CISOs have to be more open to new security solutions to meet the challenge of staff signing up for cloud services behind their backs, a business and IT audience has been warned.
Most infosec pros are still trying to secure the perimeter of their organizations, complained Mark Zimmerman, CIO of Toronto’s MaRS Discovery District, a hub for some 300 startups. But he said, “in a world of bring your own devices, app stores, and cloud applications, (we are witnessing) a model that doesn’t do us justice any more.”
Most organizations have a fixed process for buying applications, but for cloud apps — everything from Salesforce to Dropbox to Gmail — any employee can sign up. “Business leaders are going to route around us (IT) unless we figure out ways to support that need,” he said, “and I suggest they already are.”
IT needs to find solutions that give visibility into, and security for, cloud services. “This is also a huge opportunity,” he said, adding that cloud applications enable us to “leapfrog or play catch up quickly” to countries with greater productivity and investment in research and development compared to Canada.
“(We should) treat this as not as something we are afraid of, but something we can use to narrow the IT gap in the Canadian landscape,” he said. “We need to figure out how we move from the department of no (cloud apps) to the department of ‘Yes,’ or at least ‘Yes, but,’ (only use these).”
For example, MaRS uses a cloud access broker to examine network traffic and enforce security policies, he added.
Still, he noted that while the hub has 41 approved cloud apps for its member startups, a recent survey showed another 371 unapproved apps were in use.
The audience also heard Michael Dundas, former global head of network security for a financial institution who has just been hired by the Toronto-based solutions provider Herjavec Group, warn that current data loss prevention software doesn’t address the security holes cloud applications open up.
Once staff lift sensitive data into the cloud, IT has no idea where it will go, he said. “We don’t have control of the infrastructure anymore.”
In an interview, Dundas said that too many CSOs are “relying on traditional solutions, because that’s what they’ve done…they’ve really got to push their teams, look at those new technologies.”
At the former financial institution he worked for — which he wouldn’t name — “we were successful at managing it…we were able to take a proactive role from the perimeter and the endpoint standpoint. We introduced a lot of newer technologies that brought them further ahead of other FIs,” he said, adding that this was in part because IT was less “risk adverse” than others.
Finally, the audience heard former Ontario privacy commissioner Ann Cavoukian warn organizations that the personally identifiable information of customers and employees isn’t owned by them.
“Don’t treat data as an asset that belongs to you. You may have custody and control over that data, but it doesn’t belong to you. You have a duty of care. You have an obligation to protect that data and ensure that the individual to whom the data relates is aware of what you’re doing.”
Now head of Ryerson University’s Privacy and Big Data Institute, Cavoukian is known for creating the Privacy By Design principles, which hold that privacy can be built into applications and business processes.
There doesn’t have to be a trade-off between security and privacy, she said — organizations can have both by giving customers control over their personal data, since only they know how much privacy they are willing to surrender.
She also urged organizations to anonymize the data they have if they want to share it.
Most data breaches are unknown, unchallenged and unregulated, Cavoukian argued, and in an era of the Internet of Things everything is connected. “If we don’t embed privacy proactively, we’re going to lose the game.”