/info/alibaba/security

Basic Security Concepts:

  • Create security policies. Document what your security requirements are, how these policies will be implemented, how to monitor and enforce these policies and consequences for not following policy. If you have not written down your security policies, how do you expect anyone to implement your security goals into their work? Once you create your security policy educate everyone on a recurring basis.

  • A security policy is not a static document. A security policy is a dynamic document that evolves over time. Security needs to be constantly reviewed, monitored and improved.

  • Assume that your system will be breached, forgotten about or discarded. Unless absolutely necessary, do not store critical information such as passwords, certificates or encryption keys on equipment.

  • You must design security into everything. This means end-to-end security. This means considering the desktops or clients that access the network, the network itself, the data that is stored and the processes (services) that access the data.

  • Understand the three AAAs. Authentication, Authorization and Accounting. Make sure that all of these items are part of your security policy.

  • Understand the term CIA. Confidentiality, Integrity and Availability. Make sure that all of these items are part of your security policy.

  • Unless absolutely necessary do not implement your own Identity Service. There are a number of companies that provide this service such as Facebook, Google, Twitter, etc.

  • Do not store passwords anywhere. Passwords are usually the weakest link in any security policy.

  • Encrypt everything and create a strong encryption key management policy. Remember, lose the encryption key, lose the data.

  • Your network infrastructure must be as secure as your servers. This includes wireless access points and Ethernet wall jacks.

  • Physical security. You must manage access to servers, networks, routers, firewalls, etc. If someone can physically access a piece of hardware, assume that it will be breached.

  • Carefully review and consider security as a service versus implementing your own homebrew system. For example, Alibaba offers KMS to manage encryption keys. How much time and effort will be required on your part to do a better job? The same concepts apply to identity services.

  • Carefully review endpoint security. Laptops, desktops and cell phones often have the keys to your kingdom. Assume that these devices will be lost or breached. How will you manage and protect yourself?

  • You are more likely to be breached by an employee, a former employee or a contractor (service company or individual) then a "hacker". You must implement security that protects your company from the inside as well as the outside.

  • Make your security policy part of your employment policy. If an employee can affect your security then you need policies in place to manage this. Password or key rotation, terminating access, etc. are just a few of the items that must be implemented.



15220 Main Street, Bellevue, WA 98007
T: 425-528-8500 - F: 425-528-8550 - E: neoprime@neoprime.io

Copyright 2018 NeoPrime LLC