Developers, the Cloud and Security Concerns

Thought Provoking Survey

So I got to thinking about security and how this relates to developers in particular. This was prompted by a recent read of the findings reported in a survey, “2014: The Year of Encryption”, conducted by Egress Software Technologies, of delegates at Europe’s largest information security event, Infosecurity Europe 2014. And you know, the first and almost overwhelming thought that struck me was how important security should be for these folk. Why? Because by the very nature of their work the information they will be storing, sharing or exchanging will be proprietary and possibly groundbreaking. Developers bring new products to market in a very competitive world where keeping one’s secrets secret until the very last moment before publishing can mean the difference to your market lead and thus your ultimate success.

Market survey 2014: The Year of Encryption

Obvious Risk But…

An obvious observation, you would think, but then you read that “only 17% of those surveyed said their existing secure information sharing system was easy to use” and, even more worryingly, “100% of those not interested in security systems admitted to regularly sharing sensitive/confidential data with external third parties”. I wonder if these figures stack up when applied to developers as a community? I have no research data to refer to here, but relying on my twenty-plus years’ experience of working in the IT security arena I would not be surprised if they did.

The Basics

As with most things in this life you can distil security down to the core basic requirements and thereby be sure you are concentrating your effort to find the correct solution for your given situation. When it comes to shared information for the development community my take on it would be something like this:

  • Transfers between team member and the rest of the team
  • Latest version source code
  • Transfers between testing team and development
  • Stored latest beta code

Your view would obviously be different depending on your circumstances, but hopefully you get the idea I’m driving at.

Follow the Data Security

The crucial thing here is the release of information to specific people or groups of people with confidence that only those people and groups can access that information. Additionally, you would want to know that these various end points of distribution could not compromise the security by passing on this information in an insecure way to unauthorised people or groups. In other words, you would want the security “envelope” to be wrapped around the data and travel with it throughout its lifetime. By adopting this “follow the data” model, where the secure envelope travels with the data throughout its lifetime, we have further distilled the core element to one of access control to each data package.

Sounds Complicated

This is all very good stuff but it’s beginning to sound terribly complicated I hear you say. Well that is dependent on the underlying security architecture. It is imperative that the security you adopt is simple and fast to use with maybe no more than one or two extra clicks of the mouse. The focus is sharper still and the distilled core now looks more like this:

  • Follow the Data Security
  • Ease of use

We’re not going to be able to get much sharper than this, so the next step is to review our understanding of the gains to be made by adopting this approach and then to ask can such a system be easily integrated with our legacy systems since cost will also be an issue when asking management for the go ahead.

The Gains that You Win

The gains that you win when adopting a system of follow the data security can best be expressed by a few examples:

We can all imagine the situation where we pass sensitive information to an authorised member of the team who then, without thinking, forwards this to a third party for legitimate reasons connected with their job function, or who deliberately passes on the data to compromise the project. In both cases the data owner will be requested to grant access to this new person.

Or how about the authorised member of the team that has access to the data but subsequently leaves the team. Should they continue to have that access right? With the follow the data security model you can revoke that person’s access rights in real time.

Follow the data security can be used to control access to that data by event, time or date, for instance. Couple that with a person’s access rights and you have an amazing level of control over the release of, or access to, your shared data.

Follow the data security is there independently of the transport mechanism or for that matter the storage medium.

Follow the data security by its very nature provides an audit trail of who did what to the data, where and when. Unauthorised attempts to access it are also recorded, along with where and when they were made.

You can begin to see how flexible this type of system can be, but is it possible and can it be integrated into the way we work and our current architecture?

Describing the Model

For follow the data security to work, and work every time, it requires that the data owner/creator defines the security to be applied. This covers such factors as who will be granted access, when access is to be granted, and whether there are any time constraints regarding when and for how long.
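A minimal sketch of the owner-defined policy described above, added here as an illustration and not taken from Egress Switch or any CESG-certified product: the `Package` class, its field names and the example.test addresses are hypothetical. It assumes every open attempt is checked against a policy service that applies the recipient list, the time window and revocations, and records each decision.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Package:
    """Owner-defined policy for one data package (hypothetical structure)."""
    owner: str
    recipients: set                              # email addresses granted access
    not_before: datetime                         # start of the access window
    not_after: datetime                          # end of the access window
    revoked: set = field(default_factory=set)
    pending: set = field(default_factory=set)    # requests awaiting the owner
    audit: list = field(default_factory=list)    # (when, who, allowed, reason)

    def request_open(self, who: str, when: datetime) -> bool:
        """Decide one open attempt and record it, whether allowed or not."""
        who = who.strip().lower()
        if who in self.revoked:
            allowed, reason = False, "revoked"
        elif who not in self.recipients:
            # A forwarded copy: the new reader needs the owner's approval.
            self.pending.add(who)
            allowed, reason = False, "owner approval required"
        elif not (self.not_before <= when <= self.not_after):
            allowed, reason = False, "outside time window"
        else:
            allowed, reason = True, "ok"
        self.audit.append((when, who, allowed, reason))
        return allowed

    def approve(self, who: str) -> None:
        self.pending.discard(who)
        self.recipients.add(who)

    def revoke(self, who: str) -> None:
        self.recipients.discard(who)
        self.revoked.add(who)

def demo():
    """Constructed scenario: forward, owner approval, revocation, expiry."""
    utc = timezone.utc
    pkg = Package("owner@example.test", {"dev@example.test"},
                  datetime(2014, 6, 1, tzinfo=utc), datetime(2014, 6, 30, tzinfo=utc))
    t = datetime(2014, 6, 10, tzinfo=utc)
    results = [pkg.request_open("dev@example.test", t),
               pkg.request_open("third@example.test", t)]
    pkg.approve("third@example.test")
    results.append(pkg.request_open("third@example.test", t))
    pkg.revoke("dev@example.test")                 # team member has left
    results.append(pkg.request_open("dev@example.test", t))
    results.append(pkg.request_open("third@example.test", datetime(2014, 7, 1, tzinfo=utc)))
    return results, pkg
```

Calling `demo()` returns the five decisions together with the package, whose `audit` list holds one entry per attempt, denied ones included.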

It’s a given that the underlying tool being used to envelop and secure the data will be encryption. I don’t intend to discuss encryption in any depth here, but suffice to say that it must be robust encryption that has been securely implemented and independently certified as fit for purpose. There are few better places to get approval from than the UK Government’s Certified Product Assurance (CPA) programme led by CESG. Adopting a product whose encryption module has been approved through this scheme gives the user the comfort that the product “does what it says on the tin”.

There is absolutely no reason why this type of system could not be inserted into most existing work processes with minimum fuss. When you send email, use file transfer protocols or copy to removable media, a rule-based system could kick in and automatically add the encryption layer and ask for the recipients list. Linking the public/private key encryption to the individual’s email address guarantees that this unique entity would be the authorised recipient. In this way there is no need for the user to be concerned about key pairs etc. The whole complicated issue of encryption is hidden from the user experience and as a consequence it makes for extreme ease of use.

Securing the Cloud

Hopefully you will see how adopting follow the data security has the effect of securing the Cloud. It adds further security by the fact that each data package could have its own unique key pair, still associated with the sender’s and receiver’s email addresses but different for each exchange made. How does this improve security? It means that should one exchange be compromised, it does not affect any previous or subsequent exchange. Each exchange has to be broken or compromised independently.

Follow the data security is the way forward! If you want further information about products certified by CESG visit Cesg.gov.uk and for information about Egress Switch large file transfer and file encryption software visit: Egress.com

By Paul Simms
