Key Management in the Cloud

In my previous cloud security blogs, I mentioned the need to use key-based encryption for protecting data. Whether the data is in flight (i.e., being transmitted) or at rest (i.e., stored), it must be encrypted to ensure confidentiality, integrity and availability. Managing encryption keys can be challenging. There are different key types (symmetric vs. asymmetric), key strengths (128-bit through 2048-bit and greater), key usage (privacy, key exchange, authentication and digital signature) and key encryption algorithms (AES, 3DES, SHA-1, SHA-2, MD5, etc.). Furthermore, each data endpoint, like storage or server, requires an integration point that also needs to be managed. For example, for storage we need an encryption integration point for each storage medium (disk, SAN, NAS or tape).

Logfile Management’s Important Role in Cloud Security

How do you know if your cloud security controls are adequate? How would you know if you have a security breach in progress right now? You may have diligently planned and implemented strict security policies and mechanisms to prevent an intruder from accessing your servers and data in your cloud environment — but how can you be sure that these are sufficient, and that no security breach has occurred?

Network Perimeter: Who Goes There?

Remember as a kid (or perhaps now as a parent) your mom would tell you, “When you go to Johnny’s house to play, go straight to his home, don’t stop anywhere in between, don’t take short cuts, and call me when you get there”? Your mom was managing what path to travel and other details to ensure safe arrival.

Securing Cloud Data

Information security in any public cloud can meet contractual commitments and still allow your data to escape into the wild. This discontinuity is the subject of articles across the web, including documented cases of secure infrastructure plus lax policies equaling a data breach. Cloud providers for storage, services, application, infrastructure, etc. provide services and pricing that many executives and end users find enticing. The per-click, per-gig or per-transaction-only fees get our attention. The built-in redundancy, access from anywhere and ownership-eliminating possibilities cause us to think, how can this be a bad thing? Finally, the rigorous security compliance standards that some cloud service providers meet allow us to think, this will be OK. And it can all go very bad with one click.

Can the Cloud Ever Be Secure?

With all of the recent news about IT security breaches and data theft, you may question why anyone would put anything in the cloud. The impact of these security breaches can be quite overwhelming: up to 80 million of Anthem’s customers had their personal information stolen; up to 60 million credit card numbers were stolen from Home Depot; 76 million households and 7 million small business customers of JP Morgan Chase had their contact information stolen; and Target estimates its data breach costs $162 million. All of these were the result of IT security breaches. So is it really safe to put your IT computing out in the cloud?
