Welcome!

Microsoft Cloud Authors: Liz McMillan, David H Deans, Automic Blog, Pat Romanski, Janakiram MSV

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security, @BigDataExpo, FinTech Journal

@CloudExpo: Article

Governance Must Drive All Security Initiatives... Even Cloud

Risk is not unique to the cloud and transcends technology

“The ‘how’ may change, but the ‘what’ is fundamental to risk management.”

I heard these sage words at a recent ISSA (Information Systems Security Association) meeting from a CIO speaking about security from the cloud.

He continued, “Risk is not unique to the cloud. It experiences the same issues that affect any outsourcing or third party deliverable. It is bounded by the same concerns regarding governance—does it meet the requirements of my industry? Is my data free from co-mingling? Are the proper notification protocols in place?”

Do a Google search on “cloud security” and the first entry is “How secure is the cloud?” True professionals know the argument is not about technology or how security is delivered, but rather one of governance. You need to know exactly who HAS access to what resources and if these levels of access are appropriate. You need to know who IS accessing resources, and if they don’t have the proper credentials, you need to be notified immediately to take further preventive action. You need know that protocols for compliance are in place and routinely and successfully generate the reporting for periodic audits. You need to know your rights, liabilities (SLA) for any application or service acquired and that they conform to your risk management practices.

The key asset in all this is data. Data is stored in many forms, via many servers and applications across the enterprise and it is processed and accessed in just as many ways. Effective governance is the ability to have a centralized map of all these information roads and create certain controlled access points, road blocks (encryption), privileged private lanes/public highways…in short, governance is about accountability.

This then becomes an internal process; making sure you have the identity management rules and capabilities in place, making sure the access management provisioning is set. Ensuring you employ the means to view it under a single pane of glass (unified security) in order to make the necessary decisions to better secure the data. You must have context and historical perspective.  The chief component to governance is visibility. And any first course of action would be to enhance existing visibility.

Governance is a critical challenge. Not every “whizz bang” development (be it cloud application or nifty BYOD device) will be able to meet a particular organization’s governance standards. It is up to the CIO or CSO’s due diligence to understand all the implications on how the deployment will affect the holistic enterprise. What liabilities are exposed? What vulnerability gaps does it close? How could it impact user productivity versus potential risks? The answer will not be the same for every company. However, dismissing cloud out of hand is not only faulty and outdated logic, but can restrict the organization from responsible growth.

“When cloud computing is treated as a governance initiative, with broad stakeholder engagement and well-planned risk management activities, it can bring tremendous value to an enterprise," said Emil D'Angelo, CISA, CISM, international president of ISACA and founding member of the Cloud Security Alliance.

This extends to the functions and capabilities of managing security from the cloud (cloud-based security) as well. When due diligence is done, a CIO will have a clear idea of an initiative’s risk versus return and whether a cloud security deployment meets the individual requirements of the company. And, with all things being equal in terms of control, compliance and reach, then the significant benefits of the cloud and its affordability, scalability and agility make it a wise investment. But cost savings should not be the first line of acceptance (although he TCO and ROI are considerable). Any security solution must first prove it is up to the task of preserving IP, upholding all aspects of regulatory compliance and keeping sensitive data sacrosanct.

To gain this level of governance visibility, it potentially incorporates several solution sets that need to work in harmony and do so in real time. It needs to connect (and put into proper context) certification, policies, roles and requests. For example, seeing who has accessed a certain application gives you historical perspective, but, what if it is a retired account or tries using a decommissioned password? If you know within moments of its occurrence, you can trace the attempt and prevent further breaches. Or if a partner accesses certain parts of your database to which they are entitled, but quadruples their order in the dead of night to be shipped to Phnom Penh? Or through an open back door, a “customer” can see and download other clients Tax ID numbers. There are literally thousands of scenarios by which leveraging the cooperative functionality of IDM, AM, SIEM and Log Management creates not only the holistic visibility to drive governance policies, but offers significant barriers to keep the IT enterprise safer.

Security is just as much about weighing the risk/return scenarios as it is bolting the castle door against the enemy.  Cloud security (and to a greater extent, a unified security initiative from the cloud) can be the effective, flexible and strong enterprise balance for prevention and audit. The challenge facing most security teams, therefore, is to provide line-of-business users with the access they need while ensuring that the access is appropriate and does not expose the enterprise to unnecessary business risk. But first you must ensure visibility--and when you know where all your data is and all the multiple ways that it is available, then you can best manage the policies, roles, and security functions that best connects your requirements.

 

Kevin Nikkhoo
Governor of the Cloud!
www.cloudaccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@ThingsExpo Stories
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor - all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
My team embarked on building a data lake for our sales and marketing data to better understand customer journeys. This required building a hybrid data pipeline to connect our cloud CRM with the new Hadoop Data Lake. One challenge is that IT was not in a position to provide support until we proved value and marketing did not have the experience, so we embarked on the journey ourselves within the product marketing team for our line of business within Progress. In his session at @BigDataExpo, Sum...
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
What sort of WebRTC based applications can we expect to see over the next year and beyond? One way to predict development trends is to see what sorts of applications startups are building. In his session at @ThingsExpo, Arin Sime, founder of WebRTC.ventures, will discuss the current and likely future trends in WebRTC application development based on real requests for custom applications from real customers, as well as other public sources of information,
In his General Session at 17th Cloud Expo, Bruce Swann, Senior Product Marketing Manager for Adobe Campaign, explored the key ingredients of cross-channel marketing in a digital world. Learn how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects).
"My role is working with customers, helping them go through this digital transformation. I spend a lot of time talking to banks, big industries, manufacturers working through how they are integrating and transforming their IT platforms and moving them forward," explained William Morrish, General Manager Product Sales at Interoute, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
With the introduction of IoT and Smart Living in every aspect of our lives, one question has become relevant: What are the security implications? To answer this, first we have to look and explore the security models of the technologies that IoT is founded upon. In his session at @ThingsExpo, Nevi Kaja, a Research Engineer at Ford Motor Company, will discuss some of the security challenges of the IoT infrastructure and relate how these aspects impact Smart Living. The material will be delivered i...
SYS-CON Events announced today that Ocean9will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Ocean9 provides cloud services for Backup, Disaster Recovery (DRaaS) and instant Innovation, and redefines enterprise infrastructure with its cloud native subscription offerings for mission critical SAP workloads.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, will provide a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services ...
In his session at @ThingsExpo, Eric Lachapelle, CEO of the Professional Evaluation and Certification Board (PECB), will provide an overview of various initiatives to certifiy the security of connected devices and future trends in ensuring public trust of IoT. Eric Lachapelle is the Chief Executive Officer of the Professional Evaluation and Certification Board (PECB), an international certification body. His role is to help companies and individuals to achieve professional, accredited and worldw...
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
"delaPlex is a software development company. We do team-based outsourcing development," explained Mark Rivers, COO and Co-founder of delaPlex Software, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
SYS-CON Events announced today that Technologic Systems Inc., an embedded systems solutions company, will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Technologic Systems is an embedded systems company with headquarters in Fountain Hills, Arizona. They have been in business for 32 years, helping more than 8,000 OEM customers and building over a hundred COTS products that have never been discontinued. Technologic Systems’ pr...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...