It would seem reasonable to assume that the average enterprise has well-defined security procedures – everything from ensuring that the proper endpoint solutions are in place, to having a plan for when an incident is detected. Mission-critical assets carry higher security requirements. You would expect a bank to implement the strongest available security measures for its online banking functions in order to protect both itself and its customers against fraud. For such assets, encryption, Web application protection, and DDoS protection are pretty much a given cost of doing business.
The internal IT team generally has a good idea of what assets exist in its datacenters. Routine internal network scans help to identify anything that wasn’t tracked properly, or that one test VM you were playing with just before vacation and forgot to shut down. Networks are ever-changing and subject to drift over time; it’s rare to scan a network twice and get the same results. With proper IT procedures, however, it is possible (though not always easy) to have a good idea of what is living in your datacenter.
Over 90% of organizations have some assets in the cloud, so there’s a high chance that you also have assets running outside of your datacenter. How do you inventory those servers? A good cloud provider will give you instant insight into what you have running there; after all, that’s how they get paid. The majority of the large cloud vendors focus on providing infrastructure with a basic level of security. It’s on the customer to make sure the security of what runs on that infrastructure is up to their standards. Again, this can be solved via strong IT governance and proper procedures.
What about those other external sites that don’t fall under the IT department’s control? The ones that got set up when your marketing department created an event page for customers to register for your seminar, or when HR put up a site for employees to RSVP to the internal kick-off. These tend to be run for a short time, or by an external agency. We call these assets “sites on the town”: sites created outside of organizational IT, outside of IT-department budgets and control. It’s not unusual for these to be created and hosted at cheaper hosting alternatives, hosting providers that IT wouldn’t normally accept and that therefore can’t be integrated into the existing security solutions. Sometimes this is done precisely as a way to work around the policies set forth by the IT department. Although these sites might fall outside of the IT department’s control, they still collect customer or employee data, and so may still fall under regulations such as the GDPR and the NIS Directive.
Does your organization have any forgotten assets?
So what are the risks with “sites on the town”? Since they aren’t part of your security regime, they could potentially act as a stepping stone into your organization (for example, through credentials reused from internal systems, or links and integrations back into them), leak the customer or employee data stored there, and ultimately end up impacting the bottom line. When a breach occurs, the public won’t care that it was an external site that got hacked and not your main asset. It has your name and logo on it, and that’s what matters.
This isn’t to say that these external sites are ‘bad’. In many situations they offer the various parts of the business greater speed and flexibility. As IT’s main role is to enable the business, the question becomes: ‘How can we reduce our risk and make sure these sites are up to our security standards?’
What you need in these situations is a way to centrally protect all of these assets, regardless of where they might be. This is one of the problems we at Baffin Bay Networks wanted to solve when we created Riverview. Our service delivers multiple layers of security to all your assets, whether they live in your internal network, at your cloud provider, or as sites on the town. Even your disposable assets are protected against threats such as DDoS, Web application attacks, malware and exploit attempts, from the same centrally managed service as all your other assets. We feel this gives the IT department the ability to say ‘yes’ to these requests, providing strong security while enabling other parts of the business to move forward.
By: James Tucker, Director of System Engineering