Whilst the personal and commercial benefits of the connected world cannot be denied, it is foolish to turn a blind eye to the dangers to which the online world has exposed everyone. Tasked with protecting individuals’ privacy, the Privacy Rights Clearinghouse recorded 579 breaches in the US alone that affected over 54.79 million records. What is surprising, though, is that many of these breaches occurred from within privately held and operated.
Storageasean recently interviewed Vic Mankotia, Vice President, Solution Strategy, Asia Pacific & Japan at CA Technologies to share his view on data security and cloud computing. In this capacity, he is responsible for growing the CA Technologies Security, IT Business Management and Mobility portfolios in the Asia Pacific and Japan markets. Prior to this role, Vic was vice president for Security for Asia Pacific & Japan. Vic is a veteran in the software industry with more than 17 years of experience.
Storageasean: How safe is putting data in the cloud?
Vic Mankotia: So cloud computing has been changing the way technology is being used and consumed, from individuals like us simply wanting to back up our personal data and synchronize it between devices (e.g. iCloud, Dropbox, Google Drive, etc.) to Enterprises who want shorter time to value by consuming enterprise cloud services such as some CRM and HR Management services, for example. However to ensure Identity, Access, Advanced Authentication and are eco-systems that manage the way we share data is important. All information was not created for everyone, or equal, hence to ensure only the Right People get the Right Access to the Right Information and On the Right Device, is vital. Information across borders now needs regulation for data that is sovereign. Many users and corporations may not understand these but this is critical as the cloud does not have borders, unless specified by the SaaS providers.
Data shared and stored in the cloud can have the potential to be relatively safe, but a lot of that really depends on the cloud provider you are signing up with. For example, premium cloud service providers such as Google and Amazon have invested millions of dollars in data security and have a huge team of support personnel to ensure their customer data is secure. One likely issue is that some Enterprises don’t do enough due diligence in their cloud vendor evaluation, leading to a lot of headaches later on, as not all cloud vendors provide the same level of data security and privacy in their offerings. Another useful thing to look out for is industry certifications and compliance such as SSAE 16, US/EU Safe Harbor, FISMA and ISO 27001, which usually indicate how serious a view a cloud vendor takes on data security and privacy.
The HIMSS Cloud Security Workgroup provides a good checklist that enterprises can use to measure these critical elements. Although not all-encompassing, this checklist should provide enterprises with a good starting point on cloud data security and privacy.
Storageasean: Are cloud solutions today sufficiently protected against hacking?
Vic Mankotia: Most reputable and premium cloud service vendors provide sufficient security controls to guard against hacking and data breach attempts. Once again, who you choose as your cloud vendor makes a big difference in terms of the security controls that are deployed. For example, premium cloud service vendors usually maintain a specialized penetration-testing team who do nothing but find ways to hack into their systems regularly in order to identify weak spots and vulnerabilities, on top of the traditional security controls such as firewalls, encryption, integrity monitoring and user-based authentication. Others may have a dedicated Security Operations Center that monitors anomalies and responds to incidents round the clock to protect your data. In short, the technology and processes to sufficiently protect the data do exist, but which cloud vendor is deploying them and how they are deployed makes a critical difference.
Storageasean: What security measures will be critical in 2014?
Vic Mankotia: With the recent publicity surrounding some security agency’s attempts to snoop around cloud data and gather intelligence, we suspect encryption and data obfuscation technologies will be pretty widely adopted and deployed to secure cloud-based data, if they are not already widely used today. Strong authentication and Privileged User Management will also become core critical as it has been shown time and again that passwords are simply not secure enough. There also needs to be a way to manage privileged users such as administrators and super-users to limit not only insiders who are up to no good but also protect against what a privileged user account can do in the event it is compromised or hijacked. This is important in a cloud-based scenario as cloud vendors not only need to protect their own data against attacks but also their customers’.
Storageasean: Do you see Asia as getting ahead or behind data security in 2014?
Vic Mankotia: We think that Asia is still slightly lagging behind geographies like North America and Europe in terms of acceptance and maturity but is fast gaining pace. Part of this drive is that as more Asian enterprises embrace cloud-based computing and mobility, they will start to face a heightened urgency to look at data security and privacy. We are also seeing data privacy acts enacted by several governments across Asia, such as Singapore and Hong Kong, which shows Asia is serious about protecting Personally Identifiable Information. As more Asian enterprises become more open, connecting not only to their customers but also to their business partners, suppliers and outsourcers, the amount of confidential data that goes in and out of this ecosystem increases. This in turn drives the need to put in place robust data security controls and processes to protect against data breaches and data leaks, whether accidental or intentional. However, identity is the new perimeter, so to protect Identity will enable protecting data.