As we look back, 2014 could easily have been named "the year of the biggest security breaches since the beginning of forever."
The bad guys are armed to the teeth, but despite the very real technological advances many criminals are making, what really stood out to me was that current security practices and technologies could have prevented many of these breaches.
Many of the affected companies fell into a very common trap, often referred to as the "compliance = security" mindset. This thinking concludes that if a company goes to the trouble to be legally compliant -- compliant to any number of regulations, including HIPAA, PCI, etc. -- then it will be effectively "secure." Unfortunately, nothing could be further from the truth. As with many kinds of regulations, legal compliance really represents the absolute least amount of effort required.
That's not to say that compliance isn't important -- it is. And even with the best of efforts, 100% security is never guaranteed. But if cloud service companies want to give themselves the best chance to avoid the very severe consequences that come with a major breach, there are five practices they need to put in place now.
1. Continuous visibility
First and foremost, companies need to have 100% continuous visibility into their technology assets and services. In brief, you can't secure what you can't see. Know what you've got and what it's doing at all times. This sounds incredibly basic, but given the automated, elastic, on-demand nature of modern virtual infrastructure, where servers are created and destroyed in minutes, visibility can be a challenge. Once you understand what's going on with your infrastructure, applications, data, and users, you can begin to understand how to limit your attack surface and better prevent or mitigate attacks.
2. Exposure management
This means taking the visibility and transparency of the first best practice and adding context. Once transparency is achieved, companies need to eliminate the obvious vulnerabilities that are known to exist within their networks (unpatched workstations and mobile devices, insecure default configurations, etc.). Continuous monitoring tools, as well as strong vulnerability and security configuration management technology and practices, are key to mitigating exposure at this level.
3. Strong access control
It may seem self-evident, but this best practice is often implemented incorrectly. While many companies do implement access control, they often grant more access than is necessary. In several recent breaches, valid credentials were used to compromise systems that had nothing to do with the account holder's function within the organization. The accounts had that access because of the holder's level within the organization, not because the job required it. Make sure you have the appropriate access-management and privilege monitoring in place. Here the concept of least privilege is critical, as is continuously monitoring user activity so that deviations from your corporate policies are noticed rather than discovered after the fact.
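The two checks this section calls for, finding grants that exceed a job function and spotting activity outside that function, can both be run from an IAM export and an access log. The Python below is an added example, not code from the article or from any product; the role policy, the user grants and the log lines are constructed to show the pattern of a valid account touching a system unrelated to its role.

```python
"""Least-privilege audit: flag grants that exceed a user's job role, and
access events that fall outside the role's scope.
Added example; role names, permissions and log lines are constructed."""

# Permissions each job function actually needs (constructed policy).
ROLE_POLICY = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "dba": {"db:read", "db:write", "db:admin"},
    "finance": {"erp:read", "erp:post"},
}

# Grants as exported from an IAM system (constructed sample).
GRANTS = {
    "alice": {"role": "developer",
              "perms": {"repo:read", "repo:write", "ci:run", "db:admin"}},
    "bob":   {"role": "dba",
              "perms": {"db:read", "db:write", "db:admin"}},
    "carol": {"role": "finance",
              "perms": {"erp:read", "erp:post", "repo:write", "db:read"}},
}


def excess_grants(grants=GRANTS, policy=ROLE_POLICY):
    """Return {user: sorted permissions the user's role does not require}.
    These are the grants to revoke."""
    excess = {}
    for user, rec in grants.items():
        allowed = policy.get(rec["role"], set())
        extra = sorted(rec["perms"] - allowed)
        if extra:
            excess[user] = extra
    return excess


# Access-log lines, "<timestamp> <user> <action> <resource>" (constructed).
ACCESS_LOG = """\
2014-11-03T09:12:01Z alice repo:write payments-service
2014-11-03T09:15:44Z alice db:admin customers-prod
2014-11-03T10:02:10Z bob db:write customers-prod
2014-11-03T10:30:59Z carol erp:post q4-close
2014-11-03T11:47:03Z carol db:read customers-prod
"""


def out_of_role_events(log=ACCESS_LOG, grants=GRANTS, policy=ROLE_POLICY):
    """Return (user, action, resource) for events outside the user's role,
    even when a current grant permits them. The credential is valid; the
    use is not, which is exactly what a grant-based check alone misses."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, user, action, resource = line.split()
        role = grants.get(user, {}).get("role")  # unknown users have no role
        if action not in policy.get(role, set()):
            events.append((user, action, resource))
    return events


if __name__ == "__main__":
    for user, extra in excess_grants().items():
        print(f"{user}: revoke {', '.join(extra)}")
    for user, action, resource in out_of_role_events():
        print(f"ALERT {user} performed {action} on {resource} outside role")
```

The second check matters even after the first has been acted on: revocations lag, and a role policy is only useful if activity is compared against it continuously rather than at the next quarterly review.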
4. Data protection and encryption
Once strong access controls are established, along with continuous visibility, and you have mitigated known vulnerabilities, encrypt all data you know to be sensitive. Look back at some previous breaches as examples. In them you can see what kind of data needs to be protected and at what level of priority. This generally means protecting "data at rest" and "data in motion," keeping in mind that encryption is only as strong as the protection of its keys, so keys must be managed separately from the data they protect. It also means establishing technologies such as data loss prevention (DLP) so that even if systems are compromised, moving the data outside the network is far harder and far more visible.
5. Compromise management
Few companies implement policies and procedures for how to quickly handle data breaches and mitigate the damage. The bottom line is that even with sound security practices, breaches will happen; it's not a question of "if," rather it's a question of "when." To prepare for this, companies need to put processes and technologies in place that enable them to react quickly and mitigate the impact of any security breach. This means having the ability to recognize that you have been compromised and to know what you can do to limit the impact. Technologies involved here include file integrity monitoring, intrusion detection, and retention of forensic data for post-compromise analysis. Create an action plan before breaches happen, and then follow it as soon as a breach is detected.
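File integrity monitoring is the most concrete of the technologies named above, and its core is small: hash every file in a baseline, re-hash later, and report what was added, removed or changed. The Python below is an added example, not code from the article or from any FIM product; it builds a throwaway directory tree, baselines it, then simulates a compromise (trojaned binary, weakened SSH configuration, dropped preload file, deleted log) and reports the difference. Paths and file contents are constructed.

```python
"""File integrity monitoring: baseline a tree with SHA-256, then diff a
later scan against it. Added example; the tree is constructed in a temp dir."""
import hashlib
import pathlib
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root.
    Symlinks are skipped so a link cannot stand in for the file it points at.
    Timestamps are deliberately not used: an intruder can reset them."""
    root = pathlib.Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline["/".join(p.relative_to(root).parts)] = hash_file(p)
    return baseline


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo():
    """Construct a tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        (root / "var" / "log" / "auth.log").write_text("accepted login\n")
        baseline = build_baseline(root)

        # Simulated compromise (constructed): binary replaced, config
        # weakened, preload hook dropped, authentication log wiped.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "ld.so.preload").write_text("/tmp/.x.so\n")
        (root / "var" / "log" / "auth.log").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

Two operational points the code cannot enforce on its own: the baseline must be stored off the monitored host (or signed) so an intruder cannot re-baseline over their own changes, and the removed list deserves as much attention as the modified list, since deleted logs are part of the forensic data the next step depends on.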
Regardless of what kind of business you're in, or how many cloud services you use, these five pillars of security should be applied to your organization and implemented as part of an ongoing and continuous process. Remember, compliance does not equal security. It represents the bare minimum of protection. Compliance does not address anomalous activity or advanced persistent threats (APTs), where hidden malware is causing a breach over a long period.
So if you want to avoid being another headline, make sure you're implementing these five steps to limit your vulnerability.
Amrit Williams is the CTO of CloudPassage and former director of emerging security technologies and CTO for mobile computing at IBM. He joined IBM when it acquired BigFix, an enterprise systems and security management firm, where Williams was CTO.