IT security is a non-negotiable part of any successful business plan. In today’s changing landscape, businesses must be protected from end to end. We sat down with Involta’s Chief Information Security Officer, Annalea Ilg, to discuss some of the most pressing security challenges companies face today. In the second of our three-blog series, Annalea explores data security and identity management in both public and private cloud environments.
The cyber security skills gap remains worryingly wide, and a new generation of cyber criminals are enthusiastically probing cloud-based services for vulnerabilities. Many employees in the enterprise remain uncertain about what degree they are responsible for when it comes to securing their data.
Organizations are often hesitant about moving to the public cloud because it means moving away from the idea of being able to touch their servers physically. Personally, I fully support the public cloud. It has some pretty amazing security options built in, but here's the problem: organizations don’t always incorporate a solid security framework with the assumption that “security is enabled by default.”
Public cloud migration should be approached strategically. First, you must understand your business drivers and how technology can help your organization get to the finish line. Next, think about the security and compliance that comes with those technologies or what those technologies need to have wrapped around them. Built-in security features are great, but without governance, they are often used incorrectly. You need people to do ongoing configuration management and maintenance, so the security component remains a top priority.
The public cloud has out-of-the-box audits and automated patching implementation that are ready in various compliance arenas, but you will still need to enable and apply it to your servers. The public cloud can become a very high-touch, self-service model, which is why many organizations add a managed services component to their public cloud solution. The bottom line is that your public cloud migration plan needs to be well thought out and security still needs to be considered part of that plan. Working with a knowledgeable IT solutions provider to implement your public cloud migration and assist with the ongoing management of your environment is a smart strategy for continued success.
Where does the ownership of the management of user privileges belong in the organization?
Keeping user privileges current is a critical aspect of an IT security strategy that can be easy to overlooked. When organizations have outdated records or users with access they no longer need, it opens pockets of risk that can be exploited by cyber criminals. Designating a person or team to be responsible for maintaining these records protects your organization significantly.
Ownership always depends on your environment, processes, and business needs. Access administration is most successful when you have a dedicated team defining and assigning roles within a security team - ensuring a dedicated focus and consistent maintenance. However, manual access administration is slowly changing to incorporate tools around identity management. These tools help prevent credentials from being stolen. There are several of these tools in the marketplace, and Involta recommends exploring the next command generation of Identity Management. It’s okay if you don't have a budget for these tools. Access administration can still be successful when you have a person or dedicated team focused on managing and maintaining access for your entire organization.
About Annalea Ilg
Annalea Ilg, Chief Information Security Officer (CISO), joined Involta with more than 15 years of information security and compliance experience. As CISO, Ilg runs the Quality, Security, and Compliance department. She manages holistic risk, and provides valuable solutions to protect the security, integrity, and continuity of critical organizational functions, and a team of forty individuals within Security, Service Management, Project Management, Compliance and Vendor Management. Ilg is passionate about solving risk, promoting culture change, development and executing strategy into leading-edge technical solutions.