Click here to close now.




















Welcome!

@BigDataExpo Authors: Pat Romanski, Dana Gardner, Liz McMillan, Adrian Bridgwater, Jim Kaskade

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security, @BigDataExpo, OpenStack Journal

@CloudExpo: Article

Governance Must Drive All Security Initiatives... Even Cloud

Risk is not unique to the cloud and transcends technology

“The ‘how’ may change, but the ‘what’ is fundamental to risk management.”

I heard these sage words at a recent ISSA (Information Systems Security Association) meeting from a CIO speaking about security from the cloud.

He continued, “Risk is not unique to the cloud. It experiences the same issues that affect any outsourcing or third party deliverable. It is bounded by the same concerns regarding governance—does it meet the requirements of my industry? Is my data free from co-mingling? Are the proper notification protocols in place?”

Do a Google search on “cloud security” and the first entry is “How secure is the cloud?” True professionals know the argument is not about technology or how security is delivered, but rather one of governance. You need to know exactly who HAS access to what resources and if these levels of access are appropriate. You need to know who IS accessing resources, and if they don’t have the proper credentials, you need to be notified immediately to take further preventive action. You need know that protocols for compliance are in place and routinely and successfully generate the reporting for periodic audits. You need to know your rights, liabilities (SLA) for any application or service acquired and that they conform to your risk management practices.

The key asset in all this is data. Data is stored in many forms, via many servers and applications across the enterprise and it is processed and accessed in just as many ways. Effective governance is the ability to have a centralized map of all these information roads and create certain controlled access points, road blocks (encryption), privileged private lanes/public highways…in short, governance is about accountability.

This then becomes an internal process; making sure you have the identity management rules and capabilities in place, making sure the access management provisioning is set. Ensuring you employ the means to view it under a single pane of glass (unified security) in order to make the necessary decisions to better secure the data. You must have context and historical perspective.  The chief component to governance is visibility. And any first course of action would be to enhance existing visibility.

Governance is a critical challenge. Not every “whizz bang” development (be it cloud application or nifty BYOD device) will be able to meet a particular organization’s governance standards. It is up to the CIO or CSO’s due diligence to understand all the implications on how the deployment will affect the holistic enterprise. What liabilities are exposed? What vulnerability gaps does it close? How could it impact user productivity versus potential risks? The answer will not be the same for every company. However, dismissing cloud out of hand is not only faulty and outdated logic, but can restrict the organization from responsible growth.

“When cloud computing is treated as a governance initiative, with broad stakeholder engagement and well-planned risk management activities, it can bring tremendous value to an enterprise," said Emil D'Angelo, CISA, CISM, international president of ISACA and founding member of the Cloud Security Alliance.

This extends to the functions and capabilities of managing security from the cloud (cloud-based security) as well. When due diligence is done, a CIO will have a clear idea of an initiative’s risk versus return and whether a cloud security deployment meets the individual requirements of the company. And, with all things being equal in terms of control, compliance and reach, then the significant benefits of the cloud and its affordability, scalability and agility make it a wise investment. But cost savings should not be the first line of acceptance (although he TCO and ROI are considerable). Any security solution must first prove it is up to the task of preserving IP, upholding all aspects of regulatory compliance and keeping sensitive data sacrosanct.

To gain this level of governance visibility, it potentially incorporates several solution sets that need to work in harmony and do so in real time. It needs to connect (and put into proper context) certification, policies, roles and requests. For example, seeing who has accessed a certain application gives you historical perspective, but, what if it is a retired account or tries using a decommissioned password? If you know within moments of its occurrence, you can trace the attempt and prevent further breaches. Or if a partner accesses certain parts of your database to which they are entitled, but quadruples their order in the dead of night to be shipped to Phnom Penh? Or through an open back door, a “customer” can see and download other clients Tax ID numbers. There are literally thousands of scenarios by which leveraging the cooperative functionality of IDM, AM, SIEM and Log Management creates not only the holistic visibility to drive governance policies, but offers significant barriers to keep the IT enterprise safer.

Security is just as much about weighing the risk/return scenarios as it is bolting the castle door against the enemy.  Cloud security (and to a greater extent, a unified security initiative from the cloud) can be the effective, flexible and strong enterprise balance for prevention and audit. The challenge facing most security teams, therefore, is to provide line-of-business users with the access they need while ensuring that the access is appropriate and does not expose the enterprise to unnecessary business risk. But first you must ensure visibility--and when you know where all your data is and all the multiple ways that it is available, then you can best manage the policies, roles, and security functions that best connects your requirements.

 

Kevin Nikkhoo
Governor of the Cloud!
www.cloudaccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@BigDataExpo Stories
There are many considerations when moving applications from on-premise to cloud. It is critical to understand the benefits and also challenges of this migration. A successful migration will result in lower Total Cost of Ownership, yet offer the same or higher level of robustness. In his session at 15th Cloud Expo, Michael Meiner, an Engineering Director at Oracle, Corporation, analyzed a range of cloud offerings (IaaS, PaaS, SaaS) and discussed the benefits/challenges of migrating to each offe...
One of the hottest areas in cloud right now is DRaaS and related offerings. In his session at 16th Cloud Expo, Dale Levesque, Disaster Recovery Product Manager with Windstream's Cloud and Data Center Marketing team, will discuss the benefits of the cloud model, which far outweigh the traditional approach, and how enterprises need to ensure that their needs are properly being met.
With SaaS use rampant across organizations, how can IT departments track company data and maintain security? More and more departments are commissioning their own solutions and bypassing IT. A cloud environment is amorphous and powerful, allowing you to set up solutions for all of your user needs: document sharing and collaboration, mobile access, e-mail, even industry-specific applications. In his session at 16th Cloud Expo, Shawn Mills, President and a founder of Green House Data, discussed h...
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducte...
Malicious agents are moving faster than the speed of business. Even more worrisome, most companies are relying on legacy approaches to security that are no longer capable of meeting current threats. In the modern cloud, threat diversity is rapidly expanding, necessitating more sophisticated security protocols than those used in the past or in desktop environments. Yet companies are falling for cloud security myths that were truths at one time but have evolved out of existence.
Public Cloud IaaS started its life in the developer and startup communities and has grown rapidly to a $20B+ industry, but it still pales in comparison to how much is spent worldwide on IT: $3.6 trillion. In fact, there are 8.6 million data centers worldwide, the reality is many small and medium sized business have server closets and colocation footprints filled with servers and storage gear. While on-premise environment virtualization may have peaked at 75%, the Public Cloud has lagged in adop...
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
The Cloud industry has moved from being more than just being able to provide infrastructure and management services on the Cloud. Enter a new era of Cloud computing where monetization’s services through the Cloud are an essential piece of strategy to feed your organizations bottom-line, your revenue and Profitability. In their session at 16th Cloud Expo, Ermanno Bonifazi, CEO & Founder of Solgenia, and Ian Khan, Global Strategic Positioning & Brand Manager at Solgenia, discussed how to easily o...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Opening Keynote at 16th Cloud Expo, S...
In his keynote at 16th Cloud Expo, Rodney Rogers, CEO of Virtustream, discussed the evolution of the company from inception to its recent acquisition by EMC – including personal insights, lessons learned (and some WTF moments) along the way. Learn how Virtustream’s unique approach of combining the economics and elasticity of the consumer cloud model with proper performance, application automation and security into a platform became a breakout success with enterprise customers and a natural fit f...
"We have been in business for 21 years and have been building many enterprise solutions, all IT plumbing - server, storage, interconnects," stated Alex Gorbachev, President of Intelligent Systems Services, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
The essence of cloud computing is that all consumable IT resources are delivered as services. In his session at 15th Cloud Expo, Yung Chou, Technology Evangelist at Microsoft, demonstrated the concepts and implementations of two important cloud computing deliveries: Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). He discussed from business and technical viewpoints what exactly they are, why we care, how they are different and in what ways, and the strategies for IT to tran...
Discussions about cloud computing are evolving into discussions about enterprise IT in general. As enterprises increasingly migrate toward their own unique clouds, new issues such as the use of containers and microservices emerge to keep things interesting. In this Power Panel at 16th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the state of cloud computing today, and what enterprise IT professionals need to know about how the latest topics and trends affect t...
"Our biggest growth area has been the security services, the managed services - the things that differentiate us in the market that there is no client that's too small and there's no client that's too big," explained Paul Mazzucco, Chief Security Officer at TierPoint, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
"We do data integration for B2B also application to application, and we do data management and enable Big Data," explained Pat Adamiak, Vice President, Product Marketing at Liaison Technologies, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
"We've just seen a huge influx of new partners coming into our ecosystem, and partners building unique offerings on top of our API set," explained Seth Bostock, Chief Executive Officer at IndependenceIT, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
It is one thing to build single industrial IoT applications, but what will it take to build the Smart Cities and truly society-changing applications of the future? The technology won’t be the problem, it will be the number of parties that need to work together and be aligned in their motivation to succeed. In his session at @ThingsExpo, Jason Mondanaro, Director, Product Management at Metanga, discussed how you can plan to cooperate, partner, and form lasting all-star teams to change the world...
SYS-CON Events announced today that Agema Systems will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Agema Systems is the leading provider of critical white-box rack solutions to data centers through the major integrators and value added distribution channels.
Converging digital disruptions is creating a major sea change - Cisco calls this the Internet of Everything (IoE). IoE is the network connection of People, Process, Data and Things, fueled by Cloud, Mobile, Social, Analytics and Security, and it represents a $19Trillion value-at-stake over the next 10 years. In her keynote at @ThingsExpo, Manjula Talreja, VP of Cisco Consulting Services, discussed IoE and the enormous opportunities it provides to public and private firms alike. She will share w...
In the midst of the widespread popularity and adoption of cloud computing, it seems like everything is being offered “as a Service” these days: Infrastructure? Check. Platform? You bet. Software? Absolutely. Toaster? It’s only a matter of time. With service providers positioning vastly differing offerings under a generic “cloud” umbrella, it’s all too easy to get confused about what’s actually being offered. In his session at 16th Cloud Expo, Kevin Hazard, Director of Digital Content for SoftL...