This is an ongoing series of guest blogs written by TAG Cyber analysts in conjunction with various members of our SPHERE team. The series offers insights from the perspective of professional industry analysts combined with a technology company focused on the goal of establishing cyber hygiene. This article comes from a fearless leader, CEO & Founder of TAG Cyber, Edward Amoroso.
While moderating a recent conference panel session of Chief Information Security Officers (CISOs), I happened to ask each of the participants what their primary protection solution would be as they transition infrastructure to cloud. The question had been strongly encouraged by the planning team of the panel’s corporate sponsor – an established security company that markets a high-tech, machine-learning solution to virtualized hosting in the public cloud.
To my amusement (and perhaps to the disappointment of the sponsor), every participant referenced the need for foundation security controls with emphasis on establishing a program of basic cyber hygiene. Each CISO pointed to the need to make sure that their virtual house was in order, so to speak, before they could ever hope to provide sufficient security, compliance, and privacy for their workloads hosted in the major public cloud provider infrastructure.
I offer this anecdote because it supports the value proposition driven by my colleague Rita Gurevich, CEO of cybersecurity company SPHERE – namely, that cyber hygiene is the key to proper foundational protection for an organization’s most critical assets. This security support applies not only to legacy infrastructure, including traditional data centers, but also to the myriad of applications, systems, and platforms that reside in modern cloud services.
My observation is that cyber hygiene plays three roles in securing the enterprise transition to cloud. First, it provides protection against the architectural seams that can emerge when applications and systems (such as Active Directory and the Domain Name System) are stretched across legacy enterprise and multi-cloud networks. Such seams can result in poorly managed permissions, sloppy account management, and other configuration errors. Cyber hygiene is the solution to these problems.
Second, a program of cyber hygiene can help to ensure that compliance requirements are sufficiently covered during the transition to a more virtual architecture. Regulators, for example, are typically nervous when networks are being reconfigured and applications rehosted, and basic hygiene will inevitably be the first thing they probe for non-compliance. A strong foundation program that emphasizes the basics will ease this compliance burden and calm down auditors.
And finally, a program of cyber hygiene can help drive commonality of protection across the diverse environments that exist in hybrid architectures, including multi-cloud hosting. Certainly, different networks will demand different types of controls. The Azure cloud, for example, will include different web hosting protections than a physical data center. But the basic tenets of hygiene, including focus on permissions management and attention to least privilege, will apply across all environments.
If these themes resonate as your infrastructure inevitably shifts in the direction of modern multi-cloud hosting, then you’d be wise to check in with the SPHERE team. Ask them to explain how they can help you improve your hygiene program and clean up the types of complex and often-sloppy administrative tasks that are so attractive to offensive cyber actors. Ask to see how their SPHEREboard might be integrated into your own hybrid environment.
And, as always, please let us know what you learn after your discussion!