The cloud presents distinct new attack vectors along with new variations on traditional threats like compromised accounts and rogue insiders. This week’s CISO Beat looks at what CISOs are talking about on Twitter, including new network and information security requirements from the EU, the 3 biggest concerns about external cyber threats, 5 steps to secure data in the cloud, and how the FCC fast-tracked its move to the cloud. Read on for security tips from real-world professionals on transitioning to a cloud-first IT environment.
Past data privacy laws in Europe appeared toothless to many. A regulator dismissed a 900,000 euro fine against Google as “pocket money”. The new data privacy law, the General Data Protection Regulation (GDPR), aims to hold companies accountable with far larger fines, up to 4 percent of worldwide annual turnover or 20 million euros, whichever is greater, while also expanding companies’ responsibilities for protecting personal data. All global organizations should be familiar with the law, since it applies to any company that processes the personal data of people in the EU, regardless of where the company itself is based. The GDPR may serve as a model for future regulation elsewhere, so IT professionals should stay tuned: Bermuda’s Personal Information Protection Act (PIPA) is one such law and will come into effect for Bermuda residents in the near future.
— Phil Cracknell (@pcracknell) July 4, 2016
While some have disparaged the GDPR for encumbering businesses, IT professionals know firsthand that trust and confidence are prerequisites to adopting new technology, especially when sensitive data is involved. The EU continues to lead the way in cybersecurity standards with a new directive this week, the Network and Information Security (NIS) Directive, governing critical infrastructure. It comes at a time when cyber attacks have begun to hit physical infrastructure. In December 2015, attackers cut power to roughly 230,000 customers in Ukraine by compromising regional electricity distribution companies, and in March 2016 the US indicted members of an Iranian group for penetrating the control network of a small dam in New York state. The new directive will force operators of essential services to meet minimum cybersecurity standards and to report significant incidents. Although these organizations typically lag far behind private sector cybersecurity leaders, the directive is a step in the right direction. Because it is a directive rather than a regulation, each member state must transpose it into national law; the constraining factor may come down to budget, and it remains to be seen whether individual nations will include funding provisions alongside their local enforcement.
New EU directive requires critical infrastructure to improve cyber-security https://t.co/ojZfVN6tJn
— Dr. JR Reagan (@IdeaXplorer) July 6, 2016
The aforementioned attacks on public infrastructure shared a common trait: in both cases the assailants were state-sponsored professional hacking groups. Private sector organizations are not immune from state-sponsored groups either, since geo-political tensions can drag companies into the crosshairs. Sometimes diplomacy is the most effective response; the number of US data breaches attributed to China reportedly fell after the US government confronted Beijing over the issue in 2015. In the absence of government protection, private sector companies can feel outgunned by well-funded state actors. While the vast majority of organizations cannot match the resources of a determined, organized attacker, basic controls like multi-factor authentication and phishing training can significantly reduce the risk of a catastrophic breach, because most intrusions, state-sponsored or not, still begin with a stolen password or a clicked link.
3 of the biggest concerns about external cyber threats https://t.co/ckz27TI8gx
— SecBarbie (@SecBarbie) July 6, 2016
One way companies strive to get a leg up on potential attacks is through the improved security of cloud services. Companies like Microsoft, Salesforce, and Box employ elite security teams and are able to invest more in security and infrastructure than other large enterprises whose business is not IT. Under the shared responsibility model, the cloud service provider secures the underlying infrastructure and, for SaaS, the application itself. Customers remain responsible for their own identities, access controls, data, and user behavior, so they still face a range of internal and external threats, and many require additional security on top of what cloud providers offer. Cloud customers turn to cloud access security brokers (CASB) as a central control point for managing the security of all cloud services in use. As companies reach greater maturity on the cloud adoption curve, they also implement a cloud governance framework to ensure corporate policies extend to SaaS applications. If the web proxy or firewall is a necessary technology to protect the corporate network, CASB is essential to protecting the cloud.
— Dan Lohrmann (@govcso) July 6, 2016
IT leaders planning to move to the cloud can avoid missteps by learning from those who have gone before. FCC CIO David Bray, a respected voice on progressive IT strategies, shares how he moved his entire organization to the cloud under a tight timeline. By taking a cloud-first approach and moving as many systems as possible off-premises, Bray reduced spend on operations and maintenance from 85 percent of the agency’s IT budget to less than 50 percent. Only 25.1 percent of IT professionals currently have a “cloud first” philosophy, but their expectations point to the growing dominance of cloud: they anticipate that 41.0 percent of their organization’s computing workloads will run on public cloud IaaS within the next 12 months.
How the FCC fast-tracked its journey to the cloud: CIO David Bray explains how he was able to move the FCC fu… https://t.co/npsSiEDrSB
— Nikk Gilbert (@nikkgilbert) July 6, 2016