A. Focus on the basics. Make sure servers and workstations are properly patched, as known vulnerabilities that are years old continue to be a threat to companies (2016 Data Breach Investigations Report from Verizon). Constantly communicate and educate with your user base regarding the risks of malware and other fraud. And finally, be prepared with a plan, backups and other contacts for when something bad happens.
Q. Why are identity, credential and access management so critical in combatting today’s security threats?
A. Credentials can be one of the weakest links to an environment. According to the Verizon Report, 63% of confirmed data breaches involved weak, default or stolen passwords.
So, start with the base philosophy of two fundamental principles: Least Access and Least Privilege.
- Least Access: Users shall be granted access only to those information assets necessary to perform their duties.
- Least Privilege: Users shall not be permitted any more than the least privileges necessary for processing the information assets to which they have been granted access.
Use and enforce good password practices (SANS Password Protection Policy). And invest in multi-factor authentication for your access into your core environment and critical systems.
Q. With the vast majority of enterprise businesses leveraging the cloud, it’s no surprise that securing the critical data that’s moving to the cloud is top of mind. What security considerations should an organization keep top of mind when evaluating a cloud provider?
A. Get to know the vendor and their operations. Talk to the cloud service provider’s head of security, and understand their approach – what keeps them up at night. Do your due diligence get updated copies of compliance reports that the vendor provides. And finally, start small and invest in penetration testing and vulnerability scans of your environment.
Q. By enabling the convenience of “anywhere, anytime,” we’ve seen an emergence of Shadow IT, where LOBs are bypassing IT in order to get things done. What recommendations would you give today’s frustrated IT teams struggling to retain control and keep the infrastructure secure, all while dealing with rouge cloud services?
A. Security is all about risk management, and we have to be here to support the business in the tools and timing they need to get things done. The most important aspect is communication so you can at least do an assessment on what is being used by the business, how is it being accessed and who is handling the account management, what data is involved both transit and at rest, and what security do the cloud services have in place. Get it documented, and have the business sign off.
Q. As a provider of cloud, colocation and various advanced IT services, OneNeck has to keep security front and center to ensure we’re not putting our customers at risk. In your role as OneNeck’s VP of Information Security and Business Applications, what are you and your team doing to ensure the security of OneNeck’s customer data?
A. Most important, staying involved with our customers and our operations to know what challenges they are dealing with and keeping them informed of risks to their business. We stay involved in the industry and with our vendors, to be aware of threats, how to prevent them or at least quickly detect and address any issues. And of course, leveraging the experience throughout the family of TDS companies to constantly evaluate and improve our security practices.