Safeguards for working in a mobile or cloud environment fall into three general categories: Technical Configuration; Contracts and Agreements; Policies and Procedures.
Technical Configuration
When connecting from a remote location to your own private network or to a cloud-based application, security configurations should be in place for: the device, the connection, and the destination infrastructure. A security lapse in any of these areas could leave your business open to malicious infiltration or data loss. This section describes best practices for technical configuration.
The Mobile Device
The recommended steps for securing mobile devices (e.g., smartphone, tablet, laptop, flash drive) include: encrypt devices to prevent unauthorized use if one is stolen or lost; set strong passwords; configure devices to lock after a brief idle time; create a list of approved mobile hardware for your company so security maintenance can be standardized; conduct regular audits of company devices; have a method for remotely wiping a device clean if it is lost or stolen; keep all devices up to date with OS and software fixes; disable location tracking and unused connectivity options (e.g., Bluetooth or Wi-Fi); initiate downloads from trusted sources only; install anti-virus or anti-malware software; and run frequent backups.
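The approved-hardware list and regular audits described above are easiest to enforce when the baseline is written down as a check that runs over the device inventory. The following is an added example (not code from the original article or from Ninestone): it audits a constructed inventory against the baseline above, encryption on, short idle lock, supported OS, remote wipe enrolled, Bluetooth off, recent backup. The field names, the approved models and minimum OS versions, and the sample devices are all assumptions standing in for what an MDM export would provide.

```python
"""Device compliance audit against the mobile-device baseline.

Added example, not from the original article. The inventory fields, the
approved-hardware table and the sample devices below are constructed; a real
inventory would be exported from the organization's MDM.
"""
from dataclasses import dataclass

# Constructed approved-hardware list: model -> minimum acceptable OS version.
APPROVED_HARDWARE = {
    "Phone-A": (16, 2),
    "Tablet-B": (16, 0),
    "Laptop-C": (12, 4),
}
MAX_LOCK_TIMEOUT_MIN = 5   # "lock after a brief idle time"
MAX_BACKUP_AGE_DAYS = 7    # "run frequent backups"


@dataclass
class Device:
    device_id: str
    model: str
    os_version: tuple        # (major, minor), compared as a tuple
    encrypted: bool
    lock_timeout_min: int
    remote_wipe: bool        # enrolled for remote wipe if lost or stolen
    bluetooth_on: bool
    last_backup_days: int    # days since the last successful backup


def audit_device(d: Device) -> list:
    """Return the list of baseline violations for one device (empty = compliant)."""
    findings = []
    if d.model not in APPROVED_HARDWARE:
        findings.append("unapproved hardware model")
    elif d.os_version < APPROVED_HARDWARE[d.model]:
        findings.append("OS below minimum supported version")
    if not d.encrypted:
        findings.append("storage not encrypted")
    if d.lock_timeout_min > MAX_LOCK_TIMEOUT_MIN:
        findings.append(f"idle lock exceeds {MAX_LOCK_TIMEOUT_MIN} minutes")
    if not d.remote_wipe:
        findings.append("remote wipe not enrolled")
    if d.bluetooth_on:
        findings.append("Bluetooth enabled (unused connectivity should be off)")
    if d.last_backup_days > MAX_BACKUP_AGE_DAYS:
        findings.append(f"last backup older than {MAX_BACKUP_AGE_DAYS} days")
    return findings


def audit_inventory(devices) -> dict:
    """Map device_id -> findings for every non-compliant device in the inventory."""
    report = {}
    for d in devices:
        findings = audit_device(d)
        if findings:
            report[d.device_id] = findings
    return report


# Constructed sample inventory: one compliant device and two with violations.
SAMPLE_INVENTORY = [
    Device("dev-001", "Phone-A", (16, 3), True, 2, True, False, 1),
    Device("dev-002", "Phone-A", (15, 7), True, 10, True, True, 3),
    Device("dev-003", "Tablet-X", (16, 0), False, 5, False, False, 30),
]

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(dev_id)
        for f in findings:
            print("  -", f)
```

Running the audit on a schedule and diffing the report against the previous run turns the "regular audits of company devices" item into something that produces evidence, rather than a checklist that is ticked once.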
The Connection
Any unsecured wired or wireless connection is vulnerable to intrusion, so avoid using public Wi-Fi or any open network when working with confidential information unless encryption is in use, as with a VPN connection. When using web applications, use only encrypted SSL/TLS (HTTPS) connections.
The Destination Infrastructure
Whether using a cloud-based system or applications on your own company’s private network, the same principles apply for securing the infrastructure (i.e., servers and network). If you are accessing your own network from remote locations, your infrastructure should be configured to allow only authorized users. If you are using a cloud provider, ask for details about their ability to protect your information and hold them to a high security standard.
Best practices for securing networks and servers from malicious attacks include: sophisticated authentication protocols; encryption; physical (rather than logical) separation of data; backups; redundancy; disaster recovery; enforcement of complex passwords using a combination of cases, numbers and symbols; and frequent password changes. Tightly controlled user management is also critical to security, including: giving users need-only access; immediately disabling the accounts of terminated staff; and enabling audit features so unauthorized activity can be detected. Periodic assessments should also be conducted to make sure security measures are still effective in the context of new technologies and cyber threats.
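The three user-management controls in the paragraph above (need-only access, prompt disabling of terminated staff, audit features that surface unauthorized activity) can be checked against each other. The following is an added example, not code from the original article: it reconciles a constructed account directory against a constructed HR roster and role entitlement table, and then scans a few constructed audit-log lines for activity by terminated users or outside a user's role. The roster, entitlements, accounts and the log format (timestamp, user, action, resource) are all assumptions.

```python
"""User-management reconciliation and audit-log review.

Added example, not from the original article. HR roster, entitlement table,
account directory and log lines are constructed; the space-separated log
format is an assumption.
"""
from datetime import datetime

# Constructed HR roster: user -> (role, termination date as ISO string or None).
HR_ROSTER = {
    "alice": ("finance", None),
    "bob": ("support", "2024-03-01"),
    "carol": ("engineering", None),
}
# Constructed entitlement table: role -> resources that role actually needs.
ROLE_ENTITLEMENTS = {
    "finance": {"ledger", "payroll"},
    "support": {"ticketing"},
    "engineering": {"source", "build"},
}
# Constructed account directory: user -> (enabled, set of granted resources).
ACCOUNTS = {
    "alice": (True, {"ledger", "payroll", "source"}),
    "bob": (True, {"ticketing"}),
    "carol": (True, {"source", "build"}),
    "svc-backup": (True, {"ledger"}),
}
# Constructed audit log: "<ISO timestamp> <user> <action> <resource>".
AUDIT_LOG = """\
2024-03-02T08:15:00Z bob LOGIN ticketing
2024-03-02T08:16:10Z bob READ ticketing
2024-03-02T09:00:00Z alice READ source
2024-03-02T09:05:00Z carol PUSH source
"""
AS_OF = datetime(2024, 3, 2)  # date the review is run (constructed)


def _termination_date(roster, user):
    terminated = roster.get(user, (None, None))[1]
    return datetime.fromisoformat(terminated).date() if terminated else None


def find_stale_accounts(roster, accounts, as_of):
    """Enabled accounts that should have been disabled: owner terminated on or
    before `as_of`, or no roster entry at all (orphaned account)."""
    stale = []
    for user, (enabled, _) in accounts.items():
        if not enabled:
            continue
        if user not in roster:
            stale.append((user, "no roster entry"))
            continue
        term = _termination_date(roster, user)
        if term and term <= as_of.date():
            stale.append((user, f"terminated {term.isoformat()}"))
    return stale


def find_excess_access(roster, accounts, entitlements):
    """Resources granted beyond what the user's role needs (need-only access)."""
    excess = {}
    for user, (_, granted) in accounts.items():
        role = roster.get(user, (None, None))[0]
        extra = granted - entitlements.get(role, set())
        if extra:
            excess[user] = sorted(extra)
    return excess


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, resource)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, resource))
    return events


def detect_unauthorized_activity(events, roster, entitlements):
    """Flag events by users acting after their termination date, or touching a
    resource their role is not entitled to."""
    alerts = []
    for ts, user, action, resource in events:
        role = roster.get(user, (None, None))[0]
        term = _termination_date(roster, user)
        if term and ts.date() > term:
            alerts.append((user, action, resource, "activity after termination"))
        elif resource not in entitlements.get(role, set()):
            alerts.append((user, action, resource, "resource outside role"))
    return alerts


if __name__ == "__main__":
    print("stale accounts:", find_stale_accounts(HR_ROSTER, ACCOUNTS, AS_OF))
    print("excess access:", find_excess_access(HR_ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS))
    for alert in detect_unauthorized_activity(parse_log(AUDIT_LOG), HR_ROSTER, ROLE_ENTITLEMENTS):
        print("alert:", alert)
```

The point of joining the three data sources is that each control covers a gap in the others: the roster check catches the account that was never disabled, the entitlement check catches access that accumulated over time, and the log check shows whether either gap was actually used before it was closed.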
Contracts and Service Level Agreements (SLA)
When contracting with third-party vendors (e.g., a consultant or cloud-based solution), the contracts, SLAs, and business associate agreements should clearly define the vendor’s responsibilities for the security of your information and set forth the consequences when the terms are not met. Here are best practices for making sure your legal paperwork protects you from unexpected security problems.
When searching for a cloud-based solution, create a comprehensive list of security requirements and, after the vendor has been selected, use that list to craft the contract. The vendor should provide details about physical security (i.e., building and hardware) as well as software security, including authentication methods, encryption, and safeguards that ensure another organization using the same hosted application cannot access your company’s data.
Responsibilities for all aspects of security should be clearly defined. For example, the vendor could host your application on servers maintained by a separate IaaS (Infrastructure as a Service) provider and housed in a building physically secured by a third company. In this case, know who would be liable for a data loss or breach.
Finally, retain oversight of your data even though it resides with your cloud vendor. Your organization should be constantly monitoring the integrity of your information.
Policies and Procedures
Malicious activity is not the only danger companies face. Another common source of risk is uninformed or misinformed staff. An organization using mobile devices and/or cloud-based solutions should have clearly defined and enforceable policies and procedures that address electronic communications, remote connectivity, acceptable use, and security awareness.
Policies should clearly describe the organization’s expectations and the consequences for non-compliance. Procedures should describe steps employees should take to adhere to policies.
Best practices include: providing easy access to all written policies and procedures; reviewing and updating those documents as the technology and regulations change; training all staff in a timely manner; establishing effective ways of communicating updates or changes; providing technical support for users who need assistance configuring security settings or properly making a secure remote connection; and conducting regular audits to monitor for breaches and unauthorized activity.
There has been explosive growth in the area of cloud and mobile technology making it difficult for organizations to stay ahead of security threats. Ninestone consultants have the experience to assess your organization’s security needs and implement solutions within a given budget.