NewPush started using VMware technologies from its inception in 1999. At the time the first dot com boom was just heating up. Many virtualization technologies were emerging for the Intel platform. Over the years we kept focusing on providing enterprise-grade infrastructure. Meanwhile, we have kept increasing the role of VMware as we understood that for Intel-based hardware VMware provided the most reliable enterprise solutions. As a result, we have moved the use of VMware from our development labs to our production systems and data-centers. Since the 2010’s we are formally a VMware partner providing VMware Cloud solutions. Most noteworthy, the last few years have shown a tremendous growth in the capabilities VMware Cloud delivers. Therefore it is our pleasure to announce that once again, CIO Review has recognized NewPush as a top 20 VMware technology provider.
VMware Cloud Solutions
Important milestone for NewPush
This recognition for the second time in a row is a milestone that is important to us. We have worked hard to pioneer and to be successful in deploying state of the art VMware based cloud technologies, and we have worked harder even to maintain a leadership position in this crowded space. Our work continues to focus on NSX, vSAN, and the vRealize suite. As we continue our quest to provide the best cloud services to our customers, we look forward to deploy advanced analytics capabilities centered around Splunk Enterprise security essentials.
Cloud technologies keep changing at an ever-increasing pace. In this year’s edition of CIO Review, we dive deeper in iGRACaaS, identity governance, risk and compliance as a service. Companies who stay ahead are going to continue to have a competitive advantage, by providing a better customer experience. By partnering for technology decisions with NewPush, you can spend more time with your core business, while ensuring that you have a trusted partner with a proven track record to help you keep a competitive edge on the IT front. If you would like the NewPush advantage for your company, please do not hesitate to get in touch today. We are here to help 24 hours a day, seven days a week.
Cybersecurity is complex and affects business. If you are an executive, have you considered whether you are fulfilling your fiduciary duty through cybersecurity strategy? If you are a CISO, have you taken a methodical approach to every increasing cybersecurity topic? If you are a non-IT person, have you wondered whether your enterprise information is secure?
The Ugly Truth
100% security does not exist and cybersecurity is a journey: even if you truly minimize the threats today, these are ever-evolving. Individual hackers get the power they didn’t dream of from IaaS (Infrastructure as a Service). Organized hacking groups – state or private – execute hacking as a well-run software project: they do reconnaissance, design, plan, execute and lessons learned in a well-oiled project loop.
It’s not only commercial proprietary information worth hundreds of millions which can get stolen, but government secrets causing prime ministers to resign. The latest downfall has been Nawaz Sharif, the prime minister of Pakistan, whose downfall was caused by the country’s Supreme Court based on the information from the leaked Panama Papers. While it may be argued that it’s good for some of the confidential information saw the light of the day, let’s also remember the Sony employees whose confidential records – social security numbers, medical records etc. – were published after the Sony hack in December 2014 or the massive WannaCry attack which paralyzed many companies, incl. UK’s National Health Service, putting life of patients at risk. Ransomware has evolved to the point that some ransomware “providers” sell their products and even provide customer service to hackers who prefer to pay for 3rd party software than to write their own.
How should we minimize the likelihood of a successful security breach?
The old rule stating “your system is as secure as its most vulnerable component” still stands. The challenge is that there are many components, and in the software area solutions contain subcomponents which may be difficult to identify. A rule of thumb is to go through different areas of your environment, identify both the threat and its impact and then prioritize what to protect first. “Saving” on security measures is a classic component of being penny-wise and pound-foolish, as recovering from a security attack can be costly in financial terms or in reputation, as seen by some retail vendors.
Get your environment into the ‘basic’ secure state:
Upgrade all of the operating systems, RDBMS and applications to the latest releases, execute regular patching policy and implement regular monitoring
Enforce adequate login policy with frequent mandatory password changes
Educate staff (webcast, testing which each staff member has to pass, simulated phishing attacks etc.)
Establish management dashboards and reporting
Make sure you have an adequate backup policy and your backups can be successfully restored
Consider Disaster Recovery (DR) for vital applications
Simulate incident response and monitor incident response performance
Implement security policy across the enterprise
Create KPIs to monitor the rationalized operations
Create regular “lessons learned” sessions based on real or simulated incidents and make sure your security policies are updated with these findings
Understand compliance obligations: as an example, if you are taking credit card payments you need to be PCI compliant. If you store personally identifiable information, with health care data, you need to be HIPAA compliant. If you store data of EU customers, you need to comply with GDPR. Ignorance of the law will not be an excuse and will not decrease your liability.
If your environment has been compromised, you may need to execute “step 0” – establish a new environment and gradually migrate components from the old environment in a secure manner. Independent tools like Bitsight may help give you a better picture of your security situation.
What components do you need to examine and what are the examples of actions you may need to take?
Network: conduct perimeter analysis – e.g. network sniffing, log analysis, data flow diagram, network diagram.
Create a Bill of Materials (BOM) per application. BOM is defined as a table of a list of components – application name, release version, a list of subcomponents within the application (this can be other commercial or open source components) together with their release number, list of ‘external’ applications components and release numbers (e.g. RDBMS, operating systems). Each component should be identified as “supported” or “not supported” by the supplier. The support expiration date should be listed for the existing version and the latest “production” version of each component stated in another column. Old components or subcomponents are often vulnerable to attacks, as witnessed by the hundreds of thousands of servers successfully compromised by WannaCry virus.
If you find that many of the applications are vulnerable, prioritize them. A good example is 3 categories – vital to a business, important but not critical and the rest. Harden the applications in this priority order.
Create an inventory of compliance for each application.
Segment your network so that applications are isolated, and vital applications are protected. The segmentation will also reduce the compliance burden.
Review incident response process
Implement Identity Management. Leaks of internal data can be more devastating than external attacks due to volume and importance, as seen on many occasions.
A Russian cybersecurity expert once said, “if I stop seeing attacks, it means that the attackers are already in.” Cybersecurity is everyone’s responsibility given the increase in cybersecurity crime. It’s not a question of “if” you will be hacked, but “when.” Being prepared consists of 2 steps: a) minimizing the chance of a successful attack, b) being able to recover quickly if such an attack succeeds. Examples provided in this blog illustrate the complexity of the task, yet being prepared optimizes cybersecurity expense and time, and it is critical to success. NewPush can help on this journey through cloud and cybersecurity offerings.