Continuous monitoring is enough for compliance, but ISN’T enough for securing data

Every 4,000 miles or so I bring my car in to have the oil changed, the brakes checked and the tires rotated. Why? Because I know that if I leave it to chance, at some point down the road something much more devastating will affect the car. Many of us follow this simple preventive best practice. Then why is it that major corporations and modest enterprises alike wait until their security is breached to address growing concerns of data theft, private information leakage or worse? Many of these companies

How do you eat a network security elephant?

One byte at a time. Now before you roll your eyes at my stupid pun, consider the deeper wisdom in this IT twist on a very old adage. Security is big. It encompasses a great many definitions, confronts a great many issues and is addressed through a great many solutions using a great many formats. For many organizations, it can be an overwhelming proposition. Beyond the issues of data defense, regulatory compliance, traffic management, identity regulation, archiving, reporting, access control, intrusion detection, encryption, app administration,

Mapping Compliance Requirements to an Integrated Cloud Security Platform

Much has been written about compliance. Best practices. New regulations. Technology cure-alls. Nevertheless, regulatory compliance remains a critical and strategic business need for most companies. If you process payments online; if you store sensitive customer data; if you transmit financial or health information; you are bound by the mandates of an alphabet soup of state, federal and industry regulatory agencies. Compliance is a reality of everyday business life, but it often becomes a burdensome cost center. Over the past several months I have had the

Maneuvering through the IT Threatscape: A video blog

I was fortunate to receive an invitation to speak at the recent 2013 Credit Union InfoSec Conference in Las Vegas. One of the key drivers for many of the attendees is the burden of compliance and finding ways to remove nagging blind spots created by technology islands, each meant to analyze and monitor a different aspect of keeping applications secure, data and account information private, and device inventories and identities properly managed. In my hour-long chat, I looked to frame the issues in terms of

Identity-As-A-Service (IDaaS) is more important than ever

Conspiracy theorists and other concerned citizens will insist the government is watching every keystroke, keeping a record of every website, transaction, text and email. Shades of 1984's Big Brother, right? These last few weeks, the news has been brimming with revelations of data surveillance and monitoring by the government (not to mention data-harvesting corporations like Google, Yahoo, Facebook, etc.). Everyone, including the security buffs at CloudAccess, is sensitive to what is being looked at, stored, and analyzed for hazily defined purposes. Privacy is

The Do’s and Don’ts of Password Management

I've written quite a few words for CloudAccess on the importance of password management and cloud security, but I think this list I found through my friends over at iRise Security really hits the nail on the head. DON'T: Reuse and recycle passwords (if you do, a hacker who gets just one of your accounts will own them all). Use a dictionary word as your password (if you must, then string several together into a pass phrase). Use names of loved ones, dogs, birthdays, birthdays of loved ones

7 Causes of Security Paralysis & Cloud-based Cures

Over and over again the team at CloudAccess is pummeled with statistics on how risk is growing in disproportion to security readiness. 91% of companies have experienced at least one IT security event from an external source. 90% of all cyber crime costs are those caused by web attacks, malicious code and malicious insiders. 40% reporting rogue cloud issues (shadow IT) experienced the exposure of confidential information as a result. 34% share passwords with their co-workers for applications like FedEx, Twitter, Staples, LinkedIn. These are

Integrated provisioning and access: He said it was too good to be true

It's no covert fact that my secret identity is that of a mild-mannered cloud security executive. As such, I don't try to directly promote or discuss any specific solutions my firm offers. However, I was showing a recent upgrade of an access and identity management integration to the CIO of a large medical management company, and he offered up the best compliment I could hope for: "This is too good to be true." What he was alluding to was the successful demonstration of a

Erasing the Identity Blind Spot

Security is not an all-or-nothing proposition. And that's part of the problem. It creates blind spots: gaps in coverage that become vulnerabilities. This is partly because of the inherent complacency that sets in after a company institutes a new security initiative: the belief that hackers will now be held at bay, or that employees won't be tempted to make off with a database, or any of a hundred other internal or external threats. I have long promoted that security is as much about planning and process as it is about the various solutions that are deployed to

Brass tacks: answering the cloud security questions that matter

Enterprise security can be a labyrinthine, complex beast with many moving parts and dozens upon dozens of requirements, needs, implications, options and alternatives. But when we get down to the nitty gritty (the brass tacks, if you will), cloud security can be simplified to six simple questions: WHO is logging in? WHAT are they accessing/viewing? WHERE is the device from which that person logs in? WHEN was any asset changed/modified/moved? HOW are they authorized/credentialed? WHAT is the impact of the event? Now determining the answers to