Yes, it’s all going to the cloud, which is better than “to the dogs.” And yes, you have to make sure your cloud environment is secure.
You need to confront some hard realities about cloud security because the cyber landscape continues to be unforgiving. It doesn’t matter whether you’re protecting traditional computer systems, your mobile platform or the cloud itself. Simply put, organized cyber crime and cyber espionage continue to grow in sophistication. Any new hackable platform is red meat for them. Opening massive breaches that harvest critical data is their day and night job. News headlines make that clear that the aggregate total of global cyber crime damage now rivals that of many nations’ annual gross domestic product (GDP).
First reality: Organizations spend considerable time and money securing their on-premises infrastructure. That’s good. The problem is maintaining that same high level of security when outsourcing to the cloud. Security delivery requires a cloud provider’s undivided attention. Yes, there are built-in security tools, but you will not get the key to any strong security posture—24/7/365 threat monitoring, analysis and response—or “managed security service.” These are humans watching out for you. You must know what’s happening on the cloud in real time and be able to respond very quickly. You need people to manage this, even if you have automated capabilities as part of your cloud security. The “cloud” doesn’t do it on its own.
(Related: An interview with Brendan Hannigan, IBM GM Security Systems Division)
Second reality: Repeat after me: “My cloud will be breached.” Take a deep breath. Say it one more time.
Remember, just because you’ve been breached doesn’t mean an attacker knows where to go once they get in your system. If you identify the attack quickly you can prevent him or her from getting to your critical data.
So, review your incident response plan for cloud security. What, you don’t have one? Okay, review the plan you have for your premises infrastructure.
If you still have a blank look, gather your team and start putting a response plan together—fast. How you handle it is crucial, particularly the speed of your response. Sophisticated attacks often show no upfront “symptoms” but can quietly devastate your business over time. The longer it takes to resolve an attack, the more costly it becomes.
Prevention starts with an incident-response plan and mock exercises to test the plan. Get an experienced provider to try and hack your cloud. Find out your vulnerabilities. Most important, make sure you have a team ready to move quickly and decisively if you suspect your cloud has been attacked.
Third reality: Last but maybe most importantly, get smart about “security intelligence.” Your cloud systems, along with your other IT platforms, generate billions of security events each day from firewalls, emails, servers and the like. It’s simply not possible to manually sift through this data and find evidence of suspicious behavior. Beyond the costs involved, it’s confined to figuring out “what happened” rather than “what will occur.”
When applied to security data, big-data analytics tools can be transformative—the tip of the spear in security intelligence and response. Analytics can provide automated, real-time intelligence and situational awareness about your infrastructure’s state of security to help disrupt the attack chain.
Say that two similar security incidents take place, one in Brazil, the other in Pittsburgh. They may be related. But without the intelligence needed to link them, an important pattern—one that could indicate a potential incident—may go unnoticed.
You need this capability, and providers like IBM are stepping up to make it the ultimate reality.
Stay safe.
Those of you with IT security responsibilities in small businesses often resemble the stereotypical Scotsman, trying to stretch a penny as far as humanly possible. With an IT security budget that is likelier tighter than a Tom Brady spiral pass, how do you make effective use of your limited spending capabilities?
Small business security teams have to deal not only with limited budgets but resources are equally scarce. Prioritizing your security controls and needs based on risk is the obvious starting point. However, you don’t have the manpower to perform the risk assessments and gap analyses. Given these constraints where does someone even start?
Arguably, one of the best resources that security teams should utilize is the SANS Top 20 critical controls. SANS has done all the heavy lifting in identifying an extensive list of the foundational security controls. This is wonderfully laid out document that greatly helps in laying out implementation road map and how to best integrate the controls into your security infrastructure. SANS has done all the work for you – in describing in great details what each control accomplishes, all you need to do is best identify what controls are would address your most pressing security concerns.
It is actually quite amazing the level of detail that SANS went to in describing how to implement the controls, automate them, how to measure their effectiveness (metrics), how to validate, as well as a process for implementation.
Each control is broken down into sub-controls that can be implemented over multiple phases following a natural progression. The sub-controls are classified as quick wins (can be implemented fast and cheap), visibility/attribution, configuration/hygiene (basic security measures), and advanced. Based on your needs your can progress to the advanced stage of the different controls. This is a great way to form the foundational aspects of the control and then over the years to naturally evolve the capabilities.
How can one effectively manage and visualize what controls (and sub-controls) you have implemented and what areas still need addressing. There is an awesome interactive Excel worksheet from Tech-Wreck blog that makes tracking your progress with the SANS Top 20 an absolute breeze (plus it used graphs that you can give to management so they can easily see the status of the different controls.)
The SANS Top 20 security controls list coupled with the Excel spreadsheets that capture the progress make a formidable tool for ensuring that you can stretch your security dollars and spend wisely on the controls that will best address the information risk within your organization. Try it out, good or bad, I’d like to hear about your experiences.
Photo Source: Leonardo Rizzi Article By: Dominic Vogel
With so many unfortunate–and costly–data breaches making headlines today, it’s vital for businesses to safeguard their vital information with reliable security measures. By incorporating the following tips into your platform, you can better protect your company data for a more secure operation.
Create Secure Passwords
Be sure that you instruct your employees to create strong passwords. Security experts suggest that you “use an 8-12 character combination of capital and lowercase letters, numbers and symbols. Also, be sure every employee changes his or her password at least once every three months.” (1) Employees should also refrain from using personal names or birthdays in their passwords.
Use Security Controls
Businesses can adopt any number of security controls. For instance, a firewall is a good line of defense for your data. Moreover, investing in check-writing software will “cut operating costs, reduce operational risk, and improve customer service.” Remember that all devices that connect with your network must have security controls in place to reduce the risk for breach.
Invest in a Security Audit
If you’re not a security expert, you should hire one to perform an audit of your business’s security. An expert can locate the gaps in your security and provide you with effective solutions for shoring them up. If you don’t have an IT expert on staff that can advise you about maintaining strong levels of security, you need to hire a consultant who can provide you with this essential information.
Employee Training
Many security breaches occur because employees are lax about practicing security procedures each and every time. It’s important for companies to train their employees about respecting security measures and upholding them at all times. Make sure that you create excellent policies and procedures to govern your employees about how to deal with data. It’s a good idea to have a training workshop to review security procedures with both new and existing staff members. Make sure your employees understand that they are a vital aspect of your data protection plan.
Encrypt Data
If your data is stolen–and this is common given the wide array of devices used to access your network–you still have protection if your data is encrypted. Make a habit of encrypting all company data stored on everything from laptops to mobile phones.
Back up Your Company Data
If you routinely back up your data, you ensure that it will be there should a virus come along and wipe out your information. Many businesses are now using the cloud platform to store their data securely. In the event that your business suffers a natural disaster or a computer is stolen, you’ll still have that backup data to rely on.
If you consistently follow these tips, you can more effectively protect your valuable company data. Never take your security for granted. Even large companies have been caught off guard by data breaches. By following these tips, you can ensure the integrity of your data and protect the reputation of your business. Article Source: http://EzineArticles.com/8794070 Photo Source: http://pixabay.com/en/users/Picography-361976/
Highly publicized events like hacked celebrity photos, credit card data theft from major retailers, and confidential business data loss from large corporations have drawn into question the security of Cloud storage, especially for businesses.
From customer payment information to internal pricing policies to large commercial and government bids, the data that businesses keep is critical, and its loss could be devastating – just ask Sony.
And it’s not only large corporations or financial institutions that should be concerned. One study showed that over half of the small businesses surveyed had experienced data theft, and half of those had experienced it more than once.
The corresponding business disruption can also cost companies big money. Even a simple file that takes an employee an hour to recreate costs you money, and it can snowball from there. Worse still, most insurance policies don’t cover data loss of any kind. And even if you can be monetarily compensated, it won’t change the fact that your data has been stolen.
In a post earlier this year we discussed the different file storage options for businesses (an on-premise server, public or private Cloud storage, or hybrid solution). Each has its own strengths and weaknesses. With on-site servers, your information is physically with you, under your direct observation and control. However, all it takes is a single bolt of lightning knocking out your server, or a cleaning lady clever enough to steal a password to simply walk away with your hardware. Viruses, stolen laptops, crashed hard drives, spilled coffee-all threats to your computing system also threaten your data.
The truth is, cloud computing is here to stay, so it is increasingly important to protect your data there. And guess what? With the right safeguards and protocols in place, it’s actually more secure.
Keeping your data secure in the cloud
Beyond 24/7/365 monitoring that should be the basis of any managed IT services relationship, here are five key ways that cloud storage provides greater security than on-site servers.
Controlled access: Know who accesses your data and when. Levels of access should be controlled and customizable by you, meaning that each employee should be given access only to the information that they need to get their work done. We also recommend two-factor authentication for an additional shield against cyber intruders.
Data encryption: The data you send to the Cloud should be encrypted during upload and encrypted again (and assigned a unique password) every time it’s opened on a device (smart phone, tablet, PC, Mac, etc.)
More robust firewalls and virus protection: Cloud storage facilities are constantly upgraded in response to the latest threats and to implement new technology. Besides malware detection and anti-virus software updates, make sure your IT service provider is able to detect and quickly remedy data breaches that may occur.
Sophisticated management and restoration capabilities: The right service provider can identify file changes between any two backup points on a system, and can see which files were created, modified or deleted at any point in time. This means your data can always be recovered to the latest version saved before it was destroyed by a virus or accidentally deleted. Off-site backups, built-in redundancies, fail-over protocols and fault-tolerant architecture that protects against power failures also prevent costly business disruptions.
Physical security: Cloud storage is located in highly secure data centers with restricted physical access, sophisticated burglar and fire alarms, backup generators and multiple redundancies and fail-overs. Many have multiple locations around the country, creating further redundancy in order to protect against a catastrophic loss in one location. On-premise servers rarely have this kind of fortress-like protection around them.
Is your data safe in the cloud?
Given the level of security measures, physical safeguards and redundancy, Cloud-based solutions can provide superior data protection if implemented and managed correctly. Our managed IT services professionals can help you assess and implement the best solution for your organization today-and develop a plan that makes good business sense for your future. Contact us to discuss your needs regarding data security issues and cloud storage options for businesses.
Article Source: http://EzineArticles.com/?expert=E_Speidel
Photo Credit: Super Famous
Hurricane Sandy, Black Forrest fire, 6.0 earthquake hits Napa Valley – major catastrophes strike large population centers, business are damaged and even destroyed. Even after these major events, many of which make international news, numerous companies have all of their corporate data in the same building, and, in many cases, the same room.
No matter what the business goal or high level requirements, organizations must take action, intelligent action, to protect critical data. While this may seem like common sense, it’s amazing how often companies fail to perform even the most basic protection.
Nearly every business has a policy in place to cover disaster recovery, a catch all phrase to cover the need to restore data should trouble occur. In reality, disaster recovery is piece of a larger concept that includes high availability and business continuity. All of these concepts revolve around two basic ideas: recovery point objective (RPO) and recovery time objective (RTO).
There’s a tradeoff between potential for data loss, duration to recover, and cost. Certain businesses require high availability, the idea of near zero data loss and near zero downtime. Examples include financial industries, healthcare, and most organizations that utilize transactional actions in data processing. In other words, anytime one has a need to trace an action from start to finish there needs to be a way to have near zero data loss and more times than not, no downtime.
Business continuity is a step down on both RPO and RTO from high availability. The idea here is not about instantaneous recovery, it’s about making sure the business can continue to function after catastrophe hits. VMware and similar technologies using redundant infrastructure do a great job of providing business continuity; the key, how this environment is set up and over what distance, if any at all.
Disaster recovery covers both high availability and business continuity. Disaster recovery can also simply include a copy of data that sits on tape or a storage area network. The key here, where does that data reside. Having a copy of the information in the same location as the source data won’t offer protection against nearly every major catastrophe. This “old school mindset” really only protects a business from power outage, data corruption, or system related outages. Does your business implement this simplistic disaster recovery method?
Hurricane Sandy devastated the east coast in 2013 and a number of hospitals were directly impacted. One facility, a client at the time, shut their doors after the storm due to massive damage. I recall their data center was in the basement and water rose to the 5th floor; everything in the data center was destroyed. Without offsite data storage, not only would this hospital be out of business, they would have no way to run down their accounts receivable to obtain payment for services rendered.
While working with a global storage provider that was within a couple miles of the most devastating fire in Colorado history, I found out they have zero data protection outside of their server room. If the building burned down, as did so many others during this catastrophe, this company would’ve gone out of business. Data is key, protecting it is fundamental.
The recent 6.0 earthquake in Napa Valley shows the need for not only private industry to understand and implement realistic and attainable disaster recovery, Government must do the same. When certain disasters strike they can impact our infrastructure including gas, electricity, and transportation. Computer systems run large amounts of critical systems including transportation signals, lighting, and gas and electric power to the populace. Without proper disaster recovery with the necessary RPO and RTO in place, a community can suffer major impact. Government cannot only consider physical infrastructure when preparing for disaster, they have to understand the information technology impact as well.
A major impetus in creating this article revolves around the discrepancy between what a business believes they have in place versus what truly exists. So many organizations, often up to and including board of director requirements, create extensive disaster recovery plans. Unfortunately, oftentimes significant variance exists between what the business says they want, and what’s actually in place. Third party audits are critical to help close this gap. Before that audit can occur though, leadership has to know about and acknowledge the gap. Education is key; know there’s a problem and act!
Sign up today for free & stay current with local IT news.
