The Red Herrings of Cybersecurity – Blog 2 of 4

Hello again.

In the previous blog in this series, I set things up for you. I explained the three things that I believe are “red herrings” in our industry – and now we’re going to dive into the first. Let’s go for a short, pointed, and honest ride.

There has been a consistency about managed services providers in the years I’ve worked for them. While not particularly comforting, the consistency of failings at least meant that we were all doing it wrong together. There is cold comfort in that.

One of those things that killed me for years is the speed of implementation. Or should I say, the complete lack thereof? In my years with HP, one of the managed services accounts that I worked with directly was grumpy because it had taken over 9 months to get an IDS successfully implemented. Yes, you read that right. Nine months. It’s not like security is a real-time battle of good and evil, and losing seconds is cause for concern, right?

I swore that I’d work to improve this, but ultimately I was unsuccessful. Then I left the company. But this stayed in my mind for a while. In my next role, I was too far removed from this situation to be able to affect it. That said, it never left my mind as my team and I advised CISOs on strategy and program development. The goal was always to decrease the time that elapsed between signing a contract and getting “security value.”

Fast-forward a bit to when I joined my previous role at Armor. The company was touting “2 minutes to deploy” and given my previous experience I thought I hit the jackpot. I’d learn over the next two years why I had been chasing a false dream. I’d recognize that faster is not necessarily better, although rapid time to value is desirable.

So what changed that swayed my thinking? Experience.

You see, I had the opportunity to witness a few “2-minute” deployments. They were categorically a disaster. Why? The answer lies in another question.

“How much protection can you expect from a security tool that does near-zero customization?”

If you answered the above with “about that, near-zero” you are now in my headspace. One of the reasons; and this is personal opinion now, there were so many install failures and missed issues downstream was that we were going for speed versus security. Sure we had it installed in two minutes. But did it serve any value? That was debatable, at best.

The lesson is this – to provide a valuable outcome to your customers, you need to do the work. There is a multi-step process that needs to be followed that I’ll readily share with you, here.

1. Understand your customer, their environment, and their challenges. Without this, you’re applying peanut butter. There are no two customers that share the same strategy, architecture, network topology, and security response needs. This I can guarantee. So why would you pretend that a single stock configuration would do anything but provide for the most basic of controls? I would argue that without this step you’ll be doing more harm than good.

2. Prototype and test your configurations. Once you think you know your customer, develop the defensive model, policies, and response actions. Work hard to identify not just the 80% case but those 20% outliers that are going to cause trouble once you deploy. Here’s a hint – one of the most difficult things to get right is the disruptive cases. The situations where something happens to upset the customer’s ecosystem due to a configuration you’ve made are irreversible – especially during initial deployment. If you can’t get it right from the start, you’ll lose your customer’s trust before you ever get to protect them. Minimize your unknowns; that’s the best advice I can give.

3. Expertly guided deployment is essential. Far too many times I heard customers say, “We got this” and then proceed to bungle everything because of either ego or something else. But I promise if your provider is offering you assistance to deploy – take it. If they’re not, ask why they’re not helping you be successful.

Expect this effort to take you north of forty hours for a mid-size implementation. That’s my estimation. You, the provider, should spend a week of solid work to get to a deployment stage. That’s a far cry from 2 minutes but provides infinitely more security value.

While I still believe that deploying as quickly as possible to get security value is critical, I no longer believe that doing so at the expense of customization and testing is viable. Everything comes at a price, and in cybersecurity, the price for protection is time. And effort. It takes effort, planning, patience, and expertise on your part and your customers. I don’t care how you present it – those are things you can’t rush.

Next up, removing complexity. I welcome your comments in the meantime.

Top 5 Azure Mistakes your Security Team is Making

With its scalable structure, pay-as-you-go pricing, and 99.95% SLAs, it’s no wonder Microsoft Azure is a long-time leader in the IaaS space. Its popularity is also due to the fact that it not only offers -Infrastructure as a Service (IaaS) but also Software as a Service (SaaS) and Platform as a Service (PaaS). With Azure, clients can use the services purely in the cloud or combine them with any existing applications, data center or infrastructure already in place. But with all of this flexibility and reliability comes responsibility. It is critical that IT professionals understand Azure’s shared responsibility model as well as which security tasks are handled by the cloud provider and which tasks are handled by you.

Here are -five common security mistakes that typically result from a rushed build/setup process and inadequate management, as well as tips on and how you can avoid them when designing, deploying, and managing your Azure cloud solution.

1. Misconfiguration of Roles & Administration

Misconfiguration is a common occurrence in situations where an Azure solution is implemented without proper planning.

One aspect of misconfiguration is the assignment of roles to users. It is recommended that you follow the principle of least privilege and select a role that provides the user only with the amount of permission they need to do their job. Failing to follow this best practice leads to excess access permission which can easily be avoided by taking the time to properly assign these roles at the outset.

The old adage that “too many cooks spoil the broth” applies to countless scenarios, and Azure is no exception. Assigning too many administrators, failing to establish lease permissions for those administrators, and not enabling Azure’s Multi-Factor Authentication (MFA) are risky oversites. MFA provides an extra layer of security by requiring administrators to provide authentication via phone call, text, or mobile app before they can log into the portal. This helps prevent the administrator’s account from being compromised or misused.

2. Weak, Mismanaged Passwords

This misstep may seem obvious, but regardless of how many times people are warned against setting weak passwords, far too many people still use them. According to Microsoft, they see over 10 million username/password pair attacks every day across their platforms. Failing to assign strong passwords and requiring them to be frequently updated creates vulnerabilities that are easily avoidable.

In setting up Azure services, Microsoft recommends the following to IT administrators:

  • Maintain an 8-character minimum length requirement (and longer is not necessarily better).
  • Eliminate character-composition requirements.
  • Eliminate mandatory periodic password resets for user accounts.
  • Ban common passwords, to keep the most vulnerable passwords out of your system.
  • Educate your users not to re-use their password for non-work-related purposes.
  • Enforce registration for multi-factor authentication.
  • Enable risk based multi-factor authentication challenges.

3. Not Enabling or Managing Logging

Failing to turn on the logging feature is another common misstep in the building process. First, logging must be turned on to permit access visibility. But it doesn’t stop there. The Azure Activity Log must be regularly monitored to gain insight into who is accessing and managing your Azure subscription and to track all create, update, delete, and action activities performed. In addition, an investment in Sentinel – Azure’s cloud-native security information and event manager (SIEM) platform – can go a long way, as it uses built-in artificial intelligence to quickly analyze large volumes of data across an enterprise.

4. Misconfiguration of Security Controls

Haste and -lack of expertise in the configuration of your security tools can mean huge exposure risks for your organization. Failing to enable Azure’s security center and its highly valuable native security tools is a big no-go as it leaves your data open to breaches.

Network Security Groups (NSGs) are the foundation of all network security designs in Azure, and therefore should always be applied to safeguard subnets of a virtual machine-based web application deployment. In a typical design, there is a virtual network and subnets. The subnets should not be assigned to a public IP that could open unwanted ports. NSGs control access by permitting or denying network traffic via communication between different workloads on a vNET, network connectivity from on-site environment into Azure, or direct internet connection.

5. Lack of Oversight

IT administrators often view their Azure cloud solution as just a data center, but it’s essential to remember that this isn’t a case of “set it and forget it.” In fact, your job is far from over once the migration or build is complete; ongoing management and security are critical to the success of your Azure environment.

Proper management of your solution requires a multi-faceted approach. In addition to maintaining compliance with organizational and regulatory security requirements, you must continuously monitor the machines, networks, storage, data services, and applications to protect against potential security issues. Prioritize security alerts and incidents so you can zero in on the most critical threats first. Troubleshooting will be easier if you track changes and create alerts to proactively monitor critical components. Managing update schedules will ensure that your solution is equipped with the latest tools to support ongoing operations.

The bottom line is that your Azure solution is only as strong as the team supporting it. Therefore, IT professionals must do everything in their power to remediate security vulnerabilities before attackers have a chance to take advantage of them. If security and technical expertise and staffing have become obstacles to the effective implementation of your cloud strategy, turn to Lightstream’s Cloud Managed Services (CMS) for help overcoming these challenges.

The Red Herrings of Cybersecurity Blog Series – Blog 1 of 4

The longer you’re in the cybersecurity business, the more you realize that some of the things you learned early on as ground truths were red herrings. Allow me to elaborate.

As the head of security strategy here at Lightstream, my job is to innovate and think ahead of the demand curve. I take this job very seriously, which is why I’ve been re-evaluating some of the things I held true in previous roles. There are three things I want to address over the next four posts, and I hope this reveals a little about how I’m thinking and perhaps provides some groundwork for good dialogue.

First, the three red herrings I want to discuss. These apply specifically to the delivery of security services in the form of an MSSP – and while these three things may be applicable elsewhere, that’s not what I’m addressing in this series.

  1. Faster deployments are somehow better;
  2. Complex services are more effective;
  3. Vendors taking over your tools is a good idea.

Let me break these three things down so you can get a sense of the high level here, and then over the next few posts, I’ll share my thoughts and how I have arrived there.

At my last company, there was a very odd metric we put on all of our marketing literature – the time to deploy our product. It made sense at the time. We told customers we could get the product installed in about 2 minutes and that as soon as they signed up for our service, they’d be off and going in that short timeframe. That all sounded good until I observed a few of these deployments. Have you ever tried to install a security product in 2 minutes? If you have, then you will probably agree with me that the only thing you get in those 2 minutes is a stock vanilla deployment with virtually no contextual understanding or customization. To translate that into an outcome – low value, and a potential disaster by breaking something.

Complexity has always been the archenemy of everything in technology. The more complex a deployment becomes, the more difficult it is to understand it. Hence it will be difficult to fix and secure. I don’t believe this is disputable. So why is it that so many security services vendors build slide after slide in their presentation to explain their overly complex systems and processes? The answer is simple – the buyer has come to believe that if they don’t understand it, then it must be advanced. It’s like the Arthur C. Clarke quote: “Any sufficiently advanced technology is indistinguishable from magic.” My friends, don’t buy magic; it’s rarely real in the end.

Finally, let’s talk about those RFPs you’re sending out. If you’ve purchased a set of tools and failed to implement them properly – whether you figure this out on day three or three hundred is immaterial – asking someone else to take your operation over is a terrible idea. The likely outcome is what we in the industry refer to as: “your mess, for less.” I promise you there is no value here. You get what you pay for, and “cheap” is not the same thing as “less expensive.” There’s a lot to unpack here. I’ll save my thoughts for the full post; however, I wanted to seed this in your mind for now.

So now you have it – my thoughts on the three most important red herrings cybersecurity services vendors put forth that I believe you should avoid. In the next three blog posts, I’ll unpack each and perhaps leave you with something to think over. A better way forward, perhaps.

Lightstream helps a SaaS Company Solidify Its Cloud Strategy in Azure

Cloud Foundation Framework helps the company meet FedRAMP requirements and secure a new government contract.

Business Challenge

Winning a government contract is a big achievement. It takes months, and sometimes years, of diligence and hard work. New business in the public sector brings many benefits, but it also creates new requirements and responsibilities for the service provider.

For one SaaS company, securing a new government contract was contingent on the company’s ability to meet FedRAMP (Federal Risk and Authorization Management Program), a strict set of federally-mandated requirements for cloud products and services. At the time, the company operated 15 data centers around the world and had no public cloud footprint. Though the company’s application was cloud-ready, it was designed to run only in a private cloud environment.

The company needed an ecosystem to run its software that complied with FedRAMP. But to establish that ecosystem within its own data centers would take a long time to achieve and require a substantial investment.

To address this challenge, the company decided to use Microsoft Azure Government, Microsoft’s cloud service designed specifically for government agencies. But to meet the contract requirements, the IT team needed to architect and build the Azure environment quickly and ensure it met all FedRAMP specifications. As a result, they reached out to Lightstream for help.

Solution

The first step was to assess the company’s existing environment—infrastructure, security requirements, application dependencies, and processes—and design Azure to meet both the application needs and FedRAMP requirements. This was done by performing a Cloud Foundation Framework engagement.

Next, Lightstream cloud experts built the new environment. The Azure platform was implemented using a design blueprint, which was created during the framework engagement and defined all the technical specifications for the new environment. The work included defining the Azure architecture, implementing all infrastructure (IaaS) components, networking services, Azure SQL, security, and app services needed to make the platform operational.

The final step was validating the environment. Lightstream specialists helped the company execute a proof of concept (POC) project. The company’s application was deployed to Azure and tested to ensure it functioned properly and met all FedRAMP specifications.

Business Outcomes

Successful Migration to Azure Government

Through the Cloud Foundation Framework engagement, the company was able to successfully migrate all its production instances to Azure and meet FedRAMP regulations. This enabled the organization to deliver on the requirements specified in the contract, expanding the company’s presence in the public sector space and increasing its revenue.

CMMC and FedRAMP-compliant Platform

The company’s Azure environment met all FedRAMP requirements and CMMC (Cybersecurity Maturity Model Certification) compliance. This established a platform the company can use to pursue more public sector business opportunities in the future, especially those that require CMMC compliance.

Positioning for Future Cloud Migration

With its cloud strategy firmly set, the company is now positioned to migrate additional workloads and data storage from its existing data centers to the cloud. This will enable them to leverage the cloud’s scalability, flexibility, and operational advantages to lower data center costs over time, address skill-gap challenges, and remove facility-based barriers to growth.

Contact Information

To learn more about how Lightstream Managed Services can help you architect, implement, and manage a hybrid cloud environment that meets your business needs, visit www.lightstream.tech/solutions/managed-services/.

Financial Services Company Architects a Secure Hybrid Cloud Environment in Azure

Cloud Foundation Framework and Cloud Managed Services from Lightstream enable the company to modernize its mortgage lending application and deliver better service.

Business Challenge

The financial services industry is fast-moving and competitive. New SaaS entrants with easy to use applications have put pressure on traditional companies. Today, consumers have a vast array of choices, literally in the palm of their hand.

For one financial services company, addressing this business challenge meant modernizing its applications. For years, the company operated a traditional legacy IT environment. It owned its own data centers. Applications were monolithic tied to back-end relational databases. There was no cloud footprint or ecosystem.

Moving to the cloud offered many benefits: better scalability, faster application development, the opportunity to leverage microservices, and flexible infrastructure. But the company had limited experience with cloud computing.

The CIO reached out to Lightstream for help. The IT team had decided to modernize its mortgage lending application and deploy it in Microsoft Azure. To do that, they needed to architect a hybrid cloud environment that met all security and regulatory requirements for the financial services industry and ensure it remained compliant indefinitely.

Solution

Lightstream began by performing a Cloud Foundation Framework engagement. Cloud experts assessed the company’s existing infrastructure components (from compute/storage to bare metal devices), security and governance posture, and application portfolio. Then, they worked with the company to align its business outcomes with technical capabilities in Azure and created a design blueprint for the new environment.

The blueprint defined all the technical specifications required to extend the company’s on-premise environment into Azure. It addressed cloud configurations and platform governance, identity and access management requirements and integration, network and interconnectivity needs, security services, and operational processes.

Armed with the blueprint, Lightstream’s technical specialists then built the Azure environment. This provided a safe, compliant destination or landing pad for the company’s application portfolio migration.

To ensure ongoing compliance, the company selected Lightstream Cloud Managed Services—a comprehensive service offering that manages cloud security, spending, and technology—to oversee management and operation of its Azure environment.

Business Outcomes

Improved Governance and Security Posture

The Cloud Foundation Framework helped the company design its Azure environment to meet the strict security and regulatory requirements of the financial services industry. This improved their overall security posture and enabled them to deploy applications with confidence. In addition, Cloud Managed Services has enabled the company to improve governance over the new environment by providing operational expertise and proactive management to ensure compliance as new applications are developed and deployed.

Reduced Time-to-Market for Application Development

With a secure, compliant foundation built in Azure, the company was able to design and deploy   a new mortgage lending application faster than it could have in a legacy environment. The Azure environment also provides the foundation needed for the company’s DevOps team to develop new applications to satisfy the evolving needs of their customers. This enables the company to deploy new services and capabilities faster, improve service to its existing customers, and attract new consumers.

Improved Operating Environment

Azure provides a number of improvements to the company’s operating environment. There is an improved communication landscape, reducing application latency and improving operational processes. And the new environment eliminates concerns over scalability.

Contact Information

To learn more about how Lightstream Managed Services can help your business build a secure hybrid cloud environment that will help you modernize your applications and improve customer experience, visit www.lightstream.tech/solutions/managed-services/.