5 Cloud Security Best Practices

What are the top 5 cloud security best practices?

Here’s a staggering fact: Each year, cybercrime rakes in more profits for criminals than the illegal drug trade and is predicted to cost the world $6 trillion by 2021. Given this, it shouldn’t be a surprise that cybersecurity attacks are becoming more common and more sophisticated (often targeting the financial assets of a business). So, we decided to sit down with an expert in the field, Michael Argast, CEO and Co-Founder of Kobalt Security Inc. Based on our discussion, we picked our top 5 cloud security best practices.

Read on or watch the full video of our discussion on-demand here

 

Best Practice #1: Design security for how you are adopting the cloud (IaaS vs PaaS)

If you’re moving to the cloud, the security questions you need to ask yourself will differ based on how you are adopting the cloud. A common mistake is assuming security is the same from one provider to another. For example, with IaaS you may be moving workloads from a secure data center that provides a lot of security layers to a bare-bones MS or AWS environment where the security isn’t built in. In the case of IaaS, the cloud provider is responsible for the hardware and you are responsible for the rest, which includes building in the security layers. For PaaS, your responsibility is limited because you are only responsible for the code and there is more security built into the PaaS environment. It is important to look at your security architecture upfront. This allows you to see who (cloud provider, your organization, third party) is responsible for what and map in controls for the gaps.

 

Best Practice #2: Migrate to the cloud quickly to avoid hybrid environments

Hybrid environments can make security more complex. Most organizations don’t have enough resources and expertise for both data centers and the cloud, which can leave you at risk. If you are migrating to the cloud, you should do this as fast as possible and/or leave as little behind in the data center as possible. The longer you are in a hybrid environment, the longer you will have a skills gap.

 

Best Practice #3: Use Microservices to address multiple entry points

Today’s applications need to talk to several other applications and are connected with multiple APIs. APIs create multiple entry points for attackers. Over the last few years, there has been a shift from a traditional monolithic architecture to microservices and serverless infrastructure. The benefit of using microservices is that each service is decoupled from the rest of the system, which defines a smaller surface area of attack. Security can now happen on the API layer and not the network boundary layer.

Read more about securing modern APIs and microservices in this blog from Kobalt Security.

 

Best Practice #4: Use Proactive Security Methods 

While your response to attacks is vital, getting ahead of attackers and taking proactive steps can help minimize vulnerabilities. Some easy proactive security methods are: 

  • implementing multi-factor authentication, 
  • providing awareness training to educate your staff, 
  • using security monitoring to help identify intrusions, and
  • using penetration testing on your applications.

 

Best Practice #5: Focus on risks with the greatest impact and highest probability of attack

Security is a balancing act. You want to secure as much as you can, but you don’t want to sacrifice your ability to be agile. Use a risk register to analyze the impact and the probability of breaches and attacks on your business. Knowing what will have a critical impact on your business is a good place to start. Taking a security program gap assessment can also help. It shows where you are strong and where you are weak, based on the risks your organization is most likely to face (e.g. data breach, ransomware). That way you know where you should be investing or if you are over-investing in a certain area.

 

Contact us to learn more about securing your cloud environment.

What is Multi-Factor Authentication and Why Should You Have it?

The Status Quo: Single Factor Authentication

You’re probably familiar with normal authentication by now. It’s made up of typically two things: your username and password. And if you know your username and password, you can get into a site, right? It’s a good basic first level of security. But if you happen to use that same username and password somewhere else, and that site gets compromised, it can be used to compromise other sites where you happen to use those same credentials. And if we’re being honest, those credentials can often be guessed again and again. So single-factor authentication has some limitations, and it’s easy for accounts to be hacked. The solution? Multi-factor authentication.

The Future: Multi-Factor Authentication

So what is multi-factor authentication (MFA)? It combines two or more different factors, typically something only you would know or have. Bank cards are a great analogy in this situation. If you think about your traditional bank card, you need your bank card as well as your PIN. Having your bank card alone doesn’t get your cash out of the machine and neither does having your PIN alone. You have to have the two of those things in combination. This combined layer of security adds a layer that makes it much harder to compromise.

Authenticator Applications

There are two classic applications of MFA these days. In addition to your username and password, the site might send you a text message to your phone. This way you have to enter a code in order to authenticate. Although better than single-factor authentication, it does have its weaknesses. It can be compromised by someone taking over your phone number or intercepting a message. This would be considered the weaker form of MFA. The stronger of the two would be an authenticator application that runs on your phone and generates codes on a regular basis. This way you have to know your username and password, but also must have access to the exact device at the time of login.

Why Should You Use Multi-Factor Authentication?

MFA is the best thing that individual users can do to protect themselves. Google and Microsoft have both independently done studies on the effectiveness of adding MFA to protect your accounts. Their findings? It increases the effectiveness of your security by over 99%. In simpler words, it reduces the likelihood of a successful attack to less than 1% of what it would otherwise be. In security, we’re big believers that there’s no such thing as a silver bullet, but multi-factor authentication is as close as it comes. And it’s effectively zero cost for the sites that support it.

Watch the video from our webinar about Cloud Security Best Practices to learn more about MFA and other ways to stay safe from cybersecurity threats. 

The Digital Transformation Journey of a Vancouver based eCommerce Retailer

What’s behind most successful businesses nowadays? We’d argue the key is a solid data centre, cloud base, and vision. While communication and office culture are both integral in a thriving business, it helps to have an online space that encompasses it all. Recently we hosted a “Digital Transformation Journey with Azure” webinar with Riz Somji. As the CEO of Cymax Group, one of the fastest online furniture retailers, he was more than qualified to discuss many key points of his experiences: community, data storage and digital transformation being a few. Keep reading to hear the highlights of the event. 

People, Culture, and the Need for a Top-Down Buy In:

Vision and strategy are two of the most integral parts of the digital transformation journey. When Cymax first started, most sales were driven by ad revenue. But soon the team realized that they really needed to take a bold move to be data-driven. Instead of finding data and working from that, they needed a top-down model. They soon had a stronger, more sound foundation. As Somji shares during the webinar, people need to drive the transformation. Everyone should imagine the vision and comprehend the strategy before sponsorship even begins.

Data-Driven Organization: 

How is Cymax using data to help improve their business? First off, as Somji tells us, everyone needs to have the software and understand how the analytics work. Implementing a dashboarding tool, such as PowerBI, is also a good choice. For Cymax, every part of the company was focussing on data to drive decisions during the digital transformation journey. True, at the beginning analytics were inconsistent because everyone had different perspectives of which data was crucial or not. But soon after, the company decided to just have one source of data and proof. Enter: data warehousing. Now they could have data cleaned as it came in. The newest development? They’re working on linking data to people’s own objectives and jobs. It’s a cross functional view, as Somji describes it. And it’s more efficient. They used to have 120 people in the call centre. Now they are down to only 30 people. And the sales? Well, they’ve tripled. 

A Digital Transformation Journey with Azure and Microsoft: 

For Cymax, because everyone was motivated to undergo the transformation process, they got their migration done and moved over to Office 365 in the span of a couple of weeks. Crazy? We know. Microsoft supported them on this journey to the cloud as well, providing investment funds, strategic directions and more. Somji explained that because Cymax is such a dynamic company, using Azure kept everyone’s energy levels high. Because Azure DevOps is constantly evolving, the team stayed interested and had a really positive experience. They understood that servicing technical debt is too much work, so using the cloud would save not only time but also money.

Where are They Investing Next and Why?:

So what is a company like Cymax planning on investing their money in next? There are really 2 main categories: artificial intelligence and machine learning. Both provide added value to them but also their vendors. They’re looking for AI and ML engineers to help them integrate the processes into production. In the past, they had a pricing engine that priced products in real time. Sound slow? Well it was. And considering that they were competing against so many other sellers, this was less than ideal. But now, they’re looking to use AI and ML for image optimization. This way they can look at damaged products, and using technology find out where the product inconsistency is. Instead of having back and forth conversations with vendors, they can share their learnings, and improve product quality. 

Digital transformation is the way to the future. It ensures that your business is online in the upcoming times, especially important as everything has been remote lately. If digital transformation is something you’re interested in, contact us at Optimus here.