How to Make Sure Your Data is Safe and Secure in the Cloud

This post is an excerpt from our Digital Growth Summit event in Los Angeles.
Here are the digital marketing experts who contributed to this blog:

Dave Mathews Security and Privacy in the Cloud

Dave Mathews
CEO & Founder
NewAer, Inc

Peter Lopez Security and Privacy in the Cloud

Peter Lopez
Hybrid Cloud Architect
Technicolor

Ariston Collander Security and Privacy in the Cloud

Ariston Collander
Analyst
AT&T

Kevin Haley Security and Privacy in the Cloud

Kevin Haley
Director
Symantec

How to Make Sure Your Data is Safe and Secure in the Cloud

How do you reap the benefits the cloud offers without compromising security? Our experts share some of their solutions

Here are some key takeaways from the Security and Privacy in the Cloud panel:

  • Have a system in place to keep your data safe
  • Create your own encryption standard outside of what the company gives you. Implement two-factor authentication to protect from phishing. Never have just one key that unlocks all of your data.

  • Understand the difference between private and public clouds
  • In a public cloud your data is stored on the provider’s server and you pay a metered subscription fee. Private clouds reside on a hosted data center and typically offer more robust security features.

  • Know the risks of using a “bring your own device” policy in your company
  • Having a “bring your own device” policy means you are bringing anything and everything that device has connected to previously into your business. So you have to determine if devices are hostile or not.

How would you define the cloud? Cloud is a term like IoT that gets thrown out often, but what does it mean?

When you take your data off of your server and put it onto somebody else’s server, that is the cloud. —Kevin Haley

There is the technical definition of cloud: broad network access, ubiquitous, etc. In essence it is typically third-party owned if it is going to be considered a public cloud such as Amazon and AT&T. With broad-network access, anyone can access it typically, and by “ubiquitous” I mean it is easy to use and metered with a subscription fee, something that would be considered an operational expense. The goal is placing data or a business process or service out on the Internet where you can scale and increase or decrease your usage as necessary. —Ariston Collander

When you take your data off of your server and put it onto somebody else’s server, that is the cloud. —Kevin Haley

What about API (application programming interfaces)? Talk about API and tapping into these clouds, and what you need to know about best practices.

Most of the conversation occurs around public cloud, but private cloud is also critical. —Peter Lopez

The cloud is very vast, so I will throw a couple of things out to frame the conversation. First, I would throw out that you can look at the National Institute of Science and Technology where they have a very good diagram that gives you the various components of cloud technologies. I do agree that most of the conversation occurs around public cloud, but private cloud is also critical. Now we go to APIs. In the late 80s, APIs became a way for people to really share information and leverage an entryway into a vast network of applications that can all work together. Previously, there was not a standardized format for apps to communicate with one another, but over the last 20 or 30 years we have gotten to the point where machines are talking to machines and actually making decisions without human interaction at all. That is where we get to business intelligence and automation among other things. —Peter Lopez

What does it mean when content is locked on your laptop, but the key to the locked content is stored in the cloud?

Creating an encryption standard outside of what the companies give you is a necessary best practice. —Dave Mathews

One of the challenges that you are going to face is getting access to your data. When it is encrypted, if you lose that key, that data is gone. There is no way to get that information back. So what is the secondary method for me to back up that key so that I can retrieve that information if I can’t get access to the device? The problem is that as soon as you start storing keys in the cloud in a system over which you have no control, you are placing trust in that cloud storage or wherever that key is going and whoever has access to that key. At the company level, it comes down to trusting these third parties and having a program in place where you are validating that wherever this key is going is trustworthy. You have to trust they have the right security mechanisms in place to keep that information safe. —Ariston Collander

Fundamentally, everybody needs to start looking at compartmentalized exposure. You need to start to classify your devices and your data, separating the passwords and keys so that there is not just one key that unlocks everything. —Peter Lopez

The weakest link in a chain isn’t necessarily the device in your hand. It could be the network that those run across as well. Creating an encryption standard that is outside of what the companies give you is a necessary best practice. —Dave Mathews

What are some of the best practices and ideas of companies or products that everyone here can take away from this and put to use?

Understand who in your company is doing what in terms of sending data out to third parties. —Ariston Collander

The obvious one is two-factor authentication. The cloud can have all of the security in the world, but if the end user’s login and password are phished, then the attacker has access to all of their information. Two-factor authentication involves having two things to allow for a login such as the password and a pin.—Kevin Haley

At the enterprise level, understand who in your company is doing what in terms of sending data out to third parties. You may not want someone in the finance department finding a business out there who could provide business analytics and suddenly they are sending a whole bunch of financial information out. DLP—data loss prevention software—can be run locally or on the server and tries to do some matching to look for credit card information, etc. and keep it from being sent out. A cloud access security broker is another option where a stream of data is sent to a security service, which is typically cloud-based, and they look at your traffic and monitor it to figure out what information is being transferred. —Ariston Collander

Multifactor authentication is becoming the new standard and includes three or more factor authentication to get into any account. —Peter Lopez

Forty-six percent of all targeted attacks are directed at companies with fewer than 250 employees. Two lessons to take away from that:

  1. You can go into the smaller company to get to the bigger company
  2. Small companies have information that is worth stealing

Kevin Haley

What will security look like in three years?

At work, we are all exposed to “Bring your own device.” It sounds great for companies. They don’t have to buy you a laptop or buy you a phone, because you are going to bring your device. Well, by bringing your device you just brought anything and everything that you connected to previously into your business. You then have to think about, is this device hostile or not? —Peter Lopez

The next thing will be agents. There is a lot of bot talk these days, and then there are the voice interface platforms such as Amazon Echo or Siri. Voice interface is going to be interesting because of the amount of processing power it takes to understand my voice and its subtle nuances compared to yours. It is nearly impossible to do in a device right now. —Dave Mathews

The only thing that you can trust is physical separation. —Peter Lopez

Join our next free reputation management webinar to learn how to help your brand shine online.

  • This field is for validation purposes and should be left unchanged.

Join our next reputation management webinar to improve your brand’s online results:
Reputation Management Webinar

Comments are closed.

Send this to friend