
Dropbox security chief defends security and privacy in the cloud

David Geer | Aug. 7, 2015
Patrick Heim is the (relatively) new head of Trust & Security at Dropbox. Formerly Chief Trust Officer at Salesforce, he has served as CISO at Kaiser Permanente and McKesson Corporation. Heim has worked for more than 20 years in the information security field. Here he discusses security and privacy in the arena of consumerized cloud-based tools, such as those that employees select for business use.

How can the enterprise use the cloud to boost security and minimize company overhead?

If you think about boosting security, there is this competition for talent and the lack of resources for the enterprise to do it in-house. If you look at the net risk concept, where you evaluate your security and risk posture prior to and after you invest in the cloud, and you understand what changes, one of those changes is: what do I not have to manage anymore? If you look at the complexity of the tech stack, there are security accountabilities, and the enterprise shifts the vast majority of security accountabilities on the infrastructure side to the cloud computing provider; that leaves your existing resources free to perform more value-added functions.

What are the security concerns in cloud collaboration scenarios?

When I think about collaboration especially outside of the boundaries of an individual organization, there is always the question of how do you maintain reasonable control over that information once it's in the hands of somebody else? There is that underlying tension that the recipient of that shared information may not continue to protect it.

In response to that, there is ERM, which provides a document-level control that's cryptographically enforced. We're looking at ways of minimizing the usability tradeoff that can come with adding in some of these kinds of security advancements. We're working with some vendors in this space to identify what do we have to do from an interface and API perspective to integrate this so that the impact on the end user for adopting some of these advanced encryption capabilities is absolutely minimized, meaning that when you encrypt a document using some of these technologies that you can still, for example, preview it and search for it.

How do enterprises need to power their security solutions in the current IT landscape?

When they look at security solutions, I think more and more they have to think beyond the old model of the network perimeter. When they send data to the cloud, they have to adopt a security strategy that also involves cloud security, where the cloud actually provides the security as one of its functions.

There are a number of cloud-access security brokers, and the smart ones aren't necessarily sitting on the network and monitoring, but the smart ones are interacting, using access and APIs, and looking at the data people are placing into cloud environments, analyzing them for policy violations, and providing for archiving and backup and similar capabilities.

Security tools that companies need to focus on could be oriented to how these capabilities are going to scale across multiple cloud vendors as well as how do I get away from inserting it into our network directly and focus more on API integration with multiple cloud vendors?
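The API-integrated broker model Heim describes in the answer above, as an added illustration that is not part of the article and not Dropbox's or any vendor's code: instead of sitting inline on the network, the check below consumes file records of the kind a storage provider's file-listing API returns (constructed sample records here; the `CloudFile` fields, the `example.com` internal domain and the classifier patterns are all assumptions) and flags sensitive content that is reachable by a public link or shared with an external recipient.

```python
"""Added example of an API-driven policy check in the style of a cloud access
security broker. Nothing here is the article's or Dropbox's code; the file
records and the organisation's domain are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Assumed: the organisation's own mail domain; anything else is "external".
INTERNAL_DOMAIN = "example.com"

# Illustrative content classifiers. Real brokers use far richer detectors
# (validated card numbers, document fingerprints, ML classifiers).
CLASSIFIERS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "secret_marker": re.compile(r"\bCONFIDENTIAL\b"),
}


@dataclass
class CloudFile:
    """Stand-in for one record returned by a storage provider's file API."""
    path: str
    owner: str
    content: str
    shared_with: list = field(default_factory=list)  # collaborator e-mails
    public_link: bool = False                         # anyone-with-link share


@dataclass
class Violation:
    path: str
    rule: str
    detail: str


def classify(content):
    """Return the set of sensitive-data classes found in the file content."""
    return {name for name, rx in CLASSIFIERS.items() if rx.search(content)}


def external_recipients(f):
    """Collaborators whose address is outside the internal domain."""
    return [c for c in f.shared_with
            if not c.lower().endswith("@" + INTERNAL_DOMAIN)]


def evaluate(f):
    """Apply the sharing policy to one file; returns a list of Violation.

    Policy: sensitive content must not be exposed via a public link or
    shared with external recipients. Non-sensitive files are not restricted.
    """
    found = classify(f.content)
    violations = []
    if not found:
        return violations
    if f.public_link:
        violations.append(Violation(f.path, "public_link_sensitive",
                                    ",".join(sorted(found))))
    ext = external_recipients(f)
    if ext:
        violations.append(Violation(f.path, "external_share_sensitive",
                                    ",".join(ext)))
    return violations


def scan(files):
    """Evaluate every record and collect the violations for reporting."""
    out = []
    for f in files:
        out.extend(evaluate(f))
    return out


# Constructed sample records, not real data.
SAMPLE_FILES = [
    CloudFile("finance/q3-forecast.xlsx", "alice@example.com",
              "CONFIDENTIAL forecast numbers", ["bob@example.com"]),
    CloudFile("hr/payroll.csv", "carol@example.com",
              "name,ssn\nJane,123-45-6789", ["partner@vendor.net"]),
    CloudFile("marketing/brochure.pdf", "dave@example.com",
              "Our new product launch", [], public_link=True),
    CloudFile("sales/cards.txt", "erin@example.com",
              "card 4111 1111 1111 1111",
              ["x@example.com", "y@other.org"], public_link=True),
]

if __name__ == "__main__":
    for v in scan(SAMPLE_FILES):
        print(f"{v.rule:26} {v.path:28} {v.detail}")
```

Because the check reads sharing state and content through the provider's API rather than from network traffic, it also covers uploads made from devices and networks the enterprise never sees, which is the point Heim makes about brokers that integrate via APIs rather than inline monitoring.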
