Course Introduction and Security Basics
Governance, Compliance and Risk
Over the last decade the nature and complexity of security attacks have increased tremendously. We have moved from simple attacks, which focused on hacking exposed web pages, to stealthy attacks in which the attacker stays hidden inside the victim's network for years on end with the sole purpose of stealing data. To make matters worse, more and more companies have started to store their data in the cloud, thereby transferring part of the responsibility for securing that data to the cloud service provider. The provider is therefore entrusted with providing adequate security for the data and services it hosts for its customers, while the customer remains responsible for the part it controls, such as what it configures and who it grants access to. When deciding whether to move to the cloud, the two main metrics that enterprises look at tend to be cost and security risk.
The next domain of importance to cloud applications is access control. In most companies developers write code on their laptops and commit it to a development environment. The code is then moved to a testing environment, where the testing team carries out a wide variety of tests on it, and finally, once it is approved, it is moved to production. A key point to note is that not all of these programmers necessarily work from inside the company network.
These days it is quite common for employees to work from home. Given these circumstances, it becomes very important to ensure that access control is administered properly. The most important concept in access control is the principle of least privilege: each member of a team should be given only the minimum access to information assets that enables them to perform their duties effectively. This means that a person in the finance department who has access to the Oracle systems does not need access to the coding environment of the enterprise's product development area.
This may seem like a simple enough concept, but you would be surprised how often companies do not follow it. The reason is that it is easier to give everybody access to everything than to do an in-depth analysis and grant access on a need-to-know basis only. Let's look now at some examples of suggested controls for access control. First and foremost, there needs to be a clear-cut access control policy that lays out who gets access to what: which person gets access to which information assets, and at what level. This defines the baseline. Next, controls need to be in place around user registration: what is the process for granting access to an employee who has just joined the company, who needs to approve their levels of access, and so on.
Similarly, user de-registration needs to be in place: when an employee leaves the company or moves to a different department, there needs to be a clear-cut policy to ensure that access they no longer need is taken away. These two controls are the cornerstones of access control, as they deal with the entry and exit of an employee to and from the system. Another key area in access control is privileged access management, which deals with administrators. System administrators, by the nature of their work, usually have very high levels of access to systems.
It is important that these accesses are formally approved and clearly documented. It is also important that administrators' actions are monitored on a regular basis to make sure that no malfeasance is being carried out. Administrators often use privileged access management software to do their job; in those situations the logs of that software need to be audited regularly to ensure that no fraud is being carried out.
Privileged access management is of great importance to access control, and care should be taken in designing, implementing and maintaining this process. In a cloud application these days, the servers are more often than not maintained by a third-party infrastructure provider, and some employees may work from home. In both cases, access to information assets typically comes in over a VPN rather than from inside the office network.
Care needs to be taken that the cryptographic material and secret keys behind that remote access are handled properly and are not compromised in any way. Access rights also need to be reviewed at regular intervals to ensure that the policies are being followed. A common failure is that when an employee is transferred to a different department, their access rights from the previous department remain active. This is particularly dangerous. Consider an employee who joins the company as a coder, works there for a year, is then transferred to the production support group, and after another year is transferred to the testing department. Assume that at each step the employee was granted new rights, but the old ones were never removed.
We now have an employee with access to the development, testing and production environments. There is a good chance that, by mistake, they could delete a database in the production environment while thinking they were working in a test environment. This is why it is very important to review employees' access rights at regular intervals. Also, especially in the case of cloud applications, the source code is usually maintained in a source control system such as GitHub, or in a self-hosted equivalent inside the company's perimeter. We need to make sure that not everyone in the coding environment has full access to that system.
Developers should only have the ability to check out and check in code. Configuration controllers should have greater access, so that they can move and delete code, and only the system administrators should have root access on the servers that host the repository.
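To make the review concrete, here is an added example in Python; it is not code from the course or its author. It assumes a hypothetical role-based policy that maps each role to the entitlements it may hold, and constructed user records; the role names, entitlement labels and users are all invented for illustration. It flags entitlements that a user's current role does not justify, flags anyone holding access to more than one of the development, test and production environments, and computes the revoke and grant lists a department transfer should produce so that old rights do not linger.

```python
"""Periodic access-rights review against a role-based policy.

Added example, not part of the course material. Role names, entitlement
labels and the users below are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, replace

# Hypothetical policy: the entitlements each role is allowed to hold.
# It mirrors the split in the text: developers check code in and out,
# configuration controllers may move and delete code, and only sysadmins
# get root on the servers that host the repository.
ROLE_ENTITLEMENTS = {
    "developer": {"repo:checkout", "repo:checkin", "env:dev"},
    "production-support": {"env:prod", "db:prod:read"},
    "tester": {"env:test", "db:test:readwrite"},
    "configuration-controller": {"repo:checkout", "repo:checkin",
                                 "repo:move", "repo:delete"},
    "sysadmin": {"repo:server:root"},
}

# Environment entitlements, in pipeline order. Holding more than one at once
# is the "delete the prod database thinking it was test" risk from the text.
ENVIRONMENTS = ("env:dev", "env:test", "env:prod")


@dataclass(frozen=True)
class User:
    name: str
    current_role: str
    entitlements: frozenset


def excess_entitlements(user, policy=ROLE_ENTITLEMENTS):
    """Entitlements the user holds that the current role does not justify."""
    allowed = policy.get(user.current_role, frozenset())
    return sorted(user.entitlements - allowed)


def environments_held(user):
    """Which of dev/test/prod the user can reach, in pipeline order."""
    return [env for env in ENVIRONMENTS if env in user.entitlements]


def review(users, policy=ROLE_ENTITLEMENTS):
    """Run the periodic review; returns {name: findings} for violators only."""
    findings = {}
    for user in users:
        issues = {}
        excess = excess_entitlements(user, policy)
        if excess:
            issues["excess"] = excess
        envs = environments_held(user)
        if len(envs) > 1:
            issues["multi_env"] = envs
        if issues:
            findings[user.name] = issues
    return findings


def transfer(user, new_role, policy=ROLE_ENTITLEMENTS):
    """Mover process: return (revoke, grant, updated user) for a role change.

    Computing the revoke list is what prevents the privilege creep described
    in the text; a grant-only transfer is exactly how the three-department
    employee ends up with dev, test and prod access at the same time.
    """
    target = policy[new_role]
    revoke = sorted(user.entitlements - target)
    grant = sorted(target - user.entitlements)
    updated = replace(user, current_role=new_role, entitlements=frozenset(target))
    return revoke, grant, updated


# Constructed sample users (not real data).
# ALICE is the employee from the text: coder -> production support -> tester,
# granted new rights at each step with the old ones never removed.
ALICE = User("alice", "tester", frozenset({
    "repo:checkout", "repo:checkin", "env:dev",      # left over from developer
    "env:prod", "db:prod:read",                      # left over from prod support
    "env:test", "db:test:readwrite",                 # current role
}))
BOB = User("bob", "developer",
           frozenset({"repo:checkout", "repo:checkin", "env:dev"}))
CAROL = User("carol", "developer",
             frozenset({"repo:checkout", "repo:checkin", "env:dev", "repo:delete"}))
SAMPLE_USERS = [ALICE, BOB, CAROL]


if __name__ == "__main__":
    for name, issues in review(SAMPLE_USERS).items():
        print(name, issues)
    revoke, grant, alice_fixed = transfer(ALICE, "tester")
    print("revoke:", revoke, "grant:", grant)
    print("clean after transfer:", review([alice_fixed]) == {})
```

In a real deployment the policy would be pulled from the identity provider and the entitlements from each system's own access lists; the check itself stays the same. Running the review on a schedule and treating any non-empty result as a ticket for the owning manager turns the text's "regular review of access rights" into something that actually happens.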
About the Author
Vish Chidambaram is an award-winning enterprise security leader with 18+ years of experience, skilled in areas spanning automation, security operations analytics and reporting, threat management life cycle, Agile/DevOps environments, SaaS/cloud security, business development/consulting, program management and more. Most recently Vish was the CISO at Rubicon Project, a SaaS-based ad marketplace, where he was responsible for securing a high-performance SaaS platform handling 40 billion transactions per day. He pioneered the integration of security into DevOps by using automation, orchestration and machine learning tools. He is passionate about teaching security and believes staying current is particularly relevant in the security industry. He also mentors security professionals and advises them through career transitions. Details can be found at datacoreacademy.com or by writing to firstname.lastname@example.org. His LinkedIn page is https://www.linkedin.com/in/vish-chidambaram/