Cloud Security for Rational Leaders: A Practical Approach for the C-Suite
News headlines are filled with enough stories about compromised data security, potentially driving executives away from networked and cloud solutions and back to the proverbial days of stuffing cash in a mattress. However, effective leaders recognize that threats to a computing environment are always present, and believe a more fruitful approach to operate a secure organization is to direct their IT teams to manage against real – not simply perceived – threats.
Rational vs. Irrational Fears
At the recent RSA Conference, Edward Snowden and the NSA surveillance practices dominated the conversation. While these high-profile news stories drive much of the narrative around data security, the reality is that the vast majority of network security attacks are far more basic in nature.
Effective C-Suite executives need to look past the sensationalism and accept that a sound security program for their business is not dependent on proofing their virtual infrastructure to be impenetrable to the NSA, because that is close to impossible. A far, far more effective approach is to protect a company against common, basic attacks.
During a November 2013 webcast, data security service provider leader Alert Logic found that four of the five most common attacks seen by their Tokyo-based sensors could have been prevented simply by installing a security patch that Microsoft released five years ago. While this data is regionally specific, the takeaway is that building a secure IT infrastructure is about focusing on the basics. Keep your servers patched. Set up a rational firewall. Conduct quarterly evaluations of your IT infrastructure to identify gaps. You’re never going to achieve an impenetrable system, but with careful implementation and maintenance of basic security practices, C-Suite leaders can protect against about 95 percent of potential attacks.
Ensure You’re Working Effectively
A basic step for C-Suite leaders to operate a sound IT infrastructure involves ensuring their IT teams have calibrated security solutions to address appropriate – and rational – threats. For example, laptop encryption makes sense when data is physically stored on a laptop device. If your bag is stolen or you leave it in an airport, a third party now has physical access to your data. For laptops it makes sense to implement laptop encryption along with a password protection.
Often with conversations around Desktop-as-a-Service (DaaS) and Virtual Desktop Infrastructures (VDI), people try to apply a similar control as they would to a laptop. While a sound security model for an organization can include desktop encryption, companies need to understand what it means to have a desktop on the cloud. It’s the equivalent of your laptop hard drive sitting on a 2,000-pound storage platform in the middle of a data center, surrounded by guards, biometric support and other safeguards so that no one will get access to it. The risk of physical access to desktop information through a DaaS infrastructure is minimal, and the security barriers of laptop encryption and password protection as insufficient. With DaaS and VDI, an entirely different and appropriately calibrated approach needs to be implemented and maintained to ensure a sound and secure IT infrastructure.
Treat Technology Infrastructure as a Partnership
Many successful, competitive organizations work with service providers who help architect and optimize their IT infrastructures. The leaders of companies and enterprises that most effectively leverage a relationship with a cloud service provider take the time to understand how to approach the relationship with their partner, and how to adapt their systems and processes to maximize security. The main tenet of effectively engaging a cloud service provider is to treat security as a partnership and gain a detailed understanding of how your approach to security should adapt based on the partnership.
For example, some of the controls that would be put in place if an in-house team was solely managing security are different from those you would need with a service provider. Staying with the common protection mechanism of encryption, when a leader wants to protect his or her company data, they need to trust everyone who has access to that system. For on-premise systems, leaders should be more concerned with someone coming in and getting physical access, such as an intruder or member of the staff walking out with one of the servers.
With a service provider, you are paying someone to have access to data, to host it, do antivirus management and install patches. In that scenario, they’re already going to have access to the data and ultimately you want to limit to a minimum the people who can access the data. One way to achieve this is to not focus on encrypting the entire storage platform, but instead focus on layering in the encryption at the application, as close to the data as possible. That way you, not your service provider, can get to your data and manage it securely.
Back to Basics Security
C-Suite executives can lead their organizations to build and maintain a rational, pragmatic and secure technology infrastructure that maximizes the benefits of virtual and cloud-based technology. While high-profile attacks and the NSA get much of the media attention, most attacks are a less sophisticated and can more easily be protect against. The most productive security experts regularly review the most common threats to data integrity, and work to implement and maintain rational and appropriate security measures.