Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, described how the attack surface is shifting away from the mobile device itself toward unsecured locations in the cloud where unsecured data ends up, as reported by HealthITSecurity.com.
More specifically, he addresses how moving data into cloud services such as Dropbox compromises the security of data that is then accessible from mobile devices. In a recent Ponemon Institute study, The Risk of Regulated Data on Mobile Devices & in the Cloud, 54 percent of respondents reported an average of five data breaches involving the loss or theft of a mobile device holding regulated data.
The study defines regulated data as sensitive and confidential data that organizations are legally required to keep secured, including protected health information (PHI), credit cardholder data, employee records, etc.
When polled on their greatest perceived data protection risks to regulated data, the top responses were mobile devices (69 percent), cloud computing infrastructure (45 percent) and applications (33 percent). The data center environment came in at only 5 percent. A secure cloud computing infrastructure, such as a private cloud, can reduce these concerns.
With a private cloud environment, the servers, storage and network are dedicated to and controlled by your company, so you have full visibility into who can reach them and there are no co-tenants sharing the underlying hardware. With a public cloud in a multi-tenant environment, you share hardware, storage and network devices with other tenants, and you depend on the provider's isolation controls to keep those tenants apart. Dedicated infrastructure removes the co-tenant risk, but it does not by itself prevent unauthorized access: stolen credentials, misconfigured access controls and unpatched systems affect a private cloud just as they do a public one, so the access controls, monitoring and patching on that dedicated environment still have to be in place and tested. With that caveat, demonstrating compliance for regulated data is considerably easier with a private cloud infrastructure, because the scope of the environment and the parties responsible for it are clearly defined.
Researching where and with whom you host your private cloud is an important initial aspect of ensuring security – if you have regulated data that must meet compliance requirements, ask your cloud service provider if they have passed specific audits that meet your industry’s standards, including:
SSAE 16 – The Statement on Standards for Attestation Engagements (SSAE) No. 16 replaced SAS 70 in June 2011. An SSAE 16 audit examines the design and operating effectiveness of a data center's controls as they relate to the financial reporting of the customers who use the service. (SSAE 16 has itself since been superseded by SSAE 18, which now governs these reports, so a current report will cite SSAE 18 rather than SSAE 16.)
SOC 1 - The first of three Service Organization Controls reports developed by the AICPA, this report covers the controls of a data center as relevant to financial reporting. SOC 1 is the report produced under the SSAE 16 standard; its purpose is to meet the financial reporting needs of companies that use data hosting services, including disaster recovery.
SOC 2 – SOC 2 covers controls specifically relevant to IT and data center service providers, unlike SOC 1 or SSAE 16. It is organized around five trust services principles: security, availability, processing integrity (ensuring system processing is accurate, complete and authorized), confidentiality and privacy. A provider chooses which of the five are in scope, so check that the report actually covers security and confidentiality, and ask for a Type II report, which tests that the controls operated effectively over a period of time, rather than a Type I, which only describes their design at a point in time.
SOC 3 – SOC 3 is a general-use summary of the auditor's SOC 2 opinion that the provider can publish freely, often with a seal indicating that it has been audited. Because a SOC 3 report is less detailed and technical than a SOC 2 report, treat it as a starting point and request the full SOC 2 report (usually provided under NDA) before relying on it for regulated data.
HIPAA – Enacted by the U.S. federal government, the Health Insurance Portability and Accountability Act of 1996 and its Privacy and Security Rules set requirements for safeguarding protected health information (PHI), that is, patient health data such as medical records. There is no official HIPAA certification for data centers. A hosting provider that stores or processes PHI on your behalf is a business associate and must sign a Business Associate Agreement (BAA) with you; the evidence that it can meet that obligation is an independent assessment of its controls against the OCR HIPAA Audit Protocol, so ask for both the BAA and the assessment report.
PCI DSS – The Payment Card Industry Data Security Standard is maintained by the PCI Security Standards Council, which was founded by the major card brands, and applies to companies that accept, store, process or transmit credit cardholder data. A data center operator should prove it has a PCI DSS compliant environment with an independent assessment conducted by a QSA (Qualified Security Assessor), documented in an Attestation of Compliance (AOC). Read the AOC carefully: it covers only the services listed in its scope, and a responsibility matrix should spell out which PCI DSS requirements the provider meets and which remain yours, since hosting with a compliant provider does not make your own cardholder data environment compliant.
Find out how to handle mobile security at your organization by reading our Mobile Security white paper. This white paper explores approaches to mobile security from risk assessment (which data are truly at risk), enterprise architecture (protect the data before the devices), and policies and technologies, and concludes with an example of a mobile security architecture designed and implemented within a hospital environment in which both enabling caregivers and protecting privacy, integrity and confidentiality are paramount.