Cloud, Mobile, Social Creating Security Conundrums
The rise of cloud services, mobility and social media is creating a new security paradigm and companies are having difficulty keeping up.
In its 2011 Global Information Security Survey, Ernst & Young found that cloud, mobile and social are three key trends affecting information security and businesses are struggling to maintain tight control as these new models take hold within their organizations. The survey probed 1,700 IT and security executives across various industries in more than 50 countries.
During a webinar discussing the survey's findings, Ernst & Young said 61 percent of respondents are currently using or evaluating cloud services within the next year. Ernst & Young Information Security Leader Jose Granado said the increase in cloud usage is prompting new questions around security, as companies question where their data is stored, who has access to it and whether it's co-mingling with other data.
"We're not saying that 61 percent are rushing to the public cloud," he said, noting that cloud services will be a mix of public, private and hybrid environments moving forward.
The survey also found that 52 percent of organizations said they have not implemented controls to mitigate new risks related to the use of the cloud, and 90 percent said they believe that external certifications would increase their trust in cloud computing.
Granado said that it appears the industry rushed into the cloud and didn't pay close enough attention to some of the risks involved, which are coming to light more as the cloud matures.
"I don't think we've thought through as a discipline what all of the risks are," he said.
Some of the new risks and challenges cloud computing presents include new compliance and privacy concerns; information security and data integrity; governance, risk management and assurance; and regulatory impacts.
Ernst & Young recommends companies trust, but verify cloud services through their vendors, partners and providers; and plan for continuity while selecting providers that are transparent about backup and failover. It's also recommended that companies use standard security processes and techniques that have worked in the past and align them to cloud, such as access control and other data protection techniques. And it is increasingly important to align business and information security strategies, the research indicates.
Meanwhile, regarding the mobility revolution, the Ernst & Young research found that 80 percent of organizations are either using, evaluating or planning to use tablets in their businesses, yet just 57 percent of respondents have made policy adjustments to mitigate the risks related to mobile computing and 52 percent leverage some form of security awareness activity.
Granado said that the consumerization of IT is partially to blame for the mobile deluge and the need to secure it.
"The consumer side is driving the business," he said. "That's the change. That's the transformative event."
When it comes to mobility, Ernst & Young recommends that companies establish governance and guidance for the use of mobile devices and products; use encryption as a fundamental control; and perform attack and penetration testing on mobile apps before they're deployed.
According to Mike Herrinton, Ernst & Young partner, "the train's moving" when it comes to mobility and companies need to get up to speed and keep pace with the evolving mobile landscape. And Granado added that mobile security isn't just a concern for IT.
"This is everyone's responsibility …," he said. "It's not just IT's responsibility."
Lastly, as the use of social media and social networking sites continues to explode, Ernst & Young's survey found that 40 percent of respondents rated social media issues as challenging or significantly challenging. And the most frequently taken measures to mitigate social media-related risks were offering limited or no access to social media sites, 53 percent; or making policy adjustments, 46 percent.
But Steve Holt, Ernst & Young Financial Services Information Security lead, said that limiting and not allowing access to social media sites isn't an adequate response. "Employees will always find a way around that," he said. Holt said companies should start talking about using technology to reduce the risks social media use can introduce. He recommended that companies re-evaluate hard-and-fast policies that prohibit or limit social media use and embrace the platforms.