Kalyani M., Author at The Privacy Post - Page 2 of 21


Managing Disaster Recovery in the Cloud

Posted by on Mar 18, 2014

Cloud based disaster recovery is the most efficient and cost effective approach for data back up.
Image from www.clearpathsg.com.

Cloud computing is attracting many enterprises because of its easy deployment, cost effectiveness, and flexibility. One of the major advantages of cloud computing is its disaster recovery approach. With this system, enterprises have a cost effective disaster recovery plan in place, and do not have to worry about deployment and maintenance of IT infrastructure or resources for disaster recovery. Cloud computing gives a completely different approach to disaster recovery. In this approach, the operating system, data and applications are integrated into a single software bundle or virtual server. This virtual server can be easily copied and backed up to an off-site data center within minutes. In comparison to conventional disaster recovery approaches, this is extremely beneficial because it is hardware independent, so it is easy to transfer information from one data center to another without the burden of installing every component of the server. The cloud-based disaster recovery approach is extremely cost effective and dramatically reduces recovery time compared to traditional approaches.

Beyond easy deployment and cost effectiveness, there are a few other benefits of a cloud-based disaster recovery approach:

  • The cloud platform manages the disaster recovery servers and storage devices effectively and reduces the impact of failure at the disaster site.
  • With the cloud it is possible to add resources on an as-needed basis with fine granularity, and optimum costs.
  • The cloud-based approach completely eliminates hardware dependencies, and reduces the hardware requirements at the backup site.
  • It can be easily automated, lowering recovery times after a disaster.

Given the benefits of cloud disaster recovery, it definitely looks like an attractive alternative for enterprises searching for reliable data storage and backup. Before implementing cloud disaster recovery, you do need to take several things into consideration. As with traditional disaster recovery, there is no single blueprint for cloud disaster recovery. Different organizations have different needs and priorities depending on the business they are in.

  • First and foremost, identify and prioritize the critical resources of your organization. Determine how much downtime is acceptable before there is a significant impact on the business. Prioritizing critical resources and determining the recovery method for each is the most important aspect of this process. Ensure that all your critical apps and systems are included in the blueprint.
  • Once you have determined the critical resources, the next step is to identify a cloud provider who is equipped to fulfill your needs. There are different cloud providers that offer different facilities. If you want to build a cloud-based disaster recovery site, then you need to find a provider with specific capabilities. Similarly, if you want to replicate data to the cloud, then you should sign up for a storage plan only and avoid paying expenses for other services.
  • After all the above-mentioned tasks are taken care of, you need to determine the cost of your cloud-based disaster recovery plan. The pricing model is comprised of various factors, like monthly subscription, the amount of bandwidth used, storage space used, and the number of VMs.

Additionally, one of the most important aspects that an enterprise needs to take into consideration is security. The cloud is vulnerable to many security attacks and breaches. Therefore, while moving to a cloud-based disaster recovery plan, enterprises should focus heavily on the security practices of the cloud service provider.

According to John Morency, research vice president at research firm Gartner, Inc. in Stamford, Connecticut, “You still see with some major events, such as the lightning strike in Dublin [in 2011] that took out the cloud services of Amazon and Microsoft, that there can be some temporary loss of service. The cloud shouldn’t be considered 100% foolproof. If organizations do need that 100% availability guaranteed they need to put some serious thought into what they need to develop for contingencies.” There are several aspects of security that enterprises should take into account before moving to cloud disaster recovery: Determine how data is transferred, stored and managed securely in the cloud. What access control mechanisms are in place? What security controls are used to protect data from unauthorized access? Apart from passwords, what extra layer of security is used to protect your data? Lastly, make sure that the cloud service provider complies with all the security rules and regulations required to maintain the privacy of data. With strong security practices and controls in place, the cloud disaster recovery approach is one of the most efficient and cost effective approaches for modern enterprises.

SpiderOak and Disaster Recovery

SpiderOak makes it easy to back up existing data and provides disaster recovery. It allows users to create and sync their local documents with a cloud version, which they can later access from any device. The system even saves revisions of documents so users can go back if they make a mistake and retrieve a previous version. SpiderOak Blue provides enterprises and large businesses with fully secure cloud storage, zero-knowledge end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud, along with 100% data privacy. SpiderOak Blue is available with onsite deployment and private servers, or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is resolved via a virtual appliance that is positioned behind your firewall and is integrated with Active Directory/LDAP for a single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android, to provide comprehensive and mobile security for companies with a remote workforce. Sign up today to try SpiderOak.


A United Front: Credit Unions & Congress Fight Back Against Data Theft

Posted by on Mar 13, 2014


Congress is working on legislation for stronger data security standards.
Image Courtesy of Glyn Lowe Photoworks

When it comes to enacting new protections and punishments for massive data breaches, like the sort recently suffered by Target stores, Congress and credit unions are joining forces to fight back. Data theft threatens virtually every industry, from online gambling and alternate currencies like Bitcoin, to established healthcare providers and insurance companies. So when it comes to protecting customer data, everyone has a hand to play and a vested interest in the outcome. Major credit unions and their representatives are pushing for stronger penalties for data breaches so that they won’t have to keep recouping the costs of identity theft that is most often the direct result of such breaches. And congressional leaders are forging ahead to enact tougher laws and disclosure requirements to take advantage of the public’s wave of frustration over lost credit card information. While pushing for strong legislation is definitely a great step towards stronger universal data security standards and consumer protections, enterprises shouldn’t wait around for Congress to decide on a final plan. Instead, proactive businesses should stay ahead of the curve while gaining fierce brand loyalty by keeping consumer data private and anonymous through secure cloud storage and sync solutions.

As if the well-publicized case of Target wasn’t enough to turn the tide of industry standards towards strong data security, a recent breach of records at the University of Northern Iowa has added fuel to the flame. Hackers were able to breach the school’s system to retrieve federal tax return refunds from faculty and staff. To date, around 200 UNI workers have suffered tax-filing complications due to the breach, which indicates fraudulent use of their data. According to UNI secretary Darnell Cole-Taylor, “With my information out there, who’s to say that somebody, two years from now, a year from now, won’t use that to do something illegal?” Such are the inherent complications of identity theft; the victim suffers for years, having to keep a vigilant eye on all financial activity in the case of a breach, as records are often sold around the world numerous times.

Many times, such breaches are due to a lack of strong security standards on the part of the victims. In an interview, Bryan Sartin, Director of the Verizon Research, Investigations, Solutions, and Knowledge Team, said, “With respect to brick-and-mortar retailers, 86% of the points of intrusion are through desktop sharing technologies. If simple two-factor authentication was used across the board on those technologies, 86% of those breaches wouldn’t happen. It’s security common sense.” Unfortunately, many enterprises have yet to enact even basic common sense security principles. In the Target breach alone, credit unions have had to cover upwards of $30 million in theft. This imbalance in responsibility has led B. Dan Berger, President and CEO of the National Association of Federal Credit Unions, to write to Congress requesting a more comprehensive national security standard. One of the most notable points requested in a federal consumer protection law would be to place the responsibility for paying for breaches entirely in the hands of negligent merchants.

Another step in the right direction is the standard set forth by NIST (the National Institute of Standards and Technology). NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” specifically provides tiered requirements for data centers revolving around five key elements: identify, protect, detect, respond, and recover. A bulked up standard based on these principles would complement breach notification laws, which, on their own, are largely ineffective. As an anonymous financial sector representative stated to RollCall, “Breach notification laws can be a useful tool to – potentially – raise awareness about data security issues, incentivize companies to invest in security and empower consumers. But the reality is that notification is after the fact. The key to data security is to prevent breaches in the first place and notification does nothing to prevent breaches except in a very indirect way.” While Senate Judiciary Chairman Patrick J. Leahy, D-Vt., spearheads efforts to impose criminal penalties on companies that fail to disclose breaches, enterprises must be proactive in the meantime. As Randy Vanderhoof, president of the Smart Card Alliance, says, “I really think the industry needs to do a better job in how it protects its information.” Such proactivity on the part of industry leaders will preempt any drastic legislation, so that companies won’t have to scramble in a mad dash to bring standards up to federal compliance. Rather, those enterprises that can show that consumer data is fiercely protected will earn loyal customers for life. They’ll also be poised to rise above their competitors that simply lie in wait for Congress to dictate security standards to them. As companies wait and figure out next steps, IT teams should look to secure cloud solutions as a feasible option for providing data privacy for sensitive information like consumer credit cards.

Protecting Customers With SpiderOak Blue

One great option available to enterprises for cloud storage is SpiderOak Blue. This secure cloud service offers 100% data privacy and user anonymity through easy storage, convenient sharing, remote syncing for a mobile workforce, and zero-knowledge end-point device backup solutions. With availability on Mac, Windows, Linux, iOS, and Android, SpiderOak provides flexible solutions to meet any company’s demands.


Protecting Medical Records in a New Era of Health Insurance

Posted by on Mar 11, 2014


With the healthcare system undergoing numerous changes, it’s important to make sure medical data is secure.
Courtesy of Greg Harbaugh/Feature Photo Service

Enterprises have scrambled to stay ahead of new regulations brought about by the Affordable Care Act, otherwise known as ObamaCare. The healthcare industry, however, is the most directly impacted by the law, as healthcare providers and insurance companies must prepare for an influx of new patients and a more widely insured populace. But as the insurance pool broadens, risk will be compounded as medical records and sensitive data become a brighter target for hacking and leaks. The best way to protect medical data in this new era of mandatory health insurance is through secure cloud storage and sync services that offer 100% data privacy and user anonymity. Anything less than full data privacy and security for medical records could result in damaged brands, exploited information, and increasingly costly HIPAA fines.

According to Norse, a cyber security firm based in St. Louis, the health care industry is a prime target for cyber attacks. In a recent study conducted by Norse, about 60% of malicious web traffic targeted healthcare providers, associates, and insurance companies. The reason for such a wide prevalence of attacks is the relative lack of proper data security in the industry. Proactive enterprises should take note and guard data well beyond HIPAA expectations to ensure that sensitive data stays private and that medical records are kept fully secure. Not only is it the ethical thing to do, but such precautions also maintain brand loyalty, especially in an age of massive public distrust in the health care industry. Larry Ponemon, chairman of the Ponemon Institute, says, “With the Internet of Things expanding the attack surface, and current HIPAA and HITECH compliance not nearly providing enough security, healthcare organizations are falling further and further behind in their efforts to secure patient data.”

This concern echoes the findings of the Ponemon Institute’s “2013 Cost of a Data Breach Study”. According to the study, 94% of healthcare providers and affiliate organizations like insurance companies had experienced some sort of data breach from 2011 to 2013. In 2013’s first quarter, over 875,000 private records were exposed due to a breach. With the HIPAA Omnibus rule, which demands up to $1.5 million per lost record in penalties, these sorts of breaches are just too costly for enterprises to ignore. A severe breach could permanently damage a provider through large HIPAA penalties and severed public trust. Even with Google’s recent announcement of HIPAA compliance through the Business Associate Agreement, products like Gmail and Google Drive simply don’t provide medical enterprises with the security needed to truly keep records and data private.

In a recent report put out by the Office of the Inspector General, it was found that state Medicaid databases could be highly vulnerable to attack. In light of such revelations, enterprises that deal with Medicaid must be highly cautious when moving forward and sharing sensitive information in order to avoid leaks and data breaches. According to Mac McMillan, CEO of the CynergisTek consulting firm, “We have seen these reports over and over again. It all stems from a lack of a good, solid framework for security and an accreditation process to ensure there is accountability.” For McMillan, vulnerabilities are established because “Poor security, inadequate controls, [and] lack of proactive monitoring all create a welcoming playground for the would-be identity thief and fraudster.” Many enterprises hastily rush out big data projects to leverage technology and stay one step ahead of competitors. In the rush, proper security measures are neglected or outright abandoned. But development teams should remember that projects must be fully secure before rollout; otherwise, all of the time and effort invested in an unguarded project could be wasted in the likely event of a data breach.

In an attempt to save a sliver of funds on proper security investment, some enterprises try to forgo secure cloud services in favor of encrypting data onsite. But history shows that trying to protect sensitive information can be difficult for even the largest organizations. AOL, Netflix, and the State of Massachusetts’s Group Insurance Commission have all suffered data breaches despite attempts at securing private data. According to Ed Felten, Princeton professor of computer science and public affairs, “A decade of computer science research shows that many data sets can be re-identified. Removing obvious identifiers is not enough to prevent re-identification. Removing all data about individuals may not be enough.” This means that even if such security measures are initially successful, a savvy hacker could undermine them by piecing together bits of scrambled data to find something exploitable. Instead of implementing disproven methods for securing data onsite, enterprises in the medical and healthcare fields should opt for tried and true protections through private cloud solutions. This will ensure that patient data is truly kept safe from external breaches and even internal leaks.

Securing Medical Records With SpiderOak Blue

Medical businesses and enterprises must keep records private in order to thrive and stave off costly HIPAA penalties. But finding a cloud service that can provide 100% data privacy and user anonymity can be difficult in a market flooded with subpar providers. A truly secure service must close off any security gaps so that data can never be leaked, attacked, or breached in any way. A great option can be found with SpiderOak Blue. This secure cloud provider offers enterprises storage, sharing, remote syncing, and zero-knowledge end-point device backup solutions. Businesses can offer their employees popular mobile and work from home opportunities while ensuring that offsite data stays safe.

SpiderOak offers IT admins a convenient central management console so that your enterprise keeps control of all of your data. Deployment is available onsite with private servers or through secured public cloud servers that provide scalable solutions. A virtual appliance positioned behind your firewall resolves authentication and offers a single sign-on through integration with your Active Directory/LDAP. SpiderOak Blue is available with Linux, Mac, and Windows operating systems along with mobile options through Android and iOS. Sign up today!


Router Security In the Cloud: Enterprises Seek Data Protection for Remote Workers

Posted by on Mar 6, 2014

As router security becomes an increasing concern, companies with remote workers are seeking data protection in the cloud.
Image Source: Flickr User Cisco Hardware at Router-switch.com

For many enterprises, security has become a chief concern in light of hacking, the spread of malware, and international cyber wars. The latest in the litany of worries over data safety comes from news of 300,000 compromised routers. While many enterprises operate on a much bigger scale than the small office and home office (SOHO) routers that were recently attacked, the growing popularity of enabling a mobile workforce and work from home policies jeopardizes sensitive company data, due to the relative insecurity of such commonly used routers. Instead of scaling back worker mobility, enterprises can still take advantage of on-the-go work and work from home solutions by securing important corporate and consumer data in a private cloud service.

According to a recent white paper put out by the security firm Team Cymru, man-in-the-middle attacks on SOHO routers have been traced to two IP addresses registered in the UK. In their SOHO Pharming paper, Team Cymru warns, “In January 2014, Team Cymru’s Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS [domain name system] settings in central Europe.” Furthermore, the scale of the attacks is alarming. The paper reads, “To date, we have identified 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one of which dates back to at least mid-December 2013.”

The implications of this large-scale attack are far reaching and should concern enterprises, as it could mean the presence of a new hacktivist botnet. As F-Secure security analyst Sean Sullivan says, “Until a clear business model comes to light, nothing’s off the table. Is this some type of hacktivist botnet? It seems like a possible fit.” Many enterprises are not equipped to address such a botnet attack, as Sullivan notes, “Traditional botnets are limited in usefulness as far as DDoS goes. I’ve read compelling research on the topic of servers being targeted and it seems probable that routers would also be useful.” With servers and routers both being targeted, enterprises must establish clear security protocols that protect sensitive data both onsite and offsite for remote workers.

As of yet, the reason behind such attacks is still unclear. Steve Santorelli of Team Cymru recently told the BBC that as technology grows, so will cybercrime: “It’s a definite evolution in technology – going after the Internet gateway, not the end machine. We see these leaps in concepts every few years in cybercrime.” In order to stay ahead of innovations in cybercrime, enterprises must make data security a top priority. In a BitSight survey of the S&P 500, it was found that between 68% and 82% of the S&P 500 had suffered a data compromise. Only 18% had good SSL certificates and 24% had good SPF records.

What’s the reason for such negligence? For many companies, development trumps security. As shown by a Trustwave survey of 800 IT professionals, 4 out of 5 were pressured to roll out IT projects in the face of glaring security gaps. Another study by Tripwire shows that about 80% of Amazon’s top selling SOHO wireless routers have security gaps that leave them vulnerable to third party attacks. Ultimately, when rolling out security measures, enterprises should cover all bases so that data stays safe onsite and at home, where mobile workers could be accessing sensitive information through insecure SOHO devices.

Router Security & Safe Mobility with SpiderOak Blue

Many enterprises have a hard time finding a private third party cloud service that can offer true data privacy. An unsecured cloud provider could leave sensitive data wide open to leaks or attacks, and in the case of the recent wave of router attacks, such unsecured clouds would open up an added danger to mobile workers or work from home employees. In a market flooded with subpar security standards, a notable option lies in the services of SpiderOak Blue. This storage and sync service for enterprises offers 100% data privacy through zero-knowledge end-point device backup, mobile syncing and sharing, as well as cloud storage. Through SpiderOak Blue, enterprises can utilize onsite deployment through their own private servers or, for companies that prefer more scalable solutions, SpiderOak also offers outsourced deployment with a private cloud server.

The secured authentication system is handled with a virtual appliance that sits behind an enterprise’s firewall, and signing on is simplified through Active Directory/LDAP integration. SpiderOak Blue is completely compatible with Mac, Windows, and Linux, as well as iOS and Android for mobile security on the go and at home. With the rising popularity of work from home solutions, enterprises can leverage competitive work benefits to a growing sector of workers that seek such mobility while keeping corporate and consumer data safe from hackers, leaks, and even insecure routers. Whatever the next cyber crime innovation may be, SpiderOak helps businesses proactively stay a step ahead.


Digital Currency Concerns: Bitcoin Security in the Cloud

Posted by on Mar 4, 2014


Bitcoin digital currency has been the focus of some attacks, but will it still gain traction among large enterprises?
Image Courtesy of Flickr User anatanacoins

For tech-savvy early adopters and enterprises seeking to stay ahead of technological innovations, Bitcoin has been presented as if it were a digital gold mine. This decentralized digital currency works through value transfers that are not yet regulated by any country, corporation, or bank. Bitcoin isn’t backed by solid assets, so its value tends to fluctuate with user investment, jumping from $150 USD to $1,000 USD in just a matter of months. While many enterprises have stayed away from Bitcoin use or investment until the legal issues are all cleared up, those that want to stay ahead of the curve can still take advantage of the currency while keeping their assets safe through private key storage and sync with a secure cloud service.

One of the burgeoning industries for Bitcoin is online gambling. Last July, Bitcoin gambling site Satoshidice.com was sold for 126,315 Bitcoins, or about $12.4 million US dollars. In a testament to Bitcoin’s appeal, that initial sale is now worth about $70 million USD. According to many estimates, Bitcoin’s transactions are still primarily relegated to gambling with around 50-60% of total transactions garnered by online gambling sites. One of the reasons that companies are wary of the digital currency is the recent wave of attacks and lost assets.

Last February, Mt. Gox, a Bitcoin exchange service based in Japan, froze withdrawals only to indefinitely close transactions at the end of the month due to a technical error. This error, termed “transaction malleability”, boiled down to invalidated hashes resulting in modified transactions. Ultimately, users lost a total of 744,408 Bitcoins, which went unnoticed. Mt. Gox was previously notorious for its link to the underground criminal online store called Silk Road. According to Silk Road’s founder, Dread Pirate Roberts, “We’ve [Silk Road] won the State’s [U.S.] War on Drugs because of Bitcoin.” Such massive loss of assets and association with the criminal underworld have kept many enterprises at bay, but the staying power of Bitcoin means that development and IT teams should begin to discuss how they will interact with Bitcoin in the future.

As Bitcoin gains traction around the world, it will face more attacks. Uri Rivner, head of cyber strategy at BioCatch, recently told the RSA Conference, “The Bitcoin exchanges are basically sitting ducks” due to their vulnerability to broad strains of malware. According to Rivner, “if you are inside a Bitcoin exchange, you can get away with all their Bitcoin…it’s like robbing not a branch of the Bank of America, but all of Bank of America.” The ability for Bitcoin exchanges to lose everything in a single attack should give such exchanges and investing enterprises caution. When it comes to securing Bitcoin wallets and keys, only secure cloud storage should be trusted. In the words of cyber security expert Brian Krebs, “Anyone who plays in this space, you better have a plan for when an attack happens because it’s going to be a when, not an if.”

Whether it is the introduction of online sales or the rising popularity of Bitcoin, any new technology is bound to cause concern over security and privacy. Rather than abstaining from the benefits of Bitcoin, enterprises should consider rolling out plans to securely utilize the currency to offer users more choice, while protecting Bitcoin wallets and keys through a cloud service that offers data anonymity. Simple precautions to consider include limiting employee access to Bitcoin wallets, storing user keys offline or in a secure cloud, and backing up private copies of Bitcoin wallets in case of server or device failure.

Bitcoin Security & Key Protection through SpiderOak Blue

For early adopting enterprises seeking to jump on board the Bitcoin train, finding a truly protected third party cloud service can be a challenge. Many “secure” services on the market have glaring security gaps that leave private data and sensitive company info wide open to third party attacks, internal leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak Blue. This service provides enterprises and large businesses with fully secure cloud storage, zero-knowledge end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud along with 100% data privacy so that companies can utilize Bitcoin without assuming the currency’s massive risk.

SpiderOak Blue is available with onsite deployment and private servers, or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is resolved via a virtual appliance that is positioned behind your firewall and is integrated with Active Directory/LDAP for a single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android to provide comprehensive and mobile security for companies with a remote workforce. So no more worries about digital wallet breaches and lost assets; SpiderOak Blue completely covers your corporate and consumer data both onsite and offsite. And IT Admins will jump on board as SpiderOak features a convenient and secure central management console, giving your organization full control over and ownership of your data and Bitcoin keys.


Don’t Wait For Data Legislation: Get Ahead of It

Posted by on Feb 27, 2014


FCC Chairman Genachowski Speaks About Consumer Protection


In the wake of the stunning data breach suffered by Target late last year, proactive enterprises have already started to draft and enact better security standards to protect corporate and customer data. Such data breaches irreversibly tarnish brands by establishing a bad corporate reputation and losing consumer trust that can be incredibly hard to earn back. Congress has started to discuss legislation that would provide a federal security standard along with consumer protections, but instead of waiting around for legislation that must be responded to, the best enterprises will leverage technology in their favor by seeking out fully secure solutions to data storage and syncing. Being able to proactively protect data not only offers peace of mind, but also allows enterprises to market themselves as fierce defenders of their consumers’ privacy, earning lifelong trust and better branding.

Attorney General Eric Holder recently raised public awareness of the need for a federal data breach notification standard, in which American consumers would be legally entitled to notification of loss of consumer data within a specific time frame. This consumer data loss would include such sensitive information as credit card numbers, debit card pins, and personal information like billing addresses. According to Holder, such future legislation “would enable law enforcement to better investigate these [data breach] crimes – and hold compromised entities accountable when they fail to keep sensitive information safe.” Companies that haven’t begun the framework and planning necessary to meet such standards will have to allocate precious time and resources in a mad scramble to meet requirements once such legislation is passed. And, given recent high-profile data breaches, the passage of such legislation is almost guaranteed. According to Tom Kellermann, managing director of consumer protection at Alvarez & Marsal, “When you are a victim of attack, time is of the essence in terms of how you react…There have been many instances where corporations have waited months to report that a breach occurred, and during that time, identity theft cases have dramatically grown in number.”

For many consumers, enterprises that proactively seek to protect their data are worth fierce brand loyalty, especially as the perception is that such protections are the exception rather than the norm. According to U.S. attorney for the Southern District of New York Preet Bharara, “Corporations may wait days or even weeks and months, or never disclose the attacks at all, for fear of exposing proprietary information…but doing so makes it much harder to identify the perpetrator and prevent future economic injury.” As Bharara notes, “It’s not just a law enforcement problem; it’s a corporate culture problem also.” Rather than trailing the mainstream in reactive crisis management, strategic enterprises will be proactive.

While there is some resistance among certain states to adopting a federal standard, the increase in data breaches all but assures some kind of universal protocol in the near future. Another reason to stay ahead of consumer data protection legislation is that these recent cases may be the result of organized crime. As Zscaler cyber security expert Michael Sutton asserts, “There is certainly a real element of sophistication here…There would have needed to be some reconnaissance up front to understand the network that was being targeted, the hardware and software that they were going after. They would have had to customize the malware that they used and then figured out means of exfiltrating that data and doing so without being detected…I think that we’re seeing the tip of the iceberg here. Because yes, Target was the first and now we’re starting to see other retailers, Neiman Marcus, Michaels have also stepped forward.” In the case of Neiman Marcus, a data breach has resulted in exposed credit card information, with 9,200 cards already having been used fraudulently since the report of the attack. Robert Sadowski, director of technology solutions at RSA Security, has noted that card-data networks and general-purpose networks should be separated, but that such segmentation is far from the norm when it comes to enterprise data standards.

Branding Security & Trust With SpiderOak Blue

For proactive enterprises, searching for a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have glaring security gaps that leave private data and sensitive company information wide open to third-party attacks, internal leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak Blue. This service provides enterprises and large businesses with fully secure cloud storage, zero-knowledge end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud along with 100% data privacy.

SpiderOak Blue is available with onsite deployment on private servers or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is handled by a virtual appliance that sits behind your firewall and integrates with Active Directory/LDAP for single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android, to provide comprehensive and mobile security for companies with a remote workforce. So there is no need to worry about data breaches and damaged brands: SpiderOak Blue completely covers your corporate and consumer data both onsite and offsite. And IT admins will jump onboard, as SpiderOak features a convenient and secure central management console giving your organization full control over and ownership of your data.

Generational Risk: Millennials & Data Security

Posted by on Feb 25, 2014

IT, Finance, & The Threat to Data Safety.
Image Source: Softchoice

Millennials are typically seen as the go-to generation for all things tech-related. So it may come as a big surprise that recent surveys indicate that lax generational attitudes toward data security could jeopardize the safety of your enterprise’s data. This flies in the face of the recent trend of reverse mentoring, in which younger workers share their tech habits with older workers. When the habits are bad ones, such practices could cause entire organizations to adopt unsafe data storage and syncing techniques, leaving sensitive corporate information open to attack or leakage.

The best way to protect such data is through strong internal systems and the adoption of secure storage and sync services. A recent survey put out by Softchoice is changing the way enterprises view their Millennial workers. According to the research, 28.5% of 20-somethings have their passwords kept in plain sight. This is in comparison with 10.8% of Baby Boomers. So it’s clear that the common wisdom that younger generations are inherently more data-secure falls flat on its face. The survey also found that the lack of secure password storage went hand in hand with syncing sensitive files to unprotected devices for the convenience of working from home. As Millennials are more likely than other generations to push for mobile or work-from-home options, companies need to find secure solutions to handle this trend without putting their data at risk.

The Softchoice survey also showed that regardless of generation, workers who use the cloud tend to be less stringent about keeping data secure than those who do not. Surprisingly, this goes for IT staff as well. This shows a massive need for services that can leverage the cloud while providing data security both in-house and on mobile devices. Simply relying on strong passwords has proven largely ineffective against data breaches, attacks, and leaks. In a Fortinet survey of Generation X (those between 33 and 48) and Millennials (those between 18 and 32), it was found that about 40% of respondents across generations never changed their password unless required to do so by company protocol. This negligence, combined with the fact that even hashed and salted password stores get breached, shows that strong and regularly changed passwords are not enough to truly secure sensitive company data.

Millennials do rely on technology more than other generations and demand greater mobility, as current work trends indicate. Many enterprises have jumped onboard for the sake of convenience and morale, although often without doing the work of keeping their data safe in the process. As work moves increasingly to networks and mobile devices, it’s important not to lose sight of the true cost of a data breach. As Nick Stamos, CEO of nCrypted Cloud, cautions, “The enterprise needs a network-agnostic, device-agnostic, app-agnostic approach.” Furthermore, he claims that company networks “should be considered untrusted, and open to anyone onsite.” This level of caution keeps companies from relying on generational tech-savvy employees to keep their data safe and brings information security into a new era of proactivity. But concern should not translate into a fear that keeps enterprises from leveraging good technology. Instead, as Dan Dearing, vice president of marketing at MobileSpaces, points out, there is a need for a strategy that “focuses less on the device and more on applications and data. That will provide the enterprise with the security that it requires while giving workers the freedom and flexibility that they want.” The best way to achieve this is through a secure cloud storage and sync service that protects mobile users as well as in-house data.

A Solution With SpiderOak Blue

For most enterprises, finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have glaring security gaps that leave private data and sensitive company information wide open to third-party attacks, internal leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak Blue. This service provides enterprises and large businesses with fully secure cloud storage, zero-knowledge end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud along with 100% data privacy. SpiderOak Blue is available with onsite deployment on private servers or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is handled by a virtual appliance that sits behind your firewall and integrates with Active Directory/LDAP for single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android, to provide comprehensive and mobile security for companies with a remote workforce. So there is no need to worry about oversight or lax security attitudes among Millennial workers: SpiderOak Blue covers your data completely both onsite and offsite. And IT admins will jump onboard, as SpiderOak features a convenient and secure central management console giving your organization full control over and ownership of your data. Sign up today to try SpiderOak.

NSA Surveillance Taking a Toll on U.S. Cloud Computing Companies

Posted by on Feb 20, 2014

The NSA surveillance might affect U.S. cloud computing companies negatively.
Image from firmex.com/

Recently we have examined both the conveniences and concerns regarding cloud services, and the conversation is most likely far from over. National Security Agency surveillance has definitely raised concerns about the privacy of user data in cloud services. Documents leaked by Edward Snowden indicate that the NSA has been collecting huge amounts of user data by cracking encryption technologies, using backdoor methods, and in some cases serving legal notice. As enterprises use well-known cloud services like Amazon or Google, the PRISM revelations might have a negative impact on U.S. cloud storage companies, since the surveillance activities of the spy agency have taken a toll on the reputation of technology companies. People are becoming increasingly concerned about the privacy and security of their data stored in the cloud.

The NSA is basically devising all possible ways to break the security controls on the web to track and collect huge amounts of user data. The news about the NSA cracking the encryption of common online security products and placing backdoors at access points can further undermine the confidence of foreign businesses. The NSA has been successful in cracking the majority of the encryption codes on the Web by using supercomputers, technical trickery, court orders, and behind-the-scenes persuasion. Apart from deciphering the encryption of online products, the NSA has devised programs to deliberately insert vulnerabilities into commercial products, so that it may collect more information by exploiting those vulnerabilities. The NSA asks these companies to deliberately change their products in undetectable ways, such as leaking encryption keys, making random number generators less random, adding a common exponent to a public-key exchange protocol, and so on.

According to research done by the Information Technology and Innovation Foundation (ITIF), NSA surveillance may end up costing U.S. cloud service companies $22 billion through 2016. The ITIF prediction assumes that the U.S. might lose about 10% of its cloud computing market to European and Asian competitors. The United States is considered a leader in cloud computing usage and innovation, but the PRISM revelations might cause a shift away from leading data storage providers like Google, Yahoo, and IBM. Salesforce.com recently lost one of its major clients due to government surveillance activities. This is just one example of the negative impact of surveillance on cloud services. In the future, if the government does not take a stand on reforming the surveillance programs, cloud service companies in this country might have to bear huge losses.

Taking all of these security concerns into consideration, many companies have asked the government to allow them to publish transparency reports on the mass data collection requests made by the NSA. In order to gain the trust of their customers, it is extremely important for cloud service providers to be transparent regarding the storage and sharing of sensitive user information. The government needs to take action towards reforming the surveillance program, and allow companies to reveal more details about what data the government has requested of them. It also needs to establish international transparency to gain the trust of foreign customers.

Similarly, cloud service providers also need to implement strong security controls to better protect their customers from surveillance programs. It would be wise for them to adopt strong encryption standards such as 256-bit AES for better security. Encryption has time and again proved to be the most secure method for protecting data in the cloud. The keys used for encrypting sensitive customer data should be managed effectively through periodic key rotation and re-encryption of data with the new keys. Employees should not be given more access than they need to complete their tasks. Cloud storage companies should require strong passwords, longer keys, and strong hash algorithms to make it difficult for anyone to access user data.

I believe that by implementing security measures and being transparent about data usage, companies can gain the trust of their customers, and those who have been enjoying the benefits of U.S. cloud services might think twice before moving to alternate services. In the light of NSA surveillance, cloud startups whose prime goal is to secure their customers’ data will see huge growth in their business in the near future.

Protect your personal data from NSA surveillance with SpiderOak: SpiderOak encrypts the files in your computer before uploading them to the server. As a result, you, and only you, have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belong to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.
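The two controls above, encrypting on the client so the provider never holds a usable key, and rotating keys periodically, fit together in the envelope-encryption pattern. The following is an added Go example written for this post, not SpiderOak's code; the StoredObject layout, the function names and the choice of AES-256-GCM are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is all the server holds; without the client's master key neither field is readable.
type StoredObject struct {
	WrappedDataKey []byte // per-file data key, wrapped (encrypted) under the master key
	Ciphertext     []byte // file bytes, encrypted under the data key
}
func must[T any](v T, err error) T { // panics on errors that cannot occur here (fixed-size keys, crypto/rand)
	if err != nil {
		panic(err)
	}
	return v
}
// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or tampered bytes fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt runs on the client before upload; masterKey (32 bytes) never leaves the client.
func Encrypt(masterKey, file []byte) StoredObject {
	dataKey := make([]byte, 32) // fresh AES-256 data key per file
	must(rand.Read(dataKey))
	return StoredObject{WrappedDataKey: seal(masterKey, dataKey), Ciphertext: seal(dataKey, file)}
}

// Decrypt unwraps the data key with the master key, then the file with it.
func Decrypt(masterKey []byte, obj StoredObject) ([]byte, error) {
	dataKey, err := open(masterKey, obj.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, obj.Ciphertext)
}

// Rotate re-wraps the small data key under a new master key; the bulk ciphertext stays put.
func Rotate(oldMaster, newMaster []byte, obj StoredObject) (StoredObject, error) {
	dataKey, err := open(oldMaster, obj.WrappedDataKey)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{WrappedDataKey: seal(newMaster, dataKey), Ciphertext: obj.Ciphertext}, nil
}
```

Because rotation only rewrites the wrapped data key, the periodic re-keying the post recommends stays affordable even across a large store, and a copy of the old master key is useless against rotated objects.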

Cloud Computing and Denial of Service Attacks: Examining the Vulnerability of NTP Servers

Posted by on Feb 18, 2014

Denial of Service Attacks on Cloud Services are becoming increasingly frequent.
Image from livehacking.com

Cloud services are becoming increasingly popular these days, both among the public and business enterprises. While convenient, cloud services can be extremely vulnerable to denial of service (DoS) attacks. As more organizations rely on cloud computing technology for their business operations, denial of service attacks, one of the most common forms of attack on the cloud, can prove extremely damaging. A DoS attack makes your network or machine unavailable to its intended users by flooding it with connection requests. The eighth annual Worldwide Infrastructure Security Report from security provider Arbor Networks revealed how cloud services increase the risk of attacks. The report indicated: “94% of data center operators reported security attacks, 76% had suffered distributed denial of service (DDoS) attacks towards their customers, while just under half (43%) had partial or total infrastructure outages due to DDoS and yet only 14% of respondents had seen attacks targeting any form of cloud service.”

Healthcare Data Security: Is Your Cloud Service Provider HIPAA Compliant?

Posted by on Feb 13, 2014

Cloud service providers must comply with HIPAA guidelines. Image from qliqsoft.com

With healthcare data doubling every year, it can be extremely difficult for medical institutions to manage such a huge amount of information using traditional IT systems. This is one of the reasons why the healthcare industry is gradually moving towards the use of cloud services. A cloud storage system allows organizations to place data on a centralized electronic system that can be accessed anytime from anywhere. Cloud services can help the healthcare industry access and manage health records effectively in order to provide better patient care. A properly implemented cloud storage system allows hospitals to process tasks effectively and quickly, without causing a drop in performance. Cloud computing has proven extremely beneficial and cost effective for patients and healthcare providers alike.
