To create a key vault, you must log in to the Azure portal and search for “key vault”. Once done, you will see the above screen. Click “Create Key Vault” to continue.
In the above screen, you are asked to choose a resource group or create one. Again, in this case, I chose to create a new resource group. Then you are asked to create a unique key vault name and choose a region, and pricing tier. I chose the East US region and the standard pricing tier. There is no need to use the premium tier in this case. Once your choices are made, click “Review + Create” to create the key vault.
Step 2: Add Secret to Vault
Once the key vault has been deployed, click “Secrets” from the menu on the left side of the screen.
Now you can add the recovery services vault secret (or any secret for that matter) to the Key Vault. Be sure to label it something that makes sense and click “Create”
Finally, you should be able to see your secret in the recovery services vault.
This is a really simple way to start working with Azure Key Vault. Now you have your secret saved in a location that is not easily compromised or exposed to failure as your home PC.
You walk into the office Monday morning, attempt to login to your desktop, and realize that you can’t login because you’ve been hacked or there is a ransomware note ominously dominating your screen. The first thing you may think of is to look at logs and other use the other tools of the trade to figure out how this happened.
You find out later that this breach was caused by a phishing attack on an unsuspecting employee, this innocuous failure of operational security (OpSec) by one of your employees resulted in tremendous losses in man-hours, money, and reputation.
When we think of cybersecurity, the first thing that usually comes to mind are firewalls, endpoint protection, Security Information, and Event Management (SIEM) solutions, and the like. While these products and solutions are a vital part of cybersecurity, they can only marginally influence human behavior. This is where policies are effective; they can bridge the divide between technology and employee behavior, complementing technology by outlining expectations and defining consequences for noncompliance.
What’s the purpose?
To better understand the role of IT security policies as a part
of a cybersecurity strategy, we need to understand why we have them in the
first place and what we are trying to accomplish. Put simply, we want to keep
our organization’s information safe. We accomplish this by ensuring three
Confidentiality -information must not be made available or disclosed to unauthorized individuals, entities, or processes.
Integrity -data must not be altered or destroyed in an unauthorized manner, and accuracy and consistency must be preserved regardless of changes.
Availability -information must be accessible and usable on demand by authorized entities.
To that end, we often must build a strategy that incorporates technological and policy solutions which balance information security with the needs of the organization.
The Human Side of Tech
Now that we have briefly gone over the purpose of IT security policies, we must look at how they should be implemented. Effective policies are policies that not only protect data and help the organization avoid liability, but also take into consideration the culture of the organization and its employees. For example, an organization with a large remote workforce should have Multi-Factor Authentication (MFA) to login to applications. In contrast, a small organization with all employees working in one office could consider MFA optional.
Additionally, effective policy always reflects the following
Clear – vague policies leave confuse IT
system users and leave room for bad actors to claim a plausible
misunderstanding of the rules.
Consequential – policies without an
enforcement mechanism with clear consequences for violations are not likely to
be followed in large organizations.
Current – policies should be reviewed and
modified periodically to reflect the technology and security posture of the
organization as it is today.
Until killer robots and rouge AI become our overlords, humans will be the center and the weakest link of any cybersecurity strategy. And while the technology used will always be a huge part of cybersecurity, implementing effective IT security policies must not be overlooked.