
Four Cornerstones for Cloud Security

October is Cyber Security month. In what seems like a never-ending process, we continue to face new and advancing threats to the integrity of our data, identities, and businesses. For those of us with small and midsize businesses, we need to ensure our systems and information are secure. At the same time, we want to keep our IT systems simple and manage our budgets.

Strategy

To strike the right balance, we need to assess our current security foundation, identify gaps, and fill in services where needed. Doing so creates a security foundation that covers your basic needs.  From there, you can add services and build the security footprint you need to meet industry expectations and regulatory requirements.

A sound cloud security foundation is built on four cornerstones for cloud security.

1 Basic C/I/A

Ensure the confidentiality, integrity, and availability (C/I/A) of information you create, receive, maintain, or transmit.

This cornerstone establishes your basic security infrastructure that protects against attacks and prevents breaches across your IT systems.  It also creates your ability to respond to issues and recover, key to ensuring business continuity and resilience.

2 External Threat Protection

Identify and protect against reasonably anticipated threats.

This cornerstone focuses on the attacks and threats from outside your business. From phishing, ransomware, and business email compromise, to DNS and advanced persistent threats, the focus is on protecting your data, applications, systems, and people from harm.

3 Data Loss Protection

Identify and protect against reasonably anticipated uses and disclosures.

Data breaches and data loss result from configuration issues, application errors, and individual actions. Permission errors, inappropriate sharing, and other actions are often accidental, resulting from a lack of understanding of policies and/or how systems work. They can, however, result from intentional acts of misconduct. Solutions that set this cornerstone protect against these internal risks and threats.

4 Compliance

Ensure workforce and business compliance.

Nearly all businesses must meet basic legal requirements to protect sensitive information. Most businesses must also adhere to industry and additional legal requirements. This cornerstone encompasses the policies and procedures that ensure your team and your business meet your compliance requirements. It also includes the tools and methods to enforce policies and report on compliance.

Tactics

To ensure your cornerstones are set and your security foundation is in place, conduct a security footprint assessment. For each cornerstone, identify the services you have in place and those that may be needed. The assessment should cover the “CPRs” of security:

  • Communication/Education
  • Protect / Prevent
  • Respond / Recover

For more information, send us an email or complete our contact form.

Where to Look for IT Savings

Almost all of our businesses are feeling the impact of COVID-19.  Revenues and cash flows are down and some costs are rising. We are all looking to cut expenses. Information technology and services can be a good place to find savings.

Most businesses can find savings in their IT services. Here are some places to look.

Unused Accounts

It is a common practice to hold onto the accounts for past employees or projects with the expectation that we may want or need to access the information at some point in the future. Often, these accounts incur costs as they remain billable within your systems. Here are some methods that you can use to clean up old accounts in Microsoft 365 and G Suite without losing data:

  • Transfer ownership of files and other data to other employees before removing an account.
  • Transfer ownership of files and other information to a designated archive account that will hold historical information for multiple past employees.
  • Use a backup service to snapshot the account(s) and verify you can restore the data. Most cloud backup services let you restore to an alternate user, and the licenses are significantly less expensive than a Microsoft 365 or G Suite account.
  • Export data from past employee accounts into a searchable format as an archive.
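As an added example that is not part of the original post, the following PowerShell uses the Microsoft Graph PowerShell SDK to inventory disabled Microsoft 365 accounts that are still holding paid licenses, and to remove those licenses only from accounts you name after their data has been transferred or backed up as described above. It assumes the Microsoft.Graph modules are installed and that you sign in as an admin with the User.ReadWrite.All permission (User.Read.All is enough for the report alone); the two function names and the sample address at contoso.com are assumptions, not names from the post.

```powershell
# Added example (not from the original post): find disabled Microsoft 365 accounts
# that still consume licenses, then remove licenses from a reviewed list of them.
# Assumes the Microsoft.Graph modules are installed and the signed-in admin holds
# User.ReadWrite.All. Function names below are assumed for this example.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

function Get-DisabledLicensedUserReport {
    [CmdletBinding()]
    param()

    # Map SKU GUIDs to readable part numbers (e.g. ENTERPRISEPACK) for the report.
    $skuNames = @{}
    foreach ($sku in Get-MgSubscribedSku) { $skuNames[$sku.SkuId] = $sku.SkuPartNumber }

    # Disabled accounts are the usual "kept in case we need the data" leftovers.
    $users = Get-MgUser -All -Filter "accountEnabled eq false" `
        -Property Id,UserPrincipalName,DisplayName,AssignedLicenses

    foreach ($u in $users) {
        # Skip disabled accounts that no longer cost anything.
        if (-not $u.AssignedLicenses -or $u.AssignedLicenses.Count -eq 0) { continue }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            Licenses          = ($u.AssignedLicenses | ForEach-Object { $skuNames[$_.SkuId] }) -join ';'
            SkuIds            = @($u.AssignedLicenses.SkuId)
        }
    }
}

function Remove-LicensesFromDisabledUsers {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Pass only the accounts whose files and mail have already been transferred,
        # archived, or backed up and verified; do not pipe in the whole report.
        [Parameter(Mandatory)] [string[]] $UserPrincipalName
    )
    foreach ($upn in $UserPrincipalName) {
        $u = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses
        # Never strip licenses from an account that is still in use.
        if ($u.AccountEnabled) { Write-Warning "$upn is still enabled; skipping."; continue }
        $skuIds = @($u.AssignedLicenses.SkuId)
        if ($skuIds.Count -eq 0) { continue }
        # -WhatIf / -Confirm are honoured here, so a dry run is possible first.
        if ($PSCmdlet.ShouldProcess($upn, "Remove licenses $($skuIds -join ',')")) {
            Set-MgUserLicense -UserId $u.Id -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
        }
    }
}

# Usage (run interactively after signing in):
# Connect-MgGraph -Scopes "User.ReadWrite.All"
# Get-DisabledLicensedUserReport | Export-Csv .\disabled-licensed-users.csv -NoTypeInformation
# Remove-LicensesFromDisabledUsers -UserPrincipalName 'former.employee@contoso.com' -WhatIf
```

Run the report first and reconcile it against your offboarding checklist; the removal function only acts on accounts you name explicitly, refuses accounts that are still enabled, and supports -WhatIf so you can see which SKUs would be released before anything changes.
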

Redundant Services

We see businesses sign up for new services, or keep existing services, even when they already have similar capabilities.  A lack of awareness and training can lead to redundant IT services. In most cases, even with feature differences taken into consideration, these redundant services are not needed — or are only needed by a few specific people.

If you are running Microsoft 365, you can use …

  • Teams for
    • Video conferencing instead of paying for Zoom, Webex, or GoToMeeting
    • Audio conferencing instead of paying for a third party service
    • social communication and teamwork, instead of paying for Slack
  • Teams Live to stream/broadcast events to large private groups or the public
  • OneDrive, SharePoint, and/or Teams for sharing files with others, instead of paying for DropBox
  • SharePoint for secure internal and secure external portals
  • Planner for project and task management instead of Trello and other third party applications
  • Bookings for appointment setting instead of paid services like ScheduleOnce and Calendly
  • Shared Inboxes and Groups for simple service desk / call center functions

If you are running G Suite, you can use …

  • Google Meet for video conferencing instead of paying for Zoom, Webex, or GoToMeeting
  • Google Meet audio conferencing instead of paying for a third party service
  • Chat for social communication and teamwork, instead of paying for Slack
  • YouTube Studio to stream/broadcast events to large private groups or the public
  • My Drive and Shared Drives for sharing files with others, instead of paying for DropBox
  • Sites for secure internal and secure external portals
  • Shared Inboxes and Groups for simple service desk / call center functions

Shadow IT

Chances are, if you scan your environment, your company charges, and expense reports, you will find employees using one-off or personal IT services that you have not approved or authorized. In addition to costing you money, these services remove data from your systems and expose you to the risks of data loss and liability. In many cases, employees turn to “Shadow IT” services because they perceive these services as more convenient or easier to use than company resources. Here are ways to rein in Shadow IT:

  • Actively look for employees using Shadow IT services. Scan your environment, credit card fees, and expense reports. You can also use tools like Blissfully to find and quantify these services.
  • Find out why employees are using the services. Is it a missing capability, or are they unfamiliar with how to use the capabilities of company systems?
  • Educate and train employees rather than disciplining them.
  • If Shadow IT is filling a need, find a way to provide the capability within company systems if possible.

Move to Scalable Services

While it may sound counter-intuitive, now may be a good time to migrate some IT services to solutions that will scale better as your company continues to adjust to changing markets and business conditions. Moving from in-office, co-located, or hosted file servers to cloud file services, for example, replaces fixed assets and operating costs with services that can scale up and down with staffing levels and/or business volume. Moving to scalable services may be even more appropriate if you are facing hardware or system end of life, or if doing so will simplify and improve access to applications and files for those working from home.

Be Careful with Your Cuts

It may be tempting to cut services you feel that you rarely use. Be careful, however, that you do not make short-term savings decisions that will cost you much more later. See our companion post to learn more.

For help evaluating your IT environment for efficiency, please contact us to schedule a free Cloud Advisor session, or take a look at our Recovery Road Map Assessment.