There are many elements to consider for a good cybersecurity posture. In this week’s episode we are going to be talking about cloud and on-premises environments and why this is an important element of security. The way that cloud providers deal with networking is completely different from the way traditional networking works. We want to make sure that when we’re implementing cloud-based strategies, there are qualified infrastructure architects who help to create secure environments.
Welcome back to Whiteboard Wednesday. My name is Mike Cromwell.
I’m Brian DeVault.
And today we’re going to talk about our next episode in security posture.
So we’re talking about the elements of a good cybersecurity posture. And we’ve talked so far about the first four. Now we’re getting into cloud and on-prem. So in order of magnitude, Brian, where does this one rank in terms of order of importance?
It’s very high, especially as more of our applications move towards the cloud. And it’s a good segue to kind of talk about the first item on the list, which is architecture. And so when you’re architecting a cloud-based application, or say you’re moving to IaaS, infrastructure as a service, especially when you’re using a public cloud service provider, it can be very tricky to get the right security in place up front.
The way that cloud providers deal with networking is completely different from the way traditional networking works. And so we want to make sure that when we’re implementing those cloud-based strategies, we have qualified infrastructure architects who are helping us create those secure environments. So architecture is a huge one, right? MFA? We’ve mentioned that a couple of different times, but multi-factor authentication in place for every cloud app that you use; all of them offer it. If you’re using something that doesn’t offer multi-factor authentication, then tell them to go at it.
Why is having a password or password manager no longer effective?
Because of things like phishing attempts, because of malware, because of keystroke recording, because there are so many different threat vectors out there. And MFA is particularly important in the cloud environment because I can access these apps from anywhere. Right. So most of the time, it’s foreign countries that we see attempting to hack into SaaS providers or cloud-based assets. And so it’s not like you can call the local FBI and get them to track down the script kiddie that’s sitting in the basement of his mom’s house trying to attack your systems. These are highly intelligent people with advanced mechanisms for breaking passwords.
Zero trust access. So consider the zero trust environment, where essentially you don’t trust anything unless you’ve authenticated it using some type of multi-factor authentication.
When we talk about multi-factor authentication, what does that look like?
In its simplest form, there are several different third-party service providers that allow integration with all of your business apps that allow you to do multi-factor, but in some cases it’s an application that loads on your smartphone. And so when you go to log into the app, you put in your username and your password and you hit login, and then it sends a code to your phone through a push notification, and then you enter the code, usually six digits, sometimes longer. You enter that code in, and then it authenticates you against that verification source. So it’s literally third-party verification, right?
This is a great best practice. So a lot of times you get pushed to accept two-factor authentication. You should always do that.
Always, in every case. I guess maybe the best example, the most recognizable example of that now, is face recognition on your iPhone, because that is two-factor authentication. The first factor is your password that the app is saving. But the next factor is your facial scan, which masks have put a challenge on. And then you want to make sure you secure and harden that environment and do that on a regular basis. One of the things that people don’t understand is that when you’re in a public cloud environment, that public cloud service provider can be making changes to their network pretty consistently: upgrades, changes to the ways that they transmit traffic, and those can create security holes for yourself.
So that’s where you’ve got to assess. You’ve got to be regularly assessing, doing vulnerability scanning against those environments, doing port scanning, making sure that those environments stay secure through the process of change. This is something that any mature IT department is going to know. Any mature MSP is also going to be experienced with this. But any time you execute change management, you always have to go back and assess.
Reporting against those environments. Right. So you’ve got to see the data. Understand it. To me, if I don’t get a report back from a vulnerability assessment that says all clear, then that vulnerability assessment didn’t happen. Right? I’ve got to have a point-in-time snapshot that says your environment is safe as of this date. Right.
And then integrate and use things like Active Directory to integrate with your cloud applications so that you can get single sign-on. Use your native MFA that’s built into Active Directory. Use your domain security that’s integrated as well. And then when you talk about application security, this could be an episode on its own, right. But what we’re really talking about is your data. So wherever your data is, on-prem or cloud, have a security-minded approach towards how you store your data, where you store your data, the ways that you allow your data to transmit, whether that’s HTTPS or FTP or FTPS or whatever it may be. Make sure it’s secure, make sure it’s encrypted.
While security architecture has many definitions, ultimately it is a set of security principles, methods and models designed to align to your objectives and help keep your organization safe from cyber threats. Security architecture translates the business requirements to executable security requirements.
One way to quickly understand it is to liken it to regular architecture. An architect of homes, schools and office blocks has much the same job as a security architect. They examine the property, take into account factors such as client preference, soil type, topography and climate, and then produce a plan to achieve the desired outcome. Other individuals, in this case builders and contractors, then construct the building itself under the guidance of the architect to ensure it meets the objective.
Security architectures typically share the same purpose – protect the organization from cyber harm. In order to achieve this, architects will often try to install themselves in your business for a period of time while they learn what makes you and your people different. They will talk to your leaders and employees seeking to understand your individual business goals, the requirements of your systems, the needs of your customers and other critical factors. From here, they can produce a plan and offer guidance that is aligned to your business objectives and suits your cybersecurity needs.
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.
MFA works by requiring additional verification information. One of the most common MFA factors that users encounter is the one-time password (OTP). OTPs are the 4-8 digit codes that you often receive via email, SMS or a mobile app. With OTPs, a new code is generated periodically or each time an authentication request is submitted. The code is generated from a seed value that is assigned to the user when they first register, combined with a moving factor, which can simply be a counter that is incremented or a time value.
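As an added example (not code from the original page), here is the seed-plus-moving-factor scheme just described, written out as RFC 4226 HOTP (counter) and RFC 6238 TOTP (time step), plus a server-side check; the seed used is the RFC test-vector secret, and the drift window and the verification function are my own assumptions about how a verifier would use them.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared seed assigned at enrollment. This is the RFC 4226/6238 test-vector
# secret, used here so the results can be checked against the RFCs.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step or up to `window` adjacent steps
    to tolerate clock drift, comparing in constant time to avoid timing leaks."""
    if unix_time is None:
        unix_time = int(time.time())
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(seed, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SEED, 0))
    print("TOTP now:      ", totp(DEMO_SEED))
```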
Zero Trust Access
Zero Trust is a network security model based on a strict identity verification process. The framework dictates that only authenticated and authorized users and devices can access applications and data. At the same time, it protects those applications and users from advanced threats on the Internet. This model was first introduced by an analyst at Forrester Research and, although not an entirely new theory, it has become more and more important for modern-day digital transformation and its impact on business network security architecture.
With the modern workforce increasingly on the go, accessing applications from multiple devices outside of the business perimeter, enterprises have adopted a “verify, then trust” model, which means that if someone has the correct user credentials, they are admitted to whichever site, app, or device they are requesting. This results in an increasing risk of exposure, dissolving what was once the trusted enterprise zone of control and leaving many organizations exposed to data breaches, malware and ransomware attacks. Protection is now needed wherever applications, data, users and devices are located.
Users, devices, applications, and data are moving outside of the enterprise perimeter and zone of control.
New business processes driven by digital transformation increase the risk of exposure.
“Trust but verify” is no longer an option, as targeted, advanced threats are moving inside the corporate perimeter.
Traditional perimeters are complex, increase risk, and are no longer compatible with today’s business models.
To be competitive, businesses need a zero trust network architecture able to protect the enterprise data, wherever users and devices are, while also ensuring that applications work quickly and seamlessly.
One way to secure IT assets, maintain an awareness of the vulnerabilities in an environment and respond quickly to mitigate potential threats is through regular vulnerability assessment (VA). A VA is a process to identify and quantify the security vulnerabilities in an organization’s environment. A comprehensive VA program provides organizations with the knowledge, awareness and risk background necessary to understand threats to their environment and react accordingly.
Your business should regularly assess, running vulnerability scans against all of its environments. Port scanning also helps make sure that those environments stay secure through the process of change. This is something that any mature IT department is going to know. Any mature Managed Service Provider (MSP) is also going to be experienced with this. Any time you execute change management, you always have to go back and assess.
After a vulnerability assessment, the only deliverable of the work is the vulnerability assessment report. Without a clear and well-structured report, your company might not understand the scale of the threat it is facing, or what steps it needs to take to reduce that threat.
One of the most important sections of a vulnerability assessment report is the executive summary. The executive summary section should include:
Assessment date: The assessment date range is important as this will show the current state of the scope, tested vulnerabilities and the time required to eliminate these vulnerabilities.
Scope: This is the summary of the general scope. The scope need not be listed host by host as IP addresses or domain names; a scope number or the project name can be assigned instead.
Assessment general status: The summary section must make a general assessment in terms of risk for the readers. Here, you can summarize the vulnerability categories or general status.
Limitations and Methodology: This section is important so that the reader and the assessor share the same perspective. In this section, you need to provide information about the software you use and the methodology you follow. The outcome of your vulnerability assessment is directly linked to the software and methodology you use.
Your business can use software like Microsoft Active Directory to integrate with your cloud applications so that you can get single sign-on. You can also use the native MFA that’s built into Active Directory, and the domain security that’s integrated as well. Whether your data is on-prem or in the cloud, have a security-minded approach towards how you store your data, where you store your data, and the ways that you allow your data to transmit, whether that’s HTTPS or FTP or SFTP or whatever it may be; make sure it’s secure and encrypted.