What do you get when you combine the cloud and mobility? According to Cisco, you get a “perfect storm of security threats” ─ not that there was any shortage of security fears associated with the cloud already.
After all, we’ve all seen the numerous studies, including the much-publicized survey by Internap, citing “security” as among the major inhibitors to cloud adoption. It’s also well documented in Cisco’s own annual security report for 2014. However, mobility ups the security concerns for many reasons.
First, the growth of mobile devices and cloud computing has made most legacy security solutions obsolete. Traditional firewalls and comparable security mechanisms are designed to allow mobile devices to bypass security configurations and access applications inside an organization’s protected network, which means a mobile device in the wrong hands has access too.
Second, it used to be that security goals were focused on protecting physical assets like a desktop computer. Protect the device, and you protect the data housed on it. With a mobile workforce accessing enterprise data from a wide array of devices ─ many belonging to employees ─ things get complicated.
Mobile devices easily connect with cloud services and other devices whose security approaches may be unknown and outside of the organization’s control, making it easier for these devices to introduce security risks merely by accessing an organization’s network. And let’s not forget mobile malware that targets specific device types, as well as phishing and social engineering ruses.
Forbidding the use of employee-owned devices isn’t going to fly, and there’s no guarantee that every employee will abide by stringent BYOD policies. Add in the cloud, which exists outside the boundaries of an enterprise environment, and you can see how daunting the challenge is.
Now think about organizations in highly regulated industries, like healthcare, which are subject to mandated data privacy requirements. It is often unclear what role mobility and cloud computing play and where the burden of responsibility lies. What is known is that meeting the stringent security controls can be costly, but not nearly as costly as not meeting them.
There’s no single solution for securing data amidst this convergence of mobility and cloud usage. However, employing a multi-faceted, multi-layered approach to IT security can help. Many of these suggestions have been addressed before, but they are worth repeating.
- Categorize and classify your data and determine the different security needs of each, including any impacted by industry or government compliance mandates. Use the information to define security and access requirements.
- Explore the use of next-generation physical and virtual firewalls, which make use of new types of scanning processes and security engines to offer advanced levels of protection.
- Insist upon service level agreements and independent reporting processes from any cloud services provider (CSP) you work with, to help ensure it meets your security requirements. While you’re at it, make sure these CSPs have state-of-the-art security built into their services. Supplement your confidence by also making sure your CSP undergoes regular audits for compliance with a number of regulatory requirements, which mandate rigorous security controls ─ PCI DSS and HIPAA among them.
- Explore managed security services that enable you to draw upon the expertise and industry best practices of companies that specialize in staying on top of and battling emerging security threats.
- Consider implementing mobile device management (MDM) solutions to automate employee device security and management. Virtual or cloud-delivered desktop services are options as well.
Equally important, don’t be caught unprepared. Have a plan in place for dealing with an incident, including how and when you will recover mission-critical data. A recovery cloud solution or other disaster recovery solutions should be components of your plan.