As organizations continue to deal with the effects of the COVID-19 pandemic, CIOs must invest in activities to harden all, or most, elements of their IT infrastructures -- if they have not done so already.
Hardening IT infrastructure is simply increasing the security posture of virtually all components within the infrastructure, including devices, software, network services and facilities.
Among the infrastructure elements that must be hardened are servers of all kinds, applications, databases and OSes. They can also include network services; devices that connect to networks; equipment that secures network perimeters; facilities, including data centers and equipment rooms that contain servers and network devices; and utilities, such as power, water and sewer.
The following diagram is a basic depiction of how a hardened IT data center looks in the enterprise.
Virtually all elements in the data center have some degree of hardening. As we'll examine here, true IT hardening is more than enhancing security for servers and critical software. It's not only about hardening logical security, but also addressing the physical security as unauthorized access into a data center could result in damage that goes far beyond software damage.
The good news is that infrastructure hardening technologies are readily available and can be added to existing environments, often with minimal disruption to production activities. However, to be extra prudent, it's important to test hardening products in a test environment -- if available -- to protect the integrity of production systems.
Here are some specific tasks CIOs should lead to harden key areas of their IT environment:
In addition to the perimeter hardening technologies noted in Figure 1, CIOs should build security using a defense-in-depth approach by initiating security activities for each layer, in addition to the latest firewall and intrusion detection/prevention systems rules.
While the above are highly proactive for perimeter hardening, there are two additional initiatives that CIOs should consider: vulnerability scanning and penetration testing (pen testing). These techniques thoroughly examine the internal condition of the infrastructure and identify possible anomalies for follow-up.
Software such as virus detection, distributed denial of service (DDoS) attack analysis, ransomware analysis and phishing attack analysis provide yet another layer of defense. A strategy of continuous security posture assessment and hardening helps reduce the likelihood of cyber attacks, especially considering the sophistication of today's cybercriminals.
In addition to the hardware and software tools that act as active frontline defense methods to hardening IT infrastructures, CIOs should consider establishing policies and procedures for infrastructure hardening. It may be that hardening activities are part of day-to-day IT operations, but it also makes sense to document these activities, especially if an IT audit is being planned.
IT general controls (ITGCs) include numerous controls and metrics examined by IT auditors. Activities and initiatives mentioned above are among the ITGCs being audited. Key ITGCs include organization and management, communications, logical access security, physical and environmental security, change management, risk management, monitoring of controls, system operations, system availability, backup and recovery, incident management, and policies and procedures.
Hardening activities are included as part of the control matrix in several categories -- i.e., physical and logical security, environmental security, change management, system operations and availability, and backup and recovery.
Based on the above discussions, we've provided the following guidelines to ensure success when implementing hardening activities:
28 Sep 2020