Vigilance Is Everybody's Business
It would mean that employees would have to be more vigilant during the outage:
not clicking on links, surfing only to recognized sites and not opening
attachments. IT managers can decide to restrict certain activities to prevent
any threats from entering the network, according to Roberts. "It's a calculated
risk," he said.
As for Sony, recent events have shown
that companies can be hacked and have sensitive customer data stolen even when
the data was stored in corporate data centers. Epsilon, the email marketing
firm that disclosed its data breach a month ago, has yet to say how many
consumers were affected.
"The ultimate lesson here is that all
businesses are vulnerable to hackers, regardless of size or industry," Mandeep
Khera, CMO at Cenzic, told eWEEK.
It's not clear what went wrong at Sony,
but information was stolen because there was a flaw somewhere in Sony's
environment. Cloud security is not inferior to data center security, according
to Andres Kohn, vice president of technology and product management of
Proofpoint.
During his "Can Data Be More Secure in the Cloud?" talk on April 19 at the
Infosecurity Europe conference in London, Kohn addressed the commonly held
belief that unimportant data and applications could be moved to the cloud while
critical and sensitive applications remain in the corporate data center. In
general, data is actually more secure in the cloud, and there is no reason why
enterprises shouldn't store critical data in the cloud, Kohn said.
Enterprises, especially midsize ones,
would be far more secure with a cloud provider with the resources to provide
higher-level security expertise than they can otherwise afford themselves,
according to Randy Abrams, director of technical education at ESET.
"There is no perfect security. If the
net result of outsourcing your security is an improvement in security, then it
is a good thing, but there is no perfect security, only risk management,"
Abrams told eWEEK.
A security-conscious cloud provider would continuously audit and monitor its
environment, have higher levels of automation for repetitive tasks, enforce
strict access controls against malicious insiders, and have more skilled
technicians maintaining the network, Kohn said. There are some additional
considerations, such as sifting through the logs for intrusions, closing any
SQL injection or cross-site scripting flaws in Web applications, and regularly
patching the environment to ensure all vulnerabilities are closed.
Cloud IT security is not intended to replace conventional in-house IT security,
but is supposed to be "an addition," Yevgeny Kaspersky, CEO of Kaspersky Lab,
said at Infosecurity Europe.









