Tag Archives: Cloud Security

Spiceworks survey shows one-in-four organisations “not confident” over security of cloud-stored data

Spiceworks has published the results of a new survey examining the adoption and perceptions of cloud storage and file sharing services in businesses across Europe and North America. The results show that Microsoft OneDrive is the most commonly used service, followed by Google Drive and Dropbox (among others). The findings indicate that, although the adoption of cloud storage services has grown rapidly, a quarter of business technology buyers are still concerned about hosting company data in the cloud and are therefore prioritising security when evaluating solution providers.

According to a similar Spiceworks report issued back in March 2016, 53% of organisations were using cloud storage and file sharing services. Among those organisations, 33% were using Dropbox, 31% were using Microsoft OneDrive and 27% were using Google Drive. However, the 2016 report revealed that OneDrive had the highest planned adoption rates.

Today, 80% of organisations are using cloud storage services, while an additional 16% plan to deploy a solution within the next two years. Currently, 51% of organisations are using Microsoft OneDrive, 34% are using Google Drive and 34% are using Dropbox. Additionally, 13% of businesses are currently using Apple iCloud, 6% are using Box, 6% are using Citrix ShareFile and 3% are using Amazon Drive.

When examining adoption rates by company size, the results show that OneDrive has the highest usage in enterprises – defined as businesses with more than 1,000 employees – with an adoption rate of 59%, compared to Google Drive at 29% and Dropbox at 25%.


Although OneDrive also claims the top spot in SMEs, the gap in adoption rates among the top players is much smaller. For example, among mid-size businesses with 100 to 999 employees, 54% are using OneDrive, 35% are using Dropbox and 33% are using Google Drive. In small businesses with one to 99 employees, 47% are using OneDrive compared to 39% using Google Drive and 34% using Dropbox.

Security: the most important factor for service selection

Among business technology buyers involved in the purchase decisions for cloud storage services at their organisation, security was considered the most important factor when evaluating providers. In fact, 97% said that security is an important to extremely important factor, followed by reliability (96%), cost (93%), ease of use (93%) and vendor reputation (89%). Conversely, technology buyers believe factors such as document collaboration (67%) and app/tool integrations (59%) still matter, but are less important.

When asked to select up to five attributes that they most associate with the top providers, 39% of business technology buyers primarily associate OneDrive with being secure, compared to Google Drive at 28% and Dropbox at 19%. Google Drive ranks the highest in terms of reliability and cost-effectiveness, while Dropbox ranks the highest when it comes to ease of use. Additionally, Microsoft OneDrive was recognised as a trusted vendor and for being integrated with existing apps/tools.

Security of data stored in the cloud

Despite the pervasiveness of cloud storage and file sharing services, some organisations are not confident in the security of their data stored within those services. In fact, 25% of technology buyers believe their data in the cloud is ‘not at all’ to ‘somewhat’ secure. This is perhaps because 16% of organisations have experienced one or more security incidents – such as unauthorised access, stolen credentials or data theft – via their cloud storage service in the last 12 months.

Therefore, organisations are taking extra steps to enhance their data security when using cloud storage and file sharing services. 57% of organisations only allow employees to use cloud storage providers approved by their IT Department, 55% enforce user access controls and 48% train employees on how to use cloud storage services properly.

However, other security measures are less common, such as enforcing multi-factor authentication when using these services (28%), putting a cloud storage/file-sharing security policy in place (28%) and encrypting data in transit (26%) and at rest (22%) via their cloud storage service.

“It’s evident organisations are putting more trust into cloud storage services, but some are still hesitant despite the recent growth in adoption,” explained Peter Tsai, senior technology analyst at Spiceworks. “Although cloud storage services often include features that help in securing sensitive corporate information, there will always be risks involved when entrusting data to a third party.”

The Spiceworks survey was conducted in April and included the views of 544 respondents. Respondents are among the millions of business technology professionals in Spiceworks and represent a variety of company sizes, including SMEs and enterprises. Respondents come from a variety of industries, including manufacturing, healthcare, non-profits, education, Government and finance.

*For more information and a complete list of survey results visit https://community.spiceworks.com/blog/3058-cloud-storage-services-who-claims-the-top-spot-among-microsoft-google-dropbox


Filed under Risk Xtra, Uncategorized

NSI Installer Summit seminars focus on business solutions advice

The National Security Inspectorate’s (NSI) second Installer Summit was held in Manchester on Thursday 20 November and proved to be a major success, with over 100 delegates and 35 exhibitors in attendance. Brian Sims reports.

The NSI Installer Summit took place at the Worsley Park Marriott Hotel and showcased contributions from a wide array of top security brands, industry experts and business solutions providers, in turn offering delegates a perfect platform from which to learn about the latest innovations within the industry – including new products and solutions, equipment and tools – and, of course, the latest news from the NSI.

The Installer Summit’s programme of bite-sized seminar sessions delivered by industry experts included a focus on the importance of integrity and performance through the buying chain (presented by Simon Banks of CSL DualCom), the value apprenticeships can bring to a business (described by Kings Security’s Anthony King), Google marketing (courtesy of Clinton Porter from NVisage), employment law tips and advice (discussed by Citation’s Louise Lockett), funding for capital growth (Rob Donaldson of Baker Tilly) and the myths of cloud security (Steve Riley of RISCO Group).

In addition, there was a timely update from ACPO on the reduction of false alarms due to improving technology.

The next NSI Installer Summit takes place in Birmingham next March


Speaking about the first NSI Installer Summit to take place in the North West, the NSI’s CEO Richard Jenkins commented: “Following the success of the first NSI Installer Summit in Birmingham last March, we listened to our installers and brought the event to Manchester. The NSI Installer Summit is a truly unique event for our approved companies, providing them with the opportunity to network, see at first hand the latest products from the leading manufacturers, hear from NSI technical experts about developments in standards and be given solutions advice from a number of business-related specialists.”

Jenkins continued: “We believe the Installer Summit adds real value to ‘The NSI Community’, ensuring that NSI approved installers are well informed about developments that impact their industry and their businesses. Given the exceptionally positive feedback we’ve received from both events, we’re delighted to announce that our next Installer Summit will take place in Birmingham on Tuesday 10 March 2015.”

*View a selection of photos from the day via the NSI’s Pinterest site at: http://www.pinterest.com/nsi1/nsi-installer-summit-manchester/

**Download the presentations: http://www.nsi.org.uk/information-centre/nsi-events/nsi-installer-summit-manchester-2014/nsi-installer-summit-manchester-programme/

***If you’re interested in sponsoring or exhibiting at the next NSI Installer Summit (which takes place at the National Motorcycle Museum in Birmingham on 10 March 2015), please contact the NSI via e-mail at: exhibit@nsi.org.uk or telephone 01628 764843. Delegate registration for this event will be launched in the New Year.


Filed under Risk UK News

Security Management via the Cloud: ‘Organisations must embrace the risks as well as the opportunities’

Organisations embracing cloud-based security management systems will see major benefits from doing so but must adapt quickly to ensure they don’t open themselves up to evolving risks. This was the clear message emanating from the Association of Security Consultants’ (ASC) winter Business Group meeting held on 18 November at the London Chamber of Commerce and Industry.

Inderpall Sall, technical director at NG Bailey IT Services, highlighted the rapid progress towards the next phase of cloud evolution when everything will be connected to the Internet. This would maximise the intelligence available, facilitate the convergence of building, ICT and business systems within organisations and routinely mean that powerful analytics were available.

Examples given included access control data triggering whether lights were switched on or off at a particular workstation, an entry card being disabled and desk and parking space released when someone is on holiday and an American company using data from cameras to analyse behaviour on train stations with a view to preventing suicides.

Clients are now demanding cloud-based mobile technology – “You have to put a network in otherwise someone else will do it”. There’s now a move away from organisations requiring every system to have its own separate infrastructure and applications. Indeed, Sall cited the examples of a client that had opted to have just one cabling infrastructure to manage and monitor everything and of a requirement to provide a very simple, single application with security, fire and building management sections available from one screen.

Inderpall Sall: technical director at NG Bailey IT Services


Consideration of risk alongside opportunity

However, there’s a need to consider the risks alongside the opportunities. If all information is on the network, the implications of being hacked would be much more serious. Effectively, it would be possible for someone to gain control of a whole building.

To offset these risks, it’s important to have substantial physical and IT security in place, give very careful consideration to enterprise security architecture and ensure that all functions involved with security provision are co-ordinating their activities effectively.

The intelligent buildings theme was continued with a presentation on security reporting from Brian and Steve Larkins of Verifi FMS. Despite all the technology developments of recent years, security officers have remained largely dependent on paper records. This could make organising and retrieving information (particularly where this is related to events that had occurred some time ago) challenging to say the least. This session demonstrated VeriFi EIDOS, a new cloud-based alternative which requires only a standard browser.

The ASC event also included a presentation by Broadgate Estates’ security and business continuity manager Jonathan Schulten on the scale and nature of dealing with such a large property portfolio, the dynamics of the relationships between landlord, occupiers and property managers and some typical challenges such as public realm management (for example during World Cup coverage in Exchange Square).

The next ASC Business Group meetings will take place on 3 March and 14 May 2015


Speaking after the event, ASC chairman Allan Hildage commented: “We’ve seen today how cloud technology can help to provide a consistent and quality service and ensure different parts of an organisation work together more effectively to meet overall business objectives. However, we’re also constantly reminded that the speed of technological development is challenging everyone. The impact on systems’ integrity and the ability of the regulatory framework to keep pace are just two of the issues raised in questions from the floor.”

Hildage concluded: “From a security and resilience perspective, it’s vital that we grasp the full implications and act on them if we are to maximise the benefits while minimising the risks.”

*The next ASC Business Group meetings will take place on 3 March and 14 May 2015

**For further information about the ASC visit: http://www.securityconsultants.org.uk


Filed under Risk UK News

‘Vortex in my Cortex!’… James Wickes on ‘Security and the Cloud’

The security sector is only just waking up to the idea that many features offered by the cloud extend the capabilities of existing security solutions into new and lucrative markets. So what’s on offer? James Wickes has all the answers.

It’s nigh on two months since the last IFSEC International attendee left the airy corridors of the ExCeL Exhibition and Conference Centre. Show organiser UBM has hailed the event a massive success by every measurement and the security world is now retiring on the beach for its summer holidays.

During the show I was fortunate enough to be given the opportunity to air a short presentation to IFSEC International’s visitors on the condition that I limited my spiel to the general benefits of cloud technology and didn’t recite a Cloudview propaganda speech. Asking a salesman not to sell? That was the first challenge to be confronted.

The second challenge was somewhat unexpected. When I arrived at the hallowed halls early on the appointed day, I broke into a cold sweat. Every ‘What if?’ scenario I could dream up entered my head, and everything I had meticulously planned to orate for my compliant and grateful audience disappeared into the dark and inaccessible vortex in my cortex that no amount of rolled-up newspaper punching or controlled yoga-style breathing was going to unlock.

Once on the podium, some of my ‘What ifs’ sprang to life. There was the inevitable bloke having a chat on his mobile phone, the microphone didn’t work all of the time and, of course, there was the guy that just wanted to give me a good verbal bashing as I was wrong and he was right.

Too much to try and say

Anyway, I crashed through my PowerPoint deck like someone running across a collapsing bridge, repeating word for word what was on each slide, rendering the whole reason for actually being there in person somewhat pointless. In my 30 years in the IT Industry I’ve had plenty of experience of giving presentations on all sorts of subjects to all sorts of audiences all over the world – so why did I freak out at IFSEC International 2014?

James Wickes: director of Cloudview


Put simply, there was just too much to try and say. The PC, Internet and smartphones have enabled mainframe computing resources to be made available to all and sundry and its latest costume is known as ‘the cloud’. Yes, it’s powerful. Yes, it’s accessible. Yes, it’s scalable… but it’s certainly not new.

Far from disrupting the security and CCTV world, cloud services are only now just about beginning to make any kind of dent in it. That’s because the security industry is only just waking up to the idea that many features offered by the cloud extend the capabilities of existing security solutions into new and lucrative markets that exist, unclaimed, somewhere between itself and the IT industry, and that these can be accessed by using packaged cloud services bolted onto current hardware and software offerings.

These markets are facilitated as much by legislation as they are by technology. Health and Safety and the litigious/insurance culture we’ve all experienced in some way demand that ever larger amounts of CCTV data are securely stored for long periods of time for future reference, and ideally off-site.

Of course, the best way of doing this is through integration with an effective cloud service. For the end user there are many, many features offered by Cloudview (I’m sorry, I’ve said it now) and other cloud service providers that can augment CCTV solutions without compromising security and don’t actually require a degree in astrophysics to implement.

Channels to market

Then there’s the somewhat knotty issue of ‘channels to market’. Early VSaaS (Video Surveillance as a Service) providers built their business models around selling direct. This is fine for Hamstercam.com-type offerings but, for anything more serious, channel partners are essential not just to instigate sales and do the installation work but to specify the correct hardware solutions for the plethora of vertical markets that all require different ways of doing things.

All in all, in my humble opinion the UK security and CCTV industry is on the edge of a vast collective opportunity that can be facilitated by adding cloud services to existing and new customer solutions. It’s happening now and it’s picking up speed. So it’s worth taking a look at what’s available, what’s feasible and how it can be wrapped into existing end user offerings.

Next year, when you’re cutting a stride past Costa early in the morning on your way into IFSEC International and you see in the corner of your eye someone gently rocking back and forth, muttering to themselves and punching a copy of one of that day’s national newspapers, please don’t call security. It’ll just be me getting ready for my presentation.

James Wickes is director of Cloudview (UK)


Filed under Uncategorized

Thales Report: ‘More than half of businesses own up to sensitive information being ‘readable’ when stored in the cloud’

Thales’ annual global survey reveals widespread uncertainty about cloud security and a negative impact on security posture. Thales has announced that the cloud is losing the ‘scare factor’ for businesses.

In its latest report, entitled: ‘Encryption in the Cloud’, Thales reveals that more and more organisations are transferring sensitive or confidential information to public cloud services even though more than a third expect a negative impact on security posture.

In response, the use of encryption is increasing but more than half of respondents still admit their sensitive data goes unprotected when it’s stored in the cloud despite data security regularly topping the global news agenda.

Thales Encryption in the Cloud Report April 2014

The independent global study of more than 4,000 organisations was conducted by The Ponemon Institute, and reveals differing opinions over who is responsible for security in the cloud – the cloud provider or the cloud consumer – and how best to protect the sensitive data that’s sent there.

The ‘Encryption in the Cloud’ study was commissioned as part of a larger international study on Global Encryption Trends. More than 4,000 organisations were surveyed in the US, UK, Germany, France, Australia, Japan, Brazil and Russia.

The report explores the impact on security posture of moving to the cloud, the transparency of cloud providers, how organisations are treading the line between trust and control with regard to encryption and how encryption keys should be managed.

Staying in control of sensitive data

Larry Ponemon, chairman and founder of The Ponemon Institute, commented: “Staying in control of sensitive or confidential data is paramount for most organisations, and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud.”

Ponemon continued: “It’s perhaps a sign of confidence that organisations with the highest overall security posture were most likely to use the cloud for operations involving sensitive data, and it’s encouraging to find significantly fewer respondents believe that use of the cloud is weakening their security posture. However, there are still concerns that many organisations continue to believe their cloud providers are solely responsible for protecting their sensitive data even though the majority of respondents claim not to know what specific security measures their cloud provider is taking.”

Richard Moulds, vice-president (strategy) at Thales e-Security, explained: “Encryption is the most widely proven method to secure sensitive data in the enterprise and in the cloud, but more than half of respondents report that sensitive data in the cloud goes unprotected. Those that are using encryption have adopted a variety of deployment strategies, but once again a universal pain point is key management.”

Richard Moulds: vice-president of strategy at Thales e-Security


Moulds went on to state: “Very often, the way that keys are managed makes all the difference, with poor implementations dramatically reducing effectiveness and driving up costs. Key management is a critical control issue for respondents, who are increasingly focused on retaining ownership of keys as a way to control access to data. Deployed correctly, encryption can help organisations migrate sensitive data and high risk applications to the cloud, in turn allowing them to safely unlock the full potential for economic benefit that the cloud can deliver.”

Key findings of the report

Cloud security is here to stay
The use of the cloud for processing and storing sensitive data seems inevitable. More than half of all respondents say their organisation already transfers sensitive or confidential data to the cloud and only 11% say that their organisation has no plans to use the cloud for sensitive operations (down from 19% only two years ago).

Cloud confidence is on the up, but at what cost?
Although nearly half of respondents believe that their use of the cloud has had no impact on their overall security posture, those that believe it has had a negative effect (34%) on their security posture outnumbered those that experienced a positive effect (17%) by a factor of two-to-one.

Where does the security buck stop?
The perceived responsibility for protecting sensitive data in the cloud is very dependent on the type of cloud service in question. In Software-as-a-Service (SaaS) environments, for example, more than half of respondents see the cloud provider as being primarily responsible for security. In contrast, nearly half of Infrastructure-as-a-Service/Platform-as-a-Service (IaaS/PaaS) users view security as a shared responsibility between the user and cloud provider.

Visibility improves but gaps remain
The good news is that visibility into the security practices of cloud providers is increasing, with 35% of respondents considering themselves knowledgeable about the security practices of their cloud providers compared with 29% only two years ago. However, half of SaaS users still claim to have no knowledge of what steps their providers are taking to secure their sensitive data.

Encryption usage increases but data still exposed
The use of encryption to protect sensitive or confidential data stored in the cloud (data at rest) appears to be increasing. For SaaS users, the report posts an increase from 32% in 2011 to 39% in 2013. For IaaS/PaaS users, respondents report an increase from 17% to 26% over the same period, but still more than half of respondents report that their sensitive data is in the clear (and therefore readable) when stored in the cloud.

Treading a line between trust and control
There is currently an almost equal division in terms of how stored data is encrypted while in the cloud. Of those respondents that encrypt stored data, just over half apply encryption directly within the cloud with just over 40% electing to encrypt the data before it’s sent to the cloud.

Who holds the key?
When it comes to key management, there is a clear recognition of the importance of retaining ownership of encryption keys with 34% of respondents reporting that their own organisation is in control of encryption keys when data is encrypted in the cloud. Only 18% of respondents report that the cloud provider has full control over keys.

Standards enable trust in a shared environment
The need to share keys between organisations and the cloud highlights the growing interest in key management standards – in particular OASIS Key Management Interoperability Protocol (KMIP) – where 54% of respondents identify cloud-based applications and storage encryption as the area to be most impacted by the adoption of the KMIP standard.

About Thales e-Security

Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, Government and technology sectors.

With a 40-year track record of protecting corporate and Government information, Thales solutions are used by four of the five largest energy and aerospace companies and 22 NATO countries, and secure more than 80% of worldwide payment transactions.

Thales e-Security has offices in Australia, France, Hong Kong, Norway, the United States and the United Kingdom. For more information visit: http://www.thales-esecurity.com

About Thales

Thales is a global technology leader in the aerospace, transportation and defence/security markets. In 2013, the company generated revenues of €14.2 billion (equivalent of $18.3 billion) with 65,000 employees in 56 countries.

With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers and local partners. For further detail visit: http://www.thalesgroup.com

Positioned as a value-added systems integrator, equipment supplier and service provider, Thales is one of Europe’s leading players in the security market. The Group’s security teams work with Government agencies, local authorities and enterprise customers to develop and deploy integrated, resilient solutions to protect citizens, sensitive data and critical infrastructure.

Drawing on its strong cryptographic capabilities, Thales is one of the world leaders in cyber security products and solutions for critical state and military infrastructures, satellite networks and industrial and financial companies.

With a presence throughout the entire security chain, Thales offers a comprehensive range of services and solutions ranging from security consulting, intrusion detection and architecture design through to system certification, development and through-life management of products and services, and security supervision with Security Operation Centres in France and the United Kingdom.


Filed under IFSECGlobal.com News

AT&T and IBM simplify cyber security management through new joint venture

AT&T* and IBM have announced a new strategic relationship to give businesses a simplified, single source for network security and threat management.

The two companies will offer business customers a new joint service combining security network infrastructure with advanced threat monitoring and analytics. The new service is initially available in the US with plans for global expansion.

Cyber threats have become a Boardroom agenda with the potential to bring down an organisation’s network, create compliance issues, damage bottom lines and impact brand reputation.

Additionally, disparate security technologies create ‘security silos’ and can increase the cost and complexity of security management, making it almost impossible to uniformly monitor security threats across IT environments.

The new service from AT&T and IBM will help businesses address these challenges with a highly secure network infrastructure, analytics and the optimal blend of on-premise and next generation cloud-managed security capabilities.

AT&T and IBM will improve the management of these capabilities with the following customer benefits:
• Reduced costs and minimised complexities
• Advanced visibility with intelligence and control across diverse IT environments
• Simplified infrastructure with less need for security hardware, licenses and maintenance

Specifics of the joint offer

Individually, AT&T and IBM boast world class IT security data monitoring operations, each generating advanced security threat intelligence from the billions of security events they track each day.

Together, the companies will create a combined security intelligence source and analytics capability that will be “unmatched” in the industry.

The new offering is comprised of proven solutions from AT&T and IBM. Specific elements of the new offering include Network Security Infrastructure and Managed Security Services from AT&T, including network-based firewall, IDS/IPS, web filtering, secure e-mail gateway and distributed denial of service (DDoS) protection services for security devices managed on premise or in the AT&T cloud.

IBM capabilities include IBM Network Security Consulting to assess and transform network security, IBM Security Monitoring and Threat Intelligence for faster threat detection and response and IBM Emergency Response Services for around-the-clock security expert support in responding to sophisticated attacks and helping remediate them.

“With today’s constantly changing threat environment, companies need cost-effective solutions that provide end-to-end protection alongside real-time monitoring and response operations,” said Andy Daudelin, vice-president (security services) at AT&T Business Solutions. “We’ve created an unparalleled solution with the combined strength, reliability and agility of AT&T network-based security services and IBM threat intelligence and analytics.”

Kris Lovejoy – general manager for IBM Security Services – added: “Organizations are finding great benefits with hybrid IT strategies that blend mobile, cloud-based and on-premise IT resources. However, securing these infrastructures can be complicated without a single, integrated management system that avoids creating silos of security data making it almost impossible to uniformly monitor security threats across environments. IBM and AT&T have come together to offer unprecedented security services designed to break down those silos and better secure data no matter where it resides.”

“This is an advantageous combination of industry-leading network-based security, consulting, and analytics,” commented Christina Richmond, program director for infrastructure security at IDC.

“AT&T and IBM are meeting a real market need with a robust end-to-end security solution that provides enterprise customers with both integration and simplicity.”

Note: *AT&T products and services are provided or offered by subsidiaries and affiliates of AT&T Inc. under the AT&T brand and not by AT&T Inc.


Filed under IFSECGlobal.com News