More companies are exploring cloud options, while struggling to find the balance between risk tolerance and evolving security models. The issue is compounded because many organizations don’t know their own security baselines for services and systems, key information to have before you adopt cloud resources or work with service providers.
The growing complexity of security in these environments has many CIOs and CISOs working to update their policy and controls, particularly with cloud resources, which may offer less visibility. The best strategies usually involve cloud-native or cloud-first security tools, according to David Strom, who reports on five strategies that CIOs use to improve hybrid cloud security in the September 2015 issue of Information Security magazine.
Collaboration and communication with other parts of the organization and end users take on even more importance as enterprises rely on hybrid environments that involve a mix of cloud computing and services. “If a user has a credit card, they can deploy apps anywhere and on any cloud,” Richard Seroter, CenturyLink’s vice president of product, tells Strom. “Instead of swooping down at the end of a project with all sorts of restrictions, learn how to collaborate with operations and users upfront.”
Many business users and developers are also excited about possibilities afforded by virtual containers such as Docker. Security professionals need to stay ahead of these emerging trends because they present unique (read: scary) security challenges. “Containers can live 10 seconds or 10 days,” Seroter says. “And you have to know how to assess that attack surface because it is a very different animal.”
Complexity is an understatement when it comes to information security at companies involved in mergers and acquisitions. Increasingly, security teams are dealing with the uncertainty and risks associated with protecting IP and other assets in shifting environments. Alan Earls reports on application security strategies before, during and after the M&A process, as more CISOs are brought in before deals take place to assess information security and liability issues.
Figuring out how to better protect sensitive assets is probably easier than cleaning up the mess after a major failure. So many things went wrong before the government data breaches at the United States Office of Personnel Management (OPM) that it’s hard to know where to start. Adam Rice, whose friends’, family’s and personal data may have been compromised, looks at the lack of accountability and information security leadership at executive levels and why security professionals face an uphill climb in some government agencies.
Freelance journalist Steve Zurier spoke with Jeff Wagner, the director of IT security operations at OPM, about endpoint security this spring. That was before the news of the massive breaches broke publicly in June, a few days after Zurier’s original article was published. (That’s the kind of thing that keeps editors awake at night.)
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.