Posts Tagged 'Corporate'

November 14, 2012

Risk Management: Securing Your Servers

How do you secure your home when you leave? If you're like most people, you make sure to lock the door you leave from, and you head off to your destination. If Phil is right about "locks keeping honest people honest," simply locking your front door may not be enough. When my family moved into a new house recently, we evaluated its physical security and tried to determine possible avenues of attack (garage, doors, windows, etc.), tools that could be used (a stolen key, a brick, a crowbar, etc.) and ways to mitigate the risk of each kind of attack ... We were effectively creating a risk management plan.

Every risk has a different probability of occurrence, potential damage, and prevention cost, and the risk management process helps us balance the costs and benefits of the various security measures. When it comes to securing a home, the most effective protection comes from using layers of different methods ... To prevent a home invasion, you might lock your door, train your dog to turn intruders into chew toys and have an alarm system installed. Even if an attacker can get a key to the house and bring some leftover steaks to appease the dog, the motion detectors for the alarm are going to have the police on their way quickly. (Or you could violate every HOA regulation known to man by digging a moat around the house, filling it with sharks with laser beams attached to their heads, and building a medieval drawbridge over the moat.)

I use the example of securing a house because it's usually a little more accessible than talking about "server security." Server security doesn't have to be overly complex or difficult to implement, but its stigma of complexity usually prevents systems administrators from incorporating even the simplest of security measures. Let's take a look at the easiest steps to begin securing your servers in the context of their home security parallels, and you'll see what I'm talking about.

Keep "Bad People" Out: Have secure password requirements.

Passwords are your keys and your locks: the controls you put in place to ensure that only the people who should have access get it. There's no "catch-all" method of keeping bad people out of your systems, but employing a variety of authentication and identification measures can greatly enhance the security of your systems. A first line of defense for server security is to set password requirements: a minimum length and complexity, a minimum password age (so a user can't immediately cycle back to an old password) and a maximum password age. One caveat on that last item: current NIST guidance (SP 800-63B) recommends against forcing periodic changes when there is no evidence of compromise, because scheduled rotation mostly produces predictable variations of the old password; screening new passwords against lists of known-breached passwords does more good than rotation on a calendar.
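As an added example (not the author's code), here is what those requirements look like as a checkable policy. It assumes a Linux-style account record in which the last password change is stored as a count of days since the epoch, as in the third field of /etc/shadow, and uses a small constructed set in place of a real breach corpus; the names Policy, check_password and check_age are the example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed stub standing in for a real breach corpus (a production check
# would query a full list, e.g. via a k-anonymity API, not a four-entry set).
BREACHED = {"password", "welcome1", "summer2012", "letmein"}


@dataclass
class Policy:
    min_length: int = 12
    min_classes: int = 3     # out of: lowercase, uppercase, digit, symbol
    min_age_days: int = 1    # stops a user cycling straight back to an old password
    max_age_days: int = 0    # 0 = no scheduled rotation; rotate on compromise instead


def char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)


def check_password(username: str, pw: str, policy: Policy) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(pw) < policy.min_classes:
        problems.append(f"uses fewer than {policy.min_classes} character classes")
    if username.lower() in pw.lower():
        problems.append("contains the username")
    if pw.lower() in BREACHED:
        problems.append("appears in a breach list")
    return problems


def check_age(last_change_day: int, today_day: int, policy: Policy) -> list[str]:
    """Apply min/max age to an account; both arguments are days since the epoch,
    the unit /etc/shadow uses for its 'last changed' field (assumed layout)."""
    age = today_day - last_change_day
    problems = []
    if age < policy.min_age_days:
        problems.append("changed too recently (min age not met)")
    if policy.max_age_days and age > policy.max_age_days:
        problems.append("expired (max age exceeded)")
    return problems


if __name__ == "__main__":
    pol = Policy()
    print(check_password("mwalker", "Summer2012", pol))               # two violations
    print(check_password("mwalker", "correct-Horse-battery-9", pol))  # []
    print(check_age(15600, 15700, Policy(max_age_days=90)))           # expired
```

The default of no maximum age follows the caveat above; set max_age_days only where a compliance regime still demands scheduled rotation, and keep the breach-list check regardless.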

If you want to add another layer at the authentication level, you can require multi-factor ("strong" or "two-factor") authentication, so that a stolen password alone isn't enough to get in. From there you can move to centralized authentication and authorization protocols such as TACACS+ and RADIUS, or use Active Directory groups to simplify granting and restricting access to your systems from one place. Each layer of authentication security has benefits and drawbacks, and most often you'll want to weigh the security risk against your need for ease of use and availability as you plan your implementation.

Stay Current on your "Good People": When authorized users leave, make sure their access to your system leaves with them.

If you gave your neighbor a key to your tool shed while he was finishing his renovation, and he has stopped returning the tools he borrows, you need to take the key back when you tell him he can't borrow any more. If you don't, nothing is stopping him from walking over to the shed when you're not looking and taking more (all?) of your tools. I know it seems like a silly example, but that kind of thing is a big oversight when it comes to server security.

Employees are granted only the access they need to perform their duties (the principle of least privilege), and when they no longer require that access, the "keys to the castle" should be revoked. Auditing who has access to what (for your systems and for your applications alike) should be continual.

You might have processes in place to grant and remove access, but it's also important to audit those privileges regularly to catch any breakdowns or oversights. The last thing you want is to have a disgruntled former employee wreak all sorts of havoc on your key systems, sell proprietary information or otherwise cost you revenue, fines, recovery efforts or lost reputation.
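An added example (not from the post) of what such an audit looks like in practice: the script cross-references a constructed list of accounts against a constructed HR roster and a hypothetical role-to-group map, and flags accounts whose owner has left, whose group membership exceeds what their role needs, whose owner HR has never heard of, or that have not logged in for a long time. All names, IDs and dates are made up for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    username: str
    owner: str               # employee ID the account was provisioned for
    groups: set[str]
    last_login: date | None  # None = never logged in interactively


# Constructed HR roster: employee ID -> (still employed?, job role)
HR_ROSTER = {
    "E100": (True, "sysadmin"),
    "E101": (False, "contractor"),   # contract ended; nobody took the key back
    "E102": (True, "developer"),
}

# Hypothetical least-privilege map: the groups each role is supposed to need.
ROLE_GROUPS = {
    "sysadmin": {"wheel", "ops"},
    "developer": {"dev"},
    "contractor": {"dev"},
}

# Constructed account inventory, e.g. pulled from /etc/group or a directory.
ACCOUNTS = [
    Account("alice", "E100", {"wheel", "ops"}, date(2012, 11, 10)),
    Account("bob", "E101", {"dev", "ops"}, date(2012, 8, 1)),
    Account("carol", "E102", {"dev", "wheel"}, date(2012, 11, 12)),
    Account("svc_backup", "E100", {"ops"}, None),
    Account("dave", "E999", {"dev"}, date(2012, 3, 3)),   # owner unknown to HR
]

REVIEW_DATE = date(2012, 11, 14)


def review(accounts, roster, role_groups, today, stale_days=90):
    """Return findings as (username, reason) tuples, in inventory order."""
    findings = []
    for acct in accounts:
        if acct.owner not in roster:
            findings.append((acct.username, "owner not in HR roster"))
            continue
        employed, role = roster[acct.owner]
        if not employed:
            findings.append((acct.username, "owner no longer employed: revoke"))
            continue
        extra = acct.groups - role_groups.get(role, set())
        if extra:
            findings.append((acct.username, f"groups beyond role {role}: {sorted(extra)}"))
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.username, f"no login in {stale_days} days: disable or justify"))
    return findings


if __name__ == "__main__":
    for user, reason in review(ACCOUNTS, HR_ROSTER, ROLE_GROUPS, REVIEW_DATE):
        print(f"{user}: {reason}")
```

The two data sources are the whole point: the account inventory comes from the systems, the roster comes from HR, and the review is only as good as the join between them. The service account turns up as "never logged in" not because it is wrong but because it needs an owner and a written justification, which is what the reviewer should be asked to supply.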

Catch Attackers: Monitor your systems closely and set up alerts if an intrusion is detected.

There is always a chance that bad people are going to keep looking for a way to get into your house. Maybe they'll walk around the house to try and open the doors and windows you don't use very often. Maybe they'll ring the doorbell and if no lights turn on, they'll break a window and get in that way.

You can never completely eliminate all risk. Security is a continual process, and eventually some determined, over-caffeinated hacker is going to find a way in. Believing your security is impenetrable is itself a vulnerability, because you'll have no plan for the day an attacker gets through anyway (see: Trojan Horse). Continuous monitoring can alert administrators when someone does something they shouldn't be doing. Think of it as a motion detector in your house ... "If someone gets in, I want to know where they are." When you implement monitoring, logging and alerting, you can also recover more quickly from a breach, because the logs show what was touched, by whom and when. Two caveats: a log only records what you've configured it to record (file access auditing, for instance, is off by default on most systems), and logs kept only on the compromised host are the first thing an intruder edits, so ship them somewhere the attacker can't reach.
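An added example of the "motion detector" (not from the original post): the detection logic below runs over a few constructed sshd log lines in the format syslog writes on Linux, and raises an alert for a burst of failed logins from one address and for a successful login that follows such a burst. The year is assumed, since syslog timestamps omit it, and the five-failures-in-five-minutes threshold is a tuning choice for the example, not a standard.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Nov 14 03:12:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Nov 14 03:12:03 web01 sshd[2233]: Failed password for root from 203.0.113.9 port 51240 ssh2
Nov 14 03:12:05 web01 sshd[2235]: Failed password for root from 203.0.113.9 port 51244 ssh2
Nov 14 03:12:08 web01 sshd[2237]: Failed password for root from 203.0.113.9 port 51250 ssh2
Nov 14 03:12:10 web01 sshd[2239]: Failed password for root from 203.0.113.9 port 51255 ssh2
Nov 14 03:12:14 web01 sshd[2241]: Accepted password for root from 203.0.113.9 port 51260 ssh2
Nov 14 03:20:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Nov 14 03:20:30 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text: str, year: int = 2012) -> list[tuple]:
    """Turn sshd auth lines into (timestamp, result, method, user, ip) tuples.
    The year is an assumption: syslog's classic timestamp does not carry one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines this example doesn't model are skipped, not errors
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list[str]:
    """Rules: (1) >= threshold failures from one IP inside `window` -> brute-force alert;
    (2) an accepted login from an IP that was brute-forcing -> high-priority alert;
    (3) an accepted login preceded by any recent failure from that IP -> review alert."""
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    bruted = set()
    for ts, result, method, user, ip in events:
        recent = [t for t in failures[ip] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in bruted:
                bruted.add(ip)
                alerts.append(f"BRUTE_FORCE {ip}: {len(recent)} failures within {window}")
        else:
            failures[ip] = recent
            if ip in bruted:
                alerts.append(f"SUCCESS_AFTER_BRUTE_FORCE {ip}: {user} via {method} at {ts:%H:%M:%S}")
            elif recent:
                alerts.append(f"SUCCESS_AFTER_FAILURES {ip}: {user} via {method} after {len(recent)} failure(s)")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Note the third alert: alice mistyped a password once and then logged in with her key, which is almost certainly benign. That is the trade-off in this layer: a rule sensitive enough to catch the root login after a brute-force run will also mention some normal activity, so route the low-severity rule to a daily review and reserve the pager for the first two.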

Minimize the Damage: Lock down your system if it is breached.

A burglar smashes through your living room window, runs directly to your DVD collection, and takes your limited edition "Saved by the Bell" series box set. What can you do to prevent them from running back into the house to get the autographed poster of ALF off your wall?

When you're monitoring your servers and you get alerted to malicious activity, you're already late to the game ... The damage has already started, and you need to minimize it. In a home security environment, that might involve an ear-piercing alarm or filling the moat around your house even higher so the sharks get a better angle to aim their laser beams. On a server, file integrity monitors and intrusion detection/prevention software play that role: a file integrity monitor flags files whose checksums no longer match the known-good baseline so you can restore them from a clean copy, and an intrusion prevention system (an IDS that is allowed to act, not just report) can drop the offending traffic or kill the process in its tracks.

These recommendations are only a few of the first-line layers of defense when it comes to server security. Even if you're only able to incorporate one or two of these tips into your environment, you should. When you look at server security in terms of a journey rather than a destination, you can celebrate the progress you make and look forward to the next steps down the road.

Now if you'll excuse me, I have to go to a meeting where I'm proposing moats, drawbridges, and sharks with laser beams on their heads to SamF for data center security ... Wish me luck!

-Matthew

September 20, 2011

SoftLayer.com Website Refresh

Recently, the SoftLayer Marketing team refreshed our corporate website. You may have already seen one of the most obvious changes: an updated homepage.

While minor updates to the look and feel of the site have been made over the last two years (adding solid colors to the main tabs, increasing the use of text inside buttons, etc.), the essential layout of the homepage hasn't changed since December of 2008! We were due for a refresh.

Our updated homepage features a simplified layout with new graphics. Special offers and new products get a large-format banner, which clearly introduces visitors to what we are offering in a way that is more eye-catching than before. Check out the difference between the old-style banners and the new-style banners:

BEFORE: [image: SoftLayer.com homepage with the old-style banner]

NOW: [image: SoftLayer.com homepage with the new-style banner]

Below the main banner, we replaced the solid red banner shapes with ones that incorporate photos and colorful graphical elements. Here's the new design for our Dedicated Server and CloudLayer Computing banners:

[image: SoftLayer.com homepage, new Dedicated Server and CloudLayer Computing banners]

Our primary navigation layout has also changed. We now highlight our three main product offerings – Dedicated Servers, CloudLayer Computing, and Managed Hosting – with red tabs that contrast with our other grey tabs, as shown below:

[image: SoftLayer.com homepage, primary navigation tabs]

We have also re-organized many of our information pages to make our offerings more clear and to make content easier to find.

The list of changes goes on: enhanced contact buttons on the right of each page to make it easier for website visitors to get hold of us, a new approach to the links at the top and bottom of every page, and so on.

And while this site update gives the site a refreshed look and feel, we are by no means finished. You'll find a lot more going on at www.softlayer.com in the weeks and months to come.

-Brad

May 31, 2007

If You Can't Beat 'em - Sue 'em!!

I just ran across an article that grossly embarrasses me to be associated with the legal profession. In a recent NetworkWorld article I found the following paragraph:

Lawsuits are a fact of life for organizations today. Recent surveys show that the average U.S. company faces 305 suits at any one time; that number jumps to 556 for companies with $1 billion or more in revenue.

As a licensed attorney I realize that legitimate disputes do exist between parties. I take no issue with legitimate disputes. I do find it hard to believe that the average U.S. company has over 305 active lawsuits at any one time!!

As a consumer of goods and services (individual or business), you should be angered by false and litigious lawsuits because the cost is ultimately borne by you, the end consumer.

The truly alarming trend in business litigation is companies suing each other for “strategic purposes.” These cases are filed and announced in press releases as the plaintiff shouts from the courthouse steps. These types of cases have very little to do with the law, include very fuzzy causes of action and seem to languish endlessly. The goal is to slow down a competitor, burn money, waste productive resources and disparage companies.

Has corporate America forgotten how to compete? Does corporate America really feel like it must lie, cheat and manipulate the legal system to achieve its business goals? Didn't we learn from Michael Milken and his bond trading, Enron and its financial house of cards, and Tyco and its outlandish expenditures that cheating the system never results in a long-term victory? Just because other companies are doing it doesn't make it right. Looking down the road, some company will be "the example" when the day comes to reform the system.

Personally, I think the penalty for a plaintiff abusing the legal process by filing a “strategic suit” should be the death penalty and the lawyers should be disbarred. That should be a sufficient deterrent for potential future players. Let’s not create SarBox for the legal profession because we abused the intended use.  Business Ethics should apply all the time, not just when required by law.

-@lavosby
