Channel Partners

FAL 2015

For 25 years, Channel Partners has been a resource for indirect sales channels, such as agents, VARs and dealers, that provide network-based communications and computing services, associated CPE and applications, and managed and professional services

Issue link:

Contents of this Issue


Page 41 of 47

not your customers' servers or data. That leaves the reseller or end customer to implement and manage a two-factor method. Offerings such as Duo Security's Push and Google's Authenticator applica- tion integrate with many cloud providers' networks and provide a massive risk reduction for little or no cost. My advice is to never spin up a cloud service without two-factor authentication. Another cloud risk that customers don't think about is disaster recovery. Many assume that the cloud is auto- matically reliable and redundant, but that simply is not true. Outages at both Amazon and Google in the past year brought down some well-funded startups that didn't plan appropriately. In some cases, end customers are stuck between a rock and a hard place, depending on cloud services that are stacked on top of one another. Now there are miles of fiber and multiple regions, data centers and POPs in the mix. One outage at Amazon may bring down a few services, and all channel providers can do is wait. Any security audit should include reviewing disaster recovery strategies for all mission- critical providers; if a plan isn't up to par for customer requirements, consider an alternate or supplemental service. All of the risks we've discussed so far have rather straightforward solu- tions, whether via process, technology Michael Davis , CTO for CounterTack, is responsible for driving the advancement of CounterTack's revolutionary endpoint security platform, as well as leveraging his visionary approach to push defenders ahead of attackers. He has earned a reputation as one of the nation's leading authorities on information technology. The list of organizations that rely on his council includes AT&T, Sears, Exelon and the U.S. Department of Defense. Prior to CounterTack, Davis was president of External IT, a national managed IT and cloud services provider; founder of IT security consulting firm Savid Technologies; and senior manager of global threats at McAfee, where he led a team of researchers in cutting-edge security analysis. He was voted one of the "Top 25 under 25" by BusinessWeek and is a contributing author to the best-selling computer security book, "Hacking Exposed," as well as "Hacking Exposed: Malware and Rootkits." He is a frequent contributor and speaker, including at Black Hat, Interop, SuperStrategies, Cloud Partners and Channel Partners, and InfoSecWorld. @countertack TOKENIZATION 101 Tokenization systems, like TransArmor or TokenEx, swap a sensitive piece of information, such as a credit card number, for a random token, often a 64-digit number, that is used in applications in lieu of the real data. If the app is compromised, the attacker can't reverse the token back to the card number. It's a good idea, but there are gotchas: Ensure that the service provider performing the sensitive- data-to-token process, and the database where that sensitive data then lives, are hardened and secure. Watch for lock-in; tokenization systems are proprietary. Favor in-place tokenization. These systems generate tokens that resemble the replaced data in terms of structure and length, and that means fewer application changes. Make sure data analysts can run queries on the tokens for customer and sales insights. Kill the value of big data and the business will rebel. or evaluating different providers. There is one cloud risk, though, that simply doesn't have a good answer: forensics. What happens if your customer's cloud environment is hacked? Who do you work with to find out how it happened, who left the door open and what was taken? Who does the investigation and, maybe, prosecution? Most of the forensics tools and processes used in the industry today are very on-premises focused. Some need disk or memory images, which might not be available from a cloud provider. For example, if a CSP doesn't provide access to a raw disk image, you might not be able to work with the FBI or police. Since there is no easy way to solve this issue, the best bet is to maximize the logs available for any cloud service. Every time a user logs in or makes a change, that event should be logged and stored for review — outside the cloud and away from access by privileged, and possibly malicious, users within the customer's company. While log files stored securely at a solution provider site may not be a perfect answer, it will help reconstruct the crime scene as much as is possible without forensic access to the CSP network. When asked about cloud security, my stock answer is that it's all about trade- offs, so confusion becomes the biggest risk. But that should not stop SMBs from heading to the cloud. Working with security-focused CSPs and knowledge- able solutions providers, including cloud brokers, makes all the difference. Where security is implemented, by whom, and visibility when it changes are all part of cloud security risk management, and end customers can't be expected to have that level of technical knowledge. They're trusting their advisers. Channel partners cannot take this responsibility lightly. Knowing what type of security is required and when a custom solution is needed can add value to existing customer accounts in addition to being a differentiator when competing against other CSPs, just as banks use their security capabilities to stand out in a crowded market. Offering security services, including a brokerage practice with deep insight into CSPs' offerings, yearly cloud security reviews, two-factor authentication and encryption management, will provide higher security, and ultimately, higher margins for your business. 22 CHANNEL PARTNERS FALL 2015 COVER

Articles in this issue

Links on this page

Archives of this issue

view archives of Channel Partners - FAL 2015