
Practical Cloud Security

Weak link No chain is stronger than the weakest link

This past week, security has finally been a topic of discussion outside the ICT business as well. On Friday of last week, the big DDoS attack on the provider Dyn in the US also affected government sites here in Sweden. The attack was initiated by a network of hijacked IoT (Internet of Things) devices with weak security. I have been waiting for this, and I am still waiting for a bigger attack to come.

Not that I want the attacks to come; I predict they will come because ICT security is not top of mind for BDMs, C-level executives or board members of companies. I am also troubled by the fact that those who deal with security are doing it in the wrong way. It is not enough to establish a policy, documented in a report that is filed in the bookcase of the CISO's office, just to checkmark that activity. Neither is it OK to just throw hardware and software at the problem to secure the infrastructure of the company's ICT. That is another checkmark saying "yes, we handled the security".

The work of security starts with an inventory of what the company has, and that should be an easy task. You just have to open the files with the diagrams of the network, server racks and applications. Oh, you don't have those documents? You don't have to be too ashamed, as you are not alone! It is fascinating how many times I find that companies don't have these diagrams, and the few that have them don't update them for every change in the system. How do you think you can do a security and risk assessment if you don't know your infrastructure?

A diagram should show all objects and their relationships. Here are some of the objects you should have on the diagrams (don't try to put everything on one page!):

  • Network devices such as routers, firewalls, proxy servers, switches, access points and PBXs (or Skype servers).
  • Shared devices such as servers, printers, projectors (or, in the worst case, smart TVs). And don't forget the IoT devices that are not installed and controlled by the IT department.
  • Outsourced and cloud-hosted shared services such as Exchange Online, SharePoint Online, and application servers in Azure or outsourced.
  • Applications such as web servers and database servers for CRM, ERP, HR or production planning.
  • Internally developed (or contract-made) applications and the modules of those applications, with their relationships to the hardware devices above.
  • All connections and relationships with these devices, including the important employees or contractors who update, manage and troubleshoot the problems you will get.
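The object and relationship list above can also be kept as data next to the drawings, so that gaps show up automatically. The following is an added example, not something from the original post: all asset names, owners, dates and the 180-day review threshold are constructed assumptions. It flags inventory records that would undermine a later assessment and lists what an outage of one object would affect.

```python
from collections import defaultdict, deque
from datetime import date

# Constructed sample data: every name, owner and date below is hypothetical.
# Fields: kind, owner (person/team/vendor), managed by IT?, last review date.
ASSETS = {
    "fw-edge":   ("network",     "netops",   True,  date(2016, 10, 3)),
    "sw-core":   ("network",     "netops",   True,  date(2016, 10, 3)),
    "srv-db01":  ("server",      "infra",    True,  date(2016, 2, 15)),
    "erp-db":    ("application", "erp-team", True,  date(2016, 9, 20)),
    "erp-web":   ("application", "erp-team", True,  date(2016, 9, 20)),
    "mail-saas": ("cloud",       "vendor-a", True,  date(2016, 8, 1)),
    "cam-lobby": ("iot",         None,       False, None),
}
# (dependent, depends_on) pairs: the lines you would draw on the diagram.
DEPENDS_ON = [
    ("sw-core", "fw-edge"), ("srv-db01", "sw-core"), ("erp-db", "srv-db01"),
    ("erp-web", "erp-db"), ("cam-lobby", "sw-core"), ("erp-web", "sso-proxy"),
]

def find_gaps(assets, edges, today, max_age_days=180):
    """Return sorted (asset, problem) pairs that weaken a later assessment."""
    gaps = set()
    for name, (_kind, owner, managed, reviewed) in assets.items():
        if owner is None:
            gaps.add((name, "no owner"))
        if not managed:
            gaps.add((name, "not managed by IT"))
        if reviewed is None or (today - reviewed).days > max_age_days:
            gaps.add((name, "record stale or never reviewed"))
    for edge in edges:
        for end in edge:
            if end not in assets:  # drawn on a diagram but never documented
                gaps.add((end, "referenced but not in inventory"))
    return sorted(gaps)

def impacted_by(failed, edges):
    """Everything that directly or transitively depends on `failed`."""
    dependents = defaultdict(set)
    for dependent, target in edges:
        dependents[target].add(dependent)
    seen, queue = set(), deque([failed])
    while queue:
        for nxt in dependents[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen

if __name__ == "__main__":
    for asset, problem in find_gaps(ASSETS, DEPENDS_ON, date(2016, 10, 28)):
        print(f"{asset}: {problem}")
    print("sw-core outage affects:", sorted(impacted_by("sw-core", DEPENDS_ON)))
```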

To set up these diagrams you need to involve many people in the organisation, and you may even have to involve the vendors or contractors you used for these systems. There are software tools that can do the inventory for you. To make it easy to show relationships and the data of each object, you will most likely need software like Microsoft Visio. We are working with a very talented Visio pro from a company called Train-IT (Swedish website), and we ourselves also use Visio to document our own and customer networks.

When you have your diagrams ready, they are your map of the infrastructure, pretty much like the drawings of a house or a chart for a sailor. You can now start to find the issues that can cause outages in your business ICT infrastructure. The diagrams and other documents you have now created are the foundation for your security and risk assessment. I will come back next week with the practical work you have to do to carry out the assessment, and you will also get some hints on what many miss when they do the assessments.
