Ask any manufacturer what their most valuable data is, and inevitably you'll be told intellectual property (IP). IP is the lifeblood of business; it is the building block of competitive advantage, and protecting it is critical to the success of manufacturing organizations.
Unfortunately, stealing intellectual property has supplanted achieving notoriety as malware authors' primary motivation, and their attacks are growing increasingly sophisticated and insidious. This is evidenced by attacks such as Hydraq, Stuxnet and recent thefts of proprietary designs and programs from large corporations. Now, as more companies explore cloud computing-based services, they are faced with new security threats to information. The reason is very simply financial gain -- hackers are looking to monetize their attacks, and it's not just credit card data they want anymore. According to a May 2009 federal report, American businesses lost more than $1 trillion worth of IP due to cyber attacks between 2008 and 2009.
For manufacturers who must manage and store volumes of confidential plans and IP, the task of protecting this sensitive information contained in documents, spreadsheets and product design files is more important than ever before. However, locating and protecting IP throughout an organization has become much more difficult. That's because IP commingles with other unstructured data and proliferates in highly dispersed locations across the organization: folders on file servers, on laptops, tucked inside USB drives and now in the cloud.
The cloud brings unique opportunities and challenges for organizations. With cloud computing, IT resources can scale almost immediately in response to business needs and can be delivered under a predictable (and cost-effective) pay-as-you-go model. While the potential cost and efficiency benefits of migrating to the cloud hold a great deal of promise in data-intensive industries like manufacturing, the open accessibility of the cloud platform makes protecting IP all the more critical.
Whether you are using third-party cloud applications or infrastructure or building cloud-like services yourself, one of the biggest challenges in moving applications to a cloud is security, and more specifically, data access control. Manufacturers must be confident their data is protected, whether at rest or in motion. But most organizations lack the procedures, policies and tools to ensure that sensitive information they put in the cloud remains secure. In fact, a recent cloud security survey from Symantec shows only 27% have procedures for approving cloud applications that use sensitive or confidential information.
However, when push comes to shove, you want to ensure your information is protected, whether it's in your network or the cloud. Even though devices, networks, core infrastructure and providers may be out of your control, your data and your users' interactions are not.
Taking an information-centric approach when making the move to cloud computing will help you to mitigate risk. Consider the following as you think about moving your infrastructure -- and your data -- to the cloud.
Conduct a full risk assessment before you contract with any cloud provider. Do their security standards meet the needs of your business? Even the smallest entry point can create an opening for unauthorized access and theft. The cloud provider should offer a broad set of security solutions enabling an information-centric approach to securing critical interfaces -- between services and end users, private and public services, as well as virtual and physical cloud infrastructures.
But don't just look at the provider's security and compliance activities; also consider how stringently they apply their policies to their subcontractors, how easily you can migrate your data to another platform at the end of a contract, and how likely the provider is to drop offline or go bankrupt.
Cloud standards bodies, like the Cloud Security Alliance, have already published frameworks and benchmarks you can use to conduct your assessment.
Policies and Procedures for Handling IP
Certainly, not all applications and data are ideally suited for the cloud. That's why it's important to ensure that policies outline what information is considered sensitive and proprietary and how to handle this data with respect to the cloud. Manufacturers should identify the top categories of sensitive content and develop data loss prevention (DLP)-based detection rules to detect and protect that data before it goes to the cloud. Modern DLP systems are now quite capable of providing such detection and preventing sensitive IP from leaking into the cloud unprotected.
Evaluate Your Own Security
Manufacturers also need to look at how their own security works in a cloud environment. Ask yourself if you can adequately protect your data and your user identities beyond the perimeter. Traditional security techniques such as authentication and encryption will play a vital role in securing your own information and identities in the cloud.
You should limit user privileges, including the privileges of your administrators. Rogue admins are a big source of security breaches in the cloud, just as they are in traditional computing. Strong passwords are still important, even if you have limited user access rights and segregated systems. Two-factor authentication is better, and cloud-based strong authentication gives access to this extra layer of identity verification without the cost and management overhead of traditional implementations. Risk-based authentication balances security against ease of access, which is one goal of using the cloud. You can also leverage single-sign-on and federated identity systems to pass authentication details between trusted providers -- SAML and OATH are two options.
Encryption of your data in storage and in motion is a critical measure for guarding against threats from all sides, including from your providers' staff. Furthermore, some organizations may want to augment encryption controls with DLP to prevent data leaks to the cloud. Supplementing encryption with DLP may be one of the best overall solutions for organizations deeply concerned about security, but also dealing with mandates to leverage the power of public clouds more aggressively.
And endpoint security is still important, even if you don't control all the devices accessing a public cloud service. Firewalls, anti-virus, VPN connections and a strict patching policy are standard measures that you should continue to use as part of a "security in depth" strategy.
Prior to deploying cloud technology, manufacturers should formally train employees in how to mitigate the security risks specific to the new technology to make sure sensitive and confidential information is protected. Equally important is implementing a strong governance framework. Manufacturers must gather information from providers and from their own systems, and monitor for security events and compliance with accepted best practice and specific regulations and standards where appropriate. Check that your providers are fulfilling their SLAs and contracted obligations. Plan for how you'll respond to and remediate problems.
By thoroughly assessing the risk of moving information to the cloud and taking the proactive steps discussed above, manufacturers can leverage the cloud and realize the efficiencies that it offers while simultaneously protecting their crown jewels -- their high-value IP -- in the increasingly complex threat landscape.
Elliott is responsible for Global Cloud Marketing at Symantec, is an active member of the Cloud Security Alliance (CSA) and participates on the CSA Solution Provider Advisory Council.