03 July 2019
Something we have been banging on about for some time is the use of multi-factor authentication (MFA). A recent announcement from Microsoft advises – “We continue to see an increasing number of more sophisticated security attacks, primarily related to compromised identities. As preventive controls play a key role in an overall defense strategy to thwart security attacks, we will start enforcing a set of mandatory security requirements to help protect partners and their customers”. The full details can be viewed on the Microsoft Partner Center website.
Deploying multi-factor authentication (MFA) makes compromising an account much harder. A cloud service provider or other third party with access to your Microsoft tenancy becomes a weak point if that access is not protected by MFA, as a recent article by Top Cyber News describes.
This move by Microsoft is positive. However, it does not remove the need for a clear picture of which service providers and third parties have access to your tenancy and what they are able to do with it. You also need measures in place to track, limit and log their actions in order to keep your services secure.
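The following script is an added example, not part of the original post, showing the kind of check a tenant owner can run before (or regardless of) Microsoft's enforcement: it lists every user with no MFA method registered and no per-user MFA state, and flags members of privileged directory roles that fall into that group. It assumes the MSOnline PowerShell module (Connect-MsolService, Get-MsolUser, Get-MsolRole, Get-MsolRoleMember) and an account able to read directory objects; the role names and the output file name are this example's choices. Note that a partner's delegated administration rights do not appear as user accounts in your directory, so this script does not enumerate them; that access is reviewed separately under partner relationships in the Microsoft 365 admin centre.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is installed
# and the signed-in account can read users and directory roles in the tenant.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the tenant being reviewed

# 1. Users with no MFA method registered and no per-user MFA requirement set.
$allUsers = Get-MsolUser -All
$noMfa = $allUsers | Where-Object {
    $_.StrongAuthenticationMethods.Count -eq 0 -and
    $_.StrongAuthenticationRequirements.Count -eq 0
}

# 2. Privileged roles to inspect (example selection; 'Company Administrator' is the
#    MSOnline name for Global Administrator).
$privilegedRoles = @(
    'Company Administrator',
    'Security Administrator',
    'Exchange Service Administrator',
    'SharePoint Service Administrator',
    'User Account Administrator',
    'Helpdesk Administrator'
)

# 3. For each role, list its members and flag any that have no MFA registered.
$report = foreach ($roleName in $privilegedRoles) {
    $role = Get-MsolRole -RoleName $roleName
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role          = $roleName
            Member        = $member.EmailAddress
            MemberType    = $member.RoleMemberType
            MfaRegistered = ($noMfa.UserPrincipalName -notcontains $member.EmailAddress)
        }
    }
}

# Privileged accounts without MFA sort to the top.
$report | Sort-Object MfaRegistered, Role | Format-Table -AutoSize

# 4. Full list of users without MFA, exported for tracking and follow-up.
$noMfa |
    Select-Object UserPrincipalName, IsLicensed, LastPasswordChangeTimestamp |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation
```

Any row with MfaRegistered set to False on a privileged role is the case the Microsoft announcement is aimed at: an administrative identity that a single leaked password can take over. Run the same report after the partner has enabled MFA to confirm the change actually landed rather than taking it on trust.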
Build or bake it in - Transform with confidence
As an organisation goes through a technology transformation and increasingly adopts the use of the cloud it will work with new and existing suppliers to design and build systems. In doing so cyber security ideally should be built or baked in to minimise the impact of a security incident in the future.
In some instances a buyer will accept a supplier's security promise without making any attempt to verify that the supplier's view of security is well understood, has been implemented correctly or will actually be effective. Leaving full responsibility with the supplier(s) is a high-risk choice.
However, if you choose to build or bake in cyber security mechanisms during the transformation process and share the responsibility, what options exist to give you some confidence or certainty that these important measures will work as intended?
Consider the suitability of a supplier
Some points to check are -
A very effective way to ensure your security objectives will be met is to obtain independent validation. Having an independent third-party expert review whether the supplier's promises, statements or agreed security mechanisms stand up to scrutiny gives you some assurance that the investment in the transformation will not be easily undermined by a security incident.
Conduct a security architecture review
At a very early stage of the engagement it is recommended that a cyber security expert reviews the technical architecture of your planned system, or of the system being provided by the supplier. An independent assessment of the design confirms that the system is well architected from a security perspective and provides a reasonable level of inherent mitigation against likely attacks. Note that a security architecture review does not verify that the deployed system has been properly configured or is being well maintained; that requires separate testing.
Validate controls have been implemented correctly
Confirming how security controls have been implemented and configured during the transformation project is essential, because a sound design is no guarantee of a sound deployment. A suitably qualified tester can test and validate the controls at a particular point in time and then re-test at agreed intervals so that confidence is maintained as the system changes.
Selecting someone to review, test, validate
Lastly, it is also wise to confirm that your nominated independent third-party expert(s) have the right skills and experience to undertake a supplier, architectural or controls review. Agree and document the scope of work to be completed, and ensure there is adequate budget allocated to this work relative to the overall investment in the transformation project.
Independent validation may be a key difference between a successful transformation and an embarrassing or costly incident.
For a confidential discussion on how we can help your organisation be confident your technology transformation is safe and secure contact Mike or Steve.