Employee security awareness is the most important defense against data breaches.

Related: Leveraging security standards to protect your company

It involves regularly changing passwords and inventorying sensitive data. Cybercriminals view employees as a path of least resistance. As such, you should limit the amount of information that employees have access to.

There are several ways you can protect your business from data breaches.

•Create security awareness for employees. One of the most important ways to protect against data breaches is to increase employee security awareness. Employees are the first line of defense against cybercrime and should understand how to recognize phishing emails and what to do if they suspect them. With proper training, employees can prevent these attacks before they happen.

While the protection of the company’s assets can never be completely guaranteed, security awareness training should be a top priority for business owners. Without it, a business is vulnerable to a variety of risks, including financial loss, damage to intellectual property, and brand reputation. In addition, educating employees about cybersecurity issues can help to reinforce the security-minded culture of the organization and change employee behaviour.

•Provide frequent training about the risks of cyberattacks. One of the best ways to increase employee security awareness is to provide frequent training and communication about the risks of phishing and other cyberattacks. This training should be short and concise and provide guidance on identifying security risks.

Additionally, employees should receive guidance on how to report suspicious activity and confront strangers in secure areas. After a few months, organizations should evaluate the security awareness training to make sure that it is still relevant and effective.


Cybercriminals are constantly searching for ways to gain access to an organization. As a result, they seek to exploit the weakest link. This can include phishing emails that contain malicious links that infect an organization’s network or steal its database login credentials. Training employees is a crucial part of fighting back against this kind of attack and can complement other technological security solutions.

•Change passwords regularly. One of the most overlooked ways to protect your business from data breaches is changing passwords on a regular basis. Many people have their original passwords from college, and they never update them. This can be risky. It can also leave your company vulnerable to disgruntled employees. That’s why it’s essential to change passwords regularly and change them after every staff change.

Passwords are easy to steal, and hackers can use them in just a few seconds. If you’re not changing passwords regularly, you’re inviting hackers and cybercriminals to steal your company’s sensitive data. Changing passwords regularly makes an attacker’s job much harder. It also limits how long a stolen credential remains usable. The best practice is to change passwords every 90 days. You can even use password managers to automatically create strong passwords for you.

In addition to changing passwords on a schedule, you should also change any password you have entered on a public computer.

The best passwords are those that are difficult to guess. A common problem is that people tend to use the same password for too long. If you want to be completely safe, use passwords that are hard to guess and don’t use passwords you don’t know.

•Inventory your sensitive data. Inventorying sensitive data is a crucial process in protecting your business from data breaches. It helps you determine gaps in security and prioritize your efforts. Data discovery technologies can scan data stores and label sensitive and regulated data by purpose and type. By doing so, you can better protect sensitive data and improve security. This process also helps you determine the amount of data you have in your possession.

Sensitive data may be stored on different media, including discs, tapes, mobile devices, or websites. Every potential source should be considered when creating an inventory. Make sure to involve each department in the process. This includes accounting, sales, and other teams. You should also include third-party service providers, like call centres and contractors.

Data inventory also makes your data searchable. Often, it is the first time a company has a common definition of data. If teams have different naming conventions, data inventory can be a confusing process. Make sure to use common, understandable labels and data value tags for your data.
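The data-discovery step described above (scan the stores, label what is found by type) can be illustrated with a small scanner. This is an added example written for this page; it is not the essayist’s code and not any vendor’s discovery tool. The three classifiers, the store names and every record in the sample input are constructed for illustration; the Luhn check is the standard card-number checksum.

```python
"""Added example (not from the essay, nor any vendor's discovery tool): a small
data-discovery scan that labels content by sensitive-data type, the way the text
says discovery technologies tag data stores by purpose and type."""
import re
from collections import Counter

# A few regulated data types. Commercial tools ship hundreds of such classifiers;
# these three are kept small so the matching logic is easy to follow.
PATTERNS = {
    # US SSN with the structurally invalid area/group/serial values excluded
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13-19 digits, optionally separated by spaces or hyphens; validated by Luhn below
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random run of digits is not labelled as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return {label: count} for each sensitive-data type found in `text`."""
    found = Counter()
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "payment_card":
                digits = re.sub(r"[ -]", "", match.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue        # digit run that is not a real card number
            found[label] += 1
    return dict(found)


def inventory(stores: dict) -> dict:
    """Map each data store (name -> content) to its labels; stores with nothing
    sensitive are omitted so the result reads as a prioritised work list."""
    result = {}
    for name, content in stores.items():
        labels = classify(content)
        if labels:
            result[name] = labels
    return result


# Constructed sample stores; none of these values are real records.
SAMPLE_STORES = {
    "hr_share/payroll.csv": "name,ssn,email\nAda Lovelace,123-45-6789,ada@example.com\n",
    "sales/orders.log": (
        "order 1001 card 4111 1111 1111 1111 approved\n"
        "order 1002 card 1234 5678 9012 3456 declined\n"
    ),
    "wiki/README.txt": "Build 20240101 shipped today.\n",
}

if __name__ == "__main__":
    for store, labels in inventory(SAMPLE_STORES).items():
        print(f"{store}: {labels}")
```

The Luhn step is the part worth copying: a pattern alone tags every long number as a card, and the resulting false positives are what make inventories untrustworthy. Stores that produce no labels are dropped from the output so that the inventory doubles as the prioritised list the text describes.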

•Use a corporate VPN. Encrypting data on corporate devices can prevent hackers from accessing sensitive information. The best way to protect data in this way is to set up a corporate VPN (a virtual private network). VPNs allow employees to connect to the internet securely while hiding the company’s IP address. This method is particularly important for employees working remotely and in public places.

Identifying sensitive data is an essential part of effective information security. You must understand how sensitive data is moved and who has access to it. The Federal Trade Commission recommends that organizations inventory the sensitive data held on their storage devices, including the devices of employees who work from home. By identifying these locations, you can more easily determine where security vulnerabilities lie.

About the essayist: Idrees Shafiq is a Research Analyst at AstrillVPN with diverse experience in the field of data protection and cyber security, particularly internet security.


Standards. Where would we be without them?

Universally accepted protocols give us confidence that our buildings, utilities, vehicles, food and medicines are uniformly safe and trustworthy. At this moment, we’re in dire need of implementing standards designed to make digital services as private and secure as they need to be.

Related: How Matter addresses vulnerabilities of smart home devices

A breakthrough is about to happen with the roll out this fall of Matter, a new home automation connectivity standard backed by Amazon, Apple, Google, Comcast and others.

Matter is intended to be the lingua franca for the Internet of Things. It’s only a first step and there’s a long way to go. That said, Matter is an important stake in the ground. To get a full grasp on why Matter matters, I recently visited with Steve Hanna, distinguished engineer at Infineon Technologies, a global semiconductor manufacturer based in Neubiberg, Germany.

For a full drill down on our evocative discussion, please watch the accompanying videocast. Here are the main takeaways:

Great leap coming

We’ve only scratched the surface in terms of bringing advanced digital technologies to bear solving humankind’s most profound challenges. Data gathering, data analytics, machine learning and digital automation have advanced to the level where they could be leveraged to accomplish much greater things.

Climate change solutions, driverless vehicles and stupendous medical breakthroughs are close at hand. Likewise, it’s no longer the stuff of science fiction to imagine how advanced digital services could be directed at making water, food, health services and even economic stability readily available to every inhabitant of the planet.

However, before any of these great leaps forward can happen, organizations must achieve digital resiliency. The only way for digital innovation to achieve its full potential is if enterprises and small businesses alike embrace technologies and best practices that support agility, while at the same time choking off any unauthorized network access.

“The Internet of Things is a huge new platform for amazing innovation,” Hanna observes. “But none of it will happen if we don’t get cybersecurity right and people have confidence in the safety and security of every domain the Internet of Things will be present in, whether it’s smart homes, smart vehicles or smart cities.”

Interoperability needed

At present, it’s easier than ever for malicious hackers to breach business networks and gain a foothold from which to steal data, spread ransomware, disrupt infrastructure and attain long-run unauthorized access.


This is the consequence of rapid migration to cloud-centric IT resources, a trend that has only accelerated as organizations come to rely more heavily on a remote workforce and a globally-scattered supply chain.

Today, processing power and data storage gets delivered virtually from Amazon Web Services (AWS), Microsoft Azure or Google Cloud, and communication and collaboration tools are supplied by dozens to hundreds of mobile and web apps. Modern digital services are the product of far-flung software code interconnecting dynamically. This has resulted in an exponential expansion of a network’s attack surface; every connection represents an attack vector that must be accounted for.

The problem isn’t a dearth of telemetry, nor a lack of data analytics know-how; we’ve got plenty of both. The reason threat actors are having a field day is because of a fundamental lack of interoperability between legacy and next-gen security tools delivered by highly competitive technology vendors.

Meshing agility, security

Matter signals the start of addressing this interoperability conundrum, Hanna told me. Here’s how:

Google, Amazon and Apple, arguably the most competitive tech giants, have spent nearly three years hammering out Matter, a global open-source standard designed to ensure that smart home devices from different manufacturers can communicate simply and securely.

Starting this fall, smart light bulbs, thermostats and garage door openers using the Matter standard will start appearing on store shelves. Matter devices will be compatible with Amazon Alexa, Google Assistant, or Apple HomeKit. Notably, they’ll connect to the Internet – and to each other – via an advanced type of mesh network.

This mesh network will be both agile and secure, fostering both convenience and security. Consumers will be able to control their IoT devices with any phone, without necessarily having to connect to the Internet.

This ability for a consumer to disconnect smart home devices from the Internet, yet still operate them locally, should enhance convenience while also boosting security. By using Matter devices offline, most of the time, i.e. when at home, a consumer can directly eliminate a primary attack vector.

Baked-in security

Thus Matter is a template and a harbinger. Hardware manufacturers, Infineon among them, as well as security software developers, are already off and running. They’re designing and testing prototype components for the coming generation of interoperable network security solutions that, if all goes well, should extend from Matter, Hanna says.

At one level, Matter provides a model for how rival tech vendors can, and must, collaborate to derive a new tier of standards for highly-interconnected digital services. At another level, Matter tangibly demonstrates how convenience and security can be two sides of the same coin.

For its part, Infineon is pioneering a way to bake-in advanced security controls at the chip level. Please do watch the accompanying video for Hanna’s deeper dive into work that’s underway to set up a cloud-based “resiliency engine” that can keep close track of things like real-time threat intelligence and vulnerability patching – and then automatically update systems at the chip level, as needed. In order to do this comprehensively, industry-wide consensus needs to gel around several more levels of connectivity standards. Matter is the first baby step.

“The Internet of Things needs a full set of interoperability standards in order for new applications to be invented,” Hanna observes. “Then the more interesting innovation can happen. We’re creating a platform for innovation and none of us can predict what those innovations will be, any more than Vint Cerf knew what the Internet would become when he was involved in creating it in 1969.”

The traction Matter gains in the coming months will tell us a lot about whether companies understand what it will take to get us to the next level of digital innovation. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Digital resiliency has arisen as something of a Holy Grail in the current environment.

Related: The big lesson of Log4j

Enterprises are racing to push their digital services out to the far edge of a highly interconnected, cloud-centric operating environment. This has triggered a seismic transition of company networks, one that has put IT teams and security teams under enormous pressure.

It’s at the digital edge where all the innovation is happening – and that’s also where threat actors are taking full advantage of a rapidly expanding attack surface. In this milieu, IT teams and security teams must somehow strike a balance between dialing in a necessary level of security — without unduly hindering agility.

Digital resiliency – in terms of business continuity, and especially when it comes to data security — has become a must have. I had the chance to visit with Paul Nicholson, senior director of product at A10 Networks, a San Jose, Calif.-based supplier of security, cloud and application services.

Guest expert: Paul Nicholson, Senior Director of Product, A10 Networks

We discussed how and why true digital resiliency, at the moment, eludes the vast majority of organizations. That said, advanced security tools and new best practices are gaining traction.

There is every reason to anticipate that emerging security tools and practices will help organizations achieve digital resiliency in terms of supporting work-from-home scenarios, protecting their supply chains and mitigating attack surface expansion. As part of this dynamic, Zero Trust protocols appear to be rapidly taking shape as something of a linchpin.

“When you say Zero Trust, people’s ears perk up and they understand that you’re basically talking about making sure only the right people can get to the digital assets which are required,” Nicholson told me.

For more context on these encouraging developments, please give the accompanying podcast a listen. Meanwhile, I’ll keep watch and keep reporting.



Today’s enterprises are facing more complexities and challenges than ever before.

Related: Replacing VPNs with ZTNA

Thanks to the emergence of today’s hybrid and multi-cloud environments and factors like remote work, ransomware attacks continue to permeate every industry. In fact, the 2022 Verizon Data Breach Investigations Report revealed an alarming 13 percent increase in ransomware attacks overall – greater than the past five years combined – and the inability to properly manage identities and privileges across the enterprise is often the root cause.

As enterprises continue to fall victim to increasingly complex attacks, there’s one topic that cybersecurity professionals and vendors can agree on: the importance of Zero Trust. Still, how to properly define and execute this strategy often remains one of the biggest challenges to overcome.

A ‘Zero Trust’ core

The Zero Trust buzzword has exploded in use over the last few years. Through endless redefinitions, it’s difficult to find a reliable one. While this continuous pivot can be tough to track, it does not diminish the need for a real, executable strategy for tackling its core tenets. One helpful perspective is to view Zero Trust as a tripod:

•The first leg of this tripod is the network protecting the perimeter and ensuring organizations are safeguarded from the outside in, as well as inside out.

•The second is the endpoint – protecting the workstations, servers, laptops, cloud instances, network devices, etc. – since the crown jewels are on endpoints or accessed from them.

•The third is identity – the validation that a requestor is who they say they are and has the ability and limitation to do only what they should.


Without addressing the identity leg of the tripod, and more importantly privileged identity, there simply is no Zero Trust. With its core tenet of verify (not trust), a robust Zero Trust framework must include the privileged identity and just-in-time authorizations.

In typical attacks, the attacker uses compromised admin credentials to elevate privileges and move laterally between systems. These techniques succeed due to standing privilege granted to the privileged identities – the accounts which are trusted.

To build identity-centric trust across an organization, every enterprise asset must be identified and managed – putting greater emphasis on privileged identity for both human (employees, consultants, partners, vendors, customers, etc.) and digital identities (apps, devices, machines, etc.)

While solutions are available to augment the authentication of an entity through MFA and credential-centric tools, there is a key component missing – authorization. Without this, the identity leg of the tripod will remain incomplete. Attacks are still successful and realized identity enforcement is impossible.

Redefining access

As most of today’s attackers accomplish their mission by leveraging privilege (or admin) account sprawl – a prominent and highly exploited attack surface – it’s unsurprising that once an attacker is inside the network, finding the organization’s crown jewels is straightforward. From there, they can encrypt data, execute a ransomware attack and more.

Given these imminent threats, the industry needs a paradigm shift that goes beyond credential hygiene and solves more holistically for authorization. Given that nearly 80 percent of today’s cyberattacks involve leveraging privileged identities, one novel approach is to forego the focus on the password itself for something different – Zero Standing Privilege (ZSP).

Coined by Gartner, ZSP goes beyond typical privileged access management (PAM) strategies. It removes the typical 24×7 standing privilege and protects organizations against the discovery of administrative credentials, hashes, or secrets.

Even if the attacker gains a foothold through a weak password, ZSP protects the organization by reducing the attack surface they can move to. ZSP is the most important and proactive IAM measure an organization can implement to mitigate real and present threats.
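The ZSP idea in the preceding paragraphs (no 24×7 standing privilege; elevation exists only as a bounded, approved, just-in-time grant) is concrete enough to model in code. What follows is an added example written for this page, not Remediant’s product code and not anything from the essay. The broker class, its method names, the approver and ticket rules, the 60-minute cap and the sample principals are all assumptions chosen for illustration.

```python
"""Added example, not from the essay or from Remediant: a toy just-in-time (JIT)
privilege broker that models Zero Standing Privilege. No account holds admin
rights permanently; rights exist only as short, approved, auditable grants."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock start
MINUTE = timedelta(minutes=1)


@dataclass
class Grant:
    """One time-boxed elevation. The ticket records why it was issued."""
    principal: str
    target: str
    role: str
    expires_at: datetime
    ticket: str


@dataclass
class JitBroker:
    """Hypothetical broker; field and method names are this example's own."""
    approvers: set = field(default_factory=set)
    max_minutes: int = 60                      # hard cap on any single elevation
    audit: list = field(default_factory=list)  # append-only log of decisions
    _grants: list = field(default_factory=list)

    def request(self, principal, target, role, minutes, ticket, approver, now):
        """Issue a grant, or return None. Needs a named approver who is not the
        requester and a ticket reference; duration is clamped to max_minutes."""
        if approver not in self.approvers or approver == principal:
            self.audit.append((now, "denied", principal, target, role, "approver"))
            return None
        if not ticket:
            self.audit.append((now, "denied", principal, target, role, "no ticket"))
            return None
        minutes = max(1, min(minutes, self.max_minutes))
        grant = Grant(principal, target, role, now + minutes * MINUTE, ticket)
        self._grants.append(grant)
        self.audit.append((now, "granted", principal, target, role, ticket))
        return grant

    def is_authorized(self, principal, target, role, now) -> bool:
        """The enforcement point. There is no admin group to consult; only a live
        grant authorizes the action, so a stolen credential alone buys nothing."""
        self._sweep(now)
        return any(
            g.principal == principal and g.target == target and g.role == role
            for g in self._grants
        )

    def revoke(self, principal, target, now) -> int:
        """Early revocation, e.g. when the ticket closes; returns grants removed."""
        keep = [g for g in self._grants
                if not (g.principal == principal and g.target == target)]
        removed = len(self._grants) - len(keep)
        self._grants = keep
        if removed:
            self.audit.append((now, "revoked", principal, target, "*", removed))
        return removed

    def _sweep(self, now):
        """Drop expired grants so privilege never silently outlives its window."""
        for g in self._grants:
            if g.expires_at <= now:
                self.audit.append((g.expires_at, "expired", g.principal,
                                   g.target, g.role, g.ticket))
        self._grants = [g for g in self._grants if g.expires_at > now]


def demo() -> dict:
    """Walk one elevation through its life cycle and return what the broker decided."""
    broker = JitBroker(approvers={"alice"})
    out = {"before": broker.is_authorized("bob", "db-01", "admin", T0)}
    out["self_approval"] = broker.request("bob", "db-01", "admin", 30, "CHG-124", "bob", T0)
    grant = broker.request("bob", "db-01", "admin", 500, "CHG-123", "alice", T0)
    out["capped_minutes"] = int((grant.expires_at - T0) / MINUTE)
    out["during"] = broker.is_authorized("bob", "db-01", "admin", T0 + 10 * MINUTE)
    out["other_user"] = broker.is_authorized("carol", "db-01", "admin", T0 + 10 * MINUTE)
    out["after"] = broker.is_authorized("bob", "db-01", "admin", T0 + 61 * MINUTE)
    out["audit_events"] = [e[1] for e in broker.audit]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detail that matters is in `is_authorized`: it never consults a standing “admins” group, so the only way to act as admin is to hold a grant that an approver issued against a ticket and that the clock has not yet expired. Every decision lands in the audit list, which is what makes the scheme reviewable after the fact.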

In the end, there is no silver bullet for achieving and maintaining Zero Trust security, and we as an industry have a long road ahead to truly establish Zero Trust across each pillar within an organization. With a ZSP approach to identity management, though, organizations can more successfully ensure the identity leg of the Zero Trust tripod is powerful and secure.

About the essayist: Raj Dodhiawala is President of Remediant, a San Francisco-based cybersecurity company. He has over 30 years of experience in enterprise software and cybersecurity, primarily focused on bringing disruptive enterprise products to new markets.

Finally, Uncle Sam is compelling companies to take cybersecurity seriously.

Related: How the Middle East paved the way to CMMC

Cybersecurity Maturity Model Certification version 2.0 could take effect as early as May 2023, mandating detailed audits of the cybersecurity practices of any company that hopes to do business with the Department of Defense.

Make no mistake, CMMC 2.0, which has been under development since 2017, represents a sea change. The DoD is going to require contractors up and down its supply chain to meet the cybersecurity best practices called out in the National Institute of Standards and Technology’s SP 800-171 framework.

I sat down with Elizabeth Jimenez, executive director of market development at NeoSystems, a Washington D.C.-based supplier of back-office management services, to discuss the prominent role managed security services providers (MSSPs) are sure to play as CMMC 2.0 rolls out. For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Passing muster

CMMC 2.0 sets forth three levels of cybersecurity certification a company can gain in order to provide products or services to the DoD, all having to do with proving a certain set of cybersecurity controls and policies are in place.

Level 1, for instance, requires some 17 controls to protect information systems and limit access to authorized users. Meanwhile, Level 3 calls for several more tiers of protection specifically aimed at reducing the risk from Advanced Persistent Threats (APTs) in order to safeguard so-called Controlled Unclassified Information (CUI).

In addition, every DoD contractor must conduct, at the very least, an annual self-assessment. Crucially, this includes accounting for the cybersecurity posture of third-party partners. In general, contractors must be prepared to divulge details about the people, technology, facilities and external providers — just about anything that intersects with their position in the supply chain. This includes cloud providers and managed services providers.

“It’s a milestone, for sure,” Jimenez told me. “All these controls need to be fulfilled from a compliance perspective and internal practices need to be put into place. This is all to attest that the contractor has a robust security posture, and, in the event of an audit, could pass muster.”

Auditable reviews

To get to square one under CMMC 2.0, a contractor needs to get a couple of very basic, yet widely overlooked, things done; those that handle controlled unclassified information, or CUI, must implement a formal security management program and have an incident response plan in place.

This comes down to reviewing IT systems, identifying sensitive assets, cataloguing all security tools and policies and, last but not least, implementing a reporting framework that can be audited. This seems very basic, yet it is something many organizations in the throes of digital transformation have left in disarray.


“Having both a security program and incident response plan in place is really important,” says Jimenez. “This should include continuous monitoring to highlight that the security environment is constantly being reviewed and refreshed with data that has an audit trail available for future reference.”

Doing basic best practices to pass an audit suggests doing the minimum. However, companies that view CMMC 2.0 as a kick-starter to stop procrastinating about cyber hygiene basics should reap greater benefits.

Performing auditable security reviews on a scheduled basis can provide critical insights not just to improve network security but also to smooth digital convergence.

“You can reconcile your current controls with your risk tolerance, and align your IT risk management programs with your security and business goals,” Jimenez observes.

Raising the bar

In short, CMMC 2.0 is the stick the federal government is using to hammer cybersecurity best practices into the defense department’s supply chain. In doing so, Uncle Sam, should, in the long run, raise the cybersecurity bar and cause fundamental best practices to spread across companies of all sizes and in all sectors.

This is much the way we got fire alarms and ceiling sprinklers in our buildings and seat belts and air bags in our cars. In getting us to a comparable level of safety in digital services, managed security services providers (MSSPs) seem destined to play a prominent role.

It was a natural progression for MSSPs to advance from supplying endpoint protection and email security to a full portfolio of monitoring and management services. In a dynamic operating environment, rife with active threats, it makes perfect sense to have a trusted consultant assume the burden of nurturing specialized analysts and engineers and equipping them with top shelf tools.

Full-service MSSPs today focus on improving visibility of cyber assets, detecting intrusions, speeding up mitigation and efficiently patching vulnerabilities. This reduces the urgency for companies to have to recruit and retain in-house security teams.

Meeting a dire need

Thus, MSSPs have advanced rapidly over the past five years to meet a dire need, a trend that only accelerated with the onset of Covid-19. The leading MSSPs today typically maintain crack teams of in-house analysts and engineers myopically focused on understanding and mitigating emerging cyber threats.

They leverage leading-edge, cloud-centric security tools – often by hooking up with best-of-breed partners for vulnerability management, endpoint security and threat intelligence gathering. Many of these experts in the MSSP trenches helped develop NIST best practices — and continue to help refine them.

MSSPs are increasingly assuming a primary role in mid-sized enterprises for maintaining endpoint security, vulnerability patch management and even things like firewall management and configuration management.

NeoSystems, for its part, offers all these security services, in modular packages, with a focus on eliminating compliance hurdles for federal government contractors. It’s gaining a lot of traction with small businesses and mid-sized enterprises that can’t spare resources to suddenly infuse security into their networks, Jimenez told me.

CMMC 2.0, coming in May 2023, puts defense contractors’ feet to the fire – and it sends a signal to all companies. “It’s the first real, definitive step from the federal government saying this has to be in place, you must have a security posture and it has to be robust,” Jimenez says. “Once it really takes hold, it will be paramount for companies to step into line and make sure that they’re ready for an audit.”

Companies could have, and should have, embraced NIST’s cybersecurity best practices a decade ago. Hopefully, CMMC 2.0 will nudge them forward in the 2020s. I’ll keep watch and keep reporting.


Network security has been radically altered, two-plus years into the global pandemic.

Related: ‘Attack surface management’ rises to the fore

The new normal CISOs face today is something of a nightmare. They must take into account a widely scattered workforce and somehow comprehensively mitigate new and evolving cyber threats.

Criminal hacking collectives are thriving, more than ever. Security teams are on a mission to push network defenses to the perimeter edges of an open, highly interconnected digital landscape; the defenders are under assault and running hard to stay one step ahead.

Managed Security Services Providers have been steadily evolving for two decades; they now seem poised to help large enterprises and, especially, small to mid-sized businesses manage their cybersecurity.

The global market for managed security services is estimated to be growing at a compound annual rate of 14 percent and should climb to $44 billion by 2026, up from $23 billion in 2021, says research firm MarketsandMarkets.


“Managed security service providers are rising to meet a need that’s clearly out there,” observes Elizabeth Jimenez, executive director of market development at NeoSystems, an MSP and systems integrator. “We can plug in parts or all of a complete stack of cutting-edge security technologies, and provide the expertise an organization requires to operate securely in today’s environment.”

MSSPs arrived on the scene some 17 years ago to help organizations cope with the rising complexity of their IT infrastructure. The focus in those early days was on compliance and device management. MSSPs have since broadened and advanced their services, a trend that continued as cloud migration gained momentum in the 2010s — and then accelerated with the onset of Covid-19.

Today, it’s feasible for an enterprise or SMB to outsource just about any facet of their security program — much the same as outsourcing payroll or human services functions.

I’ve had a couple of deep discussions about this trend with NeoSystems. The company is based in Washington D.C., and one of its specialties is helping government contractors continuously monitor and manage their networks, systems and data. For more info, visit neosystemscorp.com.

A drill-down on MSSPs is coming tomorrow in a news analysis column and podcast. Stay tuned.


Penetration testing – pen tests – traditionally have been something companies might do once or twice a year.

Related: Cyber espionage is on the rise

Bad news is always anticipated. That’s the whole point. The pen tester’s assignment is to seek out and exploit egregious, latent vulnerabilities – before the bad guys — thereby affording the organization a chance to shore up its network defenses.

Pen testing has limitations, of course. The probes typically take considerable effort to coordinate and often can be more disruptive than planned.

These shortcomings have been exacerbated by digital transformation, which has vastly expanded the network attack surface.

Guest expert: Snehal Antani, CEO, Horizon3.ai

I had the chance at Black Hat 2022 to visit with Snehal Antani and Monti Knode, CEO and director of customer success, respectively, at Horizon3.ai, a San Francisco-based startup, which launched in 2020. Horizon3 supplies “autonomous” vulnerability assessment technology.

Co-founder Antani previously served as the first CTO for the U.S. Joint Special Operations Command (JSOC), and Knode was a commander in the U.S. Air Force 67th Cyberspace Operations Group. They argue that U.S. businesses need to take a wartime approach to cybersecurity. For a full drill down, please give the accompanying podcast a listen.

Horizon3’s flagship service, NodeZero, is designed to continuously assess an organization’s network attack surface to identify specific scenarios by which an attacker might combine stolen credentials with misconfigurations or software flaws to gain a foothold.

Will pen testing make a great leap forward? I’ll keep watch and keep reporting.


APIs have come to embody the yin and yang of our digital lives.

Related: Biden moves to protect water facilities

Without application programming interfaces, all the cool digital services we take for granted would not be possible.

But it’s also true that the way software developers and companies have deployed APIs has contributed greatly to the exponential expansion of the cyber-attack surface. APIs have emerged as a go-to tool used by threat actors in all phases of sophisticated, multi-stage network attacks.

Upon gaining a toehold on a targeted device or server, attackers now quickly turn their attention to locating and manipulating available APIs to hook deeply into company systems. APIs provide paths to move laterally, to implant malware and to steal data.

Guest expert: Sudeep Padiyar, founding member, Traceable.ai

The encouraging news is that API security technology has advanced quite a bit over the past five years or so.

I had the chance at Black Hat 2022 to visit with Sudeep Padiyar, founding member and director of product management, at Traceable, a San Francisco-based supplier of advanced API security systems. Traceable launched in 2018, the brainchild of tech entrepreneurs Jyoti Bansal and Sanjay Nagaraj; it provides deep-dive API management capabilities — as software is being developed and while it is being used in the field.

We discussed the Gordian-knot challenge security teams face getting a grip on the avalanche of APIs hooking into their organizations. For a full drill down, please give the accompanying podcast a listen.

The security-proofing of APIs is gaining traction, and that’s a very good thing. I’ll keep watch and keep reporting.


Migrating to and utilizing cloud environments – public, hybrid, or multi – is a source of real investment and positive change for businesses. Cloud is the powerhouse that drives digital organizations.

Related: Cloud security frameworks take hold

Gartner predicts that spending on public cloud alone is set to top $500 billion in 2022 – a 20% growth over last year. But often overlooked in the migration process is the significance of a company’s embedded security measures.

For cloud migration programs to succeed in both the short and long-term, organizations must have an established cloud security policy to guide operations in the cloud, identify and mitigate vulnerabilities, and defend against cyberattacks – before a single byte is migrated.

But where should you begin? Following these steps will help you lay the foundation for a secure and sustainable cloud strategy.

•Design with security first. Although moving to the cloud should follow a standardized approach, the order of operations is often prioritized in favor of rapid results, not security. When security becomes an afterthought, best practices are overlooked, mistakes are made, and vulnerabilities are introduced that can result in significant risk, cost and breakage later.

By considering security first (not a detail to be added on later) and fully grasping cloud technology and risk exposure, your organization can ensure that the cloud architecture is secure before any data is migrated off-premises. It may slow the start, but designing with security first in mind can save you a lot of trouble down the road. For example, companies must plan how the perimeter will be secured, which identities and networks may reach each service and with what authentication, before systems go live; retrofitting those access controls onto systems already in use is very hard.

•Avoid using the same security measures as you do on-premises. Security controls will be a major aspect of your cloud security policy. While it’s essential to consider the security measures you use on-premises – don’t simply replicate them in the cloud. Instead, assess the security controls your cloud vendor offers natively, in particular its identity and access management services, which, configured well, improve both security and convenience.

•Adopt a layered approach. A multi-layered defense is an essential component of any winning cloud cybersecurity posture. From the simplest protections like anti-virus, multi-factor authentication, patch management software, and employee security awareness training to the most advanced features like SIEM and conditional access, adding layers provides a vital safety net should something fall through the cracks.

As the business grows and new threats emerge, you can evolve and layer in additional controls as needed. The trick is not to go tool-crazy. Visibility into your cloud security posture is critical, but if it takes an army to sift through dashboards and alerts, things can quickly become unmanageable. Layer, but ensure good integrations of security information across your controls for full-stack observability.

•Know where your data resides – and what’s most critical. Knowing where your cloud data is stored (especially your most sensitive data) can help inform your security policies and meet compliance obligations, such as keeping data within domestic borders. As you craft your cloud security policy, ask your provider where your data is located geographically and whether it is likely to be moved between data centers to reduce latency, meet SLAs, or mitigate data loss.


What controls are in place to protect data as it moves? Also, prioritize which kinds of data are most important. By identifying the “crown jewels” in your data, you’ll be able to make better decisions on tools, time and talent regarding your security program. After all, if you don’t know what your most sensitive data is or where it is stored, you can’t protect it.
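The two questions in this bullet, where does the data live and which of it is the crown jewels, can be asked of a cloud inventory automatically. The following Python audit is an added example, not the essayist's or ECI's code: the inventory records and the policy are constructed for illustration (in practice the records would come from the provider's storage APIs and the policy from your written cloud security policy). Each resource carries its primary region, any replication targets and a classification tag; the policy states which regions each classification may reside in and which controls the crown-jewel tiers must have.

```python
"""Policy-as-code residency and crown-jewel audit over a storage inventory.

Inventory and policy below are constructed for illustration; a real run would
load the inventory from the cloud provider's API and the policy from the
organisation's cloud security policy.
"""
from dataclasses import dataclass

# Constructed inventory: one record per storage resource, as a provider would report it.
INVENTORY = [
    {"name": "fund-reports-eu", "region": "eu-west-1", "classification": "confidential",
     "public": False, "encrypted_at_rest": True, "replicated_to": []},
    {"name": "client-pii-archive", "region": "us-east-1", "classification": "restricted",
     "public": False, "encrypted_at_rest": True, "replicated_to": ["ap-southeast-1"]},
    {"name": "marketing-assets", "region": "us-west-2", "classification": "public",
     "public": True, "encrypted_at_rest": False, "replicated_to": []},
    {"name": "trade-ledger-backup", "region": "us-east-1", "classification": "restricted",
     "public": True, "encrypted_at_rest": False, "replicated_to": []},
]

# Assumed policy: where each classification may reside (primary region and every
# replica), and which classifications count as crown jewels.
POLICY = {
    "allowed_regions": {
        "restricted": {"us-east-1", "us-east-2"},
        "confidential": {"us-east-1", "us-east-2", "eu-west-1"},
    },
    "crown_jewels": {"restricted", "confidential"},
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str
    issue: str


def evaluate(resource: dict, policy: dict) -> list[Finding]:
    """Return the policy violations for one resource (empty list if compliant)."""
    findings = []
    name, cls = resource["name"], resource["classification"]

    # Residency: the primary region and every replica target must be permitted.
    allowed = policy["allowed_regions"].get(cls)
    if allowed is not None:
        for region in [resource["region"], *resource["replicated_to"]]:
            if region not in allowed:
                findings.append(Finding(name, "high",
                    f"{cls} data resides in {region}; allowed: {sorted(allowed)}"))

    # Crown jewels: the controls the policy insists on for the most sensitive tiers.
    if cls in policy["crown_jewels"]:
        if resource["public"]:
            findings.append(Finding(name, "critical", "crown-jewel data is publicly reachable"))
        if not resource["encrypted_at_rest"]:
            findings.append(Finding(name, "high", "crown-jewel data not encrypted at rest"))
    return findings


def audit(inventory: list[dict], policy: dict) -> list[Finding]:
    """Evaluate the whole inventory and return findings, most severe first."""
    findings = [f for r in inventory for f in evaluate(r, policy)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.resource, f.issue))


if __name__ == "__main__":
    for f in audit(INVENTORY, POLICY):
        print(f"[{f.severity:>8}] {f.resource}: {f.issue}")
```

Replication targets are checked against the same allow-list as the primary region because a replica is still a copy of the data outside the border; the public-asset bucket produces no findings because the policy deliberately says nothing about where non-sensitive data may live, which keeps the report focused on the crown jewels.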

•Revisit your policy often. At a minimum, plan to review your cloud security policy annually. However, if you plan several digital transformation projects or operate in an agile environment where applications are developed or updated rapidly, such as two-week sprints, consider tying your policy review to your rate of change. This will also likely be a compliance related need as regulations – such as the new proposed SEC rules – take shape.

•Make it sustainable. A cloud security policy can help keep cloud data protected and improve your ability to respond to threats quickly. But these measures must also be sustainable. You can’t reap the benefits of the cloud if you don’t make security a priority from the start. And for that you must cultivate a security-first mindset to migrations and future digital transformation.

About the essayist: Steve Schoener is Chief Technology Officer at ECI. Prior to ECI, he was head of IT for DW Investment Management in New York; he also previously was at UBS Investment Bank as an associate director. Schoener holds a computer science degree from State University of New York at Albany.

After years of competitive jockeying, the leading tech giants have agreed to embrace a brand new open-source standard – called Matter – that will allow consumers to mix and match smart home devices and platforms.

Related: The crucial role of ‘Digital Trust’

After numerous delays and course changes, the Matter protocol is set to roll out this fall, in time for the 2022 holiday shopping season. To start, seven types of smart home devices will be capable of adopting the Matter protocol, and thus get affixed with a Matter logo.

Matter is intended to foster interoperability of smart home devices – so a homeowner can stick with just one voice assistant platform and have the freedom to choose from a wide selection of smart devices sporting the Matter logo.

What this boils down to is that a consumer living in a smart home filled with Matter devices would no longer be forced to use Amazon’s Alexa to control some devices, while having to switch to Apple’s Siri, Google’s Assistant or Samsung’s SmartThings to operate other devices. No surprise: Amazon, Google, Apple and Samsung are the biggest names on a list of 250 companies supporting the roll out of Matter.

The qualifying types of smart home devices, to start, include light bulbs and switches; smart plugs; smart locks; smart window coverings; garage door openers; thermostats; and HVAC controllers. If all goes smoothly, surveillance cams, smart doorbells and robot vacuums would soon follow.

DigiCert, the Lehi, Utah-based Certificate Authority and a supplier of services to manage Public Key Infrastructure, has been at the table helping develop the privacy and data security components of Matter. I had the chance to discuss the wider significance of Matter with Mike Nelson, DigiCert’s vice president of IoT security. Here’s what we discussed, edited for clarity and length.

LW: When a consumer sees a smart home device with a Matter logo this fall, what do you hope that conveys?


Nelson: The Matter logo represents seamless interoperability for consumers, ultimately enhancing users’ experience and control. It also represents digital trust between all compliant devices from different manufacturers.

LW: What was the core security issue that had to be resolved in deriving Matter?

Nelson: The security challenges present in many smart home devices include device identity, proper authentication (user and device), confidentiality of sensitive data, and integrity of software.

The Matter specification focuses on establishing a robust immutable identity for each device and requiring all participants to use security credentials (digital certificates) that are chained to secure roots of trust. This practice ensures that only trusted devices can identify and interoperate with other Matter compliant devices.

LW: How did the alliance resolve this core security issue?

Nelson: The Matter security specification has been developed collaboratively with many industry stakeholders over the last several years. The Matter specification takes a secure-by-design approach to ensure devices can be trusted throughout their lifecycle. The security specification is a layered approach with strong, easy to implement, resilient and agile security approaches.

The security specification raises the bar for IoT security and privacy through the following approaches:

•Establishing a strong device identity so only trusted devices can join a smart home

•Secured, standard software updates to ensure integrity

•Validation of every device to ensure it is authentic and certified

•Secured unicast and group communications

•Easy, secure, and flexible device commissioning

•Up-to-date info via Distributed Compliance Ledger

LW: What was the core privacy issue and how was it resolved?

Nelson: There are a number of privacy threats with smart home devices. Security cameras, smart speakers and other monitoring devices could enable a bad actor with access to eavesdrop on members of a home. Additionally, data theft could reveal sensitive information about consumers.

LW: Near term – can you paint a picture of a likely adoption scenario in 2022 and 2023? (For instance, would the alliance be happy if Matter wins over more smart home platform suppliers and device manufacturers?)

Nelson: We are seeing many CSA members participating in Matter moving quickly to achieve compliance with the specification. I believe we will see Matter-compliant devices on the shelf before the end of the year.

LW: Long run – what’s a plausible, hoped-for outcome; how does Matter connect to the progress of advanced IoT systems?

Nelson: IoT security has finally evolved to a state where manufacturers aren’t only concerned about securing their devices. Industries are beginning to look at how to securely connect with devices from other manufacturers to improve the end users’ experience. Matter is leading the way with this effort and I believe we will see other industries follow. The CSA also has plans to expand Matter beyond smart home and into smart commercial buildings and potentially other industries.
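The property Nelson describes above, a device identity carried in a certificate chained to a root of trust so that only trusted devices can join, comes down to a chain-of-trust check on the controller's side. The Go program below is an added illustration of that check and is not code from Matter, DigiCert or the interview. The names PAA, PAI and DAC follow Matter's device attestation vocabulary (Product Attestation Authority root, Product Attestation Intermediate, Device Attestation Certificate), but what runs is generic X.509 path validation from Go's standard library, not Matter's commissioning or attestation protocol. All keys and certificates are generated in memory for the example; a second hierarchy with identical subject names but different keys stands in for a counterfeit device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate with the private key behind it.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a P-256 key and a certificate for it. A nil parent yields a
// self-signed root; otherwise the parent signs. CAs get the certSign key usage,
// device (leaf) certificates get a client-auth extended key usage.
func issue(cn string, isCA bool, parent *Identity) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.ExtKeyUsage = nil
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Identity{Cert: cert, Key: key}
}

// VerifyDevice is the controller-side check: the device certificate must chain
// through the presented intermediate to one of the roots the controller trusts.
// A non-nil error explains the rejection (unknown authority, expiry, ...).
func VerifyDevice(device, intermediate *x509.Certificate, trusted []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := device.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario holds a legitimate hierarchy (PAA -> PAI -> DAC) and a look-alike
// hierarchy with the same names but keys nobody has ever trusted.
type Scenario struct {
	PAA, PAI, DAC                *Identity
	RoguePAA, RoguePAI, RogueDAC *Identity
}

// BuildScenario generates both hierarchies in memory (example data, not real vendors).
func BuildScenario() *Scenario {
	s := &Scenario{}
	s.PAA = issue("Example PAA", true, nil)
	s.PAI = issue("Example PAI", true, s.PAA)
	s.DAC = issue("Example DAC smart-lock-0001", false, s.PAI)
	s.RoguePAA = issue("Example PAA", true, nil) // same name, different key
	s.RoguePAI = issue("Example PAI", true, s.RoguePAA)
	s.RogueDAC = issue("Example DAC smart-lock-0001", false, s.RoguePAI)
	return s
}

// Admit reports whether a controller that trusts only s.PAA would let the device in.
func (s *Scenario) Admit(dac, pai *Identity) bool {
	return VerifyDevice(dac.Cert, pai.Cert, []*x509.Certificate{s.PAA.Cert}) == nil
}

func main() {
	s := BuildScenario()
	fmt.Println("genuine device admitted:", s.Admit(s.DAC, s.PAI))
	fmt.Println("rogue device admitted:", s.Admit(s.RogueDAC, s.RoguePAI))
	fmt.Println("rogue device with genuine intermediate admitted:", s.Admit(s.RogueDAC, s.PAI))
}
```

The rogue hierarchy reuses every subject name, so a controller that matched on names or logos would accept it; the check passes only because the signatures chain back to a key the controller already holds, which is what "chained to secure roots of trust" buys. Keeping the trusted root set separate from the intermediates a device presents is deliberate: anything the device hands over is attacker-controlled input and must never be added to the root pool.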
