How to A.C.E. Your Firm’s Security
Authentication. Communication. Encryption.
Information security is fast moving and affects many parts of an organization. The speed of change can make information security fun but can also make it difficult to manage. Cloud services add to the complexity by dramatically changing the security landscape and breaking down the traditional borders protecting our information. As things change in your environment, what should you be paying attention to around security? With the Adaptive A.C.E. security model, we’ve outlined three components of security that can help you manage changes within your on-prem or cloud environments.
It’s important to know who has access to what information in your firm, right? How users authenticate to access data and systems can impact how well you control information.
The most secure framework for authentication is a centralized system. Active Directory and LDAP configuration can be used for VPN, system, and device authentication with on-prem systems. An ID provider of your choice, such as Azure AD, ADFS, Ping, Workspace One, etc., can be used for cloud-based SSO authentication.
Advantages to having your user accounts centrally managed include providing a single username and password for all services, reducing the number of shared accounts, easier enforcement of least access permissions, improved logging of user activity and change management, easier administration of permissions across your network, and enforcing MFA and security policies such as password complexity requirements across your entire infrastructure.
Do you want passwords to be sent in clear text? Understanding how your data in transit is secured is essential to protecting your information. Many systems offer both secure and insecure options for how they communicate. Be sure your project and systems use the secure option.
At the heart of secure communication are certificates. They allow two devices to trust each other using a public and private key pair. There are different types of certificates, including self-signed, internal, and public. Do you know how certificates are used and protected in your organization?
Ever wonder to yourself, "Why do I need to encrypt data when it is in a locked data center and there is a guard?" It’s common for people to question the value of encrypting data at rest, but it is worthwhile.
Information security is a game of defense in depth. Encryption at rest is a cost-effective last line of defense for your data whenever other controls break down. This control is particularly valuable with mobile devices that are easily stolen or lost, which may contain large amounts of data.
For cloud-based services, this control has additional value. Most cloud service providers encrypt your data at rest, but they often keep the private key. This allows them to produce the contents of your data for as long as they have a copy. If a firm brings their own private key to encrypt the data, they can revoke access to the data and prevent the provider from accessing it in the future for any reason.
If you would like more information on implementing the A.C.E. security model in your firm, please email firstname.lastname@example.org.