A good carpenter never blames his tools, but carpenters never had to keep data on countless platforms secure from criminal and state-sponsored hackers. Like it or not, enterprises can be at the mercy of the security capabilities of their technology – both in their cloud services and their security tools.
Transparency Moves the Security Needle
In theory, customer-managed servers offer the reassurance of knowing your data is in safe hands – your own. In practice, however, this has proven too good to be true. The reality of updating and implementing security features for on-premises networks has directly led to several of the most catastrophic data breaches in the past year.
Publicly-hosted cloud services offer a reprieve from the difficulties of making sure every last one of your servers supports multi-factor authentication. Trust lies at the core of cloud’s utility computing model. Leading cloud service providers can dedicate more resources to security than most enterprises, but not all providers deserve to be trusted with sensitive data.
The best way to move the security needle forward is transparency, which rewards security investment success and punishes failures. Michael Coates of Twitter points out that a new tool from Google will provide incentive for perpetrators of information security malpractice to clean up their acts. All too often, shaming entities for poor security procedures is the most effective method of achieving progress.
Warnings don't help users, but do motivate providers to change https://t.co/HlnRdgYB7z
— Michael Coates (@_mwc) November 16, 2015
The inverse is true for positive feedback. Demand for enterprise-ready cloud solutions has proven that security capabilities follow market forces. Solid security is a competitive differentiator for cloud services, and legacy providers have felt the pressure from incumbents. Jan Winter of ING highlights Microsoft’s security turnaround, “from worst in class to best in class.” With the announcement of Microsoft Graph this week, Microsoft became the latest enterprise cloud provider to foster an API ecosystem for third-party security providers. As more and more companies move to cloud applications like Office 365, Microsoft has stepped up security to claim its share of the enterprise cloud market.
— Jan Winter (@janwinter15) November 17, 2015
Managing Information Overload
No technology is a cure-all, but the best can help enterprises stay one step ahead of attackers while enabling employee productivity and collaboration. Unfortunately, tools’ ability to gather data can quickly outpace the security team’s ability to analyze the information. Daniel Kennedy of 451 Research bemoans the position of CISOs looking to analytics tools like a SIEM without fully understanding the application. This dilemma suggests two best practices for security providers. First, security companies need to automate data analysis and deliver actionable insights. Second, the best security vendors need to deliver more than a product and provide expertise and guidance, making them security partners – especially in emerging environments like cloud.
I got logs…I assume there's data in there I might want, but I don't want to look too hard for it. SIEM me. https://t.co/BMnRBfgI0g
— Dan Kennedy (@danielkennedy74) November 14, 2015
We go back to Coates for another shortcoming of security tools: too much noise. By his definition, security tools need to decrease manual security effort, prioritizing accuracy over volume of alerts – and even over missed alerts. Tools with excessive false positives actually make the security team less efficient, while tools with false negatives (missed incidents) can be layered with other tools and still provide a marginal benefit for the organization. Risk is almost never a single-variable equation. The most accurate security tools need to pull information from a wide range of sources. With regard to cloud services specifically, companies need to look not only at the risk of a service or the volume of data downloaded or uploaded, but also at contextual risk variables like the type of device, the content of the data accessed, and the user’s historic risk profile.
Security Tools : Why more findings are bad for your security program https://t.co/iXIoW5XXFt
— Michael Coates (@_mwc) November 12, 2015
Compromised accounts and rogue insiders have expanded to SaaS services, meaning companies have to address a cloud threat landscape of similar complexity and severity to on-premises systems of record. Security researcher Dr. John Johnson shares a framework for understanding the “security portfolio capabilities” that enterprises need to address. Don’t look for cloud security under a single bullet point; rather, cloud security spans many areas, including governance, access control, data security, incident response, mobile security, privacy protection, threat intelligence, and compliance. Cloud security should involve an extension of existing data security and governance policies to ensure consistency with how companies manage sensitive data on-premises.
What do you think of this approach to categorize cybersecurity capabilities into "sweet 16" practice areas? https://t.co/GnHoNtaN3X
— Dr. John D. Johnson (@johndjohnson) November 15, 2015
Zoom out, from down in the weeds to the boardroom. Lähi Tapiola CISO Leo Niemelä shared an article on the increasingly strategic role CISOs adopt in managing enterprise risk. “In the near future, every business will be a digital business,” the article opens, and CISOs will play a critical role in shepherding this transformation. Just as brakes actually allow cars to travel faster, CISOs need to remove security barriers slowing growth and innovation. Progressive CISOs don’t only need to manage a varied and dynamic security portfolio; they must also understand the organization’s holistic risk and become a strategic partner to the business units.
CISOs are becoming risk leaders https://t.co/wy1uJUf24f
— Leo Niemelä (@leoniemela) November 15, 2015