If you have ever used a ZIP file, you owe a debt of thanks to a company called PKWARE. And while that company may be best known for making large files easier to share and manipulate, their core business revolves around data encryption and loss prevention.
A recent IDG Connect blog post featured an interview with PKWARE's CTO, Joe Sturonas. Here's what Joe had to say about the spate of recent, high-profile hacks and breaches of organizations ranging from Sony Corp. to the US government.
"Simply put: Many of these data breaches could have been avoided if the information was protected, instead of the devices and the network.
"Regulation and compliance largely focus on a decade-old notion of protecting devices (desktops, laptops, servers, mobile, etc.) and networks (SSL, TLS, etc.). Our computing model has changed drastically where data is on BYOD (Bring Your Own Devices) and sent out to cloud computing environments, so much of an organization's data is not even on the devices or platforms they own. By encrypting the data itself, data is persistently protected regardless of the device or the network.
"Even if you are simply focused on protecting devices and networks, security should be about 'defense-in-depth.' In this day and age, you have to assume you are going to be breached, and if the data itself is not protected, the bad actors will be able to exfiltrate your sensitive data. That is why these breaches are happening with such regularity."
Joe added that while security today often focuses on protecting the perimeter of an organization, "the bad actors are already inside." (PKWARE entertainingly posits that there are three primary categories of these malefactors: thieves, snoops and idiots.) Protecting your enterprise's information, and not just its devices and systems, prevents any of these bad actors from gaining "anything of worth from a breach or heist."
In other words, as your enterprise adopts more and more cloud computing solutions, many if not most of your incumbent security solutions, processes and strategies will likely prove to be inadequate, if not irrelevant. Or, as I put it in a recent social media outburst, "Attention, IT: device/system security without data security is NO security…or meaningful compliance…"
If you're using ServiceNow, your IT-related data is already well protected by the architecture of that solution and the infrastructure that supports it. But what about the rest of your enterprise's critical information? Are you ready to lead the charge to the changes necessary to protect that data as robustly as possible, regardless of where it is and where it's being legitimately used?
This raises a larger, even more important question, and points to another interesting, evolving cache of relevant content. Michael Santarcangelo is a contributing editor at CSO Online, creator of the "Remarkable IT Leader Framework" and a self-declared "catalyst" of IT and security leaders. He also wrote the book, "Into the Breach: Protect Your Business by Managing People, Information, and Risk," first published way back in 2008.
More recently, Michael has launched a series of pieces called "Leading Security Change." His first post: "Are you ready to lead your organization to a more secure cloud?"
Michael argues that as "a security leader, you have three basic choices:
- "Lead the effort to a more secure cloud
- "React to the decisions of others, likely with choices you wish were different
- "Get left behind entirely"
He adds that anyone "leading the effort to include cloud (however you choose to define it) in your strategy has at least three key areas to consider:
- "Selecting: informing and defining criteria to guide the business to solutions that benefit them while protecting information
- "Protecting: once the decision for a specific solution is made, the process of understanding the environment and architecting the best way to keep information safe
- "Operating: the process of measuring, evaluating, and adapting the controls, approach, or solution based on changing needs and available options"
The italics are mine. The choices and responsibilities belong to you and your colleagues. Change is almost always difficult and challenging. But it is also absolutely essential to continued evolution, maturation and success for your enterprise. As is the ability to protect the information that drives your business. And that's a much bigger task than simply protecting devices, systems or perimeters.
A personal note: I am proud to be joining LANDESK as a Senior Product Marketing Manager, effective July 20. Since LANDESK is perceived as a competitor to ServiceNow, this will be my final ServiceNow Community blog post—unless ServiceNow acquires LANDESK, as it did Intréis, my previous employer. In case that doesn't happen, and it doesn't seem likely, I just wanted to thank the ServiceNow Community for indulging and encouraging my behavior here. I will continue to observe and contribute where I can, and I am confident you will remain one of the most vibrant, passionate and forward-looking communities in all of IT. Keep up the great work, and keep kicking the IT industry forward!