The debate about employees working remotely has ended for the time being. Driven by the response to the COVID-19 pandemic that is threatening life and livelihood, working-from-home is the new normal. All you have to do is look at the sharp increase in the use of remote conferencing software and accompanying skyrocketing stock prices of companies such as Zoom. As society hunkers down to ride out this pandemic, companies are rushing to enable their employees to work from home, frequently leaving the security systems that kept them safe in the office behind.
The pandemic is causing tremendous emotional turmoil, and cyber criminals are having a field day. As people thirst for information and answers, crooks are exploiting and defrauding them – primarily using sophisticated email phishing campaigns, but also more advanced approaches such as weaponized Coronavirus-themed mobile apps that steal user information as they delivery pandemic updates.
How can companies avoid serving up their users to cyber crooks? Best practices include issuing company-owned and hardened devices, enforcing the use of strong passwords and multi-factor authentication (MFA), and having employees use a virtual private network (VPN) to connect to the company firewall. However, the reality for many companies is that these measures are difficult or impossible to effectively put in play:
- Companies may not have laptops, much less hardened ones, to issue to all employees. Additional devices, especially mobile ones, are expensive to buy and difficult to service and manage.
- Installing, configuring and training users on MFA can be challenging, and MFA may not be supported by the systems users are accessing. Some VPN solutions provide MFA, but only for access to internal network apps. Cloud-based apps have their own MFA controls that companies don’t control.
- What happens when users go home, connect to the VPN and access apps in the cloud? Companies are now backhauling all of that traffic to their corporate firewall for inspection, only to send it back out over the same network connection to the internet. Firewall, VPN and internet service that is sized for employees working in an office often won’t scale for a remote workforce.
As a result, many companies are faced with the unpleasant decision to either issue all employees hardened laptops and upgrade their existing firewall, VPN and internet service, or allow employees to use their personal computers (BYOD) to access internal company resources while bypassing security controls altogether for company resources in the cloud. It is easy to see how this plays right into the hands of cyber criminals who are keen to profit from this mad rush to remote work.
Fortunately, there is another option…
SASE for Secure Remote Access
The new normal, where workers are remote and apps are in the cloud, has fundamentally changed network traffic patterns, rendering existing network and security models obsolete. Traffic patterns are now inverted, forcing a change from data-center/corporate-office centric architectures to a model that pushes the security inspection and access control to the edge, where the endpoint and user are – an architecture called secure access service edge (SASE, pronounced “sassy”).
With SASE, it doesn’t matter where employees are working from (home or office), or what apps they are using (on premise or in the cloud). Why? Because users and all of their devices securely connect to a high-performance, auto-scaling security fabric in the cloud.
How can IT management pivot quickly to keep the organization running and your employees healthy and safe?
Discover why a secure access service edge (SASE) architecture is timely for shifting remote-access and remote-work requirements.
Listen to the Webcast, “Scalable Secure Remote Access for Mobile Users.”
Read the white paper, “How SASE Architecture Enables Flexible, Scalable, and Performance Remote Access for Workforces.”
A rapid cultural reversal on remote work has accelerated the need for a secure network edge.
Not too long ago workplace bosses and company policy enforcers (HR and recruiting) reminded us time and time again that the luxury of working remotely, aka telecommuting, or from home, should be viewed as a privilege, not a right.
Think back to the 1990s, if you’re old enough, and that occasional blizzard or day you had to stay home for family or personal reasons. We all had loved ones. Yet still it was difficult to ask your boss for permission to work from home for dread of that snotty answer, reflecting then-fair company policy: “We need all employees in the office unless it’s an emergency. No exceptions.”
But the shift to remote work has gained “gradual” momentum over the years… From the network guys and gals, “Okay, two days a week, you’re worth it. We’ll extend our VPN and endpoint coverage out to where you require access.”
By 2019, the reins on telecommuting had greatly loosened, and surveys indicated 63% of U.S. companies have remote workers, according to a 2018 Upwork survey.
Enter potential disaster COVID-19, and now abruptly, the ability to work remotely is vital, a key to business continuity and survival. As remote and mobile professionals, we’ve come a long way.
In a flash, our world has changed due to the COVID-19 pandemic, and remote work / working from home is an emergency requirement for business and human health. Now, remote work adoption is probably somewhere in the 90s percent range across most enterprise and individual categories, and we shall never forget to honor those still out there by societal need providing medical and public services in communal exchanges.
Exactly what did enterprises have to lose in the past by enabling network and data access to remote employees, and what does it still risk losing now?
The Remote Work Stigma
Well first let’s get supervision of these employees… babysitting, if you prefer… out of the way. We’re no longer in sight, and supervisory suspicion builds, maybe it should given today’s cybercrime schemas and scams, and human tendency to rest…. We’ve all had that manager who wanted us to respond while working remotely within 10 minutes of a request. Sheesh, I take bathroom breaks longer than that. We’ve all had that skeptical supervisor who didn’t think we’d be conscientious toward the job; presumed us loafers who didn’t care.
Less personally maybe there is security and performance monitoring of these distributed assets. Is the employee using company equipment or his or her own personal device? As a network administrator, CISO, or IT manager do you trust the device or virtual connections into your private data or cloud apps?
It’s been a network access avalanche, a sudden, enormous shift in networking resources… There’s a disastrous threat to business, both physical-world and ecommerce continuity; a virus that’s slowing down the human supply chain and people are dying and we can’t even get toilet paper online or during a scarf-filtered trip to the grocery store.
From a less physically granular perspective, from the virtual network management perspective, the sudden remote access demand is growing to a network tipping point. Do you have disaster recovery mechanisms in place that protect more than your initial digital attack surface through basic antivirus updates? Using converging network and security edge service provisioning (aka SASE), can your preparedness strategy empower employees to immediately work from home and safely use resources on premise or in the cloud, while empowering IT managers to sector off core enterprise data and backup?
We’re talking about preparedness, and this brings to memory a prophetically timely 2001 presentation in pre-911 America by Gartner infrastructure and security analyst William Malik on the topic of disaster recovery and how IT managers and employees could prepare for sudden blows to the business or wider market-striking agents that affect customers, supply chain members and people’s lives. It was a lesson in outward, disaster-scenario thinking, every detail being planned out with anecdotes about where your data might be co-located and how you might feed and support your physical front lines. Decades later, these are the types of details IT management teams are scrambling for now during COVID-19 and the demand for secure remote access.
Read the secure remote access white paper.
– Explores the changing considerations toward remote work, now essential for business continuity, as well as the need to shift network traffic and distributed data access patterns to address performance, security, and customer needs. Discover why a secure access service edge (SASE) architecture is timely for these shifting remote access requirements.
Mobile and small office/home office (SOHO) workers require connectivity to the same resources your campus-based, firewall-protected employees regularly access from the data center, private network, and now increasingly from the cloud. This poses problem and risk: Network IT departments have low visibility into the configurations, security defenses, and points of access for these employees and devices accessing data remotely.
SOHOs and mobile employee workstations consist of affordable, consumer-oriented network equipment (often BYOD) and security software, all of which is not as sophisticated, protectable and secure as the computing tools in corporate offices. Many IT departments, smaller offices, and remote workers are dependent on public Wi-Fi, inexpensive home-based routers, iffy VPN use, and basic-AV-protected computers to protect their confidential internal and customer data at the edge.
The equipment used in the outlying areas of your network represent the weak link for hackers, the low-hanging fruit, increasing the overall security risk for the organization and its B2B/B2C partners. Common risks include spying, infection of connected devices, and the ransoming of the wider network ecosystem. Compromised endpoint network equipment such as computers and routers can set the stage for sophisticated botnet attacks and the spread to other systems, networks and servers, including those of partners.
Are you going to regularly mobilize truckloads out to every possible remote router site to try to secure these new connections? More sophisticated security equipment requires technical expertise, something most home office workers and many branch offices lack. Constant truck-hauls to every distributed site add up from an overall cost standpoint. Bolting on security through software patches can be a struggle, especially when managing updates and renewals across several security vendors and your busy workforce.
In response to these security and cost challenges, best practices for protecting remote equipment endpoints include:
- Frequent, automatic software updates that don’t harass business-focused, non-technical home officer workers. Leverage security-as-a-service (SECaaS) to rapidly orchestrate and automate advanced security and smart cyber risk management.
- Virtual firewall as a service (FWaaS) that blocks unwanted traffic from your defined and controllable network endpoints, including wandering user devices.
- A VPN, or similar secure tunnel, that segments ISP traffic from private network traffic. This VPN capability should be “always on,” noninvasively coating the attack surface and protecting company used-devices from breach and deeper infection.
- Multifactor authentication (MFA), which helps to ensure the person or system trying to access a device, network or system is the same person or device authorized for access. MFA includes passwords, security tokens, and, in some cases, biometric identification.
- Cloaking of a device’s and network’s unique identifiers or presence, making it difficult for other people and devices in range to detect.
- Encryption and private circuit use to mitigate outsiders from viewing, stealing or ransoming sensitive data.
- Device hardening, so the endpoint can block legacy or unnecessary ports and services that act as doors for easy infiltration.
- DNS filtering. These are the oft-color-coded listings and commands, which involve preconfiguring devices with software agents to prevent infection from dangerous sites and other network entities.
- Avoidance of direct peer-to-peer computing or peer-to-private-server communication approaches. Remote Desktop Protocol and similar P2P network services are an easy gameboard for hackers. RDP sessions store credentials which can be stolen and wielded in “pass the hash” attacks. If you use P2P apps, it’s critical to orchestrate advanced, layered security mechanisms, including identity access control, encryption, and zero trust architecture.
- Seamless support of the latest Wi-Fi authentication and encryption standards, which can help to protect on-device data and access points.
Securing Your Mobile, Remote Workforce
Every digitally transforming organization has its traveling users, the consummate contributors; the mobile warriors. They are a worrisome potential target for close-encounter cyber-takeovers.
Wandering human endpoints access different networks. They use whatever means available to keep their device batteries charged and to stay connected. Sometimes these individuals work in crowded, cramped seating areas where strangers are in physical proximity or router range.
Common behaviors that put remote worker security at risk include:
- Connecting via unsecure, unencrypted Wi-Fi, or failing to authenticate through the corporate VPN while working from home, in a hotel, or coffee shop. Without the filtering and blocking of a leading firewall or VPN service, the employee can mistakenly land on a phony site or host (e.g., a man-in-the-middle attack), or click on a link from which malware can be delivered, infecting the device and from there seeking to spread.
- Directly accessing SaaS applications in the cloud beyond the visibility and control of corporate IT security. Employees are at risk of man-in-the-middle attacks in this scenario, and hackers can steal credentials from the endpoint device and use that private data to gain unauthorized entry to cloud servers or back into the enterprise network.
- Physically plugging into public charging stations, or attaching untrusted devices including other computers, flash drives and USB ports. Conversely, someone else might gain physical access to the network endpoint device and plug in a flash drive or perform some other type of direct tampering.
- Falling for phishing attacks. Social engineering schemes are getting more effective at fooling curious, emotional human beings into clicking on links that appear to be legitimate but aren’t. These IP spoofing, phishing, and websites appear authentic but have surreptitiously rerouted the user to an ersatz click-on/sign-in with credentials page…
Your mobile warriors need help identifying and avoiding these deceptive man-and woman-in-the-middle attacks.
OPAQ Provides a Secure Access Service Edge Through Security-as-a-Service
Your network’s edge needs easier IT security reinforcement; a cost-effective, circulating burst of easily distributed security-as-a-service software from the cloud.
OPAQ provides strong endpoint protection as a service to ensure secure access at the network edge, empowering what Gartner calls the secure access service edge (SASE). Harness your expanding workforce. To support your remote employees and protect your network and business ecosystem, reinforce protection at the network endpoint and workstation level with help from the cloud.
Visit our secure access service edge (SASE) page.
In the Past. B.C., Before the Cloud…
“All right, employees. Hunker down in this luxurious, windowless cube area where we’ve provided all the computing hardware, software and information you need to do your job. Nothing beats good ol’ on-the-premises client/server… Oh, did we tell you we’re expanding? We’re opening a new sales office in New Jersey? Attention IT department, give the New Jersey office access to our data center and connectivity with our staff here at HQ.”
*In Charlie Brown / Peanuts-like phone garble: “WHUH-WANT-WHUH-WANT-WANT…”
“What? Okay, yeah, set up the new branch firewall and enforce a strict VPN policy on private data access… Err, what’s that gonna run us?”
“That much? Really?… What? The Colorado office wants a sensible work-at-home policy? You gotta be kittin’ me. Ohhh, all right. Make sure they use the VPN.”
“So if I understand you correctly, employees are accessing unsanctioned applications and uploading and downloading stuff on the Web? They’re doing it remotely, too, without using the VPN? Shut’em down!”
“What? Digital transfor-what? They actually need this cloud and Web stuff to do their jobs? Our customers and partners need access to these apps, too? Oh, brother… Can’t we just put a firewall everywhere?”
Liberated! A.D. Away from the Data Center
Before the cloud, the enterprise data center was the true center of the digital business universe. It’s where key business data resided, the place where traffic and payload mostly got sent and scrubbed in hub-and-spoke pattern from a networking and security perspective. However, with user demands from mobile and edge computing increasing and the attack surface widening, the data center can’t be the center anymore because it carries heavy bandwidth and operations costs, and long-distance traffic hauls can negatively impact performance and quality of experience. Think of all the times, you personally logged off an app when it didn’t deliver service right away.
With edge computing, business is happening in real-time, outside the enterprise firewall, out on far-off frontiers. It’s occurring at public Internet access points, over Wi-Fi, on portals, and upon employee bring-your-own devices that might require internal data access as well.
The good news, and what digital transformation brings, is that your people are mobilizing, reaching out, connecting to engage. We’re not taking about people ‘galavanting’ all day long, or posting cat photos on Facebook. We’re talking about engaged employees and people in the business ecosystem connecting outside the network, outside the data center, and even outside IT visibility, for work and to do business. Enabled near-real-time connectivity empowers people to share information and value with each other digitally, when meeting in-person isn’t doable. Point is, business is getting done, transactions are being initiated outside the static office. People are in motion, branching out, making connections, growing communities, partnering, trading this for that, making money. That’s all good, right?
But this mobile scenario poses risks from compromised user devices and man-in-the-middle attacks, which seek network pathways into private data on the device; in the cloud, and on your local servers. Network distribution and mobility also creates significant trade-offs – either leave this business traffic uninspected or bring it back to a more centralized policy enforcement and inspection function; either skimp on security or create performance and architecture headaches.
Business software consumption [think storage-as-a-service] is moving from the data center to the cloud and Web. This can expose your employees, their devices, and your data to a wider spectrum of potential assaults, while offering hackers a larger attack surface. Attacks targeting network endpoints have spread to cripple municipalities, and put commercial enterprises out of business.
Protect Digital Transformation with Zero Trust, Network Edge Security
The OPAQ zero trust network security edge empowers transformational organizations to regain control over a graying network perimeter; at the edge where the Internet, cloud and private network intersect. OPAQ provides zero-trust network security software- as-a-service from the cloud to enable organizations to quickly deploy router, firewall and VPN functionality across hybrid, globally distributed environments.
OPAQ makes this secure network modernization easy as you pursue business initiatives such as growth, the establishment of new sites, SD-WAN, remote worker security, direct Internet access, data center transformation, and keeping SaaS apps private.
OPAQ Endpoint Protection
The workplace is no longer confined by walls. Your users are connecting to your network remotely – from the home, airport, hotel, coffee shop, and other places. On-device anti-virus/malware protection by itself is only marginally effective, and firewalls are not properly located to protect remote users who directly access cloud applications and sensitive corporate data. Virtual private networks (VPNs) help, but aren’t full-proof, especially when the VPN connection is lost or not accessed in the first place. And VPNs often impact performance, frustrating users and causing lost productivity. This is why always-on protection for roaming mobile edge devices is crucial.
OPAQ Endpoint Protect secures network traffic all the time from the cloud. OPAQ offers always-on protection to users and devices by ensuring they are always connected to the OPAQ Cloud. All network traffic – not just Web traffic – to and from the user device traverses OPAQ’s highly performant and reliable network. It’s the easy button for enterprise-grade security during digital transformation. The advanced security is layered to protect private data at the endpoint but also your core data as those endpoints reach out to the vulnerable, connective edge of today’s morphing semiprivate network.
Find out more:
Read the Securing Remote Workers report.
Data is virtually everywhere, and computing devices, whether stationary or on the move, are accessing external circuits, servers, websites and portals. From an enterprise standpoint, network IT teams must be able to support employee business access needs, and protect employees, their devices, and the network from cyberattack. Anyone using digital computing devices subscribes to sources of interest, consumes outside network or app services, accesses and shares sensitive data, some of which is stored or provided from the cloud. For network IT staff, this network expansion requires management, and IT departments must ensure the growing bandwidth use doesn’t cost them, and that the software utilized on the network is safe.
These multicloud/hybrid connections are occurring at your network’s edge, posing both opportunity and risk.
Multicloud Access: Opportunity or Risk?
Multicloud access is increasingly attractive because signals no longer have to be beamed back into the data center for network handshake authorization. Application workloads can be run in a multicloud environment that doesn’t require the organization to move data — rather, users can access the data locally over secure, low-latency connectivity. This can minimize the risks of data loss and theft, while the local access and storage via clouds can satisfy the majority of geopolitical data privacy laws.
The risk in this bold strategic transformation is your attack surface gets bigger. Just because you use a cloud platform provider doesn’t mean you’re no longer vulnerable to breaches or no longer responsible for network and data security and privacy. Cloud server to cloud server protection isn’t complete network cybersecurity. It isn’t foolproof or impregnable coverage for your organization’s wandering endpoints, where a lot of data is being kept on devices and can be vulnerable.
Workstations and mobile computing devices are largely under-protected and represent a wandering flock, sometimes passing through windows of exposure, as they connect far and wide. Laptops, desktops and other portables are coated with mainstream antivirus programs and status scans, but hackers and malware are nevertheless getting in at the endpoint and attempting to spread. They are getting better at luring humans into their web. From a cybersecurity perspective, these growing connections at the private network edge, whether trusted or not, must continuously be added to firewall and VPN policies and memory logs. These appliances are getting increasingly costly to manage and refresh, and are often bypassed during “in the cloud” traffic migrations.
So, James from the sales department just opened an email from the CFO detailing a new company reorganization. (Little does James realize but the transmission is not from the CFO but an ersatz CFO, aka, a clever hacker.) Curiosity kicks in and James, while feeling secure after confirming the sender’s email address, opens the attachment on his laptop.
Boom! James clicks on the spoofing/phishing attack and malware compromises the data he’s collected and his network endpoint, exfiltrating sensitive data, without him or the IT department even knowing about it. Sometimes a breach at one or two network endpoints is sufficient to launch massive infiltration attacks such as zero day and ransomware.
Cities and organizations of all sizes have been hacked and ransomed. As you move to cloud environments, you still need to protect your branch offices and portable workstations, so you continue to try and inspect all traffic internally before sharing it with recipients. Direct access connections to the cloud can be slowed and made unnecessarily cost prohibitive by having to backhaul traffic around to your static network and security enforcement equipment. Business user expectations and overall quality of experience can suffer during this traffic hair-pinning, and there are remote out-of-the-cloud access fees for your company to pay. Can’t we just trust the Internet traffic and payload traversing private network endpoints, whether through the cloud or over any foundational network infrastructure such as Wi-Fi or VPN?
Some say, “Yeah, but my organization is ‘All in the Cloud,’ I don’t have to worry about workstation or internal data center security anymore…” Not so fast. It is crucial at this transitional point to remember the human element, the various points of endpoint access and how you protect these individuals, your workforce and the private network and business ecosystem.
Multicloud Access Security Demands a Secure Access Service Edge
An OPAQ white paper explains how organizations and managed security service providers can:
- 1) Secure Internet access and gateways, and separate these from cloud and private data repositories, as part of a holistic hybrid and multicloud access security strategy.
- 2) Rapidly implement consistent, centralized network security policy across the private network, and to and from cloud and Internet access points. (Network security from the cloud enables organizations to quickly deploy router, firewalls and VPN functionality where needed across hybrid, distributed environments.)
- 3) Bolster vulnerable endpoints, particularly those endpoint devices in motion… which often expose themselves to untrusted hosted networks. Embrace identity as the new perimeter via strong identity and access management and always-on workstation protection.
- 4) Extend your security perimeter out to the WAN without boundaries, and orchestrate security and network segmentation rapidly through high-performant zero-trust network- and security-as-a-service.
Whether your IT organization is cloud-friendly or not, consumption of services from the cloud is happening, and private network administrators are being tested to provide access while ensuring security on those and budding Web connection points.
OPAQ provides the encryption, authentication, segmentation, and always-on end-user protection growing companies need out at the edges of the network.
Learn more about OPAQ networking and security from the cloud.
You might call it ‘living on the edge.’ A growing number of organizations are moving computing out of the data center, out to the edge of the network. The various reasons for this include increasing numbers of mobile devices and remote users requiring access, expanding digital opportunities, cloud adoption, reduction of network latency and backhaul costs, and more. Making this edge computing possible are technologies such as SDN, SD-WAN and cloud access service broker (CASB) capabilities, all of which provide points of presence (POPs) where distributed workforces need them.
Traditionally, however, easy provision of good security has NOT been one of the drivers for this pivot to the network edge. Hence, many companies that have transformed their network architectures haven’t yet modernized their security architectures. They continue to indirectly route traffic to security engines (tromboning, hairpinning, backhauling), defeating the whole latency advantage and racking up in-house equipment costs. Or worse, they’re not adequately inspecting the edge traffic and payload, leaving their users, network endpoints, cloud data and internal network data exposed to increasingly sophisticated cyberattacks.
That’s all changing with the convergence of computer networking and security at the edge, something IT analyst firm Gartner dubbed the secure access service edge (SASE), pronounced “Sassy.”
The secure access service edge is an emerging solution category combining wide-area network (WAN) functions with security capabilities such as secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS), and zero trust architecture (ZTA) to support a wide range of digital transformational requirements.
SASE merges edge computing’s distributed approach – bringing computation and data storage closer to the location where it is needed – along with the advanced security near or at these points of access.
Cloud Security-as-a-Service for Your Edge Computing
However, SASE isn’t a security scenario that data center-based hardware appliances are going to feasibly address. When modernizing your network, your traditional security equipment can get bypassed in your traffic’s shift to a software-defined perimeter. Alternatively, equipment deployments and reconfigurations (in your data center and remote sites) may struggle to keep up with today’s pace of secure connectivity requirements.
Your distributed workforce is accessing cloud providers for things like SaaS applications, while your branch offices and mobile workers take advantage of direct Internet access. Meanwhile, the resultant data is no longer being centrally stored on, or accessed from, the premises. More users, devices, applications, services and data are located outside of an enterprise than inside, according to Gartner. With organizations still responsible for data privacy and security of individual employees and customers, that’s a lot of scattered data to protect.
The edge requires agile management, and this is where security software and software-defined perimeters step in.
From a cybersecurity perspective, protection can now come closer to where access is needed. A software-centric SASE approach can deliver zero trust security best practices over Web gateways, cloud access points, tunnels, and the devices themselves, while eliminating inefficient hairpinning of traffic inspection to your data center or nearest branch-office hardware.
The OPAQ SASE Cloud provides more ubiquitous and local points of presence, with the zero trust architecture capabilities you need to ensure secure access, control and segmentation.
The OPAQ Zero Trust Secure Access Service Edge (SASE)
Whether it’s a branch office, remote workstation, router, or VM, all of these endpoint identities need network access. Before they connect into your private network and data, they must be identified, authenticated, and properly segmented.
OPAQ delivers a Zero Trust Secure Access Service Edge that bases decisions on the identity of the entity at the source of the connection (user, device, branch office, edge computing location, time of day, risk assessment of the user device, and the sensitivity of the data or app being accessed).
Primary components of this Zero Trust SASE architecture include:
- User Authentication: IP spoofing, phishing, social engineering, identify theft, and bot break-ins demand a zero trust view of access. Is the device, person, or service attempting to enter into the network authentic? If access is allowed, what might happen next from a security impact perspective? OPAQ checks for a number of factors including user credentials, MFA, access privileges, device certificates, and more.
- Access Control: Access has moved out to the edge, largely outside of the reach of a perceived private enterprise network. The OPAQ Cloud keeps inspections away from your private data containers, and secures traffic and performance at the edge closer to where access and QoE is sought. Tunneling to the nearest POP, OPAQ SASE provides end-to-end encryption of each session, including over public Wi-Fi networks (cafes, airports, malls, etc.).
- Segmentation: Ransomware and other malware seek to spread and capture data and control as they go about their damaging business. Endpoint connections are underdefended by basic on-device antivirus updates, opening the door for the latest sophisticated attacks. OPAQ continuously extends layered next-generation security across the dissolving network perimeter, reinforcing workstations, VMs and other endpoints, and then making sure that distributed endpoints don’t expose vulnerable in-roads into your core network and data.
- Device State: What are your wandering workstations connecting to? Are these devices adequately protected with antivirus, anti-malware, intrusion detection, and more? How are the devices behaving, and are they putting your network and data at risk? OPAQ device state analysis and control secures multidirectional access for your wandering workforce and stationary endpoints and what they can safely connect to.
Transformational edge computing requires a rotating shield of SASE protection.
In a revival that would satisfy both retro stylists and fictional FBI agent Fox Mulder, the approach to security known as Zero Trust is back and as strong as ever.
Why has Zero Trust – a model that ‘trusts no one’ and seeks to verify everything – returned to the forefront of security?
In a 2019 study, Gartner found that “More users, devices, applications, services and data are located outside of an enterprise than inside.” Doing business digitally is no longer solely about the trusted private network. It is about expanding the business horizons into unchartered network waters, into often shadowy connection points, where you might not know who or what is lurking on the other end and what he, she or it is carrying and trying to inject into your computer code and company network…
In a world of spamming, scamming, spoofing, phishing, catfishing, and ransomware, where individuals never can really be certain of the identity of the party on the other side of the connection, legitimate enterprises need all the help they can get when it comes to establishing trust and security.
The Zero Trust model is back.
Trust no one, Scully.
Zero Trust Networks and Architectures
Created in 2010 by then-Forrester analyst John Kindervag, Zero Trust was never wholly forgotten, but its forceful reemergence and renewed emphasis make sense in today’s interconnected reality where exposure to untrusted networks and apps and cybercriminals is unavoidable, and where ID spoofing, identity theft, and business-reputation damage are common occurrences. Attack methods have gotten more sophisticated… as has malware… and just one naïve or ill-advised click can infect a computer and surreptitiously attempt to spread. Detection can take months, allowing contagions to get rooted and then deliver a fatal blow to an organization, including through Zero Day exploits.
All access from within the network, from your cloud workload environments, and from remote users connected via VPN to your network, must be contained using a ‘least privilege approach.’ Access must be denied where not approved. Said another way, every user is verified, their devices validated, and their actions limited to just those that have been granted.
Ransomware still targets specific computers but has matured to now easily challenge network control. Ransomware operators such as SamSam are focused and lethal. They update their malware frequently in an effort to avoid antivirus and other endpoint defenses. In one tale of horror, the WannaCry ransomware attack was able to knock out 200,000 computers across 150 countries, including some hospitals, over the course of four days in 2017.
Once the malware gets a foothold it immediately attempts to spread laterally and infect multiple computers on a network. Some of the tools in use include Mimikatz and Bloodhound. Mimikatz is a tool for post-exploitation that dumps passwords from memory, PINs, and network authentication protocol lists. Bloodhound is a tool that can map out an entire domain and highlight where the next target might be. This makes lateral movement within a network easier for hackers and their malware.
Zero Trust powered by OPAQ allows organizations to quickly and easily set up a robust zero-trust architecture.
OPAQ Zero Trust Secure Access and Segmentation
Secure Internet Access
OPAQ Zero Trust cybersecurity protects your organization with multi-layered advanced security out to cloud and Internet access points while safely segmenting endpoint access and traffic patterns across lateral and core-data lines of movement. In addition to wrong clicks, identity spoofing, and distributed brute force attacks, devices can be lost or stolen and hackers can gain network access through computers left unattended. You want to make sure you stop the spread through layered security in the form of multi-factor authentication (MFA), access control and segmentation.
Using the OPAQ security-as-a-service, network security policy follows users wherever they go, protecting them as they perform their jobs, whether on the private network, or through a separate secure tunnel while using the public Internet or apps in the cloud. Zero Trust model rules can be based on any combination of host, host group, Active Directory user/group, port, protocol, service, range, and blacklist policy, while allowing for MFA when connecting to specific systems.
True Least Privilege Segmentation
Building effective network segments used to be hard work, and doing it with physical switches is expensive and time consuming. The consequence is that even relatively well segmented networks are not truly restricted to a least privilege level, i.e., strong access and control rules. OPAQ enables segments to be configured on the fly, and can provide network segments based on user groups rather than IP addresses or physical switch configuration. This capability affords granular, least privilege segments that enable employees to access the systems they need to do their jobs, and nothing more.
East-west traffic (lateral LAN traffic) is protected via security policies that provide software-defined network segmentation, while also providing hardware and software asset inventory, and instant quarantine capabilities. Users on the network can be granted or denied access to resources depending on their role, device state, and/or MFA.
Much of the work your organization is doing is no longer on the private network. Protect against infection, unauthorized access, and lateral spread by orchestrating security in a way in which trust is earned, not given, and by treating every connection with zero trust.
Zero Trust Architecture web page.