There seems to be no clear consensus about how to do cloud security, or even it it’s possible. According to Colin Tankard of Digital Pathways, it really comes down to what you define as ‘secure’.
A lot of it is to do with who needs to see the data and how you access it, he explains in this interview with Steve Mansfield-Devine. However, people aren’t properly monitoring what’s going on with their data, who’s accessing it and when – and they’re not using their logs. In fact they’re not applying the same care and attention that they would if the data was on their own servers.
Is there a danger that people are trying to reinvent the wheel when it comes to cloud security? Are they failing to appreciate what of their existing processes and policies can be carried over into the cloud? Tankard thinks this is true, but a lot depends on how the enterprise is using the cloud and what it’s doing with it.
By and large, organisations are not asking the right questions about security – or maybe don’t know what to ask. One big problem is that many organisations simply rely on the cloud service provider that is providing them with infrastructure services and/or data storage, to provide security – often as an afterthought. There are real dangers in putting all your eggs in one basket, Tankard contends. For example, you might encrypt your data, but then people who are storing it also have the keys. Security needs to be ‘decoupled’ from the other aspects of the cloud, he believes, and this can be handled by a managed service provider, along with things like logging. That way, only the organisation itself has access to both the data and the keys.
Encryption is an important part of this – but is it being used & understood properly? Tankard feels that some people don’t understand the complexities and subtleties of encryption.
Going to a security specialist to help with that aspect of the cloud has a number of benefits, says Tankard. But it makes sense to do this separately from buying the cloud service itself.
With new payment card data standards coming into force soon, it is more important than ever to mitigate the risk of ‘authorised data in unauthorised places’.
The latest Payment Card Industry Data Security Standard (PCI DSS) rules demand that organisations ensure that the right processes and technology are in place to understand exactly where data – such as credit card information – is stored.
This is essential not only for compliance with legislation but also for managing risk and avoiding loss or theft of sensitive data. Organisations who fail to secure payment data could incur fines, penalties, even termination of the right to accept payment cards.
Sam Maccherola, general manager EMEA & APAC at Guidance Software, explains to Tracey Caldwell how the new guidelines will improve payment security and what businesses need to do to prepare for them.
He warns that organisations need to be alert to the threat of the rogue insider more than ever and explains how regular audits can help organisations to understand exactly where sensitive data resides.