Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

A Strategic Sea-Change in Protecting the Security of Private Data

Balancing data privacy and data security is a long-standing information security challenge. Historically, companies have focused their response efforts on establishing strong perimeter and endpoint controls; data was considered at risk from external actors, and protected by encryption, DLP, and network controls, but often left open to insiders without respect to role and need to see the information.

Balancing data privacy and data security is a long-standing information security challenge. Historically, companies have focused their response efforts on establishing strong perimeter and endpoint controls; data was considered at risk from external actors, and protected by encryption, DLP, and network controls, but often left open to insiders without respect to role and need to see the information. Success and failure were measured in terms of data access; if an outsider was able to read company data, the security program had failed.

The public cloud has changed this model, however. The very market forces that sparked the explosive adoption of public cloud platforms (mobile technology, a robust app market, consumerization of IT, and the technological convergence of our personal and professional lives) have rewritten the rules for how and where users are accessing and sharing their information. In allowing employees to bring their devices to work, organizations have created expectations around access and efficiency that are radically different from the top-down control model that dominated the previous decade. More importantly, the decision as to whether to implement public cloud technologies such as SaaS applications has been made already, by those very users; fail to address their needs, and they will simply use consumer-grade alternatives of their own accord.

Securing Cloud DataAs security professionals, the initial response — to simply block all applications coming in from a cloud environment — is no longer the most appropriate or most effective way to respond to the market’s demands for information protection and security. Where companies establish restrictive controls, end-users are presented with myriad options for circumventing them; where collaboration technologies where once the domain of IT, they have become democratized, and end users who are familiar with traditionally consumer-focused apps such as DropBox or Box are likely to bring those technologies into play if alternatives like Google Apps or Salesforce are locked down by organizational policies, preventing them from operating in a way that maximizes their efficiency.

In response, organizations need to rethink how they approach the challenge of data management. Engaging the user when working through data security is something that most companies have come to accept; the question that remains is how they can also enforce data privacy rules, through which highly sensitive information is protected from inadvertent exposure and external threat without driving users “underground’ into consumer-grade filesharing applications.

A Change in Expectations

End users often feel comfortable working with familiar apps that have not been subject to a security review because they do not see evidence of risk. As an industry trend, this is understandable; even catastrophic data breaches often go undetected by IT and InfoSec teams for months prior to discovery.

The delay in detection is not equivalent to a delay in damage, however. Even if a given file is only theoretically externalized, and no indicators suggest that sensitive or regulated data has been viewed by a malicious party, the exposure itself can be a data breach sufficient to warrant regulatory response.

Are your people the problem, or the solution?

What needs to change is the perception that the primary role of IT is in safeguarding and blocking data from being viewed by an outsider. The notion that the company’s employees are the source of risk is counterproductive when translated to attempts at formulating a solution; given the tremendous autonomy that the cloud grants the typical user today, especially when they own and control the endpoint devices being used to access organizational information, it is clear that security needs to make all of the people who interact with sensitive data and systems participants (and even custodians) of information security.

Putting the Pieces Together

Training is a fundamental part of the change process. Information security threats are constantly evolving and changing; to assume that your people inherently have a full understanding of the risks they are confronted with and the appropriate skills to respond is foolhardy. Make them aware of the risks, make them aware of the practices they should follow to protect data security, and importantly, make them aware that their performance in safeguarding information assets can and will be measured.

Supporting this effort requires the implementation of a risk appropriate response framework: content awareness to differentiate sensitive and mundane data, encryption where it makes sense, and the ability to easily and efficiently monitor your total risk space. Consider the following elements:

– Content Awareness: the ability to discover and classify information assets on the network that belong inside the secure perimeter, right down to the level of individual words and numbers. This allows you to flag files containing potentially sensitive data such as social security numbers, health information, credit card data, or internal IP, without manually parsing the contents.

– Risk-appropriate Encryption: Encryption is a tool, and a necessary component to a good security framework, but it is not a solution in itself. It should be an iterative response, one that builds on the content-aware policies that an organization puts in place; ideally, users will be able to self-select which files should be encrypted, to add a defense-in-depth security layer to their sharing activities. This might then be extended by policy-driven encryption actions, which can automatically encrypt files considered highly sensitive; note that this is different from universally applied encryption designed to establish a perimeter, but without any means of protecting against insider threat.

– Consolidated Security View: As mentioned above, one of the primary challenges around information security is how to narrow the gap between an incident and its detection. Any strategy designed to support a cloud security model should address this; a particularly effective approach will entail the consolidation of incidents into a single interface, highlighting policy violations, end-user data access activities, geo-awareness regarding logins and data access, and application risk in a single view.

Importantly, by enlisting information workers as part of the data security system, this total solution approach changes the equation in security management. The organization’s staff can become a vital part of the process of protecting secure information assets, rather than working at cross-purposes with InfoSec efforts, and instead of pushing users away from the environment and into consumer apps, they can be converted into essential perimeters unto themselves.

The cloud is already here; talking about adoption in 2014 is passé, because users have and will continue to find ways to move your data into cloud platforms, and will do so even more quickly when forced by overly coercive policies. Instead of trying to obfuscate and block, or worse, attempting to solve for a threat that no longer exists (that is, the perimeter security model), change your focus. We as an industry are on the cusp of a technological paradigm shift; you need to decide whether you will embrace that change, or be cast aside by it.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cloud Security

Cloud Disaster Recovery - Ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility