Seagate, Erez Baum: How to deal with cloud security and compliance

Erez Baum, Seagate

Duncan is an award-winning technology industry analyst, specialising in cloud computing, blockchain, martech and edge computing.

Could you tell us a little bit about your company? What type of products and services do you offer?

We craft the datasphere, helping to maximise humanity’s potential by innovating world-class, precision-engineered data storage and management solutions with a focus on sustainable partnerships. A global technology leader for more than 40 years, the company has shipped over three billion terabytes of data capacity.

Have there been any particularly interesting developments at Seagate?

Last year we introduced Lyve Cloud, a simple, trusted, and efficient object storage cloud service for mass data. It provides cost competitive object storage designed to tear down the barriers between clouds.

With no egress or API fees, you can move your data seamlessly across private, public, and compute clouds – accessing it wherever and whenever you need it.

Lyve Cloud is designed to provide unparalleled multicloud freedom – no egress fees, no API fees, and no vendor lock-ins; storage designed for multicloud freedom; simple, predictable, capacity-based pricing; and best-in-class security and availability.

What do you think will be the most problematic future cloud-based threat vectors? And what advice would you give to companies regarding how they can deal with this?

We continue to see a credential thief as a top threat agent against cloud environments. Adversaries apply different tactics to harvest legitimate authentication credentials (e.g., targeted victim-tailored phishing attacks).

We suggest companies consider, number one, fully deploying and enabling MFA (Multi-Factor Authentication), not only to important accounts but also across the enterprise to prevent lateral movement. Secondly, disabling legacy (weak) authentication protocols. And thirdly, implementing access controls and applying the least-privilege principle for users and cloud services throughout the enterprise.

To what extent do you think the consequences of a data breach are worse than ever before?

Data privacy controls are critical for protecting the variety and value of today’s digital transformation data. A data breach is not just about losing intellectual property or competitive business information; it can be weaponized to impact a variety of things, from human safety to a country’s economy, quickly. For example, a data breach could prevent a doctor from performing a time-sensitive medical procedure, allow an imposter to impersonate a victim, disrupt city water or electricity supplies, or manipulate a financial market.

What are the main pitfalls when it comes to configuring cloud storage?

When it comes to configuring cloud environments including cloud storage, inconsistency, human error, and not following security best practices are the main pitfalls. A common misconfiguration that can easily be prevented is allowing unauthenticated public access to cloud storage buckets.

What advice would you give to companies that are attempting to prevent compliance violations?

Select prioritised Information Security control metrics and share weekly metric data vs. control metric requirements to drive the right personnel compliance behaviours every day. Ensure that Information Security threats and vulnerabilities are discovered, contained, mitigated with appropriate controls, and then permanently remediated in a timely manner.

Conduct internal independent audits to ensure that the Information Security controls are operating properly. From these audits, implement cross-functional improvement actions. Then, conduct independent external audits to audit Information Security controls for compliance with national and international standards. From these audits, implement cross-functional improvement actions.

How can the risk of a data breach be reduced with a comprehensive policy?

An organisation’s risk appetite should be defined in a comprehensive security policy and then translated into a security requirement, i.e., constructing a secure environment based on industry standard security frameworks. To effectively reduce risks, the security policy must be enforceable, sustainable, and adopted by the entire organisation. The security policy needs to be periodically reviewed and updated.  

What plans does Seagate have for the year ahead?

We’ll continue to innovate on all fronts, from providing best-of-class object storage as a service, to providing a wide variety of features, tools and compatible partner solutions, allowing our customers to safely store and activate their mass-capacity data lakes.

At Cyber Security & Cloud Congress on October 5 in Santa Clara, USA, Seagate Technology will take part in a panel discussion titled ‘Addressing Cloud Computing Vulnerabilities’.

