As part of the WTIA’s IT Security event series, they hosted a Privacy of the Cloud panel discussion at KPMG last week. Our very own Director of Cloud Strategy, Lee Pallat, was one of the panelists, along with Co-Founder of Déjà Vu Security, Akshay Aggarwal, Founder of Rhino Security Labs, Benjamin Caudill, and Manager at KPMG, Kerri Murphy.

If you missed the event, you can read a recap on our blog, or watch the video. Interesting discussion about privacy and security related to the cloud and how it’s changing businesses, IT departments, and consumers.

21303831_s


Cloud security as it relates to the consumer

The growing popularity of the Internet of Things (IOT) and connected devices allows for an ever-increasing amount of your personal information to potentially be sold to the highest bidder.  Having new technology is great; having a car that could drive you to work would be amazing, but it is important to be a smart consumer if you are partaking in this new technology trend. If it is possible (not 30 pages of legalese), read the privacy agreement, know where and how your information is being stored and who it is shared with. You can also help to fight for more legislation around security standards for these types of devices and the companies that sell them.

Currently, businesses that process credit card payments or handle sensitive health care data are held to security guidelines provided by HIPAA or PCI DSS regulations/rules. For the average business out there, it is up to each individual company to determine how they secure, store and around transport their users data.

The FTC is starting to get involved; they recently released a detailed report urging businesses to take concrete steps in protecting the privacy and security of American consumers. One step in the right direction.

Cloud security as it relates to enterprise businesses and IT

For most enterprise IT executives the security issues keeping them up at night are related to how they are going to protect their business, data, applications, and end-users from the evil-doers out there looking to exploit others for notoriety, money, or both.

These are just a few of the security concerns facing enterprise IT brought to you by ActiveState's recent blog post:

  • Transparency from Cloud Service Providers is crucial – providers must be able to immediately expose security specs for the entire stack, including software versions, patch, levels, firewall rules, tracking server snapshots, user access rights, etc.

  • Regulations, processes, standards, practices, and mindsets need to catch up to the highly dynamic technology, apps and services being offered by companies. There is a growing gap between the pace at which processes and regulations change, and the technology of new services and apps being offered for use in today’s marketplace.

  • Real-life means real-time security audits – Security audits should be done as a long-term, ongoing, real-time, continuous process. A one-time snap shot every few months isn’t going to cut it. The audit procedure as well as the overall system needs to adapt to today’s technology.

  • The academic world is devising all sorts of ultra-secure protocols, tools, patterns, and practices, but they are out of touch with the corporate world. Corporations are unable to take advantage of many of these innovations due to legacy processes, existing requirements, hardware, customers, regulations, and other limitations.

  • Look at the big picture – many organizations put a large amount of effort into securing individual systems, VMs, devices, or apps. Their downfall is that they fail to see the big picture and inter-relationship between all of these services, processes, apps and devices. The whole is much more complex than each part.

  • Way too many developers with minimal security expertise are building “secure” products with vulnerabilities due to a lack of deep understanding. Security implementations should be left to the experts, and then made available to general app developers in the form of libraries, tools, services, apps, frameworks, practices, and underlying architecture features.

  • Security guarantees are impossible to “prove”. It’s challenging to provide security assurances to end-users who have no clue about security concepts and assurances that rely on understanding technical concepts and are completely out of reach to most users.

It’s important for enterprise businesses to protect their company from downtime and data loss. Consult with an expert or outsource if needed to find the best solution for your business. There are many sources out these for best practices and industry news. Keep up to date on security trends, new regulations, and service offerings that may be a good fit for your business.