Exclusive: Aura on designing a secure IT infrastructure

17 Sep 2018

Despite growing recognition of the importance of cybersecurity to organisations in Australia, more often than not, it’s still regarded as an afterthought in the implementation of new solutions.

For most boards, it’s difficult to justify the expense of security until it’s too late and the organisation has already suffered the consequences of a cyber attack.

SecurityBrief spoke to Aura Information Security Australia country manager Michael Warnock about what it means to implement secure IT systems from the ground up.

What are the most common challenges CSOs face when building security into their IT systems?

A security by design approach enables CSOs to proactively identify the security risks in their business early on, enabling them to remediate vulnerabilities when it is most time- and cost-effective.

After all, if companies don’t have the visibility of the information security risk they are introducing, then the organisation is potentially leaving more valuable information assets wide open for cybercriminals.

The most common challenge continues to be articulating the value of implementing versus the risk of not implementing, and secondly evaluating current staff skills and the development needed to be able to ‘code’ securely.

However, it should also be noted that being secure by design is an ongoing process and not one that is forgotten as soon as a project is complete.

IT systems aren’t static.

They are modified and patched once deployed and have an inherent risk that needs to be managed by IT teams as part of any risk and compliance management program.

How can CSOs overcome these challenges?

Organisations should look to augment their recruitment and look for developers who are trained in DevSecOps.

Working with a partner like Aura, which can implement training and development programs for their teams, is also worthy of consideration.

CSOs should also add secure code reviews to a development program, which will provide insight into any issues in a development plan early in the cycle, avoiding the challenges that arise where these are normally ‘tested’ very late in the program.

Aura considers a secure by design approach to include the following four-phase process:

  1. Design Phase – potential security risks are identified by software and infrastructure security architects.
  2. Build Phase – our consultants help CSOs check that they are building their systems in a secure way.
  3. Test Phase – conduct of end-to-end penetration tests to ensure any security flaws are remediated and provision for full visibility.
  4. Operate Phase – ongoing analysis, reporting and security optimisation occurs for the duration of the system’s operating life.

How can organisations with fewer resources protect themselves if they realise they’re being attacked?

There is a saying that goes, “you can only protect against what you know is attacking you”.

When a vulnerability is identified, the need to defend against this is time critical.

By deploying a shield approach to vulnerability management, the physical source code ‘recoding’ allows for a wall to be established faster, defending you from the bad guys.

The philosophy Aura promotes is that any prudent security program should have code remediation as an element, so we don’t say don’t fix your code, but use a shield to give you time to get that done correctly.
