Archive for the 'Security' Category


Facing the Facts: How to Avoid Cloud Security Risks

Despite increasing adoption of cloud computing, many companies are still hesitant about making the leap to the cloud due to concerns about security. In fact, a recent cloud computing survey revealed that security and compliance are the top inhibitors for cloud adoption.

But when you take a look at some of the statistics around security and compliance, it’s hard to blame them:

These types of numbers make it all the more understandable why many companies are still under the perception that clouds are not secure enough for demanding e-business applications, especially ones handling sensitive client data.

However, as the last stat above reveals, much of the risk comes from a lack of expertise or dedicated resources to fully commit to knowing the ins and outs of not just cloud computing, but security and compliance as well.

Looking to fill that gap, we recently launched a next-generation suite of secure eBusiness Cloud Services, so that companies no longer have to worry about compliance and security in the cloud. We’ve seen too many companies risk noncompliance as a result of lacking standard security best practices and tools to manage their cloud environment. On the other hand, there are also companies spending unnecessary amounts of time, money, and resources to manage compliance when they should be focusing that attention on innovation and growing their business.

Different companies have different needs, which is why we realize the importance of flexibility as well. Whether a customer needs just one server with iron-clad security or a robust and scalable enterprise-wide system, our eBusiness Cloud Services are designed to provide a solid foundation of protection for a wide range of use cases. We find that using standard builds helps minimize the risk of unintentional errors or noncompliance. Of course, spending time to understand various vertical markets, and making sure we understand the unique industry challenges and regulations (such as PCI and HIPAA), also plays an important role in accomplishing that.

Compliance is a daunting task in itself. And when you add cloud computing to the equation, it can get even more complicated, time-consuming, and in turn, expensive. If you’d like to learn more about what options exist to secure a cloud and how you can ensure compliance in the simplest, most cost-effective way possible, check out our latest white paper: “Riders on the Storm: How to Reduce Risk and Ensure Compliance in the Cloud.”

Image Credit: FutUndBeidl

About the Author: As Vice President of Product Management at Layered Tech, Kevin Van Mondfrans (@VANMONDFRANS | +Kevin Van Mondfrans) is responsible for driving the Layered Tech portfolio of infrastructure as a service (IaaS) and managed service offerings. With more than 20 years of experience in product development and marketing, Kevin has been delivering innovative computing, storage, cloud and service offerings with companies such as HP, Dell, and Savvis.

Inherent Trust in the Cloud – ISACA Update

I attended the ISACA Silicon Valley chapter 2012 Summer Conference, Enabling Trust: Business in the Cloud, on August 23rd and 24th.  Some of the organizations presenting included Qualys, SurveyMonkey, EMC Consulting, StrongAuth, Allgress, PwC, Apollo Group, iStreet Solutions, Check Point Software Technologies and Layered Tech.

Along with some lively panel discussions, the conference offered an eclectic mix of speakers from different points and perspectives within the cloud.  Layered Tech was privileged to be the only Infrastructure as a Service (IaaS) provider presenting and that allowed me to offer the view of the cloud as a framework that can have inherent trust along with appropriate controls.  This was the first presentation that I delivered where a majority of the attendees acknowledged using the cloud – all but one, in fact.  This indicates that more of us are recognizing that the cloud is here and now our job is to better identify the components and how they interrelate.  We may be at or near the tipping point of recognition of cloud computing as a valid means to leverage virtualization and the economies of scale.

I was interested to hear, through much of the conference, that some still consider the only options to be Public Cloud vs. on-premise facilities.  With the offerings of compliance and security-centric providers and the utilization of strong security tools, many of which were discussed by the presenters, we can demonstrate that hybrid and community clouds have a role to play in cloud options and can be made to be as secure, if not more secure, than many traditional on-premise facilities.

I will be presenting more extensions of these views at ConSec’12 – Consumerization of Enterprise IT-Are You Keeping Pace? on September 17-19 in Austin, TX.  I hope to see you there.

About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO | +Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.

Take a Sneak Peek at our Next-Gen Secure Cloud

We will be announcing a next generation secure cloud platform shortly. I want to give you some insight into our thinking on cloud and security.

Customers are often faced with choosing between greater business agility and highly secure, compliance-ready environments. We do not think this is a fair trade-off. No customer should be forced to forgo the full promise of cloud to run in a secure and compliant environment. Nor should a client need to sort through piles of log data to keep themselves compliant when outsourcing to a cloud service provider. We are addressing this very quandary.

Our next generation Cloud Data Center gives customers the full benefit of running critical workloads with sensitive personal information and financial data in a self-service secure cloud environment. Security and transparency are inherent in what we do. The Layered Tech cloud platform supports customers desiring to run in a cloud that is managed to accommodate PCI DSS and HIPAA compliant hosting requirements. Our cloud makes it easy to add the necessary tools, processes and management to run in a secure environment and to achieve and pass compliance, guaranteed. We have automated over 200 steps to deliver fully compliant cloud data center environments and virtual machines, in just a few mouse clicks.

Despite the focus on security, you do not need to have a compliant application or workload to run in the Layered Tech Cloud Data Center. Our next generation cloud will enable a variety of production and test/development use cases. Customers will be able to choose managed services that range from basic server and URL monitoring/alerting to proactive managed support. We built this flexible management model to enable customers with transient workloads and elastic capacity to add compute resources on an hourly basis in a completely self-service model. We also enable cloud for clients who desire a managed support model to assist with complex and hybrid environments, and we can provide managed support up the stack including web servers, middleware and databases. While the customer has self-service controls and visibility, Layered Tech offers layers of management to help maintain and manage client environments.

There has been significant development focus on automation of security and compliance; there has also been an equal focus on delivering a secure portal and API that will enable a breadth of self-service capabilities well beyond cloud data center provisioning and VM life-cycle management. All of this automation along with our managed services offers customers the ability to achieve a higher level of assurance and agility to run their important workloads in a cloud.

Stay tuned for more details upon our launch of this next generation secure cloud platform.

About the Author: As Vice President of Product Management at Layered Tech, Kevin Van Mondfrans (@VANMONDFRANS | +Kevin Van Mondfrans) is responsible for driving the Layered Tech portfolio of infrastructure as a service (IaaS) and managed service offerings. With more than 20 years of experience in product development and marketing, Kevin has been delivering innovative computing, storage, cloud and service offerings with companies such as HP, Dell, and Savvis.







Blog Series: Reducing Risk with PCI-Compliant and Secure Community Clouds

By Jeff Reich, Chief Risk Officer, Layered Tech

It seems almost daily a new report emerges detailing how a company suffered a data security breach, resulting in the release of sensitive data for hundreds of people.  To help guard against these attacks, companies can become PCI compliant, but it is not an easy goal to achieve and does not guarantee complete and total security.  As an alternative, community clouds provided through third-party resources like Layered Tech offer security options and a path to compliance without the cost and labor issues present with in-house systems.

To better understand these issues, this blog series will explore the hazards data breaches present and how, even with its challenges, PCI compliance and added security can help protect companies.  Additionally, the series will discuss how leveraging a community cloud provides companies with added benefits, such as scalable infrastructure, flexibility and availability, all in a cost-effective manner.

The real risk hackers pose

In today’s business environment, data breaches are no longer disasters that happen to other companies, nor are they an issue that only plagues large enterprises.  These adverse events can affect small- and medium-sized businesses that have made the leap to computerized systems and digital records.

Hackers are becoming more sophisticated and are able to employ several different tactics to retrieve information, such as exploiting backdoors and using spyware, forcing companies to focus on every aspect of security.  Instead of just looking for credit card and social security numbers or personal data, such as birthdates, hackers are increasingly stealing online banking login details.  According to Verizon’s 2011 Data Breach Investigations Report, the U.S. Secret Service arrested more than 1,200 cybercrime suspects in 2010 who were connected to more than $500 million in fraud loss.

PCI compliance helps but includes challenges

All companies that accept credit card payments, either online or offline, are required to take steps to secure customer information.  One way companies can accomplish this task is to become PCI compliant, meaning that the organization meets certain criteria throughout the security process, including prevention, detection and response, as set forth by the PCI Data Security Standard (PCI DSS).  These standards, developed by the Payment Card Industry Security Standards Council, provide a range of requirements based on a company’s size, its type of business and the number of credit card transactions it handles.  (Want to know more about PCI DSS?  See the helpful PCI DSS resources available on our website.)

The strictness of these requirements, however, can make it difficult for businesses to achieve compliance.  Verizon’s Payment Card Industry Compliance Report for 2011 states that only 21 percent of the companies assessed were considered fully compliant.  Additionally, even though PCI-compliant companies are safer and less likely to encounter a breach, PCI compliance does not guarantee complete security of data.  Additional security measures, including but not limited to patching and system interfaces, must be taken.

Many companies leverage PCI compliant hosting and managed services from providers like Layered Tech to take advantage of their security, compliance and cloud expertise.  With this approach, organizations gain all the benefits of a hosted IT infrastructure but without the headaches of owning and maintaining hardware.  In addition, you can dedicate your resources to what matters most: your business and your customers.  To learn more about Layered Tech’s services, please visit our website or send us an email.

In the second installment of this blog series, we will discuss PCI compliance and security in community clouds and how this environment can provide businesses with unprecedented processing power, bandwidth and storage capacity, without the burdens of capital expenses and IT staff overhead.

Image credit: Mikael Altemark


