Security is Security, regardless of location

Let’s face it, the cloud is here to stay. If you are resisting it because of security, then you are probably not security focused with your on-premises assets either. Psychologically, it is always reassuring to know that all your data sits within your firewall, secured by the lack of access and reachable only through a pipeline that you control at all times. That alone is a false sense of security that gets companies in trouble, because it creates ease of mind and leaves you in a dangerously relaxed state. Vulnerabilities are not a simple by-product of the geographic location of data. They exist because of a lack of focus on governance and on rigorous processes that continuously revisit your security policies. Some of the higher-profile breaches we hear about in the news have come from within. It is not always a hacker finding a path from the outside in; often it is an outsider exploiting you with methods that require one of your own people to expose your data, whether inadvertently or deliberately.

The security products in the marketplace that advertise securing all things IT are numerous, and most of them are good products. None of them can replace well-designed processes and frameworks that keep your chances of a breach minimal. Humans use software, so humans need to be governed to ensure they are not the cause of a breach.

Are security reviews injected at various layers of your IT ecosystem? They should be. The difference between a good secure infrastructure and a great one is the cadence at which you revisit your security framework to keep up with the changing IT landscape. I am not suggesting endless meetings, but a realistic dose of recurring security reviews and updates to your security processes and framework.

How to proceed:

  1. You should hire an external firm to review your security
    1. You need somebody to tell you that your baby is ugly.
  2. Make auditing a quarterly exercise at a minimum
    1. Update your auditing checklist often.
  3. Inject security reviews in everything IT
    1. Do you have a BYOD policy? If your employees can bring their own devices into the workplace, make sure you are managing these devices.
    2. How are you ensuring company owned assets that leave your building are secure in case they are lost or stolen?
    3. How are you ensuring company owned assets that never leave your building are secure?
  4. Even the most technical of employees are not security focused
    1. If you have in-house developers, make sure their code is reviewed by their peers or an external development firm. Developers never think there's anything wrong with their code.
  5. Eliminate shadow applications
    1. A line of business that needs a specific application to do their jobs effectively must go through IT to get the application on-boarded.
  6. Standardize
    1. Different operating systems, different browsers and different versions make it messy and will always result in you missing something during a review. Choose one or two versions of everything and enforce it. You don’t necessarily need to be running the latest and greatest, but it’s time to sunset your Windows XP (and Vista) clients and your Windows Server 2003 machines.
    2. Find the budget to update legacy products. It’s a lot more cost effective to buy a Windows Server 2012 license than to have your Windows Server 2003 hacked.
  7. Create layers for access
    1. It is cumbersome to go through two or three layers of authentication to access data, but it is more cumbersome and expensive to clean up after a breach.
    2. A password, even a complex one that expires regularly, is not enough. What other form of authentication are you using?
  8. Isolate
    1. Understand the various businesses and roles in your company, from end to end. If a breach happens because of employee negligence, is it contained in a silo rather than far reaching?
  9. Diagrams are fun to build and useful too
    1. Take the time to build a detailed (very detailed) diagram of your network topology and all the assets within it. Update it often. It’s the “next man up” model: even a junior IT employee should be able to look at it, understand how to shut off the leaking pipe and act quickly when necessary. I bet you don’t have one today, and if asked you’ll need ten people in a conference room talking over each other to explain the complexity of your infrastructure.
  10. IT is not just servers and laptops and mobile devices
    1. HVAC? Building systems and anything else connected to your network are assets to review too.
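An added example, not part of the original article, of how the quarterly audit in items 2 and 6 can be turned into a measurable check rather than a hope: a PowerShell script that lists every computer account still running an operating system you have decided to sunset, plus accounts that have not logged on in 90 days. The inventory below is constructed sample data so the script runs offline; the commented Get-ADComputer line shows where a live Active Directory query would go, and the sunset list is illustrative and meant to be maintained as part of the checklist.

```powershell
# Added example (not from the original article): quarterly audit check for
# unsupported and stale computer accounts, so the "standardize" item in the
# checklist can be measured instead of assumed.
#
# $inventory is CONSTRUCTED sample data so this runs offline. In production
# replace it with a live query against Active Directory, for example:
#   $inventory = Get-ADComputer -Filter * -Properties OperatingSystem,LastLogonDate |
#                Select-Object Name, OperatingSystem, LastLogonDate
$inventory = @(
    [pscustomobject]@{ Name = 'WS-0412'; OperatingSystem = 'Windows XP Professional';         LastLogonDate = (Get-Date).AddDays(-3)   }
    [pscustomobject]@{ Name = 'WS-0419'; OperatingSystem = 'Windows 7 Enterprise';            LastLogonDate = (Get-Date).AddDays(-1)   }
    [pscustomobject]@{ Name = 'FS-01';   OperatingSystem = 'Windows Server 2003';             LastLogonDate = (Get-Date).AddDays(-2)   }
    [pscustomobject]@{ Name = 'APP-07';  OperatingSystem = 'Windows Server 2012 R2 Standard'; LastLogonDate = (Get-Date).AddDays(-1)   }
    [pscustomobject]@{ Name = 'LAB-OLD'; OperatingSystem = 'Windows Vista Business';          LastLogonDate = (Get-Date).AddDays(-200) }
)

# Operating system name prefixes the organisation has decided to retire.
# Illustrative list; treat it as part of the audit checklist and revisit it
# every quarter.
$sunset = @('Windows XP', 'Windows Vista', 'Windows Server 2003')

# A computer account that has not authenticated in 90 days is either a dead
# machine or a forgotten one. Neither should keep a live account.
$staleAfter = (Get-Date).AddDays(-90)

$findings = foreach ($c in $inventory) {
    $isSunset = $false
    foreach ($s in $sunset) {
        if ($c.OperatingSystem -like "${s}*") { $isSunset = $true; break }
    }
    $isStale = $c.LastLogonDate -lt $staleAfter

    if ($isSunset -or $isStale) {
        $reasons = @()
        if ($isSunset) { $reasons += 'unsupported OS' }
        if ($isStale)  { $reasons += 'no logon in 90 days' }
        [pscustomobject]@{
            Name            = $c.Name
            OperatingSystem = $c.OperatingSystem
            LastLogonDate   = $c.LastLogonDate
            Reason          = ($reasons -join '; ')
        }
    }
}

# Summary per operating system first: this is what the quarterly report needs.
$findings | Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Then the machine list someone actually has to act on.
$findings | Sort-Object OperatingSystem, Name | Format-Table -AutoSize

# Return a non-zero exit code when anything is found so the script can run from
# a scheduled task or pipeline and make noise instead of being quietly ignored.
if ($findings) { exit 1 } else { 'No unsupported or stale computer accounts found.' }
```

With the sample data above, the report flags WS-0412, FS-01 and LAB-OLD (the last one for both reasons) and leaves the Windows 7 and Server 2012 R2 machines alone. Run it as a script rather than pasting it into an interactive console, since the final `exit 1` is meant to fail a scheduled job.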

Author: Joseph Khalaf