Cisco Blogs


Cisco Blog > Security

Drivers for Managed Security and what to look for in a Cloud Provider [Summary]

The first blog of this series discussing the role of data security in the cloud can be found here.

In 2014 and onward, security professionals can expect to see entire corporate perimeters extended to the cloud, making it essential to choose a service provider that can deliver the security that your business needs.

While organizations can let business needs trade down security we’ve begun to see how a recent slew of data breaches are encouraging greater vigilance around security concerns. For example, a recent CloudTweaks article highlights the need for organizations to be confident in their choice of cloud providers and their control over data. IT leaders have the power to control where sensitive information is stored. They also have the power to choose how, where and by whom information can be accessed.

An important driver in mitigating risk and increasing security is to ask the right questions.

An important driver in mitigating risk and increasing security is to ask the right questions.

Institute Control By Asking the Right Questions

However, adding to fears about ceding the control of data to the cloud is lack of transparency and accountability about how cloud hosting partner/ providers secure data and ensure a secure and compliant infrastructure.  Cloud consuming organizations often don’t ask enough questions about what is contained in their  service-level agreements, and about the process for updating security software and patching both network and API vulnerabilities.

Organizations need reassurance that a cloud provider has a robust set of policies, process and than is using automated as well as the latest technologies to detect, thwart and mitigate attacks, while in progress as well as be prepared to mitigate after an attack.

An important driver in mitigating risk and increasing security is to ask the right questions. When evaluating cloud service providers, IT leaders need to ask:  Read the full blog here.

Tags: , , , , , , , , , , , , , , ,

Drivers for Managed Security and what to look for in a Cloud Provider

The first blog of this series discussing the role of data security in the cloud can be found here.

In 2014 and onward, security professionals can expect to see entire corporate perimeters extended to the cloud, making it essential to choose a service provider that can deliver the security that your business needs.

While organizations can let business needs trade down security we’ve begun to see how a recent slew of data breaches are encouraging greater vigilance around security concerns. For example, a recent CloudTweaks article highlights the need for organizations to be confident in their choice of cloud providers and their control over data. IT leaders have the power to control where sensitive information is stored. They also have the power to choose how, where and by whom information can be accessed.

An important driver in mitigating risk and increasing security is to ask the right questions.

An important driver in mitigating risk and increasing security is to ask the right questions.

Institute Control By Asking the Right Questions

However, adding to fears about ceding the control of data to the cloud is lack of transparency and accountability about how cloud hosting partner/ providers secure data and ensure a secure and compliant infrastructure.  Cloud consuming organizations often don’t ask enough questions about what is contained in their  service-level agreements, and about the process for updating security software and patching both network and API vulnerabilities.

Organizations need reassurance that a cloud provider has a robust set of policies, process and than is using automated as well as the latest technologies to detect, thwart and mitigate attacks, while in progress as well as be prepared to mitigate after an attack.

 

Read More »

Tags: , , , , , , , , , , , , , , , , ,

Data Security Through the Cloud [summary]

Is the combination of cloud computing and mobility a perfect storm of security threats?

Actually, yes. And you should prepare for them as if there is a storm coming.

As businesses become increasingly mobile, so does sensitive data. In fact, in a recent survey conducted by ESG,

31% of security professionals say that the biggest risk associated with cloud infrastructure services is, “privacy concerns associated with sensitive and/or regulated data stored and/or processed by a cloud infrastructure provider.”

Data Security Through the Cloud

 

With cloud-based services, it is key to have visibility into applications and provide consistent experience across devices accessing the web and cloud applications. More users are leaving the standard PC behind and engaging cloud applications through a mobile device, making application-layer security and user access security critical. Smartphones and tablets are able to connect to applications running anywhere, including public, private and hybrid cloud applications, opening your data to potential attacks. Security professionals need assurances that their cloud security provider will appropriately secure customer data while ensuring availability and uptime.

 

The conversation is no longer if you’ll be attacked, but when. And will you be prepared?

Read the full article: Data Security Through the Cloud

Tags: , , , , , , , , , , , ,

Data Security Through the Cloud

Is the combination of cloud computing and mobility a perfect storm of security threats?

Actually, yes. And you should prepare for them as if there is a storm coming. As businesses become increasingly mobile, so does sensitive data. In fact, in a recent survey conducted by ESG,

31% of security professionals say that the biggest risk associated with cloud infrastructure services is, “privacy concerns associated with sensitive and/or regulated data stored and/or processed by a cloud infrastructure provider.”

Data Security Through the CloudDid you know:

16 billion web requests are inspected every day through Cisco Cloud Web Security

93 billion emails are inspected every day by Cisco’s hosted email solution

 200,000 IP addresses are evaluated daily

400,000 malware samples are evaluated daily

33 million endpoint files are evaluated every day by FireAMP

28 million network connects are evaluated every day by FireAMP

Read More »

Tags: , , , , , , , , , , , ,

Securing Cloud Transformation through Cisco Domain Ten Framework v2.0

Businesses of all sizes are looking for Cloud solutions to solve some of their biggest business and technology challenges—reducing costs, creating new levels of efficiency, transform to create agile environment and facilitate innovative business models. Along with the promise of Cloud comes top concern for Security. With rise of applications, transactions and data in the Cloud, business are losing control and have less visibility on who and what is moving in and out of the business boundaries. 

Any  transformation initiative with Cloud, whether a private, hybrid or public, with early focus on security from architecture, governance, risks, threats and compliance perspective can enable the business with a compelling return on investment with a faster time to business value – regardless of geographic, industry vertical, operational diversity or regulatory needs.

Here, I would like to bring to your attention on Cisco Domain Ten framework v2.0 and my blog on What’s New in Cisco Domain Ten Framework 2.0 that is born from Cisco’s hard won experience of deploying both private, hybrid and public Cloud environments, Cisco has developed the Cisco Domain Ten framework and capabilities to help customers accelerate IT transformation.

The Cisco Domain Ten does not prescribe that customers must build each domain into their strategy – rather it provides guidance on what aspects should be considered, what impacts should be identified, and what relationships exist between domains.  Cisco Domain Ten framework 2.0, we can establish the foundation of a true IT transformation and the factors you need to consider for success. Key is to identify, establish and track strategic, operational and technological outcomes for IT transformation initiates. A major thrust of the Cisco Domain Ten is to help customers strategize for transformation vision, standardize their technology components and operational procedures, and automate their management challenges, to deliver on the potential of IT Transformation– covering Internet, Branch, Campus and Data Center environments.

Security consistently tops CIO’s list of cloud concerns. The security domain highlights identification of security and compliance requirements, along with an assessment of current vulnerabilities and deviations from security best practices for multisite, multitenant physical and virtual environments for one’s IT transformation vision.

Security should be a major consideration in any IT transformation strategy. The architecture should be designed and developed with security for applications, network, mobile devices, data, and transactions across on-premise and off-premise solutions. Moreover, security considerations for people, process, tools, and compliance needs should be assessed by experts who understand how to incorporate security and compliance safeguards into complex IT transformation initiatives.

Security is an integral part of the Cisco Domain Ten framework, applies to all ten domains, and provides guidance to customers on all security aspects that they needs. Our Senior Architect from Security Practice – Ahmed Abro articulates well in Figure – 1 Cisco Domain Ten Framework with Security Overlay that there are security considerations for all ten domains for Cloud solutions.

 d10secoverlay

Figure – 1 Cisco Domain Ten with Security Overlay

Now that we understand how Cisco’s Domain Ten Overlay approach that helps one to discuss security for each domain of Cisco Domain Ten Framework, let’s now talk about the how Cisco Domain Ten aligns with Cloud Security Alliance’s (CSA) Cloud Control Matrix to discuss the completeness and depth of the approach.

CSA Cloud Control Matrix Alignment with Cisco Domain Ten

Application & Interface Security

  • D-8 – Application

Audit Assurance & Compliance

  • D-10 – Organization, Governance, processes

Business Continuity Mgmt & Op Resilience

  • D10 – Organization, Governance, processes

Change Control & Configuration Management

  • D10 – Organization, Governance, processes and
  • D-3 – Automation

Data Security & Information Lifecycle Mgmt

  • D-9 – Security and Compliance

Datacenter Security Encryption & Key Management

  • D-9 – Security and Compliance and
  • D-1 – Infrastructure

Governance & Risk Management

  • D10 – Organization, Governance, processes

Human Resources Security

  • D10 – Organization, Governance, processes

Identity & Access Management

  • D-4 - Customer Interface

Infrastructure & Virtualization

  • D-1 – Infrastructure and Environment and
  • D-2 – Abstraction and Virtualization

Interoperability & Portability

  • D-7 – Platform and
  • D-8 – Application

Mobile Security

  • D-8 – Application and
  • D-1 – Infrastructure and Environment

Sec. Incident Mgmt , E-Disc & Cloud Forensics

  • D-9 – Security and Compliance and
  • D10 – Organization, Governance, processes

Supply Chain Mgmt, Transparency & Accountability

  • D10 – Organization, Governance, processes
Threat & Vulnerability Management
  • D-9 – Security and Compliance

 Table – 1 CSA Cloud Control Matrix Alignment

with Cisco Domain Ten Framework

From above table, one can see that Cloud Security Alliance Cloud Control Matrix and Cisco Domain Ten aligns well and it also highlights key facts that many areas such as Mobile security requires one to focus on Application and Infrastructure (network, virtual servers), etc to address security needs. One should also note that Cisco Domain Ten’s focus on Catalog (Domain 5) & Financials (Domain 6) that highlights security specific SLA and assurance discussions for security controls.

Now that that we discussed, Cisco Domain Ten approach for Security, In the next blog, I would try to discuss how Cisco Service’s focus on the strategy, structure, people, process, and system requirements for Security can help business address an increasingly hostile threat environment and help successful migration to Secure Cloud based transformation. We will also discuss current questions in business asks or should ask to understand security and privacy in the vendor’s agreements.

 

Tags: , , , , , , , , , , , , , , , , , , , , , ,