In my first blog post of 2014, I wish you a Happy New Year and good tidings both personally and professionally.
We’re busy preparing for our “Payment Island Deconstructed” webinar next week (register here) and it strikes me that the best way to start the year is to understand and adopt some general security concepts that are part of our Payment Island. While that service is specifically designed for companies bound by Payment Card Industry requirements, it is rooted in a number of general security principles that should be requirements for any cloud infrastructure partner with whom you work.
Regardless of the regulated data your business deals in – PCI, HIPAA, SOX or something else – working with a service provider that employs the following best practices will help you keep your data secure, limit your compliance scope and get through audits faster and with less cost.
- Layered security: I’ve said it before and will continue to say it – your security practices drive compliance success, and are only as good as your weakest link. Employing a multi-faceted approach to security is the best defense against an offense that’s growing more sophisticated every day. The right combination of perimeter security, DDoS mitigation, Web application firewalls, IP filtering and IDS, and more will help lock down the cloud infrastructure, secure your data and help you meet your compliance mandates.
- Define responsibility: You’re working with a service provider, but who’s managing what? It doesn’t matter if we’re talking credit card data or patient healthcare records, if it’s not clearly defined who’s responsible for which pieces, big problems can ensue. Your security program will be stronger when there’s clear delineation of responsibilities between you and your service provider.
- Decoupled data: Tiny Hayes, a research director at industry analyst Gartner, was referring specifically to payment information when he recommended network segmentation as a way to reduce scope, but the idea holds for other regulated data. Leaving sensitive data in a monolithic IT environment makes it vulnerable to threats, increases your compliance scope, and slows down audits, which increases your cost. By decoupling regulated data from your local infrastructure, you restrict access to it, making it more secure and lessening your compliance burden.
- Limiting and controlling administrative access: Taking the idea of decoupled data a step further, restricting access to your data immediately improves its security. Human threat has always been – and will always be – the greatest risk to IT security. Putting administrative controls in place that segregate sensitive data from your corporate Active Directory permissions gives you the opportunity to tighten up who can access what, further protecting your data from internal threats.
If you are working with a cloud service provider and your business deals with data that has a compliance mandate attached to it, your best bet to start the New Year is to ensure these general best practices are in place. Here at Armor, we are taking our own advice on this – watch for more services that follow this prescription by the end of Q1.