IT operations teams typically aren't responsible for designing secure software (developers do that) or assessing the overall security posture of their organizations (a task handled by security experts).
But ITOps engineers are often on the front lines of security. It falls to them to deploy applications, monitor them for threats, and respond to security incidents as they arise.
To do that job well, ITOps teams must be aware of common security mistakes that can undercut the effectiveness of security operations. This article details five such risks and explains what IT operations teams can do to avoid them:
- Lack of Across-the-Stack Security Monitoring
- Ignoring Security Risks in SaaS Apps
- Lack of Recovery Planning
- User-Unfriendly Password Requirements
- Overconfidence in MFA
1. Lack of Across-the-Stack Security Monitoring
Most ITOps teams recognize the importance of security monitoring. But a common security mistake is to monitor only certain layers of the stack.
For instance, a team might monitor applications and the network for anomalies that could reveal security risks or attacks. But if they don't also monitor host servers, application orchestrators, API requests, and data storage resources, they lack the holistic visibility required to identify all types of security risks.
The key to avoiding this mistake is to deploy monitoring that covers every layer of the stack, then correlate the data from all of those layers, typically by shared attributes such as user, source address, workload identity and time, so that an event that looks routine on one layer can be read in the context of what the same identity did everywhere else.
2. Ignoring Security Risks in SaaS Apps
SaaS applications are convenient because ITOps teams can use them without having to deploy or manage them.
That doesn't mean, however, that ITOps engineers can ignore SaaS application security risks. Even when an application is fully managed by a third-party vendor, problems like insecure integrations between the SaaS app and internal systems, or the storage of sensitive data inside SaaS apps that weren't designed for that purpose, can place your business at risk.
Vulnerabilities in third-party apps, such as security flaws in SaaS email or calendar software, can also lead to major breaches inside your business if you aren't aware of them and fail to mitigate them before attackers use them against your users.
That's why it's important to ensure that security monitoring and auditing extend to SaaS platforms and other third-party resources, not just the applications and infrastructure that you deploy and manage directly.
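The correlation step from the monitoring section, extended to a SaaS audit source as this section recommends, is easier to see in code. The following Python script is an added example, not code from the original article: it reads constructed JSON-per-line events from six layers (network, host, orchestrator, API gateway, storage and a SaaS file-sharing audit log), groups the anomalies each layer reported on its own, and flags any identity whose anomalies span several layers inside a time window. The field names, layer labels and event names are assumptions for illustration and do not match any real product's log format.

```python
"""Cross-layer correlation of security events by shared principal and time.

Added example with constructed log lines; the JSON field names and the
layer labels (network, host, orchestrator, api, storage, saas) are
assumptions for illustration, not any product's real log format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one JSON record per line from six sources,
# including a SaaS file-sharing audit log.  The "anomaly" flag is what
# each layer's own detector reported in isolation.
SAMPLE_LOGS = """
{"ts": "2024-05-01T10:00:05Z", "layer": "network", "user": "alice", "src_ip": "203.0.113.7", "event": "vpn_login", "anomaly": false}
{"ts": "2024-05-01T10:02:10Z", "layer": "host", "user": "alice", "src_ip": "203.0.113.7", "event": "sudo_to_root", "anomaly": true}
{"ts": "2024-05-01T10:03:40Z", "layer": "orchestrator", "user": "alice", "src_ip": "203.0.113.7", "event": "kubectl_exec", "anomaly": true}
{"ts": "2024-05-01T10:05:00Z", "layer": "api", "user": "alice", "src_ip": "203.0.113.7", "event": "bulk_export", "anomaly": true}
{"ts": "2024-05-01T10:06:30Z", "layer": "storage", "user": "alice", "src_ip": "203.0.113.7", "event": "bucket_list_all", "anomaly": true}
{"ts": "2024-05-01T10:08:00Z", "layer": "saas", "user": "alice", "src_ip": "203.0.113.7", "event": "share_link_created", "anomaly": true}
{"ts": "2024-05-01T11:00:00Z", "layer": "host", "user": "bob", "src_ip": "198.51.100.4", "event": "sudo_to_root", "anomaly": true}
{"ts": "2024-05-01T15:30:00Z", "layer": "api", "user": "bob", "src_ip": "198.51.100.4", "event": "bulk_export", "anomaly": true}
"""


def parse_events(text):
    """Parse JSON-per-line records into dicts with datetime timestamps, oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=30), min_layers=3):
    """Return one finding per user whose anomalies span >= min_layers distinct
    layers inside a sliding time window.  A lone sudo or a lone bulk export is
    routine; the same identity doing both, then enumerating storage and creating
    an external share within minutes, is the context a single-layer monitor
    never sees."""
    by_user = defaultdict(list)
    for e in events:
        if e["anomaly"]:
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            layers = {e["layer"] for e in in_window}
            if len(layers) >= min_layers:
                findings.append({
                    "user": user,
                    "src_ips": sorted({e["src_ip"] for e in in_window}),
                    "layers": sorted(layers),
                    "first_seen": start["ts"].isoformat(),
                    "timeline": [f'{e["ts"]:%H:%M:%S} {e["layer"]}: {e["event"]}'
                                 for e in in_window],
                })
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_LOGS)):
        print(f'{f["user"]} from {f["src_ips"]} touched {f["layers"]} starting {f["first_seen"]}')
        for line in f["timeline"]:
            print("   ", line)
```

Run as-is, the script reports alice (five layers within ten minutes, ending with a share link created in the SaaS app) and stays quiet about bob, whose two anomalies are hours apart and on only two layers. The point is not the thresholds, which are arbitrary here, but that the finding exists only because the SaaS audit log and the storage log were joined with the host and API data by a common identity.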
3. Lack of Recovery Planning
Backing up data is one of the core steps toward protecting against ransomware.
However, data backups are not very useful if you don't have a plan for recovering data quickly following a breach. It's a major cybersecurity mistake to assume that you're safe from attack just because you have backups in place.
Avoid this risk by creating playbooks that define exactly how to recover data following a breach, and rehearse them: a backup that has never been restored is an untested assumption. It also helps to inventory your data, so that you know which data assets you have, which backups are associated with them, and in what order they must come back (an application is no use while the database it depends on is still down). This information can spell the difference between a data recovery process that takes hours and one that requires weeks or months to get production systems fully back online, a delay that would be unacceptable by most business continuity standards.
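A data inventory of the kind described above can be checked mechanically. The script below is an added example, not from the original article or any backup product: it holds a constructed inventory (tier, recovery point objective, dependencies) and a constructed backup catalog, reports every gap that would slow a recovery (no backup, backup older than the RPO, no offline copy, restore never tested), and derives a restore order that respects dependencies before tier. All names, timestamps and thresholds are assumptions for illustration.

```python
"""Check a data inventory against the backup catalog and derive a restore order.

Added example; the inventory, catalog, field names and thresholds are all
constructed for illustration and are not from any real environment."""
from datetime import datetime, timedelta

# Constructed inventory: tier 1 is restored first, rpo_hours is the most data
# loss the business accepts, depends_on lists assets that must be up first.
INVENTORY = {
    "identity-db":  {"tier": 1, "rpo_hours": 1,  "depends_on": []},
    "orders-db":    {"tier": 1, "rpo_hours": 1,  "depends_on": ["identity-db"]},
    "reporting-dw": {"tier": 3, "rpo_hours": 24, "depends_on": ["orders-db"]},
    "wiki-files":   {"tier": 2, "rpo_hours": 24, "depends_on": []},
}

# Constructed backup catalog as a backup tool might export it.  offline_copy
# means a copy that ransomware on the production network cannot reach.
CATALOG = {
    "identity-db":  {"last_backup": "2024-05-01T09:30:00Z", "last_restore_test": "2024-04-20T00:00:00Z", "offline_copy": True},
    "orders-db":    {"last_backup": "2024-04-30T22:00:00Z", "last_restore_test": "2024-04-20T00:00:00Z", "offline_copy": True},
    "reporting-dw": {"last_backup": "2024-05-01T02:00:00Z", "last_restore_test": None, "offline_copy": False},
}

NOW = datetime(2024, 5, 1, 10, 0, 0)  # fixed "current time" so the run is reproducible


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def check_readiness(inventory, catalog, now, restore_test_max_days=90):
    """Return (asset, problem) pairs for every gap that would slow a recovery."""
    issues = []
    for asset, meta in inventory.items():
        entry = catalog.get(asset)
        if entry is None:
            issues.append((asset, "no backup in catalog"))
            continue
        age = now - _ts(entry["last_backup"])
        if age > timedelta(hours=meta["rpo_hours"]):
            issues.append((asset, f"latest backup is {age} old, exceeds RPO of {meta['rpo_hours']}h"))
        if not entry["offline_copy"]:
            issues.append((asset, "no offline copy; ransomware that reaches production can reach the backup"))
        tested = entry["last_restore_test"]
        if tested is None or now - _ts(tested) > timedelta(days=restore_test_max_days):
            issues.append((asset, f"restore not tested in the last {restore_test_max_days} days"))
    return issues


def recovery_order(inventory):
    """Order assets for restoration: dependencies first, then lowest tier."""
    done, order, remaining = set(), [], dict(inventory)
    while remaining:
        ready = [a for a, m in remaining.items() if set(m["depends_on"]) <= done]
        if not ready:
            raise ValueError("dependency cycle in inventory")
        nxt = min(ready, key=lambda a: (remaining[a]["tier"], a))
        order.append(nxt)
        done.add(nxt)
        del remaining[nxt]
    return order


if __name__ == "__main__":
    for asset, problem in check_readiness(INVENTORY, CATALOG, NOW):
        print(f"GAP  {asset}: {problem}")
    print("Restore order:", " -> ".join(recovery_order(INVENTORY)))
```

With the constructed data the check finds four gaps (orders-db is twelve hours behind a one-hour RPO, reporting-dw has neither an offline copy nor a tested restore, and wiki-files has no backup at all) and proposes identity-db, orders-db, wiki-files, reporting-dw as the restore order. A script like this run on a schedule turns "we have backups" into a statement that can actually be verified before an incident rather than discovered during one.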
4. User-Unfriendly Password Requirements
For years, the lesson was drilled into ITOps teams that they should enforce strict password requirements for users. They were instructed to require passwords to be as complex as possible and to force users to update them early and often.
Some traditional guidance still holds: passwords should be unique, never shared, and never reused across systems. But in recent years there has been recognition that overly strict complexity and rotation rules are themselves a security mistake. If you make it unreasonably hard for users to manage passwords, they'll start doing things like writing them on Post-it notes that they paste to their monitors, or bumping the trailing digit at every forced rotation, which is exactly the opposite of what you want them to do.
In fact, NIST's Digital Identity Guidelines (SP 800-63B, published in 2017 and updated in 2020) encourage user-friendly policies: a minimum length rather than composition rules, no periodic expiration unless there is evidence of compromise, and screening of new passwords against lists of breached passwords and context-specific words such as the user's name or the company's. If your ITOps team hasn't re-evaluated its password requirements in years, now's a good time to do so.
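To make the contrast concrete, here is an added Python example (not from the article) that puts the legacy composition-rule check next to a check in the NIST SP 800-63B style: length bounds, a breached-password blocklist queried by hash, context-specific words, and no composition rules or expiry. The blocklist and the sample passwords are constructed for illustration; a real deployment would screen against a large corpus of leaked passwords.

```python
"""Password acceptance checks in the style of NIST SP 800-63B, next to the
legacy composition-rule policy they replace.

Added example; the breached-password list and the sample passwords are
constructed for illustration.  In production the blocklist would be a real
corpus of leaked passwords, typically queried by hash."""
import hashlib
import unicodedata

MIN_LEN, MAX_LEN = 8, 64  # 800-63B: require at least 8 characters, permit at least 64

# Constructed blocklist, stored as SHA-1 hex digests the way offline breach
# corpora usually are, so the plaintext never needs to sit on disk.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2024!")
}


def legacy_check(pw):
    """The old policy: composition rules and nothing else.  Kept here only as
    the 'before' picture; it accepts a breached password and rejects a strong one."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("needs a symbol")
    return problems


def check_password(pw, username="", context_words=()):
    """NIST-style check: length bounds, breached-list screening and blocking of
    context-specific words.  No composition rules, no expiry."""
    pw = unicodedata.normalize("NFKC", pw)  # 800-63B recommends NFKC before comparing
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    lowered = pw.lower()
    for word in (username, *context_words):
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2024!", "correct horse battery staple", "alice-acme-2024"):
        print(f"{pw!r}: legacy={legacy_check(pw)} nist={check_password(pw, 'alice', ('acme',))}")
```

Running it shows the failure mode the section describes: "Summer2024!" sails through the legacy rules and is rejected by the new check because it is on the breach list, while "correct horse battery staple" fails the legacy rules and passes the new ones. Nothing in the new check asks the user to mix character classes or to change the password on a calendar schedule.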
5. Overconfidence in MFA
Placing too much faith in multi-factor authentication (MFA) is another common security mistake that ITOps teams can make.
To be sure, requiring MFA is a best practice that can significantly reduce the risk of attack. The mistake that ITOps engineers may make, however, is assuming that just because systems are protected with MFA, they're virtually immune to attack.
The reality is that attackers routinely circumvent MFA: real-time phishing proxies relay one-time codes as the victim types them, push-notification fatigue wears users down until they approve a prompt they never initiated, SIM swapping defeats SMS codes, and stolen session tokens skip the login flow entirely. Teams should require MFA wherever it makes sense, prefer phishing-resistant factors such as FIDO2 security keys for privileged accounts, and treat MFA as one additional layer of defense, not an iron-clad guarantee against breaches. Log and review MFA events, too: an approval that follows a string of denials is a signal, not a success.
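One of those bypasses, push fatigue, is also one of the easiest to spot in logs once you stop treating "MFA approved" as the end of the story. The script below is an added example, not from the original article or any identity provider: it parses constructed key=value authentication log lines and flags a push approval preceded by several denied or timed-out pushes for the same user within a short window. The log format, user names and thresholds are assumptions for illustration.

```python
"""Detect MFA push-fatigue ("prompt bombing") in authentication logs.

Added example; the log lines and their key=value format are constructed for
illustration and do not match any particular identity provider's export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: a burst of rejected pushes followed by an approval for
# carol (the attacker kept prompting until she tapped Approve), and one
# ordinary timeout-then-retry for dave.
SAMPLE_AUTH_LOG = """
2024-05-02T08:01:00Z user=carol method=push result=denied src_ip=203.0.113.50
2024-05-02T08:01:40Z user=carol method=push result=denied src_ip=203.0.113.50
2024-05-02T08:02:30Z user=carol method=push result=timeout src_ip=203.0.113.50
2024-05-02T08:03:10Z user=carol method=push result=denied src_ip=203.0.113.50
2024-05-02T08:04:00Z user=carol method=push result=approved src_ip=203.0.113.50
2024-05-02T09:00:00Z user=dave method=push result=timeout src_ip=198.51.100.20
2024-05-02T09:15:00Z user=dave method=push result=approved src_ip=198.51.100.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_auth_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        rec = dict(pair.split("=", 1) for pair in m.group("kv").split())
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Flag each push approval preceded by >= min_rejections denied or timed-out
    pushes for the same user inside the window.  The MFA check 'succeeded',
    which is exactly why a monitor that trusts only the final result misses it."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("method") == "push":
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            prior = [p for p in evs[:i]
                     if p["result"] in ("denied", "timeout") and e["ts"] - p["ts"] <= window]
            if len(prior) >= min_rejections:
                findings.append({
                    "user": user,
                    "approved_at": e["ts"].isoformat(),
                    "src_ip": e["src_ip"],
                    "rejections_before_approval": len(prior),
                })
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f'{f["user"]}: {f["rejections_before_approval"]} rejected pushes, then approval '
              f'from {f["src_ip"]} at {f["approved_at"]}')
```

With the constructed log the detector reports carol (four rejected pushes in three minutes, then an approval) and ignores dave's single timeout. The response to such a finding is to treat the approved session as suspect, not to trust it because the second factor technically passed; number matching or a phishing-resistant factor removes this class of attack altogether.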
The Key to Avoiding Security Mistakes: Be Proactive
From overlooking SaaS security risks, to putting too much stock in strict passwords and multi-factor authentication, to ignoring critical security monitoring requirements and beyond, there are a variety of security mistakes that well-meaning IT operations teams can make when managing IT estates. Fortunately, with a proactive security strategy, these risks can be avoided or substantially mitigated.
About the author: Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.