SCI For Dummies
14 June 2024
SCI Fridays, not to be confused with TGI Fridays, is a mostly weekly show that NBConsult’s CEO, Nicolas Blank, and CTO, Alistair Pugin, run to discuss all things SCI.
My immediate reaction to hearing this was:
“I wonder what SCI means.”
If you’re in the same boat as me then this guide should hopefully be helpful to you. I’m writing this as a companion piece to SCI Fridays so anyone just discovering the show can read this and understand the basics of what the show is all about as well as some of the jargon used in it.
So welcome to SCI for dummies, by dummies!
What is SCI?
SCI stands for Security, Compliance, and Identity. These three domains are the foundational pillars of safety in IT. All three pillars are equally important and deeply interconnected with each other.
Security
Security in IT describes all the precautions taken to protect your computers, networks, and data from unauthorized access. Security:
- Protects the integrity of the data.
- Maintains the confidentiality of information stored in a network.
- Ensures those who need the data have access to it.
- Authenticates users attempting to access computer networks.
- Allows members to securely send messages through networks.
Different Areas Of Security
Cyber security: Focuses on protecting your data from threats encountered through online engagement. This is just a fancy way to say that cyber security aims to protect you from external threats you might run into while browsing the internet. If your ad blocker prevents a pop-up, or your anti-virus software stops you from getting a virus after you browsed a sketchy site (you know who you are), that is good cyber security at work.
Network security: This is very similar to cyber security but protects an internal network. Network security safeguards data that gets shared within your organisation’s network, and it prevents employees from sharing confidential information where they should not.
Endpoint security: The protection of any device connected to your network.
Cloud security: Refers to the security of cloud-based applications.
Application security: Describes the steps developers take when building an app to keep users safe and minimise vulnerabilities in the app. App security helps prevent a website from being hacked.
Common Security Threats
Phishing occurs when a hacker impersonates someone else to try and trick people into giving them sensitive information. This type of attack is one of the most common, since it is one of the easiest to pull off, with a third of all breaches resulting from phishing.
Remember that prince who wanted to give you diamonds but needs your credit card details? That’s an example of Phishing.
A denial-of-service attack occurs when a network is made inaccessible to users. A bad actor might send the system significant traffic or use other means to try and force it to crash, preventing authorized users from accessing it.
For example, this type of attack might hit the website of a large, multinational organisation. The attack would prevent employees from accessing company information, and is usually carried out to voice displeasure or cause an inconvenience.
Ransomware is malicious software that holds vital information hostage for a ransom. Ransomware locks people or even companies out of their computers or even out of their entire networks. Ransomware is used by hackers to potentially get large sums of money. People often fall victim to this type of attack through phishing emails.
For example, an employee on a company network might open a phishing email that introduces ransomware to the system. The company then gets locked out of their accounts, with all the customer data and credit card information held hostage unless they agree to pay a large amount of money.
Malware is malicious software that harms a service or network and comes in a variety of different types.
A computer virus is a type of malware that changes how a computer or network operates. Like a biological virus, these malicious programs spread from one computer to others. However, computer viruses require a human user to activate them. In other words, someone must open an infected email, click a link, or open a document to release the virus into the system. The virus then makes copies of itself that allow it to spread to other devices.
Compliance
Put simply, compliance is all about adherence to the rules and best practices set out by a regulatory body. Compliance standards are set by a variety of industry-specific governing bodies, and can be government policies, security frameworks, or industry standards. For example, following the speed limit and wearing your seat belt would be compliance with traffic laws.
Compliance is the framework that provides a company the means to prove their legal and/or ethical integrity. Compliance can also represent a company’s internal set of values and rules.
Compliance and security are deeply ingrained with each other. Compliance requires security and security requires compliance. By conforming to compliance standards, you will likely achieve the bare minimum for security standards.
Compliance Bodies In The IT Industry
- GDPR: Protects the security and privacy of data belonging to EU citizens. The GDPR’s regulations apply to anyone who operates with such data so even if your company is not in the EU their standards can still apply to you if you work with EU data.
- NIST: Consulting firms, suppliers, and other businesses working with federal or state agencies need to follow NIST compliance. The governing body covers various aspects of data management, including access control, risk assessment, and system integrity.
- CCPA: The California Consumer Privacy Act protects personal data and other data that can be used to identify a person or household.
- ISO: Focuses on the compliance of information security management systems. ISO’s standards are designed to help you manage the security of financial information, intellectual property, employee details, or other important data.
- SOC 2: SOC 2 is an auditing procedure for software as a service (SaaS) providers and describes the security measures implemented to protect the data of their customers.
Compliance Considerations
While all compliance bodies have unique guidelines and requirements, there are several commonalities you can look at to get a better idea of how to improve your security posture and compliance. Ask yourself the following:
- What are your access and identity control policies?
- What control do you have over data sharing?
- What are your responses to incidents?
- Do you have disaster recovery methods?
- How are you protecting yourself against malware?
- How are you preventing data loss?
- What are your corporate security policies?
- What are your monitoring and reporting methods?
Identity
Identity management is a framework of policies and technologies for ensuring that the right users have the appropriate access to technology resources. Identity management systems fall under the overarching umbrellas of IT security and data management. These systems identify, authenticate and control access for individuals who will be utilising IT resources. They also manage access to the hardware and applications that employees need. Identity and access management solutions have become more prevalent and critical in recent years as regulatory compliance requirements have become increasingly rigorous and complex.
Those are the basics of what identity management is, but it’s easier to understand through the concepts and practices that embody it.
Important Identity Concepts
Authentication is identity confirmation. When you log into something, authentication systems will look at your login attempt and say, “Okay this is indeed who they say they are.”
Authorisation is the confirmation of an identity’s level of access. Once your identity has been successfully confirmed by the authentication systems the authorisation system will say “Okay this person is allowed to access these particular things and nothing else.”
Multi-factor Authentication (MFA) is an identity verification method. As the name implies, MFA requires multiple verification methods before a login succeeds. MFA will typically require a traditional username and password plus something else. This something else can be anything from a fingerprint to a USB security key to a code sent to your phone.
Just Enough Access or Least-privilege Access will only grant a user the bare minimum level of access they need to do their job. This limits the risk of the wrong people accessing sensitive information.
Just In Time Access is like Just Enough Access but is time based. A user will be granted access to applications, systems, or data for a limited, predetermined period of time. This limits the dangers that standing access privileges bring.
Zero Trust is a security framework whose driving philosophy is just that: zero trust. No one inside or outside of the organisation is trusted unless they are explicitly verified, and every login attempt is treated as a possible threat. The Zero Trust framework uses many of the previously mentioned methods to help enforce its philosophy.
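To make the difference between these concepts concrete, here is an added Python example (not code from this article or from NBConsult) that walks one constructed user through authentication with a second factor, a least-privilege standing permission, and a just-in-time grant that expires; the user, password, permission names and fixed clock are all made up for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed data for the example: one user, a salted password hash, a
# standing (least-privilege) permission set and a fixed clock.
_SALT = b"example-salt-not-for-production"
_ITERATIONS = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}
STANDING_PERMISSIONS = {"alice": {"read:invoices"}}   # Just Enough Access
JIT_GRANTS = {}                                       # user -> [(permission, expiry)]
NOW = datetime(2024, 6, 14, 9, 0, tzinfo=timezone.utc)

def later(minutes):
    """Clock helper so the expiry logic can be exercised deterministically."""
    return NOW + timedelta(minutes=minutes)

def authenticate(user, password, otp, expected_otp):
    """Authentication: is this really who they claim to be? Password plus a
    second factor (MFA); constant-time comparisons avoid timing leaks."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    if not hmac.compare_digest(stored, candidate):
        return False
    return otp is not None and hmac.compare_digest(otp, expected_otp)

def grant_just_in_time(user, permission, minutes, now=NOW):
    """Just In Time Access: a permission that exists only for a fixed window."""
    JIT_GRANTS.setdefault(user, []).append((permission, now + timedelta(minutes=minutes)))

def is_authorised(user, permission, now=NOW):
    """Authorisation: an authenticated identity still only gets what it was
    explicitly granted (standing least-privilege set or an unexpired JIT grant)."""
    if permission in STANDING_PERMISSIONS.get(user, set()):
        return True
    return any(p == permission and now < expiry
               for p, expiry in JIT_GRANTS.get(user, []))

def check_access(user, password, otp, expected_otp, permission, now=NOW):
    """Zero Trust ordering: verify the identity first, then verify the access."""
    if not authenticate(user, password, otp, expected_otp):
        return "denied: authentication failed"
    if not is_authorised(user, permission, now):
        return "denied: not authorised for " + permission
    return "allowed: " + permission
```

Note that a correct password on its own is not enough to pass authentication, and a fully authenticated user is still refused anything outside their standing set until a time-bound grant is made.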
Why SCI?
This is a difficult question to answer with any nuance beyond saying it’s essential to function effectively. Security, Compliance, and Identity are all deeply ingrained with one another; if they were represented by a Venn diagram there would be a lot of overlap. Improving your security posture will naturally include identity and compliance features. SCI can be seen as the blueprints, foundation, and skeleton of a good house. Before you can build that awesome double-storey house you need to make sure it won’t fall on your head, the plans are legal, and the eventual house is safe from intruders. That’s ultimately the value of SCI: it allows you or your business to do what you want without stress. If you have strong security, your network can operate without fear of breach. If you are compliant, you don’t have to worry about fines and legal repercussions. If you have strong identity management, you don’t have to worry about sensitive information getting leaked.
Maybe you aren’t in the market for SCI implementation and don’t need it sold to you. If the topic of SCI interests you but you want to learn more, then hopefully this article has provided you with a good baseline understanding of what SCI really is. Now that you have familiarity with some of the basic concepts and jargon of SCI you should have a good starting point to dive into the SCI Friday show.
Why SCI Fridays?
If you’re interested in learning more about SCI, then SCI Fridays are a great next step since they are in-depth enough to broaden your knowledge but short enough that they don’t get boring. A light tone and plenty of guests keep it interesting.
Jump in with the SCI Fridays backlog here: Regarding Azure – YouTube
Follow Nicolas Blank here: Nicolas Blank | LinkedIn
Follow Alistair Pugin here: Alistair Pugin | LinkedIn
If implementing or improving any of these concepts appeals to you or your business contact NBConsult here: Contact Us | NBConsult