Deemed the "Year of the Breach," 2014 featured major hacker attacks on Sony, Target, Home Depot and JP Morgan.
And while many IT professionals were quick to point a finger at cloud, insider assistance or careless access controls were more to blame. Many of these security issues have existed in IT for years, but cloud -- and the fear of losing control once data is outside the firewall -- re-emphasizes them.
Pressure to use cloud and offload IT brings security into focus, and is changing IT security practices and tools overall. If the cloud can be made bulletproof, on-premises operations will also be secure.
Despite security remaining a widespread IT issue, cloud security concerns hamper potential deployment. While a majority of IT teams cite security as an inhibitor to cloud deployment, privacy regulations are often a major reason why many keep data on-premises. This fuels a hybrid cloud model in which an on-premises facility colocates with a public cloud and maintains data storage. However, major cloud providers don't currently support this approach. In this form of colocation, managed services can be more expensive than using Amazon Web Services. But colocation brings LAN-speed connections between clouds, and dramatically reduces public cloud instances and job run times.
To ensure cloud security, it's essential to properly use authentication and sign-on controls. This should be as easy as protecting on-premises data, but the cloud's low cost and barrier to entry caused an explosion of department-level computing. Numerous studies have shown that a significant portion of a company's IT footprint is outside IT's control. This is especially true for HR tools and marketing apps, such as Salesforce.com, that are hosted in the cloud.
Bring your own device (BYOD) compounds these issues, making it easy to download and upload key company data. For example, if employees allow LinkedIn to search their Outlook address books, sensitive company data is exposed.
IT will wrestle with departmental computing and BYOD issues throughout 2015. To limit these issues, organizations have to implement identity management and increase authentication efforts. Keeping the bad guys out is still a good starting point. Approximately 15% of users' credentials were stolen in 2014, according to a Cloud Security Alliance report. The Cloud Security Alliance also identified a rash of insider problems -- from downloading customer lists or development code when leaving a company to uploading personnel or sales data to social media.
To solve these issues, many organizations use data compartmentalization. However, it's often poorly implemented. Employees can access all of the network-attached storage (NAS) data in a department or the entire enterprise, as NAS server security is often atrocious.
Intrusion prevention, SaaS considerations for 2015
Intrusion prevention will emphasize endpoint detection and mobile device management in 2015. It's essential to prevent download and upload, and that starts at the server. New services will emerge throughout the year as intrusion prevention evolves. It's possible to lock browsers from being able to download information, so a purely browser-based corporate data access mechanism makes sense.
A browser-based mechanism, however, doesn't resolve the departmental computing issue. Additionally, these issues are out of control in most organizations. Many admins have likely tried to dictate suppliers, only to be told to go fly a kite. The best approach is to collaborate to determine needs. Then, make the apps available through an on-premises app store. This removes negotiation and support issues, while introducing better prices. It also controls app sprawl.
If needed, it's fine to ban certain applications. Similarly, prevent company files from being uploaded elsewhere by blocking downloads. This process is easy with on-premises applications, but is more difficult with software-as-a-service (SaaS) apps in the cloud.
SaaS has become the path of least resistance to making business process support more agile. Prices are low, with no upfront Capex to approve. Carrying corporate governance standards into SaaS environments is a major problem, especially if department-level contracts were signed. Remember -- SaaS vendors mainly operate on public clouds, so there is a second layer of governance issues.
A good app store can channel SaaS contracts to vendors with appropriate governance, but departmental SaaS is where the CEO needs to establish rules of engagement. Requiring IT to sign a compliance audit statement prior to a contract may do the trick.
The cloud has a major edge over on-premises environments when it comes to improving security. The scale of cloud installations creates low security costs per user for cloud providers. Ensuring compliance and data governance is still a challenge for any public or hybrid cloud user. But in a world filled with hackers, it's a priority for a successful cloud engagement -- even if protecting on-premises services is high on the list, as well.
About the author:
Jim O'Reilly was Vice President of Engineering at Germane Systems, where he created ruggedized servers and storage for the US submarine fleet. He has also held senior management positions at SGI/Rackable and Verari; was CEO at startups Scalant and CDS; headed operations at PC Brand and Metalithic; and led major divisions of Memorex-Telex and NCR, where his team developed the first SCSI ASIC, now in the Smithsonian. Jim is currently a consultant focused on storage and cloud computing.