Guard Yourself in the Cloud

Before you dive in to the cloud, make sure your network is secure and managed!  We are seeing enterprises and SMBs everyday adopting new cloud computing models to help further business opportunities, raise profit margins, etc., however, neglecting to take into consideration security and policy measures.  Now IT managers are quickly looking for ways to secure their company’s internal data, particularly for remote employees who have free access to the cloud and services, while still enjoying the benefits of the cloud.

Remote employees are a concern for IT managers because stored information is at high risk for data loss and leakage via online activity.  One way to enforce security measures is through a VPN.  This ensures that sessions are secured both in and out of the office, while giving staff the adequate access they need and the opportunity to share important data securely within the cloud and across the network.  This also maintains productivity levels for mobile workers as well as businesses that need to comply with specific regulatory requirements.

IT managers can also guard their business from data loss and leakage by implementing a personal firewall that controls network traffic to and from a computer, permitting or denying communications based on a security policy.  Furthermore, remote workers accessing the cloud remotely or from hotspots can fend off Internet attacks with personal firewalls.

In terms of the cloud, business managers and entrepreneurs need to continuously look further than advised guidelines. Those who do will experience the true benefits of using the cloud including improved corporate social responsibility and dramatically reduced IT spending.

What We’re Reading, Week of 3/22

Gartner Blog…
Cloud Security and VPNs
Neil McDonald remembers the debate over whether or not the Internet could be securely used for remote access. He says nowadays, we take VPNs for granted. We’ve given up control of the pipe (the Internet), but it doesn’t mean we have to give up control of the data in the pipe. Neil believes the same will be true of cloud-based computing services if we do it right. We can give up control of the pipes, the servers, the data centers, the applications, etc. – as long as we keep control of the data.

Insecure about Security…
Health Care Bill, Networking and Security
John Oltsik discusses that with 2009’s Health Information Technology for Economic and Clinical Health Act (HITECH) and the recent major health reform bill that was passed in the U.S., a lot of money is currently going into health care. The health care industry is going to be increasing IT spending and will need help with security. John believes that IT vendors need to embrace a focused sales and marketing effort in the health care field.

Network World…
WiFi Poised to Supplement 3G
Joanie Wexler looks at how WiFi is spreading fast among phones and the security concern about business users moving on and off of public WiFi hotspots. Users typically running client devices without IPSec VPN software are “in the clear” with their credentials when they first connect to a public WiFi access point. While many laptops run the software, most handsets do not support IPSec VPNs. It is not yet clear how an IPSec VPN would kick in as the client switches between network types.

VPN’s Can Prevent Data Breaches

Stumbled upon an interesting article last week in the Wall Street Journal, titled Data Breaches Are Heaviest at Hotels.  The underlying news isn’t anything new, but there are some alarming statistics and details that struck me as a surprise.

Sarah Nassaur references a SpiderLabs report in her article that examines data breach investigations across various industries—with hotel and hospitality, 38% and financial services, 19% leading.  The most common weakness found at hotels is the security surrounding point-of-sale software (the software hotels use to process credit card transactions).  Often times, systems are maintained remotely by an outsourced IT company, and to maintain the system employees must sign in remotely.  When remote user names and passwords are left blank or not changed from their default setting, hackers can identify these credentials, and gain access to the system to steal credit card numbers and other personally indefinable information (PII).

This article just goes to show how important it is to use VPN and have NAC features in place, particularly when logging in remotely.  Without these anyone can access data available on the network and potentially cause a lot of harm.

Check out our Rethink Remote Access series with featured guest posts.

What We’re Reading, Week of 3/15

Agency Insider Blog…
Who’s Breaking the Rules on Your Staff?
Linda McGlasson looks at a poll that shows more than one in 10 U.S. employees says they’ve known they were violating policies put in place by their company’s IT departments, but violated them anyway to get their work done. Linda says that technology plays a part in detecting policy-breakers and evaders; compliance tools are needed to make sure employees are following the rules. Without them, organizations face breaches and the possible loss of data, which can lead to major problems for the company.

IT Business Edge…
Password Management: What Employees Should Know
Paul Mah offers five aspects of good password management that employees need to know. The password cannot be too short or else it will be compromised very quickly. Avoid reusing passwords between personal and work accounts and know that IT staff will never ask for your password. Employees are welcome to change a password at any time and should do so often. With employees increasingly accessing their work accounts from remote locations, users need to be educated on the necessity of changing their passwords regularly.

SearchNetworking.com…
NAC Appliance Combats Unwitting Insider Threats from Infected Devices
This article by Jessica Scarpati discusses what can happen if a user is causing attacks within their own network, whether it’s malicious or accidental. After dealing with an employee whose personal laptop infected the network, a northern California credit union is using a network access control (NAC) appliance to prevent insider threats. The company says they haven’t suffered any more breaches with the NAC appliances. They keep systems administrators busy with alerts, letting them know if an endpoint doesn’t have the latest Windows security patch so the company can make sure they meet compliance standards.

What We’re Reading, Week of 3/8

Gartner Blog…
Lawrence Orans Guest Post: NAC Panel at RSA Conference
Lawrence Orans shares some highlights from a panel outlining the best practices for NAC that he moderated at the RSA Conference. Session attendees asked questions about choosing EAP methods, handling exceptions (non-802.1X-capable endpoints) and troubleshooting failed authentications. Lawrence says his main takeaway from the session is that the industry still needs to step up and provide solutions that ease the deployment and the manageability of 802.1X.

Network Security Blog…
The Network Security Podcast, Episode 188
This week’s Network Security podcast discusses the latest security news and gives a recap of the RSA Conference, including Martin McKeay’s panel on disclosure.

eSecurity Planet…
Top Ten WiFi Security Threats
This contributed article from Lisa Phifer looks at the top ten threats when using WiFi. They include data interception, denial of service, rogue APs, wireless intruders, misconfigured APs, ad hocs and soft APs, misbehaving clients, endpoint attacks, evil twin APs and wireless phishing. To stay protected, make sure to route all hotspot traffic, even public, through a trusted, authenticated VPN gateway.

The Ashimmy Blog…
If the Security Industry Cannot Give You 100% Protection, Is It a FAIL?
This post discusses a recent Robert McMillan article that says, despite billions of dollars in security spending, it’s still surprisingly hard to keep corporate networks safe. Alan says security is about managing risk; although you can never eliminate the risk, you can make it less likely to occur. Good security is about having process and procedures in place, including incident response. It’s important to be able to handle an incident when it occurs, in addition to trying to prevent it.