IT Security Strategy

A security strategy is the road map for protecting the information infrastructure in support of business goals, typically over a 5-year horizon. It can also be short term, for example a one-year plan to implement specific controls such as cloud security or SIEM integration. The starting point is understanding the vision and mission of the organization. Based on the business processes and requirements given by the respective owners, the CISO formulates the Information Security Strategy.

  • Suppose a company is planning for an HR system like ADP; there will need to be controls to protect the payroll data. IT security work exists to protect the acquisition, creation, storage, use, and exchange of digitally encoded information assets against unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure. IT security deployment means implementing measures that safeguard those assets using various technology configurations. In this way, IT security attempts to preserve the value, confidentiality, integrity, availability, intended use, and permitted processing of digitally encoded information assets.
  • For those of you who might be new to the field, let’s start with the basics. Cybersecurity revolves around three core principles: Confidentiality, Integrity, and Availability. Confidentiality means keeping your data private, Integrity ensures your data remains accurate and unaltered, and Availability means your systems are up and running when you need them.
  • Let’s look at some of the common threats. 

  • BYOD (Bring Your Own Device): problems arise when people bring their own laptop or device into the workplace for work, then take it home, use it for personal purposes, or let their children download and play computer games on it. Without anyone realising it, such a download can carry a computer virus; the malware then deletes, steals or copies organisational files stored on the device, and once the device is reconnected it spreads into the organisation's existing computer systems, destroying files or stealing data from them.

  • Insider threats: malicious insiders pose the greatest threat to an organization, and the best control against them is preventive: security awareness training and a security-conscious culture within the organization. We can add controls like DLP (data loss prevention) to prevent the unauthorized movement of sensitive information. For example, a dynamic DLP solution can prevent sensitive information from being stored on an external USB storage device or transmitted through email.
  • Quantum computers: cryptography stands out as the area where the emerging technology of quantum computing has the most direct effect, as it has the potential to break numerous encryption methods that are presently in use.
  • All of these pose risk to the organisation. Risk is nothing but the probability of occurrence multiplied by impact. So let's look at the ISO 31000 framework, which is for risk management. It's the framework for internal control over financial reporting, risk management, and fraud prevention. To assess risk:
  1. Identify and record current assets. Maintain an up-to-date and accurate record of all IT assets required to deliver services, keep it aligned with configuration management, and ensure a baseline is in place, meaning the minimum set of controls.
  2. Identify the threats to the assets along with the vulnerabilities that may be exploited. This is an analysis of how the assets may be compromised.
  3. Identify the impact that loss of confidentiality, integrity or availability of each asset would have on the business. In this step, the organization determines the impact or lost value if the asset were compromised.
  4. Assess the realistic likelihood of a security failure leading to the compromise of the asset. With this step complete, the organization can calculate the risks it faces, make a conscious decision to accept individual risks, or set priorities for implementing security controls to mitigate them.
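The four steps above carried through in code, as an added example that is not part of the original post: a constructed asset register with per-property impact ratings, a list of threats with the vulnerability each would exploit, and a score of likelihood multiplied by impact compared against a risk appetite. The asset names, owners, scores and the appetite value are all made up for illustration; an asset without its baseline controls is never accepted, whatever its score.

```python
"""Risk assessment over a constructed asset register, following the four steps
above. Added example: the assets, threats, scores and risk appetite are made up
for illustration and belong to no real organisation."""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = negligible/rare ... 5 = severe/almost certain


@dataclass
class Asset:
    """Step 1: one record in the asset register."""
    name: str
    owner: str
    conf_impact: int   # impact on the business if confidentiality is lost
    integ_impact: int  # ... if integrity is lost
    avail_impact: int  # ... if availability is lost
    baseline_in_place: bool = True  # are the minimum controls applied?


@dataclass
class Threat:
    """Step 2: a threat to an asset and the vulnerability it would exploit."""
    asset: str
    description: str
    vulnerability: str
    affects: frozenset  # which of C, I, A the threat compromises
    likelihood: int     # Step 4 input, on SCALE


def impact_of(asset: Asset, affects: frozenset) -> int:
    """Step 3: business impact is the worst loss among the properties affected."""
    levels = {"C": asset.conf_impact, "I": asset.integ_impact, "A": asset.avail_impact}
    return max(levels[p] for p in affects)


def assess_risks(assets, threats, appetite: int):
    """Step 4: risk = likelihood x impact; decide accept vs mitigate per threat.

    Returns the risk register sorted so the highest risks come first.
    """
    register = {a.name: a for a in assets}
    results = []
    for t in threats:
        asset = register[t.asset]  # KeyError here means the asset register is incomplete
        if t.likelihood not in SCALE:
            raise ValueError(f"likelihood out of range for {t.description!r}")
        impact = impact_of(asset, t.affects)
        score = t.likelihood * impact
        if not asset.baseline_in_place:
            decision = "mitigate (baseline missing)"  # never accept risk on an unbaselined asset
        elif score > appetite:
            decision = "mitigate"
        else:
            decision = "accept"
        results.append({"asset": t.asset, "owner": asset.owner, "threat": t.description,
                        "vulnerability": t.vulnerability, "likelihood": t.likelihood,
                        "impact": impact, "score": score, "decision": decision})
    results.sort(key=lambda r: (-r["score"], r["asset"], r["threat"]))
    return results


# Constructed register (not real systems or scores).
ASSETS = [
    Asset("payroll-db", "HR", conf_impact=5, integ_impact=5, avail_impact=3),
    Asset("customer-portal", "Sales", conf_impact=4, integ_impact=4, avail_impact=5),
    Asset("intranet-wiki", "IT", conf_impact=2, integ_impact=2, avail_impact=2),
    Asset("legacy-file-share", "Finance", conf_impact=3, integ_impact=3, avail_impact=2,
          baseline_in_place=False),
]
THREATS = [
    Threat("payroll-db", "Insider copies payroll data to USB", "no endpoint DLP",
           frozenset("C"), likelihood=3),
    Threat("payroll-db", "Ransomware encrypts the database", "missing OS patches",
           frozenset("IA"), likelihood=2),
    Threat("customer-portal", "Volumetric DDoS", "no rate limiting / CDN",
           frozenset("A"), likelihood=3),
    Threat("intranet-wiki", "Defacement via admin login", "default admin password",
           frozenset("I"), likelihood=4),
    Threat("legacy-file-share", "Malware from a BYOD laptop", "no endpoint protection",
           frozenset("CI"), likelihood=2),
]
RISK_APPETITE = 9  # scores above this must be treated

if __name__ == "__main__":
    for r in assess_risks(ASSETS, THREATS, RISK_APPETITE):
        print(f"{r['score']:>2}  {r['asset']:<18} {r['decision']:<28} {r['threat']}")
```

The output is the prioritised list the text describes: the two 15-point risks (payroll data leaving on USB, the portal being knocked offline) come first, the wiki defacement scores 8 and falls within appetite, and the file share is flagged for treatment regardless of its low score because it has no baseline.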

Let's think realistically. A company developing a product will have a product diagram too. We need to start incorporating security at that initial phase.

We need to reduce the attack surface so it becomes tough for bad actors to get into the IT ecosystem. We can have a baseline configuration, meaning the minimum set of controls in place. Use a firewall to separate the business network from external sources.

Disable or remove unnecessary accounts, especially those with default configurations.

Keep the operating system and third-party software up to date with the latest security patches. 

Integrating security from the design phase not only reduces vulnerabilities but also saves costs in the long run. In production we often see issues like default passwords or misconfigured firewalls. Regular checks and automated tools can catch these loopholes in the system.
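One form such an automated check can take, as an added example rather than anything from the original post: a small baseline audit that walks a host inventory and reports each deviation from the three controls just listed (firewall exposure of admin ports, default or unnecessary accounts, patch age). The baseline values, host names, accounts and firewall rules are constructed; a real run would take the inventory from a configuration-management export.

```python
"""Automated baseline check over a constructed host inventory. Added example:
the baseline values, host names, accounts and firewall rules below are made up
and describe no real environment."""
from datetime import date
import ipaddress

# The baseline: the minimum controls every host must meet.
BASELINE = {
    "max_patch_age_days": 30,
    "default_accounts": {"admin", "guest", "test"},  # vendor/default account names
    "admin_ports": {22, 3389},                       # SSH, RDP
}

# Constructed inventory, e.g. what a config-management export might look like.
HOSTS = [
    {
        "name": "web-01",
        "accounts": [
            {"user": "admin", "enabled": True, "default_password": True},
            {"user": "deploy", "enabled": True, "default_password": False},
        ],
        "firewall": [
            {"src": "0.0.0.0/0", "port": 443, "action": "allow"},
            {"src": "0.0.0.0/0", "port": 22, "action": "allow"},
        ],
        "last_patched": "2024-05-01",
    },
    {
        "name": "app-02",
        "accounts": [
            {"user": "svc-app", "enabled": True, "default_password": False},
            {"user": "guest", "enabled": False, "default_password": False},
        ],
        "firewall": [
            {"src": "10.0.0.0/8", "port": 443, "action": "allow"},
            {"src": "10.0.0.0/8", "port": 22, "action": "allow"},
        ],
        "last_patched": "2024-06-10",
    },
]


def is_any_source(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule open to the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_host(host: dict, baseline: dict, today: date) -> list:
    """Return a list of findings where the host deviates from the baseline."""
    findings = []
    for acct in host["accounts"]:
        # A disabled default account is acceptable; an enabled one is not.
        if acct["enabled"] and acct["user"] in baseline["default_accounts"]:
            findings.append(f"default account '{acct['user']}' is enabled")
        if acct["default_password"]:
            findings.append(f"account '{acct['user']}' still has its default password")
    for rule in host["firewall"]:
        # Admin ports must never be reachable from any source.
        if rule["action"] == "allow" and rule["port"] in baseline["admin_ports"] \
                and is_any_source(rule["src"]):
            findings.append(f"firewall allows admin port {rule['port']} from any source")
    age = (today - date.fromisoformat(host["last_patched"])).days
    if age > baseline["max_patch_age_days"]:
        findings.append(f"last patched {age} days ago (limit {baseline['max_patch_age_days']})")
    return findings


def audit_fleet(hosts, baseline, today: date) -> dict:
    """Map each host name to its findings; an empty list means it meets the baseline."""
    return {h["name"]: audit_host(h, baseline, today) for h in hosts}


if __name__ == "__main__":
    for name, findings in audit_fleet(HOSTS, BASELINE, date(2024, 6, 15)).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the constructed inventory on 15 June 2024, web-01 produces four findings (enabled default admin account, default password, SSH open to the internet, 45 days since patching) while app-02 passes, because its guest account is disabled and its admin ports are only reachable from the internal range.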

How do we do that? ArgoCD is a continuous delivery (CD) tool for Kubernetes that automates the deployment and management of applications. CD deploys an application to the Dev, Test, UAT and Production environments in an automated manner. It follows GitOps principles: the desired state of an application is stored in a Git repository, and ArgoCD continuously ensures that the deployed state in the cluster matches the state defined there. So version control is in place. There also need to be role-based access controls. The person writing the code should not be able to push the code into production, and the person making a change should not be the one approving it. There should be separate development, testing and production environments.
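The two separation-of-duties rules above, checked against an RBAC policy, as an added example that is neither the post's nor ArgoCD's own code. The policy lines follow the `p, subject, resource, action, object, effect` and `g, user, role` format of ArgoCD's `policy.csv`, and the evaluator is a simplified model of how that file is interpreted (glob matching on action and object, deny overriding allow, roles reachable through `g` lines); the users, roles and change records are constructed.

```python
"""Separation-of-duties check against an ArgoCD-style RBAC policy. Added example:
the policy lines and change records are constructed, and the evaluator below is a
simplified model of how ArgoCD's policy.csv is interpreted (subject, resource,
action, object pattern, effect; deny overrides allow), not ArgoCD's own code."""
from fnmatch import fnmatch

# Constructed policy in the format used by the argocd-rbac-cm ConfigMap.
POLICY_CSV = """\
p, role:developer, applications, get, */*, allow
p, role:developer, applications, sync, dev/*, allow
p, role:developer, applications, sync, test/*, allow
p, role:release-manager, applications, get, */*, allow
p, role:release-manager, applications, sync, production/*, allow
g, alice, role:developer
g, dan, role:developer
g, bob, role:release-manager
"""


def parse_policy(text: str):
    """Split policy.csv into permission rules (p) and role assignments (g)."""
    rules, groups = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # subject, resource, action, object, effect
        elif fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, groups


def subjects_for(user: str, groups: dict) -> set:
    """The user plus every role reachable through g assignments."""
    seen, stack = {user}, [user]
    while stack:
        for role in groups.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def is_allowed(user, resource, action, obj, rules, groups) -> bool:
    """Allowed if some matching rule allows and no matching rule denies."""
    subjects = subjects_for(user, groups)
    allowed = denied = False
    for subject, res, act, pattern, effect in rules:
        if subject in subjects and res == resource and fnmatch(action, act) \
                and fnmatch(obj, pattern):
            allowed |= effect == "allow"
            denied |= effect == "deny"
    return allowed and not denied


def check_change(change: dict, rules, groups) -> list:
    """Return separation-of-duties violations for one change record."""
    author, approver, target = change["author"], change["approver"], change["target"]
    violations = []
    if author == approver:
        violations.append("author approved their own change")
    # The person writing the code must not be able to sync it to production.
    if target.startswith("production/") and \
            is_allowed(author, "applications", "sync", target, rules, groups):
        violations.append(f"author {author} can sync {target} to production directly")
    # The approver must actually hold the permission they are signing off on.
    if not is_allowed(approver, "applications", "sync", target, rules, groups):
        violations.append(f"approver {approver} has no sync permission on {target}")
    return violations


# Constructed change records (project/app, as ArgoCD names applications).
CHANGES = [
    {"id": "CR-1", "author": "alice", "approver": "bob", "target": "production/payroll"},
    {"id": "CR-2", "author": "bob", "approver": "bob", "target": "production/payroll"},
    {"id": "CR-3", "author": "alice", "approver": "dan", "target": "dev/payroll"},
]

if __name__ == "__main__":
    rules, groups = parse_policy(POLICY_CSV)
    for change in CHANGES:
        print(change["id"], check_change(change, rules, groups) or "OK")
```

CR-1 passes: the developer authored the change, and only the release manager can sync it to production. CR-2 fails twice, since the release manager both approved his own change and can push it himself. CR-3 passes because developers are allowed to sync the dev project; the restriction applies to production only.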
