Jim Harris

My name is Jim Harris, I am the Blogger-in-Chief of OCDQ Blog, and an independent consultant, speaker, and freelance writer for hire.


Entries in Data Security (4)

Monday, October 24, 2011

The Data Encryption Keeper

This blog post is sponsored by the Enterprise CIO Forum and HP.

Since next week is Halloween, and Rafal Los recently blogged about how most enterprise security discussions are FUD-filled (i.e., filled with Fear, Uncertainty, and Doubt) horror stories, I decided to use Tales from the Crypt as the theme for this blog post.


Tales from the Encrypted

One frightening consequence of the unrelenting trend of the consumerization of IT, especially cloud computing and mobility, is that not all of the organization’s data is stored within its on-premises technology infrastructure, or accessed using devices under its control.  With an increasing percentage of enterprise data constantly in motion as a moving target in a sometimes horrifyingly hyper-connected world, data protection and data privacy are legitimate concerns and increasingly complex challenges.

Cryptography has a long history that predates the Information Age, but data encryption via cryptographic computer algorithms has played a key (sorry, I couldn’t resist the pun) role in the history of securing the organization’s data.  But instead of trying to fight the future of business being enabled by cloud and mobile technologies like it was the Zombie Data-pocalypse, we need a modern data security model that can remain good for business, but ghoulish for the gremlins, goblins, and goons of cyber crime.

Although some rightfully emphasize the need for stronger authentication to minimize cloud breaches, data encryption is often overlooked—especially who should be responsible for it.  Most cloud providers use vendor-side encryption models, meaning that their customers transfer non-encrypted data to the cloud, where the cloud vendor then becomes responsible for data encryption.


The Data Encryption Keeper

However, as Richard Jarvis commented on my previous post, “it’s only a matter of time before there’s a highly public breakdown in the vendor-side encryption model.  Long term, I expect to see an increase in premium, client-side encryption services targeted at corporate clients.  To me, this will offer the best of both worlds, and will benefit both cloud vendors and their clients.”

I have to admit that in my own security assessments of cloud computing solutions, I have verified that the cloud vendor was using strong data encryption methods, but I didn’t consider that the responsibility for cloud data encryption might be misplaced.

So perhaps one way to prevent the cloud from becoming a haunted house for data is to pay more attention to who is cast to play the role of the Data Encryption Keeper.  And perhaps the casting call for this data security role should stay on-premises.
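To make the two models concrete, here is an added Go example (not code from this post, from Richard Jarvis, or from any cloud vendor) in which a stored object is sealed either by the provider with its own key (vendor-side) or by the customer with a key that never leaves the premises before upload (client-side). AES-GCM from Go's standard library, the 32-byte keys and the helper names are assumptions; the point it demonstrates is that whoever holds the key is the Data Encryption Keeper, because `providerCanRead` succeeds only for objects sealed under the provider's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm wraps a key in AES-GCM, an authenticated cipher that also detects tampering.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext and prepends the random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails under the wrong key or if the bytes were altered.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// providerCanRead: with only the key the provider holds, can it recover the
// plaintext? Vendor-side (sealed under providerKey) yes; client-side no.
func providerCanRead(providerKey, stored []byte) bool {
	_, err := open(providerKey, stored)
	return err == nil
}
```

In the vendor-side flow the customer uploads plaintext and the provider calls `seal` with its own key; in the client-side flow the customer calls `seal` with an on-premises key and uploads only the result, so a provider-side breach exposes ciphertext rather than data.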


Monday, October 17, 2011

The Cloud Security Paradox

This blog post is sponsored by the Enterprise CIO Forum and HP.

Nowadays it seems like any discussion about enterprise security inevitably becomes a discussion about cloud security.  Last week, as I was listening to John Dodge and Bob Gourley discuss recent top cloud security tweets on Enterprise CIO Forum Radio, the story that caught my attention was the Network World article by Christine Burns, part of a six-part series on cloud computing, which had a provocative title declaring that public cloud security remains Mission Impossible.

“Cloud security vendors and cloud services providers have a long way to go,” Burns wrote, “before enterprise customers will be able to find a comfort zone in the public cloud, or even in a public/private hybrid deployment.”  Although I agree with Burns, and I highly recommend reading her entire excellent article, I have always been puzzled by debates over cloud security.

A common opinion is that cloud-based solutions are fundamentally less secure than on-premises solutions.  Some critics even suggest cloud-based solutions can never be secure.  I don’t agree with either opinion because to me it’s all a matter of perspective.

Let’s imagine that I am a cloud-based service provider selling solutions leveraging my own on-premises resources, meaning that I own and operate all of the technology infrastructure within the walls of my one corporate office.  Let’s also imagine that in addition to the public cloud solution that I sell to my customers, I have built a private cloud solution for some of my employees (e.g., salespeople in the field), and that I also have other on-premises systems (e.g., accounting) not connected to any cloud.

Since all of my solutions are leveraging the exact same technology infrastructure, if it is impossible to secure my public cloud, then it logically follows that not only is it impossible to secure my private cloud, but it is also impossible to secure my on-premises systems as well.  Therefore, all of my security must be Mission Impossible.  I refer to this as the Cloud Security Paradox.

Some of you will argue that my scenario was oversimplified, since most cloud-based solutions, whether public or private, may include technology infrastructure that is not under my control, and may be accessed using devices that are not under my control.

Although those are valid security concerns, they are not limited to—nor were they created by—cloud computing, because with the prevalence of smart phones and other mobile devices, those security concerns exist for entirely on-premises solutions as well.

In my opinion, cloud-based versus on-premises, public cloud versus private cloud, and customer access versus employee access, are all oversimplified arguments.  Regardless of the implementation strategy, technology infrastructure and especially your data needs to be secured wherever it is, however it is accessed, and with the appropriate levels of control over who can access what.

Fundamentally, the real problem is a lack of well-defined, well-implemented, and well-enforced security practices.  As Burns rightfully points out, a significant challenge with cloud-based solutions is that “public cloud providers are notoriously unwilling to provide good levels of visibility into their underlying security practices.”

However, when the cost savings and convenience of cloud-based solutions are accepted without a detailed security assessment, that is not a fundamental flaw of cloud computing—that is simply a bad business decision.

Let’s stop blaming poor enterprise security practices on the adoption of cloud computing.


Monday, September 26, 2011

The Good, the Bad, and the Secure

This blog post is sponsored by the Enterprise CIO Forum and HP.

A previous post examined the data aspects of enterprise security, which requires addressing both outside-in and inside-out risks.

Most organizations tend to both overemphasize and oversimplify outside-in data security using a perimeter fence model, which, as Doug Newdick commented, “implicitly treats all of your information system assets as equivalent from a security and risk perspective, when that is clearly not true.”  Different security levels are necessary for different assets, and therefore a security zone model makes more sense, where you focus more on securing specific data or applications, and less on securing the perimeter.

“I think that these sorts of models will become more prevalent,” Newdick concluded, “as we face the proliferation of different devices and platforms in the enterprise, and the sort of Bring Your Own Device approaches that many organizations are examining.  If you don’t own or manage your perimeter, securing the data or application itself becomes more important.”

Although there’s also a growing recognition that inside-out data security needs to be improved, “it’s critical that organizations recognize the internal threat can’t be solved solely via policy and process,” commented Richard Jarvis, who recommended an increase in the internal use of two-factor authentication, as well as the physical separation of storage so highly confidential data is more tightly restricted within a dedicated hardware infrastructure.

As Rafal Los recently blogged, the costs of cyber crime continue to rise.  Although the fear of a cloud security breach is the most commonly expressed concern, Judy Redman recently blogged about how cyber crime doesn’t only happen in the cloud.  With the growing prevalence of smart phones, tablet PCs, and other mobile devices, data security in our hyper-connected world requires, as John Dodge recently blogged, that organizations also institute best practices for mobile device security.

Cloud, social, and mobile technologies “make business and our life more enriched,” commented Pearl Zhu, “but on the other hand, this open environment makes the business environment more vulnerable from the security perspective.”  In other words, this open environment, which some have described as a multi-dimensional attack space, is good for business, but bad for security.

Most organizations already spend a fistful of dollars on enterprise security, but they may need to budget for a few dollars more because the digital age is about the good, the bad, and the secure.  In other words, we have to take the good with the bad in the more open business environment enabled by cloud, mobile, and social technologies, which requires a modern data security model that can protect us from the bad without being overprotective to the point of inhibiting the good.


Tuesday, September 13, 2011

Securing your Digital Fortress

This blog post is sponsored by the Enterprise CIO Forum and HP.

Although its cyber-security plot oversimplifies some technology aspects of data encryption, the Dan Brown novel Digital Fortress is an enjoyable read.  The digital fortress of the novel was a computer program thought capable of creating an unbreakable data encryption algorithm, but it’s later discovered the program is capable of infiltrating and dismantling any data security protocol.

The data aspects of enterprise security are becoming increasingly prevalent topics of discussion within many organizations, which are pondering how secure their digital fortress actually is.  In other words, whether or not their data assets are truly secure.

Most organizations focus almost exclusively on preventing external security threats, using a data security model similar to building security, where security guards make sure that only people with valid security badges are allowed to enter the building.  However, once you get past the security desk, you have mostly unrestricted access to all areas inside the building.

As Bryan Casey recently blogged, the data security equivalent is referred to as “Tootsie Pop security,” the practice of having a hard, crunchy, security exterior, but with a soft security interior.  In other words, once you enter a valid user name and password, or as a hacker you obtain or create one, you have mostly unrestricted access to all databases inside the organization.

Although hacking is a real concern, this external focus could cause companies to turn a blind eye to internal security threats.

“I think the real risk is not the outside threat in,” explained Joseph Spagnoletti, “it’s more the inside threat out.”  As more data is available to more people within the organization, and with more ways to disseminate data more quickly, data security risks can be inadvertently created when sharing data outside of the organization, perhaps in the name of customer service or marketing.

A commonly cited additional example of an inside-out threat is cloud security, especially the use of public or community clouds for collaboration and social networking.  The cloud complicates data security in the sense that not all of the organization’s data is stored within its physical fortresses of buildings and on-premises computer hardware and software.

However, it must be noted that mobility is likely an even greater inside-out data security threat than cloud computing.  Laptops have long been the primary antagonist in the off-premises data security story, but with the growing prevalence of smart phones, tablet PCs, and other mobile devices, the digital fortress is now constantly in motion, a moving target in a hyper-connected world.

So how do organizations institute effective data security protocols in the digital age?  Can the digital fortress truly be secured?

“The key to data security, and really all security,” Bryan Casey concluded, “is the ability to affect outcomes.  It’s not enough to know what’s happening, or even what’s happening right now.  You need to know what’s happening right now and what actions you can take to protect yourself and your organization.”

What actions are you taking to protect yourself and your organization?  How are you securing your digital fortress?
