Cloud security is a hot discussion topic these days. Security is one of the main reasons that many business leaders have been slow to adapt to the cloud. Keeping data on premises makes business and IT leaders feel more secure.

But lately there seems to be a shift—the cloud tipping point has arrived, and more companies are moving to the cloud to replace various on-premises technologies and services.

The truth is that the cloud offers many of its own security advantages—many of which are the same as on-premises storage technologies. Before you assume that the cloud isn’t safe, it’s worth taking a look at what’s available to you and evaluating the risks associated with moving to the cloud—particularly when doing so could provide serious benefits.

According to Corey Louie, the Head of Trust, Safety, and Security at Dropbox, the best solutions will serve as an extension of the network and security infrastructure that you already have in place. When deployed properly, cloud solutions can help SMBs and Enterprises achieve more agility and can help with cost savings.

If we specifically look at one cloud service—let’s take Unified-Communications-as-a-Service (UCaaS), one of the fastest growing markets in communications, the cloud can enable companies to:

• Offload equipment costs 
• Shift certain budgeting from a CAPEX to an OPEX model 
• Simplify management and cost tracking 
• Increase scalability 
• Increase IT speed and agility 
• Improve disaster recovery and business continuity

There are still those who hesitate when choosing the cloud, which is why it is important to understand what the security threats are, and how to approach security for a cloud-based technology or solution.

What are the risks?

In 2013, the Cloud Security Alliance (CSA) identified "The Notorious Nine," the top nine cloud computing threats. The report reflects a consensus among industry experts surveyed by CSA, focusing on threats specifically related to the shared, on-demand nature of cloud computing.

These nine threats include:

• Data Theft/Breaches
• Data Loss
• Account/Service Traffic Hijacking
• Insecure Interfaces/APIs
• Denial of Service
• Malicious Insiders
• Cloud Abuse
• Insufficient Due Diligence

Physical theft, employee mistakes (like lost devices), and insider threats are responsible for 42.7% of 2013 data breaches in the United States, according to Privacy Rights Clearinghouse. In another 29.6% of data breaches, hackers broke into data owned by companies and government agencies. Big tech companies, major retailers, and airlines were some among many 2013 victims.

Each year, Alert Logic, an IT services provider, publishes a semi-annual State of Cloud Security report, surveying their customers to understand from where security threats are coming.

The results are interesting:

• An enterprise data center (EDC) is 4x more likely to suffer a malware/bot attack than a cloud hosting provider (CHP).
• EDCs and CHPs are equally vulnerable to a “vulnerability scan” and a “brute force” hack. 
• EDCs are 3x times more likely to suffer a recon attack and 4x an app attack. 

Cloud providers are 40% more likely to suffer a web app attack and 10% more prone to vulnerability scan weakness than an enterprise data center. In recons, malware, bot, and app attacks, the cloud seems to have less risk than most on-premises technologies.

According to Louie, the takeaway is not that cloud is better but that the risks are manageable. No one—regardless of their resources—is 100% secure.

What are the benefits?

Cloud-based technologies and services are not without their own security advantages. For many cloud service providers, there is a deep commitment to security—perhaps deeper than the media typically portrays. This commitment means a few, quite significant, things:

You get enterprise hardware for a small business price.

With cloud computing, your data is stored on enterprise-grade hardware, equipment that is typically unaffordable for most small and mid-sized businesses. By using the cloud for your business, you are upgrading to safer equipment.

You get more focused security.

For cloud vendors to succeed they need to focus on securing their service. This means that instead of attempting to prevent a variety of more general threats (as your in-house model would require) cloud vendors are free to (and great at) securing the one thing you want protected: your data online.

You get flexibility and agility.

Many IT organizations are stretched thin and struggle to balance day-to-day operations with strategic projects. One of the advantages of cloud services is the speed of deployment. Businesses have the flexibility to rollout cloud services without the IT time, and resource commitments typically associated with a legacy deployment model.

You get professional management.

Using the cloud to store data means that you get trained professionals managing your patch updates and keeping the server’s software up-to-date. Maintenance and support time are reduced since there is no longer a need to plan and implement system updates, and you can redeploy IT resources to more strategic initiatives to help advance the organization.

You get well-funded security.

Investing in top-level security features adds value to individual cloud service providers’ businesses. Investing in this way is a necessity for success. Businesses adopting cloud services gain the opportunity to put someone else’s financial resources to work, which can help take the sting out of security spending.

That deep commitment to security means that cloud service providers have to invest far more in scalable infrastructure and information security than do most organizations. Those investments are quite significant, and service providers will bear that burden for you. They can create economies of scale and efficiencies that benefit you.

Think about it like this: services like Dropbox go above and beyond to protect your data — so that you don’t have to invest heavily in secure systems and servers, constantly consider network and product security threats, submit to in-depth compliance reviews and audits, undergo regular testing against attacks, set up complex logical access controls, and assure data centers have advanced physical, environmental, and operational security measures.

The Cloud in Perspective: UCaaS

Hopefully, it’s clear why the cloud has some real advantages. Let’s take a quick look at UCaaS for a perspective on a unique cloud service.

The market for UCaaS is growing pretty rapidly. Among IT pros responding to a 2014 Spiceworks survey, 11% had adopted UCaaS. However, another 12% indicated they are planning to adopt it in the next year, more than doubling the number of people using UCaaS today.

This projected growth tracks consistently with the expectations of UCaaS market growth reported in 2013 by researchers at MarketsandMarkets. Their report on UCaaS projects that the global market will grow from $2.52 billion in 2013 to $7.62 billion by 2018, at an estimated CAGR of 24.8%.

Some suggest that developing confidence in hosted solutions in general is the impetus for the projected dramatic increase in adoption. Irwin Lazar, of Nemertes Research, has pointed out, “…more than 90% of companies now use software as a service (SaaS) applications.” Much of that confidence is due to the service providers’ dedication to security improvements.

Are you excited by the opportunities UCaaS presents to the communications market?

Security concerns shouldn’t hold you back from learning more. Check out the Reducing UC Costs and Increasing Business Performance whitepaper to take a deeper dive into the advantages of UCaaS, market drivers, concerns, and what to look for in a provider.

Modernizing IT infrastructure and becoming a Smarter Enterprise

The need for modernization among IT departments is a trend that is becoming increasingly relevant as IT departments are constantly faced with generational shifts in technology. The pressures of modern business require that IT departments close the gap between yesterday’s IT implementations and tomorrow’s demands.

Organizations that fail to modernize will rapidly lose their ability to respond to changing customer needs. They will weaken their competitive positions in the marketplace. And most importantly, the gap between where they are and need to be will only widen, leading to an expensive and uncertain future.

With most businesses facing incredibly tight or shrinking IT budgets, taking the appropriate steps toward modernization will seem expensive. With a modernized platform, however, organizations can add new capabilities and enhance overall employee performance while reducing their electronic footprint, leading to increased savings over time.

What is a Smart Enterprise?

Smart enterprises leverage more converged IT technologies to optimize business practices, drive workforce engagement, and create a competitive edge. Merely leveraging a converged IT framework in your IT department means that you are on your way to operating a smarter, more efficient business. IT organizations can utilize four key areas of value and then assess their plan against:

1: Business Agility

Today, most workforces are mobile. As such, your applications and enterprise architecture should empower these mobile workforces. Creating a more adaptive and more programmable infrastructure will enable IT to be more responsive to your organization. Businesses in today’s world are always on, and as a result, you need to consider how your most critical services can adapt more naturally and automatically to the mobile and always-on workforce.

2: Cloud Delivery

Modern businesses need to be incredibly efficient. Cloud delivery provides businesses with the opportunity to flexibly deploy services and software more consistently across converged premises, cloud, or hybrid infrastructures. An enterprise IT business plan should consider how and when to deploy certain services in the cloud, when to operate them on-premises, and when to purchase them as-a-service.

3: Collaborative Communities

Today’s growing workforce demands rich Internet-style applications that are easy to access from anywhere and work consistently from any device.  Organizations who have built collaborative communities by providing powerful tools that deliver consistent and intuitive user experiences, converged applications, and distributed architectures are able to adapt dynamically to change and empower employees to their fullest extent.

4: Assured Services

Securing business information—protecting your company’s intellectual properties and digital assets—falls squarely on the shoulders of IT.  Add security with the need to assure business continuity, and you get a business that must consider greater infrastructure planning, high availability at multiple layers, a consistent and aligned security credential methodology, and which must validate automated archival methods.

Steps to Modernization

Competing in today’s business environment is about meeting challenges, making decisions, and innovating rapidly—using the best and most current technologies, tools and information.

Cloud services, mobile integration, real-time collaboration, and high availability are becoming essential ingredients for the smart and secure enterprise. They are part of a rapidly evolving technology foundation by means of which the best solution providers enable new approaches to how your businesses IT services are delivered and managed, allowing you new opportunities for growth.

Want to know more about IT Modernization?

In an upcoming post we will discuss Enterprise IT Modernization Strategies and their benefits. And, if you’re going to Enterprise Connect this year, be sure to come see us.  Our solution experts will be happy to discuss how our IT solutions can help empower your smart enterprise. 

The increasing prevalence of mobile data has resulted in great security concerns for enterprises operating on multi-device systems, or with a Bring Your Own Device (BYOD) policy in place. It is challenging for businesses to decide whether the greatest value is in securing the devices that data is delivered to, or securing the data itself through methods such as Mobile Device Management (MDM). Mobile devices usage is highly favorable to end users in terms of access and convenience, but IT managers and CIOs cringe at the thought of the security risks associated with mobility and allowing sensitive data to be retrieved from virtually anywhere, any time. According to the Cibecs/IDG Connect 2012 Business Data Loss Survey, 60% of IT and executive management professionals do not feel their data is completely secure. Whereas existing security measures may suffice for company-owned and controlled devices, it is in the company’s best interests to implement new levels of control on employee devices not controlled by IT to ensure maximum data protection as opposed to device protection.

If you’ve heard that securely controlling data transmission is not possible without enterprise ownership of the device, we’d like to show you otherwise. The following examples of mobile data security best practices can give you an idea of what protocol to follow in securing data across your network and devices.

Thin Client

Thin client policies apply to both smartphones as well as tablets, and include OS streaming, hosted desktop virtualization and workplace virtualization. Sensitive information is processed centrally and remote devices can access this data through thin-client terminal applications using network access only. A major benefit of thin-client operation is that information does not leave the server and can only be accessed by an authorized end user. If the authorized user becomes restricted for any reason, access is immediately revoked, with the potential for a remote wipe of the entire device if company policy dictates. This strategy can ensure further security by implementing strong authentication policies, which limit actions such as host copy-and-paste operations and screen capture in addition to controlling data and file transfers. Internal and client contact data may not always be considered eligible for company security policies. In cases such as this, a thin-client data source with applied security is an ideal solution, as it ensures a contact database stays with the company rather than the phone when the end-user leaves the organization.

Mobile Thin Client Management

Mobile thin client management allows users to control which devices are permissible for company use, thereby restricting data access points. Perhaps the most beneficial feature of this strategy is that thin devices can be remotely wiped. Smartphones and similar devices may have limiting features, such as size, processing power and storage capacity, whereby only restricted data processing can occur. Where thin devices can only keep limited amounts of data, they have the unique capability to replicate data and store master copies within specified datacenters.

When implementing the thin device strategy, companies can still control security of these devices by employing mobile device platforms or other management applications, enabling security policies regarding backup and compulsory data encryption.

Protected Data

The aforementioned strategies focus on protecting data processing environments, but how can you protect your data directly? The Protected Data method guards the data at the source rather than the endpoint, ensuring the safety of data regardless of its location. Enterprise rights management and other such technologies directly embed access rules into documents by way of cryptography. With this method, the rules are applicable to documents regardless of location or device, allowing effective security measures for multi device environments.

This pattern also allows for “detecting, logging, and blocking” data that leaves enterprise premises. Having the capability to follow the transmission of sensitive data provides the benefit of understanding the speed and direction of information transfer and flow.

In addition to applying these strategies to mobile device environments, make sure users are aware of potential security threats and how to avoid them. In addition to securing information, users should be sure to secure the many popular applications that smartphones have. Educating users and emphasizing the security risks on their personal mobile devices can make corporate policies much more effective; by demonstrating that there is a significant and known threat to users’ personal information as well as company information, users are more likely to adhere to corporate controls. This provides a win-win scenario, protecting users’ personal info while also protecting your corporate data.

The Bring Your Own Device (BYOD) trend has faced an uphill battle for adoption due to the issue of effective policy implementation.  BYOD offers employees the luxury of working with devices they are most familiar with and can foster a more productive and collaborative environment, but these benefits must be balanced against the inherent dangers of uncontrolled devices having access to your data and network. When implementing a BYOD policy, special care needs to be taken to ensure existing company goals are not compromised. An effective, comprehensive BYOD policy will promote collaborative solutions for executives, IT staff and workforce users, but must take into account the following policy concerns:

1. Security

According to Gartner, the number one concern for potential BYOD policy implementation is security. The transition from company-issued devices to personal devices requires strict guidelines defined in your security policies. Protecting communications, monitoring data usage, and addressing privacy matters are imperative measures to take. Updating and executing data encryption methods, using SSL or HTTPS for example, will ensure secure data transmission. Archiving and recording methods should also be implemented in complying with company regulations, as well as increasing overall security.  BYOD systems can attain the same level of security (or even greater) as before implementation if optimal software services are put in place.

2. Support and System Administration

With multiple personal devices operating on company premises, support and system administration policies must be established. By instigating single-point administration, changes can be replicated smoothly across users within the enterprise. To reap the full benefits of your Unified Communications platform, it is essential to enhance support for administration as well as end users. So how can you do this? First, select a platform that allows easily accessible support, either by in-house IT staff or from your chosen support provider. It is also beneficial to define clear user roles to identify specific support and administration options that are available according to the user’s responsibilities and position.

3. Device Choice

When determining your device policies, of course you’ll have to determine which devices are allowed, which ones aren’t, and why. It is also helpful to get feedback from employees during this process. You can analyze employee preference by survey, asking such questions as “what devices do you already own?”, “are they compatible with baseline security/support features?” It is helpful to be familiar with the operating system, hardware and other specifications of the various devices and device types. In the future you may want to leverage this knowledge to lay the foundation for assessment of additional devices and technologies. Feedback from employees will also help keep your IT team up to date with changing devices as the consumer market changes.

4. Monitoring Usage

Whether your business adopts a formal BYOD plan, such as implementing a BYOD policy solely for senior-level executives, or creates a more informal plan which permits all employees to use personal devices, it is imperative to establish usage guidelines. One way you can do this is to develop a list of guidelines that establish binding agreements for employees to adhere to so that you protect and ensure the safety of sensitive corporate data. This way, if employees want to use their own devices, they will agree that the device, including their personal data, could be remotely wiped if it’s lost or stolen. It should also be clear that it is their responsibility to back up any personal information they don’t want lost in that eventuality. Appropriate termination polices should also be in place, acknowledging that all company information will be permanently deleted upon leaving the organization. It may also be beneficial to establish a mobility committee to create and monitor the success of policy goals.

How Unified Communications Can Help

Unified Communications (UC) can’t take the place of effective and well thought out BYOD guidelines, but it can help keep your company contacts and other data safe and secure when an employee’s device is lost or stolen. With the right UC app, your IT administrator can rest assured that traffic is secure and data loss is prevented with encrypted data en route to any endpoint. What’s more, Unified Communications will allow your company to provide a win-win for employee choice and corporate security. With the plethora of devices available - from iPhone to Blackberry to Android and more - you don’t want to try to support each individually when you can easily provide users all their desktop communications capabilities through a single approved UC app – on the device of their choice. This gives employees freedom of choice on their device and you the peace of mind and safety of managing a user and their network credentials the same way you’d manage their corporate issue desktop. One of the most sought-after features of the app is the added benefit of hiding a user’s mobile number when they make calls and displaying only their corporate phone number on caller ID devices – a single number identifies employees both internally and to your clients. Truly remote working.
With Unified Communications they’ll also benefit from added flexibility and mobility with the following:

• Corporate presence and IM
• Click to dial from mobile applications
• Availability of the UC app from the same app store they use on their personal device
• Access to corporate directory and resources on the go

While Unified Communications won’t solve all your concerns, it can help alleviate some of the primary security challenges related to BYOD. For more information on how NEC provides the same UC experience across multiple devices click here.

Part II Security

In the previous section, we looked at reliability, scalability, and standards compatibility. For security evaluation, systems are analyzed with various tests that pose different standardized security threats and assess vulnerability.  Ideally, the system should successfully avert the attack and report no error messages. 

IPv4 Protocol Mutation Attacks

The IPv4 protocol is the most widely used Internet communications practice for the proper format and exchange of digital messages between computing systems. The test is designed to ”attack”  the system using mutated traffic patterns at low levels of utilization and assess if the IP address will be corrupted or if any of the system’s subcomponents will fail. Successful results will demonstrate a 100% “block rate”, meaning all mutations were stopped with no reported faults or error messages.

DoS Attacks

A Disruption of Service (DoS) attack floods the system with external communication requests, creating a situation in which legitimate traffic will not be responded to properly. The goal of the attack is to cause the system to crash and reset, or at a minimum, consume its resources to the point it can no longer provide the service for which it was designed.  When under attack, a reliable system will maintain 100% availability with no overload or dropped calls.

Are you curious about how NEC’s Unified Communications and Software-Based Communications solutions performed? Follow the links above to view the test results or click here to see what we had to say about it.