John Chambers, then CEO of Cisco, said: “there are two types of companies, those who have been hacked and those who do not yet know they have been hacked.” Many companies thought that there is no such thing as protection. Some went further and thought that their data is already public, that compromising their business data would be of no use to anyone, and that protection is therefore not something to consider that deeply. Is that really the case?
The worst state of mind in the security arena is to think that your data is of no use to anyone and that protecting yourself just adds another complexity to your life. Until now this was an individual's way of thinking: who would care about my holiday photos? If they wish, they can go and have a look! This thinking has been so deeply absorbed and considered so normal that it has spread to small business owners' perspective on security matters: “I have a company of 10 people; one is me, one is the front desk, and these two guys are … My budget is that much, so what can they take from me?” Add the news that popular websites are being hacked every other day and this perspective is strengthened further: “if even that company, that government couldn't protect themselves, who are we to protect our company?” This comes close to learned helplessness, and the company is just about to raise the white flag without even putting up a fight.
In the field, I ask those companies: “a burglar broke into your neighbor's house, and then a thief snatched someone's wallet on the road. So why do you still lock your door and keep your wallet in a safe place?”
If we, as individuals, take measures to protect our own assets, then we have to do the same for our companies. That does not mean that we need to spend exorbitant amounts of money just to satisfy paranoia or to jump on the security bandwagon. Following best practices will allow our company to build its lines of defense.
Speaking of cloud security, you need to understand the security model of your cloud service provider. It is best to start by analyzing where the responsibility of the provider starts and where it ends, in short, where the lines are drawn: what information the service provider will deliver to the customer (vulnerabilities and exploits discovered, patches released, requirements placed on customers, security bulletins etc.) and what remains the customer's responsibility, which typically covers everything the customer configures and deploys on top of the service: accounts and access rights, data, and the applications themselves. There are many cases where the provider takes the appropriate measures but the customer does not. It is important to know all of this beforehand.
If your company is developing code, it is best to start by securing it: securing your code is 100% your responsibility. Code that has not been tested inside out and thoroughly is more likely to do harm. Even if your company has a dedicated team to test code and even if you have security testers in-house, I recommend crowdsourcing your testing as well. There are some very serious companies, uTest is one of them, who employ testers worldwide and provide really detailed reports. Employing one of these companies means that your code is tested by tens of people on very different platforms, and many more bugs and vulnerabilities are discovered than your own testing team would find.
Then comes identity and access management. Since login information is the key to your front door, you need to have a policy for access management. Many easily avoidable access security risks come from ex-employees, from outside parties (vendors, consultants etc. who have been given access) and of course from your own employees (weak passwords). Employees using weak passwords is a whole issue on its own, one that giants like Microsoft and Google are trying to solve. But the first two can easily be solved with a policy that requires a periodic review of the people and organizations who have been granted temporary access. Accounts that have expired can be disabled or removed from the central directory (Active Directory, LDAP etc.). You cannot imagine how many rogue logins sit in company directories with the “password never expires” option set.
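The review described above can be scripted. The following is an added example, not code from the original article: it audits an Active Directory user export for enabled accounts that have the “password never expires” flag set, that have passed their accountExpires date but are still enabled, or that have not logged on for 90 days. It assumes the accounts were exported with their userAccountControl, accountExpires and lastLogonTimestamp attributes (for instance via Get-ADUser -Properties …) and loaded into plain Python dicts; the SAMPLE_ACCOUNTS list is constructed, not real directory data.

```python
"""Audit an Active Directory user export for stale and rogue accounts.

Added example, not code from the original article. It assumes the accounts
were exported with their userAccountControl, accountExpires and
lastLogonTimestamp attributes (e.g. Get-ADUser -Properties ...) and loaded
into plain dicts; SAMPLE_ACCOUNTS below is constructed, not real data.
"""
from datetime import datetime, timedelta, timezone

# Documented userAccountControl flag bits.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# accountExpires values that mean "never expires".
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

# AD stores timestamps as Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here to build the sample data)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def audit(accounts, now, stale_after=timedelta(days=90)):
    """Return (account, issue) pairs for enabled accounts that need review.

    Three checks: password never expires, accountExpires already in the past
    while the account is still enabled, and no logon within stale_after.
    lastLogonTimestamp replicates only every ~14 days by default, so it is
    accurate enough for "months" but not for "hours".
    """
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue  # already disabled, nothing to log in with
        name = acct["sAMAccountName"]
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append((name, "password never expires"))
        expires = acct["accountExpires"]
        if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) < now:
            findings.append((name, "expired but still enabled"))
        last = acct.get("lastLogonTimestamp", 0)
        if last == 0 or now - filetime_to_datetime(last) > stale_after:
            findings.append((name, f"no logon in {stale_after.days}+ days"))
    return findings


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample export. 0x200 is NORMAL_ACCOUNT; the other bits are
# ACCOUNTDISABLE and DONT_EXPIRE_PASSWORD from above.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "accountExpires": 0,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=1))},
    # Service account someone set to "password never expires".
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,
     "accountExpires": 0x7FFFFFFFFFFFFFFF,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=2))},
    # Contractor whose access was meant to end on 31 Jan 2024.
    {"sAMAccountName": "vendor_tmp", "userAccountControl": 0x200,
     "accountExpires": datetime_to_filetime(datetime(2024, 1, 31, tzinfo=timezone.utc)),
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200))},
    # Ex-employee, correctly disabled: ignored even though the password never expires.
    {"sAMAccountName": "bob_left",
     "userAccountControl": 0x200 | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,
     "accountExpires": 0,
     "lastLogonTimestamp": 0},
]


def run_sample():
    return audit(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for account, issue in run_sample():
        print(f"{account}: {issue}")
```

On the sample data the audit reports svc_backup (password never expires) and vendor_tmp twice (expired but still enabled, and no logon in 90+ days); bob_left is skipped because the account is disabled, which is the state an ex-employee account should be in.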
Updating systems is a huge topic. Working as a platform administrator, I always tried to keep my systems at the latest patch level possible. Not only will you patch the security holes, you will also enable your applications to use the patched APIs/DLLs, thus making them more secure. Of course there is the issue of “breaking things”, but consider this: if your application or system breaks just because of a security patch, then you need to fix the application so that you can carry on with a more secure infrastructure, and you want to discover that in a test environment before the patch reaches production.
Next comes log management. In today's workloads, logs are mainly used for two purposes: troubleshooting and security (access logs). But logs become far more valuable once they are aggregated. Aggregating logs in an IT analytics tool will enable you to monitor for malicious activity across all of your systems at once, rather than one host at a time, and to perform detailed analyses to find the root cause of an incident. These tools will also give you a holistic view of your infrastructure as a whole: from patch levels to application behavior.
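To show what aggregation buys you, here is an added example (not code from the original article) of detection logic run over a constructed, sshd-like syslog feed from two hosts. A source address tries five or more passwords across both hosts within a few minutes and then succeeds; each host on its own sees only three failures, so a per-host threshold never fires, while the aggregated view raises a brute-force alert and then a “success after brute force” alert. The log format, host names and addresses (from documentation-only IP ranges) are all constructed.

```python
"""Detect a distributed brute-force login pattern in aggregated logs.

Added example, not code from the original article. The log format is a
constructed, sshd-like syslog line (timestamp, host, process, message);
SAMPLE_LOG is made up and uses documentation-only IP ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line):
    """Return a dict for an sshd login event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on source IPs with >= threshold failures inside a sliding window,
    counted across every host in the feed, and on any later success from
    such an IP."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> (ts, host) of failures inside the window
    flagged = set()
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            q = recent[ip]
            q.append((e["ts"], e["host"]))
            while q and e["ts"] - q[0][0] > window:
                q.popleft()  # slide the window forward
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                hosts = sorted({h for _, h in q})
                alerts.append(("brute_force", ip, len(q), hosts))
        elif ip in flagged:
            alerts.append(("success_after_brute_force", ip, e["user"], e["host"]))
    return alerts


# Constructed sample feed from two hosts, already merged by the log collector.
SAMPLE_LOG = [
    "2024-06-01T10:00:01Z web01 sshd[2210]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "2024-06-01T10:00:03Z web02 sshd[3301]: Failed password for root from 203.0.113.5 port 51235 ssh2",
    "2024-06-01T10:00:05Z web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "2024-06-01T10:00:07Z web02 sshd[3301]: Failed password for invalid user admin from 203.0.113.5 port 51237 ssh2",
    "2024-06-01T10:00:09Z web01 CRON[2300]: pam_unix(cron:session): session opened for user root",
    "2024-06-01T10:00:10Z web01 sshd[2210]: Failed password for deploy from 203.0.113.5 port 51238 ssh2",
    "2024-06-01T10:00:12Z web02 sshd[3301]: Failed password for deploy from 203.0.113.5 port 51239 ssh2",
    "2024-06-01T10:00:40Z web02 sshd[3301]: Accepted password for deploy from 203.0.113.5 port 51240 ssh2",
    "2024-06-01T10:02:00Z web01 sshd[2211]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "2024-06-01T10:02:05Z web01 sshd[2211]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
]


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
    # Per-host view: neither web01 nor web02 alone reaches the threshold.
    for host in ("web01", "web02"):
        print(host, detect(l for l in SAMPLE_LOG if f" {host} " in l))
```

The single mistyped password from 198.51.100.7 followed by a success is exactly what a legitimate user looks like and produces no alert; the same rule applied to either host's log in isolation is silent, which is the case for feeding everything into one place.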
An IT analytics tool is basically a toolkit to aggregate logs, to be further extended with additional tools. You need to have a holistic view of your IT architecture and have the relevant tools in place to cover all of your responsibilities: firewalls, anti-malware applications (endpoint security), intrusion detection, valid certificates and the like.
And finally, stay informed about the latest security information. The Internet provides the latest and most detailed information on vulnerabilities, zero-day attacks, proposed workarounds and so on. Use this wealth of information to your advantage. Learn about what types of breaches and exploits are happening in your industry, learn about ways to secure your infrastructure, and try to stay one step ahead in security matters.
To sum things up: there is no such thing as 100% security, and there is no guarantee that your infrastructure is 100% free from threats. All the things I have discussed in this article make your systems harder to breach. That means that if an attacker is obsessed with your organization, he will inevitably find a way, but in a wide-scale, opportunistic attack, having a secure infrastructure means more work for the attacker, and he will direct his efforts to less secure targets.