Professionals Discuss Cloud Security in November TweetChat
Putting data into the cloud is not necessarily new, but it has crossed the chasm from a nice-to-have remote storage capability to a resource upon which companies are now fully dependent. This month’s TweetChat (#infosecchat) focused on cloud security and privacy. For those who are unfamiliar with the TweetChat format, an IBM Security moderator posts a series of questions to the Twitterverse, and anyone who is on Twitter during the hourlong event is welcome to participate.
1. Which Misconceptions Exist Around Cloud Security Today?
“I think with the rapid movement of cloud & cloud adoption, orgs might feel securing the cloud is easy to do,” wrote Brandi Boatner of IBM Global Technology Services.
The IBM THINK Leader team moved quickly to dispel the “myth about cloud security, [which] is, ‘You can’t control where your data resides in the cloud.’ That’s just false,” they wrote.
This was followed by Marko Pitkanen, chief architect of European company Descom. Pitkanen wrote, “Common misconception is that 100% secure system exist. There will always be a risk. Service providers must act transparent.”
Tech journalist Sean Kerner noted, “Misconception around cloud security is that it’s fundamentally different from other data centre security (it’s not).”
The question closed with Boatner agreeing with Pitkanen and asking, “But how can orgs build a risk-aware culture knowing there will always be risk involved?”
2. What Is Dynamic Cloud Security, and Why Is It Important?
IBM Global Technology Services shared IBM’s positions on dynamic cloud security, saying, “Dynamic cloud security addresses security gaps between on-premise, cloud, SaaS & mobile applications.”
Boatner then noted, “Dynamic cloud security would be complete visibility across the cloud with secure access & data control,” as Kerner dryly wrote, “All security should be ‘dynamic.’ If it’s not, it’s static. And static tech is a from of entropy (or death).”
3. What Is One Thing Every Cloud User Should Be Doing to Ensure Their Data Is Safe and Secure?
While admittedly difficult to identity just one thing every cloud user should be doing, the TweetChat participants had a number of tips. Kerner offered a one-word answer, “Encryption,” while IBM U.S. IT Services chimed in with, “Password hygiene,” pointing directly to a TED Talk by Lorrie Faith Cranor of Carnegie mellon’s CyLab titled “What’s wrong with my Pa$$w0rd?”
Users do have the capability to review transparency and vet their cloud service provider. Ask for and review the Statement on Standards for Attestation Engagements (SSAE-16), which is the service provider’s means to inform you, the user, on the controls that they implement within its service. Many entities follow up the SSAE-16 with an independent, third-party audit, which is normally availed under controlled (nondisclosure agreement) circumstances.
4. How Can You Be Certain the Right People Have Access to Sensitive Cloud Resources and Data?
The question points directly to access controls over users’ sensitive cloud resources and data by both the consumer and the service provider. Are the right people able to access the information, and are those without a need excluded? CSID noted access controls are important, while Pitkanen suggested starting with security architecture and then ensuring every data object and access to it is addressed specifically within the IT security policies.
5. How Can You Identify Cloud Vulnerabilities and Defend Against Attacks Before It’s Too Late?
According to Julie Gibson, IBM Digital Marketing strategist, “Prevention starts with an incident response plan, mock exercises to test the plan and an active threat assessment.”
IBM THINK Leaders added, “Intelligent threat prevention requires skills, analytics and rapid response. Answer is data. Security is a big data problem.”
Pitkanen closed with, “Allow access to the data only through well-defined and tested APIs and monitor usage deviations.”
6. How Can Organizations Protect Their Businesses and Brand From the Devastating Effects of a Public Data Breach?
Boatner repositioned the question by tweeting, “What is the reputational risk of a breach & how to fix it? Should you hire a new and first-ever CISO? Maybe. Then what?”
Pitkanen shared his firsthand response, saying, “By being [a] data-driven organization. Almost all situation can then be simulated and practiced in virtual org environment.”
7. In the Era of the Cloud, How Can Privacy and Security Be Balanced?
Yes, privacy and security can be balanced in the utilization of cloud services. The core architecture of the application or data stores must have the desired end state of both data security and user privacy. A useful barometer to use when dealing with customer data is what is revealed when a governmental entity compels the service provider (or application owner) to reveal the contents of cloud storage.
8. What Is the Next Stage in the Evolution of Security Leadership?
IBM THINK Leaders wrote, “The security leaders of today need to get better at securing the ENTIRE ecosystem & not just their orgs.”
This was followed by Boatner, who commented, “I think security leaders are facing a new reality in IT security. Hackers are young, sophisticated and hungry. Buckle up, CISOs.”
Full Disclosure: The writer of this piece is the chief executive officer of Prevendra, Inc., whose Red Folder secure Web application utilizes IBM cloud services. IBM was chosen precisely because of the manner in which it addresses security and privacy.