Exclusive: Aura on designing a secure IT infrastructure

17 Sep 2018

Despite growing recognition of the importance of cybersecurity to organisations in Australia, more often than not, it’s still regarded as an afterthought in the implementation of new solutions.

For most boards, it’s difficult to justify the expense on security until it’s too late and the organisation has already suffered the consequences of a cyber attack.

SecurityBrief spoke to Aura Information Security Australia country manager Michael Warnock about what it means to implement secure IT systems from the ground up.

What are the most common challenges CSOs face when building security into their IT systems?

A security by design approach enables CSOs to proactively identify the security risks in their business early on, enabling them to remediate vulnerabilities when it is most time and cost effective.

After all, if companies don’t have the visibility of the information security risk they are introducing, then the organisation is potentially leaving more valuable information assets wide open for cybercriminals.

The most common challenge continues to be to articulate the value of implementing versus the risk of not implementing, and secondly evaluating current staff skills and the development needed to be able to ‘code’ securely. 

However, it should also be noted that being secure by design is an ongoing process and not one that is forgotten as soon as a project is complete.

IT systems aren’t static.  

They are modified and patched once deployed and have an inherent risk that needs to be managed by IT teams as part of any risk and compliance management program.

How can CSOs overcome these challenges?  

Organisations should look to augment their recruitment and look for developers who are trained in DevSecOps.

Working with a partner like Aura which can implement training and development programs for their teams is also worthy of consideration.  

CSOs should also add secure code reviews to a development program, which will provide insight into any issues in a development plan early on in the cycle, avoiding the challenges where these are normally ‘tested’ very late in the program.

Aura considers a secure by design approach to include the following four-phase process:

  1. Design Phase – potential security risks are identified by software and infrastructure security architects.
  2. Build Phase – our consultants help CSOs check that they are building their systems in a secure way.
  3. Test Phase – conduct of end-to-end penetration tests to ensure any security flaws are remediated and provision for full visibility.
  4. Operate Phase – ongoing analysis, reporting and security optimisation occurs for the duration of the system’s operating life.

How can organisations with fewer resources protect themselves if they realise they’re being attacked?

There is a saying that goes, “you can only protect against what you know is attacking you”.  

When a vulnerability is identified, the need to defend against this is time critical.  

By deploying a shield approach to vulnerability management, the physical source code ‘recoding’ allows for a wall to be established faster, defending you from the bad guys.

The philosophy Aura promotes is that any prudent security program should have code remediation as an element, so we don’t say don’t fix your code, but use a shield to give you time to get that done correctly.  
