May the cloud force be with you ... and keep you secure

Star wars - force awakens

If you were only allowed three mantras for a successful data security strategy then surely they would have to be 'blend your protection' along with 'have a backup plan' and 'be vigilant'.

At the risk of upsetting die-hard Star Wars fans (for whom I have been unable to locate a fun collective noun, so nerds will have to suffice) I would suggest that these could actually be rolled up into a singular 'May The Cloud Be With You' instead. I appreciate that this flies in the face of the popular belief that all things cloud are slippery and wet as far as data security is concerned, and should therefore be avoided or at the very least treated with the utmost caution. However, as I have stated time and time again, popular belief is not to be trusted.

The cloud, on the other hand, is. At least it is when done properly. I wouldn't go say far as to claim that 'help me cloud computing, you're my only hope' (uh oh, I'm upsetting the 'warsy' folk again - does that work as a collective noun?) is something you will hear echoing around the room at your average enterprise data strategy meeting, but maybe it should be.

OK Obi Winder Kenobi, enough with the Star Wars puns already: this is actually quite serious stuff. What I'm talking about here is cloud as being a kind of Cerberus; a triple-headed guardian of your data past, present and future. Start thinking in terms of the three Cs of cryptography (protecting your archived data), cyber-resilience (helping protect your live data) and counterveillance (keeping an eye on the threats yet to come) and you can see where I am coming from with this hypothesis. So let's examine all three in a little more detail.

Cryptography: I would suggest, and the less geeky amongst you are probably breathing a sigh of relief, that I've written quite enough about cryptography and the cloud recently and don't need to revisit that particular ground on this occasion. If you've not realised by now that encryption is, if you'll excuse the pun, key to data security at rest and in transit then you are probably not taking this data protection thing seriously. I will try once more though and point you at a bunch of Cloud Pro articles that are worth reading if you missed them the first time: Bring Your Own Key, Searchable Strong Encryption and Edward Snowden, the unlikely saviour of the cloud.

RELATED CONTENT

Webinar screen with smiling man wearing black shirt and blue jacket looking out of shot

(Image credit: HPE)

Why taking ownership of resiliency is critical to cloud success

Solutions Experts from HPE share their perspectives on the resiliency challenges of cloud adoption and the need to make conscious decisions about your workloads and data

WATCH HERE

Counterveillance: of the three heads, this is the one I would chance my arm you probably haven't heard of, yet there can be no understating the importance of it as a string to your strategic data-security bow.

I appreciate that I said I would stop the Star Wars misquoting, but there's an actual quote from Yoda that fits the bill far too well to ignore when trying to explain what counterveillance is, namely: 'Ready are you? What know you of ready?'

Counterveillance is, simply put, a method of detecting and blocking zero-days and Advanced Persistent Threats (APTs) that allow the remote control or spying on mobile devices and their data ports. Devices, and here's the point, that are almost by definition going to be connecting to the cloud. I am almost ashamed to admit that I only heard the term for the first time this month during the annual consumer tech-fest that is CES, but it immediately struck a chord which resonates through the enterprise security space.

This isn't going to turn into a plug for the company that was pushing the counterveillance concept to drive customers towards it product line, but think of it instead as a plug for the concept itself. It ties in neatly with the data security strand of the cyber-resilience idea, addressing one of the gaps that endpoint security misses - control over open mobile device data ports. And don't be fooled into thinking it's just a bit of a snazzier name for Data Leak Protection (DLP), counterveillance comes with the added protective ingredients of app permissions management and granular policy-based controls.

All of this leads me nicely into cyber-resilience, the central head of our cloud-based data guard dog.

Cyber-resilience - this, and I admit it's maybe a controversial viewpoint - is where the cloud really moves into the premier league of strategic security tools. This is because it provides the kind of broad vision that is required when thinking about IT security within the enterprise today.

There is, unfortunately, a certain inevitability about your data coming under attack. Security incidents will happen, the threat landscape is such that the odds are mightily stacked against any other scenario. So with that inevitability in mind, the enterprise needs to start thinking about cyber-security in a different way; in a way that understands the security aspects are just a part, an important part I grant you but nonetheless a part only, of a bigger strategic plan.

Whereas security strategy might traditionally be thought of in terms of defence (what are the threats and how can we prevent them from impacting upon us) a cyber-resilience strategy adds response to the mix. This is where something else I have been banging on about here for months comes into play, defining the value of your data and the risks to your business should it be compromised. Once you understand the data which is most valuable and which would, in the event of a breach cause the greatest loss (reputational damage, bottom line financial impact, business disruption etc) then you can start implementing a better data security strategy to protect it.

Someone once told me that security has to be about outputs as much as inputs. By which he meant that it's not enough to focus just on the threats to your data, or the regulatory compliance check boxes but that it was imperative to look at the potential outcomes and consequences of any risk assessment as well.

Get this bit right and you can focus your attention, and your resources, on the threats to those now clearly identified key assets instead of taking the grapeshot approach to data defence. That focus will include processes, technologies and people; that focus will drive you to the cloud one way or another. The cloud allows your data to be encrypted both in transit and at rest, with options available for secure key ownership and management, yet still provides an offsite storage facility that makes budgetary, bottom line, sense.

Increasingly the cloud, when implemented correctly, which means migration only after a proper process of due diligence, has the potential to provide the resilience in any threat mitigation equation. Start moving away from a position that is purely security-led to one that embraces resilience and you gain a new perspective on things.

Instead of thinking in terms of asking why security measure x is not in place or how much it will cost to implement security measure y, you can instead see that the clever thought process turns to asking what business assets need protecting and what will be the most cost effective measures to do so. Thinking about cloud data security in isolation from disaster recovery and business continuity cannot be acceptable any more, they have to be part of a targeted risk reduction plan, part of a cyber-resilience strategy, part of a cloud-based approach to your business.

If the cloud-based components match your business needs, and if you can get to grips with the location-based stuff to enable that regulatory compliance 'being in control' chestnut, then you are a long way to achieving resilience nirvana. You just have to get your risk decisions correct, and when migrating to the cloud there will be a whole series of these, one after the other.

All of which brings me nicely back to where I started, with the key to achieving this state of cloud data nirvana simply being an understanding of what the risks are in the first place and not letting the nay-sayers and cloud sceptics drag you to the dark side...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.