Your Sensitive Data is Moving to the Cloud – Is it Secure?

Today, I begin a 5-part series of blogs discussing the results of a recent industry survey conducted on behalf of NetIQ to understand the perceptions of cloud security within enterprises worldwide. Extensive in scope, the survey gathered responses to our questions on cloud security from over 200 IT managers (and above). We targeted security professionals across North America, EMEA, and APAC who were currently employed at companies with at least 500 employees.

The results were often unexpected. Take, for example, our question about whether IT managers believed their sensitive data would become more, or less, secure as it moves to the cloud (we also gave them the option of saying it was “too soon to tell” how their data security would be affected).

We anticipated that a healthy majority of respondents would say they believed their data would be less secure with a move to the cloud or, at least, that it was too soon to tell how the move to the cloud would impact data security. Surprisingly, about half (51%) of the respondents globally believed their data would be more – not less – secure with the move to the cloud. We also found that confidence levels in data security within the cloud varied wildly by region, with Europeans being the most sensitive to cloud-based data security, and IT managers in the USA least so.

On the face of it, the regional differences make sense. The US cloud provider market is more established than the nascent European market, whose growth has been delayed due to the many national and international laws at play. IT market researcher IDC predicts that IT cloud services revenue will reach $43.2 billion in the United States by 2016 – up from an estimated $18.5 billion in 2011. Along with that rapid growth, however, we’ve seen a rise in the misconception that migrating applications and services to a cloud infrastructure somehow diminishes cyber security risks due to the (perceived) sophisticated network security protections offered by the cloud provider. This is a dangerous assumption and probably one that contributed to the belief of 56% of the U.S. IT managers questioned that their sensitive data would somehow be more secure as it moved to the cloud.

In my blog post of last week, “The NSA Leaks: Security Lessons…and a Wake-Up Call”, I challenged security professionals to view the U.S. National Security Agency’s (NSA’s) PRISM program leaks as a wake-up call for those businesses and organizations that have grown complacent with the idea that their data is being protected adequately by “someone else”, be it a subcontractor or a cloud provider. I further posed the specific question of whether the incident would make organizations think twice about holding critical data on servers at cloud hosts – where presumably the government could, at will, see and gather it.

As the results of our survey showed, Europeans are more sensitive to cloud-based security. Fully 58% of the IT managers questioned believed their data would be either less secure as it moved to the cloud, or they were simply not sure (too soon to tell.) Only 44% believed their data would be more secure. The NSA leaks will do nothing to change that perception. In fact, the scandal may prove a turning point for the region’s young cloud computing industry.

In a July 4, 2013 statement by the European Commission’s vice-president, Neelie Kroes, U.S.-based cloud providers were warned that the recent actions of the U.S. government may have long-term effects on their business model. Said Ms. Kroes:

“If European cloud customers cannot trust the United States government or their assurances, then maybe they won’t trust US cloud providers either. That is my guess. And if I am right then there are multi-billion euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now…”

Some European cloud providers believe that the recent revelations of wide-scale, clandestine electronic surveillance by the NSA could hand them the competitive advantage they have long needed to catch up with the dominant American cloud providers. Touting “servers owned by Europeans and located in Europe”, they market their ability to provide cloud services based upon infrastructure that is independent of U.S. cloud computing giants, and seek to certify certain conditions such as contract terms that comply with national privacy laws.

Yet while these European firms seek to make the privacy of their citizens a competitive advantage, they must accept the fact that while storing sensitive information on European-owned and -located servers could shield it from the prying eyes of the NSA, it does nothing to protect the information from the attentions of intelligence agencies much closer to home.

Spying scandals, international inquiries and economic consequences aside, this simple fact remains: You must take back ownership of the confidentiality, integrity, and availability of your own data. It is ultimately your responsibility as a security professional to protect your organization’s sensitive data and to demonstrate compliance with the industry and governmental regulations that provide a framework of protection for that data. Relying on “someone else” to provide these protections, whether that other entity is a cloud provider or a subcontractor, operating in your particular region or not, is a risky proposition – one that is likely to result in serious reputational and financial damage when that big breach or compliance gap finally does occur.

Data-centric security programs remain the most targeted and effective way to protect your sensitive data as it moves to the cloud. Identifying sensitive data, applying appropriate layers of protection around that data, and tracking who is accessing it remain the best ways to respond to threats, meet regulatory requirements and minimize organizational risk – from anywhere and from anyone.
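The three steps of that data-centric approach (identify the sensitive fields, put a layer of protection around them, record who accesses them) can be made concrete. The following Go program is an added illustration written for this post; it is not NetIQ's code, and every name in it (the `Record` and `Vault` types, the field names, the sample values, the `cust-1` record id and the `analyst@owner` principal) is assumed for the example. The point it makes is the one the post argues: when the sensitive fields are encrypted under a key the data owner holds, with the record id and field name bound as associated data, the cloud provider stores only ciphertext, a ciphertext swapped between records fails to decrypt, and every access attempt lands in the owner's own log regardless of whose servers hold the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Record is one row of the constructed sample data; the field names are assumed.
type Record map[string]string

// sensitivePatterns is a deliberately tiny classifier; a real programme drives this from the data inventory.
var sensitivePatterns = []*regexp.Regexp{
	regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`),        // US SSN-shaped value
	regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`), // e-mail address
}

// ClassifyFields returns, sorted, the names of the fields whose values look sensitive.
func ClassifyFields(r Record) []string {
	var out []string
	for name, value := range r {
		for _, re := range sensitivePatterns {
			if re.MatchString(value) {
				out = append(out, name)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

// AccessEvent is one line of the owner-side access log.
type AccessEvent struct {
	When                       time.Time
	Who, Record, Field, Action string
}

// Vault holds the owner's key and access log; the cloud provider only ever stores ciphertext.
type Vault struct {
	aead cipher.AEAD
	Log  []AccessEvent
}

// NewVault wraps a 32-byte key (AES-256) in an AES-GCM AEAD.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead}, err
}

// Protect encrypts every sensitive field of r in place and returns their names. Record id and
// field name are bound as associated data, so a ciphertext moved elsewhere fails authentication.
func (v *Vault) Protect(id string, r Record) ([]string, error) {
	fields := ClassifyFields(r)
	for _, f := range fields {
		nonce := make([]byte, v.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := v.aead.Seal(nonce, nonce, []byte(r[f]), []byte(id+"/"+f)) // nonce || ciphertext || tag
		r[f] = "enc:" + base64.StdEncoding.EncodeToString(ct)
	}
	return fields, nil
}

// Reveal decrypts one field for a named principal and logs the access whether it
// succeeds or is denied (bad tag, wrong record, truncated or malformed value).
func (v *Vault) Reveal(who, id string, r Record, field string) (string, error) {
	ev := AccessEvent{When: time.Now(), Who: who, Record: id, Field: field, Action: "reveal"}
	defer func() { v.Log = append(v.Log, ev) }()
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(r[field], "enc:"))
	ns := v.aead.NonceSize()
	if err != nil || len(raw) < ns {
		ev.Action = "reveal-denied"
		return "", fmt.Errorf("malformed protected value for %s/%s", id, field)
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(id+"/"+field))
	if err != nil {
		ev.Action = "reveal-denied"
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // in practice held in the owner's KMS or HSM, never in the cloud tenant
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	rec := Record{"name": "A. Example", "email": "a@example.com", "ssn": "123-45-6789", "city": "Lyon"} // constructed
	fields, _ := v.Protect("cust-1", rec)
	fmt.Println("protected:", fields, "stored form:", rec)
	pt, err := v.Reveal("analyst@owner", "cust-1", rec, "ssn")
	fmt.Println("reveal:", pt, err)
	// The same ciphertext presented under another record id (swapped or tampered with in the cloud) is rejected.
	_, err = v.Reveal("analyst@owner", "cust-2", Record{"ssn": rec["ssn"]}, "ssn")
	fmt.Println("swapped:", err)
	fmt.Printf("access log: %+v\n", v.Log)
}
```

Run it with `go run` and the stored form of the record shows the name and city in clear but the e-mail and SSN as opaque `enc:` values; the second `Reveal` call fails with an authentication error and is logged as denied. The two things a practitioner should take from it are that the key, not the server location, decides who can read the data, and that the access log lives with the owner rather than with whoever operates the storage.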

Thanks to NetIQ for the article.


Social Media and Security – Are They Mutually Exclusive?

Social media has become a major talking point in many organizations, and for good reason. There are plenty of horror stories around the phenomenon and the risks have been widely discussed. They include the possibility of introducing malware via third-party applications, security issues resulting from information leaks, legal concerns over issues such as bullying, discrimination and stalking, and damage to corporate reputations as a result of employees’ postings.

There are less obvious risks too. For example, it’s likely that, even in companies where a ban is in force, managers are in a position both to flout it and to reveal company secrets.

What can you do? Banning access is the obvious, knee-jerk response, but it’s not as simple as that – nor is it in most cases even possible. The number of devices to which people now have access means that it’s simply not possible to ban Facebook et al, even if it were desirable. And fears that people will waste company time on Facebook rather than working are likely to be more of a management issue: if some people aren’t motivated to do their jobs, then banning Facebook is likely to drive them into finding something else with which to occupy their time.

Instead, the answer is to embrace it – cautiously. There are departments, such as marketing, which absolutely need access to social media. This is the first opportunity to be grasped. Your customers are likely to be using social media too, so this is an ideal opportunity to make connections, promote the company’s name and products, and learn more quickly what customers are thinking, which in turn can provide a competitive edge.

What’s needed to back this up is a social media policy. This should state clearly what the purpose of the policy is – for example, to promote the company and its products and services – and explain under what circumstances using company time and equipment to access social media sites is acceptable.

Trickier is what employees can and can’t say about the company when they’re not at work. Here it’s a good idea to be explicit about the things that people clearly shouldn’t be saying about the company and other employees – such as anything defamatory, discriminatory, obscene and so on – that they shouldn’t disclose confidential or proprietary information, and that, when they mention the company online, they must disclose their relationship with the company.

Ultimately, you need to rely on the common sense of your employees, and to remind them that internet postings endure, and that they must bear that in mind when posting.

Thanks to NetIQ for the article.