Category Archives: Security

CDN Performance Report – Month of June – 2015

CDN Performance Report – Month of June – 2015

CDN Performance Report

Each month CloudTweaks will be providing a series of benchmark testing performance reports conducted by our contributing partners. The first in our series will be on (CDN) Content Delivery Networks which is a growing industry whose customers are primarily web based companies looking for that extra layer of site protection and speed. This monthly Performance Data Report is provided by Cedexis

HTTP Latency

In North America we note an increase in Latency for Akamai around the 14th of June that lasted about 3 days. Over the course of the month however, Akamai maintained a clear advantage over the other CDNs measured here.

cdn-1

Moving to South America we see that Akamai is also maintaining a clear latency lead at 125ms on average for the month vs. their competitors as measured at the 75th percentile.

cdn-5

In Europe Level3 and Edgecast ran neck and neck for the entire month at the number 2 slot averaging roughly 67ms at the 75th percentile.

cdn-2

In Asia Akamai ran on average at around half the latency of its nearest competitors at around 37ms at the 75th percentile. Of note was a 3-4 day increase in latency that knocked them to over 160ms for at least 2 days on average.

cdn-6

In Africa Akamai ran at near 210ms at 75th percentile while the rest of the pack at between 247ms and 251ms at the 75th percentile.

cdn-3

Now turning our attention to Availability we see that worldwide (5 major geographies: Asia/Europe/N America/S American/Africa) for the month of June Availability on average was between 98.295% and 98.578%. In spite of a significant dip in Availability for Level3 in the middle of the month – they led on average for the month.

cdn-7

Regionally the story was different. It was only in Europe that all 5 CDNs reached 99% available. In N American not one CDN was over 99% for the month. Other geographies were worse.

cdn-4

Benchmark testing provided by

cedexis

7 Cloud Security Mistakes Bound To Bite You

7 Cloud Security Mistakes Bound To Bite You

7 Main Cloud Security Mistakes 

Like sharks off the coast of North Carolina this summer, information security threats are lurking. And now that cloud computing is woven into the fabric of IT everywhere, specific risks to an enterprise’s data apply.

Cloud computing is to IT what Shark Week is to summertime: a cultural feeding frenzy. In a nod to the annual TV chomp-fest, Perspecsys presents the Seven Cloud Security Mistakes Bound to Bite You.

But taking basic precautions – whether at the beach or on the job – can help keep you and your data safe, respectively.

1. Relinquishing control of your most sensitive data to a cloud service provider

Just as swimmers are at the mercy of the ocean, using public cloud services equates to turning control of your data – even the sensitive and regulated data – over to cloud service providers.

Safety tip: For users: adhere to IT and security policies set by your organization when signing up for cloud services for business use. For organizations: Get familiar with data-centric security tools that work in and outside the company’s walls, in particular, cloud data encryption and tokenization.

sensitive-data

2. Not knowing where your data is hanging out

There are some beaches were you know you should not be going into the water. In the same vein, knowing the physical locations of where your data is being processed and stored will keep you on the right side of data-residency regulations that have a painful bite if they are violated.

Safety tip: Make sure you understand where you cloud provider’s primary and back-up datacenters are located. Take time to investigate the prevailing legal requirements in all of these jurisdictions regarding data privacy. Look to technologies such as cloud data tokenization to keep data resident in specific locations if data residency issues are challenging your cloud adoption program.

3. Not reading the fine print

When you sign up for cloud apps, you agree to the associated terms and conditions. This is like going full Hasselhoff with disregard for beach warning signs, since the policies and standards your organization adheres to regarding the treatment of data are likely not shared by the cloud service provider.

Safety tip: Insist on contractual clauses, which require that data maintained by your service providers be treated in certain ways. For example, if regulated data such as patient information is placed in third party cloud systems, additional safeguards may need to be put in place to ensure it is adequately protected.

4. Using weak passwords

Weak passwords are like a three-sided shark cage. Cyber criminals can swim right through your defenses. The top 100 passwords people use haven’t changed over the years, according to Researcher Mark Burnett who released 10 million passwords collected from data breaches over the past decade.

Safety tip: Use different passwords for different services and change your passwords frequently.

5. Believing passwords are enough

Letting passwords lull you into a false sense of security is like thinking you’re safe by swimming in a group, but not knowing there’s a colony of seals a few feet away. Shark and cyber attacks are both on the rise in 2015 as the number of bites and breaches continue to climb. The good news is that awareness is rising that even a strong password isn’t enough to keep data safe and savvy professionals are putting multiple layers of defense in place.

Safety tip: Strong multi-factor authentication is necessary to keep the network and cloud applications secure. Also use techniques like data encryption and tokenization to minimize the number of systems where data flows to in the “clear”, thereby minimizing the points where cyber criminals can get their hands on anything meaningful.

6. Not backing up your data

Boating without a life raft isn’t a high percentage move in the event of an accident. If anything, the famous U.S.S. Indianapolis speech from Jaws will make you want to always have a back up ride to shore. Make sure your cloud provider allows you to make local backups of your data too. This isn’t always possible with some of the big consumer cloud services, so be sure to ask.

Safety tip: Having backups of your data is always a good idea whether it is stored in the cloud or not. Using more than one cloud service minimizes the risk of widespread data loss or downtime due to a localized component failure.

7. Poor planning leaves you in a bind

If only Quint had listened to Chief Brody and went back to shore to get a bigger boat, perhaps he would have survived! As with most things in life, incorporating new data points into your plans can help keep you afloat. As you consider your cloud adoption programs, stay abreast of impending changes that can impact your cloud use, such as data privacy regulations that have been getting increasingly strict over the past year.

Safety tip: Map out the “life” of your cloud data. Pay attention to what countries it flows through and where it gets processed and stored. Identify if the movement of your data to any of these countries creates potential compliance or regulatory issues for you – either now or in the future – and take proactive steps to address the problem before it is too late.

PerspecSys-David-CanellosBy David Canellos

David is President and CEO of Perspecsys. Previously, David was SVP of Sales and Marketing at Irdeto Worldwide, a division of Naspers. Prior to that, David was the President and COO of Cloakware, which was acquired by Irdeto. Before joining Cloakware, David was the General Manager and Vice President of Sales for Cramer Systems (now Amdocs), a UK-based company, where he was responsible for the company’s revenue and operations in the Americas. 

The Business of Security: Avoiding Risks

The Business of Security: Avoiding Risks

The Business of Security

Security is one of those IT concerns that aren’t problematic until disaster strikes. It might be tomorrow, it could be next week or next year. The fact is that poor security leaves businesses wide open for data loss and theft. News outlets just skim the surface, but hackers cost business up to $575 billion each year. What’s concerning for CIOs is that risk assessment is placed solely on the IT department, even if the breach stems from BYOD and other personal systems.

Encryption Isn’t Enough

security

The traditional school of thought – especially with SMBs – is to encrypt data and use SSL or TLS on public systems. While this protects from eavesdroppers, it doesn’t protect from creative cyber threats that often phish for legitimate credentials from employees or contractors.

The latest big-time hacks circumvented encryption defense. The recent OPM hack that gave cyber criminals access to data covering millions of government employees and contractors wouldn’t have helped. Encryption protects data from being seen by unauthorized users and eavesdroppers, but OPM hackers had valid security credentials. They mimicked real login attempts, which circumvent basic encryption.

Even following common standards isn’t enough as Target discovered in 2013. Target lost 40 million credit card numbers to hackers who penetrated their point-of-sale (PoS) systems. You might think that Target oversaw some security standard, but the company was PCI compliant. PCI compliance is the de facto in credit card processing security, and Target’s security followed all the requirements. Regardless of its security implementation, hackers were still able to find a hole in the system.

Both OPM and Target have two things in common – the security hole was created by their own employees and vendors who gave up security credentials to phishing malware.

Assessing Risks Across Internal Systems

CIOs are tasked with providing employees with more mobility and freedom across the network while still creating a secure environment that’s hacker-proof. It’s not an easy task when you’re limited to what you can lock down.

Bring-your-own-device (BYOD) policies are a good start. Mobility is one of the fastest trending benefits for employees. BYOD lets them use personal laptops, smartphones and tablets for business. It’s become a part of corporate culture, and it offers more flexibility for employees to work at the office or at home. Before CIOs can implement a policy, they need to know the risks.

Mobility offers flexibility for employees and hackers. Mobile devices are even more vulnerable to viruses than desktops since most people have antivirus software on a desktop but not a mobile device. This leaves mobile devices wide open as a vector for trojan or virus injection onto the network.

Mobility isn’t the only risk. Telecommuting also gives employees the ability to work from home and saves in office resource costs. VPN connections allow employees to connect to the corporate network from any personal device. Just like BYOD security risks, these desktops could house malware that then transfers to the internal network.

VPN and BYOD are two hot topics in corporate security, but there are numerous others. Before CIOs can assure protection from cyber threats, they first must document each mode of network connection and assess risks associated with them. Even if the internal machine is completely anonymous to outside traffic using a firewall, it can still house vulnerabilities. It’s a team effort to assess risk, but it’s also a prudent part of IT asset management.

Creating Security Policies

risk-management

With both VPN and mobility risks assessed, CIOs can craft security policies that focus on flexibility for teleworking while still protecting internal resources. MDM tools track the number of mobile devices. IDS software identifies rogue, suspicious network traffic. IPS software tests servers and software for any common security flaws. Find the right tools on the market that make risk management more efficient.

CIOs and security experts are still new to mobility, so the commonality between most businesses is piecing together a policy that works for the business. It’s tempting to lock down systems and remove mobility altogether, but this type of policy isn’t feasible in today’s mobile market.

Quarantining mobile hotspots from critical systems is one way to manage risk. Users can share and store data on a segmented part of the network away from sensitive data, servers, and workstations.

Your policy should implement granular authentication and authorization that matches users with data they need to know. Classify information, so then security roles can be assigned to authorized employees. While this won’t guarantee protection, it will limit the amount of damage in case of a breach.

Training Staff

One of the most important parts of risk assessment and IT security is training staff. Protecting data should be a unified effort between all employees, vendors, contractors, and outside visitors.

Training is an ongoing effort from IT security staff that should integrate well into the on-boarding staff process. It’s not a process that’s limited to just employees. All executives, managers and employees should understand the risks and work to protect data from cyber threats.

In conclusion, reining in assets and risks and then applying the right security management is a huge effort for any CIO. Whether the business is small and growing or large and revenue-generating, a security policy should be a line of business that strategically defends against cyber threats and hackers.

By Jennifer Marsh

This post is brought to you by The CIO Agenda.

KPMG LLP is a Delaware limited liability partnership and is the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. The views and opinions expressed herein are those of the authors and do not necessarily represent the views and opinions of KPMG LLP.

Cisco Expands Portfolio By Acquiring Threat Protection Firm OpenDNS

Cisco Expands Portfolio By Acquiring Threat Protection Firm OpenDNS

Cisco Announces Intent to Acquire OpenDNS

Acquisition to Accelerate Cisco’s Cloud Delivered Security Portfolio

SAN JOSE, Calif. – June 30, 2015 – Today, Cisco announced its intent to acquire OpenDNS, a privately held security company based in San Francisco. OpenDNS provides advanced threat protection for any device, anywhere, anytime. The acquisition will boost Cisco’s Security Everywhere approach by adding broad visibility and threat intelligence from the OpenDNS cloud delivered platform.

The burgeoning digital economy and the Internet of Everything (IoE) are expected to spur the connection of nearly 50 billion devices by 2020, creating a vast new wave of opportunities for security breaches across networks. The faster customers can deploy a solution, the faster they can detect, block and remediate these emerging security threats. OpenDNS’ cloud platform offers security delivered in a Software-as-a- Service (SaaS) model, making it quick and easy for customers to deploy and integrate as part of their defense architecture or incident response strategies. By providing comprehensive threat awareness and pervasive visibility, the combination of Cisco and OpenDNS will enhance advanced threat protection across the full attack continuum—before, during and after an attack.

Typically devices and people connected to the network are easier to identify and track for potential security threats. However in a world in which devices and people can connect from anywhere at anytime, enterprise IT teams have increasingly limited visibility into potential threats from these unmonitored and potentially unsecure entry points into the network, creating tremendous security risk. Combining OpenDNS’ broad visibility, unique predictive threat intelligence and cloud platform with Cisco’s robust security and threat capabilities will increase awareness across the extended network, both on- and off-premise, reduce the time to detect and respond to threats, and mitigate risk of a security breach.

As more people, processes, data and things become connected, opportunities for security breaches and malicious threats grow exponentially when away from secure enterprise networks,” said Hilton Romanski, Cisco chief technology and strategy officer. “OpenDNS has a strong team with deep security expertise and key technology that complements Cisco’s security vision. Together, we will help customers protect their extended network wherever the user is and regardless of the device.

The OpenDNS team will join the Cisco Security Business Group organization led by David Goeckeler, senior vice president and general manager. Under the terms of the agreement, Cisco will pay $635 million in cash and assumed equity awards, plus retention based incentives for OpenDNS. The acquisition is expected to close in the first quarter of fiscal year 2016, subject to customary closing conditions.

About Cisco

Cisco (NASDAQ: CSCO) is the worldwide leader in IT that helps companies seize the opportunities of tomorrow by proving that amazing things can happen when you connect the previously unconnected. For ongoing news, please go to http://thenetwork.cisco.com.

Cyber Security Is BIG Business

Cyber Security Is BIG Business

Cyber Security Investments Are Growing

Cyber Security shares on Wall Street are soaring as hackers continue to crack into the cyber defense systems set up by government agencies, banks and retailers. Ongoing high-profile breaches have led to larger-than-life share increases of numerous US companies, as well as the exponential growth of a “passive investment” fund that tracks cyber-security stocks.

ETF Ticker HACK

This month saw assets of the exchange-traded fund (ETF), HACK skyrocket past the $1 billion mark, just seven months after it was launched in November 2014. The company bundles 30 cyber security companies, trading as one on the stock exchange. In June alone, investments shot up by close to $300 million.

stock-investments

According to Andrew Chanin, CEO and co-founder of PureFunds who established HACK, people are investing in the ETF because they see the cyber security industry as “a long-term growth trend.”

He said that when they launched HACK last year, they knew it would be big, but the rate at which it has taken off has exceeded their greatest expectations. He said he believed this was largely due to the recent number of cyber attacks that have “really brought the issue to the front page.”

The world’s first cyber security ETF, HACK, provides people with the opportunity to use a “transparent vehicle” that enables them to invest in the surging industry. According to PureFunds, it aims to provide investors with results (prior to expenses and fees, which are known to be relatively expensive) that generally correspond to price and yield performances of the established ISE Cyber Security Index.

The ISE Cyber Security Index reflects the performance of companies operating in the growing cyber security industry and includes companies that provide services as well as hardware and software. Stocks are screened for liquidity, and then weighted according to accepted methodology. Investments cannot be made directly in an index.

Cyber Security Companies Increase In Value Beyond Worth

It is no secret that governments worldwide have committed to spending billions of dollars per year to prevent and fight cyber attacks. This is one of the reasons, say analysts, for the flood of venture capital funding into cyber security companies, as well as the crazy buying of shares. While they say there is no doubt that the cyber security boom is real, analysts warn that in many instances, it has propelled share prices to levels that are much higher than they are worth. And the question is whether they will be able to maintain these values.

The Wall Street Journal names several smaller US cyber security companies that, like HACK, have experienced exponential growth this year. These include next-generation firewall company, Palo Alto Networks Inc., which boasts shares that have already jumped 43 percent this year, and the plug-and-player server appliance company, Infoblox Inc. that has increased its share price by 35 percent. CyberArk Software Ltd, who focuses on privileged account security, has done even better, with its shares soaring by an incredible 66 percent.

holding-security

Both Palo Alto Networks Inc. and Infoblox Inc. were listed in HACK’s Top Ten Holdings yesterday (June 29, 2015). Their market value was shown as $48,116,968.90 and $47,622,944.07 respectively. Other top holdings include Intralinks Holdings Inc., Proofpoint Inc., Imperva Inc. and Fortinet Inc.

With analysts at Gartner having projected that $77 billion would be spent on cyber security during 2015, this spending spree may not be a surprise to everyone.

By Penny Swift

What Don’t You Know About Your Cloud?

What Don’t You Know About Your Cloud?

Looking Under The Hood

Do you feel you know your cloud workloads well? Remember when those applications were running locally? You knew every quirk and cared for every surge. Now, they are in the cloud, and everything is different. Sometimes it feels like you barely know them at all.

You’re right

In many ways it’s like the difference between owning a car – complete with maintenance, odd behaviors, and that sentimental mark on the dashboard – and taking public transportation. When is the cheapest time to ride the train? How much gas is in the airplane? Is that bus usually on time? Sure, you’re not out there maintaining a fleet and managing baggage, but you also have far less information about the transportation you’re using.

But, the bus company – and the cloud company – know a great deal more, of course. They must to run their businesses.

Just as it would be much easier to use the bus, plane or train if you had a better sense for when they are likely to run late, how they charge for tickets, and what accidents they have had lately, cloud users are impacted – both financially and operationally – by secret cloud metadata.

meta-data

Cloud metadata is information about your cloud workloads. This can run the gamut from performance data to billing information to compliance and security data. It’s information that is perpetually churned out of the cloud environment, but rarely reaches the cloud user.

Findings from a recent global study conducted by Forrester Consulting on behalf of iland showed that across the board, companies were suffering from a lack of data about their cloud, and that 100 percent of respondents felt financially or operationally impacted. Further, this may be driving negative sentiments about cloud providers, as many respondents agreed with statements like, “I am just another account – my cloud provider doesn’t know me or my company,” and, “If I were a bigger customer, my cloud providers would care more about my success.”

The survey wasn’t given to just any cloud user. Respondents hailed from around the globe, with one-third each in the United States, United Kingdom and Singapore. Most were IT executives, and all had recent direct engagement with their cloud providers.

In fact, these respondents, 70 percent of whom had been using cloud for over a year, were typically customers of multiple clouds. These folks are discerning buyers with great experience. Their experience was that compliance, transparency and support are critical cloud challenges.

Complying with Compliance

Compliance in cloud workloads, not unlike car ownership, is both about maintenance and routine audits. 72 percent (197 respondents) were bound by compliance requirements, and of those, 55 percent found it challenging to implement the controls needed to fulfill those requirements. That’s like not being able to perform an oil change on your own car.

About half had trouble getting documentation of the compliance status of their own workloads and/or the cloud provider’s platform. Without those documents, audits become onerous. Imagine needing to prove that you took eco-friendly transport for your trip to New York, but couldn’t get any data from your airline. It would make you more likely to drive your hybrid and skip the flight entirely.

Transparency Isn’t Clear

Transparency posed similar challenges. Lacking in performance, billing, security, and other data, companies found they had unexpected bills or line items (36 percent), resources paid for but not used (39 percent), reporting challenges (41 percent) and performance issues or outages (43 percent).

Clearly, the operator of the train knows how tickets are priced and can tell you where your reservations are. But if the end user cannot access the data or if that data is presented in a way that isn’t actionable or easily consumed, then the user is left with little upon which to base their operational decisions.

Many cloud vendors opt to provide access to unlimited reams of data, which, theoretically, could be imported into a tool and analyzed in detail – by which time, the window for rapid decision making would have past. The survey respondents seem to be moving forward with new cloud purchase decisions that prioritize transparency (39%), evaluating the native management tools of their provider for data, analytics and alerting.

Support Could Be More Supportive

test-drive

(Image Source: Shutterstock)

Finally, support was cited as a challenge, as it often is with reasonably new technologies. Each problem identified seemed to impact 1in 5 respondents – from issues with the expertise of the support personnel to disappointment with response times – rendering half of respondents unsatisfied with support, in general.

The fact that well over half of these global IT leaders said support was hindering cloud growth was particularly troubling. Typically, support isn’t needed for boring, repetitive tasks, like spinning up yet another web server or development VM. Support is engaged when new, innovative, challenging things are attempted. So, if cloud growth slows due to a weak partnership between provider and user, we can assume it will take a toll on cloud-based innovation. That is a tragic outcome.

Customers can test-drive support as much as they can test-drive a car. While no airline or bus company will give you a free ride to Tulsa to ascertain whether their service is tolerable, cloud vendors do typically offer test-drive or proof-of-concept periods. Customers can avail themselves of access to support and onboarding resources during that period and evaluate whether the manner, knowledge, and responsiveness meet their needs.

So where does this leave the cloud user? Often, trying to make the most of the flexibility of cloud infrastructure, but without the data to optimize costs and performance. Now that they know data is missing, cloud users can scrutinize cloud providers from the outset.

Since cloud vendors have the data, users should ask:

  • Can I speak with your compliance experts? Can you share the compliance documentation on your data centers?
  • What are your target support times? Can I test support as part of my proof-of-concept?
  • Where can I see detailed performance data on each workload? How long is that granular information available? Is similar billing data available?
  • What do the native management tools for this cloud look like – and how are they evolving to meet all these information needs?

Cloud providers have this information. It’s up to users to ask for it – or find a provider who freely shares it, knowing that it is the right thing for their users.

Lilac Schoenbeck picBy Lilac Schoenbeck, Vice President of Project Management / iland

How To Choose The Right Cloud Security Package For Your Business

How To Choose The Right Cloud Security Package For Your Business

How To Choose The Right Cloud Security Package

The questions you need to ask yourself when deciding on the right cloud security solution for a growing organisation

Not sure which cloud security package will be the best fit for your business? Check out our guide to choosing a service that’s going to meet your needs now and in the future.

What is cloud-based security?

security-cloud

Cloud based security provides businesses with an external security service that aims to protect the entire business from malicious attacks, hacking and viruses. Rather than a business installing and maintaining security software on each individual computer, security-as-a-service provides a blanket of protection for the entire business and protects its desktop computers, servers and mobile devices.

Cloud based security software may operate entirely independently from business hardware or it may run off a light-weight piece of software on companies’ computers that is auto updated with latest virus definitions.

Once installed, the service is kept up-to-date automatically by the cloud software provider, reducing the risk of a business running out-of-date security software with known vulnerabilities. Before setting up cloud security, you should complete a cloud risk assessment to identify your networks vulnerabilities.

Are you able to keep your computers secure?

Internet and computer security is becoming a major challenge for small businesses and the rapid growth of cloud adoption by major businesses is making the task more complex. Large corporations have the advantage of operating internal IT departments who can cover security as part of their business services, but smaller businesses rarely have the resources to keep all systems secure.

One of the biggest challenges for businesses is the when multiple devices, such as laptops, tablets, home PCs and mobile phones, are used to access business services over the internet. When choosing a cloud security package, you need to make sure that the service offers a level of protection that’s more than adequate for your needs.

Do you require endpoint security?

security-cloud-fog

Endpoint security protects a company’s central servers from intrusions and attacks from external devices. Cloud based security services essentially provide a third party firewall that sits between the company’s resources and the internet. These services protect documents, emails and servers from malicious software and data breaches.

Can your business survive a security breach?

A survey by the Ponemen Institute found that over 85% of businesses had experience a data breach event but fewer than 43% of companies had implemented a strategy to manage breaches. Even after experiencing a breach, 46% of companies failed to upgrade their business security, with a lack of encryption technology on portable devices being a major problem.

Data breaches can be extremely costly for businesses and if IT systems are lost completely a business may never recover. Many companies strive towards operating a paperless office and are totally reliant on computer servers to store company and customer data. A major breach can close a business down overnight, so important steps need to be taken to prevent this from happening.

Do you take payments over the internet?

If your business takes payment by credit or debit card it should ensure that payment systems are secure. The Payment Card Industry Data Security Standard (PCI DSS) has developed a standard for companies that handle take payments via the major credit cards. Although compliance with PCI DSS is not required by law, some government bodies will shield a business from liability in the event of a data breach if they meet the standards.

To achieve PCI DSS compliancy a company must pass penetration tests and demonstrate that they have a system of vulnerability management in place. Ideally, a business’s security should be level 1 compliant with PCI DSS; several cloud based security systems provide this level of protection.

Are your employees safe?

Almost half of all security breaches reported by Ponemen were caused by lost or stolen portable devices, such as laptops, mobiles and memory sticks. Business servers are only as secure as the weakest link and a stolen device can give a hacker direct access to all company data.

Data encryption and two-step authentication can greatly reduce security risks following portable device theft. For example, Panda Cloud Office Protection provides Device Control real time protection for all connected devices.

What can you afford?

Internet security is constantly evolving to combat ever more resourceful and determined hackers. Company data is a highly valuable commodity on the criminal market and hackers are developing more advanced systems to detect and circumvent software vulnerabilities. Cloud security services provide companies with a level of protection that is usually only available to large corporations, and are well worth the investment.

Now that Microsoft have fully launched Office 365, businesses accept that cloud networking is standard practice; few people really understand the risks of opening up their networks to so many providers.

That said, it’s important that you choose a cloud security software package that is going to be affordable for your business in the long-term. Most cloud security services are paid for via a monthly subscription fee, which spreads the cost of the package and eliminates hefty upfront costs – the key, though, is to ensure that you opt for a package that you’re going to be able to afford now and in the months and years to come.

By Gary Gould

The Future Of Cybersecurity

The Future Of Cybersecurity

The Future of Cybersecurity

In 2013, President Obama issued an Executive Order to protect critical infrastructure by establishing baseline security standards. One year later, the government announced the cybersecurity framework, a voluntary how-to guide to strengthen cybersecurity and meanwhile, the Senate Intelligence Committee voted to approve the Cybersecurity Information Sharing Act (CISA), moving it one step closer to a floor debate.

Most recently, President Obama unveiled his new Cybersecurity Legislative Proposal, which aims to promote better cybersecurity in information-sharing between the United States government and the private sector. As further support, The White House recently hosted a Summit on cybersecurity and consumer protection at Stanford University in Palo Alto on February 13, 2015 which convened key stakeholders from government, industry and academia to advance the discussion on how to protect consumers and companies from mounting network threats.

No doubt we have come a long way, but looking at the front-page headlines today reminds us that we’ve still got a long ways to go. If the future if going to be different and more secure than today, we have to do some things differently.

I recently participated on a panel titled “The Future of Cybersecurity” at the MetricStream GRC Summit 2015, where I was joined on stage by some of today’s leading thinkers and experts on cybersecurity; Dr. Peter Fonash, Chief Technology Officer Office of Cybersecurity and Communications, Department of Homeland Security; Alma R. Cole, Vice President of Cyber Security, Robbins Gioia; Charles Tango, SVP and CISO, Sterling National Bank; Randy Sloan, Managing Director, Citigroup; and moderator John Pescatore, Director of Emerging Security Trends, SANS Institute.

The purpose of this panel was to convene a diverse group of experts who believe in a common and shared goal – to help our customers, companies, governments and societies become more secure. This panel followed on the heels of a keynote address by Anne Neuberger, Chief Risk Officer of the NSA, who spoke about a simple challenge that we can all relate to: operations. Speaking on her experience at the NSA, Neuberger articulated that a lot of security problems can be traced back to the operations, and more precisely, this idea that ‘we know what to do, but we just weren’t doing it well’ or ‘we had the right data, but the data wasn’t in the right place.’

Moderator John Pescatore from SANS Institute did an exceptional job asking the questions that needed to be asked, and guiding a very enlightening discussion for the audience. For one hour on stage, we played our small part in advancing the discussion on cybersecurity, exploring the latest threats and challenges at hand, and sharing some of the strategies and solutions that can help us all become more secure.

Here are the five key takeaways that resonated most.

threat-cybersecurity

Topic 1: Threat information sharing tends to be a one-way street. There is an obvious desire from the government to get information from private industry, but a lot more needs to be done to make this a two-way street.

According to Dr. Peter Fonash, Chief Technology Officer at the Office of Cybersecurity and Communications at the Department of Homeland Security, the DHS is looking to play a more active role in threat information sharing. To that end, the DHS is actively collecting a significant amount of information, and even paying security companies for information, including the reputation information of IP addresses. However, some challenges faced when it comes to the government being able to participate in sharing that threat information is in getting that information as “unclassified as possible” and second, lots of lawyers involved in making sure that everything that is shared is done so in a legal manner. Dr. Fonash stressed that government faces another challenge; private industry thinking that government is in some way an advisory or industry competitor when it comes to threat information – this is simply not the case.

Topic 2: There are lots of new tools, the rise of automation, big data mining – but the real challenge is around talent.

Simply stated, our organizations need more skilled cybersecurity professionals than what the currently supply offers. For cybersecurity professionals, it is a great time to be working in this field – job security for life, but it is a bad time if you are charged with hiring for this role. Automation and big data mining tools can definitely help when they are optimized for your organization, with the right context and analysts who can review the results of those tools. According to Alma R. Cole, Vice President of Cyber Security at Robbins Gioia, in the absence of the skill-sets that that you aren’t able to find, look internally. Your enterprise architecture, business analysis, or process improvement leaders can directly contribute to the outcome of cybersecurity without themselves having a PHD in cybersecurity. While cybersecurity experts are needed, we can’t just rely on the experts. Cole makes the case that as part of the solution, organizations are building security operations centers outside of the larger city centers like New York and DC – where salaries aren’t as high, and there isn’t as much competition for these roles. Some organizations are also experimenting with virtual security operations centers, which provide employees with flexibility, the ability to work from anywhere, and improved quality of life, while also providing the organization with the talent they need.

Topic 3: We are living and doing business in a global economy – we sell and buy across the world and we compete and cooperate with enemies and business partners around the world. We are trying to make our supply chains more secure but we keep making more risky connections.

According to Charles Tango, SVP and CISO at Sterling National Bank, this might be a problem that gets worse before it gets better. We’ve seen a dramatic increase in outsourcing, and many organizations have come to realize that the weakest link in the chain is oftentimes their third party. At this moment in time, as an industry, banks are largely reactionary, and there’s a lot of layering of processes, people and tools to identify and manage different risks across the supply chain. The industry needs a new approach, wherein banks can start to tackle the problem together. According to Tango, we won’t be able to solve this challenge of managing our third and fourth parties on an individual bank-by-bank basis; we have to start to tackle this collaboratively as an industry.

Topic 4: No doubt, the future of applications is changing dramatically, and evolving everyday – just look at the space of mobile computing.

According to Randy Sloan, Managing Director at Citigroup, from a dev-ops automation perspective, if you are introducing well-understood components and automation such as pluggable security – you are way out in front, and you are going to be able to tighten things up to increase security. More challenging from an app-dev perspective is the rapidness – the rapid development and the agile lifecycles that you have to stay up with. The goal is always to deliver software faster and cheaper, but that does not always mean better. Sloan advocates for balance – investing the right time from an IS architecture, to putting the right security testing processes in place, and focusing on speed – slowing things down and doing things a more thoughtfully.

Topic 5: We’ve got dashboards, and threat data, and more sharing than ever before. But what we need now are more meaningful approaches to analytics that aren’t in the rear view mirror.

I believe over the next few years, organizations will be more analytics driven, leveraging artificial intelligence, automation, machine learning and heuristic-based mechanisms. Now the challenge is figuring out how to sustain it. This is the value of an ERM framework where you can bring together different technologies and tools to get information that can distilled and reported out. This is about managing and mitigating risk in real time, and intercepting threats and preventing them from happening rather than doing analysis after the fact.

We live in an increasingly hyper-connected, socially collaborative, mobile, global, cloudy world. These are exciting times, full of new opportunities and technologies that continue to push the boundaries and limits of our wildest imaginations. Our personal and professional lives are marked by very different technology interaction paradigms than just five years ago. Organizations and everyone within them need to focus on pursuing the opportunities that such disruption and change brings about, while also addressing the risk and security issues at hand. We must remember that the discussions, strategies, and actions of today are helping to define and shape the future of cybersecurity.

By Vidya Phalke, CTO, MetricStream

CloudTweaks Comics
Teach Yourself The Cloud: Cloud Computing Knowledge In 5 Easy Steps

Teach Yourself The Cloud: Cloud Computing Knowledge In 5 Easy Steps

Teach Yourself The Cloud Learn how to get to grips with cloud computing in business  Struggling to get your head around the Cloud? Here are five easy ways you can improve your cloud knowledge and perhaps even introduce cloud systems into your business.  Any new technology can appear daunting, and cloud computing is no exception.…

The Future of M2M Technology & Opportunities

The Future of M2M Technology & Opportunities

The Future Of The Emerging M2M Here at CloudTweaks, most of our coverage is centered around the growing number of exciting and interconnected emerging markets. Wearable, IoT, M2M, Mobile and Cloud computing to name a few. Over the past couple of weeks we’ve talked about Machine to Machine (M2M) such as the differences between IoT and…

Cloud Infographic – What Is The Internet of Things?

Cloud Infographic – What Is The Internet of Things?

What Is The Internet of Things? “We’re still in the first minutes of the first day of the Internet revolution.”  – Scott Cook The Internet of Things (IOT) and Smart Systems are based on the notions of Sensors, Connectivity, People and Processes. We are creating a new world to view and measure anything around us through…

Cloud Infographic – Interesting Big Data Facts

Cloud Infographic – Interesting Big Data Facts

Big Data Facts You Didn’t Know The term Big Data has been buzzing around tech circles for a few years now. Forrester has defined big data as “Technologies and techniques that make capturing value from data at an extreme scale economical.” The key word here is economical. If the costs of extracting, processing, and making use…

6 Tech Predictions To Have A Major Impact In 2016

6 Tech Predictions To Have A Major Impact In 2016

6 Tech Predictions To Have A Major Impact The technology industry moves at a relentless pace, making it both exhilarating and unforgiving. For those at the forefront of innovation it is an incredibly exciting place to be, but what trends are we likely to see coming to the fore in 2016? Below are six predictions…

Cloud Infographic – Cloud Computing And SMEs

Cloud Infographic – Cloud Computing And SMEs

Cloud Computing And SMEs SMEs (Small/Medium Sized Enterprises) make up the bulk of businesses today. Most cloud based applications created today are geared toward the SME market. Accounting, Storage, Backup services are just a few of them. According to the European Commission, cloud based technology could help 80% of organisations reduce costs by 10-20%. This infographic provided…

Cloud Infographic – The Future Of Big Data

Cloud Infographic – The Future Of Big Data

The Future Of Big Data Big Data is BIG business and will continue to be one of the more predominant areas of focus in the coming years from small startups to large scale corporations. We’ve already covered on CloudTweaks how Big Data can be utilized in a number of interesting ways from preventing world hunger to helping teams win…

Report: Enterprise Cloud Computing Moves Into Mature Growth Phase

Report: Enterprise Cloud Computing Moves Into Mature Growth Phase

Verizon Cloud Report Enterprises using the cloud, even for mission-critical projects, is no longer new or unusual. It’s now firmly established as a reliable workhorse for an organization and one that can deliver great value and drive transformation. That’s according to a new report from Verizon entitled “State of the Market: Enterprise Cloud 2016.” which…

5 Surprising Ways Cloud Computing Is Changing Education

5 Surprising Ways Cloud Computing Is Changing Education

Cloud Computing Education The benefits of cloud computing are being recognized in businesses and institutions across the board, with almost 90 percent of organizations currently using some kind of cloud-based application. The immediate benefits of cloud computing are obvious: cloud-based applications reduce infrastructure and IT costs, increase accessibility, enable collaboration, and allow organizations more flexibility…

Cloud Computing Services Perfect For Your Startup

Cloud Computing Services Perfect For Your Startup

Cloud Computing Services Chances are if you’re working for a startup or smaller company, you don’t have a robust IT department. You’d be lucky to even have a couple IT specialists. It’s not that smaller companies are ignoring the value and importance of IT, but with limited resources, they can’t afford to focus on anything…

The CloudTweaks Archive - Posted by
How To Overcome Data Insecurity In The Cloud

How To Overcome Data Insecurity In The Cloud

Data Insecurity In The Cloud Today’s escalating attacks, vulnerabilities, breaches, and losses have cut deeply across organizations and captured the attention of, regulators, investors and most importantly customers. In many cases such incidents have completely eroded customer trust in a company, its services and its employees. The challenge of ensuring data security is far more…

The Cancer Moonshot: Collaboration Is Key

The Cancer Moonshot: Collaboration Is Key

Cancer Moonshot In his final State of the Union address in January 2016, President Obama announced a new American “moonshot” effort: finding a cure for cancer. The term “moonshot” comes from one of America’s greatest achievements, the moon landing. If the scientific community can achieve that kind of feat, then surely it can rally around…

Four Recurring Revenue Imperatives

Four Recurring Revenue Imperatives

Revenue Imperatives “Follow the money” is always a good piece of advice, but in today’s recurring revenue-driven market, “follow the customer” may be more powerful. Two recurring revenue imperatives highlight the importance of responding to, and cherishing customer interactions. Technology and competitive advantage influence the final two. If you’re part of the movement towards recurring…

The Fully Aware, Hybrid-Cloud Approach

The Fully Aware, Hybrid-Cloud Approach

Hybrid-Cloud Approach For over 20 years, organizations have been attempting to secure their networks and protect their data. However, have any of their efforts really improved security? Today we hear journalists and industry experts talk about the erosion of the perimeter. Some say it’s squishy, others say it’s spongy, and yet another claims it crunchy.…

Three Tips To Simplify Governance, Risk and Compliance

Three Tips To Simplify Governance, Risk and Compliance

Governance, Risk and Compliance Businesses are under pressure to deliver against a backdrop of evolving regulations and security threats. In the face of such challenges they strive to perform better, be leaner, cut costs and be more efficient. Effective governance, risk and compliance (GRC) can help preserve the business’ corporate integrity and protect the brand,…

How Formal Verification Can Thwart Change-Induced Network Outages and Breaches

How Formal Verification Can Thwart Change-Induced Network Outages and Breaches

How Formal Verification Can Thwart  Breaches Formal verification is not a new concept. In a nutshell, the process uses sophisticated math to prove or disprove whether a system achieves its desired functional specifications. It is employed by organizations that build products that absolutely cannot fail. One of the reasons NASA rovers are still roaming Mars…

How The CFAA Ruling Affects Individuals And Password-Sharing

How The CFAA Ruling Affects Individuals And Password-Sharing

Individuals and Password-Sharing With the 1980s came the explosion of computing. In 1980, the Commodore ushered in the advent of home computing. Time magazine declared 1982 was “The Year of the Computer.” By 1983, there were an estimated 10 million personal computers in the United States alone. As soon as computers became popular, the federal government…

Using Cloud Technology In The Education Industry

Using Cloud Technology In The Education Industry

Education Tech and the Cloud Arguably one of society’s most important functions, teaching can still seem antiquated at times. Many schools still function similarly to how they did five or 10 years ago, which is surprising considering the amount of technical innovation we’ve seen in the past decade. Education is an industry ripe for innovation…

7 Common Cloud Security Missteps

7 Common Cloud Security Missteps

Cloud Security Missteps Cloud computing remains shrouded in mystery for the average American. The most common sentiment is, “It’s not secure.” Few realize how many cloud applications they access every day: Facebook, Gmail, Uber, Evernote, Venmo, and the list goes on and on… People flock to cloud services for convenient solutions to everyday tasks. They…