Last month, at the Global Azure Bootcamp 2017 at Microsoft Singapore, I presented several security practices, along with how to apply a defense-in-depth strategy to secure your Azure IaaS deployment. In the presentation, I shared four security principles I have found for myself during my time working with computers.
I’m writing a book which covers applying a Defense in Depth strategy in an Azure IaaS deployment. The book also provides a hands-on lab to deploy a secure SharePoint system on Azure. It can be pre-ordered now for only $9.99 from here, and it will be automatically delivered to your Kindle on 15 June 2017. You will not only learn practical design with defense in depth but also get your hands dirty by following the step-by-step hands-on lab guidance in the book. I’m sure your Azure IaaS and security knowledge will ramp up rapidly.
For me, the first step is not to look for a technical and architectural framework for security. Instead, I often start with the following experimental principles I have found for myself. During the past 6 years, these principles have helped me a lot, not only in security design and incident investigation but also in educating my customers and colleagues toward an effective security plan and implementation.
- Security is not a silver bullet
- Security must come firstly from an awareness
- Security by default before security by design
- No pain no gain
Security is not a silver bullet
If you search the Internet, you will find the meaning of the term “silver bullet”. A silver bullet is a metaphor for a magical solution that can solve a complicated problem. It sounds as if there were a single solution in the world that can be applied to everything. Ask yourself whether there is one solution that addresses every security issue. Such a solution has never existed. Every system, and the software built on it, always has a security weakness. It can be found today, tomorrow or next month, depending on how valuable your system is when compromised, which is what attackers pay attention to. Even in the Snowden story you may have heard somewhere, documents from an electronic repository storing top-secret classified material were leaked. Another example is that some systems at NASA (National Aeronautics and Space Administration) were compromised, revealing some high-end technologies that the organization had developed. One of the world’s most popular movies, Fast and Furious 8, recently showed us the concern of car hacking in the digital transformation. It looks like magical hacking, but it will soon become true if security is not seen as a critical factor in autonomous technology development. Such stories tell you one thing: do not expect to see a system with zero security vulnerabilities in your life.
Organizations need to combine all possible security technologies to protect themselves. They also need to get rid of the silver-bullet mindset when it comes to security.
Security must come firstly from an awareness
During my time working with many government agencies, I have realized that security awareness is very important to developing a solid security strategy for the country. Information related to computer security and personal privacy is everywhere in the country. You can come across it in an elevator. You can happen to see data security posters in a toilet.
The idiom “The leopard cannot change its spots” speaks to the security awareness concern. It is hard to change who you are, no matter how hard you try. The change takes a great deal of time, even when you try to educate people about how big the impact is when a security incident happens and how much they may lose if their data is compromised. Training to improve security awareness is indispensable. Another perspective on security awareness is the human factor, which is itself a target of attack. An example of a lack of security awareness is the use of a simple password, which an attacker can obtain with a brute-force technique. Low security awareness can also be seen in coding practice, when your developers have no plan for writing secure code from scratch. This results not only in software vulnerabilities but also in wasted effort on remediation in the future. Whatever the case, without security awareness in mind, your system will never be protected enough. In one security incident on my team a couple of months ago, an attacker successfully connected remotely to a virtual machine hosted on a public cloud after using a brute-force technique. In a nutshell, security becomes useless without security awareness.
Security by default before security by design
Security by default is a common approach to implementing a secure system. It means making the default configuration of the system you are going to build as secure as possible. An example of security by default is a password complexity policy. To protect your end users, by default they must set a password as complex as your policy defines. It can be a password of minimum eight characters, including one capital letter, one number and one special character. Moreover, the password is not allowed to be any of the last five passwords used. This familiar example can be considered security by default.
After security by default is applied, move on to security by design, in which you design a practical architecture to prevent your system from being attacked, or from being scanned for vulnerabilities by an attacker. One example of security by design is using a DMZ (demilitarized zone), which we will discuss later in the book. Security by design often includes programming practices to implement extra security features (e.g. token validation, dynamic regression, cryptographic algorithms…).
Security by default and security by design are taught in the security development life-cycle to educate the project team, including developers, project managers, quality assurance staff and testers, so that they fully understand how important security is throughout the development life-cycle.
No Pain No Gain
Why no pain no gain? This motto tells us that if you have never suffered a pain, you will never know how painful it is, and you will never gain the experience that comes from it. I personally believe “No Pain No Gain” is a true principle for everyone. When you try applying the security by default and security by design approaches yourself, you should be optimistic about gaining experience if the system is hacked by someone. From that, you gain experience to improve your system and make it as stable as possible over time.
“No Pain No Gain” often comes with incident response management in the security context. While you gain experience from an attack, your incident response toward business users is controlled, giving them the feeling that nothing is really happening.