Cloud Security Requirements - part 2

This blog series consists of a detailed set of cloud security requirements that can be used by any organization that wants to implement cloud services securely. The requirements expressed below are cloud agnostic and can be applied to any public cloud, or even to private clouds.

The sub-domain and requirement description are mapped to ISO 27002:2013 controls and standards. The overall theme of this blog series covers all the cloud security controls stated in the NIST 800-53 series.

Domain: DevSecOps and CI/CD

Sub-domain: Governance
Requirement: Application Risk Categorization
Description: All applications shall be categorized by risk. Risk can be categorized as internal, external, or strategic (e.g., weak cryptographic standards could lead to the application being compromised in production, so this can be marked as high risk).

Sub-domain: Construction
Requirement: Third-Party Components
Description: Any third-party components that may be used in any software development cycle shall be documented.

Sub-domain: Verification
Requirement: Automated Code Analysis Tools (Security)
Description: Automated code analysis tools with specific components for detecting security issues shall be used.

Sub-domain: Verification
Requirement: Penetration Testing
Description: Penetration tests shall be performed prior to release to production.

Sub-domain: Deployment
Requirement: Third-Party Components Security Updates
Description: Third-party software components' websites shall be regularly reviewed for any security-related updates.

Sub-domain: Deployment
Requirement: Patch Management Process
Description: A single process shall be used for applying upgrades and patches to applications.

Sub-domain: Deployment
Requirement: Operational Environment Automation
Description: Software engineering shall use automated tools to evaluate the operational environment and application-specific health.

Sub-domain: Deployment
Requirement: Security Alerts and Errors
Description: Security-related alerts and error conditions for all released applications

Sub-domain: Deployment
Requirement: Change Management Process
Description: A common change management process shall be used, and all software engineers shall be trained on that process.

Sub-domain: Deployment
Requirement: Secure Code Signing
Description: All released code shall be securely signed using a single, consistent process.

Are you ready to audit and secure your cloud environment? Contact our security specialists today!

Cloud Security Requirements - part 1

Domain: Governance, Risk and Compliance

Sub-domain: Governance and Oversight
Requirement: Management Support
Description: Security shall be actively supported through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. This includes senior leadership review of the security policy at planned intervals (or when significant change occurs) to coordinate and update changes that keep the policy aligned with, and relevant to, business, legal, or other requirements.

Sub-domain: Governance and Oversight
Requirement: Architecture
Description: Reference architectures that address the following shall be developed:
*  Cloud architecture
*  Development environment
*  Test environment
*  Support environment (including remote access, administrative workstations)
The reference architectures shall delineate points of demarcation of responsibilities between different groups and identify the security controls in place.

Sub-domain: Governance and Oversight
Requirement: Security Program Audit/Assessment
Description: Audit and assessment plans to validate and track compliance with internal and external requirements at scheduled and required intervals shall be developed. This includes:
a. Develop a security assessment plan that describes the scope of the assessment, including:
    i. Security controls and control enhancements under assessment
    ii. Assessment procedures to be used to determine security control effectiveness
    iii. Assessment environment, assessment team, and assessment roles and responsibilities
b. Assess the security controls in the information system at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
c. Produce a security assessment report that documents the results of the assessment
d. Provide the results of the security control assessment, in writing, to the authorizing official or the authorizing official's designated representative
e. Employ an independent assessor or assessment team to conduct an assessment of the security controls in the information system

Sub-domain: Governance and Oversight
Requirement: Data Retention
Description: Handle and retain both information within, and output from, IT systems in accordance with applicable national and local laws, executive orders, directives, policies, regulations, standards, and operational requirements.

Sub-domain: Governance and Oversight
Requirement: Policies
Description: A set of policies for information security shall be defined, approved by management, published, and communicated to employees and relevant external parties. Policies shall include the following:
*  Encryption
*  User access
*  Privileged access
*  Monitoring
*  Coordination with law enforcement

Sub-domain: Governance and Oversight
Requirement: Policy Enforcement
Description: Information security policies shall be enforced by management.

Sub-domain: Governance and Oversight
Requirement: Standards
Description: Standards shall be developed and implemented for:
*  SDLC
*  Separation of development, test, and operational environments
*  Security testing before and after implementations
*  Secure configuration of systems (hosted, development, administrative)

Sub-domain: Operating Model and Business Alignment
Requirement: Segregation of Duties
Description: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Sub-domain: Operating Model and Business Alignment
Requirement: Roles and Responsibilities
Description: Security roles and responsibilities of employees, contractors, and third-party users shall be clearly defined and documented in accordance with the information security policy.

Sub-domain: Risk Management
Requirement: Risk and Mitigation Tracking
Description: Track risks, and develop and execute mitigation efforts, so that risks are mitigated to an acceptable level (based on established risk criteria) within reasonable timeframes and with executive approval.

Sub-domain: Risk Management
Requirement: Non-compliance Management
Description: Procedures shall exist to ensure that issues of non-compliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

Sub-domain: Risk Management
Requirement: Remediation Tracking
Description: Remediate, and track progress toward remediation of, areas of non-compliance, to include:
a. Developing a plan of action and milestones for the information system to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls, and to reduce or eliminate known vulnerabilities in the system
b. Updating the existing plan of action and milestones each quarter, based on the findings from security control assessments, security impact analyses, and continuous monitoring activities

Sub-domain: Security Culture
Requirement: Training and Awareness
Description: A training and awareness program focused on cloud product security shall be in place. The program shall include:
*  Reviewing risks
*  Reviewing the actions each group shall take to treat risks
*  Training and testing participants in their responsibilities
*  Requiring participants to pass before being allowed to participate in the development and support of cloud products

Sub-domain: Security Culture
Requirement: Security Policies
Description: Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies shall be authorized by business leadership (or another accountable business role or function) and supported by a strategic business plan and an information security management program, inclusive of defined information security roles and responsibilities for business leadership.

Documented procedures shall be used to facilitate the implementation of the information security policy and associated controls. Documented procedures shall address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, and shall cover, at a minimum, the following areas:
a. Access control
b. Security awareness and training
c. Audit and accountability
d. Security assessment and authorization
e. Configuration management
f. Contingency planning
g. Identification and authentication
h. Incident response
i. Information system maintenance
j. Media protection
k. Physical and environmental protection
l. Security planning
m. Personnel security
n. Risk assessment
o. System and services acquisition
p. System and communications protection
q. System and information integrity

Are you ready to audit and secure your cloud environment? Contact our security specialists today!

COVID-19 brings unexpected IT challenges

How do we rapidly enable work from home while protecting corporate resources?

Enabling a remote workforce is no trivial challenge in the best of times, and it can seem especially daunting when rolling out during a global crisis.
Many organizations needed to transition their workforce to remote work overnight.

We face several challenges simultaneously:

  • We must ensure our people can be productive while working remotely – that includes making sure they have the right tools. We may need to get people new devices or enable use of personal devices.
  • We’re all experiencing serious spikes in remote app access, which puts a lot of pressure on VPN scalability for on-premises app access.
  • And, of course, bad actors are looking to take advantage of the crisis – we’re seeing increases in cybersecurity threats attempting to exploit the situation.

Contact us today for a FREE security consultation! Let our security experts audit and propose security fixes to your environment.

Secure remote work – part 3

What remote work symptoms are the customers experiencing?

  • We are worried about our data now that everyone is working remotely.
  • New cybersecurity threats are rapidly increasing due to the remote work situation–especially phishing.
  • Risk of confidential information getting leaked out of the company.
  • Don’t have a handle on all of the cloud app usage–and the potential security risks.

We can help you get a handle on protecting your apps and data as work gets done remotely, while easing the burden of stopping new attacks.

Contact us today for a FREE security consultation!

Secure remote work – part 2

What remote work symptoms are the customers experiencing?

  • All of our workers are remote, which makes managing their devices a challenge.
  • We expect that some people will be using their own devices to get work done.
  • We need to get new devices quickly provisioned and shipped to our remote workers.
  • We’re struggling with managing the device lifecycle remotely.

We have a solution for your problems: we can help you simplify the management of your remote devices, and protect the apps and organizational data that live on those devices.

Contact us today for a FREE security assessment of your remote work environment!

Secure remote work – part 1

All customers face a dual challenge: they have to keep their organization moving while protecting against new security threats that have emerged due to the rapid and universal move to remote work.

What remote work symptoms are the customers experiencing?

  • Keeping up with the sheer volume of remote workers who need access to apps and info.
  • Remote workers are scattered across the globe.
  • We need to provide access to vendors and third parties to get the work done.
  • Mixed apps that include on-prem and cloud make it hard to provide consistent access.
  • Worried about VPN scalability.

Solution: we can help you quickly provide secure and scalable access to your apps, whether they are on-prem or cloud-based, by enabling remote access to apps.

Contact us today for a FREE security consultation about your remote work environment!

Top 4 questions to ask yourself about security

Is your nonprofit prepared to handle increasing cybersecurity threats?

  • Do you know who is accessing your data?

Go beyond passwords and protect against identity compromise, while automatically identifying potential breaches before they cause damage.

  • Can you manage access to your data and assets based on risk in real time?

Manage organization-owned and employee-owned devices to encrypt data and ensure compliance, automatically detect suspicious activities, and quickly block, quarantine, or wipe compromised devices.

  • Can you quickly find and react to a breach?

Help proactively guard against threats, use advanced analytics to identify breaches, and automate responses organization-wide.

  • Can you help protect your data on devices, in the cloud, and in transit?

Safeguard content in creation, transit, and consumption. Use cloud applications without putting organization information at risk, by adding protections ranging from access privileges to data encryption.

Protect your nonprofit from unnecessary security risks.

As a Microsoft partner, we can help you better manage your identity and access controls, secure links and attachments in emails, and stop breaches before they escalate in severity. If your answers to the questions above have raised concerns about managing cybersecurity in your organization, contact us to learn how Microsoft 365 can help protect you against today's evolving security threats.

Contact us for a free security assessment and to learn more.

Customer Story: Think Up Consulting

Looking to streamline operations, increase efficiency and remain secure?  

Learn from the experience of Think Up Consulting — a young, fast-growing agency in South Carolina that uses Microsoft Teams, Microsoft 365 Business and Windows 10 to increase productivity and do more. 

With 39 team members and 45 ongoing projects at any given time, Think Up Consulting is always exploring and adapting new technology to increase efficiency and better meet customer needs.

Check out Think Up’s story and contact us to learn how NovaQuantum can help your company use Windows 10 and Microsoft 365 Business to increase productivity and security.

Windows 10 + Microsoft 365 benefits

Work better together and increase productivity

Windows 10 and Microsoft 365 help teams work better together with better tools—from any location:

  • Streamline collaboration—Integrate team chats, meetings, and files in one place to increase productivity with Microsoft Teams.
  • Improve performance with intelligent capabilities—Gain instantaneous analysis from intelligent services like Editor, Designer, and Smart Lookup with capabilities built into Microsoft 365.
  • Enable work from almost anywhere, on any device—Provide secure remote access to employees working from personal devices.

Simplified for you, with reduced cost

Free up resources and reduce IT costs over time with Microsoft by simplifying device management and staying up to date:

  • Receive more value—Windows 10 and Microsoft 365 come with features and apps as they are added at no additional cost.
  • Deploy intelligent applications and tools—Work smarter, not harder, with the latest Office apps and intelligent capabilities to enable your employees.
  • Save time on device management—Windows 10 and Microsoft 365 continually update across all apps, so you don’t have to worry about updates, giving you time back.

Securely run and grow your business with enhanced security

Protect against external threats and leaks with security and compliance tools built into your devices.

  • Leverage built-in automated threat intelligence—Threat-protection technologies in Windows 10 help protect against spam, malware, viruses, phishing attempts, malicious links, and other threats.
  • Ensure secure remote access across all devices—Windows 10 and Microsoft 365 continually update across all apps, so you don’t have to worry about upgrades, keeping you compliant and secure.
  • Control access to sensitive business information—Proactively safeguard your organization with enterprise-level security on all apps and devices.