Hackers are now revealing a new level of ambition-be it virtual bank heists or huge DDoS attacks. They are creating levels of disruption that are neither known nor heard of, by only focusing their exploits on simple tactics to make a big impact.
As organizations are inclining towards cloud to improve collaboration and flexibility, it is becoming increasingly difficult for IT security leaders to keep a track of sensitive data and maintain compliance.
In an exclusive chat with CSO Online, Tarun Kaura, Director, Product Management at Symantec Asia Pacific and Japan (APJ), sheds light on the most critical industry compliance issues faced by IT security heads and how they can mitigate them.
CISOs consider cloud security as one of the biggest challenges. How should they tackle it?
The increasing inclination towards cloud has left organizations open to attacks. Therefore, cloud security continues to be the foremost challenge for IT security leaders. We believe that CIOs usually lose track of the number of cloud apps being used inside their organizations, which can create complications. This leads to a lack of policies and procedures making cloud applications riskier for organizations.
The first tactic is to figure out the targeted vertical and compliance issues related to it. Second, organizations require platforms that give them visibility of users and applications. Third, organizations need to differentiate the sanctioned applications from the unsanctioned ones and should make policies around them.
It is also very important for organizations to get a proper data loss prevention system, which can provide contextual details about the kind of information moving on the cloud. Organizations also need to tighten their encryption, because while sharing data to cloud, it is important to ensure how encryption kicks in to keep the data secured.
Furthermore, using advanced threat intelligence solutions can help IT security leaders respond to incidents faster. Incident management is another layer that will ensure that the security framework is optimized.
“From an internal threat perspective in India, CISOs are more worried about staff being noncompliant. For this, CISOs are looking at strategies where staff could be equipped with more knowledge and the technology behind it.
- Tarun Kaura
Director, Product Management, Symantec APJ
It is also required to implement a multi-layered defense strategy, along with two-factor authentication, intrusion detection and website vulnerability malware protection to address attack vectors at the entry. Failure to establish such safeguards eliminates the potential benefits of cloud-based services.
What are the other critical industry compliance issues faced by CISOs?
Apart from cloud security, other industry compliance issues that CISOs find most worrying include governance of corporate-owned mobile devices, tracking of activities in sanctioned cloud applications, data residency and control regulations and use of unsanctioned cloud applications.
The widespread adoption of cloud applications along with risky employee behavior is further widening the scope of cloud-based attacks. It is becoming increasingly difficult for CISOs to keep track of sensitive company data and maintain compliance with regulatory requirements. This is, therefore, forcing IT security leaders to look for encryption and tokenization solutions to support their SaaS initiatives.
Why do you think tokenization is the key to card payment security? How is it gaining momentum among Indian CISOs?
Tokenization as a concept is gaining traction in the card payment industry (PCI). It generates and uses a unique identifier, also known as a token, instead of credit card data. The actual data is secured in a centralized server of the organization and a token is generated and used as a substitute. This removes the actual card data from the systems, reducing the amount of data stored, which in turn makes it easier to manage and meet PCI compliance, and support cloud initiatives.
With tokenization, if a system is being compromised, the attackers will not be able to access the real card data, thereby reducing the impact of the breach.
While deploying such concepts organizations should look for solutions that offer granular controls and meet the requirements of the company.
What are the top concerns for CISOs in 2017?
Data breach is always topping the list of concerns that are keeping Indian CISOs awake at night. The vulnerability is another challenge for CISOs, which they are eradicating by deploying proactive end-to-end solutions.
From an internal threat perspective in India, CISOs are more worried about the staff being noncompliant. For this, CISOs are looking at strategies where staff could be equipped with more knowledge and the technology behind it.
Data loss is another area of concern for IT security leaders, along with insecure business applications and shadow IT.
What is modern cyber-defense?
Cyber defense strategies have transformed from traditional solutions towards complete secure systems. According to us, modern cyber-defense facilitates sharing of cyber threats, management of situational awareness and enabling a coordinated response to attacks.
Symantec's acquisition of Blue Coat gives our customers end point security. This level of visibility across endpoints allows customers to block targeted attacks. This integration provides the foundation for an integrated cyber-defense platform, which improves security outcomes for customers across all control points.