Five best practices for cloud application security


October was Cybersecurity Awareness Month and this year’s theme was “Do Your Part. #BeCyberSmart.” 

The purpose of Cybersecurity Awareness Month is to empower individuals and organizations to own their role in protecting their cyberspace. With more organizations moving to the cloud, rapid technological advances, increasing ransomware threats, and a global workforce managing sensitive data remotely, application and data security are perhaps more important than ever.

It’s time for everyone to know how they can do their part.

Managing your data securely

First things first. Before you can implement data management systems and policies, you need to identify your data and understand how it is being used – and by whom.

Data classification is the process of analyzing structured or unstructured data and organizing it into four categories – public, internal-only, confidential, restricted – and is often an automated process conducted by a data classification engine. Classifying organizational data provides the intelligence you need to assess the risks and costs associated with data loss or theft, such as loss of intellectual property or regulatory penalties.

Understanding how data is being used – and by whom – is the next step. Who is accessing the data and how are they using it? Is it being shared? Assess file and folder permissions, user locations and roles, and devices being used. Malicious behavior by both employees and third-party attackers should also be considered. To mitigate internal and external data loss, user behavior analytics systems are effective for tracking and assessing data use and identifying anomalies. Shadow IT should also be investigated as it can cause serious security risks through data leaks and compliance violations.

Effective data management is a balancing act; while it’s vital to protect your data with strict data sharing policies, you also need to ensure it’s accessible to the right people. Secure data management systems and policies provide automated backups and disaster recovery, automated updates (minimal business disruption), governed access, and the ability to scale along with your business.

Identity and Access Management

Identity and access management (IAM) is a foundational piece of cloud security that controls access to critical applications and data within your organization. The “identity” piece authenticates user credentials, allowing users to sign in. The “access” piece provides the appropriate permissions for the use of your organization’s apps and data. While the main goal of IAM is to boost security, it can also deliver time and cost savings. Key points to consider when implementing IAM:

- Adopt a zero-trust approach: The concept of zero trust is that no user or application – inside or outside of your network – is trusted by default. Only when their identity has been verified are they allowed access. This is especially important in today’s business environment with so many people working remotely and using multiple applications and devices. 

- Automate onboarding and offboarding: IAM ensures that new employees, vendors and partners have the right permissions when joining your organization and are deprovisioned should they move to another department or leave your organization entirely. This automation saves your IT department time and money.

- Implement multi-factor authentication: By now, most of us are familiar with multi-factor authentication as a commonplace requirement for gaining access to online banking and other services. It’s an effective way to add an extra layer of security and user verification during the sign-in process.

Design applications with baked-in security

Ransomware, crypto-mining, data exfiltration and other security threats are on the rise every day. A recent case in point is the cyberattack on Colonial Pipeline, which provides nearly half of the U.S. East Coast’s fuel supply. Reuters describes it as “…one of the most disruptive digital ransom operations ever reported… a prolonged shutdown of the line would cause prices to spike at gasoline pumps ahead of peak summer driving season, a potential blow to U.S. consumers and the economy.” 

From IDC’s 2020 Data Security Report: 

“No organization is immune from data security threats, with 49 percent of global respondents experiencing a breach at some point and 26 percent having been breached in the past year. And 47 percent of organizations report that they have been breached or failed a compliance audit in the past year.”

Many organizations adopted cloud services rapidly in order to maintain operations during the Covid-19 pandemic, but with this rush to the cloud, proper security measures were sometimes overlooked, leaving the door open to malicious attacks and accidental loss. While there are tools that protect apps once they are deployed, it is best practice to “bake in” security capabilities during the application design and development cycle. By integrating security and compliance functionality at the point of application creation, you can develop, deploy and operate workloads with speed and scale. Through automation, you can also continuously audit and optimize.

That brings us to best practice number 4…

Adopt a DevSecOps approach

DevSecOps – development/security/operations – is a modern approach to laying a security foundation into DevOps initiatives. It is not about perimeter security around apps and data – it is about building end-to-end security into your apps.  

DevSecOps also means a cultural change: a mindset in which “everyone is responsible for security” and shares insights and feedback on known threats, so that developers are able to write code with security in mind. Automating security tasks is also key to DevSecOps, as it avoids time-consuming manual security checks.

Application security must adapt as new cloud-native technologies like microservices and containers continue to emerge – and a DevSecOps approach will help you do just that. 

Educate your organization

As mentioned above, in a DevSecOps environment, all stakeholders are accountable for security and play a part in identifying and avoiding risks. In fact, cultural transformation is where a DevSecOps methodology begins. By transitioning from siloed departments into collaborative teams, security becomes everyone’s responsibility; it’s an integral and continuous element of the application lifecycle and not something just bolted on at the end.

Education is key to keeping your cloud applications and data secure:

- Organizational policies should be available that provide information and training on how to manage third-party relationships, and how to classify and manage data (see best practice #1 – Managing Your Data Securely).

- Those responsible for identity and access management (IAM) should know how to properly configure and manage this tool (see best practice #2 – Identity and Access Management).

- The security team should be trained to develop functional security tests and provide insights, recommendations and direction to other team members.

- Roles and responsibilities – and how they impact security – must be clearly defined.

- Leaders must communicate and advocate to the wider organization.

In the spirit of Cybersecurity Awareness Month and its aim of empowering individuals and organizations to own their role in protecting their cyberspace, clear processes and accessible information enable all employees to make intelligent security decisions that comply with your organization’s security objectives.

Shanoor Hussain, Global Head of Managed Services, Cloudreach
