Last month Gartner Analyst Jay Heiser conducted an extremely informative and
thought-provoking webinar entitled "The Current and Future State of Cloud
Security, Risk and Privacy." During the presentation, Mr. Heiser
highlighted what he called the "Public Cloud Risk Gap," characterized
in part by inadequate processes and technologies by the cloud service providers
and in part by a lack of diligence and planning by enterprises using public
cloud applications. In many ways, it was a call to arms to ensure that adequate
controls, thought and preparation are put to use before public clouds are
adopted by enterprises and public sector organizations.

From the side of the cloud application provider, the webinar noted that most cloud
service offerings are incomplete when measured against traditional
"on-premise" security standards, there are relatively few
security-related Service Level Agreements (SLAs), and there is minimal
transparency on the security posture of most cloud services. From the
enterprise side (the cloud service consumer), he points out that they
frequently come to the table with inadequate planning and consideration in the
area of security requirements definition and have an incomplete data
sensitivity classification governing their data assets. Despite this, the
webinar highlighted that organizations of all sizes are increasingly willing to
place their data externally, and they are increasingly likely to have at least
some formalized processes for the assessment of the associated risk - which is
good news.

One innovative part of this new category of solutions is referred to by Gartner as
"Cloud Encryption Gateways." These gateways put sensitive data control
back into the hands of the enterprise in scenarios where they are using public
cloud services. When designed and deployed correctly, they are able to preserve
the end user's experience with the cloud application (think of things like
"Search" and "Reporting") even while securing the data
being processed and stored in the cloud. These Gateways intercept sensitive
data while it is still on-premise and replace it with a random tokenized or
strongly encrypted value, rendering it meaningless should anyone hack the data
while it is in transit, processed or stored in the cloud. If encryption is
used, the enterprise controls the key. If tokenization is used, the enterprise
controls the token vault. But not all gateways are created equal, so please
refer to this recent paper in our Knowledge Center to make sure you ask the
right questions when determining which gateway is the right fit for your
specific Security, IT and End User needs.
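
The tokenization flow described above, as an added sketch that is not from the webinar or from any vendor's gateway. All names (`TokenVault`, `FakeCloudApp`, `gateway_search`, the field list) are hypothetical, the record values are constructed, and only exact-match search is preserved.

```python
import secrets

SENSITIVE_FIELDS = {"name", "ssn"}  # assumed output of data classification

class TokenVault:
    """Stays on-premise: the only place the token-to-value mapping exists."""

    def __init__(self):
        self._by_value, self._by_token = {}, {}

    def tokenize(self, field, value):
        # The same (field, value) always maps to the same random token, so
        # the cloud application can still run exact-match search on tokens.
        key = (field, value)
        if key not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def lookup(self, field, value):
        return self._by_value.get((field, value))  # None if never tokenized

    def detokenize(self, token):
        return self._by_token.get(token, token)

class FakeCloudApp:
    """Stand-in for the public cloud service; it only ever sees tokens."""

    def __init__(self):
        self.rows = []

    def search(self, field, value):
        return [r for r in self.rows if r.get(field) == value]

def outbound(vault, record):
    """Gateway, request path: swap sensitive fields for tokens."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def inbound(vault, record):
    """Gateway, response path: restore clear values for the end user."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def gateway_search(vault, cloud, field, value):
    needle = vault.lookup(field, value) if field in SENSITIVE_FIELDS else value
    if needle is None:  # value was never stored, so nothing can match
        return []
    return [inbound(vault, r) for r in cloud.search(field, needle)]
```

Because the tokens are random, a copy of the cloud-side rows is useless without the vault, which is why the vault's own access control and backup become the critical on-premise assets.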

For further information visit: http://cloudcomputing.sys-con.com/node/2464514/print