Hybrid IT -management: maximum security and compliance

After my previous blog entry that focused on the core values of continuity and performance , I’m going to take a closer look this time at the core values of maximum security and compliance. How does your hybrid IT solution score in those terms? They are two aspects that often go hand in hand, so I’m going to discuss them together Good security is essential, given that legislation, certifications and other regulations mean that we have to protect a great deal of information nowadays. Numerous organizations are obliged to report on their cybersecurity, even if it’s only to show the board that intellectual property is being kept secure, for instance.

The risk of data theft increases when that data is kept at multiple locations. It is also important to determine precisely what systems are involved, what data is stored on them and where the vulnerabilities are. As well as knowing which people within the organization actually have access to it. We check all that before migrating data to the cloud and moreover look to see if the information is still relevant for your organization, because data that doesn’t matter anymore can be deleted or archived. That may sound simple, but it isn’t. It demands clear and detailed policies that are actively maintained, policies that are moreover monitored so that the requisite evidence is available in the event of an audit or other inspection. The following solutions can be hugely helpful in restricting the risks to a minimum:

Identity & Access management (IAM)

It is unfortunately far from unusual: a malicious individual posing as an employee and trying to break into the environment, your SaaS application or some other resource. That becomes all the easier when an IT environment’s hybrid nature means it is located in multiple physical locations. A good IAM solution is a help, as it prevents the user database from becoming outdated and contaminated and makes it much easier to manage. Adding multi-factor authentication (MFA) reduces the risks of unauthorized access to your environment even further. This is already mandatory for various SaaS applications. A single sign-on dashboard, so that a user only needs to log in once to get access to all the business applications through a single secure interface, offers added value to your users in terms of both adoption and ease of use and enjoyment.

Data management, risk and compliance

The type of business information that poses the greatest risk is the unstructured dataset. This refers to data that is not stored in an application or database but can still reside on a multitude of platforms and locations: file servers, SharePoint environments, e-mail environments, OneDrive, GSuite or Office 365. Such data is often outdated, uncategorized and without any identifiable owner within the organization. The security risks can be resolved by a targeted audit. Intelligently measuring whether data is still being used can let us determine whether data is still relevant and ought to be retained. Classifying it intelligently lets us determine how important data is for your organization. Rights, roles and user groups are set up on that basis so that policies are supported and compliance requirements are met. Alerting can be introduced so that abnormal data usage is automatically reported and action can be taken in time. Data management can add significant value for complying with legislation and regulations, and for certifications and your own risk awareness.

Firewall and security monitoring

Good security naturally requires a good firewall and close monitoring of the network traffic. The Next Gen Firewall not only acts as a gatekeeper but is also capable of identifying suspicious traffic, backed up by behavioural analysis and artificial intelligence. Mapping the hybrid environment rigorously lets us set up targeted gatekeepers and determine what intelligence is needed at what points in the network. This type of enterprise security monitoring can also be purchased as a service. You will then get a high-quality and up-to-date implementation of your environment at an agreeable price. And yes, you will be completely unburdened.

There are numerous other solutions, of course, such as vulnerability management, which accurately detects vulnerabilities in your technology, software, configuration and policies. The take-home message here is that good security is crucial!
But before you purchase or rent a solution, it is important to have a proper vulnerability analysis of your existing components, processes, software and services. Only then will you know precisely what will help your organization.

This blog entry has covered the second pair of key issues in this series of posts on the pitfalls of hybrid IT management and recommendations for handling it. These blogs give information for everyone who has plans to change to a Hybrid-IT concept, or who already has a Hybrid-IT concept, but wonders if this still fits. The next blog post will be about two more core values, scalability and the systems admin workload.

 

 

Hybrid IT – Maximum continuity and performance

The same principle applies to every business in every market: continuity is essential. Production may never grind to a halt. A postal company must be able to deliver its mail and parcels every day. A hospital must always be able to provide care. When you purchase part of your functionality as a digital service, continuity is often guaranteed in a Service Level Agreement (SLA). Does this guarantee uninterrupted production? No, because the chain is as strong as the weakest link. This is why, after opting for a Hybrid IT concept, you will have to map out your weakest links with regard to continuity. Where are your dependencies?

Mapping continuity risks

Let’s assume that you purchase workplace packages as a service. Office 365 has high-quality SLAs, both in continuity and in security and functionality. The service is provided via the internet and linked to your internal systems. This service from Microsoft, the internet connection and the internal link to your systems all form a chain. To fully map out the risks for your primary processes, you will have to analyse the entire chain for continuity risks.

There are a number of questions you have to ask here:

  1. 1. If this functionality fails, what is the threat to my primary process?
  2. 2. How are the SLAs interrelated? If 100% uptime is guaranteed, but the internet line has an uptime of 99%, the service may have a certain level of downtime. Do I want this and, if not, how can I resolve it?
  3. 3. Are the internal systems scaled for the continuity this service should provide? For example: which internal disruptions can prevent the entire organisation from sending emails? Examples are Firewall environments, Active Directory environments, power cuts, back-up and restore environments and procedures, etc.
  4. 4. How can I manage these environments, who is responsible for them and who coordinates this? Is this management strategy compatible with the SLAs from the service provider and the most important aspect for you as a business: how do I remain in control?
  5. 5. What is my continuity risk if my service provider goes bankrupt?

Responding to emergencies

When setting up their business continuity management, organisations often focus on the operational aspect, e.g. the presence of an alternative location in case of a calamity. However, these kinds of measures will only become effective once the critical business processes are disrupted. Simply responding to calamities is not sufficient. It is also about preventing calamities. Apart from operational measures, this requires forward thinking and a proactive approach. Business continuity is a strategic topic and must be discussed on a managerial level.

In conclusion: a proper risk analysis at all business levels is an absolute must when analysing the continuity of your IT environment. This will reveal all the risks and allows you to assign the right priorities to the various subjects. You can then map out all the mitigating measures. After all, you don’t just want to prevent risks; you also want to know what to do to minimise the consequences of these risks, should they become reality after all.

Outsourcing Hybrid IT environments

A growing number of organisations are currently opting for outsourcing constructions. For the vast majority, it is comforting to place the entire responsibility for IT as a service in the hands of a single party. This is obvious, as a hybrid IT environment has a higher risk in terms of assigning responsibilities if the service is disrupted. Choosing a single supplier generally makes the outsourcing process clearer and improves its quality, as such a party is specialised in this kind of service. Whatever client-specific wishes or processes they may face, it’s basically just more of the same to them. And this in turn benefits the continuity of the client organisation.
And its performance.

In this blog we discussed the first two core values pitfalls and recommendations in Hybrid IT management. This blog is part of a series. These blogs give information for everyone who has plans to change to a Hybrid-IT concept, or who already has a Hybrid-IT concept, but wonders if this still fits. In the next blog the core values safety and complience will be discussed.

 

Hybrid IT management: pitfalls and recommendations

Everything hinges on information technology. Well OK, a lot in any case. Organisations are largely dependent on their IT environment for both administrative processes and production processes. These operations are often largely digitally linked. This means that if IT breaks down, this is a direct threat to your primary business processes – and the continuity of your business as a result.

The computerisation of processes continues relentlessly: the future is digital. It forces companies to view their own organisation in a different light. Where can I gain efficiency, what are the risks and how can I keep my primary process under control? These issues are nothing new as such, but they have gradually become IT-related issues. The question is: is your business set up for this? Is your IT infrastructure ready for the future?

Six core values

Every company pursues the following six core values: maximum continuit and performance, maximum security and compliance, and last but not least ahoge high level of scalability with minimum management constraints. These core values are as old as the business community itself. But because IT is increasingly becoming a determining factor for business processes, these processes are more and more approached from an IT perspective.

In practice, this has resulted in a greater demand for technology that can share resources. Examples are hard- and software virtualisation, shared back-up resources, shared internet connectivity and shared email environments. Today’s IT environments are built to comply with these six core values.

Cloud

Cloud technology has accelerated this enormously. The cloud is popular, because it adds value in both the short and the long term. SaaS services are scalable, do not require investment of capital and give you easy access to “enterprise-grade” systems. All of this is at a fraction of the costs (you only pay what you purchase) and without any worries for system management and maintenance. You can adapt to changing business needs and market conditions at lightning speed. The functionalities can be set up and provided in-house or purchased as a service via the internet. “IT ready-made”: easy, effective and affordable.

Despite this, a cloud-based model is not always automatically the best solution for your business. Perhaps one size fits all does not apply to you; you may have application environments that cannot be migrated to the cloud (yet) for whatever reason. You may, for example, want to maintain control over certain data. Data that is unique to your organisation. Data that is essential to your business processes and mission, and that you want to keep in your own IaaS environment. You would like to keep part of it on-premise.

The best of both worlds: Hybrid IT

This gives birth to the concept of Hybrid IT: a mix of in-house and cloud-based services that offers the best of both worlds: the ease, the flexibility and the cost and collaboration benefits of a cloud platform, and the control and easy accessibility of having your own server. Choose the most suitable application for each workload and put your data in the best location in terms of security or regulations. Use the cloud for the rapid development and testing of prototypes before storing them in the private environment and using them. For many organisations, Hybrid IT is the best way to keep up with the rapid digital transformation.

This does not change the questions you need to ask yourself. Where can I gain efficiency, what are the risks and how can I keep my primary process under control? What is your Hybrid IT solution’s score for the six core values mentioned: continuity, performance, security, compliance, scalability and management constraints? This will decide your company’s success.

In the coming period I will be writing a blog for each core value with the following approach: pitfalls and recommendations for Hybrid IT management. They are meant for anyone who is planning to switch to a Hybrid IT concept, or who already has a Hybrid IT concept but is wondering whether it is (still) a good match.

I hope you find them enjoyable to read!

 

Vulnerabilities in our IT: how do I find them and keep them under control?

Controlling our IT environment when it comes to the vulnerabilities that are present is becoming an increasingly important topic in IT security. We will be happy to tell you how to do this!

What is a vulnerability?

A vulnerability in our IT environment is a technical flaw that cybercriminals can use to gain access to the IT environment. This may involve many different vulnerabilities. They range from gaps in the security of IP camera software to bugs in the software version of a server. You can imagine that there are so many vulnerabilities these days that it is basically impossible to keep them all under control yourself. Environments cover many different locations, such as the cloud, your own IT platform, but also “Bring your own device” equipment. Giving a virus, malware or simply a hacker access to unsecured equipment that is not being managed by the organisation is something that happens every day.

CVSS

These vulnerabilities can be tested with the Common Vulnerability Scoring System (CVSS). This is a free and open industry standard for assessing the severity of vulnerabilities in the IT environment. CVSS assigns scores to vulnerabilities, allowing us to prioritise them based on the following aspects:

  • How much effort is required to make use of the vulnerability?
  • What is the impact if the vulnerability is used?
  • What is the probability of this vulnerability being used?

CVSS assigns a score based on formulas. The score value depends on the impact on users and the possible effect of misuse. Scores vary from 0 to 10, whereby 10 is the most severe. The CVSS scores change along with the market, the standard is currently at version 3.1. CVSS provides an open standard in which almost all vulnerabilities are investigated and mapped out. This is one of the tools that we can use to obtain a clear picture of all the vulnerabilities to which the IT environment is being exposed. Every new vulnerability is also added to the CVSS database as quickly as possible, allowing the market to arm itself against them.

Penetration testing

A traditional way of checking whether there are any “leaks” in the security of the IT environment is to perform a penetration test (pen test). This is a rather labour-intensive project and includes many more angles, because IT environments have become much bigger over time. The fact that a cloud or a hybride cloud environment is often used in combination with a “Bring your own device” policy also makes it more complex to secure the environment and perform pen tests as a result. We have noticed a greater need for investigating which vulnerabilities are present prior to a pen test. The pen test is then used to validate this investigation.

You could view this as a security specialist who first carries out an inspection round on the site to be secured to map out the risks. He then determines where cameras and motion detectors should be installed and at which doors guards should be posted. A so-called “mystery guest” can then test whether he can gain access.
Vulnerability management

An increasing number of organisations have an active vulnerability policy. This is done for various reasons:

Staying abreast of the latest vulnerabilities.
A real-life check of whether/which vulnerabilities are actually present in the IT environment.
Full picture of all the equipment that connects to the network.
Project-related insight into eliminating vulnerabilities based on priority.
A great tool for the security department to check which targets have been achieved and which ones still need to be achieved.

You can imagine that manually checking the whole environment and performing all the cross-checks between software versions, equipment types and the CVSS database is a huge undertaking, even if the IT environment is not that large. So it is highly advisable to implement solutions that can do this automatically. These are vulnerability management solutions. Several of them are currently available, which really add a lot of value with the insights they provide.

Do you want more insight?

When our customers have questions about which solutions/measures should be prioritised and truly provide added value, we carry out a vulnerability assessment. This allows us to obtain an insight into the status quo of the environment in terms of vulnerabilities.

These facts provide a very clear picture of the steps to be taken and the associated investments in a financial and operational sense.

If you are curious about how this works exactly, feel free to contact me; I will be happy to tell you all about it.

Alwin Veen – Product specialist
a.veen@felton.nl
06-52869094

× Stel je vraag via Whatsapp Available on SundayMondayTuesdayWednesdayThursdayFridaySaturday