A quick overview of the various layers where security breaches might happen and tips on basic security measures.
Security and privacy often go hand in hand as security breaches mostly compromise data integrity and protection. For more detailed information on Exoscale’s approach to security and privacy, please refer to our security page.
First, consider the separate layers involved: individuals and the team, the infrastructure, third party vendors, and the integrations across the service spectrum. Security in any company starts with the individual and the team as a collective. The team shapes the on-premises, home-grown infrastructure, deploys it to a cloud infrastructure and integrates with it, and then works with many additional vendors. The integrations at every step of this process are also vulnerable to security attacks.
The weakest element in a team is the one person that can set off a chain reaction of security or privacy infringements. This can happen maliciously, as demonstrated by not so rare cases of employees stealing confidential information. In fact, employee theft is one of the biggest risks in every company. Therefore access to any kind of information needs to be carefully controlled. The following checklist should provide the most important points regarding team members, minimising impacts of internal and external theft. It is a list of basic factors that should be at the core of security efforts in every company.
- Sensible passwords and password management. It cannot be stressed enough that passwords are the one thing that can easily bring an empire crashing down. See a list of the most commonly used passwords in 2016 as discovered in data breaches.
- Hard drive encryption. Whatever operating system is used, the hard drive needs to be encrypted in case the workstation gets lost or is stolen. The keys to unlock the encryption need to be stored safely, ideally on a system that is separated from the rest of the infrastructure with very limited access.
- Access control. Access is on a need-to-know basis and established by trust. If a person leaves the company, immediately remove their access to any given service used within your company. Another important factor is to take care of employees and their well-being. The human factor plays a deciding role and cannot be measured or left out of the equation.
- Two Factor Authentication (2FA) is crucial to enabling higher security for the services used. Make sure not to lose your authentication method, though. If your authentication method does get lost for whatever reason, refer to a previous blog post on how Exoscale handles lost tokens.
- Security measures on the phone if company data is handled on mobile. If just swiping is enough to unlock the screen, company data can already be compromised.
- Consider encrypting your e-mails and never send passwords or other account information over unencrypted e-mail. Either store the account information on a server and access it over SSH or use other encrypted team communication tools.
Apart from the individual measures, a general team awareness around the topic of security is important. Education in this regard can be crucial since not all team members will have the same background and information. Team tools for communication and collaboration should be chosen with regard to third party vendor policies and where the data is hosted. They also need to be updated and maintained regularly. The tools should also be approved by a majority of the team for usability, otherwise people will use non-sanctioned services in order to ease their work processes. An in-house standard does not make sense if half the team secretly uses something else because they prefer it to the existing solution.
In-house IT infrastructure is often considered a necessary evil and budgeted tightly. It needs documentation, and the people who take care of it usually become irreplaceable quickly, which is detrimental to any team and work ethic. Depending on the size of the company, sometimes there is a system administrator who also supports the entire team. Even with high motivation throughout the years, it is impossible to always keep on track with the newest security challenges while having to provide support and set up meeting rooms. This is the point where DevOps and cloud services started becoming increasingly popular.
Cloud providers take care of security updates and solely focus on providing robust systems. DevOps then takes care of maintaining those systems with the company’s services on top. While the individual team members are responsible for maintaining a certain security awareness, the operational team is required to have more comprehensive knowledge and be alert regarding any current internal and external incidents that impact the company.
Third Party Vendors
From the leaking IoT teddy bear to intentional selling of data, there are several transgressions that can happen from third party vendors you and your team are using. It is not only your devices and infrastructure at work, but also at home where valuable (business) data can get into someone else’s hands. Google also records and saves voice search records, which can be deleted. With other services, it is not always clear where your data lands and how it is further processed.
You might think there is never enough staff to check what you said to your spouse on the way to work, and you’re right. The only caveat is that it no longer takes staff to analyse the wealth of freely given away rights to privacy. Machine learning algorithms can analyse your speech for certain keywords and start whatever computing process they have in the background. This sounds dystopian, but it is already our reality. With vendors, there are hosted services and closed source software. If closed source software is running on-premises, there is still a chance it sends information elsewhere, and with hosted services there needs to be an even higher level of trust.
This article cannot give recommendations for third party vendors or tell which are safe to use, but it can give a clear set of things to look out for:
- Does the vendor describe in detail how and what they process from your company data or are they willing to provide this information upon request?
- If the vendor is not usually concerned about security and privacy, can you arrange a special contract that will ensure the important measures for your company are set?
- How does the third party vendor handle security incidents? Does their approach fit within your company regulations?
- Make sure that any input from a third party vendor that permeates your own infrastructure is cleaned up and safe. This is where integration security comes into play.
Integrating one piece of software into another permeates several circles. XSS poses only one of several threats, where malicious code can be injected into software if input is not properly whitelisted. For a crash course, see OWASP on attacks. Most well-known third party software keeps these attacks in mind, is well-tested and designed to prevent these attacks. It is therefore usually better to go with existing frameworks and libraries than to reinvent the wheel. In some cases, using external software will introduce more security issues, so it needs to be a conscious decision. With the current state of security breaches becoming known, it is also crucial to keep each piece of software up-to-date.
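To make the whitelisting point concrete, here is an added example (not Exoscale's code) that validates data arriving from a third party vendor against an allowlist and escapes it again at output time. The webhook field names, patterns and sample payloads are assumptions constructed for illustration.

```python
import html
import re

# Allowlist for a hypothetical vendor webhook: field name -> accepted value pattern.
ALLOWED_FIELDS = {
    "ticket_id": re.compile(r"[0-9]{1,10}"),
    "status": re.compile(r"open|pending|closed"),
    "customer_name": re.compile(r"[\w .,'-]{1,64}"),
}


def validate_vendor_payload(payload):
    """Return (clean, rejected): only allowlisted fields with accepted values pass."""
    clean, rejected = {}, []
    for key, value in payload.items():
        pattern = ALLOWED_FIELDS.get(key)
        if pattern is None or not isinstance(value, str) or not pattern.fullmatch(value):
            rejected.append(key)  # unknown field, wrong type, or value outside the allowlist
        else:
            clean[key] = value
    return clean, rejected


def render_unsafe(payload):
    """The pattern to avoid: vendor data concatenated into HTML as-is."""
    return "<td>" + payload.get("customer_name", "") + "</td>"


def render_safe(fields):
    """Escape at output time too, so rendering does not rely on validation alone."""
    return "<td>" + html.escape(fields.get("customer_name", ""), quote=True) + "</td>"


# Constructed sample payloads (not real vendor data).
GOOD = {"ticket_id": "4211", "status": "open", "customer_name": "Anne O'Neil"}
BAD = {"ticket_id": "4211", "status": "open",
       "customer_name": "<script>alert(1)</script>", "debug": "1"}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        clean, rejected = validate_vendor_payload(sample)
        print("rejected:", rejected, "| rendered:", render_safe(clean))
```

Rejected field names are worth logging: a vendor that suddenly sends fields or values outside the allowlist is a signal for the operational team, not just a rendering detail.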
As mentioned at the beginning of this article, Exoscale takes both security and privacy very seriously. Our security page has comprehensive in-depth information about how Exoscale operates. If you want to get in touch for critical security matters, use PGP as described on the security page.
We will post more about the tools we chose and what we developed ourselves as well as the rationale behind it in future blog posts. Stay tuned.