How to Handle Security Vulnerabilities like the Heartbleed Bug
Everyone should be concerned about information security. If you're susceptible to security vulnerabilities like the Heartbleed Bug, what should you do?
19 June 2014
Everyone should be concerned about information security. Take a stroll down memory lane back to the discovery of the Heartbleed Bug: just a single line of code put millions of web servers and users' information at risk.
Sadly, risks and vulnerabilities are just a part of the crazed internet-connected world we live in these days. Some organizations are already using a form of cloud such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) to secure their data. There are many reasons why this approach is appealing. Cloud can be flexible, more efficient, offer additional functionality and cost significantly less than other solutions.
The downside is that your IT infrastructure won't be resting soundly in your data center; it will be out there in the online jungle, entirely dependent on the technology and business practices of your service providers. And even if you only have one external provider, that vendor may depend on many others, making your security only as strong as the other companies that support you. So even if you have the best security practices ingrained into your company, tough luck. You could still be vulnerable to the Heartbleed Bug.
Is your security at risk?
So if you're susceptible to security vulnerabilities, what should you do? What will your vendors do?
Threats like the Heartbleed Bug separate those businesses that invest in information security best practices and policies from the rest of the naïve bunch. There are five steps your organization can take right now to reduce future risk:
- Know your IT partners’/vendors’ security policies and operational procedures around handling security issues.
- Make sure that your providers hold a certified Service Organization Control (SOC) 2 report, which describes how service providers should outline and implement a security policy.
- Make sure your providers have a strong, historical track record of providing top-notch security and compliance.
- Schedule a meeting with your IT providers and their security teams to align policies.
- Understand your IT ecosystem inside and out, and ask your partners for help in understanding security policies for any third-party technology or services.
When it comes to handling security vulnerabilities like the Heartbleed Bug, make sure that you have the policies and procedures already in place to be able to quickly respond to issues as they arise. Working with partners that put security and compliance first can help reduce your risk in the future.
John Landy is the chief security officer at Intralinks. Having served as chief technology officer at Intralinks for the past 5 years, he utilizes his technical background to work with clients to understand their security needs in sharing and storing sensitive information. John has been working on internal Intralinks controls for enterprise security and corporate risk and oversees a function comprising Customer Engagement, Security Architecture and a Security Operations Center.