream, the shift to the public cloud is gaining tremendous traction. With big-brand clouds (Amazon Web Services, Google Cloud Platform and Microsoft Azure) evolving fast, more and more enterprises are moving away from private clouds. However, security is justifiably a top concern when moving applications and data into the public cloud. Some of the questions foremost on everyone’s mind are: How secure is my data? What will happen if there is a breach at the public cloud vendor? How do I ensure that my data is properly protected in this case?

Security is ultimately a shared responsibility between the company and the public cloud vendor. According to Forrester, cloud success comes from mastering the “uneven handshake”. While cloud vendors are typically responsible for securing the data center, infrastructure and hypervisor, the onus is on you, as a consumer, to close the gap by securing the OS, users, applications and data, in tandem with the vendor.

Journeying to the Public Cloud

The key is to find the cloud provider that best fits your business. This means you need to thoroughly vet potential vendors and conduct a full risk assessment prior to signing any contract. Because different cloud service providers offer varying levels of security, it is best to look at their security and compliance activities and choose one with transparent processes. Once this decision has been made, the next step is to take into account the various security risks and chart possible solutions to create a secure cloud environment.

Here are 5 steps to best protect data in the public cloud:

Intelligent Encryption

Encryption is a vital security component of any organization, and it is all the more important when transferring and storing sensitive data in the cloud. It ensures data confidentiality, thus mitigating the risk of data loss or theft in the case of a breach in the cloud. This focus on the data itself, rather than placing full emphasis on the infrastructure for protection, goes a long way in ensuring that data stays safe even if the network or perimeter security is compromised.

Strict Identity Management and Access Control

An effective identity management strategy for the cloud can be summed up under the three ‘As’: access, authentication and authorization. Consumers must ensure, through a strong identity management system, that only trusted and authorized users can access data in the public cloud. Additional layers of authentication further help in ensuring a controlled cloud environment. An important note here is to find a good balance between security and developer performance.

Smart Security at All End-points

In most cases, physical security is covered by the cloud provider through regular audits and certifications from accreditation bodies. In certain industries like healthcare, finance and defense, it is a regulatory mandate that there be security at all points along the data path, whether data is entering or exiting the corporate network, moving to the cloud, or in the cloud itself. However, as a general trend in today’s cloud and BYOD era, it is of utmost importance that the consumer ensures some hardware necessities and best practices for end-point security in addition to the cloud security measures. Mobile devices in particular pose a unique challenge because, despite best intentions, users generally do not prioritize securing them. Unfortunately, this exposes potential access points to sensitive corporate data. Strong end-point measures should typically encompass mobile/on-device protection, next-generation firewalls, network intrusion systems, VPN and up-to-date security architectures.

Real-time Monitoring & Incident Response

As part of the shift to a “prevent and control attack” mindset, real-time monitoring through analytics and forensics enables consumers to identify attacks early in the breach lifecycle. Instant alerts and automatic data collection through analytics enable rapid forensics and insights into behavior from the endpoint to the cloud. Armed with these insights, security teams can identify potential risks and patterns in real time, while also determining the path for immediate remediation. Organizations should also focus on enterprise-level visibility for hosted applications in the cloud in conjunction with the cloud provider, thus providing a multi-pronged approach for quick detection of and incident response to security issues.

Strong Governance Framework

A governance framework is an essential tool that will enable your IT security team to assess and manage all risks, security and compliance related to the organization’s cloud environment. The crux of this framework is that a secure cloud needs synergy between security, IT, business and the organization itself. A strong framework typically encompasses stringent security policies, audit compliance, identity management, security control tools, a BYOD policy and a contingency plan. But to ensure true compliance with cloud policies, organizations have to work closely with IT security teams to understand the unique challenges of cloud security and ways to protect sensitive data workloads. Additionally, educating and training users to comply with the organization’s cloud policies can go a long way in achieving compliance.

Cloud computing is revolutionizing the way enterprises operate in today’s world with a slew of cost benefits and tremendous economies of scale. As with any other investment, it is your responsibility to ensure that your cloud is protected as much as possible. With a robust set of security processes and tools, a clear BYOD-compatible cloud computing strategy and a strong governance framework in place, there is a significant reduction in risk as you embark into the cloud. And the future is yours as long as your organization continuously adapts to stay agile and competitive in a fast-evolving cloud technology landscape.

Wednesday, 30 September 2015

How to Protect Your Data from Third-Party Breaches

The December 2013 Target data breach that compromised the credit card information of 40 million customers was the first of many wake-up calls to organizations, bringing home the damage a company can sustain when a partner’s systems are hacked. As the whole world now knows, the HVAC supplier had access to more of Target’s systems than was needed or intended, and hackers infiltrated Target’s network through the partner’s own vulnerable solution.

Sadly, Target is not the lone case. More recently, 15,000 Boston Medical Center patients’ personal information and the payment card details of 868,000 Goodwill customers were compromised through data breaches at vendor companies with access to the organizations’ systems. In fact, a recent PwC study found the biggest challenge to security today is from internal sources – employees and partners – not external threats.

Vendors often need remote access to maintain your internal systems, but they may not be as stringent about security processes as your chief security officer, CIO, or IT team. For example, partners’ systems may use software that its developer no longer supports and that is hence vulnerable. Even worse, they may use the same administrative passwords across every customer’s systems.

All this translates into the need for a far more comprehensive information security risk management strategy — one that not only oversees your data, but also third-party access rights, the robustness of network defenses, and more.

Here are some best practices to help protect your network from third-party data breaches:

Be aware of what your vendors can remotely access. Understand what kind of data and which systems your vendors can access, and the levels of access they enjoy. Can they retrieve any critical data they do not need for their work? Or do they have access only to the resources necessary to perform their jobs? This is of particular importance when you work with infrastructure management partners, for instance, because they have privileged access that could pose a significant threat if not properly secured. Provide access to data and systems only on a need-to-know basis.

Standardize remote access methodologies. The proliferation of available remote access methodologies (WebEx, web conferencing tools, and virtual private networks, for example) makes it difficult to monitor and manage access controls. Simplify this and better manage connections made to your network by defining the specific methodologies you will allow.

Use stronger authentication. Insist that vendors who must access your environment use two-factor authentication and institute well-defined access control processes.

Segment your network behind firewalls. It is advisable to allow vendors access only to a specific segment of the network, with this segment being firewalled from others. Network segmentation can limit the damage from a third-party data breach. To make this even more effective, provide dedicated systems for vendors, so they do not use their systems to connect to your network.

Monitor network defenses frequently. Frequently audit access controls and security policies to identify potential security gaps that can be plugged before a breach occurs. Real-time analyses allow your IT department to see what is being accessed by whom and why, as your vendors connect to your network. This helps proactively identify any problematic activity.

Hold vendors to the same security standards you hold yourself. However stringent your organization’s security system, all is nullified if your vendors are not equally particular. Define your security requirements upfront when signing on a new vendor. Review their security processes and access control policies, and check if they conduct regular penetration testing on their systems and network. Insist they adhere to the same standards as your organization in the areas of data protection, identity management, authentication, and other security measures.

Proactively plan for third-party breaches. You will (or should) already have a robust incident response and disaster recovery plan for attacks on your own systems. Take this a step further by planning a defense against third-party attacks as well. Ask your vendors to demonstrate how they protect your data, what their incident response plan is, and how they will deal with breaches that can affect your data.

Periodically verify your vendor’s security posture. Security assurance is not a one-time task but a continuous process. Conduct periodic audits of your vendors to make sure that they follow best practices and have the necessary technical controls in place. The aim should not be to review every vendor you engage, but to conduct a thorough audit with greater frequency for targeted, high-risk vendors.
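
As an added illustration (not part of the original post), the following Python sketch audits vendor remote-access sessions against several of the practices above: approved access methods, two-factor authentication, dedicated vendor systems, the firewalled vendor segment, and need-to-know scope. The policy values, vendor name, host names, addresses and log record format are all constructed assumptions.

```python
import ipaddress

# Constructed policy: every name, address and method below is illustrative.
POLICY = {
    "approved_methods": {"vpn"},                            # standardized remote access
    "vendor_segment": ipaddress.ip_network("10.50.0.0/24"),  # firewalled vendor segment
    "dedicated_hosts": {"vendor-jump-01"},                  # systems you provide to vendors
    "scope": {"hvac-co": {"10.50.0.10", "10.50.0.11"}},     # need-to-know targets per vendor
}

# Constructed session records, as a remote-access gateway might log them.
SESSIONS = [
    {"vendor": "hvac-co", "method": "vpn", "mfa": True,
     "source": "vendor-jump-01", "dest": "10.50.0.10"},
    {"vendor": "hvac-co", "method": "web-conference", "mfa": False,
     "source": "vendor-laptop-7", "dest": "10.20.3.15"},
    {"vendor": "hvac-co", "method": "vpn", "mfa": True,
     "source": "vendor-jump-01", "dest": "10.50.0.99"},
]

def review_session(session, policy=POLICY):
    """Return the list of policy violations for one vendor session."""
    findings = []
    if session["method"] not in policy["approved_methods"]:
        findings.append("unapproved-access-method")
    if not session["mfa"]:
        findings.append("no-two-factor")
    if session["source"] not in policy["dedicated_hosts"]:
        findings.append("non-dedicated-source")
    dest = ipaddress.ip_address(session["dest"])
    if dest not in policy["vendor_segment"]:
        findings.append("outside-vendor-segment")
    elif session["dest"] not in policy["scope"].get(session["vendor"], set()):
        # Inside the vendor segment, but not a system this vendor needs.
        findings.append("outside-need-to-know-scope")
    return findings

def audit(sessions, policy=POLICY):
    """Map session index to findings, keeping only sessions with violations."""
    report = {}
    for i, s in enumerate(sessions):
        findings = review_session(s, policy)
        if findings:
            report[i] = findings
    return report

if __name__ == "__main__":
    for idx, findings in audit(SESSIONS).items():
        print(idx, SESSIONS[idx]["vendor"], findings)
```

The third session shows why segmentation alone is not sufficient: it stays inside the vendor segment yet reaches a host outside that vendor's scope.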

In this, as in other aspects of your relationship with your vendors, work with partners to identify security gaps and protect against breaches before they occur. Industry standards are gradually evolving to this end as well. The latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.0) mandates that organizations pay closer attention to partners’ security practices. This will probably provide the much-needed nudge to get businesses to think beyond only their own security posture.