editor’s question

Justin Fox, Director of DevOps Engineering at NuData Security, a Mastercard company

Many enterprises comply with rigorous standards and regulations that are focused on safeguarding employee and customer data. The challenge is the technical implementation within each organisation. Flexibility means that an organisation can meet the requirement specified in a control while leaving a backdoor or emergency access mechanism in place that enables the technical implementation to be circumvented if the need arises.
Cryptography and access control lists are technical mechanisms for enterprises to secure and manage access to stored data. Let’s use a modern web application running on the AWS Cloud as an example of how these controls can be used to successfully secure a customer’s profile data. A common pattern is to use AWS Amplify with a web framework like Vue to create a web application that incorporates Amazon Cognito for user authentication and AWS IAM for authorisation policies to access data stored on Amazon S3. Your static web assets would live on Amazon S3 and would be served using Amazon CloudFront. Depending on your requirements, you might use other services like Amazon API Gateway, Amazon DynamoDB, and AWS Lambda.

This was a fairly simple example, but this web app ended up needing to use a number of different services from the AWS Cloud in order to provide baseline security while still providing a mechanism for a customer to create and manage a profile within the web application. If you get the encryption wrong, then employees can read customer data even if there is no need for it. If you get the authorisation wrong, then customers can read each other’s data.
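As an added illustration (not code from the article or from NuData), the following IAM policy for the Cognito identity pool’s authenticated role shows how the two failure modes above are closed in the Amplify/Cognito/S3 pattern: each signed-in identity can list, read and write only objects under its own prefix, and any upload that does not request SSE-KMS is denied. The bucket name EXAMPLE-PROFILE-BUCKET and the `private/<identity id>/` prefix layout are assumptions for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-PROFILE-BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "private/${cognito-identity.amazonaws.com:sub}/",
            "private/${cognito-identity.amazonaws.com:sub}/*"
          ]
        }
      }
    },
    {
      "Sid": "ReadWriteOnlyOwnObjects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-PROFILE-BUCKET/private/${cognito-identity.amazonaws.com:sub}/*"
    },
    {
      "Sid": "DenyUploadsWithoutKmsEncryption",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-PROFILE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

The policy is attached once and is identical for every customer: IAM substitutes `${cognito-identity.amazonaws.com:sub}` with the calling user’s identity ID at evaluation time, so a request for another customer’s prefix simply matches no Allow statement. The explicit Deny also fires when the `x-amz-server-side-encryption` header is absent, because `StringNotEquals` evaluates to true for a missing key, which is what stops an unencrypted profile upload from landing in the bucket. A practical check is to run the IAM policy simulator (or a test user) against a second identity’s prefix and against a PutObject without the encryption header, and confirm both are denied before the bucket holds real data.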
Any exposure of customer data is bad and has to be immediately remediated. In addition to data access controls for protection of a customer’s data against internal threat vectors, there are also several controls that need to be layered to provide protection against external attacks. A great starting point is to implement the top 10 web application firewall controls recommended by the Open Web Application Security Project (OWASP) Foundation. You can use the OWASP Zed Attack Proxy (ZAP) to test for vulnerabilities like Structured Query Language (SQL) injection, man-in-the-middle proxies, insecure deserialisation, broken authentication and other security misconfigurations.
For an enterprise to identify and defend against fraudsters who have already stolen data, they need to take a layered approach to user authentication using advanced technologies. It is crucial to use multiple authentication factors during the user verification process and protect data in accordance with the belief that all data is valuable to cybercriminals. The strength of a particular authentication factor is an important consideration. Static authentication like username and password is inherently broken. Dynamic authentication like short message service (SMS) code delivery is vulnerable to interception.
30 Issue 24 | www.intelligentciso.com