Security in the new normal

With the transition of so many from a sessile office environment to a work-from-home paradigm, it’s no wonder that organizations are having problems ensuring the security of customer data as well as their own.

Organizations with a remote workforce, including finance and banking companies with significant call centers, customer support, and field marketing, are now challenged to provide remote work access not only to those groups but also to many privileged-access positions, such as accounting, controllers, purchasing, and executive branches. This effectively moves the decision-making process to the remote site and, in many instances, bypasses the natural protections of the communal office. For example, a sensitive conversation about money transfers may be overheard by family or friends.

More than ever, the security principles behind Identity Access Management (IAM), such as multi-factor authentication and encryption, are key to protecting the assets of your institution. Without a solid strategy in IAM, web collaboration tools become avenues for bad actors to eavesdrop on sensitive conversations, exfiltrate critical data, and even, in certain instances, take remote control of host machines on your network.

Attack vectors and the growth of susceptible surfaces

Many data breaches or vulnerabilities are the result of user error. Users are also commonly granted more access than their role requires. As more business users shift to accessing organization assets remotely, cyber criminals wait in the shadows to pounce. It is crucial to be vigilant, especially during periods of higher traffic, since web attacks follow the traffic trends.

Why do misconfigurations leading to gaps happen? In short, for many reasons. But companies can proactively take action to help reduce them. Keep complexity in the environment as low as feasibly possible. Create and clearly document operating procedures, build guides and workflows. Utilize Amazon Web Services (AWS) resources such as Amazon Machine Images along with automation tools to limit the number of user-performed administrative tasks.

How do we secure the cloud? The question itself can seem overwhelming. For many organizations there is still a lack of understanding of how to utilize cloud platforms such as AWS most effectively, let alone secure them. A false premise persists that the hyperscale cloud is a third-party environment and that, therefore, if it’s ultimately not owned by the business, it’s not to be trusted. This should, in theory, lead to companies being particularly cautious about how and what they deploy in the cloud. However, given the dynamic nature of the cloud, it’s not uncommon for environments to be spun up quickly, with overall security strategy being a victim of constrained time and resources.

New capability and access require very granular Identity and Access Management to limit attack surfaces. Technologent recommends spending the time to develop least-privilege access groups and roles that users can appropriately be assigned to, giving them the ability to perform required tasks and nothing more. Don’t overlook the basics, including restricting use of the hyperscale cloud root accounts. Enable strong authentication with features like two-factor authentication (2FA) and stringent password policies. Utilize AWS Secrets Manager to securely store and rotate secrets. Take note of service accounts and verify they adhere to the same policies. Validate and enforce account lifecycle management.
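One way to check several of these basics, as an added example rather than Technologent's or AWS's own code: audit an IAM credential report CSV for root access keys, console users without MFA, and access keys past a rotation limit. The sample rows are constructed, only a subset of the report's columns is used, and the 90-day limit is an assumed policy.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not taken from the article

# Constructed sample using a subset of the IAM credential report columns.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,not_supported,false,true,2019-01-15T10:00:00+00:00
alice,true,true,false,N/A
bob,true,false,true,2020-07-01T09:30:00+00:00
svc-backup,false,false,true,2019-11-02T08:00:00+00:00
"""


def audit_credential_report(report_csv, now):
    """Return sorted (user, finding) tuples for basic IAM hygiene gaps."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        key_active = row["access_key_1_active"] == "true"
        # Root and console (password) users should both have MFA enabled.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "no MFA"))
        # The root account should not have access keys at all.
        if is_root and key_active:
            findings.append((user, "root access key active"))
        # Active keys, human or service account, must respect the rotation limit.
        if key_active and row["access_key_1_last_rotated"] != "N/A":
            rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
            if (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, "access key older than %d days" % MAX_KEY_AGE_DAYS))
    return sorted(findings)


if __name__ == "__main__":
    as_of = datetime(2020, 7, 27, tzinfo=timezone.utc)  # fixed date so output is stable
    for user, finding in audit_credential_report(SAMPLE_REPORT, as_of):
        print(f"{user}: {finding}")
```

Service accounts such as the constructed `svc-backup` row have no console password, so they are checked only against the key rotation rule.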

A solid security strategy should start with the basics. Make sure you have a solid foundation and revisit whether your cloud deployment initiatives are being governed by your security framework. If not, create that framework and identify controls, tools and procedures required to enforce it. Have you had an independent audit of your framework? Cyber criminals continue to innovate and your security strategy should be no less active and current.

Security needs for a work-from-home world

To prepare for a permanent remote workforce, financial and banking companies need to ramp up their security technologies. The average cost of a single business data breach increased to $8.64 million in 2019, which poses an even greater threat to companies without adequate remote workforce security infrastructure and protocols. Avoiding that worst-case scenario means finding ways to deal with:

  • Application access; network, data center, cloud, and remote desktop and mobile device setup; security; and identity access management
  • Wi-Fi security setups and broadband (bandwidth) issues for remote workforce
  • Mobile/remote device data storage and security
  • Email and collaboration tool security/planning
  • Data management and curation (tiering, classification, archival and retention), backup, recovery and business continuity

In or out – similar risks

Companies typically experience several perceived security gaps with respect to their internal vs. cloud environments. Organizations tend to lack the same visibility and control in the cloud that they enjoy in their own infrastructure. Assess what tools can be leveraged to provide visibility into both environments and focus on consolidation or migration to a global tool set vs. a point solution for each type of environment. On the same note, implementing contiguous security architectures, such as micro-segmentation solutions, across hybrid environments facilitates a more uniform administrative domain. There are plenty of cases where one tool, technology or architecture won’t meet the need for both environments, and that is expected. By identifying inconsistencies and gaps, you will be better prepared to identify the solution.

Best practices – best outcomes

Maximum security of data both at rest and in transit is a bigger problem beyond the network, with every remote user a potential vulnerability access point. Protecting that data via conventional means such as firewall and end-to-end encryption takes on a whole new meaning when having to scale up across an entire company.

The goal is to develop systems and protocols for protecting data and application storage pathways as well as permissions between the network, data centers, the cloud, and desktops/mobile devices. When bandwidth and Internet Service Provider (ISP) broadband challenges are also taken into consideration, businesses are ideally positioned to embrace remote workforce challenges and reap the benefits. However, investment in security controls and help validating this framework is essential.

A comprehensive security framework and associated controls will address the following areas:

  • Procedural – Risk, culture, governance, standards, threat intelligence and event management, forensic capability, configuration management and analytics
  • Operational – Identity, access, vulnerability, patch and change management and anomaly detection
  • Application – WAF, SIEM, APT, secure document, encryption, DAM, DLP, IDM, SSO and email
  • Infrastructure – DDoS protection, firewall, IDS/IPS, gateways, Wi-Fi security, sandboxing and AV
  • Endpoints – AV, patch, configuration and vulnerability management, BYOD, NAC, AAA, MFA and PIM

While this list appears daunting, organizations can achieve reasonably mature postures in much less time and with much less investment than it appears at first glance.

Last, but not least – fight automation with automation

Gaining visibility into activity across a network to stymie the latest generation of AI cyberattacks and other advanced network security threats is made more complex by more remote work, but also by the steady march to the cloud and virtualized or containerized infrastructure.

For many companies, deploying applications to the cloud is done before they have adequate visibility. To keep up, companies have to automate the analysis of anomalies and response to attacks. There is no single hacking attack in the last 15 years that was not initially automated, so why is our response not automated?

 

Post by Michael McLaughlin & David Martinez
July 27, 2020
CIO (McLaughlin), Security Practice Director (Martinez)
