Our organization works with a number of VIPs, and because we use a cloud-based infrastructure we've been asked to put a program in place to ensure we don't suffer an incident like last year's iCloud hack. We have a small IT department. What policies or security controls would you start with?
Security policies should be driven by an enterprise's long-term business strategies, risk assessments and tolerance for those risks. While the seemingly endless stream of news stories about data breaches is not likely to end anytime soon, enterprises can learn from such attacks so they can improve procedures and controls.
If you have a small IT department, start by learning from others. For example, the SANS Institute has a number of policy templates that can get you started. Begin with policies on authorized use, authentication and passwords, network security, desktop security, mobile devices and BYOD. If your company uses a public cloud provider or SaaS service, check the Cloud Security Alliance website for guidance and training on cloud security. Larger organizations and midsize companies with basic security policies and controls in place can leverage maturity models and guidance from the CERT division of the Software Engineering Institute; it offers guidance on resilience management, insider threats and capability assessments.
Keep in mind that security is a joint responsibility. The iCloud attack exploited attacks on user accounts, security questions and passwords. Your organization's employees should be advised to use passwords that are not easily guessed. In the past, that meant not using passwords readily found in a dictionary; today it includes not using passwords based on information available on social networks. Note that VIPs and executives are especially worthy targets for attackers willing to invest the time to collect and analyze publicly available personal data, so be sure to advise them to do the same.
Ask the Expert!
Perplexed about cloud security? Send Dan Sullivan your questions today! (All questions are anonymous.)