Story image

Exclusive: Aura on designing a secure IT infrastructure

17 Sep 2018

Despite growing recognition of the importance of cybersecurity to organisations in Australia, more often than not, it’s still regarded as an afterthought in the implementation of new solutions.

For most of boards, it’s difficult to justify the expense on security until after it’s too late and its already suffered the consequences of a cyber attack.

SecurityBrief spoke to Aura Information Security Australia country manager Michael Warnock about what it means to implement secure IT systems from the ground up.

What are the most common challenges CSOs face when building security into their IT systems?

A security by design approach enables CSOs to proactively identify the security risks in their business early on enabling them to remediate vulnerabilities when it is most time and cost effective.  

After all, if companies don’t have the visibility of the information security risk they are introducing, then the organisation is potentially leaving more valuable information assets wide open for cybercriminals.

The most common challenge continues to be to articulate the value of implementing versus the risk of not implementing, and secondly evaluating current staff skills and the development needed to be able to ‘code’ securely. 

However, it should be also noted that being secure by design is an ongoing process and not one that is forgotten as soon as a project is complete.  

IT systems aren’t static.  

They are modified and patched once deployed and have an inherent risk that needs to be managed by IT teams as part of any risk and compliance management program.

How can CSOs overcome these challenges?  

Organisations should look to augment their recruitment and look for developers who are trained in DevSecOps.

Working with a partner like Aura which can implement training and development programs for their teams is also worthy of consideration.  

CSOs should also add secure code reviews to a development program which will provide insight into any issues in a development plan early on in the cycle avoiding the challenges where these are normally ‘tested’ very late in the program.

Aura considers a secure by design approach to include the following four-phase process:

  1. Design Phase – potential security risks are identified by software and infrastructure security architects.
  2. Build Phase - our consultants help CSOs check that they are building their systems in a secure way.
  3. Test Phase – conduct of end-to-end penetration tests to ensure any security flaws are remediated and provision for full visibility.
  4. Operate Phase – ongoing analysis, reporting and security optimisation occurs for the duration of the system’s operating life.

How can organisations with fewer resources protect themselves if they realise they’re being attacked?

There is a saying that goes, “you can only protect against what you know is attacking you”.  

When a vulnerability is identified, the need to defend against this is time critical.  

By deploying a shield approach to vulnerability management the physical source code ‘recoding’ allows for a wall to be established faster defending you from the bad guys.

The philosophy Aura promotes is that any prudent security program should have code remediation as an element, so we don’t say don’t fix your code, but use a shield to give you time to get that done correctly.  

Why SD-WAN is key for expanding businesses - SonicWall
One cost every organisation cannot compromise on is reliable and quick internet connection.
New threat rears its head in new malware report
Check Point’s researchers view Speakup as a significant threat, as it can be used to download and spread any malware.
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.