Click here to close now.

Welcome!

Virtualization Authors: AppDynamics Blog, Lori MacVittie, Elizabeth White, Alena Prokharchyk, Pat Romanski

Related Topics: Big Data Journal, Java, Linux, Virtualization, Cloud Expo, Security

Big Data Journal: Article

Protecting Data in the Cloud

Today’s cloud-driven, always-connected world enables organizations to be very agile but is also putting data integrity at risk

The cloud plays an integral role in enabling the agility required to take advantage of new business models and to do so in a very convenient and cost-effective way. However, this also means that more personal information and business data will exist in the cloud and be passed back and forth. Maintaining data integrity is paramount.

Today's approach to security in the cloud may not be sufficient; it doesn't focus on putting controls close to data, which is now more fluid, and it doesn't discriminate one set of data from another. All data is not created equal and should not be treated in the same manner; a one-size fits all model doesn't work.

In this always-connected world, protection measures in the cloud need to focus on what really matters - the type of data, how it is used, and where it goes.

Data Classification
In order to adequately protect data in the cloud, organizations need to start considering how to classify data. One approach is to use a three-tier data protection model to cater to data of different sensitivities and relevance across industries. This model would include:

Tier 1, Regulated: Data subject to regulation, or data that carries with it proprietary, ethical, or privacy considerations such as personally identifiable information (PII). Unauthorized disclosure of regulated data may have serious adverse effects on an organization's reputation, resources, services, or individuals and requires the most stringent level of control.

Tier 2, Commercial: Industry-related, ecommerce or transactional and intellectual property data whose unauthorized disclosure may have moderately adverse effects on an organization's reputation, resources, services, or individuals. Commercial data requires a moderate level of security.

Tier 3, Collaborative: Collaborative and DevOps-type data that typically is publicly accessible, requires minimal security controls and poses little or no risk to the consuming organization's reputation, resources, or services.

Using this model, security teams can strategically partner with business users to understand requirements and determine the right approach for their organization. Small to mid-sized organizations, enterprises, and service providers can apply this model to begin classifying their data based on contextual attributes such as how the data will be accessed, stored, and transmitted. Once the data is classified, they can then apply appropriate data protection measures focused on protecting work streams and transactions that continue to evolve to enable business agility. Given that most of today's data breaches are a result of user-access issues, security considerations such as Identity and Access Management, Authorization, and Authentication are critical.

The Data Integrity Challenge
Understanding and classifying data is just a first step, albeit an important one. Organizations also need to determine how to ensure data integrity when the perimeter is amorphous and control of the endpoints and the data is diminished mobility and cloud services.

Business departments are increasingly encouraged to find efficient and innovative ways to generate new business. This requires identifying new applications and ways to support the business anywhere and anytime. Business users often make the decision to use the cloud before involving IT since they can get up and running in a fraction of the time and cost it would take to provision in house.

With this unprecedented change in operations and infrastructure comes an unprecedented need for ensuring data integrity - ultimately working through the life cycle of data that can, at any point, be within the confines of a company, out to a network of partners and suppliers, or floating in a cloud. The challenge in this fractured landscape is that the perimeter is amorphous, but legacy security solutions are not; designed for a time when there was a more well-defined perimeter. The result is that attackers now use various techniques to bypass traditional perimeter-based defenses and compromise data - be it through tampering, stealing, or leaking data. Point-in-time defenses are no longer sufficient.

To effectively protect data wherever it may be, defenses must go beyond simply blocking and detection to including capabilities such as data correlation, continuous data analysis, and retrospective action when data has been found to have been corrupted, tampered with, or exfiltrated.

A New Approach to Applying Controls
In order to protect the classes of data described earlier - regulated, commercial, and collaborative - security teams need a mix of policy, process, and technology controls. These controls should be applied based on user and location context and according to a security model that is open, integrated, continuous, and pervasive:

  • Open to provide access to global intelligence and context to detect and remediate breaches and to support new standards for data protection.
  • Integrated solutions that enable policy to be automated and minimize manual processes can close gaps in security and support centralized management and control according to data classifications.
  • Both point-in-time solutions as well as continuous capabilities are needed to identify new threats to data.
  • Pervasive security delivers protection across the full attack continuum - before, during, and after an attack.

Let's take a closer look at the advantages of applying controls to protect data based on this model.

Openness provides:

  • The opportunity to participate in an open community of users and standards bodies to ensure consistent data classification and standards of policy and process.
  • Easy integration with other layers of security defenses to continue to uphold data protection best practices as IT environments and business requirements change.
  • The ability to access to global intelligence with the right context to identify new threats and take immediate action.

Integrated enables:

  • Technology controls that map to data tiers and also track data through different usage contexts and locations to support the fundamental first step of data classification.
  • Identity and access controls, authorization, and authentication that work in unison to map data protection to data classifications.
  • Encryption controls applied based on deemed data sensitivity to further strengthen protection, including strong encryption key standards (minimum AES256) and encryption keys retained by data owners.
  • Security solutions and technologies that seamlessly work together to protect data across its entire lifecycle.
  • Centralized policy management, monitoring, and distributed policy enforcement to ensure compliance with regulatory and corporate policies.

Continuous supports:

  • Technologies and services to constantly aggregate and correlate data from across the connected environment with historical patterns and global attack intelligence to maintain real-time contextual information, track data movement, and detect data exfiltration.
  • The ability to leverage insights into emerging new threats, take action (automatically or manually) to stop these threats, and use that intelligence to protect against future data breaches.

Pervasive translates into:

  • Defenses (including technologies and best practices) that address the full attack continuum - before, during, and after an attack. Before an attack, total, actionable visibility is required to see who is accessing what data from where and how, and to correlate that information against emerging threat vectors. During an attack, continuous visibility and control to analyze and take action in real time to protect data is necessary. After an attack, the key is to mitigate the damage, remediate, quickly recover, and prevent similar, future data breaches, data tampering, or data corruption activities.
  • The ability to address all attack vectors - including network, endpoints, virtual, the cloud, email and Web - to mitigate risk associated with various communications channels that could be used by an attacker to compromise data.

Today's cloud-driven, always-connected world is enabling organizations to be very agile but it is also putting data integrity at risk. IT teams need to quickly adapt to this new way of doing business despite having less control of the endpoints and the data. Traditional data protection models fail due to their inability to discriminate one set of data from another. By putting in place protection measures based on the type of data, how it is used, and where it goes, and backed by a security model that is open, integrated, continuous, and pervasive, organizations can take advantage of new business opportunities the cloud affords without sacrificing data integrity.

More Stories By Raja Patel

Raja Patel is a Senior Director, Cloud Security Product Management, at Cisco, where he is responsible for the portfolio strategy and development of security solutions for Cisco's Security Business. His responsibilities include building solutions and managing operations associated with Cloud, Threat Intelligence, Web and Email Security. Raja has been at Cisco for 13 years and during this tenure he has product managed a broad portfolio of products within Cisco’s Enterprise Networking Business Group, developed and accelerated new consumption & business models such as Enterprise Licensing, and lead strategic initiatives to develop more agile business practices across Cisco.

Mr. Patel holds a BS in Aerospace Engineering with a Minor in Mathematics from Embry Riddle Aeronautical University, and an MBA in Global Business Management.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
The Internet of Things Maturity Model (IoTMM) is a qualitative method to gauge the growth and increasing impact of IoT capabilities in an IT environment from both a business and technology perspective. In his session at @ThingsExpo, Tony Shan will first scan the IoT landscape and investigate the major challenges and barriers. The key areas of consideration are identified to get started with IoT journey. He will then pinpoint the need of a tool for effective IoT adoption and implementation, which leads to IoTMM in which five maturity levels are defined: Advanced, Dynamic, Optimized, Primitive,...
SYS-CON Events announced today that B2Cloud, a provider of enterprise resource planning software, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. B2cloud develops the software you need. They have the ideal tools to help you work with your clients. B2Cloud’s main solutions include AGIS – ERP, CLOHC, AGIS – Invoice, and IZUM
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal an...
Enterprise IoT is an exciting and chaotic space with a lot of potential to transform how the enterprise resources are managed. In his session at @ThingsExpo, Hari Srinivasan, Sr Product Manager at Cisco, will describe the challenges in enabling mass adoption of IoT, and share perspectives and insights on architectures/standards/protocols that are necessary to build a healthy ecosystem and lay the foundation to for a wide variety of exciting IoT use cases in the years to come.
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on Twitter at @MicroservicesE
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
There is no doubt that Big Data is here and getting bigger every day. Building a Big Data infrastructure today is no easy task. There are an enormous number of choices for database engines and technologies. To make things even more challenging, requirements are getting more sophisticated, and the standard paradigm of supporting historical analytics queries is often just one facet of what is needed. As Big Data growth continues, organizations are demanding real-time access to data, allowing immediate and actionable interpretation of events as they happen. Another aspect concerns how to deliver ...
So I guess we’ve officially entered a new era of lean and mean. I say this with the announcement of Ubuntu Snappy Core, “designed for lightweight cloud container hosts running Docker and for smart devices,” according to Canonical. “Snappy Ubuntu Core is the smallest Ubuntu available, designed for security and efficiency in devices or on the cloud.” This first version of Snappy Ubuntu Core features secure app containment and Docker 1.6 (1.5 in main release), is available on public clouds, and for ARM and x86 devices on several IoT boards. It’s a Trend! This announcement comes just as...
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, discussed how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.
The security devil is always in the details of the attack: the ones you've endured, the ones you prepare yourself to fend off, and the ones that, you fear, will catch you completely unaware and defenseless. The Internet of Things (IoT) is nothing if not an endless proliferation of details. It's the vision of a world in which continuous Internet connectivity and addressability is embedded into a growing range of human artifacts, into the natural world, and even into our smartphones, appliances, and physical persons. In the IoT vision, every new "thing" - sensor, actuator, data source, data con...
It's time to put the "Thing" back in IoT. Whether it’s drones, robots, self-driving cars, ... There are multiple incredible examples of the power of IoT nowadays that are shadowed by announcements of yet another twist on statistics, databases, .... Sorry, I meant, Big Data(TM), tiered storage(TM), complex systems(TM), smart nations(TM), .... In his session at WebRTC Summit, Dr Alex Gouaillard, CTO and Co-Founder of Temasys, will discuss the concrete, cool, examples of IoT already happening today, and how mixing all those different sources of visual and audio input can make your life happier ...
The Internet of Things is not new. Historically, smart businesses have used its basic concept of leveraging data to drive better decision making and have capitalized on those insights to realize additional revenue opportunities. So, what has changed to make the Internet of Things one of the hottest topics in tech? In his session at @ThingsExpo, Chris Gray, Director, Embedded and Internet of Things, discussed the underlying factors that are driving the economics of intelligent systems. Discover how hardware commoditization, the ubiquitous nature of connectivity, and the emergence of Big Data a...
SYS-CON Events announced today the IoT Bootcamp – Jumpstart Your IoT Strategy, being held June 9–10, 2015, in conjunction with 16th Cloud Expo and Internet of @ThingsExpo at the Javits Center in New York City. This is your chance to jumpstart your IoT strategy. Combined with real-world scenarios and use cases, the IoT Bootcamp is not just based on presentations but includes hands-on demos and walkthroughs. We will introduce you to a variety of Do-It-Yourself IoT platforms including Arduino, Raspberry Pi, BeagleBone, Spark and Intel Edison. You will also get an overview of cloud technologies s...
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
Scott Jenson leads a project called The Physical Web within the Chrome team at Google. Project members are working to take the scalability and openness of the web and use it to talk to the exponentially exploding range of smart devices. Nearly every company today working on the IoT comes up with the same basic solution: use my server and you'll be fine. But if we really believe there will be trillions of these devices, that just can't scale. We need a system that is open a scalable and by using the URL as a basic building block, we open this up and get the same resilience that the web enjoys.
Avnet, Inc. has announced that it ranked No. 4 on the InformationWeek Elite 100 – a list of the top business technology innovators in the U.S. Avnet was recognized for the development of an innovative cloud-based training system that serves as the foundation for Avnet Academy – the company’s education and training organization focused on technical training around top IT vendor technologies. The development of this system allowed Avnet to quickly expand its IT-related training capabilities around the world, while creating a new service that Avnet and its IT solution providers can offer to their...
The WebRTC Summit 2015 New York, to be held June 9-11, 2015, at the Javits Center in New York, NY, announces that its Call for Papers is open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 16th International Cloud Expo, @ThingsExpo, Big Data Expo, and DevOps Summit.
Chuck Piluso will present a study of cloud adoption trends and the power and flexibility of IBM Power and Pureflex cloud solutions. Speaker Bio: Prior to Data Storage Corporation (DSC), Mr. Piluso founded North American Telecommunication Corporation, a facilities-based Competitive Local Exchange Carrier licensed by the Public Service Commission in 10 states, serving as the company's chairman and president from 1997 to 2000. Between 1990 and 1997, Mr. Piluso served as chairman & founder of International Telecommunications Corporation, a facilities-based international carrier licensed by t...
There are lots of challenges in IoT around secure, scalable and business friendly infrastructure for enterprises. For large corporations, IoT implementations are one of the top priorities of the decade. All industries are seeing a competitive need to sustain by investing in IoT initiatives. The value addition comes from improved customer service, innovative product and additional revenue streams. The data from these IP-connected devices can be leveraged for a variety of business applications as well as responsive action controls. The various architectural building blocks of an IoT ...
In this session we look at creating interactive communications via the web by adding messaging, file transfer, and group communication (group chat and audio/video conferencing) into the web experience. We will also discuss potential applications of this technology in areas including B2B, B2C, P2P, and gaming. Peter is Technical Director at Acision. He graduated from The University of Edinburgh in 2000 with a BSc (Hons) in Computer Science. After graduation Peter worked on a PSTN switch developing signalling stacks for SS7, ISDN and similar protocols and creating advanced routing and serv...