What ENISA’s “Assume the Worst” Recommendation Means for the Cloud
Recently, ENISA issued guidance that financial institutions should “assume the worst” for their online banking population, meaning banks should assume their customers’ computers are infected and compromised. This is a logical recommendation given that the Anti-Phishing Working Group (APWG) estimated 1 in 4 computers were infected with crimeware. SpyEye Tracker shows current AV software successfully detecting the malware only ~27% of the time. Taken together, that might mean ~18% of the online banking population is compromised. The FFIEC applied similar logic in its 2011 Supplemental Guidance on Internet Banking Authentication when it noted that almost all forms of authentication can be compromised.
What does this mean for the cloud and organizations that aren’t banks?
Looking at cloud security, in almost all cases (approaching 100%) a cloud service provider can:
- Access your data
- Not prevent unauthorized access to data regulated under ITAR or CJIS
- Move data out of your legal jurisdiction
- Provide data to legal authorities without notice or authorization
- Not ensure compliance with important regulations like HITECH/HIPAA for all services
Applying the same rules of risk that ENISA did, organizations using cloud services must assume their cloud service provider cannot ensure the security of their data. John Pescatore, VP Distinguished Analyst at Gartner, summed this up well:
As you move out to cloud-based models, there are some things you can trust your cloud provider with, but for critical business data and regulation-controlled information, very rarely is the infrastructure going to be enough.
Derek Brink of Aberdeen Group found that enterprises that proactively augment their security when moving to the cloud, rather than relying solely on their provider, spend one third less on cloud services than those that rely only on what their cloud service provider offers.
This is where CipherCloud can help. Gartner recently found that because organizations aren’t making the right encryption and access control decisions, 70% will still be vulnerable to data breaches in 2015.
With cloud encryption, you now can:
- Prevent your cloud service provider, from administrators to support staff, from accessing your data
- Control who in your organization is authorized to access data, which is critical for ITAR and CJIS certification
- Secure data everywhere it goes, even if it is moved by your cloud service provider
- Lock out unauthorized access by criminal attackers or legal authorities
- Achieve compliance with industry regulations using encryption, the universally recognized method for securing data