Just a few short years ago, cloud seemed like a far-away thought for businesses, a "nice to have" rather than a "need to have." Now, cloud is becoming the new normal. Organizations of all sizes are seeing the benefits of cloud. However, as businesses move to the cloud, they must do so safely, and with a well thought-out plan in place. To achieve a safe cloud environment, the IT industry needs to enforce rigorous cloud strategies around the protection of policy, information, people and infrastructures. This includes implementing security metrics.
According to the Symantec 2013 Hidden Costs of Cloud survey, rogue cloud deployments are one of the pitfalls of the cloud. It is a surprisingly common problem, found in more than 77 percent of businesses within the last year. It also seems to be an issue experienced more by enterprises (83 percent) than SMBs (70 percent).
Among organizations who reported rogue cloud issues, 40 percent experienced the exposure of confidential information, and more than a quarter faced account takeover issues, defacement of Web properties, or stolen goods or services. And yet the most commonly cited reasons for rogue cloud projects were to save time and money.
This is where implementing security metrics in the organization relating to cloud can help measure, analyze and manage risk. In addition to managing data, customers and business requirements, an organization now needs to keep an eye on its cloud vendors' security. The organization needs to know all the layers of security and exactly which assets it owns in the cloud, and what is accessed both locally and remotely.
So what can cloud security metrics provide?
- Cloud metrics provide visibility for the company, both into the cloud provider and into itself.
- Cloud metrics educate and provide a common language for understanding the information security program as applicable to the cloud vendor and to the company.
- Cloud metrics motivate both the cloud provider and the company to improve.
From a security metrics point of view, while cloud computing may be the new normal, with shared responsibilities as the new cloud security model, some things haven't changed.
- Both an organization and its vendor will measure security. Organizations need to define who is doing what.
- Both an organization and its vendor will manage functional components of an information security program.
- Security work is never finished. Cloud computing should motivate both an organization and its cloud vendor to assess the threat landscape and what new or different security threats exist in the cloud.
- In order to correctly assess responsibility, three service models for cloud computing (SaaS, PaaS, IaaS) can be viewed as a stack, with platform building on infrastructure and software building on both infrastructure and platform.
The need for security metrics in the cloud is not much different from the need for security metrics in general. Everyone in the cloud, vendor and purchaser alike, will need to measure the effectiveness of security controls and show their accountability to each other and to regulatory bodies. In the past, there was little benefit for companies to share security metrics as there were risks in doing so. With cloud computing and a world of shared accountabilities across virtual, physical and geographic boundaries, we need to find ways to share information between vendor and tenant across the industry in responsible ways. This implies we need to remove some of the roadblocks to success and work on areas such as common definitions for terms, common metrics deployed in a consistent manner, and a consistent reporting framework. Industry bodies such as the Cloud Security Alliance, of which Symantec is a member, are helping to achieve these goals, and many security practitioners are volunteering their time and talent.
In addition, solutions to protect cloud data keep getting stronger. Symantec O3 enables its partners and customers to embrace the business agility and cost advantages of the cloud. O3 offers a single point of identity and access control, and related policies, for cloud apps for all endpoints. O3 is also easily integrated with existing identity stores and various cloud app authentication, and provides a simple cloud single sign-on for users.
For information security practitioners, an important first step is to establish a baseline that is appropriate for the business to determine what is the new normal for security in cloud computing. Businesses will need to make decisions based on concrete data, and a comprehensive security metrics program can support important planning and decision making, and drive beneficial changes in an organization.
Tags: cloud computing, security management, security metrics, Symantec O3

Source: http://www.indefenseofdata.com/2013/02/the-new-normal-security-metrics-and-cloud-computing/