Feb 12, 2019

Cloud Security FAQ: Handling Breaches, Compliance and Audits


How much is a stolen credit card worth? What about a passport?

People on the dark web pay anywhere from $5 to $110 for a card and $1000 to $2000 for a U.S. passport—perhaps more modest than most people might guess.

But what does a stolen credit card database cost a company? With the recent breach of a major hotel chain, which affected 383 million people, the number may total in the billions across multiple class action lawsuits and lost stock value—let alone the intangible hit that the brand’s reputation will take.

Needless to say, in the era of daily reported (and more unreported) breaches, it’s important for every organization to take a close look at their security posture to ensure that they are doing everything they can to protect the personal information entrusted to them by customers and employees alike, in addition to intellectual property and financial records.

But where should organizations start? Maintaining the strictest standards and best practices for compliance must be the foundation for any effective strategy.

How Do You Prepare for the Inevitable Data Security Breach?

This is probably not the first time you’ll hear this—and it definitely won’t be the last—but it bears repeating: At some point, every organization will experience a breach on some level, and it’s best for security professionals to approach it as an inevitability and then plan accordingly.

Here are some helpful tips:

Segregate important data from unprivileged users and data.
Keep your crown jewels separate; after all, you don’t store all of your belongings in a safe, only the important ones. Limiting where sensitive data lives also narrows the scope of your compliance obligations.

Have a detailed incident response plan.
Decide how you will deal with a compromised system before it happens: how you will determine the scope and scale of the compromise, whether to isolate the system from the network immediately (the safest default for containment, though it can destroy volatile evidence and tip off the attacker, so decide in advance what to capture first), and whose help you will enlist to contain and remediate it.

Maintain good backups.
Often, the quickest way to be sure you have removed an attacker’s foothold is to roll back to a known-good state from before the compromise occurred. Restoring alone does not close the vulnerability that let them in, so patch or reconfigure before bringing the system back online, and test your restores regularly.

Log everything.
Firewalls, file integrity monitoring, web application firewalls, system logs, antivirus, etc. Forwarding these to a centralized Security Information and Event Management (SIEM) tool lets you piece together how you were compromised and what happened afterward, and keeps the logs out of reach of an attacker who controls the compromised host.

Encrypt wherever possible.
Encrypting data at rest and in transit limits an attacker’s ability to read critical information, provided the keys are stored and managed separately from the data they protect.

Use two-factor authentication.
A second factor limits the damage of phishing, since a stolen password alone is no longer enough to log in.

Stay up to date on security and software patches.
There is usually a window between a vulnerability’s disclosure and its widespread exploitation; patching promptly keeps you ahead of it.

Security is always an ongoing effort.
It should not and cannot be a “set it and forget it” task on your checklist.

What Are Compliance Frameworks, and Why Do They Matter?

Most compliance frameworks—such as PCI DSS (to protect payment card data), HIPAA (to protect health care information) and ISO 27001 (an international standard for information security management systems)—include “have-to-have” security technologies, policies and procedures. For example, being PCI-compliant and being able to prove it via an Attestation of Compliance (AoC) is necessary to do business with customers that have PCI requirements.

Meeting the requirements of compliance frameworks is a good start to any security program but should not be considered the gold standard or sufficient on its own. Frameworks are revised infrequently, and they’re typically built around a lowest-common-denominator security program. Technologies and practices should be evaluated and updated far more often than that, especially for high-value targets.

For organizations without robust compliance teams or experience, service partners and MSPs can support compliance initiatives, providing their time and expertise, while also demonstrating a commitment to protecting valuable customer data beyond the standard compliance frameworks.

What’s a Compliance Audit, and What’s the Most Effective Way to Pass?

Audits involve a third-party security firm (often licensed for the particular audit they are performing) that is brought in to evaluate how the company’s security program is applied to ensure it is in line with the relevant compliance or security framework. An audit is often a requirement for any company that handles sensitive information, as well as for any contractors, third parties or MSPs that are involved in the handling of the sensitive data.

For any company, the desired outcome is a clean bill of health, but often, infractions or vulnerabilities are found and then reported as findings. Regardless of the outcome, an audit can be a stressful time for any company, especially since not all companies have the in-house security teams required to accomplish an entire audit front to back.

This is where having an MSP to partner with makes sense. The MSP is able to handle the portions of the audit they are responsible for, which reduces the load on both the company as well as the auditor, saving money and valuable time.

Working with a managed service or cloud provider that doesn’t ensure the strictest standards of compliance requires that those providers be pulled into the company’s audit, which may cost extra time and money to both the service provider and the auditor. It also can be a pain to schedule and manage across multiple parties, and this can cause delays in the audit, which may result in gaps in compliance.

If your MSP or cloud provider has already independently audited their infrastructure, it does not need to be audited again by the customer’s auditor. Instead, the auditor can use the AoC provided by the MSP or cloud provider to cover that portion of the audit.

For customers with requirements like PCI, a failed audit may have a large impact on a line of business’s operations, or on the entire business, depending on how much of the company depends on handling that data. Consequences can include fines, lawsuits, additional liability in the event of a breach, or even card brands refusing to do business with the company.

How Can a Managed Service Provider Help With Compliance?

Managed service or cloud providers can do the heavy lifting of compliance-related work so you don’t have to. Here at INAP, we maintain a robust, PCI-compliant management platform for dedicated hosting. For customers that require it, we can provide an AoC that speaks to the compliance we maintain for critical pieces of our customers’ infrastructure.

Our technical and solutions engineering teams can also help you design and build a secure environment from start to finish, advising you on new technologies and advanced security procedures to protect your critical information and ensuring that your company has a best-of-breed security stance. By leveraging our security and management tools, we can be an “easy button” for your security needs.
