5 IT security measures to safeguard distributed environments
In today's complex IT landscape, it's easy to make mistakes that leave applications and data vulnerable. Follow these five tips to create a comprehensive security plan.
When asked, every IT or business leader will identify security as a top priority.
Security, however, is only one factor among many -- such as performance and availability -- that IT leaders and application developers must consider when prioritizing financial and personnel resources. And while most organizations are willing to dedicate time and budget to IT security initiatives, those efforts can't crowd out other priorities -- which contributes to the continual onslaught of successful attacks.
It isn't easy to install and maintain tight IT security measures, and organizations need advice that goes beyond vendor-pitched technologies and instead addresses the full range of threat vectors and attack techniques.
Here are five key tips for IT leaders and DevOps teams to bolster security for a distributed environment and workforce.
1. Track and prioritize IT inventory and assets
The easiest path for a burglar is through an unlocked door -- especially one the homeowner didn't even know about. The same holds for software attacks, where orphaned VMs, shadow IT servers and unmonitored -- or forgotten -- applications can be a gateway into one's data center, and lead to more sophisticated attacks on critical systems.
Maintain an updated inventory of system and software assets and prioritize their business value so that critical systems receive the most stringent security protections.
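As an added illustration of the inventory step (example code, not from the article), the script below reconciles a CMDB-style asset export against the hosts a discovery scan actually found. Hosts that were discovered but never inventoried (the "unlocked door the homeowner didn't know about") are reported first, and the remaining findings are ordered by business tier so critical systems are reviewed before low-value ones. The inventory rows, discovered hostnames and tier scheme are all constructed for the example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed CMDB export (hypothetical hosts). business_tier: 1 = critical, 3 = low value.
INVENTORY_CSV = """hostname,owner,business_tier,last_reviewed
db-prod-01,payments-team,1,2024-01-15
web-prod-02,storefront-team,1,2024-02-01
jenkins-old,platform-team,2,2022-06-30
test-vm-7,,3,2021-03-12
"""

# Constructed result of a network discovery scan (hypothetical hostnames).
DISCOVERED_HOSTS = [
    "db-prod-01", "web-prod-02", "jenkins-old", "test-vm-7",
    "unknown-box-9", "dev-laptop-44",
]


@dataclass
class Finding:
    hostname: str
    issue: str
    priority: int  # lower value = review sooner; 0 is reserved for unknown hosts


def load_inventory(csv_text):
    """Parse the CMDB export into a dict keyed by hostname."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(inventory, discovered, today_iso, stale_days=365):
    """Compare inventory against discovery output and return prioritized findings."""
    today = date.fromisoformat(today_iso)
    seen = set(discovered)
    findings = []

    for host, rec in inventory.items():
        tier = int(rec["business_tier"])
        if host not in seen:
            findings.append(Finding(host, "in inventory but not discovered (decommissioned or unreachable?)", tier))
        if not rec["owner"]:
            findings.append(Finding(host, "no owner assigned", tier))
        reviewed = date.fromisoformat(rec["last_reviewed"])
        if (today - reviewed).days > stale_days:
            findings.append(Finding(host, f"not reviewed in over {stale_days} days", tier))

    # Anything on the network that the inventory does not know about is the top priority:
    # its business value is unknown, so it cannot be protected at the right level.
    for host in discovered:
        if host not in inventory:
            findings.append(Finding(host, "discovered but not in inventory (shadow IT or orphaned VM?)", 0))

    findings.sort(key=lambda f: (f.priority, f.hostname))
    return findings


if __name__ == "__main__":
    for f in reconcile(load_inventory(INVENTORY_CSV), DISCOVERED_HOSTS, "2024-03-01"):
        print(f"[tier {f.priority}] {f.hostname}: {f.issue}")
```

In practice the discovery list would come from a scanner or cloud API rather than a literal, and the "not discovered" case deserves a follow-up rather than deletion from the inventory, since an unreachable critical host may simply be segmented from the scanner.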
2. Develop and practice an incident-response plan
People make mistakes and no process is perfect, so security incidents occur even in well-protected organizations. A thorough and tested response process for defense failure minimizes damage, reassures customers and employees, and reduces business disruption. This IT security measure must include periodic testing via an independent -- usually third-party -- white hat penetration testing firm that can simulate advanced attacks. Ideally, these sessions are unannounced to maximize realism and prevent security teams from going on high alert with temporary measures before the test.
3. Patch, update and scan systems regularly
Too many attacks succeed by finding well-known security holes that software vendors already patched. Unless an OS or software patch creates problems for a particular application, strive to update everything to the latest patch levels. Additionally, run security scans regularly on systems to find open ports or APIs, or other weaknesses that IT security teams can tighten without disrupting operations or users.
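The two checks this tip describes, comparing installed software against the versions in which known holes were fixed and flagging listeners that are exposed beyond what the host needs, are shown together below as an added example (not code from the article). Package names, versions, the minimum-fixed-version table and the socket list are all constructed; in a real deployment the fixed versions come from vendor advisories and the listener list from the host itself (for example `ss -ltn` on Linux).

```python
import re

# Constructed snapshot of installed packages on a host (hypothetical versions).
INSTALLED = {
    "openssl": "1.1.1k",
    "nginx": "1.18.0",
    "sudo": "1.9.5p1",
}

# Constructed table: first version in which the vendor shipped the relevant fix (hypothetical).
MIN_FIXED = {
    "openssl": "1.1.1t",
    "nginx": "1.18.0",
    "sudo": "1.9.5p2",
}

# Constructed list of listening sockets as (bind address, port), e.g. from `ss -ltn`.
LISTENING = [("0.0.0.0", 22), ("0.0.0.0", 443), ("0.0.0.0", 6379), ("127.0.0.1", 5432)]

# Ports this host is expected to expose to the network (hypothetical allowlist).
ALLOWED_PUBLIC_PORTS = {22, 443}


def version_key(version):
    """Turn a version string into a sortable tuple.

    Numeric runs compare as integers and letter runs as strings, so
    "1.1.1k" < "1.1.1t" and "1.9.5p1" < "1.9.5p2" as a human would expect.
    Each element is tagged so an int is never compared against a str.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def outdated_packages(installed, min_fixed):
    """Names of installed packages older than the version that carries the fix."""
    return sorted(
        name for name, ver in installed.items()
        if name in min_fixed and version_key(ver) < version_key(min_fixed[name])
    )


def exposed_ports(listening, allowed):
    """Ports bound to all interfaces that are not on the allowlist.

    Loopback-only listeners are ignored: they are not reachable from the network.
    """
    return sorted(
        port for addr, port in listening
        if addr in ("0.0.0.0", "::") and port not in allowed
    )


if __name__ == "__main__":
    print("packages below fixed version:", outdated_packages(INSTALLED, MIN_FIXED))
    print("unexpected exposed ports:", exposed_ports(LISTENING, ALLOWED_PUBLIC_PORTS))
```

The version parser is deliberately simple; distributions that carry patches in their own version suffixes (Debian's `1.1.1k-1+deb11u3`, for instance) need the distro's comparison rules, which is one more reason to let the package manager's own security feed drive the check where possible.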
4. Require and fortify credentials
A strong IT security posture requires credentials for all users, system accounts and APIs -- and a ban on account sharing. Anything -- whether a person, application or machine -- that accesses other resources needs a separate identity and a strong, unique password. Use multifactor authentication (MFA), which combines a password with one or more of the following:
- A hardware security key, such as YubiKey or Google Titan;
- A code-generation app, such as Google or Microsoft Authenticator apps, or Authy;
- Mobile device biometrics; or
- An SMS-delivered PIN to protect against potential SIM-swapping attacks.
MFA is a must for all admin accounts, as well as any accounts that manage application or system certificates and shared secrets for data encryption keys.
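To make the "code-generation app" factor concrete, here is an added example (not from the article) of the time-based one-time password scheme those apps implement, RFC 6238 TOTP built on RFC 4226 HOTP, using only the Python standard library. It generates codes the way an authenticator app does and verifies them the way a server should: with a small clock-skew window, a constant-time comparison, and a record of accepted time steps so a captured code cannot be replayed. The secret shown is the published RFC test secret, so the expected codes are the RFC's own test vectors; the `used` bookkeeping is this example's own and would live in a datastore on a real server.

```python
import base64
import hashlib
import hmac
import struct
import time

# The shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"
# Authenticator apps receive the secret base32-encoded (e.g. inside an otpauth:// QR code).
RFC6238_SECRET_B32 = base64.b32encode(RFC6238_SECRET).decode()


def secret_from_base32(b32_text):
    """Decode a base32 secret as shown to the user, tolerating missing padding."""
    padded = b32_text.strip().upper() + "=" * (-len(b32_text.strip()) % 8)
    return base64.b32decode(padded)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1, used=None):
    """Server-side check of a submitted code.

    Accepts the current time step plus `window` steps on either side to absorb clock skew.
    `used` is a set of time steps already accepted for this user; a matching code whose
    step is already in it is rejected, which blocks replay of a captured code.
    """
    if for_time is None:
        for_time = time.time()
    base_counter = int(for_time) // step
    for drift in range(-window, window + 1):
        counter = base_counter + drift
        if used is not None and counter in used:
            continue
        # compare_digest keeps the comparison time independent of how many digits match.
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            if used is not None:
                used.add(counter)
            return True
    return False


if __name__ == "__main__":
    print("secret for the app:", RFC6238_SECRET_B32)
    print("current code:", totp(RFC6238_SECRET))
```

Two things the code makes visible that the tip only states: the secret, not the code, is what must be protected (it is a long-lived symmetric key shared by app and server), and the server must bound both the skew window and the number of attempts per step, since each extra accepted step multiplies the chance of a six-digit guess succeeding.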
5. Fight phishers with training, zero-trust
Hackers exploit human trust and credulity with phishing attacks that present malware-loaded attachments or booby-trapped web links under the guise of a routine business email or text message. Such attacks bypass most internal defenses because they are initiated from the inside; the most effective prevention is employee training on proper IT security measures.
Once these basics are established, implement a zero-trust security environment, as described in Google's hypothetical case study, BeyondCorp. Zero-trust replaces centralized authentication and policies with a granular structure that moves policy enforcement to the edge and requires authenticated access for all services, systems and data.
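The policy-at-the-edge idea in this last tip can be shown as a per-request access decision, given here as an added example (not code from the article or from Google's BeyondCorp). Every request carries an authenticated identity and a device posture, each resource has its own rule, an unknown resource is denied by default, and the source network is recorded for logging but never consulted as a trust signal, which is what distinguishes this from perimeter-based authorization. The resources, groups and posture fields are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # groups asserted by the identity provider after authentication
    mfa: bool                # whether the session was established with a second factor
    device_managed: bool     # device is enrolled and attested by the organization
    device_patched: bool     # device meets the current patch baseline
    source_network: str      # logged only; deliberately not a trust input
    resource: str


# Constructed per-resource policy (hypothetical). Enforcement happens in front of each
# service, and there is no "inside the network" shortcut.
POLICY = {
    "wiki":        {"groups": {"employees"},   "mfa": False, "managed_device": False, "patched": False},
    "source-code": {"groups": {"engineering"}, "mfa": True,  "managed_device": True,  "patched": False},
    "prod-db":     {"groups": {"dba"},         "mfa": True,  "managed_device": True,  "patched": True},
}


def decide(req):
    """Return (allowed, reason). Default deny; every requirement must hold."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no policy for resource: default deny"
    if not (req.groups & rule["groups"]):
        return False, "user not in an authorized group"
    if rule["mfa"] and not req.mfa:
        return False, "MFA required for this resource"
    if rule["managed_device"] and not req.device_managed:
        return False, "managed device required"
    if rule["patched"] and not req.device_patched:
        return False, "device below patch baseline"
    return True, "allowed"


def audit_line(req, decision):
    """One log line per decision so detection teams can see denied and allowed access."""
    allowed, reason = decision
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={req.user} resource={req.resource} net={req.source_network} reason={reason}"


if __name__ == "__main__":
    remote_dba = Request("alice", frozenset({"dba", "employees"}), mfa=True,
                         device_managed=True, device_patched=True,
                         source_network="coffee-shop-wifi", resource="prod-db")
    onprem_no_mfa = Request("bob", frozenset({"dba", "employees"}), mfa=False,
                            device_managed=True, device_patched=True,
                            source_network="corp-lan", resource="prod-db")
    for r in (remote_dba, onprem_no_mfa):
        print(audit_line(r, decide(r)))
```

The contrast between the two sample requests is the point: the remote user on a healthy device with MFA is allowed, while the user on the corporate LAN without MFA is denied, because location confers nothing. The posture flags would in practice be fed by an endpoint agent or attestation service rather than asserted by the client.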