[Info-vax] Clouds and security

Kerry Main kemain.nospam at gmail.com
Tue Sep 27 09:10:35 EDT 2016


> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> Of mcleanjoh--- via Info-vax
> Sent: 27-Sep-16 2:56 AM
> To: info-vax at rbnsn.com
> Cc: mcleanjoh at gmail.com
> Subject: [Info-vax] Clouds and security
> 
> 
> Back in May of this year security group McAfee published an
> article from Intel Security about clouds and security.  It's at
> https://blogs.mcafee.com/business/no-excuses-time-get-grip-cloud-security/
> 
> Here's an extract...
> 
> "If we look at our own survey results the picture isn’t great when
> it comes to how well organisations are doing cloud security today.
> Some 40 per cent are failing to protect files located on SaaS with
> encryption or data loss prevention tools, 43 per cent do not use
> encryption or anti-malware in their private cloud servers and 38
> per cent use IaaS without encryption or anti-malware.
> 
> Many organisations have already been at the sharp end of cloud
> security incidents. Nearly a quarter of respondents (23 per cent)
> report cloud provider data losses or breaches and one in five
> reports unauthorised access to its data or services in the cloud.
> The reality check here is that the most common cloud security
> incidents cited were actually around migrating services or data,
> high costs and lack of visibility into the provider’s operations."
> 
> This looks like a good argument for private clouds on in-house
> SANs.
> 
> 
> cheers
> 
> John

What many large companies are starting to realize is that while the security issues are definitely a big concern, the bigger concern is loss of control over security POLICY and data management POLICY.

What happens when your security policy states that all new IT hires must pass a police check (and in some cases - a drug check), but your cloud provider uses resources from all over the globe and has IT SysAdmins who potentially have access to your company's data?

Many companies want a single point of control over employees' access to company resources, i.e. if HR decides to terminate someone, they should only have to disable that person's access in one place (usually the HR system is integrated with the company global directory product). Unless one is willing to expose the company directory to some access to the cloud provider, how does one do this when you have one or more applications running at the cloud provider's premises?

Or if your company policy states your passwords must automatically change every 90 days and have complex algorithms and your provider policy is different? Yes, you could replicate the directory data across the internet to the cloud premise, but is that what you want to do?

Or if your company data mgmt. policy states your company needs to maintain offsite archives for 7 or 10+ years? As I recall, the AWS policy re: offsite (not on AWS premise) data archives was you ship them a disk, they will copy data to it and then ship the drive back to you.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
