Bob West is the Chief Trust Officer at CipherCloud. Bob is a longtime security expert: he has held CISO positions at both Fifth Third Bank and Bank One, led the security practice at Ernst & Young, and served as Senior Systems Officer at Citicorp. As Chief Trust Officer, Bob evangelizes the importance of cloud data protection in the cloud through our transformative Discover, Protect, and Monitor platform.. He also contributes his thoughts on enterprise data security and the security industry at large to our blog in our regular Q&As.
Today, we discuss the first steps enterprises must take to protect their data.
What are the key problems organizations must address to improve their cloud security postures?
Bob West: For the average enterprise, taking care of the basic blocking and tackling is something that’s not being done right now. For example, there is a Fortune 100 company I’m very familiar with who has a flat network and has made very poor decisions in terms of what traffic to let into their network and what traffic to restrict. If you have a flat network and you’re letting all sorts of traffic through, it’s easy for malware to go almost anywhere. They’re not the only ones like that in the Fortune 100, regrettably. And once you get further down than the Fortune 100, companies have fewer resources to deal with the problem, and the dicier it gets. For a real substantial percentage of companies, taking care of basics is number one.
What are the cloud security measures that are worth the investment, and which ones are less critical?
Bob West: From my perspective, encryption is one of the first things to do—encrypting and keeping the keys separate. Because if someone steals the information, whether it’s in the cloud or otherwise, and you have the keys separate, it doesn’t matter. It’s kind of like when you leave your home in the morning. You lock the door and take your key. In the same way, if you encrypt the information but the keys are nearby, you’re not really creating a safe environment.
There are a lot of organizations that have a big investment in antimalware solutions. Symantec, McAfee, Kaspersky—the traditional anti-malware. I would say the utility is limited, and I say that because if it were really fulfilling its purpose, then we wouldn’t continue to have such significant issues with malware.
The security industry tends to be reactive in general. It’s very poor at doing preventative things. Think of Smokey the Bear. You can prevent forest fires. It’s a lot easier to control the forest fire when you can prevent it from happening in the first place. That’s one of the reasons I really like what we do at CipherCloud. We enable companies to fundamentally take a look at their information and protect it, preventing it from being stolen.
What can an organization do right now to improve their cloud security with whatever infrastructure they already have?
Bob West: Technology and security organizations in general are guilty of not having a good dialogue with the executive team, and as a consequence, without that open dialogue, it’s hard to be aligned with where the corporation’s going. Technology leaders need to understand the vocabulary of the CEO, the CFO, the general counsel, because if they’re not communicating their needs appropriately, they won’t get them addressed and will be relegated to the geeks in the corner and will complain they have no visibility with the executive team. Establishing a dialogue at the senior most level enables you to make decisions on what to put into place given where the business is heading.
Let’s say, for argument’s sake, the enterprise is going to the cloud. What are the business drivers? What business benefits am I getting out of it? What’s the technology I need to put in place? What are the risks associated with that, and how do I prevent them? This dialogue could be done early and often, and it doesn’t cost a lot of money, if anything. A good second step after that is learning where your information actually sits. Then you can develop a good plan around how to protect it.
There are a lot of people that communicate to their executive team that they can prevent a breach from happening. That’s not realistic. The question becomes, “Can I create a good framework that minimizes the risk to the organization?”