Channel Partners

FAL 2015

For 25 years, Channel Partners has been a resource for indirect sales channels, such as agents, VARs and dealers, that provide network-based communications and computing services, associated CPE and applications, and managed and professional services.


do a good enough job and a breach occurs. Don't expect an iron-clad guarantee of data security — or even that every provider will follow data-focused best practices mandated by regulatory agencies. For example, very few cloud services encrypt by default because of the litany of decisions, including where keys and passwords are stored, who has access to the keys (and thus the data), whether data is encrypted in transmission and how any given application can access the encrypted data. Properly managing encryption is complex, but it's critical. Just ask former Office of Personnel Management chief Katherine Archuleta, who was grilled by Congress in July as to why data on 4 million government employees was stored in the clear.

In many cases, a lack of transparency into what data security measures a CSP will and won't provide makes it difficult for customers to understand what liability they're taking on when moving to the cloud. My advice is simple: Assume you or your end customer shoulders all data-related liability and risk. For customers heavily invested in the cloud, recommend cyberrisk insurance as well as yearly assessments to ensure the environment is still as secure as when you set it up.

I had a case where a client used a cloud provider that leveraged Amazon's S3 storage service to provide the SaaS offering that the client purchased. The SaaS provider decided to move from S3 to a cloud storage provider (which shall remain nameless) without telling my customer. All the security reviews and assumptions we had made were now incorrect. The customer's security changed dramatically with this unforeseen change and, without a yearly review, they wouldn't have realized they now needed to encrypt their data, whereas before they did not.

Remember: The security of any data is ultimately the responsibility of the organization that collects it, regardless of who's hosting or providing network connectivity.
This separation of responsibility is a very important and often misunderstood facet of cloud security. A cloud provider may, and likely will, do a better job protecting data than an SMB could. But it does not assume responsibility in case of a breach. A visual to help understand this transfer of risk is below. As you move customers from on-premises IT to a completely outsourced and managed infrastructure, the amount of responsibility the end organization owns is reduced and shared but never eliminated. As a partner, you always have some role in implementing security for customers.

PULL SHADOW IT INTO THE LIGHT

Speaking of risk, the biggest one is obliviousness. When executives or employees "go rogue" and use services without the business knowing, a data breach is only a corporate credit card and SaaS provider away. A client I worked with just two months ago ran a report on its Web filter for domains associated with cloud services. It had Dropbox and OneDrive in use by various employees — even though there was a corporationwide agreement for everyone to get an approved Box document sharing account.

All of the security benefits we've discussed so far are applicable to consumer cloud services, but it doesn't matter how well Dropbox hardens its network if end users don't use encryption or strong passwords on their devices. One stolen tablet with easy access to a Dropbox account containing customer data could undo all your due diligence.

Now, we all hate passwords. They're insecure, difficult to remember and usually shared among applications. To supplement passwords, two-factor authentication systems generate a second form of identity verification, such as an SMS text sent to a phone or a random number displayed in a mobile app. When end users log in and request access to certain data or cloud services, the 2FA provider validates the password and then asks for the additional text or numbers to validate the account further. It's very effective at mitigating the No. 1 security risk for end users: phishing attacks that reel in valid user name and password combos. If the cloud service leverages two-factor authentication, the attacker won't be able to get access to data even if the user did provide valid credentials. This technology is beginning to go mainstream — Google has adopted it for all of its cloud services, and Amazon and Azure allow for a 2FA requirement for access to their portals, though

SECURITY BEYOND THE CLOUD

Cloud security isn't just about the cloud. It's also about mobile phones, laptops and tablets, which are usually the portal into the cloud environment as well as repositories of sensitive data. We recommend providing endpoint security and encryption for customers as part of your overall cloud security strategy.

Other security items to be aware of when securing the cloud:

➊ Mobile device encryption
➋ Enabling SSL for all cloud services
➌ Security training to prevent phishing
➍ Two-factor authentication for access to all sensitive or regulated data
➎ Implementing least-privilege access
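
The Web filter report described in the shadow IT section above could be produced along these lines. This is an added example, not part of the original article: the log layout, the domain-to-service mapping and the user names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Illustrative mapping of domain suffixes to services; extend it for real use.
CLOUD_STORAGE = {
    "dropbox.com": "Dropbox",
    "onedrive.live.com": "OneDrive",
    "1drv.ms": "OneDrive",
    "box.com": "Box",
}
SANCTIONED = {"Box"}  # the approved document sharing service in the article

# Constructed sample in an assumed "timestamp user host bytes_out" layout.
SAMPLE_LOG = """\
2015-09-01T09:14:02Z alice www.dropbox.com 48211
2015-09-01T09:15:40Z bob app.box.com 1022
2015-09-01T09:17:05Z carol onedrive.live.com 73400
2015-09-01T09:20:11Z alice WWW.DROPBOX.COM. 5120
2015-09-01T09:21:30Z dave notdropbox.com 900
2015-09-01T09:22:00Z erin dropbox.com.files.example 900
malformed line
"""


def classify(host):
    """Return the service name for a host, matching whole DNS labels only."""
    host = host.lower().rstrip(".")
    for suffix, service in CLOUD_STORAGE.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def shadow_it_report(log_text):
    """Map each unsanctioned service to {user: total bytes sent}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip lines that do not fit the assumed layout
        _, user, host, sent = fields
        service = classify(host)
        if service and service not in SANCTIONED:
            report[service][user] += int(sent)
    return {svc: dict(users) for svc, users in report.items()}


if __name__ == "__main__":
    print(shadow_it_report(SAMPLE_LOG))
```

Matching on whole DNS labels keeps look-alike hosts such as `notdropbox.com` out of the report, and traffic to the sanctioned service is left out so the output lists only users who need follow-up.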
