3 Fundamental Best Practices for Enterprise Security

At the beginning of March this year, hackers attempted to break into the email accounts of World Health Organisation staff members. Around the same time, the Department of Health and Human Services (HHS) faced a security breach.

Lakshmi Devan

Senior Manager Content at Builder.ai
· 6 minute read


It goes without saying that the COVID-19 pandemic has upended every aspect of our daily lives - from work and financial security to mental health and leisure. And, Builders, unfortunately it doesn’t end there. At this time of heightened vulnerability, businesses and institutions across the globe have also been witnessing an alarming rise in cyber-attacks.

At the beginning of March this year, hackers attempted to break into the email accounts of World Health Organisation staff members. Around the same time, the Department of Health and Human Services (HHS) faced a security breach. After picking up on the increase in activity, security employees monitored and fought the breach for several hours.

In case you missed it, recently the National Cyber Security Centre (NCSC) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory against government-backed hackers attacking healthcare and research institutions during COVID-19. “CISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations,” the agencies said in a statement.

But there is plenty of evidence that attackers’ interest goes beyond these institutional giants. If you ask us, every business, irrespective of industry - from finance, law and nonprofits to fashion and education - big or small, is equally at risk.

So, that brings us to the big question:

What can you do as a business owner to protect your data in 2020?

Since cybercriminals continue to get more innovative and find new ways to break in, the ideal practice is to keep your business’s cyber security policies up to the minute. Smart businesses recognise threats and eliminate risks early to keep their data safe and avoid breaches. Don’t worry; we are here to help you get started. Be warned; this may get technical. We hope you have your tech dictionaries open, Builders.

Here are our 3 fundamental best practices for enterprise security in 2020:

1. A risk-based strategic approach to security.

Every industry, and every business within it, comes with its own set of specific hidden risks, so meeting standard regulations isn’t entirely enough. We recommend regular risk assessments in which you identify all valuable assets, evaluate the efficacy of the current cyber security setup, and work out the new strategy required to counter any new threats. This simple practice will help you avoid fines for failing to comply with regulations, remediation costs for potential breaches, and the losses from missing or inefficient processes.

2. Timely data backups

Ever since ransomware entered our lives, keeping a full and current backup of all data has become almost standard practice in information security and deserves a mention here. Just to give you a clearer picture, here are some of our data backup and retention policies at Builder.ai:

· We have enabled EC2 server backup through AWS Lifecycle Manager and set a CloudWatch event for that function, which runs every midnight and backs up the EC2 server by creating an AMI of it.

· The second option is a set of scripts for backing up the EC2 server: we have launched a minimum-configuration server that hosts the script, which runs every midnight and creates an AMI of that particular server.

· We have set the retention period so that an AMI is deleted 7 days after creation, using a Lambda function triggered by a CloudWatch event. The second option is a script that deletes AMIs that are 7 days old. For our RDS DB servers we have enabled automatic backups.
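As an added illustration of the 7-day retention step (this is not Builder.ai’s own Lambda script), here is the pruning logic such a function would run, with a constructed stand-in for the EC2 client so it executes offline. It also deletes the AMI’s backing EBS snapshots, which deregistering an AMI on its own does not reclaim.

```python
from datetime import datetime, timedelta, timezone
RETENTION_DAYS = 7  # the 7-day retention window described above
def parse_creation_date(value):
    # DescribeImages reports CreationDate like "2020-03-01T00:00:00.000Z"
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return dt.replace(tzinfo=timezone.utc)
def select_expired(images, now, retention_days=RETENTION_DAYS):
    # ImageIds of AMIs created more than retention_days before `now`
    cutoff = now - timedelta(days=retention_days)
    return [i["ImageId"] for i in images
            if parse_creation_date(i["CreationDate"]) < cutoff]
def snapshot_ids(image):
    # Deregistering an AMI does not delete its EBS snapshots; collect them too.
    return [m["Ebs"]["SnapshotId"]
            for m in image.get("BlockDeviceMappings", []) if "Ebs" in m]

def prune_amis(ec2, now, retention_days=RETENTION_DAYS):
    # Deregister expired AMIs owned by this account and delete their snapshots.
    # In Lambda: prune_amis(boto3.client("ec2"), datetime.now(timezone.utc))
    images = ec2.describe_images(Owners=["self"])["Images"]
    expired = set(select_expired(images, now, retention_days))
    removed = {}
    for image in images:
        if image["ImageId"] in expired:
            ec2.deregister_image(ImageId=image["ImageId"])
            for snap in snapshot_ids(image):
                ec2.delete_snapshot(SnapshotId=snap)
            removed[image["ImageId"]] = snapshot_ids(image)
    return removed

class FakeEc2:  # constructed stand-in for boto3.client("ec2") so this runs offline
    def __init__(self, images):
        self.images, self.deregistered, self.deleted = images, [], []
    def describe_images(self, Owners):
        return {"Images": self.images}
    def deregister_image(self, ImageId):
        self.deregistered.append(ImageId)
    def delete_snapshot(self, SnapshotId):
        self.deleted.append(SnapshotId)

SAMPLE_IMAGES = [  # constructed: one 10-day-old and one 2-day-old nightly AMI
    {"ImageId": "ami-old", "CreationDate": "2020-03-01T00:00:00.000Z",
     "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-old"}}]},
    {"ImageId": "ami-new", "CreationDate": "2020-03-09T00:00:00.000Z",
     "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-new"}}]},
]
NOW = datetime(2020, 3, 11, tzinfo=timezone.utc)
def demo():
    ec2 = FakeEc2(SAMPLE_IMAGES)
    return prune_amis(ec2, NOW), ec2.deregistered, ec2.deleted
```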

3. The principle of least privilege

Critically evaluate which stakeholders absolutely require privileged access to sensitive data, and restrict access wherever possible. The opposite scenario, where all new employees are granted privileges by default, increases the probability of data compromise: sensitive data is given away as soon as any employee account is hacked. For instance, here are our authority, access and data security policies at Builder.ai:

  • Access to information shall be restricted to authorized users who have a required business need to access the information.
  • Authorization to access the customer accounts must be granted by the designated business owner. An email from a customer and/or designated owner will be considered as approval.
  • We will provide required access on a least privilege basis to all services.

AWS Console and API Access

  • MFA shall be enabled for Root users of Builder.ai and all customer accounts.
  • Root users shall not be used for any operational activity.
  • Builder.ai resources shall use their Builder.ai IAM or SSO user with MFA enabled to access customer resources accounts.
  • Builder.ai Admin shall delegate client access to resources as per requirement.
  • All programmatic access shall be via IAM roles.
  • All users will only have access to the privileges they need and no more.
  • An IAM user shall have either a password or access keys. Passwords shall be used to access the AWS console and keys for programmatic access only. One IAM user shall never be used for both purposes.
  • We check MFA activation every 3 months for all AWS accounts.
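An added example (not Builder.ai’s own tooling) of what the periodic MFA check can look like: it audits an IAM credential report against three of the rules above, using a constructed sample that carries a subset of the real report’s columns. The account ID and user names are made up.

```python
import csv
import io

ROOT = "<root_account>"  # how the IAM credential report names the root user

# Constructed sample using a subset of the credential report's real columns.
# In a real account: iam.generate_credential_report(), then
# iam.get_credential_report()["Content"].decode() yields this CSV.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,true,false
alice,arn:aws:iam::111111111111:user/alice,true,true,false,false
bob,arn:aws:iam::111111111111:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,false,true,false
"""

def audit_credential_report(report_csv):
    """Map each offending principal to the policy rules it breaks."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        has_keys = any(row.get(f"access_key_{n}_active") == "true" for n in (1, 2))
        problems = []
        # Rule: MFA for root and for every user who can sign in to the console.
        if row["mfa_active"] != "true" and (user == ROOT or has_password):
            problems.append("mfa_not_enabled")
        if user == ROOT:
            # Rule: root is never used operationally, so it must hold no access keys.
            if has_keys:
                problems.append("root_has_access_keys")
        elif has_password and has_keys:
            # Rule: one IAM user is for console OR programmatic access, never both.
            problems.append("password_and_keys")
        if problems:
            findings[user] = problems
    return findings
```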

Remote Access to client servers by Builder.ai resources

  • Builder.ai has its own Private Cloud Infrastructure in AWS.
  • All Builder.ai Windows laptop devices shall be secured by Windows Defender Antivirus.

Direct Access

  • Builder.ai resources shall use their Builder.ai user with MFA to access customer resource accounts.
  • Records of all users having access to specific internal and customer information are maintained.

Furthermore, here are some of the top recommendations we share with our customers:

  • Firewall ports such as SSH and DB ports should be restricted from public access: SSH should only be allowed from specific IPs, and DB ports should only be opened to the private IP addresses of the EC2 servers.
  • Use a “Bastion” host and keep your instances private so that there is no way to access those instances directly.
  • Keep them password protected and don't share the password with anyone else.
  • Use NACL rules to restrict traffic into and out of one or more subnets. A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic; by default it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
  • Use a VPC endpoint to transfer data from one AWS resource to another, e.g. from EC2 to S3, so that the data travels over the AWS private network, which makes the data more secure and also increases the transfer speed.
  • Use an IPsec VPN to transfer data from on-premise DCs to AWS so the data is transferred securely.
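To turn the first of those recommendations into something you can check, here is an added example (not Builder.ai’s code) that audits security group rules in the shape returned by EC2’s DescribeSecurityGroups: it flags SSH open to the whole internet and DB ports reachable from anything outside RFC 1918 space. The DB port list and the RFC 1918 reading of “private IP addresses” are assumptions; the group IDs and CIDRs are constructed.

```python
import ipaddress

SSH_PORT = 22
DB_PORTS = (3306, 5432)  # assumed examples of "DB ports": MySQL and PostgreSQL
# "Private IP addresses of the EC2 servers" taken to mean RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule_covers(perm, port):
    """Does this IpPermission entry include `port`?"""
    if perm.get("IpProtocol") == "-1":  # all protocols and all ports
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def sources(perm):
    """Every CIDR source of the rule, IPv4 and IPv6."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def is_private_source(net):
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)

def audit_security_groups(groups):
    """(GroupId, port, cidr, reason) for every rule that breaks the guidance above."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            for cidr in sources(perm):
                net = ipaddress.ip_network(cidr)
                if rule_covers(perm, SSH_PORT) and net.prefixlen == 0:
                    findings.append((sg["GroupId"], SSH_PORT, cidr, "ssh_open_to_world"))
                for port in DB_PORTS:
                    if rule_covers(perm, port) and not is_private_source(net):
                        findings.append((sg["GroupId"], port, cidr, "db_port_from_public_source"))
    return findings

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "203.0.113.5/32"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.7/32"}]}]},
]
```

The bastion group passes because SSH is limited to a single source address, while the web group’s SSH rule and the database group’s public source are reported.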

Data security may be a moving target, but choosing the right partner for your business can get you a lot closer to it. And we pride ourselves in being one of the most secure choices for our clients. So, if you’re looking for a partner in your digital transformation journey, we are here to support you with all your needs including cloud adoption and software after-care. Does that sound good to you? Then click right here and reach out to us for more information.



Lakshmi is a communications professional with over 6 years of experience across industries- from digital media and fashion to health and technology. She specialised in Integrated Marketing and Communications cum laude, and naturally, can work her magic best when handling public relations, marketing and editorial content and communication. Most people find her moderately introverted, conspicuously sassy, significantly energetic, and massively dog-loving.
