Stormy weather? Cloud security and data encryption
Tim Compston, Features Editor at SecurityNewsDesk, looks at the key challenges for organisations when it comes to managing the rise of cloud applications in an increasingly mobile world.
We live in an ever-more connected world where the technology we use, and the volume of data we generate, is changing at an unprecedented pace, changes which are transforming the way we work mostly, it has to be said, for the better. This is a view underscored by an IBM study ‘Redefining Boundaries’ which found that business leaders believe cloud computing, mobile solutions, the Internet of Things, and cognitive computing, are the technologies most likely to revolutionise their business. However just as change tends to open up new opportunities, so there are also some unfortunate downsides that organisations are having to negotiate. High on the list of concerns here is data security as more and more information finds its way into ‘the cloud’ with cybercriminals all too willing to exploit any new vulnerabilities that emerge from this process.
So what can be done by organisations to mitigate the risks associated with the cloud? Well in the context of ‘Bring Your Own Device’ (BYOD) and ‘cloud-based apps’, Carmina Lees, the Director of IBM Security in the UK and Ireland, tells me that: “Companies encourage people to bring their own devices but then these are linked into their network,” says Lees. She also reveals that IBM has launched a new product – IBM Cloud Security Enforcer – to help mitigate the risks here: “You don’t necessarily know what apps employees have on their smartphones and what they are clicking on during the day which is leading back to your network. As clients are moving to a cloud model they need security to underpin that too.” Essentially, when employed Cloud Security Enforcer combines cloud identity management with the ability for companies to discover which outside apps are actually being accessed by their employees. Underlining the way that cloud solutions are taking-off, Lees confirms that IBM’s cloud business has posted double digit growth in the last two years: “Security for us is now seen as underpinning our cloud, mobile and analytics businesses.”
The bigger picture
Another vendor which has a strong focus on what is happening in and around ‘the cloud’ is CensorNet, the cloud security specialist. Speaking to Ed Macnair, CensorNet’s CEO, he confirms that the vendor has just gone ‘live’ with its cloud-based Unified Security Service (USS) solution. Explaining the rationale for bringing to market CensorNet USS, Macnair says: “Our vision is to provide organisations with the ability to correlate events across the web, cloud applications, authentication, and email through a single centralised management dashboard. By monitoring the data flow across these different channels, CensorNet USS is able to mine vast amounts of data and identify exactly who did what, where, and when, and with which application. Organisations can easily pick up an analytical audit trail of what is happening in the event of a threat and swiftly act upon it.”
Macnair reckons that seeing the whole picture for organisations is very much a prerequisite for effective cybersecurity: “Today’s cyberattacks and threats are so much more sophisticated because typically they can use more than one attack vector, email is an attack vector but so is the web and, increasingly now, the figures are showing that 10 percent of these data breaches involve cloud applications.”
On the hotly debated subject of encryption, which feeds into the wider cloud security narrative, V. Miller Newton, President and CEO, of PKWARE (pictured right) – a leading provider of enterprise level smart encryption – is adamant that the way forward is to actually ‘armour the data at its core: “This is with persistent security that follows the data every place that it is used, shared, or stored. The days of ‘castle and moat’ security, the days of security at rest are gone.” Newton goes on to say that the advent of cloud and BYOD [Bring Your Own Device] serve to underline this requirement for new thinking with regards to security: “We live in a very different world. Data is the new perimeter versus networks and systems. Sensitive information, all information really, has to be encrypted at source before it goes to the cloud and that is paramount if you are going to have a secure posture in the cloud.”
Newton’s colleague Matt Little, Product Development VP at PKWARE, offers an interesting take on the nature of ‘the cloud’: “Our customers often joke that a lot of people misuse the term cloud. Miller and I were just talking to a CISO only last week who said it has taken a long time just to convince people that the cloud is really just someone else’s hard-drive. So you should start thinking about what kind of data you would put on there and what you would do beforehand to protect it.”
On how BYOD fits into the mix, Little contrasts the new reality with the situation ten years ago: “Then everyone had two phones, their own and their work phone, and never the two shall meet. At some point following the path of least resistance a huge chunk of our customers have embraced BYOD and acknowledged that that data needs to be secured.”
Turning to Jens Monrad, who is a Consulting Systems Engineer at FireEye and is involved in global intelligence liaison, for his take on the growth of the cloud, he says that over the past two years enterprises have really embraced this IT architecture: “They realise that they don’t have the capabilities to drive development or drive applications internally so they are seeking services from various cloud providers. The other thing that I am hearing is that enterprises are considering cloud services because they are looking at the total cost of ownership so, for them, it makes more sense to utilise the cloud for storage and for application usage.”
The challenge that comes with this ramping up of reliance on the cloud, reports Monrad, is that many enterprises who are adopting the cloud, from a cost perspective, simply don’t factor in considerations like security: “The cloud is sort of a hostile space so we recommend to enterprises that are considering pushing a lot of their usage to the cloud, or partly their application usage, to carefully vet the security posture they are actually buying into with their cloud providers.” On a positive note, Monrad says that FireEye is witnessing more cloud providers aligning their development operations with their security operations ‘to provide more security features to their customer base as they embrace their cloud services.’
Talking to Sean Sullivan, Security Advisor at F-Secure, (pictured below) he agrees that the cloud has both pros and cons: “One big movement that probably has benefits if you are running an exchange server using Microsoft Exchange is to put your server in the cloud in terms of patching and other maintenance. There are many ways for an IT department which is on top of things to keep the exchange server secure in an authenticated kind of exchange cloud environment without having to keep their own physical hardware up and running.”
Sullivan admits that things can become trickier for storage resources, especially in the context of ransomware: “I read a story recently – it was a consumer one, but illustrates the point – where a woman’s cloud back-up failed on revision control so the ransomware encrypted her stuff that was in the cloud because it was just mapped out as an ordinary drive. When she went through the back-ups the back-ups weren’t actually successfully backed up in a way she could retrieve the pre-encrypted revision so, sadly, she lost that data.”
As enterprises are expanding their storage out to the cloud, Sullivan stresses that they definitely need to make sure that they are testing this ‘revision control’ element properly: “I don’t want to get version 1.2 of the document, I want to see if I can still get version 1.1 if I have got ransomware breaking out in my ecosystem.”
Outside the corporate firewall
Charles Milton, Director of EMEA channels at Zscaler, flags up a couple of trends that are impacting on the footprint of the company’s cloud security application: “There is obviously increased mobility and cloud apps. From our point-of-view a lot of projects are driven by the adoption of major corporate cloud apps, leading to people transforming networking and the way they do business, and therefore their perception of security – things like Office 365, salesforce.com. Some of those big ones [apps] are really fundamental. The other side of it is people using websites that have become cloud applications to be more efficient at work.”
Milton goes on to say that what something like an Office 365 application does is that it redefines the way users work so they able to tap into a consistent experience when they are at home or in the office or at a partner’s site ‘wherever they happen to be’: “If the IT Department is bright it also changes the way that they do their networking because they can make much more use of local network Internet offload. That brings with it some real security challenges too because the user is no longer behind the corporate firewall and the application is no longer behind the corporate firewall.” Milton feels that the only place you can really do security is in the cloud, as well as the applications being in the cloud: “That is kind of our [Zscaler’s] take on that piece,” he concludes.
So, as we have seen, the advent of the cloud is transforming the way that organisations and their employees work, but at the same time introducing new vulnerabilities which require constant vigilance. It is therefore encouraging to see that cybersecurity vendors are stepping up to the plate with more capable solutions to strengthen encryption on the move and to keep a watchful eye on these ever emerging threats.