Course Introduction and Security Basics
Governance, Compliance and Risk
In the last decade, the nature and complexity of security attacks have increased tremendously. From simple attacks that focused on hacking exposed web pages, we have evolved to stealthy attacks in which the hacker stays hidden inside the victim's network for years on end with the sole purpose of stealing data. To make matters worse, more and more companies have started to store their data in the cloud, thereby transferring part of the responsibility for securing that data to the cloud service provider. Therefore, these days the cloud service is entrusted with the task of providing adequate security for the data and services that it provides to customers. When making a decision to move to the cloud, the two main metrics that enterprises look at tend to be cost and security risk.
The next domain we are going to cover is Operations Security. There need to be clear-cut, documented operating procedures. Most security failures happen when an employee who is relatively new to the organization does not have clear-cut operating procedures to follow. So make sure all processes and procedures are documented and stored in a configuration control system that allows easy read access to the people who need them but does not allow a document to be modified without authorization.
Next, there needs to be a very effective and tested process of change management. This covers both code and servers. It is good to use a change management system to log the changes and track whether they have been closed out or not. Also, in the case of a breach, it is then easy to track back and see when a change was made and who authorized it. In the case of servers, what usually happens is that the infrastructure team gets the approval of the security group when moving a server to the DMZ, but once the server is in the DMZ, further changes to its configuration are not reported back to the security group. This could result in insecure and unapproved configurations being introduced into the system, which could be used to breach it. Next, it is wise to ensure that appropriate capacity planning is in place.
Remember, a cloud application is pretty much open to the whole world. It is very important that the number of servers required to run the applications smoothly is planned well in advance. If you want to provision extra servers from the data center, the data center will sometimes need extra time to satisfy your requirement. If your application is an eCommerce application, then it is safe to assume that around the holiday season your sales, and hence activity, will go up. It is important to plan for this since, as we discussed earlier, availability is also a key factor in security. If your application goes down because of too many users, then it is classified as a security incident as well as an operations failure. This applies to virtualized environments too.
The servers that are hosting the application need to have antivirus software or some kind of malware detection software installed on them. It is always safer to use a defense-in-depth strategy and use host-based malware detection software on the servers as well as perimeter-based malware detection software. Later on, we'll talk about how we can bring monitoring into the architecture and make our defense against malware more effective.
Also, network configurations need to be in place to ensure that once a server is infected, the malware does not get a chance to spread. Effectively configuring the switches and breaking the network down into smaller manageable units can do this. It is also important to ensure that in the case of an attack there is a backup plan to recover and ensure that the availability of the application is not compromised. While we talk about recovery, it is important to note that there needs to be a very effective backup policy in place. The compliance team needs to do spot checks at regular intervals to ensure that the backups are carried out as per policy. The organization also needs to maintain golden standards of all the servers that are used in running the cloud-based application.
The gold standards are then replicated every time a new server is needed. These gold standards should be tested thoroughly and signed off by the security group. The practice of building a server from scratch every time should not be followed. The organization needs to have a detailed inventory of all the network services and service agreements. These agreements with network service providers need to have appropriate security mandates in place. For example, remember our conversation on physical security requirements for the data center. This domain ensures that those clauses are effectively entered into the agreements.
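The two controls described above, change management for servers in the DMZ and gold standards signed off by the security group, can be checked together. The following is an added example, not part of the course material: it compares a server's current settings with the gold standard and reports every difference that has no approved, closed-out entry in the change log. The host name, setting names, change-log fields and all sample data are constructed for illustration.

```python
import hashlib
import json

def fingerprint(config):
    """Stable SHA-256 of a configuration, used to pin the signed-off gold standard."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()

def audit_server(host, gold, gold_signed_hash, current, change_log):
    """List settings that differ from the gold standard without an approved change."""
    # Refuse to audit against a gold standard that is not the one security signed off.
    if fingerprint(gold) != gold_signed_hash:
        return [f"{host}: gold standard does not match the hash signed off by security"]
    # Only changes that were authorized and closed out count as approved.
    approved = {(c["host"], c["setting"], c["new_value"])
                for c in change_log
                if c["approved_by"] and c["status"] == "closed"}
    findings = []
    for key in sorted(set(gold) | set(current)):
        want, have = gold.get(key), current.get(key)
        if want != have and (host, key, have) not in approved:
            findings.append(
                f"{host}: {key} is {have!r}, gold standard is {want!r}, no approved change")
    return findings

# Constructed sample data (hypothetical host and settings).
GOLD = {"ssh_password_auth": "no", "open_ports": "443", "av_agent": "enabled"}
GOLD_SIGNED_HASH = fingerprint(GOLD)  # recorded when security signed off the build
CURRENT = {"ssh_password_auth": "yes", "open_ports": "443,8080", "av_agent": "enabled"}
CHANGE_LOG = [
    {"id": "CHG-1", "host": "dmz-web-01", "setting": "open_ports",
     "new_value": "443,8080", "approved_by": "security-group", "status": "closed"},
]

if __name__ == "__main__":
    for line in audit_server("dmz-web-01", GOLD, GOLD_SIGNED_HASH, CURRENT, CHANGE_LOG):
        print(line)
```

The port change is accepted because the change log records who authorized it; the SSH setting is reported because it was changed after the server entered the DMZ without going back to the security group.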
About the Author
Vish Chidambaram is an award-winning Enterprise Security Leader with 18+ years of experience, skilled in areas spanning Automation, Security Operation Analytics and Reporting, Threat Management Life Cycle, Agile/DevOps environments, SaaS/Cloud security, Business Development/Consulting, Program Management and more. Most recently Vish was the CISO at Rubicon Project, a SaaS-based ad marketplace, where he was responsible for securing a high-performance SaaS platform with 40 billion transactions per day. He pioneered the integration of security in DevOps by using automation, orchestration and machine learning tools. He is passionate about teaching security and believes staying current is particularly relevant in the security industry. He also mentors security professionals and advises them through career transitions. Details can be found at datacoreacademy.com or by writing to firstname.lastname@example.org. His LinkedIn page is https://www.linkedin.com/in/vish-chidambaram/