If you look at how and when different companies implement security, it’s clear the approach runs the gamut. Some go all in from day one while many others wait until the need is on top of them.
Of course, companies that get security off the ground as early as possible have many advantages, but it can be a daunting undertaking, especially in organizations that don't have security pros on staff.
No matter where you are today, there are steps you can take to get more secure. And rather than succumb to analysis paralysis, it’s a good idea to just bite off what you can chew and start somewhere. So… where to start?
Cloud Security: Where To Begin
Realistically, widespread organizational security should actually be the end goal, not the starting point.
You don’t need to get there in a day or a month, but you can start by identifying small but important goals, such as password security and encryption, that can incrementally improve your company’s security. The earlier you implement them, the easier it will be to add in more security later on (and the fewer headaches you will have to deal with in the form of incident response).
This post, the first of a two-part series, is a step-by-step guide to implementing security from the ground up.
The First Four Security Practices All Companies Should Implement
1. Two-Factor Authentication (2FA)
Think about how many cloud services you and your employees log into every day. The threat of cloud credential theft is real, especially as more and more critical data is stored in cloud services. With much less effort than you may think, attackers can acquire email and production-level passwords and get into critical systems if there isn't an extra layer of protection to stop them — namely, two-factor authentication.
Two-factor authentication requires two methods, or factors, to verify your identity before logging into a cloud service: something you know (the password) plus something you have (typically a one-time password from a mobile app or a hardware token). This means that even if credentials are compromised, the bad guys can't complete their mission without the extra layer of verification. Duo Security paired with a YubiKey, or even the free Google Authenticator app, are two very straightforward and effective 2FA solutions. Where you can, prefer a hardware key over a typed code: a one-time code entered into a phishing page can be relayed to the real site within its validity window, whereas a hardware key's response is bound to the site it was registered for. (For more on implementing 2FA using Duo, see this three-part series by Threat Stack's Tom McLaughlin.)
2. SSL Certificates
SSL (Secure Sockets Layer), long since superseded by TLS (Transport Layer Security) although the old name has stuck, encrypts communications between a web server and browser and lets the browser verify that it is talking to the genuine server. It's a standard security measure to prevent sensitive information (credit card numbers, usernames, passwords, emails, etc.) from being read or tampered with in transit. If you have a website or web app, you need it.
The most important part of an SSL certificate is where it comes from. SSL certificates are issued by Certificate Authorities (CAs), organizations trusted to verify the identity of the entity requesting a certificate. Get your certificate from a publicly trusted CA rather than using a self-signed certificate: browsers and operating systems ship a trust store of root CAs, and a certificate that doesn't chain up to one of those roots triggers a full-page warning that the site isn't trustworthy, which can turn a prospect or customer away from doing business with you altogether. The rise of free and easy-to-get certificates from Let's Encrypt, and more recently directly from Amazon Web Services, means cost should not be a major factor in securing your sites. One caveat: Let's Encrypt certificates are valid for only 90 days, so automate renewal from the start rather than relying on someone to remember it.
3. Encrypt Communications With PGP
Now that your logins and server-to-browser communications are secure, it’s time to encrypt your email and chat communications. As a security best practice, never assume that these communications are protected, even if your provider boasts about having security measures in place for users. Ever heard of “trust, but verify”? This is a perfect example.
PGP (Pretty Good Privacy), along with its widely used open-source implementation GnuPG (GPG), encrypts and decrypts messages and files sent over the Internet, and signs them so the recipient can verify who sent them and that they were not altered. Each user has a key pair: a public key, which they share freely, and a private key, which they keep secret. You encrypt a message to someone with their public key, and only the holder of the matching private key can decrypt it.
While not the easiest thing to set up, you only have to do it once using a tool like GPG Suite (from GPGTools) on macOS or Gpg4win on Windows. Two caveats: protect private keys with a strong passphrase, and confirm a correspondent's key fingerprint out of band before trusting it, because encrypting to the wrong public key protects nothing. PGP is especially critical for users with production access, but as a best practice we recommend rolling it out to your entire company. You can use PGP not only to secure your company's internal email communications, but to encrypt files for a group of people to access.
4. File Integrity Monitoring
File integrity monitoring, or FIM, is an excellent way to make sure you are notified if an attacker does get past any of the above protections. Once inside a server, an attacker almost always touches the file system: adding a cron job or SSH key for persistence, editing a configuration file, dropping a tool, or deleting a log. With many users and deploys changing many hosts, such changes are easy to miss by eye. FIM automates the job by taking a baseline of critical files and directories (system binaries, configuration, credential files, web roots) and surfacing changes to them so you can be sure you don't miss anything.
In the cloud, file integrity monitoring can alert you about three types of events:
- When new files are added to or deleted from a directory
- When specific files are modified or any files in a directory are modified
- When specific files or any files in a directory are opened
Any of these events can indicate a potential threat, but not every change is malicious: deploys and package updates modify files too. Re-baseline after known-good changes and scope monitoring to files that should rarely change, so the alerts you do get are worth investigating.
More Best Practices . . .
For more best practices, have a look at Part 2 of this series. Part 2 takes a dive into several procedural security practices you should integrate early on to ensure that security is embedded seamlessly across your organization.