Managing Mobile, Cloud and Social Media Security
By Bob Violino | Posted 2013-04-04
These popular technologies create unique security threats, which, if not addressed, can lead to serious problems for all types and sizes of organizations.
For public cloud SaaS and IaaS offerings, the security challenge involves controlling public cloud services sprawl. Employees can easily sign up for some of these services and begin using them, Falzarano says.
Other security challenges include data ownership, data encryption and key management, and controls for data replication. "When storing data on public cloud services, for example, does the public cloud services provider replicate that data nationwide and/or internationally?" Falzarano asks. "Are there control policies available to the client to opt-out or limit the replication of data?"
To mitigate some of the concerns with public cloud services, Walz has deployed its production applications and business services on private cloud platforms, allowing it to meet stringent information security requirements. In addition, the company provides security training for employees regarding the installation and use of third-party software and cloud services, and employees must sign off on their acceptance of system usage policies.
As for social media, that creates its own challenges. "Numerous threat vectors exist from these sites, and the security challenges have been controlling, monitoring, and logging employee usage, data exchanges and information communication flows," Falzarano says. "We've managed the risks associated with these challenges and concerns by blocking some social media sites through firewall and other edge-device rules and policies."
The company also uses data-loss prevention appliances, and it's training employees in secure use of social media.
Through all these efforts, "we have been able to meet information security safeguards and controls, business continuity/disaster recovery and data privacy requirements," says Falzarano.
Security Versus Usability
Automatic Data Processing (ADP), a Roseland, N.J., provider of human resources, payroll, tax and benefits administration services, is using mobile technology and the cloud to enhance its business.
"Mobile is a uniquely enabling strategy in that it connects ADP to an enormous amount of new opportunity," says V. Jay LaRosa, senior director, converged security architecture, at ADP's Global Security Organization. "Our ability to leverage these devices to facilitate things like faster access to data, close sales quicker, or allow our clients to manage employees' payroll from their mobile devices is a true market differentiator."
But security versus usability is always a concern, LaRosa says. "If you are too draconian with your security policies, the value of these fast, flexible-computing devices is lost," he says. "We are taking a hard look at how we balance the usability aspects with security through a risk-based approach."
The company created an assurance level model for security controls, which is mapped to data and privilege-level requirements. As access to higher levels of information is required, ADP uses "step-up" authentication on an as-needed basis. For example, when an employee is checking in with a time clock application from a smartphone, that requires a much lower level of authentication than if a payroll administrator is adding a new employee to the payroll.
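The assurance-level model and step-up authentication just described, as an added illustration written for this article rather than ADP's own code: the level names, the authentication methods, the action-to-level mapping and the session structure are all assumptions, chosen to reproduce the two cases in the text (clocking in needs little assurance, adding a payroll employee needs a lot).

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Assurance levels, ordered so a higher number means stronger authentication."""
    LOW = 1      # e.g. password only
    MEDIUM = 2   # password plus a second factor
    HIGH = 3     # second factor plus a hardware-backed step


# Constructed mapping: which assurance level each completed method provides.
METHOD_ASSURANCE = {
    "password": Assurance.LOW,
    "totp": Assurance.MEDIUM,
    "hardware_key": Assurance.HIGH,
}

# Constructed mapping of actions (resource:privilege) to the level they require.
ACTION_ASSURANCE = {
    "timeclock:checkin": Assurance.LOW,
    "payroll:view_own": Assurance.MEDIUM,
    "payroll:add_employee": Assurance.HIGH,
}


@dataclass
class Session:
    user: str
    methods: set = field(default_factory=set)  # authentication methods completed so far

    def level(self) -> int:
        # The session's assurance is the strongest method completed; 0 means none yet.
        return max((METHOD_ASSURANCE[m] for m in self.methods), default=0)


def authorize(session: Session, action: str) -> dict:
    """Allow the action, or deny it and list the step-up methods that would satisfy it."""
    required = ACTION_ASSURANCE[action]  # unknown action raises KeyError: fail closed
    if session.level() >= required:
        return {"allow": True, "step_up": []}
    # Only offer methods strong enough to lift the session to the required level.
    options = sorted(m for m, a in METHOD_ASSURANCE.items() if a >= required)
    return {"allow": False, "step_up": options}


def step_up(session: Session, method: str) -> Session:
    """Record a newly completed authentication method on the existing session."""
    if method not in METHOD_ASSURANCE:
        raise ValueError(f"unknown authentication method: {method}")
    session.methods.add(method)
    return session
```

The same password-authenticated session is enough for the time clock but is refused for the payroll change until a high-assurance method is added, which is the step-up behaviour the text describes.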
Cloud services such as the firm's Dealer Management Platforms and Human Capital Management platforms have become a staple of its business model, LaRosa says. Cloud-enabling technologies that allow secure use of IaaS are starting to emerge, and ADP is working with service providers to align their solutions with its needs.
"The ability to encrypt all our data—not only at rest but in motion, and while it is in use in these public clouds—is just starting to become a reality," he says. "With these new capabilities, we can truly guarantee our data will be secure because we retain the keys and manage them at our facility and not in the cloud."
Defining ADP's global security standards has been a collaborative effort between IT and development operations. "In the last 24 months, the Global Security Organization has been able to help the IT and development teams solve some very complex and challenging problems, while maintaining the delicate balance between usability and security," LaRosa says.
The strong partnership has allowed ADP to build the appropriate levels of security in these new areas up front, instead of trying to bolt on security after the fact, he adds.