Five Key IT Security Issues for the Next Two Years
Service providers, given the nature of their business, are a prime “aggregation” for all types of sensitive/valuable data
May. 13, 2014 11:15 AM
Last month, the Information Security Forum released their annual prediction of the top 10 information security threats they foresee for the next two years - through 2016. While I found the entire list insightful, half of the list resonated strongly with me as someone who is working with large enterprises as they wrestle with security and compliance challenges as they embark on cloud adoption. I believe this group of five predictions is particularly relevant for anyone utilizing the cloud over the next two years and I've added a few of my own thoughts on each.
1. Service Providers Become a Key Vulnerability
I find this first prediction especially valid and timely because of some recent headlines. Service providers, given the nature of their business, are a prime "aggregation" for all types of sensitive/valuable data. Cyber criminals and hackers realize this, which puts a big target on the backs of service providers. Think about it - a successful breach equals a treasure trove of coveted information from potentially multiple tenants. And the reality is that service providers acting as a central storage point for large amounts of sensitive data will continue to increase over the next two years, so the prize will only become richer. In response and in preparation, enterprises need to takes steps to protect their most sensitive and important data and decide which data they truly need to send to public cloud service providers.
2. Mobile Apps Become the Main Route for Compromise
Mobile apps, deployed on bring your own device (BYOD) technologies (tablets, cell phones, etc.) make it extremely difficult for IT departments to control where and how their sensitive data is accessed and by whom. BYOD means many heavily used employee devices will be actively in use and the reality is that this equipment does not have the same security in place as corporate owned devices. This, when combined with the proliferation of cloud applications (used for both personal and business), creates a perfect storm for compromising corporate data. Because of this scenario, IT and security should deploy security techniques that treat subsets of their data differently, with different levels of restriction and more security for the most sensitive data and Intellectual Property.
3. Encryption Fails
This is a very broad and provocative statement, as encryption use is increasing in the marketplace and many enterprises are becoming dependent on it for some of their data security needs. If someone asked me if this statement is true - Will encryption fail? - I would have to say that - Yes, some encryption will fail. That's because not all encryption is created equal. Enterprises need to understand that some encryption is much stronger than others; there are differences in how the technology is deployed. At Perspecsys, we allow customers to deploy the most secure, FIPS 140-2 validated encryption techniques. We also have the enterprise maintain physical ownership of the encryption keys. Both of these points are critical for successful deployment. And we support tokenization, another security method that many in the industry find has unique strengths when compared to encryption. (More information on tokenization is available here on our website.)
4. The CEO Gets It, Now You Have to Deliver
We are now hearing that cloud security is a board-level issue, so I agree that the CEO must "get it" since the CEO reports into this group. We are now starting to see generous budgets being allocated for cloud protection and security projects and IT and security teams have more resources than in the past to help combat operational risks to the business. It's now up to the IT and security teams to find the best technology and solutions for their enterprise's unique needs.
5. Information Security Fails to Work with New Generations
This is perhaps the most critically important observation. Clearly security solutions that interfere or inhibit with the way workers need to engage with the cloud will be unsuccessful. Why? Well, because employees will always find a way to work around them. Or, in a perhaps another scenario, there will be end-user pushback and operational issues that will land in the lap of IT and Security teams, creating organizational divisiveness (e.g., "those guys are stopping me from being able to do my job") and a significant productivity hit. This is why we have done a tremendous amount of original research to figure out ways in our cloud data control gateway to remain transparent/invisible to end users, meaning they can utilize cloud applications as needed and still perform functions such as search/sort on data, even when data has been tokenized or encrypted.
I commend the authors of the piece for their predictions and foreword looking insights that will help provoke the right conversations among many enterprise IT and Security teams. It sounds like the Information Security Forum is talking to some of the same people that we talk to and undoubtedly their predictions will help organizations think about how to improve and solidify their corporate IT and Security policies over the next couple years.
Read the original blog entry...
Perspecsys Inc. is a leading provider of cloud data tokenization and cloud encryption solutions that enable mission-critical cloud applications to be adopted throughout the enterprise. Cloud security companies like Perspecsys remove the technical, legal and financial risks of placing sensitive company data in the cloud. Perspecsys accomplishes this for many large, heavily regulated companies across the world by never allowing sensitive data to leave a customer's network, while maintaining the functionality of cloud applications. For more information please visit perspecsys.com or follow on Twitter @perspecsys.