This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
Today more and more businesses in Hong Kong are moving to the cloud. According to the Report on Hong Kong SME Cloud Adoption, Security & Privacy Readiness Survey produced by Internet Society Hong Kong and Cloud Security Alliance (Hong Kong & Macau Chapter) in 2015, nearly 83 percent of companies in Hong Kong are using or planning to use cloud services. The top two reasons are the reliable support and security features offered by cloud service providers.
As organizations increasingly rely on cloud services, data security risks in the Cloud are gaining more attention than ever. From the perspective of Privileged Access Management (PAM), addressing the monitoring of encrypted privileged access in the Cloud is a key concern.
There is no doubt that encryption is required to protect and control access for on-premise and in-cloud environments. While encryption itself is not a problem, it may create neglected blind spots in the cloud-hosting environment. Without the ability to monitor and control what is transmitted across encrypted networks it is difficult to detect the compromise of user accounts, to prevent malicious activities, or to stop data theft.
Encryption can blind network security systems and deny organizations the visibility into the communications to and from the Cloud. This creates a dangerous loophole for malicious activity or data leakage. These concerns are further emphasized when encrypted channels are used for third-party access (e.g. outsourced IT, partners, vendors, or service providers).
More Stringent Regulatory Audit
Global compliance standards such as Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standards (PCI-DSS), and many other regulations have mandated the control of privileged access and encrypted channels.
Over the past few years, the monetary authorities in Hong Kong and Singapore addressed these risks in their publications - General Principles for Technology Risk Management by Hong Kong Monetary Authority and Technology Risk Management Guidelines by Monetary Authority of Singapore. Cloud users are required to adopt necessary control measures to meet compliance and demonstrate this to auditors.
The Answers That You Need to Know
Before moving to a hosted cloud deployment, enterprises need to clarify the issues on responsibility and control of the Cloud environment. The cloud service provider needs to be able to answer three basic questions:
- How do you monitor, control and audit both interactive and automated encrypted traffic?
- How do you obtain and present the audit trail of outsourced administrator actions?
- How do you implement real-time controls for privileged access?
Next-Generation Privileged Session Management in the Cloud
Sign up for CIO Asia eNewsletters.