More and more Amazon Web Services (AWS) customers in 2014 could not make their networks as secure using AWS/S3, explained Vormetric's VP of Cloud C.J. Radford. This trend will pick up in 2015, with more enterprises using cloud applications in order to defend themselves from the rising tide of cyberthreats.
In an email Q&A with TechRepublic, regarding 2015 cloud security trends Radford said he also expects that organizations will "open their coffers" to protect Software as a Service (SaaS) offerings, that more Information as a Service (IaaS) providers will offer encryption and access control services, and that hosted private clouds will exceed the number of in-house private clouds as the preferred environment.
Founded in 2001, Vormetric provides enterprise encryption and key management services to over 1,400 customers, including 17 on the Fortune 25 list. According to Radford, at present the main data security challenges for enterprises is "moving data to the cloud while keeping it safe, encrypted, and secure — while still managing to retain key ownership — across the entire cloud stack of infrastructure, platform, and software services."
In our Q&A Radford also discussed how he would advise CISOs, protecting data at rest, the Vormetric data security solution, and compliance trends.
TechRepublic: With 2015 approaching, what do you consider to be the main data security trends?
C.J. Radford: I can tell you some of what I think we can expect to see on the cloud security side.
In 2014 we saw AWS customers saying they couldn't make their own networks as secure as using Amazon's AWS/S3 services. This trend will accelerate in 2015; small and medium business/enterprise usage of cloud applications will accelerate because they are unable to keep pace with the rate of change of attacks and threats, as well as the resulting legal and compliance requirements.
With over 50% of enterprise application spending in 2014 going to SaaS, and with sensitive data a large component of the information used and stored there, organizations will open their coffers to increase spending on protections for SaaS. SaaS providers that offer explicit security controls, as well as additional detail on data locations and written security commitments, will see their business increase at the expense of competitors who lag.
I also believe all serious IaaS and hosting providers will offer an encryption and access control service to customers. As the bar continues to rise for services to earn enterprise business, IaaS and hosting vendors will offer a baseline and advanced service set to enterprise customers for data protection within their environments.
Lastly, hosted private cloud will take over from in-house private clouds as the majority private cloud environment. As economies of scale, service-level commitments and security visibility and controls become more widely available from cloud providers, enterprises will increasingly favor hosted private cloud environments that offer the best of both worlds. That happens to be the scalability available from public clouds, plus the increased security required for enterprise data protection and operation.
TechRepublic: How would you advise a CISO of a mid to large-size organization seeking to boost his or her data security capabilities?
C.J. Radford: When thinking about the security posture of mid to large-size organizations, I advise CISOs to think about the data that needs protecting and review what security solutions are being deployed up and down the IT stack in order to protect the data that matters most to the organization.
First, organizations should use "best in class" security solutions across the IT stack. One required adjustment is a need to add focus on protecting data where it is used. The reason for this is that strong perimeter, network, and end point defenses are no longer enough to protect sensitive data. No matter the strength of these traditional defenses, they are subject to compromise by attackers' present suite of available attacks, mining techniques, and extraction strategies. Add to this the blurring of perimeters caused by cloud and mobile, and it becomes clear IT security strategies and implementations need a strong element of data protection.
Second, ensure that your organization's internal IT and security policies and procedures are being followed and continuously tested to ensure compliance against those policies.
Finally, have a plan for when a security event happens to limit the negative impact of such event — don't get caught off guard because it's not a question of whether you will have security event, it's when and how it will occur. Invest in tools that can detect compromises early and have mitigation plans in place to minimize damage.
TechRepublic: Why is protection of data at rest critical to an enterprise cloud deployment?
C.J. Radford: Data-at-rest protection is absolutely imperative for enterprise cloud deployment, due to the rising tide of data breaches at high profile institutions, multiplying national privacy regulations, and increasingly strict compliance requirements. Enterprises that fall behind on any of these fronts will risk losing business opportunities, or worse.
There are very clear business and economic benefits that come from leveraging cloud environments, but those benefits are moot if enterprises don't have proper precautions in place. Think about the reputational and financial fallout that occurs following data breaches, or the sticky legal challenges that arise when data residency laws aren't respected.
TechRepublic: What are the main benefits of the Vormetric data security solution?
C.J. Radford: The Vormetric Data Security platform provides a complete solution across databases, platforms (Linux, Windows, Unix) and operating environments (data centers, big data, and private/public/hybrid cloud).
Our solution makes it simpler and less costly to protect information within databases. The platform allows organizations to deploy quickly in a uniform and repeatable way. Instead of having to use a multitude of point products, enterprises can take a consistent and centralized approach.
Along those lines, administration is also simple and efficient. Vormetric Data Security offers an intuitive web-based interface, application programming interface, and command-line interface. Because database security can be applied quickly and consistently across the organization, IT resources can be employed more efficiently.
And of course, the platform provides capabilities for encrypting data, controlling access, and creating granular security intelligence logs that help organizations quickly meet security and compliance requirements.
TechRepublic: What differentiates Vormetric's technology in the data security marketplace?
C.J. Radford: Only Vormetric offers a single scalable solution for data-at-rest encryption and access control at the file system and volume level that can easily protect any file, database, or application, anywhere it resides. Competing solutions specialize in either encryption or access control, have limited support for OS platforms, cloud environments, and have limited key management options. Customers utilizing Vormetric receive a) transparent encryption b) fine-grained access controls c) security intelligence and d) broad cloud platform support.
TechRepublic: In enterprise cloud computing, what are the main trends in compliance?
C.J. Radford: Data sovereignty — the idea that enterprises don't like their data to leave the four walls of their own country, largely because of strict data residency laws or concerns about who has a legal right to access that data — often comes up as a big (global) issue for cloud service providers (CSPs) with data centers located in jurisdictions different from those of their customers. Recently, we've seen CSPs like Amazon and VMware take the step of opening up database centers in other countries to meet that country's customers' needs. I suspect we'll see more and more CSPs going this route as we usher in the New Year.
There are hundreds of data privacy laws on the books, but our mantra remains the same: enterprises concerned about meeting data residency requirements should encrypt all data-at-rest, and only allow access to data-at-rest from the jurisdiction that it originates from.
TechRepublic: How does the Vormetric solution enable compliance for your customers?
C.J. Radford: We serve over 1,400 customers in 20 countries across a broad range of industries including healthcare, retail, consumer goods, manufacturing, banking, insurance, government, and CSPs — so it's safe to say we have our finger on the pulse of compliance! In short, Vormetric Data Security provides a common, extensible implementation infrastructure that supports compliance regimes with protection for data-at-rest. Some of the most common compliance regulations our customers must abide by include HIPAA, Sarbanes-Oxley, and of course, state and national data breach and protection laws.
Top of mind for many of our customers is the Payment Card Industry Data Security Standard's (PCI DSS) recent update. As of January 1, 2015, all companies that access, store, or transmit cardholder data and personally identifiable information will be required to meet the new 3.0 standard. Knowing how important this is to our customers, we actually issued a white paper about the new rules and how Vormetric Transparent Encryption helps achieve PCI DSS encryption.
Another important regulation is the new cybersecurity framework, or FedRAMP/NIST. Government agencies and CSPs who want to do business with the federal government must meet a baseline security standard. We took a similar approach towards NIST as we did with PCI DSS, and pulled together a white paper that maps Vormetric's data security capabilities against the updated NIST security controls.
Brian will do client work for AtTask.
Brian Taylor is a contributing writer for TechRepublic. He covers the tech trends, solutions, risks, and research that IT leaders need to know about, from startups to the enterprise. Technology is creating a new world, and he loves to report on it.