As Netgain’s Chief Information Security Officer (CISO), I field ongoing questions regarding our security posture – not surprising given the growing intensity and frequency of cyberattacks.
Because we are a security-conscious organization, most of these questions concern the exact tools and technology we use or the specifics behind our policies – both of which are important elements. Interestingly, the question I am asked least often is the one I think is most important: what are the underlying guiding principles that define our approach to security?
When considering information security, there is often an outsized emphasis on the individual security products and tools used to maintain a secure environment. Yet philosophical and design changes that shape architecture and configuration, coupled with a security-first mindset, do far more to increase an organization’s security posture than any specific product.
The guiding principles we follow at Netgain are imperative to achieving a defense-in-depth model that is comprehensive, reliable, and of course secure in every aspect. With Netgain being a managed service provider (MSP) that elevates our clients to drive efficiencies, maximize productivity, and accelerate growth, ensuring our security standards lead the industry is key. I will outline our core security principles at Netgain and then elaborate on the steps we’re taking to embody those principles.
At a high level, Netgain has instituted a defense-in-depth approach to security that involves multiple layers of protection, combining technologies, controls, policies, and human expertise across many vectors. In doing this, we can better prevent attacks, compress detection time, minimize the attack surface, and increase resiliency and data protection. Here are some of the core philosophies that drive those protection layers.
Security by Design
As your technology partner, we know we play a critical role in defining and maintaining the security posture for our clients. That’s why we’ve adopted a Security by Design approach that combines people, process, and technology strategies into a cohesive, layered defense structure.
At its core, Security by Design means that security considerations are addressed at all stages of architecture and operations – from planning and design through to execution and remediation. This approach is a significant departure from industry norms that often attempt to retrofit security around pre-designed architecture and processes.
Across all our cloud offerings, Netgain follows this Security by Design model to ensure that information security considerations are part of every aspect of the organization, for example:
- Architecting our network with security as the foremost priority.
- Continuously training and educating our employees as part of reinforcing the human firewall.
- Calibrating key operational processes such as change management, problem resolution, incident management, etc., from a security lens.
- Investing in the next generation of security tooling to strengthen our defenses and enhance detection and prevention capabilities.
Ultimately, all these elements coalesce into a unified, multi-layered defense framework that interweaves people, process, and technology together for improved protection. This approach is applied consistently across all hosting paradigms – whether we’re managing infrastructure in our state-of-the-art private data center or in the public cloud (Azure and AWS).
Zero-Trust Architecture
With Security by Design in mind, the second key principle that Netgain is adopting is a Zero-trust architecture across our entire estate. According to the National Institute of Standards and Technology (NIST):
“Zero-trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”
This approach minimizes an attacker’s ability to gain traction in the environments Netgain manages: there is no presumed permission level, in keeping with the principle of least privilege (POLP), so anyone requesting access must be explicitly authenticated and authorized before entering a distinct client environment or a different area of Netgain’s managed environment.
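To make the NIST definition concrete, here is an added illustration (not Netgain’s code or configuration) contrasting a location-based trust decision with a zero-trust decision in which subject authentication, device verification, and per-environment authorization are discrete gates. All names, address ranges and grants are constructed for the example.

```python
"""Toy access-decision model: implicit (network-location) trust vs. zero trust.
Constructed illustration only; nothing here reflects Netgain's actual systems."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORPORATE_LAN = ip_network("10.0.0.0/8")  # constructed "trusted" range for the legacy model


@dataclass(frozen=True)
class Request:
    user: str
    user_authenticated: bool   # outcome of MFA-backed user authentication
    device_id: str
    device_verified: bool      # outcome of device identity / health verification
    source_ip: str
    resource: str              # isolated client environment, e.g. "client-a/vm-admin"


# Explicit per-environment grants: which (user, device) pairs may open a session
# to each isolated client environment. Constructed sample data.
GRANTS = {
    "client-a/vm-admin": {("alice", "laptop-01")},
    "client-b/vm-admin": {("bob", "laptop-02")},
}


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything already on the corporate LAN is implicitly trusted."""
    return ip_address(req.source_ip) in CORPORATE_LAN


def zero_trust_decision(req: Request) -> bool:
    """Zero-trust model: location is ignored; the subject and the device must each
    be authenticated, then authorization for the specific environment is checked
    explicitly before any session is established (least privilege by default)."""
    if not req.user_authenticated:
        return False
    if not req.device_verified:
        return False
    return (req.user, req.device_id) in GRANTS.get(req.resource, set())
```

The contrast the page draws is visible in the two functions: an unauthenticated request from inside the LAN passes the perimeter model but fails the zero-trust model, while an authenticated, verified user is admitted only to the environment they were explicitly granted.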
The Human Firewall
The third principle involves not technology or infrastructure, but rather our employees. Employees remain a critical component of a multi-layered defense framework in two different ways:
- As a human firewall and line of defense against sophisticated attacks.
- As the key participants in defined processes to mitigate risk and increase security.
At Netgain, we have invested heavily in employee awareness and training programs to educate and continually reinforce our security processes. For example, all our employees use Duo multi-factor authentication (MFA) and go through KnowBe4’s rigorous security awareness training year-round. In addition to ongoing periodic risk assessments and penetration tests, we frequently conduct simulated phishing exercises to help our employees recognize potential risk and practice good security hygiene.
Key ITIL processes such as incident management, problem management, change management, and disaster recovery have been reconsidered with security in mind. A practical example: any major infrastructure change across the organization requires a security review and sign-off as part of the change approval process.
Combining for a Multi-Layered Security Framework
The three principles outlined above are manifested most obviously in our multi-layered security framework. Netgain has adopted a layered approach to security that involves multiple barriers of defense. With this approach, we consider each layer separately and in the context of the whole, evaluating and identifying the right technologies and controls, ensuring that policies are instituted with security in mind, and ensuring that our employees and clients are well-trained against potential threats.
To summarize the technologies we partner with to embody these principles, we specifically take advantage of:
- Next-generation firewall technology from Palo Alto
- Advanced endpoint protection (AEP)
- Managed detection and response (MDR) services from SentinelOne
- Multi-factor authentication (MFA) from Duo
- Security awareness training from KnowBe4
- Networking techniques that completely isolate each client environment
The Bottom Line
Regardless of whether your infrastructure is hosted in Microsoft Azure, AWS, or in our state-of-the-art data center, the controls and technology outlined above remain the same. Netgain is committed to maintaining an industry-best proactive security posture, curating key innovations in security technology into a seamless managed service. Other MSPs who are not following the above principles are taking a risk with your personal data.
As Netgain’s CISO, I’ll continue to focus on where we can partner with our clients to continuously enhance our security posture and stay in line with industry innovation.