Jumping straight in:
1. Security by Design
Designing a new infrastructure or system is a process that’s often dominated by the technical specifications, and to a large extent, rightly so. However, specifications stated in terms of speeds and feeds rarely describe the whole story. They often assume that security is a given, and mentions of it are likely to be few.
Instead, the security elements of any new or redesigned system should be explicitly described in terms of both purpose and functionality. This is especially true of software where malicious intent on the part of users – albeit a small proportion of the whole – should be assumed.
This means, for example, that day-to-day usage of the system should be achievable with minimal privileges – just enough to get the job done and no more. Data in transit should be encrypted by default to protect against man-in-the-middle attacks, and data stored on third-party systems, where security cannot be assumed, should similarly be encrypted.
2. Assess your Security
To understand how secure your systems are, you need first to understand what you own and manage. This means identifying all your IT assets, which include not just the technology but also people and processes. Once identified, you need to understand how each system interacts with those to which it is connected and whether that interaction is performed in a secure manner.
3. Secure your Systems
Securing your systems is of course a huge topic, but the basics hold true. Security means assuming that any system connected to another is a potential target for attack; the only truly secure computer is one that’s either switched off or unconnected to anything else.
For this, traditional tools such as firewalls and anti-malware software remain important but need to be supplemented by technology and processes that reflect the nature of today’s enterprise, which is an environment where change, complexity and risk are a given.
4. Be Adaptable
In an increasingly complex environment such as the modern enterprise, flexibility and adaptability to change are essential attributes. This is as true of security as of any other element of enterprise IT management. So staying ahead of the game, and using automation where possible to reduce the possibility of human error, are key.
This means continually monitoring events on the network, reconfiguring systems and processes to meet new threats, and being proactive rather than reactive. For example, attacks are often preceded by reconnaissance, which produces distinctive access patterns not found in normal business-related use; spotting those patterns can alert you to an impending attack.
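As an added illustration of that monitoring idea (not part of the original article), the script below scans constructed web-server access-log lines and flags a client whose requests, within a short window, touch many distinct paths and mostly fail, a pattern typical of probing rather than ordinary business use. The log lines, the thresholds and the field layout are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Common Log Format style); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Oct/2023:09:01:02 +0000] "GET /app/dashboard HTTP/1.1" 200 5120
10.0.0.5 - alice [10/Oct/2023:09:01:09 +0000] "GET /app/reports HTTP/1.1" 200 8421
10.0.0.5 - alice [10/Oct/2023:09:02:15 +0000] "POST /app/reports/export HTTP/1.1" 200 120
203.0.113.7 - - [10/Oct/2023:09:03:00 +0000] "GET /admin HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:09:03:00 +0000] "GET /login-old HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:09:03:01 +0000] "GET /backup HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:09:03:01 +0000] "GET /config HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:09:03:02 +0000] "GET /test HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:09:03:02 +0000] "GET /api/v1/users HTTP/1.1" 403 95
"""

LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')

def parse(log_text):
    """Turn raw log lines into (client, timestamp, path, status) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        events.append((m['client'], ts, m['path'], int(m['status'])))
    return events

def flag_recon(events, window_s=60, min_distinct=5, min_error_ratio=0.5):
    """Flag clients that, within window_s seconds, hit >= min_distinct distinct paths
    with at least min_error_ratio of those requests answered 4xx (assumed thresholds)."""
    by_client = defaultdict(list)
    for client, ts, path, status in events:
        by_client[client].append((ts, path, status))
    flagged = {}
    for client, evs in by_client.items():
        evs.sort()
        for i in range(len(evs)):
            start = evs[i][0]
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_s]
            distinct = {p for _, p, _ in window}
            ratio = sum(1 for _, _, s in window if 400 <= s < 500) / len(window)
            if len(distinct) >= min_distinct and ratio >= min_error_ratio:
                flagged[client] = {'distinct_paths': len(distinct), 'error_ratio': round(ratio, 2)}
                break  # one alert per client is enough
    return flagged
```

In real use the thresholds should be tuned against a baseline of the organisation's own traffic so that legitimate crawlers and monitoring checks are not flagged.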
5. Get Users On-side
Most security breaches today result not from direct outside intrusions but because someone on the inside either deliberately or inadvertently left the door open. So training users in best practices is essential. Employees need to understand, for example, that links can be malicious no matter how innocuous they appear, and that information is a key asset not only for the company but for the attacker too. The more an attacker knows about the company and its people, processes and systems, the more ammunition they possess to mount an attack. Users are a key defence.
6. Protect Access
Access to a properly secured network requires information about the system – and few know more about your systems than your employees. So managing that access is a critical part of remaining secure and this means knowing who has access to which systems, and being proactive as those parameters change. This is especially true in today’s highly mobile environment, where access needs to be granted from a wide variety of devices and locations. A key focus needs to be placed on the automated monitoring of configurations and checking for errors that could lead to security breaches, failed audits, or downtime.
'Top Six Security Practices' was originally posted to cloudreadyzone.com and is reproduced here by kind permission of IDG Connect.