From the Blogosphere
Three Steps to Enable Rock Solid Cloud Security By @IanKhanLive | @CloudExpo #Cloud
Key aspects for creating a solid organization, keeping cloud security in perspective
Sep. 5, 2015 10:00 AM
Three Steps to Enable Rock Solid Cloud Security
Cloud security is at the top of every CIO's list. It is also the first subject that comes up when you engage in a discussion about the cloud. For those of us who followed the recent Ashley Madison story (from a tech perspective), you would agree that while the breach happened for so many reasons, security is at the heart of it. Here are some key aspects for creating a solid organization, keeping cloud security in perspective.
Don't Blame Vendors
Different industries have different regulations and requirements. For some, such as consumer grade document sharing platforms like Dropbox, Google Drive, Box and so many others, the problem actually is not with them but what people choose to store on these platforms. All of these and other platforms are hosted on the public cloud and while they may promise a certain level of security, they do not offer a private cloud where your data is secure on restricted servers that are meant for your use only. Sharing documents on these platforms becomes a responsibility of the end users and while the fine print covers the vendor, a breach is always possible. You probably do remember the instances where millions of records from an online document storage vendor were leaked. So if your organization wants super-tight security and is using a consumer grade document sharing platform, you are literally shooting yourself in the foot. The same goes for using public cloud applications such as Evernote, Google Docs and others. Sorry! Use solutions or hosting that offers a 100% private cloud.
Clean Your House
If your organization has no way to track and monitor changes in connected devices, you might as well save the money on your firewall. Allowing users to use non-certified or private devices such as USB drives, portable hard drives and other devices that can connect to your network is essentially security suicide. A 30-second connection with an infected device can transfer malicious code to your device and can sit there for months before it slowly starts eating away at your network like a plague. It may not even need to do that in case the malicious code is targeting specific ports to open and let the bad guys in. As I mentioned to a recent client, the inconvenience that users face unfortunately is far less than the risk and consequences that you may face with a hack. This is true for your cloud where you will be able to restrict access and enable multiple levels of user credential verification, SSL connections and so on. Lock down your network, because it's never too late.
Processes are what makes and lack of them is what breaks. Enabling processes at every level within your organization is a key success driver. Processes define a methodology and a framework under which employees should work and go about their work. When was the last time you heard that discipline hurt someone? At the enterprise level, enabling usage and access policies are a way to get started. Not having processes just invites chaos, risk and injects the vulnerability of someone new coming into the organization and disrupting the way things are done. This does not mean not looking at ways to improved processes. That should be a constant driver anyway. Take inventory of how your organization functions and if it lacks processes, not only at the cloud or IT infrastructure level but everywhere else.
Do you have a take on cloud security? Feel free to share.
This article first appeared on the Solgeniakhela Blog