You can’t blame IT and business leaders if they’re feeling a little paranoid about security these days. Headlines are rife with disastrous breaches:
• June 12 – AT&T announces that personal information, including Social Security numbers and call records, was accessed for an unknown number of AT&T Mobility customers by people outside of the company.
• May 26 - eBay announces a breach that may have affected more than 100 million users and which is now the subject of an investigation by the Federal Trade Commission.
• December 2013 — Target announces the loss of data from 40 million credit and debit card accounts, which eventually costs the CEO and CIO their jobs.
And with more and more businesses deploying cloud computing services every day, the security stakes are even higher. A new report from the Ponemon Institute (Data Breach: The Cloud Multiplier Effect) reports that cloud deployments can triple the chances of a serious data breach.
Here’s the other piece of this perfect storm: Gartner is predicting that the bulk of new IT spending will be for cloud computing platforms and applications by 2016.
And when we say “cloud,” don’t be lulled into thinking the “cloud” is a homogeneous, turnkey entity. A recent survey found companies use an average of 24 different file-sharing services and 91 different collaboration services, with an average of 759 cloud services per organization.
That’s generating a boon for the cloud-based security services market, which will rise to $3.1 billion globally in 2015, Gartner estimates.
Malicious exploits are gaining a foothold in web hosting servers, name servers and data centers across the Internet, according to Cisco’s 2014 Annual Security Report. Buffer errors are a leading threat, and malware attacks are shifting toward electronics manufacturing and the agriculture and mining industries at about six times the average encounter rate across industry verticals, the study found.
Although spam is on the decline, the proportion of malicious spam remains constant, the study also found. Some 91 percent of web exploits are in Java and “watering hole” attacks are targeting specific industry-related websites to deliver malware.
Most significant is that compromised networks may go undetected over long periods and that threat alerts are on the rise.
The popularity of cloud technologies complicates the security challenge. But IT and business leaders have no choice – the cloud is here to stay because it delivers on its promise of speed, agility and lower costs. And cloud is an essential part of the Internet of Everything - the convergence of Cloud, Mobility, Big Data and Analytics, and ubiquitous sensor technologies that are changing the way business gets done — and the way we live.
Could the stakes be higher?
Best practices for cloud security
All this means that organizations must have the appropriate security strategies and tools in place to protect against infrastructure attacks. Unfortunately, many organizations don’t have security staff with the expertise and experience to safeguard against potential threats as they move to cloud computing and their businesses become more mobile. Consequently, it’s critical that organizations be aware of what is on their network and in the cloud – everything from devices and operating systems to applications and users.
Prior to an attack, IT executives should ensure that access controls are implemented; security policies are enforced; and applications and access to critical assets are blocked, according to the Cisco report. But policies and controls are just one part of the equation; attackers inevitably will still be able to find gaps.
Solutions must be in place everywhere there is the potential for an attack so that when one occurs, security professionals are better positioned to block threats and help defend the infrastructure. Organizations must also have formal plans in place to address how to contain an attack and remediate it. When seeking help from a cloud provider, be sure to find out:
• Are they using the latest technologies to identify, protect and remediate threats?
• What assurances do they provide around secure data handling, storage and transmission?
• What types of audits do they perform and how often?
• What kind of physical security do they maintain?
Top-tier cloud providers offer higher levels of security than most businesses have on their own, especially SMBs with little to no internal IT staff. But as they increasingly seek the benefits of cloud computing, it’s up to the organization to do its due diligence.