Could your IT infrastructure harm your business?

Amir Hashmi, Managing Director, zsah Technology Group
Over recent months there have been a number of high-profile and well-publicised security incidents resulting in the loss of customer data. These include the hacking of Sony's systems, the Ashley Madison dating site in the US, Marks and Spencer, Apple and, most recently, TalkTalk in the UK. All of them demonstrate the risk to a business from a breach of IT security and the damage that follows. The impact of a breach can last for many years: massive reputational damage and a loss of customer confidence, not only in the company's systems but in the brand itself. There is usually also a significant short-term business impact. In the case of TalkTalk, some reports claimed that up to one third of all customers had terminated, or were looking to end, their contracts in the immediate aftermath of the incident.

In this article we discuss the causes of security failures and outline the key lessons any business can apply to reduce its risk, including specific considerations for the use of Cloud Services.
Following recent high-profile IT and data security failures, how much risk is your IT infrastructure placing on your business? How secure is your data?

There are three distinct but related elements to consider: overall security (including processes and physical security); hacking, meaning attempts to breach the IT systems' defences; and the privacy of the data held within those systems.
1. Overall security, hacking, and privacy of data held within your IT systems

To the non-expert eye the primary risk is external hackers, and protection is mainly a matter of firewalls and anti-virus software. Both are necessary, but neither is the whole picture. Many of the attacks a business will actually notice are Denial of Service (DoS) attacks, which aim to take its services offline rather than to steal data. In the TalkTalk case a Distributed Denial of Service (DDoS) attack was reported alongside the theft of customer data, but a DDoS does not by itself give access to data: it disrupts availability, and it can distract an operations team while a separate attack on an exposed application or database takes place. Up-to-date anti-malware protection remains essential on every endpoint and server, but it does not stop a DDoS, and it does not stop an attack on a vulnerable web application.
Even with up-to-date security software, attackers can still find ways past this layer. One of the most common is an "exploit": code that takes advantage of a specific vulnerability in an exposed service or application to get the attacker's own code running, or to gain access the system should never have granted. The exploit itself is usually small; its job is to open a channel through which further malicious software (a backdoor, credential-stealing tools, ransomware) can be delivered. The defence against a known vulnerability is the vendor's security patch: the vulnerability is reported, a fix is issued, and customers apply it. The problem is the delay. Between publication of a vulnerability and the patch being applied across an estate, a working exploit is frequently already in circulation, and in IT infrastructure a single day of exposure matters in a way that a day rarely does in a normal business cycle.

It is therefore critical that businesses keep every part of their IT infrastructure up to date, and know how long each system has been waiting for a patch. For many businesses, externally provided Cloud Services can significantly de-risk this part of IT delivery: it removes dependence on a potentially small internal IT department for routine patching and lets that team focus on more strategic objectives. However, outsourcing the IT infrastructure does not outsource the problem, and we return later in this article to the additional considerations for companies who choose this route.
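The patch-delay point above is only actionable if you can measure it. The following is an added example, not code from the article or from zsah: it compares a constructed package inventory against constructed vendor advisories and reports how many days each host has been running a version older than the fix, against an assumed patching SLA per severity. The package names, versions, dates and SLA values are all invented for illustration.

```python
# Added example, not the article's own code: report how long each host has
# been running a version older than the fix named in a vendor advisory.
# Package names, versions, dates and SLAs below are constructed.
from datetime import date
from typing import Dict, List, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """'1.10.10' -> (1, 10, 10). Plain string comparison would rank
    1.10.10 below 1.10.2 and wrongly report a patched host as exposed."""
    return tuple(int(part) for part in version.split("."))


# Constructed advisories: package, first fixed version, publication date, severity.
ADVISORIES = [
    {"package": "tls-lib", "fixed": "1.10.2", "published": date(2015, 10, 1), "severity": "critical"},
    {"package": "fw-os",   "fixed": "7.0.5",  "published": date(2015, 10, 20), "severity": "high"},
]

# Constructed inventory: what is actually installed on each host.
INVENTORY = [
    {"host": "fw-outer", "package": "fw-os",   "version": "7.0.5"},
    {"host": "fw-inner", "package": "fw-os",   "version": "7.0.3"},
    {"host": "web-01",   "package": "tls-lib", "version": "1.9.8"},
    {"host": "web-02",   "package": "tls-lib", "version": "1.10.2"},
    {"host": "app-01",   "package": "tls-lib", "version": "1.10.10"},
]

# Maximum days a host may remain unpatched, by severity (assumed policy).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}


def exposure_report(inventory: List[Dict], advisories: List[Dict], today: date) -> List[Dict]:
    """One finding per (host, advisory) where the installed version is older
    than the fix, ordered with the longest-exposed host first."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["package"] != item["package"]:
                continue
            if version_key(item["version"]) >= version_key(adv["fixed"]):
                continue   # already at or beyond the fixed version
            days = (today - adv["published"]).days
            findings.append({
                "host": item["host"],
                "package": item["package"],
                "installed": item["version"],
                "fixed": adv["fixed"],
                "severity": adv["severity"],
                "days_exposed": days,
                "sla_breached": days > SLA_DAYS[adv["severity"]],
            })
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)


if __name__ == "__main__":
    for f in exposure_report(INVENTORY, ADVISORIES, date(2015, 11, 1)):
        flag = "SLA BREACHED" if f["sla_breached"] else "within SLA"
        print(f"{f['host']}: {f['package']} {f['installed']} < {f['fixed']} "
              f"({f['severity']}, {f['days_exposed']} days) {flag}")
```

Run as-is it lists web-01 (31 days on a critical advisory, SLA breached) and fw-inner (12 days on a high advisory, still within SLA); app-01 is correctly left out because 1.10.10 is newer than 1.10.2, which a naive string comparison would get wrong. In practice the inventory would come from your configuration management or the provider's reporting, and the report belongs on the management scorecard discussed later in the article.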
Firewalls are a key part of the defence against external attack and, properly implemented, block traffic to services that should never be exposed, which removes the target of many exploits before they arrive. However, a firewall has to let through the traffic the business needs (HTTPS to a public website, for example), and an exploit aimed at the application behind that open port passes the firewall like any other request. Combined with the constant reinvention of attacks and the time taken to apply patches, this means the risk can never be completely eliminated. Many firewall manufacturers now offer "auto-patch" versions of their products, but do not be misled into thinking this solves the problem: many patches and software revisions require a restart, with knock-on effects for the rest of your systems and for availability to staff and customers, so they still have to be scheduled and tested.

Best practice in the implementation of firewalls is a "dual-layer" design: an outer firewall between the Internet and the servers that must be publicly reachable, and a separate inner firewall between those servers and the internal network where application and database systems live. Each layer should be default-deny and allow only the specific flows the business needs. The value is that an exploit that gains a foothold on a server behind the first layer still faces the second, which should permit that server to reach only the few internal services it genuinely needs and, ideally, nothing on the Internet at all, so the channel the attacker relies on to pull in further software and to extract data is cut off. The second layer only helps if its rules are genuinely tighter than the first; a broad "allow anything from the DMZ" rule on the inner firewall gives the design nothing.
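To make the dual-layer argument concrete, here is an added example (not code from the article or from zsah, and not a real firewall): a small first-match, default-deny rule evaluator with an assumed layout of Internet, DMZ, application tier and data tier, and an outer and inner rule set. It walks a flow through every layer on its path and shows why a web server compromised behind the outer firewall still cannot reach the database or call back out, and why a loose inner rule set throws that benefit away. All addresses, zones, ports and rules are assumptions.

```python
# Added example, not the article's own code: a first-match, default-deny
# rule evaluator used to reason about a two-layer firewall design. The
# addresses, zones and rules are assumptions for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


# Assumed layout: Internet -> outer firewall -> DMZ (web tier)
#                          -> inner firewall -> app tier and data tier.
ZONES = {
    "dmz":      [ip_network("10.1.0.0/24")],
    "app":      [ip_network("10.2.0.0/24")],
    "data":     [ip_network("10.3.0.0/24")],
    "internet": [ip_network("0.0.0.0/0")],   # catch-all, checked last
}
WEB, APP, DB = "10.1.0.10", "10.2.0.10", "10.3.0.10"

# Outer layer: only public HTTPS to the web server is allowed in, and there is
# deliberately no rule letting the DMZ reach the Internet (egress is denied).
OUTER = [Rule("allow", "0.0.0.0/0", WEB + "/32", "tcp", 443)]

# Inner layer: the web server may reach only the application API, and only
# the application server may reach the database. Nothing else crosses.
INNER = [
    Rule("allow", WEB + "/32", APP + "/32", "tcp", 8443),
    Rule("allow", APP + "/32", DB + "/32", "tcp", 5432),
]

# A loose inner layer of the kind that makes the second firewall pointless.
LOOSE_INNER = [Rule("allow", "10.1.0.0/24", "10.0.0.0/8", "any", None)]


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name in ("dmz", "app", "data", "internet"):
        if any(ip in net for net in ZONES[name]):
            return name
    raise ValueError(addr)


def layers_on_path(src_zone: str, dst_zone: str, outer: List[Rule], inner: List[Rule]):
    """Which firewalls a flow crosses: the outer layer fronts everything that
    is not the Internet, the inner layer guards the app and data tiers."""
    layers = []
    if "internet" in (src_zone, dst_zone):
        layers.append(outer)
    if {src_zone, dst_zone} & {"app", "data"}:
        layers.append(inner)
    return layers


def permitted(src: str, dst: str, proto: str, dport: int,
              outer: List[Rule] = OUTER, inner: List[Rule] = INNER) -> bool:
    """True only if every layer between the two endpoints allows the flow.
    Traffic inside a single zone is not modelled and is reported as False
    so that 'not modelled' is never mistaken for 'allowed'."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return False
    return all(evaluate(layer, src, dst, proto, dport) == "allow"
               for layer in layers_on_path(sz, dz, outer, inner))


if __name__ == "__main__":
    attacker_on_web = WEB   # the "channel through the first layer" scenario
    for desc, flow in [
        ("public HTTPS to web",       ("203.0.113.5", WEB, "tcp", 443)),
        ("web -> app API",            (attacker_on_web, APP, "tcp", 8443)),
        ("web -> database",           (attacker_on_web, DB, "tcp", 5432)),
        ("web -> Internet callback",  (attacker_on_web, "203.0.113.5", "tcp", 443)),
    ]:
        print(f"{desc:26s} {'ALLOW' if permitted(*flow) else 'DENY'}")
```

The first two flows are allowed because the business needs them; the last two are denied even though the attacker already sits on the web server, which is the whole point of the inner layer and of egress filtering on the outer one. Passing `inner=LOOSE_INNER` to `permitted` makes the web-to-database flow succeed again: the second firewall is only as good as the rules on it.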
What are the main causes of recent security failures, and how can businesses, big and small, protect themselves in what appears to be an increasingly insecure world?

2. Data Security
Firstly, there are three types of data, each requiring a different level of protection: non-personal data, personal data and financial data. These also bring in the question of compliance, especially for financial data, where FCA and PCI rules determine the levels and types of security that must be implemented. These rules dictate not only how data must be stored and protected but also physical requirements for the IT infrastructure that holds it (the PCI DSS, for example, includes physical access controls on systems holding cardholder data). Failure to comply, and to remain compliant, is a serious breach of the company's obligations and can result in fines or worse against the company and its directors.

As is now well known, one of the key issues in the TalkTalk breach was that the data was not all encrypted. Data must not only be encrypted to an appropriate level; the different types of data should also be stored separately, each under its own keys and access controls, so that even if one store is breached the full personal and financial picture of a customer is not disclosed. Separation also means that the link between stores should be an opaque identifier rather than the customer's name or e-mail address, so that a copy of one store cannot simply be joined to another. Proper encryption and storage of data, including separation of data types, substantially reduces both the likelihood and the impact of an incident such as TalkTalk's. Best-practice solutions keep personal data protected even after the firewall and anti-virus layers have been breached, which is exactly the situation encryption at rest exists for.
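The following is an added example, not code from the article or from zsah, of the encrypt-and-separate approach described above: the three data classes go into three separate stores, each under its own key, and records are linked only by a random token. Everything here is an assumption for illustration: the stores are in-memory SQLite databases standing in for separately hosted systems, the per-class keys are generated locally where a real deployment would hold them in a KMS or HSM with separate access policies, and the cipher is a standard-library-only encrypt-then-MAC construction (an HMAC-SHA256 keystream plus an HMAC tag) so the example runs without third-party packages. In production use a vetted authenticated cipher such as AES-GCM from a maintained library.

```python
# Added example, not the article's own code: the three classes of data the
# article names kept in separate stores under separate keys, linked only by a
# random token. The cipher is a stdlib-only encrypt-then-MAC stand-in
# (HMAC-SHA256 keystream plus HMAC tag) so the example runs without
# third-party packages; in production use a vetted AEAD such as AES-GCM.
import hashlib
import hmac
import json
import os
import sqlite3

CLASSES = ("non_personal", "personal", "financial")
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SeparatedStore:
    """One database and one key per data class. In a real deployment the keys
    would live in a KMS/HSM with separate access policies and the databases on
    separate hosts; here they are in-memory SQLite for illustration."""

    def __init__(self):
        self.keys = {c: os.urandom(32) for c in CLASSES}
        self.dbs = {c: sqlite3.connect(":memory:") for c in CLASSES}
        for db in self.dbs.values():
            db.execute("CREATE TABLE records (token TEXT PRIMARY KEY, blob BLOB NOT NULL)")

    def add_customer(self, non_personal: dict, personal: dict, financial: dict) -> str:
        # The cross-store link is a random token, not the e-mail address or name,
        # so a copy of one store cannot be joined to another by identity.
        token = os.urandom(16).hex()
        for cls, payload in zip(CLASSES, (non_personal, personal, financial)):
            blob = encrypt(self.keys[cls], json.dumps(payload).encode())
            self.dbs[cls].execute("INSERT INTO records VALUES (?, ?)", (token, blob))
        return token

    def read(self, cls: str, token: str, key: bytes) -> dict:
        row = self.dbs[cls].execute("SELECT blob FROM records WHERE token = ?", (token,)).fetchone()
        return json.loads(decrypt(key, row[0]))

    def dump(self, cls: str) -> list:
        """What an attacker holds after copying one store's database file."""
        return [blob for (blob,) in self.dbs[cls].execute("SELECT blob FROM records")]


if __name__ == "__main__":
    store = SeparatedStore()
    tok = store.add_customer({"plan": "fibre-150"},
                             {"name": "A. Customer", "email": "a.customer@example.com"},
                             {"sort_code": "12-34-56", "account": "12345678"})
    print("personal:", store.read("personal", tok, store.keys["personal"]))
    try:   # a breach of the personal store and its key does not open the financial store
        store.read("financial", tok, store.keys["personal"])
    except ValueError as e:
        print("financial with personal key:", e)
    print("plaintext in financial dump:",
          any(b"12-34-56" in blob for blob in store.dump("financial")))
```

The design choice worth noting is that the protection comes from three things together: separate keys (so a stolen key opens one class only), separate stores (so one compromised database file yields one class only) and a random linking token (so even two stolen files cannot be matched up by e-mail address). Dropping any one of them weakens the other two.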
In the case of the US dating website Ashley Madison, the stored passwords were well protected (hashed with bcrypt), but best practice was not followed in other aspects of the security policy, in particular access rules and processes, and the bulk of the personal data was taken regardless. Insider involvement was suggested at the time, and whether or not that proves true, the case illustrates the need for strong security processes implemented across the organisation to limit what an internal agent, or an attacker holding an employee's credentials, can do. This leads on to processes, organisational considerations and the requirement for clear ownership of IT security.
3. Ownership and Responsibility

If we accept that no set of security systems can guarantee 100% that a malicious attack will not get through, what should companies be doing to protect their data, and that of their customers?

Given the very real dangers of the modern connected IT world, and the potential for a loss of confidential customer data to cause significant damage to reputation and to the business directly, companies must have clear ownership, responsibility and accountability for every aspect of IT security. There is a strong argument for a Chief Data Officer who reports to, or sits on, the Board.

Organisations should also review their processes regularly, including who has access to which data and systems and whether that access is still needed. Consider using external audit services as part of the review to confirm continued compliance with best practice. Management review meetings typically assess performance and risk through a form of "balanced scorecard", looking at the company's overall position against financial, staffing and other metrics. We contend that IT security should be a specific additional scorecard element, reviewed as part of the normal company review process and owned by a senior member of the Board or management team.
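The access review recommended above, and the insider risk raised in the Ashley Madison discussion, both come down to periodically checking who holds what. The following is an added example, not code from the article or from zsah, of such a review run over a constructed export of grants: it flags roles outside an assumed approved role matrix, accounts with no login for more than an assumed ninety days, and assumed separation-of-duties conflicts such as one person both raising and approving payments. All users, roles, job functions and dates are invented.

```python
# Added example, not the article's own code: a periodic access review that
# flags grants outside the approved role matrix, dormant accounts and
# separation-of-duties conflicts. All users, roles and dates are constructed.
from datetime import date
from typing import Dict, List, Set, Tuple

# Roles each job function is approved to hold (constructed role matrix).
APPROVED: Dict[str, Set[str]] = {
    "support": {"crm-read"},
    "finance": {"billing-read", "billing-write", "billing-approve"},
    "dba":     {"db-admin"},
}

# Role pairs one person must never hold together (constructed).
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("billing-write", "billing-approve"),   # raise and approve own payments
    ("db-admin", "billing-write"),          # edit the ledger and its audit trail
]

# Current grants as exported from the systems: (user, job, role, last login).
GRANTS = [
    ("alice", "support", "crm-read",        date(2015, 10, 30)),
    ("bob",   "finance", "billing-write",   date(2015, 10, 29)),
    ("bob",   "finance", "billing-approve", date(2015, 10, 29)),
    ("carol", "dba",     "db-admin",        date(2015, 10, 28)),
    ("carol", "dba",     "billing-write",   date(2015, 10, 28)),  # left over from a project
    ("dave",  "support", "db-admin",        date(2015, 7, 1)),    # moved teams, role never removed
    ("erin",  "support", "crm-read",        date(2015, 6, 1)),    # no longer logs in
]


def review(grants, approved, sod, today: date, dormant_days: int = 90):
    """Return (user, kind, detail) findings; kind is 'excess', 'dormant' or 'sod'."""
    findings = []
    roles_by_user: Dict[str, Set[str]] = {}
    last_seen: Dict[str, date] = {}
    for user, job, role, last_login in grants:
        roles_by_user.setdefault(user, set()).add(role)
        last_seen[user] = max(last_seen.get(user, last_login), last_login)
        if role not in approved.get(job, set()):
            findings.append((user, "excess", f"{role} is not approved for job '{job}'"))
    for user, roles in roles_by_user.items():
        idle = (today - last_seen[user]).days
        if idle > dormant_days:
            findings.append((user, "dormant", f"no login for {idle} days; disable and re-certify"))
        for a, b in sod:
            if a in roles and b in roles:
                findings.append((user, "sod", f"holds both {a} and {b}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review(GRANTS, APPROVED, SOD_CONFLICTS, date(2015, 11, 1)):
        print(f"{kind:8s} {user:6s} {detail}")
```

Run against the constructed data it reports carol and dave for excess roles, dave and erin as dormant, and bob and carol for separation-of-duties conflicts. Each finding is something a named owner should either remove or formally re-approve before the next review, which is the evidence an external auditor will ask for.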
4. What about the impact of external providers?

Most companies employ some level of outsourced IT provision, either through Cloud-based applications (for example Sage accounting or Salesforce.com CRM delivered as Software as a Service, or SaaS) or through more wholesale use of external Cloud Service providers. In all such cases your customers' data is held outside your own physical environment. Most reputable providers use highly secure, well-developed data centres that should offer better physical security than an in-house system in your own offices. Even if your own servers are in a secure room, who has access to it, and can you be certain that its physical security cannot be breached?

So external Cloud Service providers should provide secure services, but there are steps you need to take to check that their processes comply not only with best practice and external rules (FCA, PCI and so on) but also with your own security policies and processes. For example, if you use one of the "big brand" Cloud Service providers such as AWS or Rackspace you will be bound by their standard contracts and embedded policies, and you need to understand these in enough detail to be sure that your end-to-end security solution is fit for purpose. The provider secures the underlying platform; what you build on it, including access control, patching of your own systems and encryption of your data, remains your responsibility. There is also the separate issue of data privacy. Unless you choose, and contractually fix, the region in which your data is stored, you may not control where it is held, with the risk that external agents such as other governments could have rights to access it.
There are a number of questions you should be asking your external Cloud Service provider, including:

• What are your security policy and processes? An example of the level of detail required: if PCI data is held, it should be on a server in a physically locked cabinet, not merely within an area covered by a general security lock.
• If the provider is fairly new to the market, what rules do they follow, and what are their track record, financial strength and longevity?
• Updates and maintenance: how quickly are security patches applied, and does the architecture employed follow the best practices outlined in this article (for example dual-layer firewalls)?
• Who do they use for infrastructure or for specific elements of their own delivery? Many Cloud Service providers are partly or wholly "brokers" of services, using another provider for the actual infrastructure, and your data is only as secure as the weakest link in that chain.
5. Summary

Recent cases highlight the need for a fully coordinated security policy covering physical location, people, processes, IT security (protection from hacking) and encryption and data separation to limit the loss of data if an attack succeeds.

Organisations need clear ownership and understanding of all of these aspects of IT security, even where elements of the IT solution are outsourced. Managed properly, the use of an external Cloud Service provider should significantly increase your own capability and overall IT security.

Join zsah Ltd in analysing how IT infrastructure could be harming your business.

Get in touch
We'd love to hear from you.
info@zsah.net
+44 (0) 20 7060 6032
@zsahLTD
15 Reece Mews, South Kensington, London SW7 3HE
We are based in South Kensington, Central London. Feel free to contact us and we would be happy to have you over for a chat.
Enabling you to focus on your business without the complexity of managing your IT spectrum
ISO 9001 Quality Assurance | ISO 27001 Information Security Management