Compliance in the Cloud: End User Security


This is the third blog in a series of blogs and podcasts covering the concepts of compliance in a cloud environment. In this series, we will provide greater insight into the concepts and best practices for many of the considerations that are generally part of a cloud compliance program. In the previous blog, we reviewed "Global Privacy Regulations". In this installment, we will be discussing the topic: "End User Security".

It seems that every week we can turn on the news and hear about the latest cyber security breach. The irony is that so many of these breaches occur with companies and organizations that have very good information security programs with mature compliance / regulatory controls. So why are these breaches occurring?

The simple answer: people, or more specifically – the end user.

A recent Ponemon Institute survey shows that employees – end users – are the cause of over 50% of the data breaches that occur.  And the numbers continue to rise.  The same survey also shows that there has been a 9% increase in data theft since the last survey was conducted in 2014. 

As much as some security professionals may prefer it, businesses are not likely to get rid of all their people to mitigate security risks.  But there are some important compliance considerations and security controls that can be implemented to help protect businesses.

Identity and Access Control: Regardless of intent, end users should only have access to resources and data sets that are necessary for their job function.  The Ponemon Institute survey shows that 62% of employees have access to data that they should not have access to.  Resolving this issue can be difficult, and often requires additional tools and workload / data inventories – all of which are resource consuming.  But the result is a cleaner, more controlled environment with users having access to all of the resources they need and none of the resources that they don't.  (Bonus: A data inventory is also a mandatory requirement to comply with Privacy Shield / GDPR regulations, and a good practice for any / every organization.)
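As an added illustration of the access review described above (example code, not part of the original post), the script below reconciles what users actually hold against what their job function needs, using a constructed data inventory and role matrix; it flags excess access, missing access and datasets absent from the inventory, and reports the share of users holding more than their role requires.

```python
"""Entitlement review: flag end-user access that exceeds job-function need.

Added example, not from the original post. The data inventory, role matrix
and sample users below are all constructed for illustration.
"""
from collections import namedtuple

# Constructed data inventory: dataset -> (owner, classification).
DATA_INVENTORY = {
    "hr_payroll":     ("HR",        "restricted"),
    "customer_pii":   ("Sales",     "restricted"),
    "marketing_site": ("Marketing", "public"),
    "finance_ledger": ("Finance",   "confidential"),
}

# Constructed role matrix: the datasets each job function actually needs.
ROLE_NEEDS = {
    "hr_analyst": {"hr_payroll"},
    "sales_rep":  {"customer_pii", "marketing_site"},
    "web_editor": {"marketing_site"},
}

Finding = namedtuple("Finding", "user dataset kind classification")

def review_access(users, grants):
    """Compare actual grants ({user: set of datasets}) with role needs
    ({user: role}). Returns Findings of kind 'excess' (held but not needed),
    'missing' (needed but not held) or 'unknown' (dataset not in the
    inventory, i.e. a gap in the inventory itself). Excess access to
    restricted data sorts first so reviewers see the riskiest items first."""
    findings = []
    for user, role in users.items():
        needed = ROLE_NEEDS.get(role, set())
        held = grants.get(user, set())
        for ds in held - needed:
            if ds not in DATA_INVENTORY:
                findings.append(Finding(user, ds, "unknown", None))
            else:
                findings.append(Finding(user, ds, "excess", DATA_INVENTORY[ds][1]))
        for ds in needed - held:
            findings.append(Finding(user, ds, "missing", DATA_INVENTORY[ds][1]))
    priority = {"restricted": 0, "confidential": 1, "public": 2, None: 3}
    findings.sort(key=lambda f: (f.kind != "excess", priority[f.classification], f.user))
    return findings

def excess_rate(users, grants):
    """Share of users holding at least one dataset their role does not need."""
    if not users:
        return 0.0
    over = {f.user for f in review_access(users, grants) if f.kind != "missing"}
    return len(over) / len(users)
```

Running `excess_rate` over a real grant export gives the same kind of figure the Ponemon survey quotes, but for your own environment.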

Anti-Virus / Malware Protection: Most IT Security professionals understand the need for anti-virus and malware protection at the end user interface, but many still do not implement it.  In fact, most of the standard regulatory control sets – such as PCI – include an AV requirement.  As the end user is responsible for most of the viruses and malware that enter a network, a company should have an anti-virus / malware policy – one that includes the frequency of AV definition updates – as part of its security and compliance strategy.  And don't forget the email servers: not only is email a vector for viruses and malware, it is also the easiest way to lose sensitive data.  There are many different email encryption and content filtering solutions on the market, depending on your business needs.

Security Awareness: One of the best ways to impact end user security – and meet that compliance related requirement at the same time – is to conduct regular security awareness trainings with all the employees at the company. Take it as the opportunity to highlight things that are important to the company, but also important to the user.  Personally, security awareness is one of my favorite things (I'm an evangelist, so I *LIKE* talking about security), and I have found that you need to create ways to relate and impart security lessons so the average person can understand.  It is also why I write blogs with a security awareness theme for holidays like Star Wars Day and World Towel Day – I use them as a chance to incorporate a security topic with something that they are likely already hearing on the news or in social media.  Over time, an effective security awareness training program can change the culture of security within a company, improve the personal security of your employees, and lead to fewer vulnerabilities.

Employees are the greatest asset, or so we have all been told.  I happen to agree, but uneducated employees can often do more harm than they intend.  I choose to believe that most employees do not break security rules and policies out of malice, but due to a lack of understanding.  As end users continue to be the greatest single vector for data breaches and security incidents, IT security professionals need to take the necessary steps to protect the company and the end users themselves from information security threats.

For the next blog in this series, we will discuss the compliance topic: "Data Protection". To learn more about cloud compliance and hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security.

To find the additional parts of this series, please search for "Compliance in the Cloud". A list of all of Chris Steffen's blogs is available on Grounded in the Cloud, and his further posts are on his Medium site.

About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.
