Insider Threat, Shadow IT Concerns Spur Cloud Security

Surveys show cloud tops 2015 priorities.

As security professionals prioritize for 2015, cloud security initiatives once again sit on top of their to-do lists. According to two surveys out in the past week, insider threat and shadow IT concerns continue to thrust cloud security to the forefront, with cloud identity and access management and cloud governance among the controls needing the most help.

“As companies move data to the cloud, they are looking to put in place policies and processes so that employees can take advantage of cloud services that drive business growth without compromising the security, compliance, and governance of corporate data,” said Jim Reavis, CEO of the Cloud Security Alliance, which together with vendor Skyhigh released a report that showed cloud security as the top security priority for IT organizations in 2015.

The highlights from the survey detailed in that report showed that only about 8 percent of organizations today believe they truly know the scope of unauthorized cloud purchasing—so-called shadow IT. This jibes with findings in another report released last week from Netskope, which showed that IT professionals consistently underestimate the extent of shadow IT in their organization—with organizations estimating one-tenth of the actual number of apps found by cloud app audits.

The consequences are serious, because organizational data leaves corporate boundaries inside unsanctioned apps. For example, 17 percent of organizations last year experienced an insider incident, according to the CSA report, and 15 percent of corporate cloud users have had their credentials compromised, according to the Netskope report.

Part of the reason this situation has arisen is that security organizations are ill-equipped to help their businesses move quickly toward the cloud through well-crafted and balanced cloud governance policies. According to the CSA survey, about a third of organizations today are full-steam ahead with cloud adoption, and 51 percent of respondents feel pressured to approve services that don’t meet security or compliance requirements. But just 16 percent of organizations have a fully enforced cloud governance policy.

What’s more, even among organizations with policies or in the middle of creating a policy through a cloud governance committee, just 43 percent of them include line-of-business representation.

“Employees today have shifted from thinking of apps as a nice-to-have to a must-have, and CISOs must continue to adapt to that trend to secure their sensitive corporate and customer data across all cloud apps, including those unsanctioned by IT,” says Sanjay Beri, CEO and founder of Netskope.

As the CSA concludes in its report, IT in 2015 must find better ways to govern data in the cloud similar to data on premises. Not only will that take investment in enforcement technology, but also collaboration with the very stakeholders who are driving cloud adoption in the first place.

“IT will also need to work more collaboratively with business users to understand the motivations behind shadow IT and enable the cloud services that drive employee productivity and growth in the business without sacrificing security,” the report concludes.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

[DarkReading]

Cloud Services Adoption: Rates, Reasons & Security Fears

Concerns over data breaches and privacy are two reasons enterprises in the European Union didn’t increase their use of cloud services in 2014, according to the EU’s recent Eurostat report.

“Heaven’s not beyond the clouds, it’s just beyond the fear.” – Garth Brooks

A lot of Europeans believe that the European Union is really an employment scheme for bureaucrats who want to live in Brussels — which is, admittedly, a nice place to live. But for those of us in the analyst business, the EU is one of our best sources of the data we need to advise people on their technology needs.

I firmly believe that cloud services are no longer optional. Any business, large or small, needs cloud services to both remain competitive as well as to get better control over its bottom line. So I eagerly looked forward to the release last month of the EU’s Eurostat report on “Cloud computing – statistics on the use by enterprises,” which was broken out by country.

It wasn’t really a surprise that Finland led the way, nor that Hungary, Bulgaria, Greece, Poland, Latvia, and Romania were the trailers among the 28 member states. What was surprising, though, was the low percentages of adoption. Finland, the leader, barely passed 50% when counting those enterprises that used at least some cloud services. Those listed above as “trailers” were all under 10%. And the seemingly “advanced” countries of France, Austria, and Germany barely reached above the trailers, coming in at 11 to 12%.

When broken out by sector, information and communication were, not surprisingly, the leaders at 45%, followed by professional, scientific, and technical activities at 27%. Enterprises reported that they relied on the cloud mainly for their email services (66%) and, in second place, for file storage (53%).

Those organizations already using cloud services viewed the fear of security breaches as the main reason they hadn’t increased their use. In light of the spectacular breaches (such as Sony’s) revealed recently, that’s not an unwarranted fear. Well, until you realize that it was datacenter — and not cloud — resources that were stolen in the Sony incident.

Another fear is the proliferation of data privacy issues among the various member countries of the EU. That, and the various spying revelations that have come from the Snowden incident, have made a number of enterprises wary of putting personal and privileged information into the cloud. It was hoped that a new EU Data Protection Regulation would clear up the privacy issues when it was promulgated this year, but there are now fears that serious differences remaining between the European Parliament and the 28 member states will push the regulation into 2016, further clouding (pun intended) the issue for commercial organizations.

But by far the biggest surprise, to me, in the Eurostat survey was the reason given by those enterprises that have yet to use any cloud services as to why that is so: for the 81% of European enterprises not using the cloud, the main stumbling block was insufficient knowledge of cloud computing! In fact, while there are many good reasons for adopting cloud services, there is little guidance for planning the adoption. The first step is for companies to take a strategic approach to cloud migration rather than a tactical response to business unit demands.

Once the strategy is in place, a clear definition of the business objectives of cloud-based services can be developed, the attendant risks can be quantified, the necessary policies for operating in the cloud can be documented, and board-level direction of cloud adoption can occur. Then the pitfalls can be avoided.

You need to know that with cloud services, as with most things in your corporate life, ignorance can be fatal.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe’s leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity management to a generation of technologists.

[DarkReading]

Implementing Cybersecurity with NIST Cybersecurity Framework and COBIT 5

Cybersecurity risks, like financial and reputational risks, are business risks. The NIST Cybersecurity Framework (CSF) focuses on the use of business factors that guide the activities to respond to cybersecurity risks as an integral part of the organizational risk management processes.

The framework consists of three parts:

  • The framework core
  • A framework profile
  • Framework implementation tiers

The Framework Core
The framework core is a set of cybersecurity activities, desired outcomes and references that are common to all critical infrastructure sectors. It provides detailed guidelines for the development of individual organizational profiles.

A Framework Profile
Through the use of profiles, the framework will help the organization align cybersecurity activities with business requirements, risk tolerance and resources.

Framework Implementation Tiers
Framework implementation tiers provide a mechanism for organizations to observe and understand the cybersecurity risk and the processes in place to manage that risk.

Since the framework refers to recognized global standards for cybersecurity, it can be used by any organization and can serve as a model for international cooperation in strengthening cybersecurity for critical infrastructures.

Organizations have unique risks, different threats, different vulnerabilities and varied risk tolerances, all of which will influence how the practices of the framework are implemented.

Definition of Critical Infrastructure
Critical infrastructure can be defined as systems and assets so vital that the incapacity or destruction of such systems and assets would have a critical impact on national economic security or public health or safety, or any combination of those matters.

The CSF offers a risk-based approach that uses metrics to continuously improve cybersecurity. Though it was originally intended to support critical infrastructure providers, it is applicable to any organization wishing to manage and reduce cybersecurity risk. The CSF helps each organization improve its risk management and ultimately reduces cybersecurity risk worldwide.

As part of its Cybersecurity Nexus (CSX) program, ISACA offers a step-by-step guide for the implementation of the NIST CSF. The activities and processes that are proposed can help to determine what to do in each phase, but they are not prescriptive and should be adapted to meet individual organizational goals:

  • CSF Step 1: Prioritize and Scope: COBIT Phase 1: What are the drivers?
  • CSF Step 2: Orient
  • CSF Step 3: Create a Current Profile: COBIT Phase 2: Where are we now?
  • CSF Step 4: Conduct a Risk Assessment
  • CSF Step 5: Create a Target Profile: COBIT Phase 3: Where do we want to be?
  • CSF Step 6: Determine, Analyze and Prioritize Gaps: COBIT Phase 4: What needs to be done?
  • CSF Step 7: Implement Action Plan: COBIT Phase 5: How do we get there?
  • CSF Action Plan Review: COBIT Phase 6: Did we get there?
  • CSF Lifecycle Management: COBIT Phase 7: How do we keep the momentum going?

The challenges and opportunities identified along the way lead to risk assessments and priorities, and they foster organizational commitment and ownership. Thus, successful governance and management processes become institutionalized in the organizational culture.

Juan Carlos Morales, CISA, CISM, CGEIT, CRISC
IT governance and risk management consultant and trainer
COBIT 5 accredited trainer

[ISACA]

Cybersecurity Canon: Your Vote Counts

The Cybersecurity Canon is official, and you can see our website here. We modeled it after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have 25 books on the candidate list and we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite – we’re actively soliciting your feedback!

Coming soon: You will get the chance to vote on which books you want to see join Parmy Olson’s We Are Anonymous in the Cybersecurity Canon.

Public Internet voting opens on February 1, so watch this space to find out how to vote for your favorite cybersecurity book. Winners will be inducted into the Canon at the Awards Ceremony during the Ignite Conference in Las Vegas on April 1, 2015.

Don’t see your favorite cybersecurity book on the candidate list? You should submit it for consideration.

[Palo Alto Networks Blog]

New (ISC)² Executive Director Introduction: Building on Our Successes & Striving for Excellence

I’m pleased to start off 2015 as the new (ISC)² executive director. As someone who has been entrusted with information security responsibilities throughout my career, I welcome the opportunity to speak out about the challenges we face on behalf of those working to keep our cyber world safe.

During my past two years as COO at (ISC)², I’ve seen the organization make positive strides toward establishing a member focus; however, this is a sustained commitment with more work to be done. I want to build on the momentum of our successes while continuing to evaluate areas that we need to improve so that we’re continually striving for excellence in everything we do.

As the new (ISC)² executive director, I want to continue on the path of success we’ve achieved under the leadership of Hord Tipton, whose boundless energy and enthusiasm for all things information security and (ISC)² are unrivaled in the industry. I understand that I have big shoes to fill.

My own background includes 14 years working with the U.S. Coast Guard before moving to the U.S. Department of the Interior, where I ultimately served as deputy CIO. At both organizations, I was fortunate to work with some true visionaries who understood the role IT could play in these large, dispersed organizations with diverse missions. For the last ten years of my government career, I served at the senior executive level before joining (ISC)² in 2012. My full bio can be found on the (ISC)² website at https://www.isc2.org/management-team.aspx.

Having worked in the profession and having dealt with the challenges of managing large infrastructure as well as the challenges associated with information security, I come into this role with passion and sincerity to advocate for the profession. I also have a sense of the hard work that goes into this across the board – not just in the security roles, but also among the IT professionals who monitor and manage the infrastructure that hosts or provides access to enterprise information assets.

I think there are some parallels between public service and a not-for-profit that’s membership oriented. We’re here on behalf of you – the global membership. The investments and decisions we make should stand up to the questions and transparency we need to demonstrate to our members and always need to deliver value.

I take my new responsibility of being the leader and public face of this organization very seriously. My first order of business will be to continue to advance our global partnerships to ensure a smooth transition and to continue building rapport with the lifeblood of our organization – the global (ISC)² membership. There’s certainly more work to be done on behalf of the membership to advance our mission globally, and I plan to roll my sleeves up to further that cause.

We have a broad range of initiatives underway, so I will ensure those projects come to fruition. It’s not always about adding new ideas to the pipeline. I’ve always respected people and organizations that demonstrate the ability to make great ideas a reality. During my tenure as executive director, I plan to advance the goals and objectives that our Board of Directors has put forth for the organization and its 100,000-plus global membership.

I look forward to this exciting new challenge of becoming the leader of (ISC)². Let’s make 2015 a prosperous and progressive year!

[(ISC)² Blog]
