[Editor’s note: We asked David Wippich, SVP & CTO of Ingram Micro Cloud and CloudBlue, to comment on recent industry news regarding cybersecurity. What follows are his thoughts on how resellers and service providers can protect themselves from security breaches.]
It seems like every day there’s yet another data breach or security hack in the news. As cloud adoption continues to grow, the security of cloud services is of increasing concern. As the developer of CloudBlue and the leading Cloud Marketplace provider, Ingram Micro takes the security of our customers, employees and their data very seriously. Security is not something you just set up and let run; it’s something you do every day, night—and the first thing you think about every morning.
While no systems or processes are perfect, there are key actions you can take to minimize the risk to your data and environment. Here are 10 things we do to keep Ingram Micro Cloud Marketplace and the CloudBlue digital commercial platform secure that can help with your cybersecurity efforts as well:
1. Go deeper on security
Creating multiple layers of defense has been a key principle in security, whether you’re securing a medieval castle, traditional data center or cloud-hosted data center. This involves layering security controls from your edge network (or outer castle wall) to your internal databases (or keep). The security controls vary from implementation to implementation using edge firewalls, proxies, web application firewalls or moats.
2. Build network segmentation and firewalls
Good security starts with choosing your network wisely. Just like with castles, a location impacts security as much as any other security defense you might consider. In this case, your internal systems or services should sit on non-routable IP blocks wherever feasible.
As we move to cloud services, this isn’t always possible given the limited control associated with software-as-a-service (SaaS) and platform-as-a-service (PaaS) services, making the task more challenging. However, some cloud providers now offer an option to have your SaaS services hosted on internal, private networks. Be sure to thoroughly evaluate these options.
Similarly, by isolating operating environments, you can customize your defenses to the environment and reduce risk to other environments. For example, corporate environments can be isolated from customer environments.
Beyond that, the firewall is typically your first ring in your perimeter defense and something that should be constantly monitored, assessed and reassessed. Proper configurations and placement of all critical servers behind the firewall (even cloud servers) is imperative.
Using cloud provider native tools (such as Azure policies or AWS Config) or third-party infrastructure automation tools, every instance can automatically be provisioned behind the firewall with network rules enforced throughout its lifecycle. After all, your castle’s outer wall will only protect what’s inside if all the gates are closed.
Continuous monitoring of the network will identify any firewall misconfigurations, and services that are exposed on the network must be regularly tested for vulnerabilities. Additionally, IP assignments by cloud service providers for your services can be automatically obtained via APIs and native tools, removing the need to scan large IP blocks for active hosts.
3. Exercise more control for greater protection
Obviously, access in and out of your perimeter needs to be limited to authorized personnel only. Services also need to continuously authenticate users and other systems on the internal network to protect services from threats that have breached the outer walls. While centralized access control systems simplify governance, using multiple authentication realms and forms of authentication provide additional protection from compromised credentials.
Using tools and services that allow for multiple authentication requirement, without degrading the user experience, is a delicate balance—and one that must be maintained. Considering phishing attacks are still one of the leading causes of security incidents, having multiple forms of authentication (MFA) will substantially improve your posture and can be implemented within your systems, making it easy for users to access and use.
Principles of authentication, authorization and auditing (AAA) must be applied to every network, system and service. Fine-grained privilege management ensures users and systems are only performing the tasks they are authorized to execute, minimizing the chances of an insider threat or breadth of damage from a hijacking attack.
With cloud services, the use of single sign-on or same sign-on services reduces your administrative overhead and dramatically improves overall security. These services also enable you to leverage MFA by building it into your directory services and bring MFA to cloud services, where it’s not supported natively.
4. Secure each and every server and device
The next layer of defense is dependent on security controls applied to your servers, devices or “endpoints.” This includes patching, hardening and regular monitoring of your endpoint controls.
Some of the largest security breaches continue to stem from unpatched software. The move to cloud and serverless technologies can actually make it easier to maintain control over your systems as cloud service providers will automatically take care of this for you as part of their shared responsibility model.
Statistics show that service providers are doing a better job of this than those who self-manage. This is no surprise as cloud service providers often have a head start on patching vulnerabilities on their systems either because they maintain the operating system and database, or because of responsible disclosure programs that tend to give early notice to cloud vendors based on the potential impact to the public at large.
Smart gateways, DDoS protection and web application firewalls are a few of the utilities offered by cloud service providers to protect applications, and secure APIs from network and web attacks. These services come with the latest encryption ciphers, which can be enabled with a click of a button. This ensures compliance while protecting you from yet another SSL vulnerability.
Advanced logic can also be added to API calls in-flight, providing powerful capabilities such as routing, rate-limiting and augmenting the call with additional details to be leveraged by the application downstream.
All servers, public or private, must be continuously monitored and as many servers as possible should sit behind the firewall—including logging servers—to add additional layers of protection. This greatly reduces the chance of a data breach.
5. Test the security of all applications
Regardless of whether your applications use commercial software, open source or are built in-house, security is paramount to the overall security of your environment. Basically, an application is what’s exposed on the network for user consumption. And as shift left testing becomes more popular, tools such as static application security testing (SAST) help address security vulnerabilities in the early stages of development.
The automation that comes with these tools allows for frequent testing, enabling developers to identify and resolve bugs. Before the application is made available to the internet, dynamic application security testing (DAST) allows your organization to test applications in their final form.
6. Map out detailed policies and procedures
Well-defined and established policies and procedures will ultimately govern how security is maintained in your organization. Executive leadership needs to set the tone and ensure everyone knows their part and does it. Formal, well-documented and frequently updated processes and procedures give everyone guidance on what they need to do to help keep the organization secure.
7. Conduct regular internal and external audits
No matter how good we are, we still need to check ourselves and use other departments or other companies to validate our defenses. When you’re not in the middle of fighting a war, mock exercises using red team vs. blue team drills can help identify weaknesses in your security posture and allow you to fix vulnerabilities before an actual attack.
In particular, in-house development needs dedicated application security staff to check and challenge the developers, along with their programming and open-source use methodologies.
8. Stay up to date on the latest advances
Keeping up with the latest security trends, standards and technologies helps you learn from others while staying ahead of the curve. Threats and defenses are always evolving in a continuous cat-and-mouse game, so you must vigilantly and continuously update your strategies and tactics to stay secure.
9. Keep every aspect of operations secure
While it’s easy to think of public cloud (such as Azure, AWS or GCP) as a managed hosting service, this is only a small part of the services public clouds offer. Today’s services interact with a variety of other services, including storage, queuing, messaging, machine learning and much more. Think of REST API services offered by Microsoft Office 365, Salesforce or Google App. None of them involve any of the traditional infrastructure and security layers.
To thrive in this new reality, you’ll need to consider how to build cloud-native security into your operations from day one. This includes API-level audits, security tools offered by cloud platforms, and less direct use of infrastructure wherever possible to minimize the attack surface you have to defend.
10. Develop a security-minded culture
The best locks in the world won’t work if the door is left open. This is the one concept that must become part of every company’s culture if they want to keep their data secure. While we’ve provided a number of ways that can help secure your systems, you should also recognize that the largest data breaches are often preceded by the careless actions of users.
Simply walk down the aisle on any airline flight and you’ll see proprietary data splashed across numerous laptop screens. While formal security policies are a must, it’s important to create a culture where every employee takes security personally, such as immediately reporting a stolen laptop or flash drive, and providing a security screen for their laptop to protect valuable or confidential data when they’re out in the world. These simple changes to your culture can help ensure that all the time and money you spend on security isn’t thrown out an unlocked door.
Let’s face it—nothing created by man is perfect. The best we can do is to do our best every day. By following the above guidelines, putting good practices into effect and aggressively maintaining these practices, you can create and manage a more secure environment for your customer, partners and suppliers.
To learn how Ingram Micro can help your improve your cloud security, contact us today at cloud@ingrammicro.com.
