THE IT SECURITY PROFESSIONAL
Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
Organizations of all sizes are using mobile devices in new and innovative ways. The device may be the “something you have” part of the Multi-factor Authentication (MFA) process, as it contains an application that authenticates end users to access the business systems. Or the devices may be used to respond to the business’s needs more effectively. Managing these devices can be difficult because users may want to use their own devices. Alternatively, the organization may assign devices, as it can better manage company-owned devices without the legal liability issues that come with managing personal ones. This article explores the various security controls an organization can take to help secure these devices.
Managing mobile devices within an organization can be challenging at the best of times. This is further complicated by the emergence of targeted mobile device malware, which continues to be an attack vector that attackers look to take advantage of.
Threats to Mobile Devices
Mobile devices have become an integral part of our lives, and with their increasing use, the risk of cyber threats has also increased. Cybersecurity threats to mobile devices can come from malicious apps, phishing attacks, or other online scams. Users need to be aware of these threats and take steps to protect the data of the business and their privacy. This article will discuss the cybersecurity threats on mobile devices and how IT Security Pros can protect the organization. We will also discuss current best practices to help users stay safe while using their own or the business’s mobile devices.
Controls to Implement
Here are the actions that you can take today to help secure the mobile devices used by the business you work for:
IT Security Pro Tip: Summary
Mobile devices can and will continue to be used within the enterprise environment. The IT Security Pro’s role is to establish the controls that will be used for the secure management of these devices. Whether you are dealing with a privately owned device or one owned by the company, they should be treated the same regarding security. Helping to secure these devices against the ever-persistent threats they are exposed to will help protect the organization’s data and the information they may have access to. Securing these devices and implementing a robust management process will allow for a more effective security program within your organization.
The cloud has become ubiquitous in today’s IT infrastructure, as most organizations have adopted it as an integral part of their infrastructure architecture, but it continues to be difficult to implement and set up properly. While there are controls and specific settings that can be applied to your cloud resources, it is important to understand which ones to apply and how to apply them. This begins with choosing the right service provider and developing an overall strategy for how it will be implemented within your company.
1. Determining the Right Service Provider
This begins with determining the right service provider. While there are a couple of HUGE players in this area (we don’t need to drop names here), they are not the only ones these days, as more and more independent or affiliated providers are becoming competitive in the market. When implementing cloud security, it’s not just the data center that you are evaluating. It is the services that the provider has to offer and what types of security application resources they have to offer. Understanding what you will be using the cloud infrastructure and resources for is an important part of the evaluation and implementation process. The controls that are used to secure the cloud infrastructure will be different depending on its usage within your infrastructure. This is a key component of securing the cloud: treating the cloud as part of the network, and securing it as you would the systems within your corporate firewalls.
2. Zero Trust
DON’T TRUST ANYBODY! REALLY, I MEAN IT, DON’T TRUST ANYBODY! This seems to be a great mantra these days, as we find that even the slightest chink in the armor of a well-protected network can lead to a compromise. Employing Zero Trust across your cloud infrastructure will allow you to enforce and implement security controls that require your users to validate who they are by multiple methods. Why is this important? Because the cloud is one of those resources where, once an attacker is able to compromise a server, an application, or even a service, it is easy to pivot and try to get into other resources of the same company (yes, even if they are logically separated) or even a different one for that matter. Zero trust allows you to verify and restrict all users regardless of who they say they are. This is critical for those services that your organization depends on to deliver for your customers and clients.
3. Access Management
Once the service provider has been determined, it is important to determine who will gain access and how they will be granted it. The various service providers all have the capability to help determine who will be granted access. Additionally, they may have the capability of implementing multi-factor authentication (MFA). Logs and access events will also be recorded and documented, which is important if you want to know who is accessing your cloud resources and when.
4. Endpoint Security
Securing your endpoints in the cloud is one area that most organizations neglect when setting up and configuring their resources. This is a mistake, and these assets should be protected as much as the systems that sit in the office or in the homes of your employees. It’s important to have the same security measures in place for your cloud assets. A majority of organizations assume they can depend on service providers for their security controls, even when this is not the case. The organization pays for the hardware and the bare metal of the servers and the infrastructure in which those assets reside. It is up to the company to employ endpoint security measures to secure those endpoints. Whether this means employing malware detection software or scanning those assets for vulnerabilities, it is important that those systems are managed in a similar manner to those that are on premises.
5. Network Monitoring
One of the key areas of monitoring will be the network environment. This is especially true of the resources and infrastructure that you are utilizing in the cloud. This resource is something that your business will be paying for, and it is important that it be utilized effectively. Traffic, access, and utilization are all important aspects that should be monitored closely by any company.
6. Define Cloud Usage Policies/Procedures
No matter why you are using the cloud, defining the policies and procedures that you will use is important for your company to establish right away. The reason for this is that resources in the cloud are finite and you may be restricted by capacity or availability, and even monetarily. These restrictions can be detrimental to an organization that is using the cloud infrastructure to enhance its network environment. Establishing the guidelines for its usage is important, as it will lay the groundwork for future development and utilization of those resources.
7. Determine Trusted Services
What services are you employing using the cloud? Setting up trusted services allows the organization to employ automated processes to help secure those services in a timely manner. One example is the deployment of certificates from a trusted certificate authority as soon as the previous one has expired, which allows your IT Security staff to be one step ahead of a potential bad actor. Establishing the trust relationship will enable an organization to secure its perimeter by trusting that those services meet specific requirements. It’s important for an organization to determine what specific factors it will want in a trust relationship and how those factors are measured. While most cloud providers will be able to help in this process, it is important that IT Security Pros follow up and do their own evaluation.
8. Manage Data
Understanding your data and how it will be transmitted and stored is important, especially when monitoring network traffic. Data can accumulate at a rapid pace, and it can be difficult to sift through the complex and exhaustive logs and datasets. Developing a process for how this data will be managed and monitored will help to make sure that this information is manageable. Depending on which industry you are working in, there may be specific requirements as to how long the data will need to be stored. It is important to understand these requirements, as they will affect which standard your organization adopts. With data storage, it all comes down to the capacity to store the data and how it is managed once it is collected. Having this addressed when you set up your cloud environment will go a long way in saving headaches later on.
9. Adopt a Standard
While there is a myriad of standards out there, it is important to pick and adopt a standard that makes sense for your organization. This may be due to the type of work your company does, or industry-specific requirements. Whatever the reason, adopt a standard.
Here are some cloud-related standards to consider:
Having an established baseline to build from will help to determine configurations and settings that will be employed during the development of your cloud infrastructure. Being compliant with these standards is different from being certified, as the majority of the standards listed here require a third-party assessment in order to validate their processes.
Summary
Organizations are continuing to adopt cloud services in order to realize the cost savings and the flexibility that these service providers are able to offer their business. No matter the reason that you are looking to adopt the cloud infrastructure, it is important to remember that there are things that you can do to help secure the environment and infrastructure. By employing the 9 Cloud Security Best Practices as outlined in this article, your organization will greatly benefit from the enhanced settings and configurations outlined here.
With the continuing evolution of Smart Meters and the need for ever more data, companies are finding that they need to protect information that didn’t need to be protected before. Whether the utility provider is using data analytics to provide energy insights to their customers or using the information in new ways in order to provide value to a potential client, it comes down to IT Security to come up with ways to protect that data. While big data, smart meters, or other networked sensors provide a vast amount of data, the use of the cloud and “Big Data Analytics” has the ability to provide insight into the end consumer’s behavior and how they use their utility services. It is in this combination of sources and the ability to correlate the data in a meaningful manner that cyber criminals are finding weaknesses in how the data is protected. It is up to the utility or the support services provider to protect that data.
Protecting the Undefined
Much of the data that is collected and correlated through analysis is being handled by organizations that may not have been responsible for this type of data in the past. For a large number of utilities and service providers, this is new territory that they are banking on to provide their customers information that will help to benefit their business. Part of the challenge is identifying what is considered Personally Identifiable Information (PII) and what steps should be taken to protect that data. Defining the limitations or the extent to which those protections should be implemented will help businesses allocate the resources that will be needed to protect that information. Since this has not been an area of focus for any specific regulatory requirement, the implementation of current IT Security industry best practices has helped to fill this gap.
PII Defined
The following definitions and information are what is “normally” thought of as PII. But due to the nature and the type of data that is collected from utility customers, this data provides only a small part of the overall picture of the end consumer.
Typical Datasets
Some typical datasets that are collected or that are used as part of the analysis process may be any of the following:
While these are not typically used as PII, they can be used in conjunction with other publicly available data to provide targeted and detailed information about the end consumer that would not be available otherwise. This information does not identify one particular individual, but a whole category of individuals. But if the attacker knew a small piece of the information about a particular target, they would be able to collect additional information in order to create the “bigger picture” of who they are going to target.
Business Benefit v. Data Protection
When utilities collect data on end consumers, it is used to help the utility provide better services to the customer or to help with the overall effectiveness of the grid network and energy resource delivery. What these information providers are finding is that it is becoming ever more important to protect the data that they have collected and are conducting analysis against. While the end consumer is driving this demand, utilities and support service providers are finding that they have to comply with this requirement as well.
Securing the Data
When a utility obtains data points on consumers, they are usually stored in large data repositories, and this is where data can be readily accessed. This data pool is used to perform analysis against and can be accessed by a number of entities. This is especially true if the company employs a third-party service provider that will use the data to provide detailed information for use by the utility. This data repository is also where security controls can be implemented that help to protect the information and its integrity within the data sets that are used for analysis. Encrypting the data at rest and in transit, and only using secure and proven methods of transmission and storage, is one of the ways in which this data can be secured. Preventing or restricting access to this data can also be helpful in preventing the loss or the leakage of this sensitive data.
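Before an extract from the repository is handed to a third party for analysis, the linkage risk described earlier can be measured. The following is an added example, not part of the original article: it computes k-anonymity (the size of the smallest group of customers sharing one combination of released attributes) and picks the least coarse postal-code generalization that meets a chosen k. Field names, band boundaries and sample rows are constructed assumptions.

```python
from collections import Counter

# Constructed sample extract; field names and values are assumptions for illustration.
ROWS = [
    {"postal_code": "T2X1A4", "dwelling": "detached", "avg_daily_kwh": 31.2, "peak_hour": 18},
    {"postal_code": "T2X1B7", "dwelling": "detached", "avg_daily_kwh": 33.0, "peak_hour": 19},
    {"postal_code": "T2X2C1", "dwelling": "detached", "avg_daily_kwh": 35.5, "peak_hour": 20},
    {"postal_code": "T2X1A4", "dwelling": "apartment", "avg_daily_kwh": 9.8, "peak_hour": 7},
    {"postal_code": "T2X3D2", "dwelling": "apartment", "avg_daily_kwh": 11.1, "peak_hour": 8},
    {"postal_code": "T2Y4E9", "dwelling": "apartment", "avg_daily_kwh": 10.4, "peak_hour": 9},
    {"postal_code": "T2Y4E9", "dwelling": "detached", "avg_daily_kwh": 36.0, "peak_hour": 18},
    {"postal_code": "T2Y5F3", "dwelling": "detached", "avg_daily_kwh": 32.4, "peak_hour": 21},
]

# Attributes an outsider could plausibly match against public data.
QUASI_IDENTIFIERS = ("postal_code", "dwelling", "usage_band", "peak_period")


def generalize(row, postal_prefix_len):
    """Return the released view of a row: exact readings become coarse bands."""
    kwh = row["avg_daily_kwh"]
    usage_band = "low" if kwh < 15 else "medium" if kwh < 30 else "high"
    hour = row["peak_hour"]
    peak_period = "overnight" if hour < 6 else "day" if hour < 17 else "evening"
    return {
        "postal_code": row["postal_code"][:postal_prefix_len],
        "dwelling": row["dwelling"],
        "usage_band": usage_band,
        "peak_period": peak_period,
    }


def group_sizes(rows, postal_prefix_len):
    """Count how many customers share each combination of quasi-identifiers."""
    return Counter(
        tuple(generalize(r, postal_prefix_len)[q] for q in QUASI_IDENTIFIERS)
        for r in rows
    )


def k_anonymity(rows, postal_prefix_len):
    """Size of the smallest group; 1 means at least one customer is unique."""
    sizes = group_sizes(rows, postal_prefix_len)
    return min(sizes.values()) if sizes else 0


def rows_at_risk(rows, k, postal_prefix_len):
    """Number of customers sitting in a group smaller than k."""
    sizes = group_sizes(rows, postal_prefix_len)
    return sum(n for n in sizes.values() if n < k)


def pick_release_level(rows, k, levels=(6, 3, 2)):
    """Return the longest postal prefix that still gives k-anonymity, or None.

    None means no tested level is safe, so the extract should not be released as is.
    """
    for prefix_len in levels:
        if k_anonymity(rows, prefix_len) >= k:
            return prefix_len
    return None


if __name__ == "__main__":
    for level in (6, 3, 2):
        print(level, k_anonymity(ROWS, level), rows_at_risk(ROWS, 2, level))
    print("release at prefix length:", pick_release_level(ROWS, 2))
```

With full postal codes every sample customer is unique even though no name or account number is present, which is the "category of individuals" problem in miniature.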
There is also a growing use of the various cloud services to provide the processing and storage capacity that is needed for these large data pools of information. Adhering to an established IT Security standard may provide some guidance on how to handle this information.
Compliance & Regulation
In North America there are two main compliance certifications that are becoming important for utilities and support services providers to follow, or at least to adhere to. These are:
While these compliance standards don’t directly describe or impose specific requirements for the use and storage of the type of data that is collected by utility service providers, they do provide industry best practices for how to store and transmit sensitive data.
Protecting the Consumer
Utilities and support service providers have an obligation to protect the data that is collected and used or stored by the organization. Whether the data is stored in the cloud or used by a third party for running analysis against, it is important for the company to take the needed steps to make sure that the information does not fall into the wrong hands. Utilities and support service providers can do the following:
Summary
While companies have the ability to transform data that they get from diverse sensors, meters, and network nodes into actionable data, businesses that use this information have an obligation to keep the data safe and secure. Data that seems to be just noise in the background can be used in conjunction with other information to provide a more inclusive picture of a customer, or a potential cyber victim. The amount of electrical usage and the times at which that usage is recorded can all be put together in order to form a more complete profile of a potential target. While knowing this information may provide the business an advantage against a competitor, it can also pose a risk if that information is not protected.
Special Mentions
A special thanks to Robert Smith, who can be reached at his website TheDataScienceGuy, for helping to review and critique this article.
What seems to be all the buzz these days is the deployment of critical infrastructure or Software-as-a-Service (SaaS) applications into a cloud environment in order to provide additional security. While most businesses are looking for the benefits that this offers to them and their customers, an area of concern is whether it aligns with their business operations and whether the security meets their specific needs or requirements.
Cloud Security
Companies and organizations are looking for the following when it comes to the migration of their infrastructure to the cloud:
Centralized Security
Cloud security is all about control. If you are able to control access requirements and resources from one online portal, the company will save on having to deploy specialized personnel to a data center. This is how services such as AWS (Amazon Web Services) are accessed and managed. The centralization of the security means that the IT Security Pro will have more time to devote to other areas of the infrastructure, like perimeter defenses or vulnerability scanning.
Reduction in Costs
One of the biggest reasons, if not the sole reason, that an organization will choose to deploy infrastructure or applications to the cloud is the cost savings it gets from using the resources that are available within that environment, whether it is the bandwidth, the server resources, or just the overall cost savings from not having to pay for a capital expenditure. Businesses continue to move to the cloud in order to gain a financial benefit from the move. This can be a significant amount, so security and how it will be used within that environment should be understood before anything moves to the cloud.
Reduced Administration
The reduction in costs that a company might see from moving to a more cloud-centric environment is directly associated with the reduction in administrative costs. With streamlined services and online portals to access all of the resources in the cloud infrastructure, companies may employ fewer admins than they would if they had to create the environment on their own. Also, the people who do fill these admin roles are going to be crucial to the deployment and maintenance of the cloud environment after the deployment.
Reliability of Services
When we look at cloud services, one of the most significant aspects that we take into consideration is the reliability of the services that are offered (up-time percentage is a BIG one here). Additionally, we look at the redundancy of various services such as:
Summary
While there are a lot of reasons to move to the cloud, a business should determine how it will address security and what sort of benefits it is looking for from this critical realignment of its network architecture. Whether it happens to be overall cost savings or the enhanced capabilities that the cloud offers, IT Security and how it will be addressed needs to be a part of the discussion. After the critical assets are migrated is the wrong time to try to figure out how your security posture will be affected by such a move.
When most security professionals think of Business Continuity Planning (BCP), they think about how to back up their systems or about creating a hot site in which to work and back up their data in case of a disaster. While all of these are crucial components to creating a successful recovery plan, it is important to remember that most businesses currently employ some sort of cloud services technology in their day-to-day business operations. Why not use that already created infrastructure for business continuity?
Cloud Infrastructure
When planning to create this type of plan, it is important to understand your infrastructure and how it is currently being utilized. The second critical component is to understand the criticality of the various systems and processes. The reason for this is that they will be your drivers for which systems or services get top priority in your planning process. You have a Business Impact Analysis (BIA), right? Securing the cloud infrastructure that you already have will be an important first step. Some cloud service providers already do this for you automatically, but others may not do so. Therefore, it is important that you back up all of your critical cloud systems and processes first.
Backup & Storage
When using the cloud for your business continuity planning, it is important to remember that you want to use the capabilities of the service to your advantage. Using the various physical locations in which you are able to have data stored will help to provide geographic diversity in where your data is physically stored. This data in some cases can also be mirrored from one location to another, giving you additional redundancy if it is needed.
Flexibility
One of the key benefits of using the cloud for business continuity management is its ability to be flexible with the amount of data that is stored. This information can grow and be moved around as needed within the cloud infrastructure as well. Additionally, long-term cold storage can also be used for data that may not be accessed on a regular basis. This provides a depth of continuity that would cost more to create within your company than to use what you already have access to.
Automated Processes
An important factor that companies will look at is whether they can automate the process for data backup. While in most instances this is a manual process (meaning hands on by the staff employed to carry out the specific tasks), with the cloud infrastructure you are in most instances able to automate the following areas:
Recovery Time Objectives
One key aspect that any business will have to take into consideration when looking at continuity planning is how long it will take to recover the data in case of an incident. Whether this is driven by service level agreements or by customers, it can be a critical target to achieve. Meeting these objectives will be challenging, but using the cloud to achieve them is easier due to how the infrastructure is created and deployed. Downloading and requesting data from your backup storage site may take a few hours to request from the cloud service provider, but because it is already a part of the infrastructure, it will be easier than working with an outside service provider and requesting data tapes from a secured location some hundreds of miles away from your recovery site. When time is of the essence, getting the information you need in a timely manner is the name of the game.
Summary
While most business continuity planning involves thinking outside the box, it is important to remember all of the resources that you have at your disposal for the planning process. Thinking of new ways to use current or existing technologies will enable the business to have a cost-effective solution without having to sacrifice more capital. Being able to use the cloud to store your data and as a recovery repository in case of a business-impacting event will save you both time and effort in the end.
Securing Your Data in the Cloud
As businesses and government agencies continue to move their data to the cloud, IT Security Professionals have to balance the benefits that the new platform allows and the concerns that continue to persist around the security of the data that is stored there. The data secured in the cloud can be some of the most critical to your organization or business. The high availability of the information may be a reason for the move of the data to the cloud, but maintaining the integrity of the information should be the focus of the IT Security Professional when selecting a service provider. Some key features that will help in determining your organization’s use of the cloud should be:
Encryption from End-to-end
All interaction should happen via a secure connection over an SSL transmission (TLS 1.2) to guarantee that the data is secure. This should be accomplished with a direct connection either to the service provider’s network or via a VPN connection. The connection to the systems should terminate on the inside of the service provider’s network and not at the firewall. This provides you with direct access to the hardware that you are paying for and enables you to manage that hardware directly.
Encryption at Rest
The service provider should provide encryption of the data at rest. This will allow you to comply with regulatory requirements that call for secure storage of data and the protection of sensitive information. Whether you are dealing with HIPAA or PCI DSS requirements, it’s always a good idea to encrypt the data, even in the cloud. The physical hardware where the sensitive data is stored should also be encrypted using AES-256, with the master keys rotated on a regular basis in order to ensure the protection of the information in accordance with current cryptographic best practices.
Vulnerability Management Monitoring
The service provider should also be conducting vulnerability assessments. With a top-of-the-line service provider, these should be on an ongoing basis. There should also be an automated process for finding vulnerabilities and addressing potential threats while conducting the assessments. The vulnerability scanning should identify critical threats as quickly as possible, with a remediation process in place after the vulnerability has been identified. Vulnerability scans should also be able to be scheduled or automatically kicked off at specified dates or times. The service provider should also provide an on-demand feature that allows for manual starts to the scanning process. This will allow you to scan your systems on your time, and not that of the cloud service provider. On-demand scans are helpful for measuring the effectiveness of remediation efforts after vulnerabilities have been found during an assessment.
Access Controls
The service provider should provide the ability to limit access to your data in the cloud. Using role-based access controls (RBAC) would allow you to target what information will be available to each individual in your organization who will access it. This also allows for an audit trail for when you start looking at a certification that requires it. The use of RBAC will allow you to specify what resources are available and have complete control over the process.
Data Storage
The data that is stored in the cloud should only be stored for a specified time. After the specific date that is agreed upon (in the service contract), the service provider deletes the data as specified. The deletion process should be rigorously enforced with the service provider. Specific requirements should be clearly defined and expectations documented within the service agreement contract.
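One way to check that the deletion dates agreed in the service contract are actually being enforced is to audit an inventory export of the stored objects. This is an added example, not from the original article; the data classes, retention periods and inventory rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Retention periods per data class, in days, as they would be written into the
# service contract. Classes and values are assumptions for illustration.
CONTRACT_RETENTION_DAYS = {
    "billing": 7 * 365,
    "access_logs": 180,
    "analytics_tmp": 90,
}

# Constructed inventory export: object key, data class, creation date.
INVENTORY_CSV = """key,data_class,created
invoices/2015-03.parquet,billing,2015-03-31
invoices/2021-11.parquet,billing,2021-11-30
logs/vpn-2022-05.gz,access_logs,2022-05-15
logs/vpn-2022-12.gz,access_logs,2022-12-01
tmp/model-run-41.csv,analytics_tmp,2022-09-20
tmp/export-old.csv,,2020-01-10
"""


def audit_retention(inventory_csv, policy, today):
    """Compare stored objects against the contractual retention periods.

    Returns (overdue, unclassified):
      overdue      - list of (key, days_past_deadline), worst offender first
      unclassified - keys with no known data class; their deadline cannot be
                     verified, so they are reported instead of silently passed
    """
    overdue, unclassified = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        limit = policy.get(row["data_class"])
        if limit is None:
            unclassified.append(row["key"])
            continue
        age_days = (today - date.fromisoformat(row["created"])).days
        if age_days > limit:
            overdue.append((row["key"], age_days - limit))
    overdue.sort(key=lambda item: item[1], reverse=True)
    return overdue, unclassified


if __name__ == "__main__":
    late, unknown = audit_retention(
        INVENTORY_CSV, CONTRACT_RETENTION_DAYS, date(2023, 1, 15)
    )
    for key, days in late:
        print(f"still stored {days} days past the agreed deletion date: {key}")
    for key in unknown:
        print(f"no data class, retention cannot be verified: {key}")
```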
While there are current regulations that require access to data over a set period of time (3, 6, 9 months to 3, 5, and 7 years not being uncommon for some industries), active management of the information will allow you to take advantage of the ability to move the data around within the cloud infrastructure. Some service providers offer a cold storage capability that allows the data to be stored for a longer period of time at a reduced price.
Maintaining the Cloud
Maintenance of the cloud infrastructure should be as invisible as possible to you and your team. The maintenance of the hardware should not affect your organization, and the specific uptime or downtime requirements should be spelled out in the service contract. In order to protect your information, some maintenance will need to happen, but limiting how that impacts your organization will be an important factor to work out.
Physical Security Controls
One of the key features for storing your data in the cloud may be the extra security measures that can be implemented by the service provider. With the skyrocketing costs of security these days, a little more protection could go a long way in protecting your data. A cloud service provider should have video monitoring of the server farm (as well as external security monitoring) and strict controls and processes for accessing it. The controls should also include how the data center is physically constructed and how security has been worked in from the floor to the roof.
Compliance and Auditing
Compliance and auditing should be looked at as a differentiator in this field. Look for broad certifications such as ISO 27001 or SOC 2 compliance. These certifications mean that the service provider has been able to show that it is in compliance with the standard’s required controls. If you are in a highly regulated industry, make sure that the certifications that the service provider has (PCI DSS, HIPAA) are compatible with what you are doing as well, and that the certifications are for the specific location where you have your data stored. (Some service providers will split where the certifications are good for, since some controls are more stringent than others.) Identifying these issues ahead of time will save you a lot of heartache in the end.
Summary
While there are many benefits to utilizing the cloud infrastructure, there are also some issues that will need to be addressed prior to choosing your service provider. The great benefits of the flexibility of the service and the ability to access information and services from any location are a huge selling point. Nevertheless, understanding that certain things need to be in place in order to make the transition from an on-premises infrastructure model to a cloud-based model will provide you with the enhanced capabilities that you need for your business and the flexibility to grow and add additional resources as your organization continues to grow.
IT Security Pro
Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.