cloud security. IT SECURITY HAS NEVER BEEN SO CONTROVERSIAL.

Transcription

1 cloud security. IT SECURITY HAS NEVER BEEN SO CONTROVERSIAL. Quick guide: cloud security on the new relevance of a controversial topic. Cloud computing helps companies increase their productivity and lower their costs. But at the same time, it also increases their vulnerability to hackers. It s no wonder that IT security is now a widely discussed topic in the business world. The quick guide on cloud security discusses a topic that is both controversial and complex. Insiders report on where and from whom the greatest dangers exist and how one can avoid them. Experts explain why IT security needs to be taken into account from the beginning and why a comprehensive approach is needed to do so. We hope you find this information interesting and look forward to your feedback! your contact person. michael pauly Consulting & Solution Sales michael.pauly@t-systems.com Cloud blog: Internet: ConTenTs: The threat of data hijacking Rüdiger Spies, Analyst, IDC Why the cloud makes a reassessment of security risks necessary. ec cloud with advantages Christian Solmecke, Attorney and IT Expert, Cologne Why it is well worth it to carefully choose your partners. integrated strategy Bernt Ostergaard, Research Director, Current Analysis Security must also advance a company economically. securing routes Axel Oppermann, Senior Advisor, Experton Group AG Why end-to-end security must be seamless. The data espionage game Dr. Christiane Meis, Sicherheisforum Baden-Württemberg and Dr. Sandro Gaycken, Steinbeis-Hochschule Berlin The pros and cons: does more danger come from the inside or the outside? safe use of Byod The trend can t be stopped, but how can private mobile devices be safely integrated into a company?

2 The threat of data hijacking More danger due to the cloud: A reassessment of security risks is needed. According to a current survey conducted by the inter-trade organization Bitkom among ICT companies, IT security is one of the most important topics of the new year. Some 48% of those surveyed have placed this topic at the top of their agenda. The main reason for this is clear: With cloud computing, companies increase their productivity while decreasing their costs. Nevertheless, the infrastructures required for this technology are also providing increasingly larger attack zones for hackers which must be protected at all costs, as analyst Rüdiger Spies from IDC knows all too well. Given the growth rate of cloud computing, for many companies it is unfortunately no longer a question of if but when their corporate data will be hijacked, says the IT security expert. Translate data into monetary values aware of what it means when 10,000 of their 100,000 pieces of customer data are suddenly copied by hackers, explains the Independent Vice President Enterprise Applications from IDC. In connection with this, says Spies, a proactive corporate management should be established that includes a fundamentally revised IT security strategy. Check contracts For companies, the first step in the right direction can therefore be to check their existing contracts with cloud providers in regard to ICT security, as also recommended by data privacy commissioners of the German states and the federal government. Because the best data theft is the one that doesn t take place. In the same breath, Spies advises the introduction of fundamentally new measures. A reassessment of the IT security risks must be undertaken. IT managers have to translate their data into monetary values and be Internet resource: 2

3 EC cloud with advantages Companies are under threat of financial loss due to defective data centers. According to investigations conducted by the Aberdeen Group consulting firm, data center outages cost companies and service providers an average of USD 1.5 million per year. In view of the cloud computing boom, it is thus easy to imagine the threat of the gigantic financial losses that companies are facing due to the defective quality of data centers. There is no question that cloud computing requires secure data centers. Data center shut down? Companies can acquire the corresponding protection through contractual provisions regarding liability, data security and data availability although this is meaningless if a data center operator becomes bankrupt, for example, as Cologne-based attorney and IT expert Christian Solmecke explains. In this case, the company theoretically has a right to withdraw its data. However, once the cloud has been switched off, the legal process to assert this right can take years especially if the data are located in the USA, says the legal expert. Choose your cloud partner carefully Correspondingly, it is particularly important for operators with large or sensitive data volumes to be painstakingly meticulous when selecting their cloud partner for reasons of data security. In many cases, European data security laws have an entirely different level of protection than those in the USA, for example. Companies can try to protect themselves contractually, but this will be more difficult with a non-european company due to the different data security levels. Solmecke concludes: In order to use cloud services in a manner that complies with the data protection provisions of the Federal Data Protection Act, commissioned data processing within an EC/EEA cloud is the medium of choice. Internet resource: 3

4 Integrated strategy Security must also advance the company economically Analyst Bernt Ostergaard. According to a current study conducted by the Ponemon Institute, there are three things that are currently giving CIOs major headaches: mobile devices, virtualization and cloud computing Bernt Ostergaard, Research Director at Current Analysis, knows why it is these three key trends in particular. More and more employees need access to applications such as data per smartphone and tablet PC, at best even from their own device. Says Ostergaard: A direct result of the use of virtualization and cloud computing is that nowadays applications and data are often scattered all over the place and are no longer provided centrally like in the past. A talk with: Bernt Ostergaard Research Director, Current Analysis Taking security into account from the beginning This is why Ostergaard recommends that companies not close their eyes to these trends, or even prohibit them, but rather that they implement an integrated, value-adding ICT security strategy. His motto is: Security must also advance the company economically, not impede it. According to the expert, this also includes a company taking security aspects into account when developing business processes. Ostergaard: The idea that it is possible to integrate security after the fact is decidedly incorrect. When implementing adequate ICT security for the cloud, CIOs should be open for cooperation in Ostergaard s opinion, who also believes that it is impossible to imagine the globalized world without international division of labor. It is therefore important when selecting the corresponding service provider that they possess the corresponding cloud expertise. Companies can recognize such expertise when the provider meets an adequate number of security standards, from the inspection of data centers to authentication to identity management 360-degree security, in other words. Read the entire interview with Bernt Ostergaard in the Best Practice Security Issue. Internet resource: 4

5 Securing routes Seamless end-to-end security between cloud users and providers. Secure use of cloud computing and prevention of hacker attacks will be ICT security s greatest challenge this year. This is according to a current study by the National Initiative for Information and Internet Security entitled IT Security and Data Protection This is primarily due to the fact that the threat situation has changed, as analyst Axel Oppermann knows all too well, and gives the following example: In the cloud, the browser is the central element with which all services can be accessed. And from the hacker s perspective, old-timers such as an outdated browser are the ideal target for an attack, says the Senior Advisor at the Experton Group AG. This is why he recommends that companies rigorously scrap outdated Internet software. System and operational stability Finally, it is important for the original ICT security concept to be expanded in a secure cloud network in regard to system and operational stability. It s simple logic: If the connection to the service provider fails, then the ICT also fails. Accordingly, a competent cloud provider will offer redundant routes to the data centers, for example. This massively increases the system stability. More intensive securing of routes Here is a simple equation: Because applications, and especially data, are increasingly leaving the company due to cloud computing, the individual routes have to be secured more intensively. And the scenario painted by analyst Oppermann confirms this trend: While in the old network there was usually a sufficiently secured corporate network standing between the hacker and the browser and not much went on outside of the company itself, the new cloud world requires sophisticated mechanisms. Overall, the data center used for cloud computing should operate at the highest possible security level. The security between the cloud user and provider should function in an end to end security level with seamless protection. In addition, services such as encrypted VPN connections should be a matter of course. Internet resource: 5

6 The data espionage game Data theft: internal or external attackers who is more dangerous? Secret data stolen from Japan s aerospace agency by an employee, 24 million stolen customer data records at an online shipper and a political party s membership data pilfered by hackers news stories about data theft abound. However, experts are at odds as to the main attack points where companies should confront this danger. The risk of internal attackers is underestimated When companies experience the theft of data and know-how, their own employees usually have a finger in the pie. The risk of internal attackers is underestimated within the grander scope of cybercrime, says Dr. Christiane Meis from the Baden-Württemberg Security Forum (Sicherheitsforum Baden-Württemberg [SiFo]). A study commissioned by the SiFo and conducted by the School of Governance, Risk & Compliance of Steinbeis University in Berlin showed that the most widespread form of economic and industrial espionage is treason, or the spying out of company and trade secrets. According to the study, the perpetrators main objectives were to hit the production and manufacturing (19 percent) and R&D (14 percent) areas. The expert s conclusion: Most of the perpetrators can be found amongst the company s own employees, independent of their job title or hierarchical level! The majority of people would not have suspected either their superiors or their colleagues of the deed. External perpetrators are more dangerous On the opposite side of the spectrum, Dr. Sandro Gaycken of Steinbeis University in Berlin maintains that there is not an inordinate number of internal attackers at an average company. He classifies outside threats as more dangerous because these have become an extraordinarily profitable business. Gaycken believes that the costs for breaking in to a company network with normal security are quite manageable. It takes no more than three of four days for hackers to amass a good amount of company data. However, the benefits of such a break-in for competitors with similar interests are quite high. Internet resource: 6

7 Safe use of BYOD Any way you look at it, personal mobile end-devices cannot be kept out of the workplace. Bring Your Own Device, or BYOD for short, is dividing CIOs. On the one hand, the abbreviation could better be translated with Bring Your Own Disaster because many fear a worst-case ICT scenario caused by personal smartphones or tablets that are contaminated with viruses and full of security gaps. Others are hoping such devices will create benefits for the company due to increased mobility. Fact: Gartner analysts forecast that by 2014 some 90 percent of all companies will allow access to applications and corporate networks through personal end-devices. The reason for this is clear, as consulting firm A.T. Kearney found out. According to Kearny, BYOD requires investment in the ICT infrastructure for security reasons but could also permanently increase employee productivity. Employees use tools that they know and like, and the introduction phase is significantly shortened thanks to existing knowledge. Productive and secure use Another important point is the implementation of security and compliance requirements and ultimately integration into the back-end systems up to operation. This is absolutely essential because BYOD in terms of the company cannot mean only bringing along personal devices. Rather, employees must also be able to use these devices in the most productive and secure way possible. This necessitates a flexible ICT infrastructure that can respond dynamically to data and application requests per mobile end-device. Read the entire article by Martin Schweinoch in the latest issue of Best Practice. Sophisticated strategy instead of simple administration However, in order for large companies to profit from this increased productivity, a comprehensive mobile business strategy is needed. This goes beyond the simple registration of smartphones and tablets. It requires cloud-based mobile device management of both devices and the associated applications. The decisive factor here is that such a platform must be flexible and have the option of being expanded with new devices and operating systems. You can read the complete list of pros and cons with Dr. Christiane Meis and Dr. Sandro Gaycken in the Best Practice Security issue. Internet resource: 7

8 EDITOR: T-Systems International GmbH Hahnstraße 43d D Frankfurt am Main Phone: +49 (0) Internet: Responsible for content: PR & OnlineMarketing