Security Brief

Terminology

SOFTWARE

Programs and other operating information used to perform business logic and data manipulation.

IT INFRASTRUCTURE

The composite hardware, software, network resources and services required for the existence, operation and management of an enterprise IT environment.

CLOUD HOSTING

The process of outsourcing an organization’s computing and storage resources to a service provider that offers its infrastructure services in a utility model.

SAAS

Software As A Service is the process of outsourcing an organization’s computing and storage resources to a service provider that offers its infrastructure services in a utility model.

OPERATING SYSTEM

The low-level software that supports a computer’s basic functions, such as scheduling tasks and controlling peripherals.

SECURITY POSTURE

Refers to an organization’s overall cybersecurity strength and how well it can predict, prevent and respond to ever-changing cyber threats.

ON PREMISE (ON-PREM)

An on-premise solution requires server hardware, a server operating system such as Microsoft Small Business Server, and a database, such as Microsoft SQL. Server room and power are some of the associated costs. Likewise, server software updates, server administration and responsibility for backups.

MTBF

(Mean Time Between Failures) is a measure of how reliable a hardware product or component is. For most components, the measure is typically in thousands or even tens of thousands of hours between failures. For example, a hard disk drive may have a mean time between failures of 300,000 hours

ATTACK VECTOR

An attack vector is a method or pathway used by a hacker to access or penetrate the target system.

SMB

Small to Medium Business

ISO 27001

(Formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.

Brief

Iseka Service Pty Ltd is a software company based in Melbourne, Australia.  Iseka Services and LogixOne TM create software systems for business purposes for a range of different customers within different industries.  Other than personal computing devices Iseka Services does NOT provide any of its own IT Infrastructure.

Iseka Services Pty Ltd takes both the data integrity and business continuity of our customers very seriously and only utilise Tier 1 hosting providers.   At a minimum, any data or software that Iseka Services creates is hosted within ISO 27001 compliant infrastructure.

Why do we use the SaaS model? One of the main reasons is that leveraging SaaS services is the best way companies of any size can leverage the latest in not only security technology but security practices and people that are able to actively manage their own environments on an ongoing basis.  For all but the largest organisations being able to match the level of security companies such as Zoho, Google, Alibaba, Microsoft and the like provide would be basically impossible.

It is Iseka Services Pty Ltd view that leveraging the Cloud and SaaS based computing is by far the best way for companies of all sizes, especially smaller companies to secure not only their data but the business continuity processes.

 

Threats – Internal and External

The threat profile for companies that leverage technology to operate their business is ever changing.  Threats can occur from not only from external actors but also internal personnel.

These threats can come from what is known as ‘vectors’, hackers that use a range of different techniques to violate companies IT Infrastructure such as Windows Servers and other personal computing devices such as windows and MAC desktops, Android and IOS smart devices.   Hackers target the computers ‘Operating Systems’ with a range of techniques such as ‘phishing’ or ‘malware’ injection enable hackers to install in many cases undetected  software to either extract data, control or further infect other computers.

The main techniques hackers use to impact small to medium businesses (SMBs) include; Bait and Switch, Cookie Theft, Eaves-dropping, Malware, Denial of Service, key logging and Phishing in an effort to either infect more computers within the organisation, or to use tactics such as “ransom” the company by removing access to company data and systems until such time as a payment is made (commonly known as ransom ware and is currently the predominant way hackers are leveraging their capabilities).

Please see this article:   https://home.kpmg/au/en/home/insights/2020/05/rise-of-ransomware-during-covid-19.html  Source: KPMG 12th of May 2020.

The significance and prevalence of external attacks such as ransomware cannot be understated and companies hosting their own infrastructure need to be constantly working on protecting themselves by investing in expensive security technology and employing security professionals in an effort to combat this.

Another significant vector for subsequent data loss is from either intentional or non-intentional data and system downtime caused by employees.  Disgruntled or malicious employees can steal data or impact systems by gaining access to company systems.  It is also common for employees to lose data or harm IT Infrastructure un-intentionally.  This can be in the form of accidental deletion, power cycling, or even using poor internet browsing practices and through not updating operating systems.

 

SaaS and Cloud Computing – Tier 1 infrastructure for not much $’s

SaaS or Software as a Service is the provisioning of software technology and related support services on a subscription based commercial licensing agreement between the supplier and the customer or user.  Over the past decade SaaS solutions have become attractive to end-users primarily because they offer the ability to access technology that in the past, only the largest companies could afford, given they are based on shared infrastructure cost model.

By leveraging SaaS computing solutions the company or user ‘out-sources’ their security posture to the SaaS provider thereby enabling the leveraging of that providers significantly better security technology and practices.

In addition, SaaS solutions, particularly the ones Iseka Services use means that any workflow software or data is, in most cases, never bought to the desktop or to personal computing devices.  The users, other than IF they export the data, are only viewing the data.

SaaS computing not only provides the very best in security and data protection, it enables the customer, in many cases, to leverage a more cost effective software platform thereby further reducing cost.

Please review the table below for further reference.

Benefits of SaaS

On-Premise IT Infrastructure – An SMB’s Recipe for Disaster

We believe that running the very minimal amount of IT infrastructure on premises is the most appropriate strategy for companies that are considered Small to Medium for the following reasons:

  • Expensive – running on-premise IT infrastructure which has an inherent cost which in many cases cannot be isolated or even calculated in total, requires the following but are not limited to:
    • Hardware – Capital purchase and ongoing support of computers, monitors, networking equipment, backup drives, backup power supplies, etc. All of which have an inherent MTBF.
    • Software licences such as
      • Operating Systems
      • Applications
      • Supporting Apps such as antivirus, anti-malware
      • Management tools
    • Software Updates – any computing device has literally 100’s of different software applications running on it, be they system software, server or end user applications such as Chrome. The following is a snapshot of all the software that can run on ‘on-prem’ IT Infrastructure and all of which represents an ‘Attack Vector’ and as such, is a vulnerability.
      • BIOS
      • Operating System
      • Browsers
      • Browser plugins
      • End user applications
      • Device drivers
      • Antivirus software
      • Networking software
      • Databases
    • Backup – Many companies running on-prem infrastructure think they are doing backups to actually find out they are not. Running daily backups is a complicated process that requires not only more software licences but also adherence to processes which often lapse.  In the event of data loss and the need to recover from backups is very complicated and time consuming that is often not 100% successful and means the ‘system’ or access is down for an extended period of time.
    • Availability – On-prem infrastructure requires power and utilises hardware components that are susceptible to failures. These include components such as Hard-Drives, memory, motherboards, cables etc. which need to operate in unison. A breakdown in one component can bring the entire system down restricting access to employees.
    • Single Access – Running ‘on-prem server-based’ infrastructure typically means that end-users have only one connection point. They need to connect to that server for access and as such need to be either on site or need to connect remotely. Remote ‘Server-based’ connections add another level of complexity and risk to not only the ‘server’, but also to the company network and the personal computer dives connecting to it.

Iseka Services – ISO 27001 Only

Very early on in the inception of Iseka Services, we made a decision that we would only partner with the very best SaaS and Cloud hosting companies.  At a minimum, any data or software hosting provider of must have ISO 27001 certification.

Below are a list of some of our Vendor Partners and their corresponding security policies.

Zoho –                  https://www.zoho.com/security.html

Google –              https://cloud.google.com/security

Alibaba –              https://www.alibabacloud.com/trust-center

Apple –                 https://support.apple.com/en-au/guide/security/welcome/web

Further information on ISO 27001 https://en.wikipedia.org/wiki/ISO/IEC_27001#:~:text=ISO%2FIEC%2027001%20specifies%20a,successful%20completion%20of%20an%20audit.

Conclusion – Think of your needs not that of your hardware supplier

In our experience SMBs mitigate far more risk when leveraging both SaaS and cloud-based hosting services.  Apart from the significant cost reduction it allows SMBs to access both the security technology and the ‘best practices’ that large companies like Zoho and Google are able to provide.  We believe that no SMB could protect themselves to the extent these companies can.

We often hear of criticism from IT vendors regarding the use of cloud in their customer’s environment.  This is inherently motivated by their business needs to sell both hardware and ongoing support services.  Criticism’s often centre on things like:

  • “you hand over your data to someone else”. This is not only not true, it is a false equivalence in that it suggests that your data is safer when stored on “on-prem” infrastructure.   This is simply not the case, again based on the information above.  We suggest that all customers ask their hardware vendors the following question: “Please provide us an intrusion detection test and threat analysis on our IT Infrastructure”.

Small businesses need to be able to grow efficiently so that it can benefit profitably as revenue grows. This means controlling costs whilst leveraging technology, ensuring consideration of their exposure to attack.  Building complex internal data systems is not only complex it is very risky.  Cyber criminals are constantly searching for vulnerable systems and often find the server that is hidden in the cupboard has company data that can be used as a ransom.

In addition, the software technologies provided by SaaS companies run on a shared cost model. The cost to develop, design, host and support is shared by millions of paying users which allows SMBs, with help from people like Iseka Services, to afford the functionality that they could never implement themselves.