By Brad Bussie, Trace3
As each year winds down, we tend to look at the coming new year with hope and determination. We will get on that treadmill, we will eat less cake, and we will adopt sound security principals. However, the reality is, we change very little from year to year. That is until something happens to shock our systems.
Often, we refer to this shock as the compelling event. Your blood pressure is up significantly? It sounds like the treadmill will get used, and the cake will sit untouched on the plate. Cybersecurity is no different. Without an event, very little changes year over year. Looking back at the past year is good practice to find those compelling events. No, I am not telling you to get on the treadmill. What I am asking you to do is look at three areas of security in your service provider business and evaluate your effectiveness.
- Security Area 1 — Application Security
Many breaches over the past several years have been traced back to a lack of application security. Patching, surprisingly, is one of the most effective forms of securing an application. As we have witnessed, it is also one of the more challenging areas to get right. Some applications don’t respond well to the latest security updates or framework improvements, so many application owners stay several revisions back for performance or stability concerns.
This practice is a breach waiting to happen. Make sure your organization adopts a new year’s resolution and puts security first when it comes to application security. Adopt strong security practices with new application development, consider where web application firewalls make sense, and take a hard look at how runtime application self-protection will increase your cyber readiness. Service providers are uniquely positioned to provide application security as part of a standard set of offerings. Many application security solutions are software based and can be single or multi-tenant.
- Security Area 2 — Vulnerability Management
Vulnerability Management is an art form. Professionals spend countless hours on identification, categorization, remediation, and mitigation of software vulnerabilities. The main idea behind Vulnerability Management is to defend against attackers bent on taking advantage of vulnerabilities present in networks, software, and applications.
Enhancing Vulnerability Management should be on everyone wish list this year. Most organizations are doing minimal scans for compliance reasons and fail to adopt a true program to combat the life cycle of vulnerabilities. There are three parts to consider in any successful Vulnerability Management program: people, process, and technology.
Service providers typically have high levels of access into customer environments. They have the right combination of the key three on hand for a successful vulnerability management program. Consider spending time preparing Vulnerability Management offerings and determining your resource allocated to detect and remediate vulnerabilities for a nominal fee. Customers will thank you for it.
- Security Area 3 — Password Management
The password is still the most common way to protect resources. We have spent the last few decades refining the length and complexity of password to combat the rapid theft of credentials. A shorter and easier-to-guess password is obsolete now that most systems require increased length and complexity.
The problem is, a complex password is only part of the equation. Fundamentally, a password exists to verify someone is who they say they are. Passwords are only effective when paired with another factor of authentication such as a phone protected by a fingerprint, one-time use code, or facial recognition. Secure password vaults that change passwords after use are another good way to manage the ever-present danger of impersonation.
Look back at how your organization offered password management as a service over the past year. Depending on the answer, provide a purchasable option for password resets, multifactor tokens, and privileged password management. Password management is the most sought-after and easier to deploy security solution for consumers of service provider offerings.
If you have a strong desire to eat cake by the end of this article, you are not alone. The real hope is you have a better understanding of why Application Security, Vulnerability Management, and Password Management are imperative areas of investment for 2019 service providers.
All three disciplines are critical for hybrid cloud environments where attackers now have a larger attack surface. Most cloud applications are not sitting behind thick datacenter firewalls. The applications were created for employee or customer access from any device, making traditional firewalls difficult to implement for advanced application protection.
Vulnerability Management in its most basic form is making sure systems and platforms maintain proper patch levels. Analyzing who has access to what is also important as it can shed light on lurking vulnerabilities related to privileged access. Password Management isn’t new this year, but it is still a problem for most organizations. Consider multi-factor authentication, pass-phrase passwords, and privileged password vaults as critical customer acquisitions for the new year. Building the right blend of services with visibility and reporting should be the goal to help your customers weather anything 2019 throws at them.
Service Providers and VARs have a duty to their customers. They look to us as trusted advisors to help them navigate the noise and focus on what matters most. Remember — just because you can put something in the cloud, doesn’t always mean you should.
About The Author
Brad Bussie is Managing Principal, Security Strategy at Trace3. He is an award-winning veteran of the information security industry and holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2.