The debate on public versus private cloud is a fierce one with advocates on both sides. Security experts, however, consistently fall in the pro-private camp. As a compliance and security expert, I have to agree. First, let’s be clear on the definitions. The public cloud is available to the public—in a free or pay-per-use capacity—and is accessible via the web. Some examples include Google Apps, Office 365, file sharing applications such as Box or Dropbox, and so on. The private cloud, on the other hand, is the same service, but it sits behind your firewall and limits access to your internal departments, employees, customers, etc. in your organization. The private cloud is either run by your IT department or your data center.
As connectivity grows, so do threats to the IT infrastructures under your care—and, by extension, your organization’s ability to profit and serve its customers. Security strategies that worked fine in the not-so-distant past have grown woefully inadequate as the technology terrain shifts.
You’ve probably heard the acronym SIEM being thrown around a lot these days and for good reasons. As security experts, we know that perimeter defenses simply aren’t enough anymore, and we need a holistic view of our IT infrastructures.
“The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” —FedRAMP website

That sounds positive, but getting approved for the FedRAMP certification is far tougher than most cloud providers anticipated. In fact, few organizations are truly capable of making it through the process. As shared by an article in GCN: “Of more than 80 cloud providers who have applied to go through the FedRAMP certification, more than half are not yet ready to go through the process, according to Kathy Conrad, principal deputy associate administrator with the General Services Administration’s Office of Citizen Services and Innovative Technologies.”
Back in the day, "rogue IT" typically entailed departments building servers and putting them under their desks in an attempt to circumvent the IT department and all of the pesky security controls that came with IT-approved servers. Often, those servers sat under a desk, inside a closet or back room — unpatched, unprotected, and non-compliant — for long stretches of time before finally being discovered. Those were the good ol' days, compared to the new type of rogue IT that's quickly spreading through today's IT landscape. It's invisible, nearly undetectable, and completely unacceptable, to say the least. The new rogue IT involves departments buying things online (think Amazon Web Services, Google Services, and Microsoft Azure) and setting up off-the-books IT operations outside of your organization's boundaries.
Data breaches are serious and very real threats in today's digital world, and no industry sector is immune. In the medical sector alone, the cost of client data breach liability, expense, and settlements has surpassed the same costs from medical malpractice. Securing data and minimizing the probability and impact of data breaches is, at its core, a risk-based endeavor. While many businesses have recognized the need for risk assessment and management, there is still a tendency to treat risk assessment and management as "checkbox" exercises. For a risk management program to provide true benefit, several things are required:
An enterprise-level risk management practice. This is NOT your IT risk management team – it is a standalone and empowered practice that operates at the CXO level. This team is focused on business alignment.
An IT-level risk management practice. This team is focused on the application and testing of applicable risk management frameworks and the controls associated with those frameworks.
Certified and qualified risk management professionals. There are several industry certifications available. CRISC (Certified in Risk & Information Systems Control) and CRMP (Certified Risk Management Professional) are examples. They both require hefty amounts of continuing education, which is critical, given the moving target
Earlier this year, the 3.5-hour outage at the New York Stock Exchange (NYSE) raised a lot of eyebrows in the IT community. Opinions about the cause of this outage, including my own, came out of the woodwork despite official statements claiming "technical issues" following a software update. I have to ask: Would the NYSE really perform a software update on a production system first thing Wednesday morning? While I can't rule out a hack on the NYSE, the situation sparks another discussion: Was human error to blame?