In a time when security consciousness is high and stories about security breaches are all too frequently in the headlines, your security team needs to be ready for questions it’s bound to receive from customers, auditors, employees, board members, and other affected parties.
We’ve covered a lot of topics in this blog, including cloud security strategies, basic security hygiene, best practices, and how to mature your security posture. But to make it easy for your security team, we’re going to use this post to address five fundamental questions that any security team must be able to answer and give tips on how you can prepare to answer them.
1. Who can access data?
Keeping data secure requires that you restrict who can access it, including your own employees. It’s important to establish user access policies as early as possible in your company’s trajectory to make sure that the same policies apply to everyone, even the earliest employees. Things to consider here include:
- Do you allow root logins? (hint: you shouldn’t)
- Who has the ability to escalate privileges?
- Do developers log into production?
Following security best practices, employees should be assigned the lowest level of user access they need in order to do their jobs effectively, a practice that’s known as “least privilege” access.
To implement this, consider how much access different levels of employees (junior, middle-management, leadership, etc.) and different roles (engineering, QA, DevOps) should have to applications, systems, and devices. You may want to sit down with various department leaders to determine what level of access their teams need to get work done, and then revisit those parameters on a regular (e.g., yearly) basis to ensure that they’re being upheld and are still appropriate.
With data access policies laid out clearly and early on, you can quickly and confidently answer user access questions from customers, auditors, leadership, board members, and so on.
2. Where does sensitive data live?
If customers are trusting you with their sensitive data, they will want to know where and how it’s stored and processed before doing business with you. Internal stakeholders (e.g., leadership and the board) will also want to know how sensitive company data is stored. In order to effectively protect this data, you need to know exactly where it’s stored and processed so you can verify that proper security measures are in place.
Start by listing out the types of data you store and transmit. It could be a mix of intellectual property, payment information, and personally identifiable information (PII). Then, determine where each type of data is stored (in the cloud, on-premise, or a hybrid mix) and what other systems or applications it touches.
With this mapped out, you can clearly articulate exactly where data lives, whether at rest or in transit. This process will inform how you go about protecting that data, which we will get into next.
3. How do you protect data?
Different security measures are required depending on how sensitive and valuable certain data is, and you can be certain your customers will ask you about this. In fact, doing business with a company in a regulated industry necessitates certain data protections.
Intellectual property, payment card information, and healthcare data, for example, are extremely valuable and must be protected under the highest levels of security. That means you need to encrypt all applications that touch it, enable two-factor authentication to access it, implement 24/7 security monitoring, and so on.
Other data, such as configuration data, is just as sensitive, so it needs to be just as locked down so malicious actors can’t access it and any accesses and changes are identified and alerted immediately.
Knowing exactly what types of data you’re required to protect and in what ways will help to ensure that you have the proper protections in place. It’s a good idea to evaluate your data protection policies on a regular basis (e.g., quarterly or yearly, depending on how fast you’re growing) to ensure that you’re always meeting compliance and industry best practices.
With a complete view of how data is protected, your team can confidently convey to customers that their data is safe and sound.
4. How do you verify that controls and policies are working?
You can put all the right protections and policies in place, but how do you know they’re actually working and being enforced? It’s a great question, and one a customer or auditor will ask at some point. So it’s important to have a layer of validation in place so that when the time comes, you have an answer.
At any given time, you need a way to verify things like:
- Are only authorized users touching highly sensitive data?
- Who is and isn’t using multi-factor authentication?
- Are alerts being sent to the right people and in real time?
- Are backups happening on a regular basis?
- And much more
If you’re running on AWS, you can get a pretty good understanding of what people are doing anywhere within your account using CloudTrail. But CloudTrail can produce a lot of data. That’s why many companies integrate with Threat Stack to help prioritize and contextualize that data so they can quickly take action on critical areas of non-compliance.
With Threat Stack’s continuous security monitoring in place, you ensure that no configuration change, file change, or suspicious login happens without you knowing about it immediately. For example, if you process and store payment data, and you have a designated PCI zone within your cloud environment, being able to show, at any given moment, what protections are in place and what’s happening gives you and any other stakeholders visibility into and confidence in the security of that data. Then, if an unauthorized user logs in or a server is improperly configured in that zone, Threat Stack will immediately notify you so you can take action.
This level of security monitoring, in our view, is the single best way to verify that controls and policies are implemented and followed at all times.
5. Do you have an audit trail of activity?
In the event of a breach or other security issue, you need the ability to trace exactly what happened to determine the root cause. Many compliance requirements also necessitate audit trails and logs to document activity. So you can bet this will be a question that will be asked by customers, auditors, and internal stakeholders.
Audit trails give you visibility into who did what, where, and when — as well as records. For example, if you experienced a data breach, the audit trail will show you who logged into the server, from where, and at what time, so you can quickly pinpoint the attack, clean it up, and implement better protections.
Especially in the face of a public breach, customers will demand details about the attack, so having an audit trail will save you a great deal of time in an already stressful situation.
Preparing Your Team
It’s critical that your team have visibility into real-time activity across your environment so they’re armed with answers to each of the above questions. Implementing a security strategy up front and continuously monitoring infrastructure for changes or issues in real time can go a long way towards keeping your organization secure and your team well informed about security policies. Furthermore, holding a team-wide meeting to discuss the answers to these questions, along with any others your team regularly receives, is a good way to unify your responses and keep everyone in the know.
What other top questions does your team get around security? Let us know by tweeting us @ThreatStack.
If you need immediate, hands-on guidance on how to get started with cloud security in your organization, download your free copy of Jump Starting Cloud Security: A Guide to Starting Your Cloud Security Journey.