Of all the major cybersecurity stories this year, none were as ugly as the massive Equifax disaster. Equifax has become synonymous with not only loose and careless handling of data but also insider trading and overall scandal. In many ways, the company has become the modern equivalent of “Enron” in terms of excesses and mishandling of fiduciary responsibilities. Millions of people affected, a company disgraced, it is rather senseless to think this all started with basic cybersecurity gaps.
The IT industry is predicated on constantly improving services, and much like the way sports teams analyze the post-game film to find out what could have been done better, many in the tech industry are justifiably ranking security as a top concern for 2018. With such a broad shadow cast upon the entire business, it is possible that had Equifax employed or partnered with a certified, top-tier cloud hosting provider, their issues might have been less severe.
We’ve broken it down into the following questions:
- What could have been done to prevent an Equifax-like situation?
- Could Managed Cloud hosting have helped somehow?
Better Practices = Better Security
To answer that first question, we must look at the available details of what happened in the first place. The scope of the breach received the most attention as more than 145.5 million Americans were potentially affected. Cyber forensic and investigative reports indicate that the core security issues included lax or easy to guess passwords, Personal Identification Numbers (PINs) that were comprised of the date that respective consumers signed up, and various Database IDs and passwords that were set to “admin”. Various systems were also not patched and it is likely that the company’s production system deployment practices were poor.
Anyone of those faults constitutes a significant threat, but more than anything, they indicate poor security practices. The company response following the incident has been highly criticized and there have been reports of large stock sell movements that happened after the breach and before it was known to the public. All around ugly, if true.
Equifax’s biggest failure may have been that they failed to see that security is a mindset which must be pervasive in a secured organization and there can only be an unrelenting lack of compromise. Whether institutional or procured through cloud services providers, better-applied security practices could have helped reveal or prevent the situation.
How Cloud Makes for Better Security
It is true that nothing is impenetrable. With enough resources and time, even the digital equivalent of Fort Knox is hackable. This is not meant to scare you. It’s just the reality, and proper security posture must assume that there are outsider and insider threats to be found all the time and everywhere.
Vigilance is key, and a properly secured environment focuses on maintaining security principles at every level. You start with settings first-level, often technical hurdles in place, then apply consistent, sound policies for your situation, and finally integrate the right technologies that help you get those key practice elements accomplished.
Managed Service providers and Managed Cloud providers hold an extremely high standard of security. For example:
|Cloud/Hosted Feature||Cloud/Hosted Effect|
|Providers monitor their networks via a Security Operations Center (SOC) and Network Operating Center (NOC) for unusual activity 24 x 7×365, using the latest technology||Irregular network behavior such as extracting large volumes of data, or network source information would have set off immediate, actionable alerts|
|Regular Vulnerability Scans and System Patching||Preemptive vulnerability detection and maintaining systems with the latest, stable system patches and updates would have caught the security hole and prevented access|
|Strictly Enforced Dual Factor Authentication and Account password standards||Complex password policies, account/pass lifecycle, and other identification security measures could have prevented poor passwords|
|Many providers feature industry compliant services like HIPAA, PCI, SOC. (While you may not need those for your specific industry, these are great stamps of approvals that the Managed Cloud Provider follows high standards)||Compliance is not security, but it offers numerous security elements such as account ownership, role-based administration, audit activities, and process control. Multi-level by definition, compliance decreases the potential of attacks|
|Hardened system builds
|Systems that start lifecycle service in a hardened state are better suited for security on file permissions, service permissions, and various operating parameters|
|Encrypt all data at rest||Should a breach occur, the data has another layer of protection instead of being in plain text|
That’s just a taste of the considerable security features found at a modern cloud and hosting provider. The Equifax breach could have been stopped, or at the very least, mitigated to a non-event by any one of these common cloud features.
Cloud Leaders Matter
Cloud solutions present solid security for various reasons, but the cloud provider in question is critical as well. 2017 showed us human errors that produced a litany of security misconfigurations on the AWS S3 service. Such a great tool placed in the wrong hands could add up to the next disaster. The object is not to knock any particular service, but to present a picture that is becoming increasingly complicated in today’s multi-cloud practices. Security considerations are a critical focus for companies that are looking at new technologies and providers to deliver them in a flawless and worry-free manner.
You can easily run a cloud journey all alone, but partnering with a managed service provider or a managed cloud provider that has the experience to deliver the right cloud, with the right elements, and the foundation of security that an organization needs is critical to cloud success in 2018 and beyond.