Posts from ‘MFT’
Cloud security is the new great debate
Last week I ranted a bit about the importance of governing your cloud vendors. At about the same time, Ipswitch’s Frank Kenney participated in a panel discussion on cloud security at the Interop conference in Las Vegas.
As you know, there is great debate over whether cloud services are secure enough for businesses to use. I believe that the cloud model will quickly evolve and prove itself to a point where security is deemed no riskier than doing business with solely on-premises tools.
I also believe that member-driven organizations such as the Cloud Security Alliance – which focus on providing security assurance within Cloud Computing – will help us get there.
At the Interop discussion, Frank Kenney spoke about the safety of the cloud, here’s what he had to say:
“Cloud customers have the obligation to assess the risk of allowing data to be stored in a cloud based on how valuable it is to the customers…. The cloud is as secure as you want it to be.
Cloud services can provide value if performance and service-level agreements align with what customers need. If not, customers shouldn’t buy them. It’s not ‘the sky is falling’. Assign risks appropriately. Security is just one of many things you have to do.”
Take a quick read of Google’s Terms of Service or Amazon EC2’s SLA Exclusions and you’ll see examples of how cloud platform vendors limit their governance and control responsibility.
So what happens when you put your business in the cloud and then the cloud goes down? Just ask Foursquare, Hootsuite, Reddit, Quora and others who endured the recent EC2 outage that hobbled their websites, resulting in lost revenue and strained customer support teams.
Chances are some of your critical business processes have already moved to the cloud. But you still need to know the instant one of them fails.
So how should you treat vendor platforms such as Salesforce.com, Amazon EC2, Rackspace Cloud Files and Microsoft Azure?
As the saying goes, “don’t rely on a fox to guard the chicken coop”. Don’t rely solely on your service providers to alert you of inaccuracies or outages that they themselves have caused…. Service provider dashboards will be of no use when they themselves are responsible for failure. A governed pipe will instantly give you that information.
Our suggestion is to treat cloud platform vendors the same way you would treat any other vendor. Manage all file and data interactions, with visibility, management and enforcement… And carefully craft SLAs that represent end-to-end services and link them to easily trackable key performance indicators. Cloud does not solve all your data issues on its own, but you can and should leverage your Managed File Transfer (MFT) solution to extend and govern the cloud.
Security researcher Derek Newton and a few Dropbox users have found a significant security hole in Dropbox. They published their results and Dropbox responded.
Dropbox’s response is not adequate. It’s not enough for them to bury their head in the sand and to say that this security gap is not their problem if a hacker has physical access to the computer. The very nature of Dropbox lets its users increase their physical presence onto many more computers. As such, these users are increasing the risk of their information being stolen and their businesses being compromised.
Instead, Dropbox needs to say what steps they are taking to close this security gap. If Dropbox wants to minimize the impact to their business and to increase their presence as a responsible corporate citizen, Dropbox needs to make this security issue theirs to resolve.
Encryption is the best way for Dropbox to proceed right now. Encrypting their configuration files would be the first and best place to start. Second, Dropbox (like Google or my credit card company) should monitor users’ accounts for unusual activity. Whenever they notice a blip or a change in user’s activity, they should send the user an email or SMS.
Third, no application or user should be given implicit access to a user’s files. All access needs to be explicit. An end user needs to specify each application and user that has permission to view, update, copy or remove their files.
As all our transactions become electronic, it’s more important than ever that securing the data, securing access to the data without compromising usability and authorized access is the number one requirement for software vendors.
Did you know that Managed File Transfer solutions have become the most widely used mechanisms for integrating your applications and processes with those of your customers and partners?
Are you feeling frustrated by your middleware’s inability to handle data or large files?
Join us to learn more about how MFT can gracefully extend your Enterprise Service Bus (ESB) suite and integrate into your existing enterprise technology. We’ll also cover the governance benefits of integrating MFT with B2B processes and applications (such as governing your file transfers can solve 60-70% of your compliance and regulatory issues).
- Speaker: L. Frank Kenney, VP of Global Strategy at Ipswitch
- Date: Wednesday, March 16, 2011
- Time: 11:00AM ET
