I was recently interviewed for an article that addressed potential IT infrastructure security risks introduced by cloud computing. It struck me that, while large organizations are asking about security that we at NaviSite have integrated with our cloud offering, what is equally important are questions in response: What security measures do you have in place to ensure your use of the cloud environment does not violate your company’s security policies and data handling procedures? How do you know your users are not infected or infectious?
My point is, simply, how do you protect your online reputation, corporate data, and applications from these seven habits of highly infected people?
1. AUP Violations
Most companies allow employees and IT users to access the internet for both work purposes and personal use. But that comes with risks.
Internet access should be coupled with an enforceable Acceptable Use Policy. By restricting the use of corporate network infrastructure and company-supplied computers, you can prevent accidental – and intentional – retrieval of malicious code (e.g., viruses, trojans, key-loggers, etc.) from introducing vulnerabilities into your IT infrastructure. This malware can come from shopping, phishing, and entertainment sites (including adult entertainment sites). Recommendation: Develop and implement an Acceptable Use Policy and train your employees to avoid the downfalls of improper web browsing.
2. Email Abuse
Email is an integral part of our day-to-day business. I could not be as effective in my job if I did not have constant access to my corporate email account – by mobile phone, tablet, or old-fashioned laptop. However, I‘m careful about using and distributing my email address, and I keep work-related email separate from personal, or worse, trivial email (spam).
This approach greatly reduces my inbound junk mail, the chances that I will get distracted by personal email while at work, and most importantly the likelihood that a virus will evade my anti-virus tools (zero-day viruses can be quite disruptive) and infect my laptop and corporate systems. Recommendation: Enforce strong email policies and teach proper email usage.
3. Bad Password Management
Password management continues to be among the most important measures users can take to protect their data and online experience. Weak passwords, and the infrequent changing of passwords, should be avoided.
While I am a firm believer in strong passwords, a password policy should not force a password to be so complex that it requires a user to write it down and put it in desk drawers. Force the regular change of passwords and encourage employees to use these same habits when they create their passwords for personal online banking, shopping, or social media sites. Recommendation: Create and implement a strong (but not impossible) password management policy that requires upper and lower case letters, numbers and non-standard characters.
4. Bad Handling of Sensitive Data
We all handle sensitive information that shouldn’t be shared – even with fellow employees. A good rule of thumb is, if you don’t want information seen by a large audience, then don’t put it in an email. I can’t tell you how many times I have had to deal with an employee who read something that another employee wrote about them because they were later copied on an email thread. This practice is appropriate for sensitive corporate data as well. Recommendation: Implement an information security policy, including the classification of data, and enforce the proper handling of sensitive and confidential information.
5. Social Communication
Every week another story comes out about how somebody lost their job, or didn’t get a job, because of something their boss or a potential employer saw on their social media page. Our society has become too free with information, and there is no privacy in social networking sites.
Imagine what could be shared about your organization if one of your employees posted sensitive company information to their social media page – “Boy I hope I don’t get caught up in next week’s downsizing”, or, “Hey, I just got a huge raise.” Recommendation: Establish and publish reputation policies that protect your company’s interests as well as your employees’ interests.
6. External Media or Connectivity
Face it, we all need to be connected to work every hour of the day. We need access to our corporate applications, email, and occasionally removable media.
While all of these things may be necessary to do our work, they can introduce great risks. Appropriate secured connectivity policies may include restricting access to USB ports, removable media, and online share sites. Recommendation: Enforce a secured connectivity policy via encrypted access that enables users to perform only their job functions.
7. Human Error in Administration and Configuration
Alright, I admit it. I am as guilty as the next person in this regard. In my former role as a security engineer, I would, on occasion, troubleshoot a VPN connection and use the word “password” as the shared secret for ease of configuration, with full intention of returning to restore the shared secret to a complex, non-sensible character string. Recommendation: Find a tool to automate the frequent audit of configurations and administrative tasks.
Although it is unlikely that these seven steps alone will completely eliminate your exposure to risk as you migrate your systems to cloud, these are easy-to-implement measures that will improve your overall data security and minimize the chances that employees will inadvertently put your data, applications, and overall company reputation at risk.
Allen Allison is chief security officer at NaviSite. During his 20-plus-year career in the information security industry, Allison has served in management and technical roles, including the development of NaviSite’s cloud computing platform; chief engineer and developer for a managed security operations center; and lead auditor and assessor for information security programs in the healthcare, government, e-commerce, and financial industries. With experience in the fields of systems programming, network infrastructure design and deployment, and information security, Allison has earned the highest industry certifications, including CCIE, CCSP, CISSP, MCSE, CCSE, and INFOSEC Professional. A graduate of the University of California at Irvine, Allison has lectured at colleges and universities on the subject of information security and regulatory compliance.