As Netgain’s chief information security officer, I field ongoing questions regarding our security posture – not surprising given last year’s security incident and the dramatic increase in high-profile ransomware attacks in the past eight months.
The bulk of these questions dive straight into specifics about the tools and technology we use or the specifics behind our policies – both of which are important elements. But interestingly, the question that I’m asked infrequently is the one I think is most important – what are the underlying guiding principles that define our approach to security?
When considering information security, there is often an out-sized emphasis on individual security products and tools used to maintain a secure environment. Yet philosophical and design changes that impact architecture and configuration and a security-first mindset do far more to increase an organization’s security posture than any specific product.
I wanted to take this post to outline our core principles as part of outlining our approach and guiding principles to security at Netgain. In addition, I will briefly elaborate on the steps we’re taking to embody those principles.
From a high-level, Netgain has instituted a defense-in-depth approach to security that involves multiple layers of protection, combining technologies, controls, policies, and human expertise across a myriad of vectors to help prevent attacks, compress detection time, minimize the attack surface, and increase resiliency and data protection. Here are some of the core philosophies that drive those protection layers.
At its core, Security by Design means that security considerations are addressed at all stages of architecture and operations – from planning and design through to execution and remediation. This approach is a significant departure from industry norms that often attempt to retrofit security around pre-designed architecture and processes.
Across all our cloud offerings, Netgain follows this Security by Design model to ensure that information security considerations are part of every aspect of the organization, for example:
- Architecting our network with security as the foremost priority.
- Continuously training and educating our employees as part of reinforcing the human firewall.
- Calibrating key operational processes such as change management, problem resolution, incident management, etc. from a security lens.
- Investing in the next generation of security tooling to further enhance our defenses and enhance detection and prevention capabilities.
Ultimately, all these elements coalesce into a unified, multi-layered defense framework that interweaves people, process, and technology together for improved protection. This approach is applied consistently across all hosting paradigms – whether we’re managing infrastructure in our state-of-the-art private data center or in public cloud (Azure, AWS).
With Security by Design in mind, the second key principle that Netgain is adopting is a Zero-Trust Architecture across our entire estate. According to the National Institute of Standards and Technology (NIST):
“Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”
Such an approach minimizes the ability of an attacker to gain traction in the environments Netgain manages as there is no presumed permission level, following the Principle of Least Privilege (PoLP) – they would have to explicitly validate their authorization before getting access into distinct client environments or different areas of Netgain’s managed environment.
The Human Firewall
The third principle involves not technology or infrastructure, but rather our employees. Employees remain a critical component of a multi-layered defense framework in two different ways: 1) as a human firewall and line of defense against sophisticated attacks, and 2) as the key participants in defined processes to mitigate risk and increase security. At Netgain, we have invested heavily in employee awareness and training programs to educate and continually reinforce our security processes.
In addition to ongoing periodic risk assessments and penetration tests, we frequently conduct phishing exercises to help our employees more quickly recognize potential risk and practice good security hygiene. Key ITIL processes such as Incident Management, Problem Management, Change Management, and Disaster Recovery have been reconsidered with security in mind. A practical example of this is that any major infrastructure change across the organization requires a Security Review and signoff as a part of the change approval process.
Where It Comes Together: Multi-Layered Security Framework
The three principles outlined above are manifested most obviously in our multi-layered security framework. Netgain has adopted a layered approach to security that involves multiple barriers of defense. With this approach, we consider each layer separately and in context of the whole, evaluating and identifying the right technologies and controls, ensuring that policies are instituted with security in mind and that our employees are well-trained against potential threats.
On the technology front, we specifically take advantage of next-generation firewall technology from Palo Alto, Advanced Endpoint Protection (AEP), Managed Detection and Response (MDR) services from SentinelOne, Multi-factor Authentication (MFA) from Duo, and networking techniques that completely isolate each client environment.
The Bottom Line
Regardless of whether your infrastructure is hosted in Microsoft Azure or in our brand-new state-of-the-art data center, the controls and technology outlined above remain the same. Netgain is committed to maintaining an industry-best proactive security posture, curating key innovations in security technology into a seamless managed service.
As Netgain’s CISO, I’ll continue to be focused on where we can partner with our clients with a lens to continuously enhance our security posture and stay in-line with industry innovation.