Saturday, February 28, 2015

The cloud security conundrum: de-perimeterisation or re-perimeterisation?

The cloud is, perhaps, the epitome of de-perimeterisation. If you take the definition of this as being the removal of boundaries between the enterprise and the outside world, it's pretty much bang on the money. It's easy to assume, therefore, that de-perimeterisation in the information security sense is the answer to your cloud security concerns. It isn't, at least not the complete answer. For the more rounded solution you need to throw re-perimeterisation into the mix and let the two bang heads. I appreciate that this sounds more than a little contradictory, but when you think about it there is plenty of method in the apparently anarchic madness.

How to convince your CEO that the cloud is secure

Convincing senior management that the cloud brings functional and financial benefit to the business is not a hard sell. The same, sadly, cannot be said when it comes to the security argument. With so many media headlines painting the cloud as an insecure place for your data to reside, most often erroneously courtesy of a misunderstanding of the nature of the breaches involved, it's perhaps not surprising that something of a culture of cloud mistrust has crept into the boardroom. Most of the biggest data breaches which resulted in the loudest media reporting were enterprise system breaches and did not involve the cloud, yet there are fewer headlines proclaiming how insecure your network is than there are dismantling cloud trust. Unfortunately, the consequences of this are twofold: organisations may miss out on the benefits of cloud migration and, ironically, data could be less secure outside the cloud rather than in. Convincing your CEO that the cloud is a secure place to do business is key, but how do you buck the cultural trend and do that?

Three simple ways to mitigate risk in the cloud

Research recently published by Netskope suggests that 15 per cent of business users have suffered a compromise of sensitive data in the cloud, with half of those asked apparently ignoring such simple security basics as not reusing passwords across services and applications. I've already addressed one of the specific concerns flagged by the research, that 88 per cent of cloud applications being used in organisations are not enterprise ready. However, I am actually less concerned by the specifics than I am by the generalisations. I mean, seriously, have we really come this far down the road to commercial cloud commoditization and yet the security basics are still unknown to a considerable minority? Part of the problem, I suspect, is that of longtailing the security problem; by which I mean that the more established consumers of cloud services have got it as far as security goes, but the further down the recent adoption curve you slide, the more diluted the security message becomes. It's almost as if the newest entrants to the market simply assume that those who have gone before them have sorted security out.

How to secure the Cloud of Everything

Speaking at CES, the chair of the US Federal Trade Commission warned that the Internet of Things posed a serious risk to the privacy of consumers. The speech by Edith Ramirez may have been talking about connected devices and consumers, but the same issues apply to the corporate 'Cloud of Everything.' She spoke of the dangers of ubiquitous data collection, unexpected uses of that data and heightened security risks with devices opening up new routes to attack. There was an implication that low-cost devices with high volume distribution generally equate to less attention paid to matters of security. Security by design is not high on the list of priorities when you are participating in a race to the bottom as far as cost is concerned. Ramirez was urging manufacturers to change this, and to ensure that data encryption and lifecycle product monitoring were firmly on the design agenda. If you think about the potential security risks of the consumer Internet of Things, they can be summed up neatly as 'more devices equal more intrusion entry points.' This is an exact match to what is happening in organisations in terms of cloud services.