Tag Archives: security

IT security still a barrier to public cloud and employee mobility – Dell survey

Dell has released the findings from its Data Security Survey, which revealed IT decision makers are still not confident enough to encourage mobility or use of public cloud platforms.

Although the pattern over the last few years has been to broaden employee boundaries, increasing flexibility within the working environment, the survey demonstrated that a substantial number of businesses are resisting mobility due to security concerns.

The majority of businesses would claim cyber and cloud security sits at the top of the priority list, and whilst this might be the case, Dell’s survey has highlighted a number of deficiencies across the board.

Over the last 12 months the tech world has been lit up by numerous data breaches, hacks and leaks on both sides of the Atlantic. From TalkTalk to Ashley Madison to Kaspersky Labs, security has once more been highlighted as a major deficiency in the IT world.

Following a number of PR disasters for large scale enterprise throughout the world, 75% of decision makers agree that C-Suite recognises the importance of data security, though only 25% believe that the C-Suite is adequately educated about the issues to make informed decisions. The survey also highlighted that only 25% feel that their leadership has the ability to set suitable budget to tackle the challenges of data security over the next five years.

65% of mid-market companies are freezing plans to increase mobility within their workforce, with 67% resisting BYOD programmes, due to security concerns. The benefits of a mobility strategy, both from an employee satisfaction and productivity perspective, are well documented, though these statistics demonstrate security fears drastically outweigh the benefits. In fact, 82% of decision makers have made attempts to reduce mobility for employees, by decreasing data access points.

On the contrary, only 40% of respondents highlighted that they were actively interested in pursuing opportunities to increase employee mobility.

In terms of public cloud platforms, there does not appear to be a high level of confidence in offerings such as Google Drive. Almost 80% of decision makers said that they would not be confident in uploading critical data to the cloud, 58% highlighted that they believed the threat to be greater than 12 months ago, and 38% restricted access to public cloud sites within their organization.

Another area addressed by the survey is that of Shadow IT. Almost every business will have a strict IT policy in place, though there will still be a proportion of the workforce that deems this to prohibit their working day. Despite the concerns of public cloud platforms, 83% of respondents acknowledge that their employees are using such platforms to store or share valuable data.

As these statistics demonstrate, most organizations have not identified the crossroads between security, assumed business risk and productivity, to most effectively enable the workforce.

“Security programs must enable employees to be both secure and productive, and this means enabling technology that helps them do their jobs,” said Brett Hansen, Executive Director, Data Security Solutions for Dell. “Companies can try to limit or prohibit public cloud use, but it’s more effective to use intelligent data encryption to protect corporate data wherever it may go, and reduce the risk of employees working around restrictive policies in order to be productive.”

While the survey demonstrates growth within the cyber and cloud security world, it also highlights a number of restrictions. On the positive side, security is now a priority throughout the business, as opposed to simply in the IT team. It also emphasises a slight overreaction from decision makers who have taken the move of reducing mobility and access to public cloud offerings; two areas which could increase an organization’s competitiveness in an already challenging market.

The economics of disaster recovery

Companies increasingly need constant access to data and the cost of losing this access – downtime – can be catastrophic. Large organizations can quickly find themselves in the eye of a storm when software glitches strike. It can result in lost revenue, shaken customer loyalty and significant reputational damage.

In August 2013, the NASDAQ electronic exchange went down for 3 hours 11 minutes, causing the shutdown of trading in stocks like Apple, Facebook, Google and 3,200 other companies. It resulted in the loss of millions of dollars, paralyzing trading in stocks with a combined value of more than $5.9 trillion. The Royal Bank of Scotland has now had five outages in three years including on the most popular shopping day of the year. Bloomberg also experienced a global outage in April 2015 resulting in the unavailability of its terminals worldwide. Disaster recovery for these firms is not a luxury but an absolute necessity.

Yet whilst the costs of downtime are significant, it is becoming more and more expensive for companies to manage disaster recovery as they have more and more data to manage: by 2020 the average business will have to manage fifty times more information than it does today. Downtime costs companies on average $5600 per minute and yet the costs of disaster recovery systems can be crippling as companies build redundant storage systems that rarely get used. As a result, disaster recovery has traditionally been a luxury only deep-pocketed organizations could afford given the investment in equipment, effort and expertise to formulate a comprehensive disaster recovery plan.

Cloud computing is now making disaster recovery available to all by removing the need for a dedicated remote location and hardware altogether. The fast retrieval of files in the cloud allows companies to avoid fines for missing compliance deadlines. Furthermore, the cloud’s pay for use model means organizations need only pay for protection when they need it and still have backup and recovery assets standing by. It also means firms can add any amount of data quickly as well as easily expire and delete data. Compare this to traditional back up methods where it is easy to miss files, data is only current to the last back up (which is increasingly insufficient as more data is captured via web transactions) and recovery times are longer.

Netflix has now shifted to Amazon Web Services for its streaming service after experiencing an outage in its DVD operation in 2008 when it couldn’t ship to customers for three days because of a major database corruption. Netflix says the cloud allows it to meet increasing demand at a lower price than it would have paid if it still operated its own data centres. It has tested Amazon’s systems robustly with disaster recovery plans “Chaos Monkey”, “Simian Army” and “Chaos Kong” which simulated an outage affecting an entire Amazon region.

Traditionally it has been difficult for organizations like Netflix to migrate to the cloud for disaster recovery as they have grappled with how to move petabytes of data that is transactional and hence continually in use. With technology such as WANdisco’s Fusion active replication making it easy to move large volumes of data to the cloud whilst continuing with transactions, companies can now move critical applications and processes seamlessly enabling disaster recovery migration. In certain circumstances a move to the cloud even offers a chance to upgrade security with industry recognized audits making it much more secure than on site servers.

Society’s growing reliance on crucial computer systems means that even short periods of downtime can result in significant financial loss or in some cases even put human lives at risk. In spite of this, many companies have been reluctant to allocate funding for Disaster Recovery as management often does not fully understand the risks. Time and time again network computing infrastructure has proven inadequate. Cloud computing offers an opportunity to step up to a higher level of recovery capability at a cost that is palatable to nearly any sized business. The economics of disaster recovery in the cloud are such that businesses today cannot afford not to use it.

Written by David Richards, Co-Founder, President and Chief Executive of WANdisco.

Telstra and Cisco Unveil New Products

Telstra and Cisco have recently announced three new software-defined networking (SDN) and network function virtualization (NFV) products that aim to improve both cloud security and global data center interconnection. These products come in addition to Telstra’s two additional functions for its SDN PEN platform, announced in January.

Cloud Gateway Protection: This product was the first of the three made available in beta. It is a virtual security application that aims to secure cloud services and internet access, as well as Next IP networks against cyber-attacks.

Internet Virtual Private Network (VPN): This product will provide a secure and encrypted office network over the public internet. This can be used by businesses across several sites. The launch is expected to occur later in March.

Data Center Interconnect: This product will extend Telstra’s SDN PEN1 global data center interconnection. Australian data centers will be added. Customers may configure links between domestic and foreign data centers.

These products aim to revolutionize the cloud. The three new products will be connected by Telstra’s self service portal. The two companies have a long standing partnership and this combined effort utilizes both companies’ assets.

The additional features Telstra added in January allow customers to call upon network functions and make digital partnerships.

PEN Exchange: This function allows customers to connect their network services with other customers’.

Improvements to PEN Marketplace: This function improved the marketplace; businesses may order NFV equipment from various vendors.

In addition to the strong partnership between Telstra and Cisco, Telstra has also formed a strong connection with HP and other businesses, allowing Telstra to further its NFV strategies and other programs.

Comments

Philip Jones, Telstra executive director of Global Products and Solutions: “By allowing us to overcome the constraints of traditional network infrastructure, the software-driven customer experiences dramatically increases our agility by enabling us to quickly create new solutions, and puts the control of those solutions into the hands of our customers.”

Kelly Ahuja, Cisco senior vice president of Service Provider Business, Products, and Solutions: “By combining Cisco’s agile and flexible software platform with Telstra’s customer-focused and customer-friendly range of products, we send a powerful message to the industry and provide a clear example of how to develop and design the network services of tomorrow.”

David Robertson, Telstra Operations director of Transport and Routing Engineering for Networks, said at the time: “Partnering with multiple vendors helps us to deliver impactful virtualization and orchestration capabilities within a flexible architectural framework. As service providers look to build seamless application delivery networks, vendors that have qualified their technologies with the industry’s standardization groups are seen as more attractive to customers.”

The post Telstra and Cisco Unveil New Products appeared first on Cloud News Daily.

BT beefs up Cloud of Clouds security with Palo Alto Wildfire

BT is to install a cloud-based breach prevention security system from Palo Alto Networks (PAN) into its global Cloud of Clouds, writes Telecoms.com.

Under the terms of a new BT-PAN agreement, BT’s existing Assure Managed Firewall service will now include PAN’s cloud-based WildFire malware prevention system, described as a ‘key component’ of the security specialist’s Next-Generation Security Platform. In a statement, BT said the installation is part of a long term plan to roll out stronger protection for its cloud-based applications as it aims to encourage enterprise customers to benefit from its Cloud of Clouds.

Though enterprises are keen to embark on a digital transformation, security concerns continue to hold them back, according to Mark Hughes, CEO of BT Security. The most obviously profitable use cases for cloud computing, such as big-data analytics and access to more cloud based applications, are the very attractions that cyber criminals are most likely to target. In the rush to provide greater levels of security telcos and cloud service providers face an investment protection challenge, Hughes said.

While enterprise customers need to access these applications quickly and securely, they must also find future-proof tools that can go with the cloud and won’t have to be expensively replaced in a few years’ time. “Enterprises need security that can protect them against targeted and increasingly sophisticated cyber-attacks. They need a tougher lining around their cloud services,” said Hughes.

Palo Alto Networks will provide intelligent security monitoring and management services to the BT Assure portfolio of security services. The Palo Alto Networks Next-Generation Security Platform includes a Next-Generation Firewall, Advanced Endpoint Protection and a Threat Intelligence Cloud.

BT recently won two new cloud service contracts with the European Commission worth £24 million, bringing its total of EC contract wins to four in 12 months, BCN reported in January. With data security an increasingly sensitive issue with the EC (as reported in BCN), BT has taken on a challenging brief to provide public and private cloud services across 52 major European institutions, agencies and bodies.

Microsoft Improves Cloud Security

Microsoft has recently announced its huge developments in the cloud security sector that will allegedly improve the security of online companies. Microsoft plans to unveil more at the RSA Conference, taking place from February 29th to March 4th in San Francisco. These new developments include Customer Lockbox, Microsoft Cloud App Security, Azure Active Directory Identity Protection, and Microsoft Operations Management Suite.

Customer Lockbox: Lockbox helps Microsoft engineers achieve more transparency when they require access to Office 365 accounts to aid in troubleshooting. Lockbox aims to make the customer approval process more efficient. Lockbox is already available to those using Exchange Online.

Microsoft Cloud App Security: This application provides both security and control over data stored in app clouds, including SalesForce and Office 365. This application comes after the addition of security broker Adallom to the cloud giant. Office 365 was also upgraded in conjunction with Microsoft Cloud App Security: users will be made aware of suspicious activity. Users will also have the choice of approving third party services.

Azure Active Directory Identity Protection: Microsoft has yet to unveil much about this application, but it is expected that it will provide threat detection. It will utilize Microsoft’s data to investigate threats such as authentications from unfamiliar locations.

Microsoft Operations Management Suite: Some improvements were made to the Microsoft Operations Management Suite; users will receive information pertaining to malware detections, network activity, and system updates.

Comments:

Bret Arsenault, Microsoft’s chief information security officer: “Keeping our network safe, while protecting our data and our customers’ data, is paramount. As Chief Information Security Officer at Microsoft, I am constantly looking for ways to improve our security posture, through new technologies that accelerate our ability to protect, detect and respond to cyber incidents… After years of examining crash dumps that our customers opted to send to Microsoft from more than a billion PCs worldwide, Microsoft has developed the capability to analyze this data to effectively detect compromised systems because crashes are often the result of failed exploitation attempts and brittle malware.”

Sarah Fender, principal program manager of Microsoft Azure Cybersecurity: “After years of examining crash dumps that customers sent to Microsoft from more than 1 billion PCs worldwide, we are able to analyze these events to detect when a crash is the result of a failed exploitation attempt or brittle malware. Azure Security Center automatically collects crash events from Azure virtual machines, analyzes the data, and alerts you when a VM is likely compromised…Starting next week, in addition to configuring a Security Policy at the subscription level, you can also configure a Security Policy for a Resource Group—enabling you to tailor the policy based on the security needs of a specific workload. Azure Security Center continually monitors your resources according to the policy you set, and alerts you if a configuration drifts or appropriate controls are not in place.”

The post Microsoft Improves Cloud Security appeared first on Cloud News Daily.

Most data in the cloud is exposed says Thales/Ponemon study

A new study into encryption and key management suggests that nearly all of the companies in the world are planning to make a potentially fatal security mistake.

If the new global study is an accurate gauge of global trends, 84% of companies across the world are about to commit sensitive data to the cloud by 2018. However, only 37% of the same survey sample has an encryption plan or strategy.

With consultant PwC recently declaring that cloud computing is attracting the attention of the world’s cyber criminals and attracting a mini-boom in hacking attacks, the lack of data encryption could prove fatally negligent.

The Global Encryption Trends report, commissioned by Thales Security and conducted by IT security think-tank Ponemon, revealed that though the use of encryption is increasing, the security industry isn’t keeping pace with its criminal opponents. In the study Ponemon interviewed 5,009 individuals across multiple industry sectors in 11 of the world’s top economies, including the US, the UK, Germany, France, Brazil and Japan. If that survey is an accurate reflection of the global state of security of the cloud, there are some worrying trends, according to Thales.

While use of encryption is on the up, with nearly three times more organisations classifying themselves as extensive users in comparison with years ago, there is ‘still some way to go’, according to Thales. In 2005 a Thales study found that 16% of its global survey sample used encryption. By 2015 the proportion of encryption users had risen to 41% of those surveyed. That still means that a minority of companies around the world are using a baseline level of cyber security, according to John Grimm, Senior Director at Thales e-Security. To make matters worse, in that time the cyber crime industry will have been far more agile and fast moving.

Other findings were that 40% of cloud data at rest is unprotected and 57% of companies don’t even know where their sensitive data resides. Sensitive data discovery ranked as the top challenge to planning and executing an encryption strategy, according to researchers.

Support for both cloud and on-premise deployment was rated the most important encryption solution and 58% of companies said they leave their cloud provider to be responsible for protecting sensitive data transferred in the cloud.

Dell launches new backup and recovery services that straddle the cloud and the client

Dell has announced a programme of new data protection initiatives to protect systems, apps and data that straddle private premise computers and the cloud.

There are four main strands to the new offerings: Dell Data Protection and Rapid Recovery, three new data deduplication appliance models, Dell Data Protection and Endpoint Recovery and a new Dell Data Protection and NetVault Backup offering.

The Dell Data Protection and Rapid Recovery system integrates with previous Dell offerings such as AppAssure in order to help eliminate downtime for customer environments. Dell claims that users get ‘ZeroImpact’ recovery of systems, applications and data across physical, virtual and cloud environments. The Rapid Snap for Applications technology works by taking snapshots of entire physical or virtual environments every five minutes so users can get immediate access to data in the event of an incident. Rapid Snap for Virtual technology also offers agentless protection of VMware virtual machines.

The new Dell DR deduplication appliances are named the Dell DR4300e, DR4300 and DR6300. The mid-market DR4300 offers up to 108TB of usable capacity while ingesting up to 23TB of data per hour. The entry-level DR4300e is a smaller scale, low-cost appliance that can scale up to 27TB. The DR6300 is a larger midmarket and small enterprise solution that delivers up to 360TB of usable capacity while ingesting up to 29TB of data per hour.

Dell Data Protection and Endpoint Recovery is a light-weight, easy-to-use software offering that gives customers an endpoint protection and recovery solution for Windows clients. This is an offering for single users and starts off being free.

The Dell NetVault Backup is a cross-platform, enterprise backup and recovery solution that offers a spectrum of operating systems, applications and backup target support. A new option is to allow customers to break up backups into smaller, simultaneously executed chunks to increase performance.

Start up Cato Networks claims Network Security as a Service first

Check Point founder Schlomo Kramer is launching a new cloud security firm with former Imperva colleague Gur Shatz as demand for traditional on premise firewall security diminishes. Cato Networks will offer a new cloud security concept that’s been dubbed Network Security as a Service (NSaaS).

The Cato Cloud has two complementary layers. One, the Cato Cloud Network, is based on a global, geographically distributed network of points of presence (PoPs). The second, Cato Security Services, is a suite of network security (such as firewalls, VPNs, URL filtering) delivered through the cloud as an integrated managed service.

Cato Networks’ software creates an encrypted network out of all the disparate elements of the connected enterprise, such as branch offices, remote locations, data centres and mobile users. The last two groups in that list have changed the model of security, according to Kramer, since the liquidity of the network has been exacerbated by the virtual nature of systems residing in data centres and the increasing prominence of mobile users. With new virtual machines being spun up in their thousands and mobile workers multiplying in both numbers and computing capacity, firewalls are not the right solution to this moveable vulnerability problem, according to Kramer.

The Internet of Things will only exacerbate security problems, according to a Cato Networks statement. Research commissioned by Cato showed that maintenance, costs and the complexity of managing policies for multiple locations is too challenging for up to 57% of security professionals.

Companies that use a variety of cloud services can tie their hybrid clouds into a secure network and forget about having to maintain firewalls or invest in expensive network security, according to Cato.

Cato would allow retail chains, which typically have hundreds of locations each with a multiplicity of devices, to securely connect directly to the cloud for Internet access.

Cato raised $20 million in financing led by Aspect Ventures and will launch its new cloud security offering around September 2016 with co-founder Kramer investing $4 million of his own money.

Box, IBM and Black Duck announce security offerings amid open source vulnerabilities

Two more services have been launched with the aim of shoring up the security of the cloud, as its popularity sees it becoming increasingly targeted for attack.

File sharing company Box has launched a customer-managed encryption service, KeySafe, in a bid to give clients more control over their encryption keys without sacrificing the ease of use and collaboration features of Box. Meanwhile UK-based open source security vendor Black Duck has been recognised under IBM PartnerWorld’s ‘Ready for IBM Security Intelligence’ designation.

Box’s KeySafe aims to centralise sensitive content in the cloud, and promises new levels of productivity and faster business processes. Box Enterprise Key Management (EKM) uses Amazon Web Services (AWS) and a dedicated hardware security module (HSM) to protect keys used to encrypt sensitive data. Box also has a service that integrates with AWS Key Management Service so customers can control their encryption keys. The service is intended to be simple and uses a software-based technology that doesn’t need dedicated HSMs.

Box says it can never access a customer’s encryption keys, which the customer owns. The main selling points of KeySafe, in addition to this independent key control, are unchangeable usage policies and audit logs and a ‘frictionless end user experience’ with simple data. Pricing is to be based on size.

In another security announcement, Black Duck’s new offering through IBM follows a research finding that 95% of mission critical apps now contain open source components, with 98% of companies using open source software they don’t know about. With 4,000 new open source vulnerabilities reported every year, Black Duck claims that cloud computing is creating greater vulnerabilities.

IBM has announced that Black Duck Hub has been validated to integrate with IBM Security AppScan in order to identify and manage application security risks in custom-developed and open source code. The hub now provides a clarified view within IBM Security AppScan which will help spot problems quicker. Black Duck Hub identifies and logs the open source in applications and containers and maps any known security vulnerabilities by comparing the inventory against data from the National Vulnerability Database (NVD) and VulnDB.

“It’s not uncommon for open source software to make up 50 per cent of a large organisation’s code base. By integrating Black Duck Hub with AppScan, IBM customers will gain visibility into and control of the open source they’re using,” said Black Duck CEO Louis Shipley.

Skyhigh, Check Point claim cloud security simplification

Cloud access security broker Skyhigh Networks and security vendor Check Point claim they’ve jointly made security, compliance and governance policies for cloud services a lot easier to manage.

The initial launch of their combined service is aimed at regulating software, platform and infrastructure as a service (SaaS, PaaS and IaaS) offerings.

The integration of their security offerings means that mutual customers can use Skyhigh’s cloud access security broker (CASB) and Check Point’s firewall more effectively while taking less time to set up and enforce internal policies. The idea is to alleviate the work of enterprise security managers as they try to comply with external regulations and protect corporate data.

Meanwhile Skyhigh is offering a free cloud audit as it claims that an all time high adoption of cloud has not been matched by cloud security standards. According to the Q4 2015 Skyhigh Cloud Adoption and Risk Report, the average company uses 1,154 cloud services and uploads over 5.6 TB to file sharing services each month. However, this vast migration of data to the cloud is creating a security gulf, it claims, because the rush to cut costs has seen companies lose visibility and control over their IT estate.

The combined Skyhigh Check Point service promises to shed more light on the state of the network, enforce data loss prevention (DLP) policies, protect company data, consolidate usage of cloud services, identify any risky data uploads or downloads from questionable service providers and protect against data exfiltration attempts. By applying threat intelligence to analyse cloud traffic patterns, detecting anomalous behaviour and remediating against users or cloud services the two partners claim they can restore the levels of security enterprises need, by making it easier to implement.

“Companies want to embrace cloud services, but they can’t leave behind security controls as corporate data moves off-premises,” said Chris Cesio, business development VP at Skyhigh Networks.