Securing Data in the Cloud 10 Critical Questions to Ask Your Cloud Provider
By Leonard Chung

Executive Summary

There is no question that businesses can benefit from moving data to the cloud. The cloud is elastic and efficient. It can improve user productivity and unburden IT staff, saving time and money. It can accommodate anything from simple file sharing to mission-critical data backup. The question is, just how secure is your cloud? And how do you know?

There are major differences among cloud providers in their approach to security and their use of security technologies, processes, and personnel. These differences can have a major impact on the availability, integrity, accessibility, privacy, and compliance of your data and can directly impact your business.

This paper provides a framework, built from industry best practices, for thinking about cloud security. It also provides a short list of questions you should ask any prospective cloud provider, whether that is your internal IT department or a third-party cloud service provider. For example:

How much control do I maintain over my data?
How do you safeguard my data from that of other clients?
How do you ensure security for client (endpoint) devices?

Armed with these questions and a better understanding of the underlying process, personnel, and technology issues, you can transform cloud security from a source of uncertainty and doubt into a source of business advantage. And you may experience something you never expected from your move to the cloud: peace of mind.

The Promise and Challenge of the Cloud

Virtually every article, blog, or white paper about security begins by trying to scare the living daylights out of the reader, usually with horror stories and jaw-dropping statistics about security breaches and their devastating consequences. However, it is important to view cloud security not only as a potential vulnerability but also as an opportunity. Solid security can open new doors for your business by enabling it to offer more services to more users with greater flexibility and less expense. Moreover, the cloud model can greatly mitigate or even eliminate many traditional security risks. Simply put, a framework for cloud security should consider what security can help you accomplish, not just what it can help you avoid.

Therefore, the first step in understanding cloud security is to see the big picture of the cloud itself: the advantages, the issues, and the trends that are influencing adoption of the cloud model.
In a word, the overarching benefit businesses expect when they move data to the cloud is agility. Customers, employees, and business partners live in their files and their files are their lives. That means they want all of their data conveniently and reliably accessible no matter where or how it is stored, no matter what kind of application they're using to access files, and no matter what type of device is at their fingertips: a smartphone, a tablet, a laptop, or a desktop. They want to be able to work and transact business anywhere, at any time.

In addition, the era of BYOD (bring your own device) is upon us. In many cases, employees want to use their personal devices to access work-related documents and messages. They want to share these files without cumbersome access controls and login procedures. They want corporate files and data to be as nimble as they are. And they're going to find a way to get what they want, whether the IT department helps or gets in the way. The cloud can deliver the agility users need with the security IT requires, and in doing so can preclude the need for "backdoor IT," where users or even departments and lines of business create their own workarounds to avoid cumbersome security requirements.

An additional benefit of the cloud is decreased cost and business risk. A cloud offering is a pay-as-you-go service, so there are no new capital expenditures for servers, storage systems, and VPN connections; there are no software upgrades and support costs; there is no need to hire and train new system administrators. Since most cloud services are easy to provision and deploy, with free trials and month-by-month terms available, businesses don't need to risk the expensive upfront investment typical hardware and software solutions require. The cloud service also typically works with a multitude of devices, scales on demand to accommodate growth or spikes in usage, and is accessible 24/7 virtually anywhere there is Internet access.

The cloud model can also give companies the ability to leverage resources they already have, including both physical infrastructure such as servers and storage systems, as well as existing user credentials and security-related processes. This means IT can extract even more value from these resources by cloud-enabling them rather than force a rip-and-replace migration that increases risk across the board.

At the same time, the move to the cloud model can unburden the IT department of the need to develop and maintain expertise in every facet of data security. The key elements of security are left to specialists, so IT can focus on more strategic and higher-value-add projects.

Despite all the potential benefits, however, most businesses are still using the cloud for only about 10% of their IT needs [1]. The dominant concern is security. Businesses remain unsure whether their data is safe in the cloud, and whether the cloud model has matured enough to address the myriad security issues it creates. The next section describes the key security issues you should consider as you evaluate cloud service provider offerings.

[1] A Lack of Standards, by Amy Larsen Decarlo, Information Security, December 2011

Cloud Security: Technology, Process, and Personnel Considerations

The advantages of the cloud model are counterbalanced by new security risks and vulnerabilities that must be addressed. However, it must be emphasized that these risks are not mitigated by technology alone. Only a holistic approach blending the right technologies, processes, and personnel will deliver a comprehensive data security solution for the cloud. For example, the cloud is only a hosting model. Encryption by itself, often touted by vendors as the solution, is only one type of defense. Both are useless in addressing security issues until they are paired with the processes and personnel that empower them to fully address the underlying security threat.
The broad categories of cloud security risks are summarized below, followed by a discussion of the technologies, processes, and personnel considerations that can provide a holistic solution.

Network availability: The cloud can give more users more access to more data, but only if users can access the cloud. Network outages, system outages, improperly implemented access policies, errors and oversights, even routine activities such as boarding a plane or leaving the office, can introduce the risk of lost access to critical data and potential downtime for the business.

Device security: The cloud allows more types of devices to participate in services, but those devices remain subject to the vagaries of human nature. People get sloppy with passwords; they don't always install or upgrade their antivirus and malware software; and they frequently damage or lose their devices (156,000 laptops alone are lost at U.S. airports each year, according to a recent study by the Ponemon Institute [2]).

[2] Airport Insecurity: The Case of Lost Laptops, Ponemon Institute Independent Research Report.

Data durability: It's not enough for data to be accessible; it must also be protected against corruption, misplacement, and inadvertent deletion. Accidents, malicious acts, hardware failures, or inadequate controls can compromise data integrity and quickly negate the benefits of moving to the cloud.

Privacy and confidentiality: In the cloud model, data is constantly transmitted to and from systems that are outside the corporate firewall. Users need assurance that sensitive communications and data are accessible only to the intended recipients, whether the data is in transit or at rest.

Control: The cloud transforms even the simplest deployments of desktops and mobile devices into complex distributed systems. Controlling policies, permissions, and authentications among diverse devices, applications, users, and data types can quickly become a daunting task without the right management tools and processes.

Compliance: The cloud adds yet another layer of complexity to the already mind-numbing array of compliance requirements for data security. To cite just one example: most states in the U.S. now have data breach laws that require individuals to be notified if a data breach has occurred. Businesses need assurance that their cloud provider understands all the relevant laws and has the security systems in place to diminish the risk of violating any of them.
[Figure: Technology, Processes, People. Elements shown: Certifications; Encryption; Replication & Redundancy; Data Center Access Controls; Mobile App Security; Customer-Controlled Policies & Access Permissions; Auditing & Reporting]

Multiple security strategies, technologies, standards, and processes have emerged or evolved to help mitigate the risks created by the cloud model. In general, these fall into the following broad categories:

Certification: The hosting provider's data centers can be certified to meet rigorous standards for physical security, physical access, and internal controls. For example, SSAE-16 (formerly known as SAS70) is an internationally recognized third-party assurance audit that provides a benchmark to compare internal controls and processes against industry best practices, and the Federal Information Security Management Act (FISMA) is U.S. legislation that defines a comprehensive framework for protecting government information, operations and assets against natural or man-made threats. Others include PCI DSS, ISO 27001, HIPAA, and FIPS. Certified compliance with these standards demonstrates a high level of commitment to data security.

Encryption: Data encryption and clear policies and processes for encryption are vital to ensuring complete data protection. Data that is not encrypted is open to intentional or accidental interception, which can result not only in a breach of privacy or confidentiality but also violations of regulatory requirements, loss of goodwill among employees and customers, bad press that impacts sales, and very expensive remediation efforts. Virtually every company encrypts file data during transfer, but few encrypt everything transmitted, such as unique user account information and mobile phone identifiers that allow others to uniquely track a phone. Even fewer encrypt stored data at rest in the data center as well as on mobile devices. This ensures files are protected not just in the seconds it takes to transfer them, but also in the days and years they will spend stored on hard drives and phone memory. The gold standard for encryption, whether the data is in transit or at rest, is the Advanced Encryption Standard at its highest level of security of 256 bits (a.k.a. AES-256). This is the only encryption standard certified by the government for classified materials. Also, the management of encryption keys is an important consideration. These keys should be stored in a separate location from the encrypted data itself to avoid having a single point of compromise. Physical and logical access to the key server by authorized personnel must be tightly controlled.

Replication and redundancy: It's common sense that having multiple copies of files and messages in multiple locations helps guard against accidental loss or corruption. However, managing all those copies can lead to complications that impact security. It is critical that the prospective cloud provider can reliably retrieve the correct version, provide availability in the face of a failure at any individual data center, and synchronize the versions that exist at multiple sites. Equally important, make sure your provider can tell you exactly where your data is being stored, and verify that you have the ability to permanently and irrecoverably delete files out of their system on demand if you require.

Data center access controls (physical and virtual): Part of ensuring that only the right people have access to data is ensuring that only the right people have access to the data center. Physical systems that house user data must be accessible only to employees with a legitimate business need, and authentication and key management data centers must be completely inaccessible to non-credentialed employees. The best architectures are built to require two authorized employees before any data can be accessed. In many cases a third-party provider is in a better position to provide these safeguards than the internal IT department.

Mobile app security: Mobile devices are loss-prone, meaning they can contain large amounts of data and compute power and are easy to connect to the Internet and other devices, but they have very little built-in security. The responsibility therefore lies with the application that provides file access to make up this gap. Applications can do so with features such as remote wipe in the event the device is lost or stolen (initiated by the user, an administrator, or by policy), an encrypted file lockbox to protect data stored at rest on the device, or a PIN (requiring the user to authenticate via the PIN in addition to their normal password), as well as through ensuring adherence to company policies and controls.

Customer-controlled policies and access permissions: Every business experiences constant change at the user level. Employees and contractors come and go. People start and stop using different types of devices.
Access requirements are in a constant state of flux. You need a convenient way to control and manage who gets access to what, under what conditions. You also need an easy way to create, change, and enforce data retention policies, along with the ability to remotely wipe any user's account, their individual computers or mobile devices, in the event the device is lost or the employee/contractor is terminated. Equally important, you need a flexible way to balance the risk of security vulnerabilities against the cost and effort of mitigating them. In other words, the security solution must be able to adapt easily to fast-changing requirements so that you can "protect by enabling" or "protect by restricting" as needed, rather than being forced into one approach or the other.

Auditing and reporting: Management needs insight into who has access to resources, who is using those resources, and what changes have been made. Audit trails and reporting mechanisms are designed to provide this information. The best systems also provide customizable versioning to make it possible to quickly and easily reverse damage from undesirable changes or deletions.

10 Critical Questions to Ask Your Cloud Provider

The information in the previous section provides important context for understanding the challenges and requirements of cloud security. With this framework in mind, you are now prepared to ask the following pointed questions of prospective cloud service providers and gauge the adequacy of their answers.

1. What is your data encryption philosophy and how, specifically, do you encrypt data?
The overall approach is crucial. If the vendor is of the opinion that password protection for a file or laptop is sufficient to prevent unauthorized access to content, or that data encryption is needed only for data that is in transit and not at rest, you may want to consider other cloud providers. Encryption of all data, in transit, at rest, and in mobile devices, should be the basis of any holistic security solution.

Failure to encrypt all content can have serious consequences, most notably in the area of regulatory compliance. The data-breach laws mentioned previously are only the tip of the iceberg. In the U.S. alone, legislation such as the Gramm-Leach Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), the Financial Industry Regulatory Authority (FINRA), the Health Insurance Portability and Accountability Act (HIPAA), and the Personal Information Protection and Electronic Documents Act (PIPEDA) could all be violated by a loss of unencrypted data. On the other hand, proper encryption not only defends against such violations but also creates new business opportunities and competitive advantages, such as the ability to transact securely any time, from anywhere, and the ability to serve new customer segments or geographies.

Regarding the actual encryption of the data, make sure all data is transferred and stored using the highest levels of encryption: 256-bit Advanced Encryption Standard (AES) SSL for transit, and 256-bit AES for data at rest (introduced by the National Institute of Standards and Technology or NIST). AES is the only publicly accessible and open encryption technology approved by the National Security Agency (NSA) for Top Secret information. There is simply no excuse for using any lower-grade encryption technology.

2. How do you manage the encryption keys?

In many cases the difficulty with encryption lies not in the encryption process itself but in the management of the encryption keys. Make sure the prospective vendor provides both physical and logical separation between the encryption keys and the encrypted data. Separate data centers would be optimal, so that there can be no single point of failure or compromise. You will also want to ensure the vendor has segmented access to their systems so in general employees only have access to one data center or the other, further protecting access to your data. In addition, ensure that the encrypted file data and the proper file version encryption key are brought together only on an as-needed basis, and in a way that can be audited.

It is important to ensure that an encrypted file cannot be decrypted by anyone. The absolute highest level of security is to own and manage the keys to ensure actual control. However, this is generally so burdensome, particularly in cases where users share and collaborate with one another, that there is a significant risk users will use simpler methods such as emailing files via their private accounts, defeating the purpose of the system. A compromise is to have the vendor manage the keys on your behalf. In this case, the vendor should be able to explain how they ensure the keys are properly managed and, optionally, provide you with the ability to control a key escrow so you can own the keys. The gold standard is a dual-responsibility model where two authorized employees must combine their authority before access can be granted, such as in the case of a two-datacenter security architecture.

3. What certifications for data protection have you attained?

Certifications are issued today for virtually every aspect of information handling, from the data center itself to information protection practices. Ideally, the vendor's data centers will have successfully completed a SOC 1 audit under SSAE-16 guidelines (formerly SAS70 Type II), as well as testing from independent auditors.
An SSAE-16 audit verifies that the cloud provider's data centers have met rigorous requirements around physical security, physical access, and internal controls. It also allows cloud providers to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. In addition, ask prospective cloud providers whether they are FISMA-certified (indicating a high level of commitment to data security), and whether they are certified for compliance with PCI DSS, ISO 27001, HIPAA, and FIPS.

Finally, while you may want your provider to ensure they can reliably store your data forever, you will also want to ensure that they properly handle the cases where data must be reliably destroyed. Compliance with Department of Defense M or NIST ensures your provider properly handles media sanitization, such as in cases where a server holding customer information is retired with the information on it permanently and irrecoverably destroyed to prevent third parties from accessing the information.

4. How much data replication is enough, and what level of data durability do you provide?

Users expect and require that data remain available and uncorrupted absolutely without fail. For years, data center managers have pursued five-nines availability (meaning %) as the Holy Grail for service-level availability. When it comes to data durability, however, there had better be a lot more than five nines (look for 10 or 11). Think of it this way: the standard RAID mirroring (data stored on two hard drives) provides about four nines of durability, meaning you have a one in 10,000 chance of data loss. Given that the average user has 10,000 files in storage, this means they will lose a single file every year. At 11 nines, this same user will lose a single file every 10 million years.

With this in mind, expect your cloud vendor to store all files at least in triplicate at each of several geographically dispersed data centers, and expect those copies to be synchronized automatically and instantaneously.
These measures ensure that even if a data center goes down, for any reason, or connectivity to a data center is lost, operation will still continue normally.

5. How much control do I retain over my data?

You should expect to retain end-to-end, lifecycle control over where, when and how your data flows and how it is physically stored. When data is created there should be a customer-controlled system for capturing the content (files, documents, or messages), policies for uploading the content, and centralized control over which users and which devices can access or make changes to the content. During the midlife of the content, controls are needed to capture the edits and changes made by various authorized users. And at the end of the lifecycle, controls are needed to ensure that the content is properly archived or wiped (destroyed).

Make sure your cloud provider can easily enforce the data retention policies you set, so that shared files and folders can be automatically and permanently deleted from user devices when required. Also, look for the ability to remotely wipe any user's account, including all of the computers and mobile devices they use, in the event a device is lost or stolen. You should also receive a detailed plan that defines the course of action in the event that data is in the wrong places, due to misconfiguration, maliciousness, or error. Make sure that your prospective vendor has the capability to provide the level of control you expect.

6. How do you ensure client (endpoint) security?

In the cloud model, data is transmitted between and among connected data centers and a diverse array of clients: mobile phones, desktops, laptops, tablets, etc. While the cloud service provider has no control over the security mechanisms put in place by the vendors of these devices, the cloud provider can ensure that no client ever opens a hole in your firewall with any externally accessible port, communicates with any non-authenticated source, or stores cached credential information in an unencrypted format. This will close three of the most common attack vectors. In addition, it is possible to protect user data on mobile devices by using AES-256 encryption for data during transmission and while stored on the mobile device, and to provide mobile apps that use app-specific PINs in addition to any phone password.

7. Can I leverage existing credentials and password policies and disable access immediately?

Often the weakest points of any system are user accounts with passwords that are easily guessed or an account that is accidentally left active when it should have been disabled. In fact, according to a recent article in Information Week, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account every second, or a mere 17 minutes to break into 1000 accounts. [3]

[3] Weak Passwords Pervasive, Despite Security Risks, by Thomas Clayburn, Information Week, January 22,

A common way to reduce the risk is to ensure any system that you adopt can leverage your users' existing accounts that may be in Active Directory or even Google Apps rather than create yet another username and password for users and IT to manage. This integration should work with pre-existing password policies and advanced configurations such as two-factor authentication. It is also important that when access to an account, folder, or file is disabled or removed, the action takes effect immediately rather than taking a day or more.

8. How do you isolate and safeguard my data from that of other clients?

In the past, IT departments segregated the files and data of various constituencies by putting them on separate physical servers. There were multiple problems with this approach, including server sprawl, underutilized resources, administrative complexity, excessive cost, and downtime or even data loss due to single points of failure.

Virtualization technology makes it possible to encapsulate multiple types of data, applications, and content within the same physical server and to distribute copies of those assets quickly and easily among multiple servers. The content itself is electronically isolated or partitioned from all other content on the servers. The result is a more secure and more flexible access model that lowers operating costs and simplifies desktop administration and management. So, when evaluating prospective vendors, be sure to get a detailed description of their use of virtualization and, if you're not conversant in the technology yourself, consider having it appraised by an expert.

9. How is activity in my account monitored and documented?

Your cloud provider should be able to provide an audit trail with full change tracking for changes occurring in an account, with previous versions retained, so that you know who is making changes and what those changes are.

10. Can you continue to provide protection as my workloads evolve?

The elasticity of the cloud is one of its key advantages, but make sure your prospective cloud provider can accommodate the volume of growth you anticipate, as well as unexpected spikes in demand for service, with the level of performance your users demand. Also, be sure you're not a guinea pig for an untested cloud architecture. Explain your needs to a prospective cloud provider and find out whether other customers with your same profile are currently deployed on the system. A cloud provider with real customers should be able to explain best practices for your needs and have references from other businesses. And don't assume that only a large, established cloud vendor will be able to meet your requirements; there are many small, up-and-coming providers that can deliver a higher level of service than the big players, with greater scalability, at a comparable price point.

Conclusion

The advent of the cloud opens up new possibilities and new security vulnerabilities for businesses. The object is to maximize the advantages and opportunities while minimizing the risks and the temptations of backdoor IT. This paper has presented a framework for considering the issues, along with specific questions for evaluating vendors. But there is one additional question that every business leader should contemplate before making the move to the cloud model, and it's an issue about which you, as a decision maker, must formulate your own opinion.

What is the best approach to protecting and securing data in today's connected era? Should your business attempt to protect via restriction, in other words prohibiting everything that could present an incremental security risk? Or should it protect by empowering users, finding new ways to secure the activities you know they will engage in? There is no right answer, but your opinion will shape your perception of the promise of the cloud and directly impact the results you expect and receive from a cloud service provider.

About the Author

Leonard Chung is co-founder and Chief Product Strategist of Syncplicity, a leading provider of cloud-based file management solutions. He has spent 12 years in the computer industry focused on finding better ways to manage, access, and secure data on a large scale.
Before co-founding Syncplicity, he spent four years at Microsoft working on innovative cloud architectures and data management solutions in the early days of cloud computing. Prior to Microsoft, he distinguished himself at IBM as one of only 70 technologists in North America selected for the company's prestigious Extreme Blue program. Leonard received a B.A. in Computer Science and a B.A. in Cognitive Science from the University of California, Berkeley.

About Syncplicity

Syncplicity is a next-generation cloud-based solution for secure file synchronization, mobility and collaboration that is revolutionizing the way people work. Syncplicity makes it easy for business users to store all their files in the cloud, sync them with all their computers, share them with co-workers, access them on mobile devices, and ensure they are always backed up. All with the security, IT administration, controls and policy management features businesses demand. Learn more at
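
Added example for question 2 (key management), not part of the original paper or of any vendor's product: each file-version key is split into two XOR shares held at two separately staffed sites, the shares are combined only on request, and every attempt is written to an audit log. The class names, operator names, file-version label and the XOR split are assumptions chosen for illustration; encrypting the file itself with AES-256 is left to a vetted cryptographic library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KEY_BYTES = 32  # 256-bit file-version key


def split_key(key):
    """Split a key into two XOR shares; one share alone reveals nothing about the key."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine(share_a, share_b):
    """Recombine two shares; only the correct pair yields the original key."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def check_value(key):
    """Short keyed digest used to detect a wrong or tampered reconstruction."""
    return hmac.new(key, b"key-check-v1", hashlib.sha256).digest()[:8]


@dataclass
class KeySite:
    """One of two separately administered sites; holds one share per file version."""
    name: str
    operators: frozenset
    shares: dict = field(default_factory=dict)

    def release(self, file_version, operator):
        if operator not in self.operators:
            raise PermissionError(f"{operator} has no access at {self.name}")
        return self.shares[file_version]


@dataclass
class DualControlKeyService:
    site_a: KeySite
    site_b: KeySite
    check_values: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        # Segmented access: no employee may hold rights at both sites.
        if self.site_a.operators & self.site_b.operators:
            raise ValueError("an operator may hold access at one site only")

    def enroll(self, file_version):
        """Create a key, store one share per site, keep only a check value here."""
        key = secrets.token_bytes(KEY_BYTES)
        share_a, share_b = split_key(key)
        self.site_a.shares[file_version] = share_a
        self.site_b.shares[file_version] = share_b
        self.check_values[file_version] = check_value(key)
        return key  # caller encrypts the file version, then discards the key

    def unwrap(self, file_version, operator_a, operator_b, reason):
        """Bring the shares together on request; denied attempts are logged too."""
        entry = {"file_version": file_version, "reason": reason,
                 "operators": (operator_a, operator_b), "granted": False}
        self.audit_log.append(entry)
        key = combine(self.site_a.release(file_version, operator_a),
                      self.site_b.release(file_version, operator_b))
        if not hmac.compare_digest(check_value(key), self.check_values[file_version]):
            raise ValueError("shares do not reconstruct the enrolled key")
        entry["granted"] = True
        return key


def demo():
    """Constructed scenario: one approved release, one single-operator attempt."""
    svc = DualControlKeyService(KeySite("key-site-1", frozenset({"alice"})),
                                KeySite("key-site-2", frozenset({"bob"})))
    key = svc.enroll("report.docx@v3")
    recovered = svc.unwrap("report.docx@v3", "alice", "bob", "customer download")
    try:
        svc.unwrap("report.docx@v3", "alice", "alice", "solo attempt")
    except PermissionError:
        pass  # refused at the second site, and recorded as not granted
    return key == recovered, [e["granted"] for e in svc.audit_log]


if __name__ == "__main__":
    print(demo())
```
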
Comprehensive Agentless Cloud Backup and Recovery Software for the Enterprise 2 Your company s single most valuable asset may be its data. Customer data, product data, financial data, employee data this
More informationAddressing Cloud Computing Security Considerations
Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft
More informationExecutive s Guide to Cloud Access Security Brokers
Executive s Guide to Cloud Access Security Brokers Contents Executive s Guide to Cloud Access Security Brokers Contributor: Amy Newman 2 2 Why You Need a Cloud Access Security Broker 5 You Can t Achieve
More informationThe Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency
logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011
More informationPROTECTING YOUR VOICE SYSTEM IN THE CLOUD
PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider
More informationPowered by. FSS Buyer s Guide Why a File Sync & Sharing Solution is Critical for Your Business
Powered by FSS Buyer s Guide Why a File Sync & Sharing Solution is Critical for Your Business Table of Contents Introduction to FSS... 2 Mobile Productivity... 3 Content Privacy and Security... 6 Team
More informationBMC s Security Strategy for ITSM in the SaaS Environment
BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...
More informationKeep Your Data Secure in the Cloud Using encryption to ensure your online data is protected from compromise
Protection as a Priority TM Keep Your Data Secure in the Cloud to ensure your online data is protected from compromise Abstract The headlines have been dominated lately with massive data breaches exposing
More informationBest Practices for Protecting Laptop Data
Laptop Backup, Recovery, and Data Security: Protecting the Modern Mobile Workforce Today s fast-growing highly mobile workforce is placing new demands on IT. As data growth increases, and that data increasingly
More informationSecurity Architecture Whitepaper
Security Architecture Whitepaper 2015 by Network2Share Pty Ltd. All rights reserved. 1 Table of Contents CloudFileSync Security 1 Introduction 1 Data Security 2 Local Encryption - Data on the local computer
More informationHIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1
HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
More informationThe CIO s Guide to HIPAA Compliant Text Messaging
The CIO s Guide to HIPAA Compliant Text Messaging Executive Summary The risks associated with sending Electronic Protected Health Information (ephi) via unencrypted text messaging are significant, especially
More informationData Storage That Looks at Business the Way You Do. Up. cloud
Data Storage That Looks at Business the Way You Do. Up. cloud Now integrating enterprise information and business processes is as simple as a click or a swipe. Konica Minolta s FileAssist solution provides
More informationThings You Need to Know About Cloud Backup
Things You Need to Know About Cloud Backup Over the last decade, cloud backup, recovery and restore (BURR) options have emerged as a secure, cost-effective and reliable method of safeguarding the increasing
More informationDell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations
Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations Inside ü Tips for deploying or expanding BYOD programs while remaining
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationSecureAge SecureDs Data Breach Prevention Solution
SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal
More informationSECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM
SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM Chandramohan Muniraman, Meledath Damodaran, Amanda Ryan University of Houston-Victoria Abstract As in any information management system security
More informationSRG Security Services Technology Report Cloud Computing and Drop Box April 2013
SRG Security Services Technology Report Cloud Computing and Drop Box April 2013 1 Cloud Computing In the Industry Introduction to Cloud Computing The term cloud computing is simply the use of computing
More informationnwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.
CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationTHE SECURITY OF HOSTED EXCHANGE FOR SMBs
THE SECURITY OF HOSTED EXCHANGE FOR SMBs In the interest of security and cost-efficiency, many businesses are turning to hosted Microsoft Exchange for the scalability, ease of use and accessibility available
More informationData Protection Act 1998. Bring your own device (BYOD)
Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...
More informationMove to the cloud without compromising security
WHITE PAPER Citrix ShareFile Sponsored by Move to the cloud without compromising security The cloud can save you a lot of money and time. Learn how ShareFile makes the cloud secure and easy to use. By
More informationBYOD File Sharing - Go Private Cloud to Mitigate Data Risks. Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks
BYOD File Sharing - Go Private Cloud to Mitigate Data Risks An Accellion Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks Executive Summary The consumerization of IT and the popularity
More informationHIPAA COMPLIANCE AND
INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery
More informationPassword Management Evaluation Guide for Businesses
Password Management Evaluation Guide for Businesses White Paper 2016 Executive Summary Passwords and the need for effective password management are at the heart of the rise in costly data breaches. Various
More informationWHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery
WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights
More informationWith Eversync s cloud data tiering, the customer can tier data protection as follows:
APPLICATION NOTE: CLOUD DATA TIERING Eversync has developed a hybrid model for cloud-based data protection in which all of the elements of data protection are tiered between an on-premise appliance (software
More informationEND-TO-END SECURE CLOUD SERVICES
END-TO-END SECURE CLOUD SERVICES A PERTINO WHITE PAPER Abstract Whether companies use the cloud as a conduit to connect remote locations and mobile users or use cloud-based applications, corporations have
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationSpecific observations and recommendations that were discussed with campus management are presented in detail below.
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationIBM Cognos TM1 on Cloud Solution scalability with rapid time to value
IBM Solution scalability with rapid time to value Cloud-based deployment for full performance management functionality Highlights Reduced IT overhead and increased utilization rates with less hardware.
More informationAgio Managed Backup FLEXIBILITY RELIABILITY TRANSPARENCY SECURITY. CONTACT SALES (877) 780 2446 agio.com
Agio Managed Backup Your data is the lifeblood of your business. Protecting it is priority #1. However rapid data growth, virtualization, and increasing cybersecurity threats have irrevocably changed the
More informationSecurity Controls for the Autodesk 360 Managed Services
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
More informationSecurity Document. Issued April 2014 Updated October 2014 Updated May 2015
Security Document Issued April 2014 Updated October 2014 Updated May 2015 Table of Contents Issued April 2014... 1 Updated October 2014... 1 Updated May 2015... 1 State-of-the-art Security for Legal Data...
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationHow to Choose the Best Cloud Backup Service for Salesforce
How to Choose the Best Cloud Backup Service for Salesforce Introduction This paper is a resource for IT-responsible professionals working in corporations that use Salesforce. Over the past several years,
More informationCYBER SECURITY: NAVIGATING THE THREAT LANDSCAPE
CYBER SECURITY: NAVIGATING THE THREAT LANDSCAPE WHITE PAPER www.cibecs.com 2 Table of ontents 01 02 03 04 05 EXECUTIVE SUMMARY: CYBER SECURITY MANAGING YOUR ATTACK SURFACE DATA VULNERABILITY 1 THE ENDPOINT
More informationData Storage that Looks at Business the Way You Do. Up. cloud
Data Storage that Looks at Business the Way You Do. Up. cloud Now integrating enterprise information and business processes is as simple as a click or a swipe. Konica Minolta s FileAssist solution provides
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationHow To Protect Your Mobile Devices From Security Threats
Back to the Future: Securing your Unwired Enterprise By Manoj Kumar Kunta, Global Practice Leader - Security Back to the Future: Securing your Unwired Enterprise The advent of smartphones and tablets has
More informationHosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com
Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationEnd-to-end Secure Cloud Services a Pertino whitepaper
a Pertino whitepaper Executive summary Whether companies use the cloud as a conduit to connect remote locations and mobile users or use cloud-based applications, corporations have found that they can reduce
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationEncryption Buyers Guide
Encryption Buyers Guide Today your organization faces the dual challenges of keeping data safe without affecting user productivity. Encryption is one of the most effective ways to protect information from
More informationDropbox for Business. Secure file sharing, collaboration and cloud storage. G-Cloud Service Description
Dropbox for Business Secure file sharing, collaboration and cloud storage G-Cloud Service Description Table of contents Introduction to Dropbox for Business 3 Security 7 Infrastructure 7 Getting Started
More informationSession 11 : (additional) Cloud Computing Advantages and Disadvantages
INFORMATION STRATEGY Session 11 : (additional) Cloud Computing Advantages and Disadvantages Tharaka Tennekoon B.Sc (Hons) Computing, MBA (PIM - USJ) POST GRADUATE DIPLOMA IN BUSINESS AND FINANCE 2014 Cloud
More informationEasiShare Whitepaper - Empowering Your Mobile Workforce
Accessing files on mobile devices and sharing them with external parties presents serious security risks for companies. However, most current solutions are either too cumbersome or not secure enough for
More informationSecurity Considerations
Concord Fax Security Considerations For over 15 years, Concord s enterprise fax solutions have helped many banks, healthcare professionals, pharmaceutical companies, and legal professionals securely deliver
More informationInjazat s Managed Services Portfolio
Injazat s Managed Services Portfolio Overview Premium Managed Services to Transform Your IT Environment Injazat s Premier Tier IV Data Center is built to offer the highest level of security and reliability.
More informationWhy Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it
The Cloud Threat Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it This white paper outlines the concerns that often prevent midsized enterprises from taking advantage of the Cloud.
More informationProtecting Your Data On The Network, Cloud And Virtual Servers
Protecting Your Data On The Network, Cloud And Virtual Servers How SafeGuard Encryption can secure your files everywhere The workplace is never static. Developments include the widespread use of public
More informationOpen Data Center Alliance Usage: Provider Assurance Rev. 1.1
sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS
More informationAnalyzing HTTP/HTTPS Traffic Logs
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
More informationExtending Compliance to the Mobile Workforce. www.maas360.com
Extending Compliance to the Mobile Workforce www.maas360.com 1 Copyright 2014 Fiberlink Communications Corporation. All rights reserved. This document contains proprietary and confidential information
More informationTABLE OF CONTENTS. pg. 02 pg. 02 pg. 02 pg. 03 pg. 03 pg. 04 pg. 04 pg. 05 pg. 06-09 pg. 10. Feature-Benefit Summary How It Works. 1 www.keepitsafe.
TABLE OF CONTENTS Secure Cloud Backup and Recovery Key Features Fast Backup & Restore 24/7 Corruption Detection Data Security Bandwidth Optimization Exchange Backups Long Term Archiving Feature-Benefit
More informationefolder White Paper: How to Choose the Best Cloud Backup Service for Google Apps
efolder White Paper: How to Choose the Best Cloud Backup Service for Google Apps January 2015 Introduction This paper is a resource for IT-responsible professionals working in corporations that use Google
More informationESS, LLC Cloud Sync White Paper: 8 Ways to Boost Employee Productivity and Morale with Business-Grade File Sync
ESS, LLC Cloud Sync White Paper: 8 Ways to Boost Employee Productivity and Morale with Business-Grade File Sync July 2015 Copyright 2015 Eagle Secure Solutions, LLC Introduction The rapid adoption of consumer-grade
More informationWHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery
WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed
More informationAlliance AES Key Management
Alliance AES Key Management Solution Brief www.patownsend.com Patrick Townsend Security Solutions Criteria for selecting a key management solution for the System i Key Management is as important to your
More informationHIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
More informationOnline Backup Solution Features
CCC Technologies, Inc. 700 Nicholas Blvd., Suite 300 Elk Grove Village, IL 60007 877.282.9227 www.ccctechnologies.com Online Backup Solution Features Introduction Computers are the default storage medium
More informationComparing Alternatives for Business-Grade File Sharing. intermedia.net 1.800.379.7729. sales@intermedia.net CALL US EMAIL US ON THE WEB
for -Grade CALL US EMAIL US ON THE WEB 1.800.379.7729 sales@intermedia.net intermedia.net for -Grade Goal of this report This report compares and contrasts various alternatives for file sharing in a business
More informationEnterprise effectiveness of digital certificates: Are they ready for prime-time?
Enterprise effectiveness of digital certificates: Are they ready for prime-time? by Jim Peterson As published in (IN)SECURE Magazine issue 22 (September 2009). www.insecuremag.com www.insecuremag.com 1
More informationHow To Protect Your Data From Being Hacked
Data Security and the Cloud TABLE OF CONTENTS DATA SECURITY AND THE CLOUD EXECUTIVE SUMMARY PAGE 3 CHAPTER 1 CHAPTER 2 CHAPTER 3 CHAPTER 4 CHAPTER 5 PAGE 4 PAGE 5 PAGE 6 PAGE 8 PAGE 9 DATA SECURITY: HOW
More informationDoing Business Faster with Secure File Sharing. A File Sharing Solution Buyer s Guide for Corporate IT
Doing Business Faster with Secure File Sharing A File Sharing Solution Buyer s Guide for Corporate IT Introduction When it comes to file sharing, IT managers all have their nightmares about something going
More informationWHITE PAPER NEXSAN TRANSPORTER PRODUCT SECURITY AN IN-DEPTH REVIEW
NEXSAN TRANSPORTER PRODUCT SECURITY AN IN-DEPTH REVIEW INTRODUCTION As businesses adopt new technologies that touch or leverage critical company data, maintaining the highest level of security is their
More informationFor more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.
For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.com 844-644-4600 This publication describes the implications of HIPAA (the Health
More informationeztechdirect Backup Service Features
eztechdirect Backup Service Features Introduction Portable media is quickly becoming an outdated and expensive method for safeguarding important data, so it is essential to secure critical business assets
More informationRequirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
Whitepaper: Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider WHITEPAPER Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider Requirements Checklist
More informationFamly ApS: Overview of Security Processes
Famly ApS: Overview of Security Processes October 2015 Please consult http://famly.co for the latest version of this paper Page 1 of 10 Table of Contents 1. INTRODUCTION TO SECURITY AT FAMLY... 3 2. PHYSICAL
More informationBYOD File Sharing Go Private Cloud to Mitigate Data Risks
AN ACCELLION WHITE PAPER BYOD File Sharing Go Private Cloud to Mitigate Data Risks Accellion, Inc. Tel +1 650 485-4300 1804 Embarcadero Road Fax +1 650 485-4308 Suite 200 www.accellion.com Palo Alto, CA
More informationDaymark DPS Enterprise - Agentless Cloud Backup and Recovery Software
Daymark DPS Enterprise - Agentless Cloud Backup and Recovery Software Your company s single most valuable asset may be its data. Customer data, product data, financial data, employee data this is the lifeblood
More informationSecuring the Cloud Infrastructure
EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy
More informationWhen enterprise mobility strategies are discussed, security is usually one of the first topics
Acronis 2002-2014 Introduction When enterprise mobility strategies are discussed, security is usually one of the first topics on the table. So it should come as no surprise that Acronis Access Advanced
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:
More informationwww.pwchk.com Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready?
www.pwchk.com Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready? Why is this important to you? Background Enterprise mobility through Bring-Your-Own-Device (BYOD) has been around for
More informationMIGRATIONWIZ SECURITY OVERVIEW
MIGRATIONWIZ SECURITY OVERVIEW Table of Contents Introduction... 2 Shared Security Approach... 2 Customer Best Practices... 2 Application Security... 4 Database Level Security... 4 Network Security...
More information