From the Blogosphere
Governance Must Drive All Security Initiatives... Even Cloud
Risk is not unique to the cloud and transcends technology
By: Kevin Nikkhoo
Feb. 1, 2013 08:00 AM
“The ‘how’ may change, but the ‘what’ is fundamental to risk management.”
I heard these sage words at a recent ISSA (Information Systems Security Association) meeting from a CIO speaking about security from the cloud.
He continued, “Risk is not unique to the cloud. It experiences the same issues that affect any outsourcing or third party deliverable. It is bounded by the same concerns regarding governance—does it meet the requirements of my industry? Is my data free from co-mingling? Are the proper notification protocols in place?”
Do a Google search on “cloud security” and the first entry is “How secure is the cloud?” True professionals know the argument is not about technology or how security is delivered, but rather one of governance. You need to know exactly who HAS access to what resources and if these levels of access are appropriate. You need to know who IS accessing resources, and if they don’t have the proper credentials, you need to be notified immediately to take further preventive action. You need know that protocols for compliance are in place and routinely and successfully generate the reporting for periodic audits. You need to know your rights, liabilities (SLA) for any application or service acquired and that they conform to your risk management practices.
The key asset in all this is data. Data is stored in many forms, via many servers and applications across the enterprise and it is processed and accessed in just as many ways. Effective governance is the ability to have a centralized map of all these information roads and create certain controlled access points, road blocks (encryption), privileged private lanes/public highways…in short, governance is about accountability.
This then becomes an internal process; making sure you have the identity management rules and capabilities in place, making sure the access management provisioning is set. Ensuring you employ the means to view it under a single pane of glass (unified security) in order to make the necessary decisions to better secure the data. You must have context and historical perspective. The chief component to governance is visibility. And any first course of action would be to enhance existing visibility.
Governance is a critical challenge. Not every “whizz bang” development (be it cloud application or nifty BYOD device) will be able to meet a particular organization’s governance standards. It is up to the CIO or CSO’s due diligence to understand all the implications on how the deployment will affect the holistic enterprise. What liabilities are exposed? What vulnerability gaps does it close? How could it impact user productivity versus potential risks? The answer will not be the same for every company. However, dismissing cloud out of hand is not only faulty and outdated logic, but can restrict the organization from responsible growth.
“When cloud computing is treated as a governance initiative, with broad stakeholder engagement and well-planned risk management activities, it can bring tremendous value to an enterprise," said Emil D'Angelo, CISA, CISM, international president of ISACA and founding member of the Cloud Security Alliance.
This extends to the functions and capabilities of managing security from the cloud (cloud-based security) as well. When due diligence is done, a CIO will have a clear idea of an initiative’s risk versus return and whether a cloud security deployment meets the individual requirements of the company. And, with all things being equal in terms of control, compliance and reach, then the significant benefits of the cloud and its affordability, scalability and agility make it a wise investment. But cost savings should not be the first line of acceptance (although he TCO and ROI are considerable). Any security solution must first prove it is up to the task of preserving IP, upholding all aspects of regulatory compliance and keeping sensitive data sacrosanct.
To gain this level of governance visibility, it potentially incorporates several solution sets that need to work in harmony and do so in real time. It needs to connect (and put into proper context) certification, policies, roles and requests. For example, seeing who has accessed a certain application gives you historical perspective, but, what if it is a retired account or tries using a decommissioned password? If you know within moments of its occurrence, you can trace the attempt and prevent further breaches. Or if a partner accesses certain parts of your database to which they are entitled, but quadruples their order in the dead of night to be shipped to Phnom Penh? Or through an open back door, a “customer” can see and download other clients Tax ID numbers. There are literally thousands of scenarios by which leveraging the cooperative functionality of IDM, AM, SIEM and Log Management creates not only the holistic visibility to drive governance policies, but offers significant barriers to keep the IT enterprise safer.
Security is just as much about weighing the risk/return scenarios as it is bolting the castle door against the enemy. Cloud security (and to a greater extent, a unified security initiative from the cloud) can be the effective, flexible and strong enterprise balance for prevention and audit. The challenge facing most security teams, therefore, is to provide line-of-business users with the access they need while ensuring that the access is appropriate and does not expose the enterprise to unnecessary business risk. But first you must ensure visibility--and when you know where all your data is and all the multiple ways that it is available, then you can best manage the policies, roles, and security functions that best connects your requirements.
Top Stories for Cloud Expo 2012 East
In this Big Data Power Panel at the 10th International Cloud Expo, moderated by Cloud Expo Conference Chair Jeremy Geelan, Govind Rangasamy, Director of Product Management at Eucalyptus Systems; Kevin Brown; CEO of Coraid, Inc.; Christos Tryfonas, CTO and Co-Founder of Cetas; and Max Riggsbee, CMO and VP of Products for WhipTail, discussed such topics as: Big Data has existed since the early days of computing; why, then, do you think there is such an industry buzz around it right now? How is Big Data impacting storage and networking architecture in data centers? How about the intersection of Big Data Analytics and Cloud Computing - how big a sector is that and why? What's the difference between Big Data and Fast Data? ... (more)
Best Recent Articles on Cloud Computing & Big Data Topics
As we enter a new year, it is time to look back over the past year and resolve to improve upon it. In 2014, we will see more service providers resolve to add more personalization in enterprise technology. Below are seven predictions about what will drive this trend toward personalization.
IT organizations face a growing demand for faster innovation and new applications to support emerging opportunities in social, mobile, growth markets, Big Data analytics, mergers and acquisitions, strategic partnerships, and more. This is great news because it shows that IT continues to be a key stakeholder in delivering business service innovation. However, it also means that IT must deliver new innovation despite flat budgets, while maintaining existing services that grow more complex every day.
Cloud computing is transforming the way businesses think about and leverage technology. As a result, the general understanding of cloud computing has come a long way in a short time. However, there are still many misconceptions about what cloud computing is and what it can do for businesses that adopt this game-changing computing model. In this exclusive Q&A with Cloud Expo Conference Chair Jeremy Geelan, Rex Wang, Vice President of Product Marketing at Oracle, discusses and dispels some of the common myths about cloud computing that still exist today.
Despite the economy, cloud computing is doing well. Gartner estimates the cloud market will double by 2016 to $206 billion. The time for dabbling in the cloud is over! The 14th International Cloud Expo, co-located with 5th International Big Data Expo and 3rd International SDN Expo, to be held June 10-12, 2014, at the Javits Center in New York City, N.Y. announces that its Call for Papers is now open. Topics include all aspects of providing or using massively scalable IT-related capabilities as a service using Internet technologies (see suggested topics below). Cloud computing helps IT cut infrastructure costs while adding new features and services to grow core businesses. Clouds can help grow margins as costs are cut back but service offerings are expanded. Help plant your flag in the fast-expanding business opportunity that is The Cloud, Big Data and Software-Defined Networking: submit your speaking proposal today!
What do you get when you combine Big Data technologies….like Pig and Hive? A flying pig? No, you get a “Logical Data Warehouse.” In 2012, Infochimps (now CSC) leveraged its early use of stream processing, NoSQLs, and Hadoop to create a design pattern which combined real-time, ad-hoc, and batch analytics. This concept of combining the best-in-breed Big Data technologies will continue to advance across the industry until the entire legacy (and proprietary) data infrastructure stack will be replaced with a new (and open) one.
While unprecedented technological advances have been made in healthcare in areas such as genomics, digital imaging and Health Information Systems, access to this information has been not been easy for both the healthcare provider and the patient themselves. Regulatory compliance and controls, information lock-in in proprietary Electronic Health Record systems and security concerns have made it difficult to share data across health care providers.
Cloud Expo, Inc. has announced today that Vanessa Alvarez has been named conference chair of Cloud Expo® 2014. 14th International Cloud Expo will take place on June 10-12, 2014, at the Javits Center in New York City, New York, and 15th International Cloud Expo® will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
12th International Cloud Expo, held on June 10–13, 2013 at the Javits Center in New York City, featured four content-packed days with a rich array of sessions about the business and technical value of cloud computing led by exceptional speakers from every sector of the cloud computing ecosystem. The Cloud Expo series is the fastest-growing Enterprise IT event in the past 10 years, devoted to every aspect of delivering massively scalable enterprise IT as a service.
Ulitzer.com announced "the World's 30 most influential Cloud bloggers," who collectively generated more than 24 million Ulitzer page views. Ulitzer's annual "most influential Cloud bloggers" list was announced at Cloud Expo, which drew more delegates than all other Cloud-related events put together worldwide. "The world's 50 most influential Cloud bloggers 2010" list will be announced at the Cloud Expo 2010 East, which will take place April 19-21, 2010, at the Jacob Javitz Convention Center, in New York City, with more than 5,000 expected to attend.
It's a simple fact that the better sales reps understand their prospects' intentions, preferences and pain points during calls, the more business they'll close. Each day, as your prospects interact with websites and social media platforms, their behavioral data profile is expanding. It's now possible to gain unprecedented insight into prospects' content preferences, product needs and budget. We hear a lot about how valuable Big Data is to sales and marketing teams. But data itself is only valuable when it's part of a bigger story, made visible in the right context.
Cloud Expo, Inc. has announced today that Larry Carvalho has been named Tech Chair of Cloud Expo® 2014. 14th International Cloud Expo will take place on June 10-12, 2014, at the Javits Center in New York City, New York, and 15th International Cloud Expo® will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Everyone talks about a cloud-first or mobile-first strategy. It's the trend du jour, and for good reason as these innovative technologies have revolutionized an industry and made savvy companies a lot of money. But consider for a minute what's emerging with the Age of Context and the Internet of Things. Devices, interfaces, everyday objects are becoming endowed with computing smarts. This is creating an unprecedented focus on the Application Programming Interface (API) as developers seek to connect these devices and interfaces to create new supporting services and hybrids. I call this trend the move toward an API-first business model and strategy.
We live in a world that requires us to compete on our differential use of time and information, yet only a fraction of information workers today have access to the analytical capabilities they need to make better decisions. Now, with the advent of a new generation of embedded business intelligence (BI) platforms, cloud developers are disrupting the world of analytics. They are using these new BI platforms to inject more intelligence into the applications business people use every day. As a result, data-driven decision-making is finally on track to become the rule, not the exception.
Digital Transformation Blogs