Trillium Insights

Thoughts and Insights from Trillium's Practice Leaders

How do I Secure my Cloud Services?

How do I Secure my Cloud Services?

With the growth of Cloud Services, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) solutions, your organization needs to be cognizant of what is involved with their use and what security in these environments means.  

SaaS is the Cloud-based service that consumes the entire operation – specific application(s) that are hosted by a third-party provider, available over the Internet.    PaaS provides the platform, allowing customers to develop, run, and manage applications without having to build and maintain the attendant infrastructure.  IaaS typically only provides infrastructure, including hardware, storage, and data center space to support the enterprise, with the customer directing the applications and operations.  

IDC estimates that in 2018 Cloud computing will be at least 50% of all IT spending, with additional growth to 60-70% by 2020.   However, with that growth additional security vulnerabilities will be uncovered, potentially exposing your organization.  Recently, a survey of security professionals indicated that one-third (1/3) of breaches affected more than one-half (1/2) of systems.  You simply cannot dismiss security concerns once you make the decision to go with a cloud-based solution. 

So, what is being done?  Cloud providers are beginning to be work directly with security solution providers to address customer concerns and implement end-to-end measures, such as Rackspace’s recent partnership with Cisco to deploy next-generation firewalls directly into its services.  Further, according to Cisco, in addition to traditional security tools, tools such as Machine Learning (ML) and Artificial Intelligence (AI) are maturing.  Tools like AWS Guardduty and AWS Macie are now being used within the enterprise.  It is imperative that as you develop relationships with Cloud providers, you understand their security roadmaps so you can make informed security decisions for your company. 

Also, there is a major security skills shortage and using an ‘automation first’ agile approach to security reduces the operational load on security, leverages automation learnings across multiple environments and provides economies of scale savings by utilizing scarce resources in a shared model.

Being acutely aware of your Cloud-based security risks, issues, and potential mitigation strategies will help your company to protect your data and electronic assets.

Increased Cybersecurity and Data Privacy Requirements

Increased Cybersecurity and Data Privacy Requirements

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect.  GDPR is the legal set of guidelines for the collection and processing of personal information within the European Union (EU.)   GDPR rules impacts organization that offer goods and services to people in the EU or collect and analyze personal data tied to EU residents.  In the United States, several states are implementing laws similar to GDPR.  Among the most aggressive states to establish such laws are New York and California. 

The New York Law, Cybersecurity Requirements for Financial Services Companies, relates to information maintained by organizations that operate in the banking, insurance, or financial services industries.  It was passed in March 2017 and has staggered effective dates for various aspects of the law, ending with all parts needing to be in full effect by March 2019.  The California Law, the California Consumer Privacy Act of 2018, is a broad, sweeping law concerning digital privacy, allowing consumers significant control over their online personal information.  It was passed in June 2018 and has an effective date of January 2020.  While there are different requirements in each law, both laws require policies, processes, and systems to support the secure management of online Personally Identifiable Information (PII) by companies.  Some of the requirements for maintenance of PII include:

  • Documented cybersecurity programs to protect information systems from intrusion
  • Documented cybersecurity policies related to information security, including data governance and classification; asset inventory and device management; access controls and identity management; business continuity and disaster recovery; systems operations and availability concerns; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; risk assessment; and, incident response.
  • Annual penetration testing and bi-annual vulnerability assessments
  • Audit trail of transactions to reconstruct activities and transactions
  • Limited access to data as needed and review of access privileges
  • Documented procedures, guidelines, and standards for secure application development
  • Periodic risk assessments along with documentation on risk mitigation)
  • Documented third-party service provider policies including limitation to nonpublic data
  • Multi-factor authentication to limit unauthorized access to PII
  • Documented policies and procedures for disposal of PII
  • Training on cybersecurity awareness, and risk-based policies, procedures, and controls to monitor authorized user activities and detect unauthorized user access to PII
  • Implementation of controls on PII to protect such data, including encryption
  • Documented incident response plans in the event of a breach
  • Notices to appropriate authorities in the event of cybersecurity breaches
  • Disclosure of PII as well as use of that information to consumer on request
  • Disclosure of PII that is sold by business on consumer request
  • Deletion of PII collected by business on request of consumer along with appropriate methods to do so
  • Consumer opt out of business sale of PII along with appropriate methods to do so

US companies can be assessed financial penalties both by states and consumers for violations.  Therefore, it is critical that your organization’s PII is protected.  Many US companies are already familiar with data privacy, because of Health Insurance Portability and Accountability Act (HIPAA) data rules for Protected Health Information (PHI,) so the new data privacy laws are not a new concept.  These new PII laws will likely be introduced by other states in the near future.  Trillium has significant experience in privacy and cybersecurity and can perform the analysis on your systems to determine what may be needed to bring your organization into compliance as well as to create the roadmap you will need.