"Hotel California" isn’t just a best-selling single by rock giants, the Eagles. It’s also become an IT industry metaphor for security concerns over the use of cloud applications. As the song’s lyric puts it: “you can check out any time you like, but you can never leave”.
In other words, how do you know what happens to your business data once it’s uploaded into the cloud? Can you retrieve it safely, ensure your data isn’t copied, or stop unknown third parties from accessing it without authorization?
These are critical security questions that any organization using – or planning to use SaaS or cloud applications – should ask their application provider before committing. You need assurances on how the data will be handled, if it can be encrypted when it’s stored, and how it will be segregated from other companies’ data.
It’s useful advice. But "Hotel California" isn’t the only Eagles song to offer wise counsel on infosecurity issues. Here are several more examples, and the lessons that should be drawn from them.
Take It Easy
We would all like to think our networks and data are secure. That the odds against a malware infection, a lost laptop or memory stick, or a targeted hack happening to your company are small. But the temptation to “lighten up while you still can, don’t even try to understand” should be strenuously avoided.
As we’ve seen over the last two and a half years, leaks, losses and expensive malware outbreaks can and do happen, even to leading organizations with well-established security policies and practices. Your company’s security position needs constant vigilance, so you can’t afford to “Take It Easy”.
Desperado
The threat of external hackers, the Desperadoes who “only want the ones that you can’t get”, is often dismissed as an exaggeration. Not so, as organizations such as The Guardian, Monster.com and TJX found. All were the victims of stealthy infiltration.
Hackers no longer try to beat down the front door to a network or website by brute force: instead they look at the windows, skylights and ventilation shafts to find an easier way in. They also plant malware that can eavesdrop on usage to intercept passwords, or exploit unpatched vulnerabilities.
The point is that the mythical desperado hacker has been replaced by white-collar criminals that will patiently probe for any weaknesses. So IT teams need to monitor network and site traffic for unusual patterns, apply anti-malware updates fastidiously, and stay abreast of emerging threats.
Intrusion prevention systems (IPS) help stop these attacks, and security information and event manager (SIEM) solutions can assist in early identification of threats, before they turn into a breach. This can catch a hacker before he’s “Already Gone”.
Lyin' Eyes
Another popular concept worth examining is that of disgruntled employees who “can’t hide their lyin’ eyes”. Many of the biggest security problems are caused by ordinary office employees, who are just trying to save a little time. As the song puts it, “did they get tired, or did they just get lazy?”
It’s not just the so-called ‘bad guys’ we need to protect against: it’s all staff members, because we all make mistakes. We’ve all thought it would be OK, just this once. So it’s no good looking for “Lyin’ Eyes” among employees: security breaches happen when people think they are just doing their job.
An organization shouldn’t leave what, how, and when security decisions to its staff. It shouldn’t be the employee’s sole responsibility. The security needs to be applied automatically, and I will expand on how this should be done.
Life in the Fast Lane
With more employees working flexibly than ever before, the complexity of securing a growing fleet of laptops, smartphones and portable storage can, as the song puts it, “surely make you lose your mind”.
However, it doesn’t have to be that way. The key is to take a data-centric view of security. Whether the information is moving or at rest, it needs to be protected. Several solutions are available that automatically encrypt all data in real time on laptops, PCs and smartphones; these can also encrypt all data copied to removable media like CDs, DVDs or memory sticks.
By delivering security as invisibly as possible, without interference from users, it’s much more likely that systems and data will stay protected, even when your users’ work lives are in the fast lane.
The Last Resort
An added benefit of automating data encryption and security is that it enforces corporate security policies as a matter of course. As mentioned earlier, employees often need saving from themselves and shouldn’t have to bear responsibility for deciding what data needs protecting.
As "The Last Resort" puts it: “Who will provide the grand design, what is yours and what is mine?” Organizations need to provide that grand design, backing up their policies with products that build security into the way people work, instead of making it the last resort.
The Long Run
When you “Take It To The Limit” in this way, effective corporate security does require extensive auditing of systems and users, devising of new policies, and new levels of protection to be added to systems.
However, when the result in “The Long Run” is knowing your organization is better protected against all types of threats, that should help engender a “Peaceful, Easy Feeling”.
Nick Lowe is head of Western Europe sales for Check Point Software Technologies. He oversees activities with Check Point's customers and partners in these regions, and is also an expert across IT security from compliance and security reporting, to technology development and evolving threats.