
Developers, the Cloud and Security Concerns

Thought Provoking Survey

So I got to thinking about security and how it relates to developers in particular. This was prompted by a recent read of the findings of a survey, “2014: The Year of Encryption”, conducted by Egress Software Technologies among delegates at Europe’s largest information security event, Infosecurity Europe 2014. And the first and almost overwhelming thought that struck me was how important security should be for these folk. Why? Because by the very nature of their work, the information they store, share or exchange will be proprietary and possibly ground-breaking. Developers bring new products to market in a very competitive world, where keeping one’s secrets secret until the very last moment before publishing can make the difference to your market lead and thus to your ultimate success.


Market survey 2014: The Year of Encryption

Obvious Risk But…

An obvious observation, you would think, but then you read that “only 17% of those surveyed said their existing secure information sharing system was easy to use” and, even more worryingly, “100% of those not interested in security systems admitted to regularly sharing sensitive/confidential data with external third parties”. I wonder whether these figures stack up when applied to developers as a community. I have no research data to refer to here, but relying on my twenty-plus years of experience working in the IT security arena, I would not be surprised if they did.

The Basics

As with most things in this life, you can distil security down to its core basic requirements and thereby be sure you are concentrating your effort on finding the correct solution for your given situation. When it comes to shared information for the development community, my take would be something like this:

  • Transfers between team member and the rest of the team
  • Latest version source code
  • Transfers between testing team and development
  • Stored latest beta code

Your view will obviously differ depending on your circumstances, but hopefully you get the idea I’m driving at.

Follow the Data Security

The crucial thing here is the release of information to specific people or groups of people with confidence that only those people and groups can access that information. Additionally, you would want to know that these various end points of distribution could not compromise the security by passing on the information in an insecure way to unauthorised people or groups. In other words, you would want the security “envelope” to be wrapped around the data and to travel with it throughout its lifetime. By adopting this “follow the data” model, where the secure envelope travels with the data throughout its lifetime, we have further distilled the core element to one of access control for each data package.

Sounds Complicated

This is all very good stuff, but it’s beginning to sound terribly complicated, I hear you say. Well, that depends on the underlying security architecture. It is imperative that the security you adopt is simple and fast to use, with maybe no more than one or two extra clicks of the mouse. The focus is sharper still, and the distilled core now looks more like this:

  • Follow the Data Security
  • Ease of use

We’re not going to get much sharper than this, so the next step is to review our understanding of the gains to be made by adopting this approach, and then to ask whether such a system can be easily integrated with our legacy systems, since cost will also be an issue when asking management for the go-ahead.

The Gains that You Win

The gains you win by adopting a system of follow the data security can best be expressed by a few examples:

We can all imagine the situation where we pass sensitive information to an authorised member of the team who then forwards it to a third party, either without thinking, for legitimate reasons connected with their job function, or deliberately, to compromise the project. In both cases the data owner will be asked to grant access to this new person.

Or how about the authorised member of the team who has access to the data but subsequently leaves the team? Should they continue to have that access right? With the follow the data security model you can revoke that person’s access rights in real time.

Follow the data security can also be used to control access to the data by event, time or date. Couple that with a person’s access rights and you have an amazing level of control over the release of, or access to, your shared data.

Follow the data security is there independently of the transport mechanism or, for that matter, the storage medium.

Follow the data security by its very nature provides an audit trail of who did what to the data, where and when; unauthorised attempts to access it, and where and when they were made, are recorded as well.

You can begin to see how flexible this type of system can be, but is it possible, and can it be integrated into the way we work and our current architecture?

Describing the Model

For follow the data security to work, and work every time, it requires that the data owner or creator defines the security to be applied: such factors as who will be granted access, when access is to be granted, and whether there are any time constraints on when and for how long.

It’s a given that the underlying tool used to envelop and secure the data will be encryption. I don’t intend to discuss encryption in any depth here, but suffice to say that it must be robust encryption that has been securely implemented and independently certified as fit for purpose. There are few better places to get approval from than the UK Government’s Certified Product Assurance (CPA) programme led by CESG. Adopting a product whose encryption module has been approved through this scheme gives the user the comfort that the product “does what it says on the tin”.


There is absolutely no reason why this type of system could not be inserted into most existing work processes with minimum fuss. When you send email, use file transfer protocols or copy to removable media, a rule-based system could kick in, automatically add the encryption layer and ask for the recipients list. By linking the public/private key encryption to the individual’s email address, it guarantees that this unique entity is the authorised recipient. In this way there is no need for the user to be concerned about key pairs and the like. The whole complicated issue of encryption is hidden from the user experience and, as a consequence, it makes for extreme ease of use.

Securing the Cloud

Hopefully you will see how adopting follow the data security has the effect of securing the Cloud. It adds further security in that each data package could have its own unique key pair, still associated with the sender’s and receiver’s email addresses but different for each exchange made. How does this improve security? It means that should one exchange be compromised, it does not affect any previous or subsequent exchange. Each exchange has to be broken or compromised independently.
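To make the model described above concrete (owner-defined recipients and time window, real-time revocation, a per-package audit trail, and a fresh key for every exchange), here is an added Python sketch; it is my own illustration, not Egress Switch code or the author’s. It assumes the email address is the recipient identity and uses an HMAC-based keystream as a stand-in for the certified cipher module the page calls for.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta, timezone

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (demo only): HMAC-SHA256 in counter mode used as a keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Package:
    """One data package: its own key, its own access policy, its own audit trail."""
    def __init__(self, plaintext: bytes, recipients, not_before, not_after):
        self.key = os.urandom(32)                          # fresh key for every exchange
        self.ciphertext = keystream_xor(self.key, plaintext)
        self.recipients = {r.lower() for r in recipients}  # identity is the email address
        self.not_before, self.not_after = not_before, not_after
        self.audit = []                                    # (who, when, decision, reason)

    def revoke(self, email: str, now: datetime) -> None:
        # Owner withdraws a recipient's right in real time (e.g. they left the team).
        self.recipients.discard(email.lower())
        self.audit.append((email.lower(), now, "revoked", "owner action"))

    def open(self, email: str, now: datetime):
        # Release the plaintext only if the policy allows; every attempt is logged.
        who = email.lower()
        if who not in self.recipients:
            reason = "not an authorised recipient"
        elif not (self.not_before <= now <= self.not_after):
            reason = "outside permitted time window"
        else:
            self.audit.append((who, now, "granted", "policy satisfied"))
            return keystream_xor(self.key, self.ciphertext)
        self.audit.append((who, now, "denied", reason))
        return None

def demo() -> dict:
    # Walk the page's scenarios on constructed data: authorised access, forwarding
    # to a third party, access after the window, a leaver, and a second exchange.
    t0 = datetime(2014, 6, 1, 9, 0, tzinfo=timezone.utc)
    pkg = Package(b"beta build v0.9 notes", ["dev@example.com"], t0, t0 + timedelta(days=7))
    r = {"authorised": pkg.open("dev@example.com", t0 + timedelta(hours=1)),
         "third_party": pkg.open("partner@example.org", t0 + timedelta(hours=2)),
         "after_window": pkg.open("dev@example.com", t0 + timedelta(days=8))}
    pkg.revoke("dev@example.com", t0 + timedelta(days=2))
    r["after_revocation"] = pkg.open("dev@example.com", t0 + timedelta(days=3))
    other = Package(b"same notes, next exchange", ["dev@example.com"], t0, t0 + timedelta(days=7))
    r.update(keys_differ=(pkg.key != other.key), audit=list(pkg.audit))  # one key per exchange
    return r
```

Note that the forwarded third party is refused until the data owner adds them, and the leaver's access stops at the moment of revocation, with both decisions preserved in the audit trail.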

Follow the data security is the way forward! If you want further information about products certified by CESG, visit Cesg.gov.uk, and for information about Egress Switch large file transfer and file encryption software, visit Egress.com.

By Paul Simms
