...we're now dealing with infrastructure that must block unwanted access from many sources," he warns.

Instead of focusing on reinforcing network perimeters, managers should establish what cybercriminals had access to when they entered the network, then look at how they can bolster the security around the specific elements that put the organisation at greatest risk, he advises. This might include the following:

Cloud security. "Companies should work closely with their cloud service provider to put in measures to stop unwanted access; however, the responsibility is shared. Start by classifying the data and applications that you are putting in the cloud according to criticality and sensitivity."

Shadow IT. "According to Gartner, 28% of IT spend now occurs outside IT departments. With organisations no longer having full control of their infrastructure, any network user has the ability to install new applications that are managed outside the IT department, without IT being aware." To combat this, IT managers should use a Cloud Access Security Broker (CASB) to safely enable cloud applications, Sollars suggests.

Mobile. IT managers should implement the same security policies across all endpoints - workstations, laptops or mobile devices - and mandate them regardless of employee location, by understanding application use and associating the traffic with users and devices.

Since many cybercriminals can penetrate a network regardless of perimeter security measures, IT managers need to refocus on strengthening the interior elements of the network, he adds.

CONTRACTUAL COMMITMENTS

Every well-known cloud vendor is going to implement most of the common security best practices, both physical security - "let's not forget who potentially has access to the physical hardware" - and cyber security, points out Brian Chappell, senior director, Enterprise & Solutions Architecture, BeyondTrust.
"For both aspects, we need to seek documentation about the vendor's strategy for preventing, monitoring and attenuating hacking into their environment. For the most part, what you are likely to get, unless you are planning to spend the same as the GDP of a small nation, is contractual commitments, which is about as much as you can expect.

"This puts the responsibility back in our court, which is absolutely appropriate for IaaS (Infrastructure as a Service) and PaaS (Platform as a Service); after all, who is going to take responsibility for something they don't maintain the configuration for?" is Chappell's take on this.

"You need to make sure that your cloud vendor has processes and provision for you to verify and maintain the cyber security of your cloud provisions using your tools. For SaaS (Software as a Service) and DBaaS (Database as a Service), it can be a little more complex; but, if you can't scan those systems directly for vulnerabilities, then your vendors should be sharing their security status information with you, ideally unedited. For our part, we need to accept that systems may not always be 100% secure (or as close as it's physically possible to get).

"After all, the systems would be unlikely to be 100% secure inside our own networks (however much we like to tell ourselves that they would). Our cloud vendors should have plans in place to address any outstanding issues, prioritised by the risk that each poses to the solution. At the base level, wherever your data is, the responsibility for its security lies squarely on your shoulders," Chappell adds. "You cannot abdicate that responsibility or pass it on to someone else. You may accept that the lock on your offices will be secure, your lock manufacturer tells you it is, but I bet you still push it to make sure after you've locked it. Why should your data security, internal or cloud, be any different?"

16 computing security July/August 2017 @CSMagAndAwards www.computingsecurity.co.uk
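The shadow IT and mobile advice earlier in the article (work out which cloud applications users and devices are actually sending traffic to, then check them against what IT has sanctioned) is what a CASB does in its log-discovery mode. The following is an added example written for this page; it is not code from the article, from Sollars or from any CASB vendor. It runs that discovery over a few constructed proxy log lines: every destination host is mapped to a catalogued application, usage is attributed to the user and device that generated it, and anything outside the sanctioned list is reported with the volume uploaded to it. The log format, hostnames, application catalogue, user and device names and the sanctioned list are all hypothetical.

```python
"""Shadow-IT discovery over proxy logs (added example, hypothetical data)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hypothetical catalogue: destination host suffix -> cloud application name.
APP_CATALOGUE: Dict[str, str] = {
    "sharepoint.com": "Office 365",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "salesforce.com": "Salesforce",
}

# Applications IT has explicitly approved (hypothetical sanctioned list).
SANCTIONED = {"Office 365", "Salesforce"}

# Constructed proxy log lines: timestamp user device dest_host bytes_out
SAMPLE_LOG = """\
2017-07-03T08:12:04Z alice LAPTOP-01 contoso.sharepoint.com 48213
2017-07-03T08:15:19Z bob PHONE-07 www.dropbox.com 1048576
2017-07-03T08:16:02Z alice LAPTOP-01 wetransfer.com 5242880
2017-07-03T08:20:44Z carol WS-12 login.salesforce.com 2048
2017-07-03T08:21:10Z bob PHONE-07 www.dropbox.com 2097152
2017-07-03T08:25:00Z dave WS-13 example.internal 512
"""


def classify_host(host: str) -> Optional[str]:
    """Return the catalogued application for a host, or None if unknown.

    Matches the registered suffix exactly or as a parent domain, so
    'www.dropbox.com' is Dropbox but 'notdropbox.com' is not.
    """
    host = host.lower()
    for suffix, app in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def parse_line(line: str) -> Tuple[str, str, str, str, int]:
    """Split one whitespace-delimited log line into its fields."""
    ts, user, device, host, bytes_out = line.split()
    return ts, user, device, host, int(bytes_out)


def discover_shadow_it(log_text: str) -> Dict[Tuple[str, str, str], Dict[str, int]]:
    """Aggregate unsanctioned cloud-app usage per (app, user, device).

    Sanctioned applications and hosts not in the catalogue are skipped;
    the remainder is shadow IT. Each entry carries the number of requests
    and the total bytes sent outbound, the figure that matters for data loss.
    """
    usage: Dict[Tuple[str, str, str], Dict[str, int]] = defaultdict(
        lambda: {"bytes_out": 0, "events": 0}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, device, host, bytes_out = parse_line(line)
        app = classify_host(host)
        if app is None or app in SANCTIONED:
            continue
        rec = usage[(app, user, device)]
        rec["bytes_out"] += bytes_out
        rec["events"] += 1
    return dict(usage)


def rank_by_upload(log_text: str) -> List[Tuple[str, str, str, int]]:
    """Return (app, user, device, bytes_out) rows, largest upload first."""
    rows = [
        (app, user, device, rec["bytes_out"])
        for (app, user, device), rec in discover_shadow_it(log_text).items()
    ]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for app, user, device, bytes_out in rank_by_upload(SAMPLE_LOG):
        print(f"UNSANCTIONED {app:<12} {user:<8} {device:<10} {bytes_out:>10} bytes out")
```

Running it lists WeTransfer (alice, LAPTOP-01) ahead of Dropbox (bob, PHONE-07), while the Office 365 and Salesforce traffic is ignored as sanctioned and the internal host as uncatalogued. In production the catalogue is the CASB's application database rather than a four-entry dictionary, and the user/device columns come from the proxy's authentication or agent rather than being present in the raw line, but the join and the policy check are the same.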