Course Introduction and Security Basics
Governance, Compliance and Risk
In the last decade, the nature and complexity of security attacks have increased tremendously. From simple attacks, which focused on hacking exposed web pages, we have evolved to stealthy attacks, which focus on the hacker staying hidden for years on end inside the victim’s network with the sole purpose of stealing data. To make matters worse, more and more companies have started to store their data in the cloud, thereby transferring part of the responsibility of securing that data to the cloud service provider. Therefore, these days the cloud service is entrusted with the task of providing adequate security to the data and services that it provides to customers. While making a decision to move to the cloud, the two main metrics that enterprises look at tend to be cost and security risk.
Let's now talk about physical security. Physical security is quite underrated since there is usually not a lot of technology around it. But in today's world, when most cloud applications are hosted in a data center far removed from the enterprise's home offices, it becomes very critical. The enterprise needs to ensure that the data centers hosting the application servers are protected by an effective security perimeter. In the case of AWS, Amazon is responsible for providing physical security for its data centers. Within the data center itself, there needs to be segregation of sensitive areas from the general area.
The server rooms, which host critical data, need multiple layers of access control, as opposed to the visitor's area. The compliance team needs to visit the data center and ensure that secure areas have suitable entry control systems and that only authorized personnel have access to those areas. The design of these offices should also be inspected to make sure they have been configured with security in mind. For example, a room that holds critical servers should not be near a window on the ground floor of the data center.
The compliance team also needs to ensure that suitable protection measures have been put in place against natural disasters like earthquakes and floods, malicious attacks, and accidents. The team also needs to check whether secure areas exist and whether they are properly monitored. Controls also need to be put around loading and delivery areas. They need to be separate and have different access control policies. Access to servers from the loading areas should not be allowed except for authorized personnel.
The team needs to make sure that there is a UPS, or backup generator, and that these have been tested on a regular basis. Regular risk assessments need to be conducted over the location of power and telecommunication cables, and care should be taken to ensure that they are protected from interference, interception, and damage. The data center needs to have a rigorous maintenance schedule.
This applies particularly to equipment such as generators, fire prevention mechanisms, and burglar alarms, which do not directly fall under the purview of the equipment leased by the enterprise. Please note that the data center is guaranteeing you these services when you sign an agreement with them. Hence, the compliance team needs to make sure that they are in good working condition.
Also, the process for removal of assets from the data center needs to be checked, and it would be worthwhile to do spot checks. While on the topic of servers and data centers: in case the enterprise is hosting servers temporarily at some offsite location, say for the sake of a demo, the compliance team still needs to make sure that the appropriate security checks are carried out to ensure that the servers are not hacked and that data or proprietary information is not stolen from that location and those servers. The data wiping policies that we discussed on the topic of asset management need to be in place in the data center, too. We need to make sure that when the data center staff is disposing of any of the servers used by the enterprise, they are appropriately wiped.
Last, but not least, the organization needs to have a clear desk policy. This is a case of security hygiene. It will ensure that critical design documents are not left lying around, sticky notes with passwords are not left in open cubicles, and removable equipment is safely kept locked away. The laptops used by the development team should be locked before the employee steps away from his or her desk.
Vish Chidambaram is an award-winning enterprise security leader with 18+ years of experience, skilled in areas spanning automation, security operation analytics and reporting, threat management life cycle, Agile/DevOps environments, SaaS/cloud security, business development/consulting, program management and more. Most recently, Vish was the CISO at Rubicon Project, a SaaS-based ad marketplace, where he was responsible for securing a high-performance SaaS platform with 40 billion transactions per day. He pioneered the integration of security in DevOps by using automation, orchestration and machine learning tools. He is passionate about teaching security and believes staying current is particularly relevant in the security industry. He also mentors security professionals and advises them through career transitions. Details can be found at datacoreacademy.com or by writing to firstname.lastname@example.org. His LinkedIn page is https://www.linkedin.com/in/vish-chidambaram/