Information security principles and strategies go together naturally. Previously, we described three key security strategies for cloud computing. These are the establishment of a suitable security perimeter, leverage of appropriate technology, and verification of each cloud provider that you work with.
Your strategies must also consider the type of attacks to which your business is exposed, to ensure that information security resources are used to provide protection where it is most needed. In addition, your business may be required to implement security to satisfy regulations, or to continue trading with key partners and customers that insist on compliance with those regulations. Your strategies should also be oriented to help you reduce risks to your business.
Information security design principles
The following principles can help you build an architecture with robust confidentiality, integrity, and availability in the cloud, on your premises, or both at the same time.
- Focus on business mission and value – Information security resources must be aligned with the key objectives of your business. The focus is on ensuring that it can carry out its mission and achieve its critical business objectives. Priority for information security efforts should therefore also be given to people and assets of high business value or with access to high value assets.
- Apply a well-rounded strategy – A robust security culture is as important as well-oiled processes and controls. All three apply end-to-end across all IT and cyber assets, including supply, implementation, interactions, upgrades, and decommissioning.
- Keep it simple – Complexity breeds errors, failures, and vulnerabilities. Where reasonably possible, keep things simple.
- See things through attackers’ eyes – If your security is to be effective against attackers, you must see it as attackers do, from the outside as well as the inside. You need to avoid a blinkered view that could leave gaps and weaknesses for attackers to exploit. Suitable approaches include penetration testing to simulate single attacks and red team simulations of persistent attacks.
- Use native controls – A good cloud provider will offer built-in information security controls for you to use as a customer. This prevents dependencies on third parties and avoids risks of out of date or out of sync security tools.
- Prioritize identity as a security control – Authentication and authorization are the better security controls than network gateways or encryption keys for cloud-based assets.
- Assign accountability – Define the individuals responsible for assets and security clearly and unambiguously.
- Limit to least privilege – As a rule, restrict each user’s access privileges to the minimum needed by that user to do his or her job.
- Automate to avoid errors – Properly governed automation can prevent human error, a key source of risk and security breaches.
- Concentrate on information protection – As the saying goes, data is the new oil. Intellectual property, strategic plans, and customer information are examples of high-value data assets for which security is essential.
- Build resilience into your strategy – At some point, every security control can fail. Resilience includes building in backup controls, together with detection, response, and recovery capabilities to limit attacker damage or abuse, and as fast as possible restore systems to the secure, operational status required by your business.
- Benchmark your information security – Test your security (penetration and red team) and compare it with industry practices and performance, as well as standards and regulations. Then use these findings to improve it.
- Never stop – Information security is a process that is never finished. Your business will change, and attackers will find new ways to attack, so your security must continually evolve and improve.
- Trust nobody, trust nothing – Apply zero trust. Give no access to resources before properly checking authentication and authorization. Prefer multiple checks as in multi-factor authentication.
- Educate and motivate the people in your business about security – Everyone, including administrators, end-users, and managers, must understand and apply basic best practices for keeping data and assets secure.
Attacks that your business must resist
Naturally, these attacks will depend on the nature of your business and the environment in which it operates.
There are several sources of information that can help identify such attacks for your business:
- Using an attacker viewpoint. Which IT assets in your business will be most attractive to attackers, whether for financial gain, sabotage, or abuse? How might attackers go after these assets?
- Comparison with similar businesses/business sectors. Industry attack statistics can give you indications of attack methods favored by attackers against organizations like yours.
- Current attack data. New attack methods may not yet feature in statistics records, so find out from the latest reports which ones might impact your business.
- Threat modeling. Look for all possible attack vectors and surfaces, then prioritize from the most damaging attacks downwards and block them.
Legal and regulatory requirements
Ignorance of the law or regulations is no excuse. Make sure that your information security is up to date and compliant in the following areas:
- Generally applicable regulations, like GDPR (General Data Protection Regulation from the European Union).
- Regulations specific to your industry or your business activities, such as HIPAA for the US health sector and FedRAMP for working with US federal customers.
- Applicable standards relating to information security, such as ISO 27001.
The overall risk assessment for the information security of your business will be specific to your business. However, there are some basic principles for risk reduction that are applicable to many organizations:
- Make resilience a key component of your information security strategy – Key components of resilience are in-depth security with backup controls, rapid detection of attacks, effective response to contain (prevent further access and movement within your systems) then eliminate the attack, and speedy recovery to normal operational status. Each component contributes to mitigating risk, if it is correctly aligned to business priorities, as well as being part of a continuing process to evolve and improve your security.
- Increase the cost (time, effort, money) of attacking, to discourage attackers – By preventing and rapidly detecting and handling basic attacks, you can automatically make things more expensive for attackers. Those that are driven by financial gain, such as stealing and reselling confidential information, will begin to look for easier targets and better returns elsewhere. Others will need to spend more time, effort and perhaps money on launching attacks on you. They too will start to question whether they can afford higher percentages of their own finite attacker resources to try to penetrate your systems.
Information security is often most effective when it adheres to generally applicable principles that are simple to understand and common sense in nature. Laws and regulations are not specific to individual businesses either. They must be complied with as an overall requirement affecting all businesses or as a sectoral requirement affecting businesses in that sector. Other aspects of your information security will be specific to your business, because of your business assets, objectives, and environment. For example, assessment of the most likely attacks and the most important risks should be done specifically for your business. You can compare with, but you should not simply copy from other businesses.
About the Author:
Jason is a 1st Vice President, Cloud Solutions Architect at City National Bank of Florida headquartered in Miami, Florida. Jason has been working with computers ever since he bought his first, a Timex/Sinclair 1000 in 6th grade and taught himself BASIC programming. Jason was educated at the University of Cincinnati and the Massachusetts Institute of Technology – Sloan School of Management. He is a Microsoft Azure MVP (2010-present), a young adult author, and a cellist.
Milgram, J. (2020). Security design principles, attacks, regulations, and risk reduction. Available at: https://www.linkedin.com/pulse/security-design-principles-attacks-regulations-risk-jason-milgram/ [Accessed: 20th May 2020].
Check out more great Azure content here