@CloudExpo Authors: Ed Featherston, Yeshim Deniz, Dalibor Siroky, Liz McMillan, Rostyslav Demush

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Microsoft Cloud, Agile Computing, Cloud Security

@CloudExpo: Article

Proverb: When a Door Closes, Just Make Sure You Don't Leave a Window Open

Not every employee leaves a company with a gold watch and a handshake.

Earlier this month I attended a local cloud developers group, and I met a gentleman who consults with companies to engage in deep dive forensic examinations of their networks. He looks for the virtual fingerprints of misdeeds, fraud, and misdoings that can be used for e-discovery in legal cases. He essentially gets down to the bits and bytes of how much information flows to certain IP addresses to ascertain whether or not proprietary data has been tampered or stolen.

He confirmed something that I long believed to be true. One of the greatest threats to an organization comes from within. Not everyone who exits a company leaves with a handshake and a gold watch. Often time there are hard feelings; that the employer wronged the former employee and that employee will exact a matter of revenge or feel justified to extract some sort of perceived compensation. This includes everything from the outright theft of sales leads and databases, to accessing their company email account to send “nasty-grams” to customers and other employees, to malicious sabotage. I am aware of several specific incidents where someone knowingly introduced malware into the company network.

Now this isn’t meant for you to look sideways at the person sitting in the next cubicle. However, access policies  needs to be a part of any company’s  internal risk assessment and security policy.

One of the easiest ways to prevent the disgruntled employees is to bar their access. Seems straight-forward enough, right? If it were the case, it really wouldn’t continually rank as one of the top threats to networks. The problem is that there are so many moving parts to properly dismiss an employee.  Sure there’s someone watching them pack up their physical belongings and making sure they don’t leave a little goodbye gift on the network on their way out. But if the tap is left on, the employee can come in hours, days or weeks later and create unnecessary havoc.

And the more diverse the enterprise (multiple divisions, brands, franchises, etc…), the harder it is to keep tabs on the coming and going of legitimate employee access.

Case in point:  I know of a national enterprise that franchises their individual locations to independent operators. Each franchisee is free to hire and fire their own staffs. Every staff member has a corporate email account and is allotted certain access to corporately managed applications. So, we are talking thousands of employees with a large enough churn rate to raise some issues with corporate headquarters.

There is a definitive need to promote franchise autonomy while still assuring adherence to corporate access and usage policies. The quick answer is a policy of provisioning and de-provisioning. There are plenty of solutions that accomplish this. Identity management and access management is not a new concept…even via the cloud. The trick is to create an easy-to-use, cost effective process to create self-service that allows the franchisee to add new employees and automatically give them certain rights based on their role. Conversely, when an employee leaves the company, there must be an equally simple way to retire the account and prevent anyone from using that account to access corporate information.

The key word is automatically.

So before the termination paperwork reaches the headquarters in Fort Meyers, Florida, the franchise manager in Rhode Island or Honolulu can inactivate the employee’s access via self-service. With a single keystroke in the IDM solution and their access to email ceases; their ability to get on the network and access files is blocked; their accounts to every application is removed. Even if  a manager forgets, the central system can take steps to assess usage. If an account is dormant for 10 days or 3 weeks (examples not hard and fast rules), it is marked for inactivity and retired.

But bolting the door behind them, doesn’t mean they don’t know how to pick the lock. This is part of our cautionary tale that keeps the forensic investigator busy.

This is also where the benefit of unified security comes into play. You’ve used your IDM investment to remove the credentials, but that doesn’t mean the motivated insider won’t try. Because of continuous monitoring practices (in real time) you can generate alerts if anyone tries to access retired accounts, tries to change a password, or generates multiple login failures in a short period of time. A system that leverages IDM with SIEM and log management, not only receives the alert, but sees the IP address (and other identifying attributes) of who is attempting access.

Now for argument’s sake, let’s say they were particularly bright and used some shadow IT shenanigans to back door into your network. Real time monitoring will still catch the access attempt and also recognize if any proprietary asset is changed, downloaded or modified. In that it is real time and not simply logged, gives you a strong chance to repel or immediately respond to the attack. As I have said in several blogs, unless you have the budget, the IT sophistication and the resources, having all of these concurrent initiatives can be seen as a luxury—unless you package them as a security as a service platform from the cloud. The ability to leverage a variety of capabilities—have them “talk” to one another across multiple information silos, physical locations, various applications and divisions. When you can centralize them, it creates a unique advantage that strengthens your position to ensure  a former employee cannot take advantage of your sensitive data and proprietary assets.

And before I forget…make sure in your written employment policies you address BYOD. That way you retain the option/right to completely or partially wipe their personal devices upon termination of employment.

I’ll leave you with another old proverb: “The key that opens is also the key that locks.”

Kevin Nikkhoo

Cloud Access

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@CloudExpo Stories
Blockchain. A day doesn’t seem to go by without seeing articles and discussions about the technology. According to PwC executive Seamus Cushley, approximately $1.4B has been invested in blockchain just last year. In Gartner’s recent hype cycle for emerging technologies, blockchain is approaching the peak. It is considered by Gartner as one of the ‘Key platform-enabling technologies to track.’ While there is a lot of ‘hype vs reality’ discussions going on, there is no arguing that blockchain is b...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settle...
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily own their code into production, but want to use platforms instead of raw automation. That’s changing the landscape that we understand as DevOps with both architecture concepts (CloudNative) and process redefinition (SRE). Rob Hirschfeld’s recent work in Kubernetes operations has led to the conclusion that containers and related platforms have changed the way we should be thinking about DevOps and...
The need for greater agility and scalability necessitated the digital transformation in the form of following equation: monolithic to microservices to serverless architecture (FaaS). To keep up with the cut-throat competition, the organisations need to update their technology stack to make software development their differentiating factor. Thus microservices architecture emerged as a potential method to provide development teams with greater flexibility and other advantages, such as the abili...
Product connectivity goes hand and hand these days with increased use of personal data. New IoT devices are becoming more personalized than ever before. In his session at 22nd Cloud Expo | DXWorld Expo, Nicolas Fierro, CEO of MIMIR Blockchain Solutions, will discuss how in order to protect your data and privacy, IoT applications need to embrace Blockchain technology for a new level of product security never before seen - or needed.
Leading companies, from the Global Fortune 500 to the smallest companies, are adopting hybrid cloud as the path to business advantage. Hybrid cloud depends on cloud services and on-premises infrastructure working in unison. Successful implementations require new levels of data mobility, enabled by an automated and seamless flow across on-premises and cloud resources. In his general session at 21st Cloud Expo, Greg Tevis, an IBM Storage Software Technical Strategist and Customer Solution Architec...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - we've lost control, we've given up cost to a certain extent, and then security, flexibility," explained Steve Conner, VP of Sales at Cloudistics,in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Blockchain is a shared, secure record of exchange that establishes trust, accountability and transparency across business networks. Supported by the Linux Foundation's open source, open-standards based Hyperledger Project, Blockchain has the potential to improve regulatory compliance, reduce cost as well as advance trade. Are you curious about how Blockchain is built for business? In her session at 21st Cloud Expo, René Bostic, Technical VP of the IBM Cloud Unit in North America, discussed the b...
The use of containers by developers -- and now increasingly IT operators -- has grown from infatuation to deep and abiding love. But as with any long-term affair, the honeymoon soon leads to needing to live well together ... and maybe even getting some relationship help along the way. And so it goes with container orchestration and automation solutions, which are rapidly emerging as the means to maintain the bliss between rapid container adoption and broad container use among multiple cloud host...
In his session at 21st Cloud Expo, Michael Burley, a Senior Business Development Executive in IT Services at NetApp, described how NetApp designed a three-year program of work to migrate 25PB of a major telco's enterprise data to a new STaaS platform, and then secured a long-term contract to manage and operate the platform. This significant program blended the best of NetApp’s solutions and services capabilities to enable this telco’s successful adoption of private cloud storage and launching ...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
Imagine if you will, a retail floor so densely packed with sensors that they can pick up the movements of insects scurrying across a store aisle. Or a component of a piece of factory equipment so well-instrumented that its digital twin provides resolution down to the micrometer.
"Since we launched LinuxONE we learned a lot from our customers. More than anything what they responded to were some very unique security capabilities that we have," explained Mark Figley, Director of LinuxONE Offerings at IBM, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, answered these questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and co...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
Sanjeev Sharma Joins June 5-7, 2018 @DevOpsSummit at @Cloud Expo New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory? In her Day 2 Keynote at @DevOpsSummit at 21st Cloud Expo, Aruna Ravichandran, VP, DevOps Solutions Marketing, CA Technologies, was jo...
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the p...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...