Intro and some history
As recently as 20 to 25 years ago, when IT security emerged as a new specialty, the vast majority of those entering it were already working in IT or network infrastructure, and it was they who made the transition to operational cyber roles.
Once the internet moved beyond its purely academic origins, protection devices such as software or hardware firewalls appeared. They became more common and somewhat democratised, and as the need arose the network team was assigned additional security-related tasks.
Little by little, these tasks became so important and costly that companies created dedicated full-time security positions.
The roles were, of course, poorly defined, with the same individuals playing several in parallel: reviewing application security, sometimes analysing code, writing security policies, performing intrusion detection, monitoring and analysing possible vulnerabilities, and even delivering cyber awareness training to team members.
People who went through these experiences ended up with “all-domain” knowledge of cybersecurity, which their work context demanded. Since then the field and the technology have evolved so much that most of these generalists have either specialised in the technical field that interests them most or, conversely, moved into management positions.
With so many new things to learn and so many developments, a newcomer simply does not have enough time to catch up with the accumulated knowledge of the generalists. Thus, over the last ten years, whoever enters the cyber field has been confronted with the choice of a specialty.
This has become possible because a wide variety of security specialisations have emerged, allowing newcomers to match the profession to their abilities and interests. Each specialisation came with new job positions.
The main functions revolve around three pillars:
- technical defence methods,
- security testing,
- cyber attack response.
Is cyber important?
Unfortunately, it is not uncommon in some organisations to see all these roles assigned, at best, to one and only one person, “the computer engineer”. Too many small businesses end up being hacked. Lack of knowledge, obsolete infrastructure and vulnerabilities have repeatedly done great damage.
Do you remember WannaCry, the famous ransomware attack of 2017?
Beyond losing their own data and being hacked, enterprises must consider all the data they handle whose compromise could harm other enterprises or individuals. Each company must pay particular attention to all sensitive or personal information it collects, uses or discloses, and thereby respect regional or international regulations. Non-compliance may have a huge impact on a company's image or even its existence.
Specific skills or just standard IT knowledge?
From an effectiveness perspective, specific skills have become truly necessary for the people handling a company's cyber protection. The needs are very varied:
- to understand the organisation's infrastructure and the workflows of its actors,
- to know the common cyberattacks,
- to keep abreast of the technology and the threats,
- to know how to carry out a risk analysis, set up controls and manage the risks,
- to have a healthy sceptical attitude and question everything during threat analyses,
- to keep calm under pressure,
- to know and apply regulations, and to adapt to the specific local regulations of different customers,
- to know how to explain and communicate cyber risks to programme teams and business leaders.
The cyber world seemed well established until one thing turned this environment upside down: the Elastic Compute Cloud, a web service intended to provide secure, scalable, hosted computing capacity in the “Cloud”.
Aimed at developers, it was designed to make web-scale cloud computing resources easy to access. Hard to believe, but new services sprang up so quickly that in 2020 Amazon led a cloud market worth 100 billion, holding a third of the market share.
Everything (or almost everything) became a service: hardware, backend, infrastructure, all types of databases, video, security, and even hacking. Everything is an “aaS”.
What are the trends today?
In the coming years, migration to the cloud will inevitably continue.
Compared with traditional infrastructure, the cloud typically allows the IT budget to be optimised and the user experience improved, providing scalability and virtually unlimited, simplified access to data “anywhere, any time, any device”. The choice between public, hybrid or private cloud will depend on the sensitivity of the data and on the need to comply with specific regulations.
In this context, selecting a cloud provider may become more and more complex.
Enterprises and individuals will need to assess their specific cloud security requirements and understand the risks inherent in the cloud. They will need to evaluate and understand cloud security management, and also know the essential clauses of the cloud contract, its legal aspects and regulatory compliance.
By using virtualisation, a growing number of companies are realising substantial savings on hardware costs. However, a virtual environment cannot be secured with solutions designed for traditional physical environments. From standard antivirus and standard firewalls, enterprises will have to migrate to new solutions.
To meet this need, companies and cloud providers implemented new capabilities, including WAN and network security services, next-generation firewalls (NGFW), secure web gateways (SWG), Zero Trust Network Access (ZTNA), cloud access security brokers (CASB) and, more recently, Secure Access Service Edge (SASE), an emerging strategy that combines the previous network and security functions with WAN capabilities.
Even though Must is still a young startup, privacy and security were among the things we took very seriously from the start. Must is constantly improving its cyber posture.
Must has put in place strict policies and contractual clauses for data access. Must employees or partners who may have access to personal or sensitive data, application interfaces, databases, source code, etc. can access them (including data for which Must customers are data controllers) solely within the framework of the intended purpose and strictly for technical needs.
Access rights are reviewed, and revoked as soon as the employee (whether permanent staff or service provider) changes position or leaves.
Compulsory training for employees and service providers, raising awareness of security precautions and of compliance with the regulatory obligations of Regulation 2016/679 (GDPR), was also put in place.
Must is convinced of the power of new technologies. This is why we have chosen to base our implementation on a French cloud provider, allowing us to offer:
- application and data security, respecting their confidentiality, your privacy and compliance with regulations,
- performance and an innovative user experience,
- a scalable infrastructure meeting the needs of virtual exhibitions and of AI algorithms for research by partner companies,
- suitable storage with worldwide access,
- high-quality, efficient protection against denial-of-service attacks (DDoS),
- a monthly availability rate of >99.999% for cloud instances,
- a monthly availability rate of >99.9% for the Object Storage containers (images/videos),
- a monthly data resilience rate of 100%.
Must selected Cognix Systems for information management and database archiving (backup). In partnership with them, we ensure the continuous monitoring of each of the infrastructure’s virtual machines.
A few additional partners were selected to provide our customers with rich content:
- CometChat, in charge of processing and archiving the audio data, video conversations and calls used within the instant messaging feature,
- Eyeson GmbH, for audio/video conferencing services and archiving of conference videos,
- Dacast, LLC, for streaming of meetings and conferences.
To mention just some of the security controls put in place, among many others:
- Must uses a public cloud infrastructure with a private network set up behind load-balancing servers that restrict access to the internal private network. All traffic to and from the platform is permanently controlled so that only legitimate flows are allowed.
- All internal and external communications are encrypted. All data exchanged with our partners is also encrypted using strong encryption mechanisms.
- In addition, all sensitive data is protected at rest.
- Must monitors operating system and SOUP vulnerabilities and, with the support of Cognix Systems and OVH, deploys security patches to the platform and its servers without delay.
More and more will come …
Stay tuned, and welcome to Must virtual events!