Why internal policies are crucial for managed security success
Once upon a time, good security amounted to little more than protecting your perimeter to keep threat actors out of your networks. But now, with the rise of remote work, we can no longer focus on only one location.
Tools and software alone are no longer enough to keep your data safe. Having the best players on the field or the court is no good if you don't have a gameplan to ensure everyone's on the same page.
Good security requires strategy in the form of your company's internal policies.
Prepare for the worst
This pillar of internal policies sets the tone for everything else that follows.
As attack surfaces—and the methods threat actors use to try to gain access to your systems—continue to grow, the odds you will be hacked increase. So it's better to assume that you will be compromised at some point, and to plan accordingly (such as by investing in business continuity planning). We can no longer afford to bury our heads in the sand like an ostrich and wait for the storm to pass over.
This mindset is not intended to promote a defeatist attitude—it's not a suggestion that you should leave the gates open and welcome the intruders with arms wide open. But the mindset does promote setting realistic goals to measure and plan for success.
The unfortunate truth is that each of us will likely be compromised at some point. By accepting this inevitability, we can focus on reducing the damage when and where we can.
A vulnerability management program can help your business identify potential threats and take the proactive approach of patching security holes before they can be exploited.
Worst case scenario, this strategy is a great example of "Better safe than sorry."
Zero trust security
In some situations, we default to trusting other parties and questioning their motives only when we see suspicious behavior.
In other situations, we assume the worst and let our guards down once we've identified the other party as being trustworthy. In this mindset, we're practicing the zero trust security model.
What is zero trust?
The zero trust security model begins with the assumption of a breach and requires trust to be established.
Imagine you hear someone in your kitchen at 3 o'clock in the morning. You instantly assume the worst: There's a burglar in your house. In other words, your home has been breached. It's only after you walk into the kitchen and confirm that what you assumed was an intruder was actually your own child rummaging for a midnight snack that you allow yourself to exhale.
Sure, your kid still has some explaining to do, but at least you know you can let your guard down. This scenario is an illustration of zero trust security, which follows a simple blueprint: Never trust, always verify.
The principle of least privilege
What is least privilege?
The principle of least privilege is all about controlling access to data and making sure that only the people who need access to data actually have access to that data.
For example, the people in sales only have access to sales data and the people in accounting only have access to accounting data. It’s a way of partitioning off your data into "islands" so if one area is breached it doesn’t mean that the whole system is breached.
Implementing the principle of least privilege
The reason some companies struggle to implement least privilege is that they’ve been doing things wrong for a long time, so they’ve got a very unorganized pile of data out on a server or similar system. Instilling or retrofitting some sort of organization on top of it seems like a challenge.
The first step is always the hardest.
How we generally approach least privilege is to create a new structure and then move the data into the new structure and work through any issues. In the end, least privilege is something everyone should implement because it’s really all about protecting data and corporate information: protecting it from ransomware, from malicious outsiders, and from employees gaining access to things they shouldn’t. It’s really very important that companies implement something like this.
Least privilege best practices
A rule of thumb for us is never to grant privileges explicitly to an end user; you always grant privileges to a group. That way you know who has access to what by their group membership.
This is all built into Windows Active Directory. It’s part of Windows server and it’s very simple to administer. It’s available to everybody.
BYOD (Bring Your Own Device)
Today it's common practice for employers to rely on their employees' personal devices (such as smart phones) rather than invest in new hardware and regular service fees. This practice is commonly referred to as a BYOD program. But by relying on an employee's personal device, you may be giving up a certain degree of control over security. If not implemented correctly, BYOD security is a majority security concern for the modern web.
Create a BYOD policy
While a BYOD program might be the right choice for your company, it does bring its own share of issues and concerns.
Be sure to take the time to lay out the details and expectations of such a program so that everyone can be on the same page.