[BreachExchange] HOW TO MAKE THE MOVE TO THE CLOUD SECURELY

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 29 19:14:18 EDT 2017


https://cloudtweaks.com/2017/03/make-move-cloud-securely/

The 2016 Enterprise Cloud Computing Survey from IDG
<http://www.idgenterprise.com/resource/research/2016-cloud-computing-executive-summary/>
 offers multiple interesting insights concerning the state of cloud
adoption in 2017. According to IDG
<http://www.idgenterprise.com/resource/research/2016-idg-enterprise-cloud-computing-survey/?utm_campaign=Cloud%20Computing%20Survey%202016&utm_medium=Press%20Release&utm_source=Press%20Release>,
70 percent of the survey’s respondent organizations have at least one
application in the cloud, and 56 percent of organizations are still
identifying IT operations that are candidates for cloud hosting. On top of
that, those that aren’t yet utilizing the cloud may soon be. A McKinsey
study found
<http://blogs.wsj.com/cio/2016/09/15/cloud-adoption-among-large-companies-set-to-accelerate-mckinsey-studies-find/>
 that over one-third of all companies will be using public infrastructure
as the primary environment for at least one workload by 2018.

One final report, the 2017 Thales Data Threat Report
<http://dtr.thalesesecurity.com/pdf/thales-2017-dtr-infographic-fin.pdf>,
finds that 93 percent of enterprises will use sensitive data in advanced
technology environments this year (*defined as cloud, SaaS, big data, IoT
and container*). However, that same report found that 63 percent believe
their organizations are deploying these technologies ahead of having
appropriate data security solutions in place.

Whether making the move now or getting ready to deploy additional cloud
applications in the future, secure cloud deployment is essential for any
business in the modern age. With malware such as ransomware costing
businesses over $1 billion in 2016
<https://www.backupassist.com/blog/news/the-cost-of-ransomware-in-2016-1-billion-and-rising/>,
and two-thirds of large businesses having suffered a data breach in the
same time
<http://www.zdnet.com/article/two-thirds-of-large-businesses-have-suffered-a-data-breach-in-past-year/>,
the cost of neglecting security could be quite substantial.
Making the Move Securely

Moving sensitive data from one place to another
<https://cloudtweaks.com/2016/03/sensitive-data-in-the-cloud-threats/> will
always inherently carry some form of risk. If you’re transferring data over
to a cloud service provider (CSP) for applications, you’ll want to pay
particular attention that any uploads or API used are secured through SSL
or similar encryption processes, such as encryption gateway products. If
you’re planning on using infrastructure as a service (Iaas) such as
collocation and virtualization, the protocol is essentially the same,
albeit on a larger scale.

Those looking to make a move toward cloud infrastructure most securely
should:

   - Ask how data will be migrated. Will the CSP be moving data via a
   virtual private network (VPN) connection between data center and virtual
   machines (VM) in the cloud, or will your company be managing key pairs
   while data is transferred via SSH.


   - Ask what security measures the CSP employs. How is risk mitigated and
   managed? Does the provider have an accountable security officer or security
   groups with which you can engage? What types of onsite security as well as
   offsite are employed? How often are backups of all data made? What disaster
   recovery measures exist for your data? The answers to these questions will
   help you determine which provider has the security features you need most.


   - Make sure they are HIPAA/PCI-DSS Compliant. If you work in healthcare
   or deal with online payments, your business needs to abide by
either the Health
   Insurance Portability and Accountability Act (HIPAA)
   <https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act>
    or the Payment Card Industry Data Security Standard (PCI DSS)
   <https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard>
    and sometimes both. In the event that your CSP suffers a breach or
   mishandles your data, you are the one responsible for telling your
   customers. Ask if they have independent audits to ensure they’re protecting
   data properly, and go through the checklist to make sure they’ll be able to
   pass a HIPAA or PCI DSS audit.


   - Understand the service level agreement (SLA). In the event that a
   disaster or breach does in fact occur, the SLA is what dictates who is
   responsible for what, and it what amount of time. For example, if your
   customer’s data is compromised, you are legally required to respond within
   a timely manner–but if your SLA dictates that the CSP has 30 days to inform
   you of a breach, and they wait until day 28, you will have little time to
   prepare your PR and notify affected individuals.

Most of all: shop around. This cannot be stressed enough. Not all service
providers are created equal and not all services offered are either. You’ll
want to ensure that you know who owns the data once it’s moved, who can see
it, where it’s stored geographically, and what happens if you decide you
don’t want to use them as a service provider anymore. Weigh your options
and make the most educated decision.
Staying Secure and Agile

The world, and the technology in it, is constantly changing. Proof of this
can be found in the reason for your move to, or even the rise of, the cloud
in the first place. The only way a CEO or CISO (*or anybody in the C-Suite,
really*) can keep up on a secure cloud is to stay agile and informed. This
lack of agility and knowledge is what causes security gaps with people,
processes, and technologies that can be bridged by:

   - Getting (or becoming) an actively learning CISO. Many of the problems
   with security in businesses is a result of not knowing. By the time that
   cybersecurity professionals learn and pick up something new, it usually
   means that they are facing and identify a new threat in their field. Don’t
   wait for that information to get to you secondhand. NetworkWorld
   recommends
   <http://www.networkworld.com/article/3183546/security/cloud-security-still-a-work-in-progress.html>
    you identify or become the CISO that “*invests in appropriate hands-on
   security education up front*,” while “*pursuing cloud security training
   with gusto*.”


   - Emphasize security as a multi-departmental collaboration. Technology
   and cloud computing are not confined to IT anymore. Gartner’s recent
   findings indicate that in 2017, CMOs will be spending more on technology
   that CIOs
   <http://blogs.gartner.com/jake-sorofman/yes-cmos-will-likely-spend-more-on-technology-than-cios-by-2017/>–which
   means that everything we know about security as “the norm” goes out the
   window. You’ll want to approach cloud security as a blank slate, and look
   at every new challenge with an open mind.


   - Educate your employees. Since the cloud is being used in more
   departments, that means that more employees need to be educated on security.
    Safeguarding against cyber attacks nowadays requires
   <http://www.startechtel.com/blog/2017/03/safeguard-against-cyber-attacks/>
    that all employees understand the risks of a breach, know and follow
   your security policy, and have up-to-date software and secure passwords.
   Shadow IT, for example, was a real problem in 2016
   <http://www.digitalistmag.com/resource-optimization/2016/02/11/2016-state-of-shadow-it-04005674>
    and will probably be an even bigger in 2017. Don’t fall victim due to a
   lack of information.


   - Keep your most sensitive information out of the cloud. Last but not
   least, make sure you’re not storing your most sensitive data in the cloud.
   While the cloud is a pretty secure place if all of the proper protocols are
   followed, there is no such thing as a completely secure cloud. Anything
   that you truly can’t afford to lose–that you would be out of business if
   compromised–should not go in the cloud.

The Block, The Edge, and The Future Ahead

This understanding and security of cloud infrastructure and the IoT is
imperative to businesses and the public alike. Cities are now adopting
everything from smart traffic lights to smart trash cans
<http://bootcamp.devry.edu/industry-insights/how-the-iot-will-change-urban-areas-forever.html>,
and the smart car itself is purported to produce so much data that it might
revolutionize the cloud by ushering in edge computing as the norm
<https://cloudtweaks.com/2017/03/computing-on-the-edge-mobile-data-centers/>.
The blockchain is another technology that promises to change the cloud in
the future
<https://guardtime.com/blog/blockcloud-re-inventing-cloud-with-blockchains>.

The point is that the cloud is not only a major disruption today, but will
also be tomorrow, and the day after that. The new norm for IT departments
and CISOs is adaptation to change. Keeping an eye on the technological data
landscape will be imperative for those who want to stay in-the-know, and,
like the move to the cloud, it will be better to know how to interact with
these new technologies correctly and securely than not to interact with
them at all.

The secure move to the cloud represents the first in a long line of steps
towards agile and effective business solutions and infrastructure. Make
sure you’re starting off on the right foot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170329/69db3036/attachment.html>


More information about the BreachExchange mailing list