Cloud Security Starts with the Basics

RESTON, Va. - Oct. 4, 2018 -- If you have seen the headlines, or googled “cyber threats” recently, you might be asking the question: How can hackers continually grab headlines for high-profile beaches when senior executives have known for decades that protecting mission-critical information from theft is a core functional requirement?

At this point, what is keeping CISSPs up at night? Is it DDoS attacks, creepy malware, data leakage, or even accidental deletion caused by that new intern? Perhaps it is recurring hallucinations where key systems - on premises, or in the cloud - are compromised by viruses, worms, Trojans, rootkits, botnets or spam, or worst yet, an evil crime syndicate, like something from Mission Impossible.

The increasing cyber attacks have everyone feeling a bit jumpy, and if the biggest companies in the world are getting hacked, is there any hope for small guy, or mom and pop? Okay, this is where we need to take a big deep breath. Yes, cyber crime is here to stay, but the good news is Security Best Practices can help businesses find gaps and bugs, fix vulnerabilities, and (hopefully) stay one step ahead of those pesky digital miscreants.

For starters, let’s tackle a paramount concept in systems security: The Information Security Management System or ISMS. The easiest way to think of an ISMS is as a collection of information security policies and processes for your organization’s assets. (readers who really want to geek out on ISMS can check out ISO 27001)

Without a doubt, companies who are vigilant about building and maintaining their ISMS are building a strong base in security. In fact, taking a methodical approach to managing security, and using the basic building blocks of widely adopted global security approaches that make up ISMS will without exception help companies improve their overall security position.

It is crucial to understand that an ISMS in the cloud is built on the concept of “shared responsibility”. Many people may have heard of this term, but what does it really mean? Basically, “shared responsibility” means cloud providers are in charge of their data centers, and also liable for certain (often very limited) aspects of the performance of their products. Businesses are basically responsible for everything else. In other words, they are “solely responsible” for protecting the confidentiality, integrity, availability and protection of their data. No wonder your CISSP friend keeps a roll of Tums handy in her desk.

One key to a robust ISMS is Identity and Access Management (IAM), defined loosely as the controls companies can configure to manage user and permissions. Fine grain control of IAM allows security professionals to manage users, and issue security credentials such as passwords, access keys, and permission policies that can access to services and resources.

“Even basic compute instances offer a set of flexible and practical tools for managing keys and providing industry-standard authentication” indicates Brian Tunison - Director, Service Delivery & Design at cloud integrator RestonLogic. “We work with our clients to prioritize and leverage controls including monitoring, and bake those into their infrastructure, containers and abstracted services.”

But beyond IAM, bastion hosts can help businesses protect assets, manage access to resources, and secure data in the cloud. Another established layer of protection between the cloud and mission-critical systems is protecting data “at rest” or “in transit’ which can include data encryption, data integrity authentication, data signaling, timestamping and more. Additionally, advisor tools can offer snapshots of services, and help security pros identify unintended misconfigurations, and can even offer suggestions for improving system performance.

So what is a takeaway? Businesses just starting out may want to use a "phased" approach to building their ISMS. Also, factors change all the time so it is good practice to frequently update and manage an ISMS. Lastly, conventional security and compliance concepts that work on premises (some of them decades old) will still probably apply in the cloud.

So the light you see at the end of the tunnel doesn’t have to be an oncoming train. Companies able to accurately identify the assets they need to protect, and devise technically and financially viable solutions to reduce security risks are going to be less attractive for the bad guys to target.

RestonLogic: Based in the Washington D.C. Metropolitan Area, RestonLogic is a cloud-systems integrator with over 10 years experience building scalable, secure and cost-effective solutions

Brian Tunison
Director, Service Delivery & Design
RestonLogic
85 Broad St. NYC
info@restonlogic.com

This release was published on openPR.