Check out the specialist's exclusive interview with the ABES Portal

Paulo Pabliusi, Ph.D. in Information Security from Royal Holloway, University of London, holder of a master's degree in Computer Science from Unicamp, president of the Cloud Security Alliance Brasil Chapter, Communications Director of the Information Systems Audit and Control Association (ISACA-RJ) and managing partner of Procela Intelligence in Security, shares his knowledge and experience on security in cloud computing in this exclusive interview for Portal ABES, given during the CSC Forum 2013, held in São Paulo, where he presented the lecture "Globalized Cyber Espionage - New Challenges for Cloud-based Services in Business Support".

Can you explain the importance of cloud computing for information security?

Computing, when migrated to public clouds, requires an information security model that reconciles the scalability and multi-tenancy of computing resources with the need for trust. Once they migrate their computing environments to the cloud, with their respective identities, infrastructure and information, institutions find themselves on the verge of giving up certain levels of control. To do so, they need to trust the systems and cloud providers and to verify their processes and events. Access control, data security, and the management and ongoing monitoring of events and information are part of this trust-and-verification process. In short, these are all security elements that an IT department already understands and deploys with existing technology, and that can now be extended to the cloud.

Contrary to what usually happens in a traditional data center, in the cloud the barrier that protects the infrastructure is diluted. At this point, security will be focused on the information. Data will need its own security to accompany and protect it. This implies their complete isolation: they need to be kept secure so that they remain protected when multiple customers use shared resources in a cloud infrastructure. It is also important that virtualization, access control and encryption are sufficient to allow for switchable levels of separation between corporations, users and communities of interest.

Classification of data is also critical, as companies will need to know exactly what information is important and where it is located, to ensure that it receives due attention, especially with regard to data loss prevention procedures.

In your opinion, how can you guarantee security in the cloud?

There are seven important principles to follow when it comes to information security in cloud computing:

1. Privileged user access – The sensitivity of confidential information in companies requires user access control and very specific information on who will have administrator privileges, so that the administrator controls access.

2. Compliance with regulations – Companies are responsible for the security, integrity and confidentiality of their own data. Cloud computing vendors must be prepared for external audits and security certifications.

3. Data location – The company that uses the cloud probably doesn't know exactly where the data is stored, perhaps not even the country where the information is kept. The provider must be willing to commit to storing and processing data in specific jurisdictions, making a contractual commitment to comply with the privacy requirements that the company's home country asks for.

4. Data Segregation – Usually a company shares an environment with data from several customers. It is important to understand what is done for data separation and what type of encryption is secure enough for the application to function properly.

5. Data Recovery – The cloud provider must know where the company's data is and what will be done to recover it in the event of a catastrophe. Any application that does not replicate data and infrastructure across multiple locations is vulnerable to complete failure. It is important to have a complete recovery plan and an estimated time for it.

6. Investigative support – Auditing illegal activities can become impossible in cloud computing, since the servers where access logs and user data are located vary over time. It is important to obtain a contractual commitment from the service provider, together with evidence of past success with this type of investigation.

7. Long-term viability – In an ideal world, the cloud computing provider will never go bankrupt or be acquired by a larger company. The company needs to ensure that its data will remain available if the cloud provider ceases to exist or is absorbed by a larger company. It is important to have a data recovery plan.

The Brazil chapter of the Cloud Security Alliance, a non-profit entity that I represent after being elected president in September 2013, has as its mission promoting the use of best practices for providing security assurance within cloud computing, and providing education on the uses of cloud computing to help secure all other forms of computing.

What is cyber espionage and what is Brazil's real position on this matter?

Cyber warfare is a form of conflict that is waged not with physical weapons but through confrontation by electronic and computerized means, in so-called cyberspace. In its most common and loosest usage, the term designates attacks, reprisals or unlawful intrusion into a computer or network. Cyber espionage is an act carried out in the context of cyber warfare to obtain confidential information from the governments of countries. Violation of this secrecy can do a great deal of real harm to the attacked country.

President Dilma made Brazil's position on this matter very clear in her recent opening speech at the 68th United Nations General Assembly in New York, stating that the United States' espionage actions in Brazil "hurt" international law and "affront" the principles that govern relations between countries. In her words, "to meddle in the life of other countries in this way violates international law and affronts the principles that should govern relations between them, above all between friendly nations".

What are the main threats to enterprise security?

The top three threats to enterprise information security are:

  • Loss of Confidentiality: when there is a breach of the confidentiality of certain information (e.g. the password of a user or a system administrator), allowing restricted information to be exposed that should be accessible only to a certain group of authorized users.

  • Loss of Integrity: happens when certain information is exposed to an unauthorized person, who makes changes that have not been approved and are not under the control of the owner (corporate or private) of the information.

  • Loss of Availability: happens when the information is no longer accessible to those who need it. For example, the loss of communication with a system that is important to the company, caused by the fall of a server or of a critical business application that failed due to an error, whether the cause was internal or external to the equipment, or due to an unauthorized action by persons with or without malicious intent.
