In a seminal post last year, Bruce Schneier said it straight: Data is a toxic asset. Companies and governments have been collecting and storing data, “…because the cost of saving all this data is so cheap, there’s no reason not to save as much as possible, and save it all forever. Figuring out what isn’t worth saving is hard. And because someday the companies might figure out how to turn the data into money, until recently there was absolutely no downside to saving everything”. But data is fast turning out to be a toxic asset because securing it is problematic. “Saving it is dangerous because many people want it” … “Saving it is dangerous because it’s hard for companies to secure” … “And saving it is dangerous because failing to secure it is damaging.” Read the post here.
We’ve reported on data breaches (for example, from Zomato, Axis Bank and SBI) and on irresponsible practices, such as from the government of India (here and here). Leading up to our first discussion on Data Privacy and Security today in Bangalore, in partnership with Akamai, supported by Microsoft, and with community support from HasGeek (for which we’re all full up), co-moderators Vinayak Hedge and I have put together some reading material to help understand the issues related to securing data better.
We have participation from stakeholders across organizations such as Accenture, Axilor Ventures, Bank Bazaar, Byjus, Capillary Technologies, Capital Float, CCICI, ClearTax, CSIR-4PI, Daily Hunt, E2E Networks, Explara, Fallible, Flipkart, GigSky India, Go-Jek, HasGeek, Infosys, Kotak Mahindra Bank, L&T Infotech, Lenovo, Ozonetel, PhonePe, Poynt India, Practo, ProArch, QGraph, Rapido, Razorpay, Red Hat, Shadowfax Technologies, ShieldSquare, Voonik, etc.
Apart from the post from Bruce Schneier above, here’s what you ought to read up on:
Analytics and data storage are leading cloud adoption. 28% of organizations’ total IT budgets is dedicated to cloud computing, of which 45% is allocated to SaaS (Software as a Service), 30% to IaaS (Infrastructure as a Service) and 19% to PaaS (Platform as a Service). More here.
Top 12 security issues facing cloud, including the fact that “Data breaches and other types of attacks thrive in environments with poor user authentication and weak passwords”, human error, account hijacking, insufficient due diligence, among others. Read it here.
The US Federal Trade Commission has advice on steps that businesses ought to take following a breach, regarding securing operations, notifying users, addressing vulnerabilities, and also ensuring that evidence related to the breach is not destroyed. Read it here.
Indian law also has requirements regarding steps to be taken following a breach. CIS India has compiled a set of legal requirements related to breaches, under rules from India’s Computer Emergency Response Team, the IT Act rules, and under the Unified License. Read the compilation here.
The government of India also has guidelines for its departments, relating to security when it does cloud procurement, including terms of dealing with classified and decommissioned data. Read that here.
Questions for our discussion today
1. Compliance and securing the cloud:
- What are the top challenges that people see in moving to the cloud and securing their infrastructure? How are they remedying these issues?
- Authentication is at the heart of cloud storage and cloud security. How are organizations approaching authentication, and is it leaving them vulnerable to data theft or compromise?
- Many organizations are pursuing a hybrid cloud strategy. How do they secure the communications between private and public cloud?
- How will the Internet of Things (IoT) introduce new threats, and how should the way IoT interacts with the cloud ecosystem be of concern to organizations?
- What are the legal challenges in hosting in certain countries (compliance-wise)? How does this apply across verticals (compliance with COPPA, HIPAA, SOX, for example)?
- How do you prevent national intelligence organisations from seizing and snooping private data?
2. Innovations/Trends and best practices:
- What are the new innovations/trends that are making the cloud more secure? Is it easier to secure the cloud via automation than to build security teams in-house?
- What are the specific cloud-side practices that prevent breaches that could compromise multiple clients?
- How is the architecture audited and validated?
- Are there any architectural patterns for securing the cloud? How are they different from a traditional datacenter?
- Are there any differences in how different cloud vendors handle them? Are there any best practices that need to be followed?
3. Incident response and user communication
- How is incident response handled and how is incident information communicated to affected users (vendors or end-users)?
- Especially since you have less control over your infrastructure as compared to a traditional datacenter, how is patch management done (say, for Heartbleed or GHOST)?
- How do you respond to DDoS against infrastructure providers – DR strategy?
- How are data breaches handled and communicated to users? Basically, data is a toxic asset, so how do you minimize logging and secure access to it?
Other (longer) reads
Last year, the Telecom Regulatory Authority of India had issued a paper on Cloud Computing. Read it here.