The New Normal: Security Metrics and Cloud Computing

Just a few short years ago, cloud seemed like a far-away thought for businesses, a “nice to have” rather than a “need to have.” Now, cloud is becoming the new normal. Organizations of all sizes are seeing the benefits of cloud. However, as businesses move to the cloud, they must do so safely, with a well thought-out plan in place. To achieve a safe cloud environment, the IT industry needs to enforce rigorous cloud strategies around the protection of policy, information, people and infrastructure. This includes implementing security metrics.

According to the Symantec 2013 Hidden Costs of Cloud survey, rogue cloud deployments are one of the pitfalls of the cloud. It is a surprisingly common problem, found in more than 77 percent of businesses within the last year. It also seems to be an issue experienced more by enterprises (83 percent) than SMBs (70 percent).

The Business of Security

When talking with customers about seeking approval for their investments in security, I think back to conversations I have with my children when they ask if they can have something. The conversation goes a little something like this:

Andy: Daddy, can I have the new video game?

Dad: Why do you want it? You have 50 other games sitting on the floor of your room.

Andy: Because I need to have it!!!

Dad: But why?

Andy: Because!!! (repeat “But why” loop 4 times)

Dad: Will this game bring you joy and happiness?

Andy: YES!!!!

Dad: Well, since you have no money, if you want this game you need to clean your room, keep it clean and mow the lawn for the next month. Deal?

Andy: A whole month?

Dad: Yes, a whole month.

Andy: Ok then.

Salt is Great, But Sometimes You Need More Ingredients

There have been many blog postings lately on the value of salting passwords to prevent attackers from discovering the actual password values. Salting is a very effective tool for protecting passwords when implemented properly, but the problem is bigger than salting the passwords. Attackers are able to access the systems where the passwords are stored, and once they own the system they can pretty much do whatever they want to. Most will take the entire credential database and try to break the encryption/hashing schemes. In addition, a lot of credential stores also include various bits of information about the users who own the passwords. Encrypting/hashing/salting passwords is not enough; corporations need to go the next step of not only treating these as highly sensitive crown jewels of the company, but also putting controls on these systems to prevent or thwart the attacks in the first place.
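For readers who want to see what “salting implemented properly” means in practice, here is an added example (not code from the original post or from Symantec) of a credential store that gives every password its own random salt and runs it through a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library). The iteration count, salt length and sample passwords are constructed values chosen for illustration. Note that this only raises the cost of an offline attack on a stolen database; it does nothing to keep the database from being stolen, which is the post's main point.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumptions, not values from the post).
ITERATIONS = 200_000   # work factor: slows offline guessing against a stolen database
SALT_BYTES = 16        # 128-bit random salt, unique per stored credential
KEY_BYTES = 32         # length of the derived key that is stored


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the salt and work factor beside the hash lets the work factor be
    raised later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algorithm != "pbkdf2_sha256" or rounds <= 0:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(actual, expected)


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get unrelated records, so cracking
    one user's hash says nothing about the other's and precomputed tables
    cannot be reused across accounts."""
    first = hash_password(password)
    second = hash_password(password)
    return (
        first != second
        and verify_password(password, first)
        and verify_password(password, second)
    )


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    record = hash_password("example-passphrase-1")
    print(record)
    print(verify_password("example-passphrase-1", record))   # True
    print(verify_password("wrong guess", record))            # False
    print(same_password_different_records("shared-secret"))  # True
```

The record format makes the work factor explicit, so when a database is stolen the defender at least knows how much computation each guess costs an attacker; the rest of the post's argument, protecting the store itself, still applies.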

How to Get More $ for Security

IT compliance may not be as thrilling as the latest tablet or smartphone that users are bringing into your organization. However, for many organizations it’s the main driver for justifying the IT security budgets used to protect the organization’s critical information that users have access to on those shiny new tablets and smartphones.

Admittedly, it’s fairly easy to secure funding for compliance. After all, you really don’t have a choice – you must comply with all the mandates, rules and regulations that are central to your industry. But, being compliant is just the start of what you must do. Adequately protecting that information means going beyond the minimum – which many are guilty of doing – despite everyone in IT recognizing that being compliant doesn’t equate to being secure. The problem is that justifying additional security budget beyond the compliance checklist remains a significant challenge for most IT departments.

No Matter the Regulation, It Will Fail Without Change in InfoSec Mindset

Recently, the Homeland Security Department unveiled a new system of guidance intended to help make the software behind websites, power grids and other services less susceptible to hacking. The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. The list, topped by SQL-injection vulnerabilities, is an attempt to address the root-cause issues behind cyberattacks.

However well-intentioned, this new system will likely fall flat just like the several attempts over the years to legislate security through compliance – the last count was at least seven bills in Congress that would attempt to do so, several of which were re-attempts on previous legislation. There have also been attempts at requiring certification and licensing of information security professionals, which have also not succeeded to date. DoD 8570 is the closest thing we have for mandatory certification.

iOS Devices: Your CEO wants one, IT wants the data on it secure

IT is constantly adapting to new realities spurred by the types of technologies that people are using and bringing into the enterprise environment. One of the most disruptive technologies of late has been iOS devices. These devices are massively popular, and for good reason. Whether you’re a vice president keeping up on the latest sales reports mid-flight on your iPad or a physician accessing medical reports while meeting with a patient, iOS devices can improve productivity.

Platforms such as iOS have been designed from the ground up to be more secure—they raise the bar by leveraging techniques such as application isolation, provenance, device encryption, and permission-based access control. However, these devices were designed for consumers and, as such, security has been traded off for usability to varying degrees. It’s this usability that makes them so popular among consumers.

Process Orchestration – The Key to Improving Security Response

(Cross-posted from Symantec Connect)

Let’s pretend for a moment that you’re on a business trip. You hear the boarding call for your flight and reach down to grab your laptop – only your laptop isn’t there. Whether it was left at security or snagged by another traveler in the terminal, your laptop is gone and your company data is at risk.

So what do you do? Typically you’ll need to make a call to the office, notifying your IT department of the incident. This call will initiate a chain reaction of events set into place to ensure measures are taken to secure the files and equip you with a new device to keep business running as usual. This process typically involves a series of forms, approvals, signatures, etc.