Cloud Archives - IT Security Guru
https://www.itsecurityguru.org/tag/cloud/
The Site for our Community
Wed, 08 Dec 2021 17:43:19 +0000

Can you prevent the mega breach?
https://www.itsecurityguru.org/2017/11/07/can-prevent-mega-breach/?utm_source=rss&utm_medium=rss&utm_campaign=can-prevent-mega-breach
Tue, 07 Nov 2017 11:27:15 +0000
The threat landscape today is more complex and more dangerous than it has ever been. Where once hackers tended to operate individually, now organisations face much more sophisticated threats from organised eCriminal groups, hacktivists, and nation-state adversaries. The immense resources and know-how that these cybercriminals can deploy means that organisations need to update their approach to security. If they do not, then they will find themselves the victims of the next big breach, and could suffer the devastating reputational and financial consequences that follow a successful attack.
Traditional approaches to IT security are no longer enough in the face of these new, advanced threats. What’s more, many organisations are failing to understand the missing link in the continuous ‘people, process and technology’ conversation, which could make all the difference in the constant fight against hackers. By harnessing the power of the cloud, a variety of next-generation technologies, and threat intelligence, businesses can steer clear of the dreaded mega breach.
 
The power of the cloud
As organizations grow and become more distributed, adding more endpoints across the enterprise, sophisticated adversaries will continue to aggressively target their data and IT infrastructure. The cloud offers new means of providing pervasive protection throughout the enterprise, with lower cost and reduced management overhead alongside significantly increased performance, agility and scalability. In fact, cloud-based endpoint protection gives organisations the ability to monitor and learn from attackers as they test attack strategies, apply crowdsourced threat protection and receive seamless upgrades. The cloud enables better protection and offers a level of scalability and speed that on-premise solutions do not.
 
Looking to next-generation solutions
In today’s modern IT landscape, organisations need to look to next-gen solutions to combat modern threats effectively.
Replacing traditional, legacy antivirus (AV) technology with a more sophisticated approach that completely monitors your network is a key component of this. Traditional antivirus (AV) technologies rely on a signature-based approach and as such, can only identify known threats. All it takes for an attacker to circumvent these systems is to make a small tweak between signature updates for the malware to become “invisible.” With next-gen AV, more strains of malware and other threats become visible, so you can detect and stop these types of attacks instantly.
Traditional AV products fail to deliver the efficacy improvements required to protect organizations against modern threats. These products miss more advanced threats because they lack effective machine learning and behavioral detection capability. Traditional AV continues to have blind spots because its endpoint detection and response (EDR) features are immature and unintelligent. While these products are able to record and search events collected from endpoints, customers are then tasked with sifting through the sea of data to find meaningful security events. This process is painstaking and antiquated against modern, speedy vulnerabilities. With next-generation technology, the opposite is the case, and you can pinpoint threats in an efficient manner for more complete protection and faster remediation.
 
Tracking threats through threat intel
Organised cybercriminals today have many motivations to infiltrate their chosen targets – from financial gain to cyberwar and more. Traditionally, eCriminals and hacktivists implemented extortionist tactics to get precious data, but there has been an uptick in cyber espionage activity this year from nation-state threat actors in North Korea, Russia and China.
In the face of these diverse, highly motivated threats, it is no longer sufficient for organisations to take a reactive stance. Instead, organisations need a clear and comprehensive understanding of the different threats they face if they are to have any chance of defending against them effectively. Threat intelligence is therefore central to modern-day cyber risk mitigation, enabling organisations to anticipate and detect potential threats from across the entire web and thereby choose the right defensive approaches.
To protect revenue, customer and other stakeholder data, jobs, IP and shareholder value, organisations must invest in real-time threat intelligence, while developing a well-trained team that can monitor, capture and analyse threat data effectively. To get out of reactive mode and prevent breaches, businesses must take steps to prioritise actionable intelligence so that they can get ahead of the threats that could compromise their business.
Ultimately, steering clear of a breach comes down to two key points: speed of detection and efficacy. Being able to assess any intrusion and contain it immediately is the only way to future-proof your business. A combination of detection technologies and comprehensive strategy is critical to ensure that no matter where the bad guys move, or whatever new tactics they deploy, the business is well equipped to repel risk.
By Amol Kulkarni, Sr. Vice President, Engineering at CrowdStrike

The post Can you prevent the mega breach? appeared first on IT Security Guru.

Janrain Raises Bar for Most Rigorous Security Certification in CIAM Industry
https://www.itsecurityguru.org/2017/10/25/janrain-raises-bar-rigorous-security-certification-ciam-industry/?utm_source=rss&utm_medium=rss&utm_campaign=janrain-raises-bar-rigorous-security-certification-ciam-industry
Wed, 25 Oct 2017 14:00:59 +0000
Janrain®, the company that pioneered the Customer Identity and Access Management (CIAM) category and market leader in Privacy by Design, today announced that it has obtained two of the industry’s most comprehensive third-party security certifications, and the only ones designed specifically for the cloud: 1) Cloud Security Alliance Level 2 (CSA) STAR Certification, which verifies that Janrain follows industry-best practices for securing cloud offerings, and 2) the International Organization for Standardization’s (ISO) 27018:2014 Certification for handling personally identifiable information (PII) data in the cloud. These certifications apply to all services and product offerings associated with Janrain’s Identity Cloud product, which provides customers a seamless and secure way to move between web, mobile and IoT-device properties.
Janrain becomes the first CIAM provider to achieve CSA STAR Certification, the highest level achievable in CSA’s program. Until now, no CIAM provider had exceeded CSA’s Level 1 self-assessment, which is simply a questionnaire uploaded by the vendor to the CSA site. By contrast, CSA Level 2 certification entails an in-depth audit by an accredited, independent third party to verify that the company adheres to the highest cloud security standards throughout its operations. ISO 27018 certification confirms that Janrain applies industry best practices when handling PII, which is only going to increase in importance once the EU’s General Data Protection Regulation’s (GDPR) stringent PII-protection decrees go into law in May 2018.
“Meeting CSA’s and ISO’s most exacting security protocols doesn’t just benefit Janrain, it ensures our clients that their customers’ most critical data—upon which their respective businesses are built—is secure with Janrain,” said Jim Kaskade, CEO of Janrain. “The monetary and manpower expense of meeting these standards is a drop in the bucket compared to the peace of mind our customers get knowing that the 1.5 billion–plus digital identities under Janrain’s management are safe.”
More than 3,400 Global 1,000 and midsize organizations use Janrain’s cloud-based product suite—which includes social login, registration and profile-data storage, among other offerings—to give their customers a seamless, highly personalized experience across web, mobile and digital properties. The number of digital customer accounts under Janrain’s management is expected to grow further—the Identity and Access Management market will reach $14.82 billion by 2021, according to research firm MarketsandMarkets. Janrain was first to market in 2002 and has pioneered almost every major CIAM product development since. By obtaining CSA STAR Level 2 Certification by Attestation and ISO 27018 certification, Janrain once again raises the bar in the CIAM industry, while saving CIAM customers the time, money and hassle of performing their own vendor security audits in evaluating choices.
CSA STAR’s security-assurance program is built on principles of transparency, rigorous auditing and harmonization of standards in order to promote best practices and validation of security posture of cloud offerings. By following the ISO 27018 controls, organizations that handle PII can assure their customers and end users that they are using industry-best practices to protect this sensitive data.
Janrain aims to keep its security measures as ironclad as possible. In order to make this transparent and attestable for clients, Janrain maintains more security assurance programs than any other CIAM vendor. In addition to the new CSA STAR Level 2 and ISO 27018 certifications, Janrain also maintains and is audited or assessed for certification/compliance with ISO 27001:2013, SOC 2 Type II (in addition to the Security Common Criteria, Janrain is compliant for the Availability and Confidentiality SOC 2 Trust Principles), HIPAA (storage of healthcare data), HITECH (transmission of healthcare data), US-EU Privacy Shield Framework and the TRUSTe privacy program. Janrain is OpenID Connect (OIDC)–certified, GDPR-ready and compliant with many other security/privacy regulations, such as COPPA, PIPEDA and CFR (Code of Federal Regulations Title 21, Part 11).
 
About Janrain
Founded in 2002, Janrain pioneered Customer Identity and Access Management (CIAM) and is widely recognized by industry analysts as a global CIAM leader. The Janrain Identity Cloud® provides identity management, security and activation solutions that enable seamless and safe customer experiences across their digitally connected world, while providing enterprise organizations with deep customer insights. Janrain’s identity capabilities include social and traditional login and registration, single sign-on, customer profile data storage and management, customer segments, customer insights and engagement solutions. The company powers brands like Pfizer, Samsung, Whole Foods, Fox News, Philips, McDonald’s and Dr Pepper. Janrain is based in Portland, Oregon, with offices in London, Paris and Silicon Valley. For more information, please visit www.janrain.com and follow @janrain.

The post Janrain Raises Bar for Most Rigorous Security Certification in CIAM Industry appeared first on IT Security Guru.

6point6 Launches Cloud Gateway Service by Hosting World’s First Virtual Cloud-Based Event
https://www.itsecurityguru.org/2017/09/28/6point6-launches-cloud-gateway-service-hosting-worlds-first-virtual-cloud-based-event/?utm_source=rss&utm_medium=rss&utm_campaign=6point6-launches-cloud-gateway-service-hosting-worlds-first-virtual-cloud-based-event
Thu, 28 Sep 2017 10:27:23 +0000
6point6, an independent award-winning technology consultancy, unveiled their latest product, Cloud Gateway, this week. Cloud Gateway is a digital transformation enablement product delivering reduced network complexity, reduced cost, rapid deployment, topology agnosticism and a unified, single enforcement policy for organisations. It has been designed in-house by the experts at 6point6 to allow fluid connectivity into, out of and across multiple network environments, providing a modular approach to security and offering granularity in every facet of threat prevention.
6point6 recognises that many businesses have a desire to move to cloud computing and Cloud Gateway provides a managed service to allow this to become a reality. 6point6 transformation services will help businesses to smoothly migrate applications and services to Cloud Service Providers, providing both architectural and delivery skills throughout the transformation lifecycle.
They offer each part of the entire transformation process as a service that can be delivered stand-alone or as part of the entire suite. The modular nature of this approach gives businesses the flexibility of engaging 6point6’s expertise as well as leveraging in-house resources through diverse engagement models.
Justin Day, Cloud Gateway Technology Lead at 6point6 said, “We are very excited to be launching the Cloud Gateway service which is the latest innovation from 6point6. We will enable businesses to transition seamlessly to the cloud. Very quickly our clients will be able to realise the benefits of shifting from legacy and costly systems, to a secure, robust and above all cost effective cloud based infrastructure.”
The benefits of Cloud Gateway include:

  • Cost Reduction: Reduced CAPEX and an efficient OPEX model, with controlled and easy-to-understand monthly costs
  • Greater Control: Full visibility of an organisation’s network, data throughput and security via a single pane of glass
  • Flexibility: Fully adapted to suit changes which may affect an organisation’s priorities or business goals
  • Fully Managed: Access to your infrastructure 24/7, backed by a solid SLA and experience-centric customer service

The Event – A World First
6point6 unveiled their latest product, Cloud Gateway, with the world’s first virtual cloud-based press event. Complete with refreshments delivered directly to the public and through the VR goggles provided, participants were able to immerse themselves in the product launch to gain an understanding of how cloud computing is helping British business save costs and the benefits of the service.
During and after the event, a Q&A session has been ongoing via 6point6’s Twitter feed @6point6ltd. The public are still able to view the event via 6point6’s YouTube channel. For anyone interested in watching the event through VR goggles please contact 6point6@staturepr.com.

The post 6point6 Launches Cloud Gateway Service by Hosting World’s First Virtual Cloud-Based Event appeared first on IT Security Guru.

CALLIGO ACQUIRES LUXEMBOURG-BASED IT SERVICES BUSINESS AMS SYSTEMS PSF
https://www.itsecurityguru.org/2017/09/28/calligo-acquires-luxembourg-based-services-business-ams-systems-psf/?utm_source=rss&utm_medium=rss&utm_campaign=calligo-acquires-luxembourg-based-services-business-ams-systems-psf
Thu, 28 Sep 2017 10:23:54 +0000
Calligo, a leading global cloud solution provider, today announces that it has purchased AMS Systems PSF, a highly respected Luxembourg-based IT Services business that provides managed services and cloud infrastructure to the financial services sector.

Founded in 2011, Calligo provides trusted, privacy-conscious cloud solutions to businesses across the globe. Calligo’s emphasis on GDPR services and data residency enables clients to leverage the advantages of combining innovative Cloud technologies, unrivalled expertise and a commitment to the highest level of standards-based compliance and privacy. The business services hundreds of clients worldwide from its locations in the United Kingdom, Jersey, Guernsey, Switzerland, Singapore, Bermuda and now Luxembourg.

“We’re thrilled to have found the right partner in AMS Systems PSF during this exciting period of growth for our business,” said Julian Box, Chief Executive Officer, Calligo. “I’m confident that AMS Systems’ proven track record, complementary technology services and excellent reputation will support Calligo’s strategic expansion into Luxembourg. This acquisition gives us a fantastic team, respected clients and unlocks the Luxembourg market. We’re also excited to announce that we will be the first CSP to host Azure Stack in Luxembourg. With the backing of our investor Investcorp Technology Partners, we are actively looking to execute further strategic add-on acquisitions over the coming months as we continue to expand our global footprint.”

Mark Gillies, AMS Systems said: “We are very excited about this agreement with such a respected and dynamic business as Calligo because it brings together two highly entrepreneurial organisations, providing us with a unique opportunity to expand our services while sharing in the success of Calligo’s expanding international cloud network.”

Post acquisition, AMS Systems PSF will be integrated into Calligo.  The rebranded company will continue to operate from its existing location with no change of personnel thereby ensuring continuity of service for its clients.  Over the next few months Calligo will expand the range of services provided including being the first service provider to offer Azure Stack in Luxembourg.

KPMG in Jersey & Luxembourg and AMMC Law in Luxembourg acted as advisors on the transaction.

ABOUT AMS SYSTEMS PSF

AMS Systems PSF supplies and manages IT services for small and medium sized businesses in Luxembourg. Its services cover every aspect of a business’s IT requirements. From supporting the day to day needs of employees to managing the roll out of new business applications, AMS take the stress out of IT, allowing organisations to focus on their core business.  AMS Systems PSF is regulated by the CSSF in Luxembourg as a “Professionnel du Secteur Financier” allowing its specialist provision of services to financial organisations that are subject to stringent regulatory standards.

About Calligo

Calligo is an innovative cloud service provider offering mid-sized companies the highest levels of data privacy and security. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalised support service from its globally located cloud platforms. Through its four pillars of focus, Calligo delivers a platform that businesses can trust to deliver the high level of service and protection they expect and which is lacking in many cloud offerings.

The post CALLIGO ACQUIRES LUXEMBOURG-BASED IT SERVICES BUSINESS AMS SYSTEMS PSF appeared first on IT Security Guru.

Netskope Report Reveals Bulk of Cloud Services Still Not GDPR-Ready
https://www.itsecurityguru.org/2017/09/18/netskope-report-reveals-bulk-cloud-services-still-not-gdpr-ready/?utm_source=rss&utm_medium=rss&utm_campaign=netskope-report-reveals-bulk-cloud-services-still-not-gdpr-ready
Mon, 18 Sep 2017 10:34:26 +0000
Netskope, the leader in cloud security, today announced the release of the September 2017 Netskope Cloud Report™ on enterprise cloud service usage and trends. With the compliance deadline for the European Union General Data Protection Regulation (GDPR) fast approaching in May 2018, this quarter’s report took a close look at GDPR readiness among enterprise cloud services, finding little change in level of preparedness compared with levels previously reported. Nearly three-quarters of cloud services still lack key capabilities to ensure compliance.
 
Data suggests enterprise standardisation in cloud adoption
In this report, Netskope observed a slight dip in the average amount of cloud services in use per enterprise, signalling that enterprises may be standardising on cloud services and coaching users away from unsanctioned and shadow IT-related apps. The average enterprise has deployed 1,022 cloud services, down slightly from last quarter’s average of 1,053. Of those cloud services in use, only 24.6 percent received a GDPR-readiness rating of “high”, based on attributes like the location where data are stored, level of encryption and data processing agreement specifics.
 
Threat landscape continues to evolve: Bitcoin malware a new finding
When examining threats putting secure enterprise data at risk on a daily basis, the Netskope Threat Research Labs found backdoors were the most frequent threat across enterprise environments, accounting for 27.4 percent of all detections. This is followed by ransomware at 8.6 percent, adware at 8.1 percent, JavaScript at 7.2 percent, Mac malware at 7.2 percent, Microsoft Office macros at 5.9 percent, and PDF exploits at 2.7 percent.
This quarter’s report also took a look at Bitcoin or cryptocurrency-related malware for the first time, finding that it accounted for 0.9 percent of all threats, many of which are hosted in IaaS environments like Amazon Web Services. In addition, “high severity” threats made up 86.9 percent of all threats, up from 69 percent last quarter, and 23.8 percent of malware-infected files were shared with others, including internal or external users, or even shared publicly.
 
Collaboration apps show no signs of slowing down
With half of the top 20 list consisting of cloud storage or collaboration services, organisations should keep an eye on data flowing in and out of these services. Many cloud storage and collaboration services connect to other cloud services (for example, cloud storage connecting to Salesforce or DocuSign), and a comprehensive cloud security program should take into account what controls to place in cloud service-to-cloud service communications and processing.
“Cloud adoption is an inevitability and has enormous business value for enterprises across all geographies and verticals.  It also introduces a new set of complex security challenges in the enterprise, with regulations like the GDPR one of the more complex challenges,” said Sanjay Beri, CEO and founder of Netskope. “On the eve of the compliance deadline, complete visibility into and real-time control over cloud usage and activity in a centralised, consistent way that works across all cloud services is paramount for organisations to understand how they use and protect their customers’ personal data and, consequently, comply with the GDPR.”
 
Average cloud services per enterprise by category
This quarter, the average amount of cloud services per enterprise decreased 2.9 percent to 1,022 cloud services, compared to 1,053 last quarter. For the second quarter running, manufacturing led the way with the highest average amount of cloud services used with 1,370, followed by healthcare and life sciences with 1,340. Financial services, banking, and insurance came in third with 1,175 and retail, restaurants, and hospitality fourth with 976. Technology and IT services dropped to 772 this quarter.
With regard to specific cloud services, HR services are the most popular – and most likely to house sensitive and personal data as defined by the GDPR. Collaboration apps saw a jump: the average enterprise has 85 collaboration apps in use, up from 71 last quarter. By contrast, the average number of productivity apps in use actually went down, signaling a shift in the way enterprise employees are getting things done — favoring collaboration and communication over traditional productivity trackers.
 

| Service Category | Average # cloud services | %NER |
| --- | --- | --- |
| HR | 109 | 95% |
| Marketing | 102 | 98% |
| Collaboration | 85 | 84% |
| Finance/Accounting | 59 | 94% |
| CRM | 50 | 93% |
| Software development | 32 | 75% |
| Productivity | 33 | 75% |
| Social | 24 | 89% |
| Cloud storage | 24 | 67% |
| IT Service/Application Management | 22 | 96% |

 
 
 
Resources:

  • Download the Netskope Cloud Report for more detailed analysis and to see the full list of the most widely used cloud services by enterprises.
  • Learn more about how to gain visibility into enterprise cloud services and how to ensure they are secure and compliant.
  • Visit the Netskope Hub for the latest commentary and insight on trends from the Netskope team.

 
About the Netskope Cloud Report
Based on aggregated, anonymised data from the Netskope Active Platform, which provides advanced discovery, granular visibility, and control, and data loss prevention for any cloud service, the report’s findings are based on millions of users in hundreds of accounts globally in the Netskope Active Platform from April 1 through June 30, 2017.
 
About Netskope
Netskope is the leader in cloud security. Using patented technology, Netskope’s cloud-scale security platform provides context-aware governance of all cloud usage in the enterprise in real-time, whether accessed from the corporate network, remote, or from a mobile device. This means that security professionals can understand risky activities, protect sensitive data, stop online threats, and respond to incidents in a way that fits how people work today. With granular security policies, the most advanced cloud DLP, and unmatched breadth of workflows, Netskope is trusted by the largest companies in the world. Netskope — security evolved. To learn more, visit our website
 

The post Netskope Report Reveals Bulk of Cloud Services Still Not GDPR-Ready appeared first on IT Security Guru.

KrolLDiscovery brings end-to-end eDiscovery to the cloud with Nebula
https://www.itsecurityguru.org/2017/09/04/krolldiscovery-brings-end-end-ediscovery-cloud-nebula/?utm_source=rss&utm_medium=rss&utm_campaign=krolldiscovery-brings-end-end-ediscovery-cloud-nebula
Mon, 04 Sep 2017 11:25:08 +0000
KrolLDiscovery announced today that it has launched Nebula™, an end-to-end eDiscovery solution optimised for the cloud. Nebula is the next generation version of eDirect365 and builds on eDirect365’s strong processing and review capabilities.
Nebula offers a user-friendly approach to the eDiscovery process, automating and simplifying typically complex tasks. As a web-based application, it is accessible from all modern browsers and mobile devices, including iPad and Android tablets.
Nebula can be deployed within the Microsoft Azure cloud network, bringing scalability and rapid deployment capabilities across the globe. Alternatively, Nebula can be hosted in one of KrolLDiscovery’s state-of-the-art ISO 27001-certified data centers.
“We are excited for the future of Nebula,” said Chris Weiler, President and CEO of KrolLDiscovery. “Expanding our eDiscovery capabilities to the cloud is a benefit to our multi-national and international clients as they can now process, store and access their data across the globe. All the while, we are dedicated to providing the same industry-leading service we are known for by our clients.”
Nebula provides cutting edge technologies allowing users to process, cull, analyze, review and produce data from within a single system. While Nebula provides full support for sophisticated end-users looking to “do it all,” our clients can also rely on KrolLDiscovery’s industry-leading 24/7/365 support to manage eDiscovery projects within its framework.
 

The post KrolLDiscovery brings end-to-end eDiscovery to the cloud with Nebula appeared first on IT Security Guru.

An Interview with 2016 Cloud Security Superhero Andrew Hardie
https://www.itsecurityguru.org/2017/08/09/interview-2016-cloud-security-superhero-andrew-hardie/?utm_source=rss&utm_medium=rss&utm_campaign=interview-2016-cloud-security-superhero-andrew-hardie
Wed, 09 Aug 2017 12:06:51 +0000

 
At last year’s Security Serious Unsung Heroes Awards, Andrew Hardie, Chair of the BCS DevSecOps Group, was awarded the title of Cloud Security Superhero. I chased him up to see what his overview thoughts on the event were and to ask why it is important to support and encourage people to take part.
What is the significance of the Unsung Heroes Awards for the cybersecurity community?
“It’s to recognize those who make those contributions that are below the surface, but still vitally important. It’s like infrastructure in IT – it’s unsung, often unnoticed, but it’s absolutely necessary.”
What did winning the award mean for you?
“I was very pleased. I felt our efforts to put security into DevOps, which has been largely ignored, did find an audience and did resonate with professionals in the DevOps world, who also realised and knew this needed addressing.”
What characteristics should a Cloud Security Superhero Award winner have?
“They have to think of the stuff other people don’t think of. They also have to get past the hype of cloud and get to the core, business and functional needs of why you’re doing cloud and make sure this is done in a secure and reliable way.”
Why is it important to encourage people to get involved?
“Precisely that such unsung, but vital activities are recognized and rewarded.  Infrastructure people are far too often ignored, it’s like this old adage about IT and public service: on tap but never on top. So, I think it’s excellent that these awards do recognize such activity that otherwise can get ignored or just forgotten, because when you are a site reliability engineer, that kind of infrastructure level, the only time your work is noticed is when something goes wrong.”
You can hear Andrew talk about the emergence of DevSecOps and why it is so crucial in the modern business here.

The post An Interview with 2016 Cloud Security Superhero Andrew Hardie appeared first on IT Security Guru.

Cisco accidentally loses customer data due to Meraki cloud configuration error
https://www.itsecurityguru.org/2017/08/07/cisco-accidentally-loses-customer-data-due-meraki-cloud-configuration-error/?utm_source=rss&utm_medium=rss&utm_campaign=cisco-accidentally-loses-customer-data-due-meraki-cloud-configuration-error
Mon, 07 Aug 2017 09:09:52 +0000

Cisco has admitted to losing some customers’ data last week due to a Meraki cloud configuration error. The company revealed in an update on Friday that its engineering team made a configuration change on the North American object storage service that led to some of its customer data being deleted in the process. Meraki is a subsidiary of Cisco that offers cloud-managed information technologies for wireless, switching, security, EMM, communications and security cameras via its web-based dashboard interface.
ORIGINAL SOURCE: IB Times

The post Cisco accidentally loses customer data due to Meraki cloud configuration error appeared first on IT Security Guru.

Does the cloud really live up to its security expectations?
https://www.itsecurityguru.org/2017/08/07/cloud-really-live-security-expectations/?utm_source=rss&utm_medium=rss&utm_campaign=cloud-really-live-security-expectations
Mon, 07 Aug 2017 09:03:17 +0000

Having worked in the data management industry for nearly two decades, I have noticed that “the new data culture” promised by the introduction of cloud technologies hasn’t quite taken off to the level promised to the enterprise market.
As the cloud model has matured from basic hosting all the way up to full services, a huge element of competitive uniqueness and identity is the data that is generated and leveraged across businesses. Cloud architectural models have evolved from hosted hardware through to sophisticated virtual, multi-tenant services.
In enterprise these models were initially met with scepticism, and we have not yet seen the predicted great leap forward in the take-up of these services across the globe. Whether that is down to cost or cultural reasons, there may also be a genuine and increasingly high-profile reason: data security.
Enterprises had of course always developed private, purpose-built IT fortresses, secured by isolation and by both physical and virtual perimeters. Through perimeterisation came the belief that trust could be obtained within these highly controlled environments. This traditional datacentre model would include a scale-up, proprietary, hardware-orientated architecture where business services were limited to a physical unit. ‘Locking the cabinet’ provided a great deal of comfort against any external threats. However, this model has quickly moved from being an asset to a liability.
Whilst there is no doubt this type of isolation provides a degree of security, modern business no longer happens in proprietary, siloed ways. Business partners, clients and systems are highly distributed, and the idea of centralising runs against the modern trajectory of business. We even see a new breed of ‘cloud native’ business and technology, built and designed in (and for) exactly this type of hosted, distributed architecture. These agile and fast-moving new entrants are global from the beginning and are focused on consumer-grade engagement. Ease of use is core to their success.
This modern collaborative, sharing mentality means that the traditional enterprise has sprung a plethora of ‘shadow’ IT workarounds across its data borders, and in many cases has lost control of its vital data assets. Examples abound of intercompany and extra-company data sharing that punches holes straight through the “secure” perimeters and makes a mockery of the once hallowed silo walls. CSV files extracted and sent across insecure email channels, or downloaded onto a CD and sent by physical courier to a trusted partner: these are not unusual activities to find somewhere within an enterprise, with or without official permission from IT owners, and certainly going against standard company and regulatory protocols.
This activity isn’t usually malicious, of course; it’s simply a necessary way to break the chains on the valuable enterprise data contained within each isolated silo, and to allow efficient and profitable use of that data to maintain a competitive edge over more agile rivals, or to reduce the pressure on the bottom line. More and more managers are demanding access to, and availability of, data right across their networks, whether that be system data or personal records, to give them the insight and knowledge to compete.
And that of course is a major driver of enterprises who are taking up the challenge and moving toward digital transformation. It is no longer a question of if, it is a question of when.
But are the traditional data managers right to be cynical? The perceived loss of “control” once the data effectively leaves the confines of your protected environment can be alarming, and has certainly come at a cost for some high-profile companies. Practically every week we hear of yet another data breach happening across the ultra-connected digital world that was meant to come with a high level of data resilience. In March this year alone, 74 million pieces of individual data were leaked globally. In May of next year we have the General Data Protection Regulation (GDPR), which will see a company that doesn’t report a data breach within 72 hours be subject to a fine of 4% of its previous year’s global turnover or €20, whichever is the greater. No wonder so many IT overseers are quaking in their boots about “releasing” their data to the cloud.
And this is just from external threats. How can you control and monitor what’s happening to the data within your decentralised infrastructure?
So could a new technology be the key to allowing enterprises the freedom they want (and their managers demand) without exposing them wide open to a malicious attack or a leak that could cost them millions in fines? In order to truly have the freedom and agility to act on the data collected, generated and shared within your organisation’s networks, you absolutely have to trust where it is, where it’s been and who or what has accessed it.
Blockchains, or more specifically distributed ledger technologies, are not really a new technology (and you would have to be from Mars not to have heard the hype), but until now they have mainly been used as the underwriting ledger to cryptocurrencies like bitcoin: huge public shared ledgers that mathematically deliver trust in an uncontrolled environment, where distributed results and group consensus determine the integrity of the final result.
As an append-only database technology, every new block of information is encrypted with a part of the previous one, making the historical record of data unchangeable. This builds up into a chain in which, if it were even possible to remove a link, the removal would be identified immediately.
What if that same immutability could be applied across the enterprise, to both its corporate system data and the personally identifiable information (PII) that it holds and wishes to share, but within a private, permissioned blockchain?
As it happens the underlying principles are perfect for just such a set-up, and a small number of firms are developing these enterprise blockchains: private, permission-based ledgers that maintain the consensus architecture and high governance, whilst dropping the unnecessary and energy-sapping public computing side.
What’s more, the data logic in the platforms being built upon these ledgers means that highly sophisticated and encrypted methods of authorisation and authentication can be built in, allowing not only consent-based distribution of personal information (by the owner), but limited access rights to any such information by any particular sanctioned third party.
Not only would the ledger have a complete immutable record of what has happened to that data, but the software can also completely control who has access, when and what is shared.
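The append-only chaining described above can be seen in a few lines of Python. This is an added example, not code from the article or from any vendor's platform: it assumes each entry is linked to its predecessor with a SHA-256 hash (the usual construction), and the function names and the data-access events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first link


def digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, record):
    """Add a record linked to the hash of the entry before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev_hash, "record": record,
                  "hash": digest(prev_hash, record)})
    return chain[-1]["hash"]  # head hash: keep a copy outside the ledger


def verify(chain, expected_head=None):
    """Return None if intact, else the index of the first bad entry.

    Returns len(chain) when every link is consistent but the final hash
    differs from expected_head (entries cut from, or added to, the end).
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash:
            return i
        if entry["hash"] != digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)
    return None


def build_sample():
    # Constructed data-access events, not taken from any real system.
    events = [
        {"actor": "hr-app", "action": "read", "object": "employee/1001"},
        {"actor": "partner-x", "action": "read", "object": "employee/1001"},
        {"actor": "hr-app", "action": "update", "object": "employee/1001"},
        {"actor": "auditor", "action": "read", "object": "employee/1001"},
    ]
    chain, head = [], GENESIS
    for event in events:
        head = append(chain, event)
    return chain, head


if __name__ == "__main__":
    chain, head = build_sample()
    print("intact:", verify(chain, head))
    chain[1]["record"]["actor"] = "hr-app"  # rewrite one historical entry
    print("first bad entry:", verify(chain, head))
```

Editing or removing an entry in the middle breaks the link that follows it, but dropping entries from the end leaves a chain that still verifies on its own; that case is only caught by comparing against a head hash held somewhere the ledger's writer cannot change.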
It’s early days for such systems, but it certainly seems that distributed ledger technologies could hold the key for finally allowing the de-perimeterisation of data to safely follow the de-perimeterisation of infrastructure into the clouds.
 
Ian Smith, Founder and CEO of Gospel Technology.

The post Does the cloud really live up to its security expectations? appeared first on IT Security Guru.

Thales strengthens its multi-cloud data security portfolio
https://www.itsecurityguru.org/2017/07/26/thales-strengthens-multi-cloud-data-security-portfolio/?utm_source=rss&utm_medium=rss&utm_campaign=thales-strengthens-multi-cloud-data-security-portfolio
Wed, 26 Jul 2017 09:57:12 +0000

Thales, a leader in critical information systems, cybersecurity and data security, is making it easier for organisations to manage and secure their data in multi-cloud environments. Its advanced data security solutions integrate with the leading cloud service provider platforms from Amazon Web Services (AWS), Google, Microsoft and Salesforce, allowing users to establish strong safeguards around their sensitive data and applications in the cloud, satisfying compliance requirements and giving them greater control and flexibility.
According to IDC, nearly 80% of IT organisations currently deploy multi-cloud or plan to implement multi-cloud environments within 12 months. Securing data in a multi-cloud environment can be especially problematic for organisations seeking compliance, since they need to prove they can control their data by following best practices around cloud data security shared responsibility models.
Delivering high performance encryption, sophisticated access control, intelligent auditing and strong key management, the latest additions to the Thales portfolio further assist customers with security, trust and control of their multi-cloud architecture. Understanding the challenges most organisations face in navigating this landscape, Thales provides the broadest support of cloud environments and data security technologies for multi-cloud data security.
Now both Microsoft Azure and AWS users will benefit from new enhancements to the Vormetric Data Security Manager (DSM), which offers centralised, FIPS 140-2 certified key and policy management. The latest version of Vormetric DSM in the Azure Marketplace brings support for Vormetric Transparent Encryption Live Data Transformation – which mitigates the need for downtime when transforming or rekeying encrypted data – and container security. Also newly available in Microsoft Azure is the Vormetric Tokenization Server; the platform enables workloads running in Microsoft Azure to tokenise data and offer dynamic data masking using simple REST API calls.
Peter Galvin, vice president of strategy for Thales eSecurity says:
“Ultimately, organisations operating in multi-cloud environments benefit most when they have a consistent, integrated solution that offers comprehensive data security and the ability to effectively manage encryption keys across diverse environments. Thales cloud security and key management allow companies to achieve both aims, which is vital as organisations are responsible for keeping their data secure, and can’t default to holding the cloud provider solely responsible if and when something goes awry.”
Other Thales solutions offering security, control and management for multi-cloud environments include:

  • nShield BYOK: The FIPS 140-2 certified key management solution gives organisations centralised control over their encryption keys regardless of whether they choose to utilise their cloud provider’s native encryption, available for AWS, Microsoft Azure and Google Cloud Platform users
  • nShield Web Services Crypto API: The new API will help customers to save time and money at deployment by avoiding custom software integration with HSMs and gain flexibility with the ability to use any custom or non-standard operating system
  • Vormetric Transparent Encryption: Protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging for on-premises, public clouds, and hosted services
  • Vormetric Key Management as a Service (KMaaS): Available for Salesforce Platform Encryption, KMaaS allows users to establish custodianship and strong controls over encryption keys. The service can be used in the cloud or deployed on-premises
  • Vormetric Cloud Encryption Gateway (VCEG): Delivering client-side encryption for Amazon S3 and compatible services, the latest version is now multi-tenant with increased performance
  • Vormetric Orchestrator: Simplifies the deployment, scale and operations of the DSM, for both on-premises and multi-cloud environments with the most notable addition being Ansible support for configuration management

Industry insight and views on the latest key management trends can be found on the Thales eSecurity blog at blog.thalesesecurity.com.

The post Thales strengthens its multi-cloud data security portfolio appeared first on IT Security Guru.
