Secure Data for Your Remote Product Teams

Work from anywhere comes with its own baggage of data security issues. Read on to see how you can plan your security setup to ensure maximum protection.


Hello Readers! We have been doing a bunch of interviews with company CXOs to unravel experiences to help us thrive in the #thenewnormal.  


Remote working has been around for a while, but the scale at which it is being adopted today is unprecedented. While a lot is being said about reducing the #emotionaldistance, another critical conversation around data security is gaining ground. To gain more insight into the data security aspects, we caught up with Akash Mahajan, Co-Founder of Appsecco, experts in Application Security and Consulting & Training.

Gwilym Lewis & Akash Mahajan - Co-founders Appsecco


Fitbots Team: Tell us a little bit about Appsecco and how you got started?  


Akash:  Appsecco is a specialist cloud and application security company, founded in 2015, with presence in London, Bangalore and Boston. Our clients range from some of the world’s largest financial institutions and professional services firms to leading international retailers and retail brands and from large scale, heavy engineering companies to cutting edge technology companies across the globe.

We focus on testing products and applications (web and mobile) hosted in cloud environments such as AWS, Azure, GCP, Kubernetes. Wherever applications and products can be installed and run, we are able to test them for security issues. 

We work with teams who are using DevOps and help them embed security best practices in their CI/CD pipelines and cover various aspects of strategy and implementation around secrets management, automating compliance activities, vulnerability management and more. 

How we got started is an interesting story. I have known Gwil for over a decade. I was a security consultant at his previous company on client security matters. One of the main challenges he saw as a business owner who was buying security as a product or service was that it was a market which was loaded against buyers. Even after paying for the services, there was no way to understand if the buyer got value and more importantly if the buyer was protected against the specific threats the service was meant to mitigate. 

While working together, we tackled the communication around explaining the benefits of security testing and helping people understand risk in a manner that businesses needed to. We also figured that as the world moved towards primarily using self-service cloud solutions, there were not enough trained people to ensure web applications and mobile applications were configured and coded securely. This is when we figured out a good place for us to start.


Fitbots Team:  When it comes to security, what in your view should Product teams focus on?


Akash: When your product team must build things while being distributed, and if they haven’t been doing this a lot, there are a few security concerns that one should be aware of:

  1. Data Security
  2. Access Control 
  3. Account Takeover
  4. Data Leakage

Data security is of paramount importance. Any team which collaborates to build a product may work on all the blueprints, mind-maps, design documents. Normally these would exist on physical whiteboards inside office premises but now are digital documents. These need to be kept safe from external attackers, insider threat, unintentional publishing while being available for collaboration amongst a variety of employees across roles. 

The moment we start thinking of tiered access, we need security to control such access. For example, a product roadmap may be available for everyone to view, but only editable by the product manager. Some of the collaboration tools may not support granular access and might require everyone to download the digital files on to their laptops. 


Fitbots Team: What are some of the vulnerabilities you find as a Security expert? 

Akash:  Good question.  Once the information (sensitive or otherwise) has reached the laptops of the team members, everything which is used to connect to the Internet is a potential area where they can be attacked. 

Right from the web browser (hopefully patched and not containing any privacy infringing browser extensions) to the wireless ISP broadband router (hopefully not using default username and password). 

Attackers can misuse trust to steal usernames and passwords or, when someone is logged in, their session information to take over accounts. Doing everything over HTTPS (TLS/SSL), ensuring that all software being used is patched, making sure broadband routers have secure passwords, and enabling 2-factor authentication (2FA) are quick tips that would help.


Fitbots Team: We are currently sharing our work-spaces and the blur of family and professional lives are invisible, do you see any issues arising with this?

Akash: A very real problem indeed. While we can worry about sophisticated network hacking attacks, in a lot of cases, family members may just share computers or they may inadvertently be privy to sensitive corporate information. One area that most of us overlook is the prevalence of smart speakers recording everything.

Examples of artefacts that should be treated with care when working from home: 

  • Source Code
  • Design Documents
  • Raw video/audio 
  • Shared accounts
  • Corporate Email
  • Server Credentials and Passwords
  • Product Roadmaps
  • Confidential Discussions
  • Access to AWS/Azure cloud as Admins
  • Customer Lists/CRM Exports
  • Financial reports and access to bank websites


Fitbots Team: OKRs are fast being adopted by Remote Teams to drive outcomes. What would be your OKR picks for product teams?  

Akash: Yes, OKRs are a great way to drive the culture of security. Here are my top picks; for context, I have picked a DevOps team.

Objective: Create an unbreakable software platform for end users to trust

KR 1: Centralized Console with automated threat response for 99.9% of threat vectors

KR 2: Cyber Defence Shield for employees to reduce internal threats from 20% to less than 2%

KR 3: Secure by design with 4 independent  of design reviews

KR 4: 95% automated security scan coverage on code & platform


Fitbots Team: Awesome! Thanks Akash. What would you want to leave teams with? 

Akash: If there is one thing that anyone who cares for security should do, it is to remember the mantra: it is okay to trust as long as you verify.
