“It takes 20 years to build a reputation and minutes of cyber-incident to ruin it.” – Stephane Nappo, Vice President, Global Chief Information Security Officer Group SEB
The increasing threats companies face today, from ransomware attacks and data breaches to malware and hacking, mean that cybersecurity will continue to be a priority for C-level leadership across all industries. Enterprise Strategy Group research reveals that 69% of organizations are increasing their security budgets in 2022, and a Kaspersky report indicates that 85% of surveyed IT decision-makers expect their cybersecurity budgets to increase by up to 50% in 2022. Read on to learn about strategies security officers can take to safeguard operations without creating data silos and roadblocks.
Claim 1: Use a confidentiality, integrity and availability (CIA) triad to guide internal information security policies within your organization
Nowadays, Information Security Officers (ISOs) are rightly focusing on people and processes to make cyber security strategies as resistant as possible to malicious activity. While that matters, the most effective way to reason about how data and information should be handled is the CIA triad, sometimes referred to as the availability, integrity and confidentiality (AIC) triad. It gives information security three distinct, complementary goals, and every control an organization adopts can be judged by which of the three it serves.
The first aspect, confidentiality, means that only authorized parties can access particular data. The requirement may stem from internal data protection initiatives, non-disclosure agreements or specific legislation. Although in essence it means that data is neither disclosed to unauthorized parties nor revealed to those without clearance, it is not so much about limiting access as about organizing it: classifying data, deciding who needs which access, and enforcing that decision technically. Having well-defined measures in place results in management and governance, two elements which, if implemented correctly, increase users’ confidence and trust.
The second component, integrity, refers to the trustworthiness of the data that an organization manages. Once entered into a system or handed to another entity, it is paramount that data has not been changed or tampered with. Whether deliberate or accidental, any modification of data that its owner has not authorized corrupts the information and compromises security. This can happen while the data is first being entered or uploaded, while it is in storage, or while it is in transit between systems, so integrity controls such as checksums, signatures and audit logs need to cover all three stages.
The last element is availability, which is not so much about who has access, but when. Authorized users need (and expect) to be able to access their information conveniently and in a timely manner. To achieve the level of availability that users demand, organizations should make sure that computing systems and infrastructure run dependably, with redundancy and tested recovery plans so that outages, whether caused by failures or by attacks such as ransomware and denial of service, do not become prolonged interruptions. Additionally, tight security measures should not close off legitimate communication channels: systems should be resilient to cyber security threats without burdening users with security protocols they will be tempted to work around.
The CIA triad should be central to an organization’s architecture maturity model, which is a way to measure an organization’s capacity for continuous improvement. An effective cyber security operation should not just be about maintaining the status quo and neutralizing known threats, but also about anticipating potential perils.
Claim 2: Implement request authentication policies that validate JSON Web Tokens securely and swiftly from different providers
Request authentication policies specify the values needed to validate a JSON Web Token (JWT). These values include, among others, the following:
- The location of the token in the request
- The issuer of the token
- The public JSON Web Key Set (JWKS) endpoint whose keys are used to verify the token’s signature
To implement request authentication with these properties, organizations are increasingly turning to Istio, an open-source service mesh that takes service-to-service networking functions (traffic management, telemetry and security) out of application code, so the same policy is applied to every microservice by the mesh rather than by each team separately. Istio makes it possible to run distributed, microservices-based applications from anywhere in the world, and it is platform independent, meaning it can run in a wide variety of environments, including on-premises, cloud, Kubernetes and Mesos.
Istio enforces authentication at each workload’s sidecar proxy: it checks the presented token against the organization’s request authentication policy and rejects requests whose token is invalid, for example because the signature does not verify against the issuer’s JWKS, the issuer does not match, or the token has expired. Requests that carry no token at all, however, are accepted by default. To reject requests without tokens, add authorization rules that require a validated request principal for specific operations, such as particular paths or HTTP methods.
Request authentication policies can specify more than one JWT rule, provided each rule uses a unique token location. When more than one policy matches a workload, Istio combines all rules as if they had been specified in a single policy. This behavior enables workloads to accept JWTs from different providers. However, a request that carries more than one valid JWT is not supported, because the output principal of such a request would be undefined; the safe design is therefore one token per request, in a location the policy names explicitly.
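The two kinds of policy described above, as an added example that is not part of the original article or of Istio’s own documentation. It assumes a hypothetical namespace shop, a workload labelled app: orders, and two hypothetical identity providers (https://login.example.com and https://partner.example.net) publishing their JWKS at the usual .well-known path; the second provider’s token is read from a custom X-Partner-Token header so that the two rules use distinct locations, as the text requires:

```yaml
# Added example; not from the original article or the Istio project.
# Assumed: namespace "shop", workload label app=orders, and two hypothetical
# issuers with JWKS endpoints at their .well-known paths.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  # Provider 1: token in the standard "Authorization: Bearer <jwt>" header.
  - issuer: "https://login.example.com"
    jwksUri: "https://login.example.com/.well-known/jwks.json"
    audiences:
    - "orders-api"
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "
  # Provider 2: token in a separate header, so both rules have a unique
  # location. A request carrying valid tokens in both locations is not
  # supported (its principal would be undefined), so clients send one.
  - issuer: "https://partner.example.net"
    jwksUri: "https://partner.example.net/.well-known/jwks.json"
    audiences:
    - "orders-api"
    fromHeaders:
    - name: X-Partner-Token
---
# RequestAuthentication alone only rejects tokens that are present and
# invalid; a request with no token is still accepted. This DENY policy
# closes that gap: any source without a validated request principal
# (the "<issuer>/<subject>" pair Istio derives from the JWT) is refused.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-require-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
---
# Finer-grained grants per operation. Once an ALLOW policy exists for the
# workload, every request that matches none of its rules is denied, so the
# read rule is needed to keep GETs from the partner issuer working.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-access
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  # Any validated principal, from either issuer, may read orders.
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders/*"]
  # Only subjects issued by the first-party provider may write.
  - from:
    - source:
        requestPrincipals: ["https://login.example.com/*"]
    to:
    - operation:
        methods: ["POST", "PUT", "DELETE"]
        paths: ["/orders/*"]
```

Apply the file with kubectl apply -f and probe the workload with curl: a request with no token is refused by the DENY policy (HTTP 403 from the sidecar), one with a forged, expired or wrong-issuer token is refused by the RequestAuthentication (HTTP 401), and a valid partner token used for a POST is refused by the ALLOW policy (HTTP 403) because it matches only the read rule. Keep the DENY policy even though the ALLOW policy already implies default-deny; it states the intent explicitly and still holds if someone later removes the ALLOW policy.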
Ever-growing security threats mean that a password plus a single second factor is no longer enough for high-value accounts. Organizations are increasingly employing up to four types of identity-confirming verification, naturally referred to as four-factor authentication. The factors are typically classified as knowledge (something the user knows), possession (something the user has), inherence (something the user is) and location or context (where, and from which device, the user is signing in). The two mechanisms discussed here complement rather than compete with each other: the multi-factor checks belong at the identity provider that authenticates the user, and the JWT it issues then carries proof of that authentication to every service in the mesh that validates it. For the strongest posture, CIOs should consider a combination of four-factor authentication at login and JSON Web Tokens for propagating the resulting identity.
Claim 3: Deploy a Web Application Firewall to ensure safe HTTP traffic
A Web Application Firewall (WAF) protects web applications from numerous types of attacks, including cross-site scripting (XSS), SQL injection and cookie poisoning, and it can help limit data breaches. Cyber criminals looking to exfiltrate your users’ data by compromising your systems can be hindered, because a WAF inspects responses as well as requests and can block recognizable patterns, such as card numbers or stack traces, from leaving the app; that response filtering is a safety net, though, not a guarantee.
By filtering, monitoring and blocking harmful HTTP/S traffic, a WAF plays the role of a reverse proxy: it sits in front of the web application server and shields it from clients with bad intentions, which also means it only protects the traffic that is actually routed through it. WAFs are flexible in how they are deployed, since they can run as software, as an appliance or as a service. Regardless of the form, WAFs are highly customizable to an organization’s security needs and business goals, and a new deployment is best run in detection-only mode first so that rules can be tuned against real traffic before blocking is switched on.
A WAF is not the only security solution organizations can implement. An intrusion prevention system (IPS) covers traffic a WAF does not see, such as DNS, SMTP, Telnet, RDP, SSH and FTP, among others. Usually signature- and policy-based, an IPS establishes a baseline (based on a company’s parameters), alerts security officers when incoming traffic does not comply and, unlike a purely passive intrusion detection system, can block that traffic. As new risks are identified, the list of traffic an IPS guards against grows.
As WAFs analyze every request at the application layer, they are rightly regarded as an organization’s first line of defence against the most common web vulnerabilities. The Open Web Application Security Project (OWASP) Top Ten, in its 2017 edition, lists: injection, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. A WAF is most effective against injection and XSS, whose payloads are visible in the request; against categories such as broken access control or security misconfiguration it is a mitigation, not a substitute for fixing the application.
Having reliable cyber security strategies achieves peace of mind
VMware’s The State of Incident Response 2021 report indicates that 82% of surveyed organizations are concerned their company is at risk of a cyber-attack. Tellingly, the same report reveals that 49% of organizations lack the expertise and tools for adequate incident response. Using the confidentiality, integrity and availability (CIA) triad to guide internal information security policies, implementing request authentication policies that validate JSON Web Tokens securely and swiftly from different providers, and deploying a WAF to ensure safe HTTP traffic are all sound measures that can guard against cyberattacks. Even so, the value of partnering with an experienced team that has a proven record should not be underestimated.
That’s why companies across industries and from around the world turn to Software Mind, whose agile, cross-functional engineering teams not only develop tailor-made, evolutive software, but deliver security solutions and consultancy that secure operations, protect users and give peace of mind. To learn how our experts can support your business, fill out the contact form.
About the author
Jan Jurek
Senior Software Architect
A Senior Software Architect and Team Manager with almost 15 years’ experience, Jan has developed and managed projects using a wide array of tools and technologies, especially Java. Passionate about enhancing products and services for his clients, Jan leverages his engineering background and security expertise to ensure safe and swift software delivery. When not exploring the exciting possibilities of Kubernetes, AWS and Web Application Security, he can be found giving lectures to students at various Polish universities.