Cloud Providers – Addressing Security Concerns

Cloud providers often get a bad rap; IT professionals sometimes see the cloud as an insecure way of having applications and data reside outside their own data centers. Security should absolutely be a concern whenever sensitive data is involved, and that concern can be heightened when considering cloud services that operate outside your corporate firewall. EarthLink Business wants you to be assured that these concerns are all taken care of with our services, and to give you questions to ask while considering any provider.

Companies have been outsourcing services and technology for years. Just because companies may give up some control to the hosting provider when moving to a cloud environment, it does not mean they have to compromise on security. By asking the simple questions below, your company can build a trusting relationship with the cloud provider you are considering working with.

  1. How is data encrypted when stored in the cloud infrastructure?
  2. What logical and physical access controls are in place?
  3. Is the cloud infrastructure fully redundant?
  4. How well are cloud applications protected?

Ask these questions so you can understand the complexity of where your data may live. Consider moving only a couple of less critical applications to the cloud first, so you can start building that trusting relationship with the cloud provider before deciding to go all in.

To help further, the National Institute of Standards and Technology (NIST) has released a set of guidelines for managing security in the cloud. Use these guidelines to compile a list of requirement questions before selecting a cloud provider:

  • Carefully plan the security and privacy aspects of cloud computing solutions before implementing them.
  • Understand the public cloud computing environment offered by the cloud provider.
  • Ensure that a cloud computing solution (both cloud resources and cloud-based applications) satisfies organizational security and privacy requirements.
  • Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Cloud computing can help you cut IT infrastructure costs, provide new services to customers and streamline business processes, so don’t let security concerns keep you from taking advantage of it. Contact your EarthLink representative today and start asking the right questions!

Information Security Breaches... Here we go again!

In light of two major information security breaches last month, I thought I would remind everyone how to effectively approach corporate information security. Here is what was compromised:

  1. Personally identifiable information of 10,000 employees and contractors was stolen from a laptop stored in a locked car.
  2. A phishing email sent to employees compromised 387,000 credit/debit cards and 3.6 million Social Security numbers.

In the grand scheme of things, there is no such thing as a perfectly secure information environment. Laptops will continue to be lost and stolen, unknown vulnerabilities will continue to be exposed, and users will continue to click on things they shouldn’t. Designing layers upon layers of security measures is the only way to truly minimize the risk that data is compromised when these things happen.

Both of the security breaches last month occurred at government agencies, places where consumers expect the highest level of information security measures to be in place. Number 1 above is NASA and number 2 is the South Carolina Department of Revenue. If these two agencies can be breached with their level of security in place, so can you. Do I have your attention yet?

In my June blog article I talked about 10 ways to mitigate security risks. Of those 10, I believe these 3 are lacking the most attention, and if they were addressed more proactively we would start hearing less and less about information security breaches in the news:

Focus on the edge – Monitor logs for failed access attempts so you are aware of attempted breaches before breaches happen.

Educate employees – Email SPAM appliances don’t catch everything. Educate users on how to spot suspicious email messages and report them. Educate annually and require content testing to make sure users understand the security risks. Add another layer of protection by enabling web content filtering so users can’t visit compromised websites.

Encrypt data – Laptops will continue to be stolen but you can add a layer of protection for the data. Encrypt corporate data on all devices that physically leave your internal corporate network. If a laptop is in the wrong hands you still hold the key to unlocking your critical information.
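One way to implement the "Focus on the edge" advice above, as an added example that is not part of the original article: a sliding-window counter that flags a source address once it reaches a threshold of failed logins. The log lines are constructed, the sshd-style format with ISO timestamps is an assumption, and `detect_bursts`, the threshold and the window are illustrative choices; lines are assumed to arrive in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs); sshd-style messages with ISO timestamps.
SAMPLE_LOG = """\
2012-11-05T09:00:01 edge01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
2012-11-05T09:00:03 edge01 sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
2012-11-05T09:00:04 edge01 sshd[812]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
2012-11-05T09:00:06 edge01 sshd[811]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
2012-11-05T09:00:09 edge01 sshd[811]: Failed password for root from 203.0.113.7 port 40115 ssh2
2012-11-05T09:00:12 edge01 sshd[811]: Failed password for root from 203.0.113.7 port 40116 ssh2
2012-11-05T09:05:00 edge01 sshd[813]: Failed password for bob from 198.51.100.20 port 51010 ssh2
2012-11-05T09:40:00 edge01 sshd[813]: Failed password for bob from 198.51.100.20 port 51011 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source that reaches `threshold` failures within `window`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> every account name that source has tried
    alerted, alerts = set(), []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "failures": len(q),
                           "users": sorted(users[ip]), "at": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two failures for `bob`, 35 minutes apart, stay below the default threshold, which is the kind of occasional mistyped password the window is meant to ignore.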

Breaches happen, but if you continue to deploy additional layers of protection you are less likely to be that company reporting to consumers that you lost their data. Attackers are smarter and more creative today. You should be too.

Internet Acceptable Use Policies – Hold Your Employees Accountable!

Most organizations require employees to sign and acknowledge some form of “Internet Acceptable Use Policy,” and most employees comply once they sign. But what about those who don’t? Do you know who they are? The problem is that most organizations have no way to ensure employees comply with the policy until it is far too late. A company today can be severely damaged, or even worse, put out of business if someone accidentally discloses proprietary or confidential information. Losses can also include employee or customer personal information or, more importantly, customer credit card numbers. Barnes & Noble customer credit card information was compromised by hackers just this week! Attackers planted software on computers to capture customer credit card information when customers swiped their cards to make a purchase.

So how do you ensure Internet use compliance? Easy: deploy web content filtering.

There are a number of good reasons to deploy web content filtering: malware prevention, increased security, legal liabilities, regulatory compliance or simply monitoring employee use of the Internet. The growing use of social networks like Facebook and Twitter has increased the need for organizations to ensure that company policies are followed and that the company’s reputation is continually safeguarded.

The most important goal for implementing any web content filtering solution is reducing the risk that browsing the Internet introduces. Having an effective web content filtering solution in place that aligns with your Internet acceptable use policy will ensure that you are protected from a security and legal standpoint and will improve the productivity of your employees. Web content filtering is one of many features built into EarthLink’s Hosted Network Security product. Contact your EarthLink representative today to learn more.

Asset Management and BYOD

With asset management, IT managers know what systems exist, what technology is in place, and how they all fit together within a company. As if managing IT assets were not already complex enough, corporations are now implementing Bring-Your-Own-Device (BYOD) policies that allow employees to connect their personal phones and tablets to corporate networks and applications.

Spend some time and really think about this effort: companies are now permitting users to purchase their own phones or tablets and are requiring their IT managers to manage, support, and secure the data accessed by them. The features on today’s devices make allowing them no different from allowing users to bring and connect their own personal computers to your corporate network. However, the thing to remember is that the security measures for allowing personal computers to connect remotely to corporate networks are far more advanced than today’s measures for BYOD devices.

When allowing BYOD devices on your network consider the following:

  1. What is the user doing with the device when it is not on your corporate network?
  2. What happens to corporate data when the user is terminated from your company?
  3. What happens to corporate data when the device is lost or stolen?

All three questions can seem alarming (as they should!). The key is to find a way to manage these devices so you maintain access control over your corporation’s data and other assets. Yes, these are your employees’ personal devices, but you can still control the connection paths through which you allow these devices to access your critical information. It’s up to you to maintain control.

Make educating users a top priority if you are going to allow these devices. Spot check devices to ensure users are using a password to unlock devices before use. Consider moving all corporate remote applications to the cloud so all data is retained on the network and not downloaded to the device. Only allow a small sample of BYOD devices, for example only iPads or iPhones. This lowers the burden of maintaining devices from multiple vendors and allows you to tailor your BYOD policies. Think about the risks before deciding to allow BYOD in your environment. BYOD devices should be used as a portal to access corporate data and not as an insecure data repository located outside your network.

The good news is that EarthLink’s Asset Management IT Service already takes these BYOD devices into account. Contact your EarthLink representative today to learn more!