Spill the IT Ep05 (Part 2): Security – who's on the door?
Welcome to the Fasthosts ProActive Podcast: Spill the IT. Each episode, we'll sit down with some of the amazing ProActive team and chat through their experiences of the ups and downs of IT infrastructure management in small businesses. There's always plenty to chat about.
The classic debate: how secure is the cloud? Our team discuss whether the cloud is a better solution for security or not.
Episode transcript:
Intro (00:05):
Welcome to the Fasthosts ProActive podcast: Spill the IT. Each episode, we'll sit down with some of the amazing ProActive team and chat through their experiences of the ups and downs of IT infrastructure management in small businesses. There's always plenty to chat about.
Graham (00:29):
CJ, you and I were talking earlier about multifactor authentication, and some of the nightmares you've seen within businesses that have been affected by that. Do you want to talk just a little bit about that? Because that's a bit of a real thing, isn't it? That sometimes people can get hassled and keep on being hassled and they think, "Oh my God, yes, I'll just approve it," and actually it's malware, or it's people acting in an inappropriate way.
CJ (00:50):
Yeah, so multifactor authentication is one of a suite of tools that you can use to help keep your security profile in a positive stance. It helps against a lot of things such as your generic phishing, typical social engineering and so forth, because it's something you have. So whenever we talk about authenticating a user, so making sure that, hey, this is the person you're saying you are, you tend to work on two aspects. One is something you know, which is typically a password, and something you have, which is multifactor authentication. Now, that can be an app on your phone. It could be the fact that you've just received an SMS message, all of these kinds of things. But once again, we need to not get complacent.
(01:31):
I've spoken to some people who say, "Oh, well now I've got multifactor authentication. I'm not worried about how strong my password is." It's like, "Okay, right. No, no, no." This is part of the suite of tools, and you can't get to a point whereby you are becoming complacent, or going, "I've got multifactor authentication. I'm okay. I'm never going to get hacked." And again, it's a story Gary and I were talking about earlier, of instances whereby people have been overloaded by malicious actors, whereby they've sent hundreds of SMS messages, basically purporting to be just a failure within the multifactor authentication schema. And it gets to the point whereby people are going, "Yes, yes. Okay, fine." Click, click, click, click. And again, if the rest of your security tool set is not up to scratch, you're being lulled into that false sense of security.
Graham (02:12):
I think we were talking about it previously, about this Amazon experience. We as humans, we've been talking about the human thing, haven't we? We as humans, we feel protected. If there's that multifactor authentication and you're going through those procedures, you just think, oh yeah, I'm covered. I'm fine. That works. Is there a complacency?
CJ (02:28):
There can be, and this is really important: again, it's just staying on top of that mindset of making sure that, yes, you don't sacrifice any part of your security tool set because one other part of it is now looking better and is looking improved. So certainly for myself, I use multifactor authentication wherever I can, because it's an extra part of my armory, but that doesn't mean that, yes, it's okay, I can just choose an eight-character password.
(02:53):
Getting into the whole subject, it's a podcast in itself, talking about password security and strength and so forth. But yes, it's something I would certainly encourage anybody who's listening: if you've got a service that provides the ability to use multifactor authentication, then use it where appropriate. Don't get me wrong, if it's not something whereby you even care whether or not... If it's your running app and it's got no sensitive data on it or whatever, and it's just too much of a pain every time you want to go for a run that you have to get your phone out to put your... Then don't worry about it, but certainly for anything with sensitive or destructive data, something which can cause harm to you, make sure it's there.
Graham (03:28):
Okay, Dan, that's the next subject for your scenario planning [inaudible 00:03:31] and that could be quite a good thing. So with the attack surface of so many organizations' IT infrastructure increasing more and more, do we feel that the cloud is better for security?
Gary (03:42):
Yeah, I think, look, "better" is a strong word. I think it's different, and I think there are a number of factors behind that. We spoke about what should be keeping IT managers awake at night, and I think some of that is how do people keep up with trends? And one of the things that a managed cloud service can do is it can build that level of expertise and security focus into an organization that doesn't have the ability to resource that internally. To quote the Avengers, the Avengers may have a Hulk, but we have a CJ, and in turn then so do all of our clients, where we can bring those best practices, we can bring that 20 plus years each of experience and lessons learned, often painfully, to organizations that perhaps don't have that capability in-house, and provide that expertise.
CJ (04:47):
It's exactly that. To be honest, certainly if you're a business that's running an e-commerce website and you've got, let's say, six servers with us, six instances, you probably can't afford to have a whole team of security professionals on your premises running all of this for you. You probably don't have the time or energy to get ISO 27001 certified. We can bring all of that to the table, because we're big enough, it's something we live and breathe, we've got the experience in it. So cloud in itself, as a technology, is no better, no worse than an on-premise solution or a co-location solution, whatever. But because of the very nature of our teams here and the business that we run, we're bringing that expertise and experience with it.
Graham (05:31):
So do you think it's equally good for... So people who are transacting retail online and business as well, do we think there are some parallels there, in that it's just as important for business, B2B businesses as opposed to B2C? So security is just as important for both types of businesses?
CJ (05:47):
You're talking to a security professional. Security is just as important for everybody, regardless of what segment you're in or what it is you're doing. And again, part of this just comes down to being aware there is a financial cost in being secure, but the financial cost of not being secure can be so much more, and it's just not worth the risk.
Gary (06:04):
I think going back to the B2B and the B2C stuff, I think they're both massive, massive topics. I think with the B2C businesses, we've seen horror stories where individuals' personal data has been leaked by vendors online, credit card details, addresses, all that kind of stuff. But I think also when you're looking at B2B, a great number of the security accreditations take into consideration the security of your supply chain. So it's not just how secure are you, it's how secure are the people that you are then procuring services from. So that comes into it as a big factor as well.
Graham (06:47):
Dan, I can see you're nodding in there as well, in relation to what Gary's saying. What are you thinking?
Dan (06:50):
Cloud, as an infrastructure, no better, no worse. Managed cloud, better, because of resourcing, skills and just being able to do things at scale as well. But then I was also thinking about this from a software perspective as well. So a lot of the cloud platform providers have certain security features baked in. Ours certainly does; a good example is DDoS protection right out of the box. That's a huge benefit, because that's something that's quite expensive for individuals to put in. But I think also, as the cloud infrastructure develops, with more use of things like containerization, there are more services and more tools coming out there to allow users, whether that's developers or those more in the B2B space, to actually get that level of assurance around the security of some of those cloud components that they're using.
CJ (07:53):
And this is where the cloud technology is: it doesn't solve all of the problems, but it simplifies some aspects around availability. It simplifies some aspects around your backups, it simplifies some aspects around the integrity of your data, because of the very nature of how cloud is. So it just simplifies some of those topics for us. It doesn't solve them, but it means we can solve them in an easier way than we might have otherwise done with a more traditional solution. Also, going back to the availability topic, a cloud-based solution, that scalability that Dan's talking around, so horizontally scaling: if your business comes to us and all we need to provide you with is a really simple, straightforward three-server solution for something, and your business takes off because you suddenly got on Dragons' Den or whatever it may well be, and you go, "We need to get this big right now," then cloud gives us that ability to make sure your content will stay available and it won't suddenly just drown in a sea of horribleness.
Graham (08:46):
Yeah, you can imagine that, but I've never really thought about it, because you see businesses grow just on the fact that they've been on Dragons' Den.
Gary (08:51):
Yeah, whether they've won or not.
Graham (08:53):
Absolutely. People just color on whether they got invested in or not and away they go.
Gary (08:57):
But there used to be a phenomenon when I was working, actually here at Fasthosts, so a while ago, which was the breakfast radio factor. And we saw it happen a number of times, where a particular website was mentioned on morning breakfast and you could see the traffic hit that particular server within minutes. So having that ability to scale quickly is absolutely essential.
CJ (09:30):
And that's where the cloud wins, because let's turn the clock back 15 years or whatever. Both of us worked in a similar type of thing, and it's like, if you needed to scale something up then, you had to get a bunch of engineers, go and get some physical hardware, go and install an OS on it. Okay, configure the OS. We're talking hours already here, whereas with the cloud, Gary's going to go and click a couple of buttons, spin some new infrastructure up; it's a much quicker process.
Graham (09:52):
And the great thing about it is that that layer of security within that is a given. You can scale it, the security's there and we're off.
Gary (10:01):
That's the big piece, so when you need to scale and you need to scale fast, there is a risk that doing that at speed, at pace, is going to introduce human error.
Graham (10:15):
It may compromise security.
Gary (10:16):
Absolutely. So the way we design solutions here is we have as much of that deployment process automated as possible. So we then have the ability to deploy additional infrastructure at massive speed, but retain all of the security hardening that was put in place on the very first server. So when we deploy server 30, that will be the same as servers 1, 2, 3 and 4, because we put that effort in at the beginning to make sure that we've got that layer of automation.
Graham (10:55):
Cut, paste, cut, paste. Yeah, yeah, yeah.
Gary (10:56):
Exactly.
Dan (10:56):
And this is where software really helps us out. So what we're talking about here is orchestration and configuration management. They're two really, really important topics. And as Gary was saying, it's taking that human error out of it and just making sure that we know that this is going to be deployed in a set state, and that set state is good, because we've already deployed 29 servers to the same set state.
Gary (11:17):
That's where I think complacency comes in as well. So you do a thing every single day for 30 days, you stop thinking about that thing. Most people don't have to think about breathing. I know a few that do, but what you repeat becomes automatic, and that's where these mistakes can fit in.
Graham (11:38):
Yeah, so let's take ourselves back. We were talking a little bit earlier about B2B, so there's been a huge, huge explosion, as we've seen during COVID, of hybrid working. Has that affected security within that arena, and what challenges is that giving IT right now with that explosion of hybrid working?
CJ (11:57):
Yeah, so it's been a big challenge.
Graham (12:00):
That's politely put.
CJ (12:00):
Yes, as polite as I'm going to get. Part of that is because what we're taking is a bunch of people who used to be in a trusted environment. So typically your office environment: you've got your network locked down, you've given people their laptops, they've got a monitor and the keyboard and mouse they plug in, and you've provided all of that and you're fairly confident about it. You're also fairly confident, whilst people are there at work, that they're getting on with their day-to-day work and so forth. You're taking those people out and you're giving them their kit, and they're taking it home and plugging it into their home network. Now as a business, you have no way of knowing what they're running on their network at home; they could be running absolutely anything. So you are taking some of that certainty away from your own security, which is typically about being certain of things.
(12:41):
They could be plugging anything from a USB device from an untrusted source into their system, and that could be doing anything. There are certainly reports of that type of thing happening. Added onto all of that, you are also suddenly opening up your business and allowing access from outside your business in, which you may or may not have done beforehand. I'm not saying you weren't allowing that; you're allowing it to far more people. So you are increasing your potential scope for attack, and you're also at the same time introducing a bunch of untrusted and unknown things to your network.
Graham (13:12):
So many variables, isn't there?
CJ (13:15):
Absolutely, so it's an absolute minefield, and it's something that you need to stay on top of while still allowing these things to happen. We need to allow people to be able to work from home. COVID has taught us this 100%, but you need to make sure that you have the right processes, you have the right education, you have the right everything about allowing those users to do so.
(13:36):
And this is one thing, going back to something else we were talking about before: it's not just about safeguarding your business and making sure that you're [inaudible 00:13:43]. It's about safeguarding your employees. You give them the tools to make sure that they are protected and safe in themselves. And this ties back into this conversation I've had before, whereby when somebody leaves this company, we make sure that we revoke their accounts, their credentials and all this kind of stuff. And I remember a few years ago somebody saying to me, "Well, do we have to do it straight away? I trust the employee, they're not going to do anything bad."
(14:04):
It's like, we have to do this straight away, because if we don't, we're not protecting that employee. If those account details get compromised and they log onto our systems with their original details, the first thing we're going to do is point a finger at this ex-employee. We're going to be going and knocking on their door saying, "Why did you do this?" If we revoke those credentials now, that employee is safe. We won't have any of these issues of finger pointing or anything else like that.
Gary (14:27):
I think for me, the big thing with security is that balance that CJ's just spoken about. The most secure IT system is one that's switched off and locked in a small room somewhere. However, it doesn't function terribly well. You've got to have the ability to allow people to work. And with hybrid working, that absolutely has been the challenge: how do you enable people to fulfill their day-to-day functions whilst staying secure? And for most organizations, that's been a shift of going from supporting one to two offices to supporting a hundred offices, because each of your employees' homes becomes part of your infrastructure.
Graham (15:13):
And where they might log on outside of home as well. That must be a big concern as well.
Gary (15:17):
Exactly that. And for me, it's a little bit like driving. You can be an awesome driver, you can be super safe, you can have done your advanced motoring. What you've got to worry about is everybody else on the road. And then that becomes more so the case in a home environment. If you are living in shared accommodation, it's not just you you need to worry about, it's the other people there, or what are my kids doing on my home network, being tempted into downloading to enhance their gaming experience, for example. And that then becomes a problem for the organization as well.
(15:55):
I think one of the interesting things I saw, at the early stages of the pandemic, was how the location for the origin of junk email shifted. So one of the things that we saw at the start was the move from, I suppose, your more stereotypical Eastern Europe, China, Russia, the established IT bad guys, to being European countries. So the UK became a big origin point for junk email, Spain, Italy, a lot of countries that historically you wouldn't associate with that kind of activity became the origins, because they'd had to poke holes in infrastructure to enable people to work.
CJ (16:36):
Using the driving analogy, as a security professional, there's a wonderful joke I remember from many, many years ago about how a woman was sat at home and heard on the radio that there was somebody driving the wrong way down a busy motorway. So she knows that her other half is on the way back from work, so rings about and says, "Just be careful there. There's somebody driving the wrong way down the motorway," and he responds, "It's not just one, there's hundreds of them." And we had exactly that same kind of experience of just this sudden explosion of all of this going on everywhere around. And as a security professional, suddenly it just felt like, yeah, there's a lot going on here that we need to suddenly take care of.
Graham (17:13):
So the current IT protection mechanisms, are they up to speed? Are they up to this? Are we getting too many players in the market? What do we think?
CJ (17:22):
It's constantly changing and if I answer that question now, it'll be wrong by the time we go out on air. So everything is changing and I think again, we're just talking about awareness here, right?
Graham (17:31):
Yeah, sure.
CJ (17:32):
So again, another old adage: I will not say that our business is 100% guaranteed to be secure against attackers. Nobody can say that. It's the same as, you can't say nobody can steal my car. What you can do is take the right precautions to make sure that other people's cars are more attractive to go and steal, and all this kind of stuff. So you make sure, of course, you lock your car, you've got an immobilizer, you store it in a secure place, all of this kind of stuff. And again, we're constantly evolving what sort of defense mechanisms we're keeping in place against the bad guys and against human error on our internal side as well.
(18:03):
But all of that is constantly changing, as with the technologies that are coming out as well.
Dan (18:07):
I think for me, my big wish in terms of things that are going to change is around the frameworks and the best practices. We've talked about, I said, ISO 27001, we've talked about Cyber Essentials, Cyber Essentials Plus. I think the ongoing maturity of those frameworks, and not just in terms of the nuts and bolts about them telling you what to do, but actually making them accessible for small to medium businesses, will help raise the bar in terms of security and prevention of nasty things happening to very nice people that are just trying to run their business at the end of the day.
Graham (18:46):
So I guess with skills shortages and human error and the evolution of technology, I think what I'm getting from you is, unfortunately, you can't say to IT managers that they can still get a good night's sleep. There's still going to be the time when the phone rings, isn't there? And that's just a thing of doing the job.
CJ (19:03):
Absolutely. And part of that is that we're also never sure what the next breakthrough, either good or bad, is going to be. We briefly talked about AI as a concept, and that's going to change the landscape. We get into things like quantum computing; that massively changes some of the technologies, and certainly some of the algorithms we use in security and keeping data secret between two sets of people. We don't know, tomorrow something could come along and there could be a discovery, and me and Gary are going to spend the next month trying to make sure that all of the right systems are now up to date with the current protocol. All of this could change tomorrow, or we could go for another month and nothing changes. So it's going to be really difficult to get that good-quality night's sleep.
Graham (19:43):
Sorry, IT managers.
CJ (19:43):
Yeah, sorry about that. But hopefully some of the stuff and the expertise we can bring can at least mean that you get a bit of a doze.
Graham (19:48):
Nice.
Gary (19:50):
I think "it's not paranoia, they are after you" is quite an appropriate phrase to use, but I think there's another one which is equally as important, and that's become comfortable with being uncomfortable. What we don't want to do is, say, lie awake at night sweating because bad things are going to happen. We have to get to a point, both from a technological perspective and a human/process perspective, where we are comfortable in the fact that if the bad thing happens, we have the ability to survive that bad thing.
CJ (20:27):
And we've done everything possible about it. We get them down into data security. What are we going to do if a meteor strikes the building? Now again, we actually have this kind of stuff in some of our policies and process and when we did-
Graham (20:38):
Part of Dan's scenario planning.
CJ (20:40):
Yeah, yeah, absolutely. But conversely, we've got bigger things to worry about if a meteorite takes out the data center. So there's a certain amount you need to worry and you need to [inaudible 00:20:47], but I don't lie awake at night worrying if a meteorite's going to hit the data center.
Graham (20:51):
Sure. Well guys, that's been fascinating, and it's been really good to talk about all things security. Again, we could probably sit here for another couple of hours, just chewing stuff over. But I think it's been really good to get that perspective from all of you, so thank you for all your time. So that's a wrap for this week's Fasthosts ProActive podcast on security, and I hope everyone out there that's listening has found the subject of interest and you all feel a little bit more informed. What's coming up next? I hear you ask. Well, we're all going to be talking about deciphering infrastructure metrics, and how much data do we actually need, and is it all important? So Dan, Gary and CJ, thanks very much for your time this morning, and we'll see you all again in a month's time.
CJ (21:33):
Stay secure.
Outro (21:36):
Thank you for listening. We hope you enjoyed this episode. You can subscribe on Spotify or Apple Podcasts, or visit proactive.fasthost.co.uk for more info. See you next time.