We’ve talked about how the security breaches in 2014 can make IT security feel like a Hollywood slasher. Sticking together will help, but what about some practical tips for staying safe out there? Here’s cloud security in 7 steps.
1. Protect more than the perimeter.
Think about the number of people who have access to your network: employees, customers, partners, contractors and more. With this breadth of access, protecting the edge is no longer enough. You need to dig deeper.
2. Sanity check users’ access based on context.
Mobile devices allow us to connect from anywhere, but that doesn’t mean that we should always have the same access. Sanity checking based on context can prevent questionable scenarios that a normal perimeter protection might miss. For example, your VMware admin might have carte blanche access from his laptop when on-site, but does it make sense that he have the same access when accessing your network from his Android tablet while traveling in China? You should consider extending these contextual boxes to all users in your network.
3. Know who has access to what.
At its core, security relies on providing exactly the access each person needs to complete his or her given task, and no more. The Access Policy Manager from F5 Networks can get you started here. If your contractor needs access to a certain database to do an audit for the next two weeks, give it to him or her. And when the audit ends, remove his or her access. Setup a plan with tools that make this sort of sand-boxing easy so that you’ll actually do it. Better yet, automate it.
4. Get better visibility into what’s happening.
Doctors don’t prescribe solutions sight unseen, and neither should you. To keep your data center in peak condition, you need to see what’s going on in there. The deeper visibility provided by tools like these from SonicWALL help you spot anomalies or potential security issues before that issue lands you and your company in the next breach report. For cloud environments, make sure your provider has tools that let you see behind the curtain.
5. Control the information, not the device.
The bring-your-own-device economy changes the way we have to think about control. Gone are the days where we control a device from start to finish. Unless you work for the DoD in an action theater, your employees and, more importantly, your customers, will never let you lock down their devices to your satisfaction. Fortunately for you, their devices are not your concern. Your information is. Be firm about who has access and when, and don’t give up control of your data to anyone who you can’t get it back from.
6. Focus your efforts on what’s most important.
Nothing can be protected 100%, so spend your time and energy on the most important areas of your data center. In this case, everything is important = nothing is important. Sit down with your team and stack rank the top 10 most important elements.
7. Talk to your extended team.
Strong policies can quickly be undermined by your contractors or cloud providers if you do not communicate your expectations and get them on-board. This is your data, not theirs, and no one will ever care as much about it as you. Set high standards and make sure everyone knows what you’re protecting and why.
Contextual security, better visibility, and knowing what’s important will help you avoid becoming another statistic.