In this post, we take a look at what security and dev teams should both do, and not do, to create a security-friendly environment.
Security is the responsibility of all of us. Given the visibility and public disclosure that results from cyberattack breaches, cybersecurity and enterprise readiness have become very important topics. What’s enabling most cybercrimes is simple human error, such as trusting instructions that are sent electronically, or being taken in by complex scams in which criminals pose as clients, vendors, employees, executives, or other professionals in order to gain access to financial assets.
For this reason, we’ve comprised a list of do’s and don’ts when it comes to cybersecurity.
Let’s Start With the Cybersecurity Do’s.
DevOps + Sec: We’ve recently written about DevSecOps and it’s important enough to mention it again here. DevSecOps is both an opportunity and an obligation for cybersecurity to become embedded in and a critical partner to the DevOps movement, which is a transformative trend for many enterprises. The DevOps approach is aimed at bringing new application services to production faster than legacy change control practices. With DevSecOps, security also has a role to play in ensuring that continuous delivery practices also embrace good security practices.
Cloud Security Strategy: With so many organizations adopting a cloud-first approach, cybersecurity pros need an update so they are equipped to manage and mitigate the security challenges of the cloud. Yes, many tried-and-true best practices from the on-prem world are applicable to cloud environments. However, a number of aspects of cloud operations are different and practitioners must be aware of security issues that are the same for cloud-hosted resources as well as being aware of the new challenges.
The questions are many: How will you manage backup/recovery/high availability, SaaS application security, audit and reporting needs, cross-border data restrictions, differences of security capabilities among different cloud platform providers, ever rapidly changing demands of the business (and on and on)? Industry analysts such as Gartner suggest that keeping up with the pace of change and amount of data to analyze is beyond our human capability. Early trends propose that further automation via data analytics and robotics will make the cybersecurity task more achievable. It’s very early, but we should be monitoring their development.
Attribute-Based Access Control: Typically, when someone thinks about cybersecurity they think firewalls, encrypted data, and monitoring network activity, which are critical and should be implemented. However, as a foundation for cybersecurity, organizations should start with a policy-based approach to user access, implemented with Attribute Based Access Control (ABAC). ABAC enforces enterprise-wide user access to data based on business and security policies to govern who can access certain information and under what conditions. This methodology of access control uses attributes to build policies that help define precise scenarios under which access should be granted. ABAC uses a standards-based and rich policy language to capture policies and rules; it centralizes access control policy management and is easily scalable across multiple layers – applications, data, APIs, microservices, and Big Data.
Also known as dynamic or externalized authorization, this kind of contextual access control helps enterprises solve complex issues around insider threats, outsider threats, compliance, and privacy. It enables specific policies allowing for many distinct inputs into an access control decision, providing a large set of possible combinations of those variables to reflect an extensive set of possible rules, policies, or restrictions on access.
Activity Tracking and Analytics: A reliable secure infrastructure is designed to monitor, aggregate, and filter activity data within large and complex architectures, which brings us to our final “do.” When selecting and building a network monitoring solution, IT managers should consider a flexible and scalable solution that can adapt to existing network architectures and grow as a network grows – such as a cloud-based network that will inevitably be added to your environment. A new category of software, user and entity behavior analytics (UEBA), has emerged to help detect anomalies that are outside of normal behavior patterns. UEBA has evolved alongside security information and event management (SIEM) systems, which aggregate and report on activity logs in your environment. It is important to observe how these two technologies will evolve over time, or if in fact other analytics capabilities will be required to manage the amount of log data being generated by all services, devices, users, bots, etc.
That Concludes Our Do’s, So Now It’s Time for a Few Don’ts
Ignoring Training and Corporate Compliance: According to the 2017 Verizon Data Breach Investigations Report, twenty-five percent of successful breaches involved employees compromising the system from within, using their assigned access rights. The weakest link in many incidents is a user making an erroneous click on a harmful link that exposes a business to malware, ransomware, or other security threats. Establishing security policies and holding employees accountable is a delicate balance when creating policies and practices that make the most sense for the business. Since 25 percent of successful breaches come from within, the remaining percentage leads us to our second don’t on the list.
Overlooking the Security of your Vendors or Other Third-party Partners: Do you even know who all your third-party providers and vendors are? The list is likely changing on a frequent basis with business units and service teams outsourcing any number of tasks of functions. In this case, a solid security foundation is your best defense. Security best practices for third parties should be developed, reviewed, and enforced to cover this potential vulnerability.
Security is an Attitude, not a Procedure: Don’t forget the human element. It is easy to fall back on hammering staff about security policies and procedures under the guise of “awareness training.” But it’s more about instilling the proper attitude and perspective within your organization. It’s time to emphasize the business value aspects of good security hygiene in 2018!
Cybersecurity is key to the success of any enterprise. With cybercriminals becoming increasingly creative about finding the weakest link in an enterprise it is important to implement every cybersecurity measure possible and avoid anything that can leave an enterprise open for attack.
Not sure where to start? Check out our Access Control 101 White Paper on Attribute Based Access Control.