This chapter covers the importance of software updates. It may seem like a boring topic, but keeping software up to date is essential to good security. We also talk about how a provider can implement updates without interrupting your service. You'll understand how those updates have prevented issues in the past and where to look for new SAP notes, which detail fixes. You should be able to ask intelligent questions about their update policy to make sure it's as aggressive as you need it to be.
With companies like SAP recently announcing near-record highs with customers since the start of their cloud integration, it seems obvious cloud migration can’t be avoided. However, with migration comes new security and disaster recovery prevention needs.
8 industry experts shared their top tips and strategies for cloud security and disaster recovery planning.
Align Your Strongest Teams
Not everything needs to go to the cloud. Identifying what to migrate will help reduce an agency's data footprint and save project time.
Also consider your teams that easily adapt to change – they should be moved to the cloud first. This way, these teams can flag potential security issues and provide leadership with feedback ahead of the wholesale migration.
- Shyam Oza, Senior Product Manager at AvePoint
Single Sign-On for Efficient Management
Undertake due diligence when selecting a Cloud Service Provider (CSP). Review the CSP's security history and references; ask about known security vulnerabilities and be sure the service agreement covers all-important eventualities.
Use Single Sign-on (SSO) as an efficient way to manage hundreds of user accounts. Automatically removes access privileges when someone leaves the company and save users from having to remember multiple passwords for access to different applications or services.
- Julian Weinberger, Director of Systems Engineering, CISSP at NCP engineering.
Encrypt everything with AES256 - all data in-flight and at-rest should be encrypted; it's just too easy these days for someone to tap into live traffic streams or data sitting on disk.
Ensure your cloud offers a DDoS shield, IPS (intrusion prevention services) and IPR (IP reputation) protection. The ability to stop massive DDoS attacks, brute force attacks, and malware spreading bot networks is essential to keeping your business online.
- Mike Chase, CTO dinCloud
Continually monitoring for security and for configuration vulnerabilities is crucial. Even the most secure cloud providers only offer security OF the cloud. The user is responsible for security IN the cloud. As groups, roles, devices, etc. change, oversights and misconfigurations open vulnerabilities that lead to outright hacks or a Financial DDOS. A single misstep can compromise your entire infrastructure.
- Josh Rosenthal, CloudSploit
Synergize Security Best Practices, Cloud, and SDDC
Large organizations are actively developing cloud-based applications, embracing SDDC (software-defined data center) technologies, and moving production workloads to the public cloud. This strategy delivers benefits like lower cost, simpler operations, and accelerated application deployment.
However, they also have a profound impact on cyber security. Why? These new technologies aren't well understood and organizations often lack the right skills or controls to address cloud/SDDC risks or respond to security incidents. Smart CISOs will address these gaps with security policies, controls, and monitoring that align current best practices with burgeoning cloud and SDDC security requirements.
CISOs must improve cloud security skills, processes, and technologies or quickly face a future of ever-increasing and unacceptably high IT risk. Does this mean shunning traditional security processes and controls? No. To achieve synergy between security best practices, cloud, and SDDC, security technologies should include:
- Familiar management tools and techniques
- Comprehensive visibility, monitoring, and reporting
- Support for cloud automation and orchestration
- Advanced security controls designed for cloud and SDDC
A pragmatic cloud security strategy can build upon existing security best practices and leading technologies that extend their support to cloud and SDDC.
- Donald Meyer, Head of Product Marketing for Data Center and Cloud Security, Check Point Software
Start by enabling two-factor authentication (2FA) wherever possible, implementing centralized user management for cloud applications, and increasing visibility within those same cloud applications.
Passwords remain a primary source of breeches, and will forever be that way as long as a human is required to remember something. Whether it's a simple password guessing attack against your Twitter account or a sophisticated spear-phishing attack against executives, the impact of a successful attempt to compromise a password can be mitigated by enabling and enforcing 2FA. With 2FA, even if a password is compromised, without that other piece of information, the attackers cannot access the account.
The next step would be to centralize and improve user management workflow for your cloud applications. Most organizations are fairly good at adding or removing users from their on-premise systems, or at least have something that will allow them to do so. Whether they are actually disabling inactive users and checking for appropriate access rights every 90 days notwithstanding, organizations need to extend their on-premise capabilities to the cloud or mirror them through another solution. Not doing so greatly greatly increases the risk that unauthorized access to cloud applications can occur.
Last step: make sure you have visibility into your cloud applications. This is another common on-premise security capability that is not always easily extended into the cloud. Without a reporting ability that gives user statistics and information, it is going to be very difficult to make sure you have disabled inactive users and removed inappropriate access every 90 days.
- Conrad Smith, CISO, Bitium
Invest in DRaaS
Because the threat of ransomware is fragile, it's critical for organizations to invest in both backups and real-time recovery. In the face of a cyber attack, backups are key –providing a second copy of data, protected offsite.
In addition, some organizations are large enough to have the capital and headcount to oversee private data centers in one or more locations where they can actually manage the backup replication, monitoring and testing in-house.
Many midsize organizations, however, can't afford that luxury. If multi-site recovery isn't an option, organizations should look for a DRaaS (disaster recovery-as-a-service) provider that has data centers in several different regional locations. In case of a crisis, this allows organizations the option of recovering data from an offsite backup location or quickly failing over to another location that hasn’t been compromised.
- Derek Brost, Director of Engineering at Bluelock
Treat security as a process, not an event
Achieving some measure of security requires a specific mindset that every organization needs to understand and then internalize. It doesn’t matter if you’re VISA or a neighborhood bank or a small business – every organization is more and less secure over time, since the nature of cyber attacks constantly evolves. The process of security means adjusting and learning accordingly. A head-in-the-sand approach ensures that an organization will become less secure.
Patching is for sweaters and tires, not firewalls. Piecemeal approaches to security simply don’t work. Patching a hole or fixing a bug, and moving on – that’s hardly the stuff of which effective security policies are made. Because security is a moving target, scattershot repairs ignore the hundreds or even thousands of points of vulnerability that a policy of ongoing monitoring can help mitigate.
- Adam Stern, Founder and CEO of Infinitely Virtual