I recently interviewed Stephen Northcutt, President of the SANS Technology Institute, about how the security problems have remained the same for the last twenty years. He reminded me of the SANS 20 Critical Security Controls:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on Need to Know
- Continuous Vulnerability Assessment and Remediation
- Account Monitoring and Control
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Wireless Device Control
- Data Loss Prevention
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Appropriate Training to Fill Gaps
The majority of these controls existed twenty years ago. The specific details of how we provide security around each of the controls have changed, but the basic principles have not.
As we move to Cloud Computing environments, consider these questions:
- In a shared environment where your data is hosted by a third party, what is to prevent someone at your supplier from using their administrator privileges to access your data and make it available to your competitors (#8)?
- How will you provide fine-grained control to your data and applications based on individual rights within your application (#9)?
- Does your vendor immediately inform you of any invalid use of your accounts (#11)?
- Does your vendor conduct penetration testing, and if so, do they report the results to you (#17)?
The questions may be the same, but you might be surprised at the answers that you get.