I’ve been poking around more and more about security, about best practices and about data protection. I have spent a good deal of time watching the tried and true “Securing Your SQL Server” type sessions and trying to understand what is critical and what you can do about it.
Security expert Duncan McAlynn (LinkedIn) sent me over a great video that went into the nitty gritty of a couple of exploits. How it’s done, but even more interestingly, how to prevent it. Now, call me innocent (I’ll wait) but I was floored at the tools and techniques that are readily available, what types of things can be done and the different things you can easily do to prevent them from working. But you need to do them.
My hat’s off, too, to CQURE Academy – it’s a great example of two issues.
I’ve talked about security for quite some time in different mediums. From writing about it, to presentations and such.
What struck me about the exploits is how very specific they are, how readily available the tools are, and how much access could be gained.
SO, my net suggestion – review those different points of protection. Remember the different concentric rings of protection – from collection of information to data in transit to data at rest to retrieval and use. It’s important not only to have the right protections running and in place, but also to understand how your hosting environment supports your security requirements.
This is something that has been a pretty significant learning curve for me personally – when we hosted our own systems, and even when we were in a pure co-location type of environment, I felt like I “owned” the security. But now, with a cloud based infrastructure also in the mix and evolving access for reporting and such, things are instantly more complex. Keeping access available, providing data protection and keeping some sort of control over data use adds all sorts of complexity to the process.
When you add in cloud infrastructure, or even applications as a service, or functions as a service or whatever level of cloud usage you decide to move forward with, you introduce some new challenges. Credit card processors, reporting, analysis, multi-server usage for reporting and analysis, data query tools, PowerBI, Excel, all of it. It also goes down to the location(s) you store information – be it online storage, local or a mix. There are profiles to set up to control access, and you have to balance that with usability and protection of personally identifiable information.
All of this to say that, for me, it’s been this constant running back and forth up and down the proverbial wire to see what else can be considered or locked down. There’s also “one more thing” you can do – and personally, I believe it’s critical to keep tuning and tightening and testing and learning and beating up on your infrastructure. Make sure you know the implications of the solutions you provide.
And, when you think the little settings don’t matter so much, re-watch the video.