
IT Security

3 Posts tagged with the cloud tag

Protect and Innovate in IT Security

Posted by George Hulme May 11, 2012

In business, there’s always been friction between the need to protect information and the desire to push technology forward and innovate. Today, perhaps, that friction is hotter than ever, as end users want to bring their own devices and applications to work. While some organizations try to block everything that isn’t approved — employees can use only corporate-approved devices and software — others are trying to accommodate the trends by opening the floodgates.

 

Neither is the ideal approach.

 

The first is too draconian and won’t work because users will sidestep overbearing rules. Tell them they can’t tweet from work? They’ll tweet from their personal iPhone. Tell them they can’t use tablets for work? They’ll do it anyway from their 3/4G-enabled tablet and on their personal network connection. All of this happens outside corporate IT’s view because IT doesn’t control the devices, the networks or even the data that employees use outside the office. Counterintuitively, controlling the user too much in this way actually decreases security; out of sight is not out of mind — when user actions are pushed out of view, IT and security teams don’t know what’s going on.

 

The second approach — a laissez-faire environment — doesn’t work either, as it sets up the organization for data breaches in the making, especially from mobile devices accessing corporate data. Reaching a balance, protecting systems and data while enabling the business to push forward with innovative initiatives, was the subject that CA Technologies Director of Research Carrie Gates and Mike Denning, General Manager, Security Business, tackled at the recent RSA 2012 security conference. The pair told security officers to move from “No” to “Know” — that is, security teams should no longer say no to new initiatives such as cloud and mobile, and instead should arm themselves with the “KNOW”-ledge that can help IT let employees use the devices of their choice at work.

 

Finding Alternatives

So, rather than tell employees that they can’t use online file-sharing services, provide business managers with an alternative. Perhaps that could be turning to a competing service that caters to the enterprise, or maybe building private cloud storage where the appropriate access controls and monitoring can be put into place. Whenever there is friction between what users need for their jobs and the organization’s need to protect its data, look for a viable alternative and detail the costs versus the business risk and reward for all alternatives. 

 

To gain this knowledge, listen to user needs. If the HR department is having a hard time attracting talent because the company doesn't allow tablets at work, IT should see an opportunity to enable the business to be competitive in the marketplace for talent.

 

Access vs. Risk

As Gates and Denning described in the talk, that can include managing device access to corporate applications, for example through single sign-on authentication; backing up work files to corporate storage in the cloud; or segmenting users’ personal workspaces from their work data and applications. None of this is especially easy to do today, but the tools are maturing, and it’s time to start taking a close look at how to make it happen. Each organization has to weigh its own business needs against its own level of tolerance for risk.

 

For instance, ask whether data can appropriately be stored in an on-demand software service. Can security controls, such as proper authentication and access monitoring, be put into place to satisfy security policy and that data’s classification level? If not, maybe that data isn’t suitable for that service, and an internally managed option would be the way to go.

 

The ability to innovate, and perhaps even drive increased revenue, doesn’t require esoteric technology. You just need to keep an eye on what can be done, and how to secure it with the available technologies. When this is done right, you’ll be rewarded with the ability to effectively — and securely — move forward with innovative initiatives in mobile, cloud, or new services and applications in your industry.


Numerous start-up cloud vendors are busy hyping their "Security-as-a-Service" wares, with requisite promises of turnkey "Security in a Box" and the like. But enterprise CIOs have tough questions about the validity and reliability of such firms and their services — as well they should. Securing a global IT infrastructure is paramount — with millions of dollars and customers at stake, not to mention a company's tarnished reputation if a major security breach occurs. It’s wise to ask whether such a mission-critical task can be entrusted to a third-party host.

 

That’s why Matthew Clark, Senior Director of IT at telecom provider Qualcomm in San Diego, is taking a cautious approach to cloud services. "Trust and security in cloud computing are big deals to companies,” he says, and too often cloud providers are more concerned with protecting their own business than the customer’s. As a result, “We are very, very cautious about what we allow to be put out into external clouds," Clark says.

 

Lina Liberti, VP of the Security business at CA Technologies, understands the concerns. She told me recently that, "Some of these new-to-the-market Security-as-a-Service providers are great for small to midsize business, as smaller firms are more likely to take risks in order to realize the benefits from a cloud deployment." But, she warns, outsourcing large enterprise security to a new, immature vendor is a risky consideration.

 

That doesn’t mean a large or growing enterprise can’t take advantage of the cost and resource savings cloud security offers; they just need to partner with companies that have hardened enterprise-grade security tools delivered as a service.

 

Peter Hinssen, one of Europe's leading tech gurus, noted that "CA [Technologies] realized that cloud was going to happen faster than anyone else anticipated, and the company has taken a leading role in this market." Hinssen believes that CA Technologies is also out front with its Identity Management-as-a-Service.

 

The company recently released several cloud solutions aimed at the identity and access management (IAM) security market. The CA CloudMinder portfolio, for example, is morphing the firm's long-established IAM solutions into hosted, subscription-based security services for customers. With the new services, CIOs no longer need to purchase, install and maintain their IAM tools via old-school methods (as applications on CDs, for instance). Now, they're available in the cloud as services customers can procure or buy or license from CA Technologies.

 

Besides its experience with enterprise data centers, CA Technologies provides trained support 24x7x365 — critical to most global online enterprises. These “comfort factors” may boost Security-as-a-Service among skeptical CIOs — even those like financial and healthcare CIOs, who need to meet stringent requirements and regulations with their cloud deployment.

 

To me, that's hope, not just hype.

 

 

Larry Lange is a freelance writer on the business of technology and a contributor to Smart Enterprise magazine.


Chief Information Security Officers and corporate risk officers need a break. These execs may have the hardest jobs in the organization, and instead of being praised for their efforts to protect enterprise data and prevent breaches, they are often maligned as obstacles to progress and innovation. Even CIOs, whom many business users view as blockers to social media, cloud computing and other leading-edge technologies, sometimes do an end-run around CISOs and compliance folks in order to push projects forward more quickly.

 

Can a truce be reached? Several speakers at yesterday's Smart Enterprise Exchange meeting agreed that security and the cloud can coexist, but partnerships have to be forged first. Here are some views and tips from our panelists, but we also want to know what you think about this topic. Add your comments and views to these:

 

 

  • Arnold Felderbaum, Chief IT Security and Compliance Officer at Reed Elsevier Tech Services, and adjunct professor at New York University's Polytech Institute, leads a committee looking at cloud models. "Cloud computing is not a tech challenge," he said; the challenges are more about compliance, risk, and the types of data that will flow through the cloud. "You need to bring together architects, back-office managers and IT to forge the road ahead." Also, when a business person says 'I can escape privacy, compliance and legal issues,' an attorney has to be available to respond.

 

  • Michael Denning, General Manager, Security Customer Solutions Unit, CA Technologies: IT needs to change from the "Power of No, to the power of Know." "CISOs don't want to bear all the burden, they need to become a partner, get smarter and turn risk management into knowing what’s going on and granting access." Bring business users into the process and incent them to use internal services.

 

  • Timothy Chou, author and cloud evangelist, suggests that the tougher issue is how to foster innovation among business users without bogging them down in bureaucracy and restrictions like security and compliance. Best way? Create dedicated groups, away from the rest of the organization and "protect them until there’s some legs."

 

  • Ajit N. Maira, Vice President, Strategy Cloud-Connected Enterprise Management Business Unit, CA Technologies: Business units are "taking initiative, not control, like it or not." The question now is, how can we describe cloud services so that IT and the CISO can have intelligent discussions with the business? ...The CIO is becoming a supply chain manager for business processes. In this model, systems architecture gets elevated for cloud services and CIOs need new skills for very carefully managing SLAs, security and vendors.

 

  • Joseph A. Puglisi, V.P. and Chief Information Officer, EMCOR Group: Traditional security methods like firewalls can’t stop breaches and won't stop business users from going around IT. Unless you create a good relationship with the business, and find out what they think they can't get from you, problems will persist.

 

  • Elizabeth Butwin Mann, Chief Information Security Officer at Mycroft, suggested that a Chief Services Officer position may be needed to provide cloud options to the organization. That person would be agile enough to make it as easy for users to get services "as using a credit card and Amazon, but can still partner up and exert some control within the confines of the business." Enterprises need to become an internal managed services provider (MSP), she said. To do this, they need to speak with business users about their needs but also state that security can’t be avoided. Open the dialogue and discuss options, she said.

 

  • Tony Orlando, Senior VP and GM CA Technologies Eastern U.S.: "Change can be uncomfortable and shifting a paradigm creates fear." Moving services off-premise can eliminate people and jobs. At the same time, if you roll out slowly or wait for dollars, lines of business get frustrated and go directly to the service provider bypassing IT. "You need to be aware of these dynamics."

 

Share your experiences. Also read more from the event here.


