- Place your systems behind those who have the ability to protect them. Regardless of cloud or on-premise, there are some great MSSPs out there that can protect your data at the baseline level. If you need more specialization, look for more specialized providers. MSSPs are a great way to get good protection at a reasonable price; it's far less than building it yourself.
- Our data is segmented into multiple levels of sensitivity and we protect them each differently. What could you afford to lose? What must you never lose? When you get that CUI list, what level of protection and monitoring will that require? As an example, we use cloud services for some of our data for our lowest levels of sensitivity (public-facing stuff), but we put moats around private data in diverse locations for more sensitive data.
- We use encryption often and we never trust SSL.
- Use VPNs to create moats around highly sensitive data.
- We model to ISO 27001.