It is and how to support incident management activities for IT and data security in the cloud era. Between risks and opportunities for business continuity, here are the foundations for a successful strategy.
Security systems and IT best practices reduce but do not eliminate the risk of running into IT problems with inevitable business activities.
It is not only cyber threats or various types of fragility that jeopardize operations that can compromise access to applications or data protection, but also poor preparation in incident management (the management of incidents).
In addition to up-to-date action plans and trained teams, you need up-to-date, proven tools in step with the changing IT landscape to effectively deal with incidents.
The context of IT incidents is not limited to the perimeter of the data center; it includes distributed systems and data, services that rely on hybrid environments, cooperating in the network with multi-cloud services. Increasingly complex environments make it necessary to revisit traditional methods.
Incident management at the service of Business continuity
With the incident, management does not identify a specific technology but rather the processes used to manage adverse events effectively: the functional blocks of IT infrastructure and network to data compromise, either accidental or fraudulent and unauthorized access.
The discipline of incident management takes charge of actions to be carried out before, during, and after accidents to minimize the consequences and restore normal operations in the shortest possible time.
For these purposes, monitoring tools (to detect problems), reporting systems (to alert administrators), IT management, and orchestration tools (to manually or automatically carry out countermeasures) are used.
Alongside the actions that mitigate IT and network problems, the incident management process must consider the impacts on people and the legal requirements regarding data protection (therefore, the obligations established by the implementing regulations of the GDPR can involve heavy fines for the company).
On the one hand, the process aims to minimize the effect of accidents on the business; on the other hand, it must give maximum visibility of the problems to the management and those who must take the technical and organizational actions to reduce future accidents.
New risks and opportunities in Hybrid and Multi-cloud Environments
The use of cloud services, now increasingly everyday for corporate core business applications, expands the physical perimeter in which data processing occurs, increasing the attack surfaces for cybersecurity and the complexity of monitoring and fighting against accidents. But there is also a positive side.
The cloud has access to virtually infinite external resources (for storage, virtual machines, networks, and so on) that can be used to quickly replace compromised systems and ensure stable and secure support for incident response processes.
Resources that can only be exploited if the company has solved the problems related to the complexity of managing hybrid and multi-cloud environments, equipping itself with the most effective orchestration and control tools.
The ability to respond quickly to incidents has many points in common with the efficiency of the processes that day by day are used to carry out provisioning operations for new services, load balancing, data backup, and disaster recovery in an emergency.
Log availability from cloud providers and data integration and analysis capabilities provide the capabilities to quickly identify suspicious activity and prevent incidents.
Incident Management: The basis for a successful strategy
The creation of an effective incident management process brings into play technological and organizational resources tailored to the company’s risk management strategy, therefore chosen based on the criticalities of the sector and the functional areas concerned.
The ability to react, known as incident response, relies on tools that help teams make the most appropriate decisions, refine them over time and manage problems resulting from incidents. Speed of detection and response may vary depending on the exposure to attacks, the potential damage, and compliance with the law. The higher rates make it necessary to use automation.
For the incident response to be effective, it is necessary to prepare plans containing the most appropriate sets of procedures, guidelines for communications between the incident response team ( IRT ) and the other internal company teams (legal department, DPO, system administrators) and with external interlocutors (law enforcement, data processors, Guarantor Authority, suppliers and customers).
For incidents involving data privacy violations, the methods and timing of communication set out in Articles 33 and 34 of the GDPR and implementing rules apply.
The tools to support Monitoring and Prevention
To react promptly to incidents, it is necessary to have effective control and management tools. You need the ability to monitor on-premise and cloud systems and processes to detect anomalies and break-in attempts promptly.
Intrusion detection systems ( IDS ) are commonly used to perform these activities with software agents on endpoints capable of detecting unauthorized changes, harmful software, and generating alarms.
An important role is played by Security Information and Event Management ( SIEM ) systems which, together with antivirus and antimalware software, can detect compromises, in addition to the traffic generated by malware.
The use of artificial intelligence ( AI ) in log analysis allows the correlation of information from devices and sensors to identify abnormal patterns in network traffic or applications: situations worthy of notifications to administrators or even of blocks automatic in real-time.
Even the tools for endpoint detection and response ( EDR ) are among the safeguards that can avoid consequential damage from the connection between unauthorized devices and legitimate devices compromised by strangers.
When a device connects to the network, the EDR tools check that it is the intended device. It has the software configuration assigned with the most critical updates, automating corrective actions and reporting to administrators.
Some EDR tasks are carried out by local agents who run on the endpoint device and defend it even in the absence of a network by automatically deleting data from appliances that have been lost or stolen from users.
The importance of communication between people to mitigate the risk
The technical capabilities of the systems to detect anomalies and apply countermeasures are not enough if they are not accompanied by adequate supports for communications between business users, IT teams, and people in charge of security.
Help desk and service desk services are essential to collect and process user reports on service anomalies, credential loss, and related problems to promptly initiate the most appropriate measures.
From the contact with the users emerge the fragility of the services, the organization, the training of people, and the need to review policies, create a safety culture, and acquire defense systems to mitigate new risks or recover faster.
On the application development front, method and communication between teams are the strength of DevOps (union of development and operation) and DevSecOps (which also includes security), which put all the processes from design to action on an assembly line. of the code up to the application delivery.
The integration of the processes and the development and IT teams’ work make the identification of vulnerabilities and their solution faster, to the advantage of more stable and quality software.
