A Zero Trust Secure Access Service Edge for a Distributed Data World

You might call it ‘living on the edge.’ A growing number of organizations are moving computing out of the data center, out to the edge of the network. The various reasons for this include increasing numbers of mobile devices and remote users requiring access, expanding digital opportunities, cloud adoption, reduction of network latency and backhaul costs, and more. Making this edge computing possible are technologies such as SDN, SD-WAN and cloud access service broker (CASB) capabilities, all of which provide points of presence (POPs) where distributed workforces need them.

Traditionally, however, easy provision of good security has NOT been one of the drivers for this pivot to the network edge. Hence, many companies that have transformed their network architectures haven’t yet modernized their security architectures. They continue to indirectly route traffic to security engines (tromboning, hairpinning, backhauling), defeating the whole latency advantage and racking up in-house equipment costs. Or worse, they’re not adequately inspecting the edge traffic and payload, leaving their users, network endpoints, cloud data and internal network data exposed to increasingly sophisticated cyberattacks.

That’s all changing with the convergence of computer networking and security at the edge, something IT analyst firm Gartner dubbed the secure access service edge (SASE), pronounced  “Sassy.”

The secure access service edge is an emerging solution category combining wide-area network (WAN) functions with security capabilities such as secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS), and zero trust architecture (ZTA) to support a wide range of digital transformational requirements.

SASE merges edge computing’s distributed approach – bringing computation and data storage closer to the location where it is needed – along with the advanced security near or at these points of access.

Cloud Security-as-a-Service for Your Edge Computing

However, SASE isn’t a security scenario that data center-based hardware appliances are going to feasibly address. When modernizing your network, your traditional security equipment can get bypassed in your traffic’s shift to a software-defined perimeter. Alternatively, equipment deployments and reconfigurations (in your data center and remote sites) may struggle to keep up with today’s pace of secure connectivity requirements.

Your distributed workforce is accessing cloud providers for things like SaaS applications, while your branch offices and mobile workers take advantage of direct Internet access. Meanwhile, the resultant data is no longer being centrally stored on, or accessed from, the premises. More users, devices, applications, services and data are located outside of an enterprise than inside, according to Gartner. With organizations still responsible for data privacy and security of individual employees and customers, that’s a lot of scattered data to protect.

The edge requires agile management, and this is where security software and software-defined perimeters step in.

From a cybersecurity perspective, protection can now come closer to where access is needed. A software-centric SASE approach can deliver zero trust security best practices over Web gateways, cloud access points, tunnels, and the devices themselves, while eliminating inefficient hairpinning of traffic inspection to your data center or nearest branch-office hardware.

The OPAQ SASE Cloud provides more ubiquitous and local points of presence, with the zero trust architecture capabilities you need to ensure secure access, control and segmentation.

The OPAQ Zero Trust Secure Access Service Edge (SASE)

Whether it’s a branch office, remote workstation, router, or VM, all of these endpoint identities need network access. Before they connect into your private network and data, they must be identified, authenticated, and properly segmented.

OPAQ delivers a Zero Trust Secure Access Service Edge that bases decisions on the identity of the entity at the source of the connection (user, device, branch office, edge computing location, time of day, risk assessment of the user device, and the sensitivity of the data or app being accessed).

Primary components of this Zero Trust SASE architecture include:

  • User Authentication: IP spoofing, phishing, social engineering, identify theft, and bot break-ins demand a zero trust view of access. Is the device, person, or service attempting to enter into the network authentic? If access is allowed, what might happen next from a security impact perspective? OPAQ checks for a number of factors including user credentials, MFA, access privileges, device certificates, and more.
  • Access Control: Access has moved out to the edge, largely outside of the reach of a perceived private enterprise network. The OPAQ Cloud keeps inspections away from your private data containers, and secures traffic and performance at the edge closer to where access and QoE is sought. Tunneling to the nearest POP, OPAQ SASE provides end-to-end encryption of each session, including over public Wi-Fi networks (cafes, airports, malls, etc.).
  • Segmentation: Ransomware and other malware seek to spread and capture data and control as they go about their damaging business. Endpoint connections are underdefended by basic on-device antivirus updates, opening the door for the latest sophisticated attacks. OPAQ continuously extends layered next-generation security across the dissolving network perimeter, reinforcing workstations, VMs and other endpoints, and then making sure that distributed endpoints don’t expose vulnerable in-roads into your core network and data.
  • Device State: What are your wandering workstations connecting to? Are these devices adequately protected with antivirus, anti-malware, intrusion detection, and more? How are the devices behaving, and are they putting your network and data at risk? OPAQ device state analysis and control secures multidirectional access for your wandering workforce and stationary endpoints and what they can safely connect to.

Transformational edge computing requires a rotating shield of SASE protection.

Learn more.

Zero Trust Resurges in Ethereal World of Borderless Networks and Other Haunts

In a revival that would satisfy both retro stylists and fictional FBI agent Fox Mulder, the approach to security known as Zero Trust is back and as strong as ever.

Why has Zero Trust – a model that ‘trusts no one’ and seeks to verify everything – returned to the forefront of security?

In a 2019 study, Gartner found that “More users, devices, applications, services and data are located outside of an enterprise than inside.” Doing business digitally is no longer solely about the trusted private network. It is about expanding the business horizons into unchartered network waters, into often shadowy connection points, where you might not know who or what is lurking on the other end and what he, she or it is carrying and trying to inject into your computer code and company network…

In a world of spamming, scamming, spoofing, phishing, catfishing, and ransomware, where individuals never can really be certain of the identity of the party on the other side of the connection, legitimate enterprises need all the help they can get when it comes to establishing trust and security.

The Zero Trust model is back.

Trust no one, Scully.

Zero Trust Networks and Architectures

Created in 2010 by then-Forrester analyst John Kindervag, Zero Trust was never wholly forgotten, but its forceful reemergence and renewed emphasis make sense in today’s interconnected reality where exposure to untrusted networks and apps and cybercriminals is unavoidable, and where ID spoofing, identity theft, and business-reputation damage are common occurrences. Attack methods have gotten more sophisticated… as has malware… and just one naïve or ill-advised click can infect a computer and surreptitiously attempt to spread. Detection can take months, allowing contagions to get rooted and then deliver a fatal blow to an organization, including through Zero Day exploits.

All access from within the network, from your cloud workload environments, and from remote users connected via VPN to your network, must be contained using a ‘least privilege approach.’ Access must be denied where not approved. Said another way, every user is verified, their devices validated, and their actions limited to just those that have been granted.

Ransomware still targets specific computers but has matured to now easily challenge network control. Ransomware operators such as SamSam are focused and lethal. They update their malware frequently in an effort to avoid antivirus and other endpoint defenses. In one tale of horror, the WannaCry ransomware attack was able to knock out 200,000 computers across 150 countries, including some hospitals, over the course of four days in 2017.

Once the malware gets a foothold it immediately attempts to spread laterally and infect multiple computers on a network. Some of the tools in use include Mimikatz and Bloodhound. Mimikatz is a tool for post-exploitation that dumps passwords from memory, PINs, and network authentication protocol lists. Bloodhound is a tool that can map out an entire domain and highlight where the next target might be. This makes lateral movement within a network easier for hackers and their malware.

Zero Trust powered by OPAQ allows organizations to quickly and easily set up a robust zero-trust architecture.

OPAQ Zero Trust Secure Access and Segmentation

Secure Internet Access

OPAQ Zero Trust cybersecurity protects your organization with multi-layered advanced security out to cloud and Internet access points while safely segmenting endpoint access and traffic patterns across lateral and core-data lines of movement. In addition to wrong clicks, identity spoofing, and distributed brute force attacks, devices can be lost or stolen and hackers can gain network access through computers left unattended. You want to make sure you stop the spread through layered security in the form of multi-factor authentication (MFA), access control and segmentation.

Using the OPAQ security-as-a-service, network security policy follows users wherever they go, protecting them as they perform their jobs, whether on the private network, or through a separate secure tunnel while using the public Internet or apps in the cloud. Zero Trust model rules can be based on any combination of host, host group, Active Directory user/group, port, protocol, service, range, and blacklist policy, while allowing for MFA when connecting to specific systems.

True Least Privilege Segmentation

Building effective network segments used to be hard work, and doing it with physical switches is expensive and time consuming. The consequence is that even relatively well segmented networks are not truly restricted to a least privilege level, i.e., strong access and control rules. OPAQ enables segments to be configured on the fly, and can provide network segments based on user groups rather than IP addresses or physical switch configuration. This capability affords granular, least privilege segments that enable employees to access the systems they need to do their jobs, and nothing more.

East-west traffic (lateral LAN traffic) is protected via security policies that provide software-defined network segmentation, while also providing hardware and software asset inventory, and instant quarantine capabilities. Users on the network can be granted or denied access to resources depending on their role, device state, and/or MFA.

Much of the work your organization is doing is no longer on the private network. Protect against infection, unauthorized access, and lateral spread by orchestrating security in a way in which trust is earned, not given, and by treating every connection with zero trust.

Learn more.

Zero Trust Architecture web page.

 

Easy, Advanced Security Orchestration for Business Growth and Workforce Distribution

Digitally transforming organizations have to support increasingly distributed business workforces. This saddles IT teams with a balancing act of providing Internet access, enterprise-network connectivity, and assuring that the resulting network traffic doesn’t contaminate private channels and expose sensitive data. New offices are opening, the deployment clock is ticking, and IT personnel has to mobilize to install firewall appliances at every added site in order to centralize smart enterprise network and security management. Or do they?

Security-as-a-service (SECaasS) represents a cost-effective best practice and ‘firewall alternative’ for enterprises of all sizes as they attempt to manage the Internet and multicloud access of remote workers and various offices across the country or globe.

The Need for Advanced Security Orchestration

When the digital business is growing faster than the IT staff’s capacity, it gets challenging to protect headquarters and multiple offices – a dozen branch offices by some averages. The security management responsibilities get even unwieldier when you add the growing number of remote users who might be squatting over an Internet access point that is untrusted. If network IT teams don’t keep up with the latest preventions, digital transformation (and its growing pains) can expose the business. Internally managed firewall appliances can get bypassed during new traffic flows over the Internet or in the cloud, resulting in network dark spots and newly introduced avenues for exposure.

If they could see granularly at the endpoint, some CIOs and IT managers might find their networks rapidly drifting into unfamiliar waters. Protecting distributed branch offices and remote users with legacy and static tools is no longer sufficient given the growing variety of Internet access points, IP addresses, application types, and threats in play. Meanwhile, limited resources, including a lack of personnel and advanced cybersecurity skills, leave IT management spread thin toward ensuring connectivity, performance, visibility and up-to-date security across network endpoint equipment and the graying private network perimeter.

IT managers, who have a lot of different business and security systems to manage, want to make network security systems easier for themselves, their technical staffs and business customers to use. Rather than IT and business workforces serving the IT system, the IT system ideally should work for them, reducing monotonous manual tasks. Too often, maybe because of a regular cadence of truck hauls or software license renewals, each system itself becomes a chore (a monolith to worship) versus being a strategic and operationally efficient business tool. These on-premise, in-house installation projects limp to keep up with the spontaneous access privilege and security requirements that crop up across a grid you can’t control. As a result, small IT staffs struggle to equip, welcome and protect a growing workforce, while meeting network service rollout and data privacy timeframes.

Security-as-a-Service (SECaaS)

How do you get branch offices and remote employees up and running and contributing without months of delay? Do you have to rely on multiple security equipment vendors? The answer is to streamline security orchestration via a security-as-a-service (SECaaS) cloud platform.

The OPAQ cloud is purpose-built to simplify and tighten control by applying a consistent security policy across an organization’s branch offices, and mobile and remote users. Organizations achieve centralized visibility over their network through a secure cloud controller, which delivers monitoring and reporting capabilities.

It’s manually exhaustive and expensive to manage multiple firewalls and intrusion prevention systems, across multiple locations, and to make sure all your network security policies are configured properly. OPAQ provides an infusion of intelligence into the enterprise IT network infrastructure, allowing you to secure multiple branch office locations within assigned timelines, while also providing greater visibility and control over the widening, distributed network.

OPAQ security-as-a-service (SECaaS)  empowers organizations to:

  • Centralize and accelerate branch office security, with easy-to-deploy advanced network endpoint protection and segmentation all in one.
  • Facilitate remote office security policy distribution to support business growth and agility. Activate branch offices in one day from the OPAQ cloud and security-as-a-service.
  • Eliminate gaps or darks spots in protection coverage through secure Web gateways, secure cloud access points, and advanced endpoint security and workstation segmentation.
  • Adapt quickly to new business requirements or security threats by adding new infrastructure to the OPAQ security cloud.
  • Eliminate redundant security products. One security-as-a-service (SECaaS) solution staves off traditional security equipment product redundancy. No new hardware is required on premises (none to acquire or manage). The maintenance is all built-in so regular upgrade and software-flaw fire-drills go away.

Reduce network security costs, simplify advanced security, and reduce CAPEX via advanced security orchestration. Equip your CIO and core IT security staff with a smart system aggregating and dashboarding network security data across segmented network endpoints. Grow your business with confidence through the OPAQ cloud.

Learn more about OPAQ advanced security orchestration and security-as-a-service (SECaaS).

Watch the Sandy Alexander video case study:

Discover OPAQ for rapid branch enablement.

 

How Sassy (SASE) Is Your Network?

Four Steps Toward Securing Your Digital Transformation

The term SASE, pronounced ‘sassy,’ is kind of cute, isn’t it? But secure access service edge (SASE) is a serious focus for organizations seeking to protect their data in the cloud, across the Internet, and within private networks.

In its Research Note, “The Future of Network Security Is in the Cloud,” global IT research and advisory firm Gartner defined SASE as “a converged cloud-delivered secure access service edge.”

Why is this security edge so important in defending data?

Best practice security is multi-layered, and establishes security intricacies along the way, seamless and nonintrusive to the digital user experience, but which effectively make it difficult for malicious parties including bots to breach the network.

Whether you believe in the cute SASE term or not, the edge (aka your network endpoint connections) is integral in perimeter security and for protecting against threats, the spread of malware, loss of control, and massive contamination and business damage. The edge is almost always the initial point of digital infection; a vector for infiltration.

In what Gartner characterized as its early stages of adoption, SASE is being driven by digital transformation, the adoption of cloud-based services, software-as-a-service (SaaS), and mobile and distributed workforces. We have to connect to do our jobs, but along the way, we might ingest malware, which can lay dormant, waiting to spread. Spoofing the identity, looking for that next jump… We all know those unfortunate individuals on Facebook, whose identities have been used to spread contagious links.

Understanding the risk that comes with digital business growth, you definitely want to filter all this traffic coming into your network, so you might run it back through your on-premises security appliances and over network resources. This eats up a lot of network bandwidth and costs more than use of the public internet, IaaS, and the cloud.

SASE enables organizations to overcome this difficult security-versus-Internet-access tradeoff; this business transformation hurdle.

SASE Business Drivers

Why get SASE in your security approach?

When the data center is the center of your network universe, it can inhibit transformational business architectures. A social, non-engineering side of your “network” wants to grow: A workforce cost-effectively using the Internet to amplify business potential, and partners and customers plugging into your network, making transactions. But amid all these new connection points, is it really your network anymore? It’s understandable to have sudden network blind spots as connections outside your visibility test you for access versus maintaining digital security.

Gartner reports, “More users, devices, applications, services and data are located outside of an enterprise than inside.”

How do you encrypt and inspect all this traffic and filter all those packets and links before you allow them into the business’s bloodstream?

Rather than hairpin traffic back through your datacenter, smart and more cost-efficient network service can be achieved through software-defined networking (SDN) and SD-WAN deployments that are secured through the infusion of security-as-a-service from the cloud.

Why Evaluate OPAQ SASE?

Digital business transformation requires anywhere, all-the-time access to business IT services, many now located in the cloud.

OPAQ enables organizations to:

  1. Shift inspections out to the session layer vs. routing the sessions to software engines that have to centrally inspect and then reroute communications. Network traffic and sensitive data storage is shifting to cloud platforms vs. enterprise data centers. Why haul it all in for costly inspection when the OPAQ SASE cloud provides a safe, cost-effective barrier?
  2. Get over the business transformational hurdle of risk aversion. Use SD-WAN and MPLS backhaul offload projects as catalysts to modernize and optimize security through enterprising software-defined perimeters. Cloud-based SASE offerings heavily reduce the need to update security at the physical or software level. Network and IT staff won’t have to spend all their time setting up equipment and performing maintenance and instead can focus on business transformation, business tools, privacy requirements, as well as advanced, next-generation security schemas.
  3. Reduce network security complexity by moving to one or two third-party providers for the key components of SASE: i.e., secure web gateways, DNS, zero trust network access (ZTNA), and workstation segmentation. This favorable software portfolio reduction can reduce agent bloat and performance issues at the end-user level. OPAQ also provides the requisite peering partnerships critical for points of presence, reducing latency for performance-sensitive apps such as video, web conferencing and VoIP.
  4. Easily bolster network segmentation to avoid kill-shots as you connect with new data sources as part of digital business transformation. OPAQ protects your organization with separate secure tunnels for: A) private enterprise data access (through MFA and monitoring for sensitive data and malware) and B) always-on protection for remote employees surfing the web for business connections and while on public WiFi.

OPAQ delivers the core SASE components to protect your digital business transformation investment:

  • Secure Web Gateways
  • Firewall-as-a-service (FWaaS)
  • Leading advanced endpoint protection and segmentation
  • ZTNA (Zero Trust network architecture)
  • CASB capabilities

Enterprise data centers, which traditionally scrubbed the network from contagion, aren’t suddenly vanishing; they just aren’t the center of the universe anymore when it comes to granting secure access. To protect endpoint connections, SASE clouds can drift more flexibly and cost-effectively to secure the fluctuating perimeter

Get secure where the user requires access with OPAQ.

Download the Secure Network Modernization white paper

Download the Securing Remote Workers solution brief

Can In-House Cybersecurity Expertise Grow Under Cloud Coverage?

The overwhelming consensus: There’s a cybersecurity skills shortage. Some surveys have identified the cybersecurity skills gap in slightly more than half of surveyed companies, while other studies calculated the deficit higher and more dire, with those lacking cybersecurity expertise registering in the high-sixties or seventies percentile. Why is this important? In a survey, ESG found […]

Ransomware, and Why Organizations of All Sizes Should Evaluate Network Segmentation

You’ve probably read or discussed the news articles and public disclosures.

A major bank gets hacked, the personal data of a 100 million customers falls into the wrong hands, and it costs the bank hundreds of millions of dollars to fix.

A major U.S. municipality is held ransom for database control, forcing it to rely on old-school data-keeping methods as it courageously defies the extortive criminal demands.

How can these kinds of attacks succeed in today’s cyber-vigilant day and age?

The aforementioned are just the high-profile cases. Below the radar of the headlines, smaller companies encounter spoofing ploys, ransomware and evolving malware, and every day too many of them get compromised or deceived into sending funds to a cybercriminal.

There will always be human errors and cyber-villains seeking to capitalize, so, what is it that we can actually change? The answer lies in an evolving security architecture and how we define next-generation network segmentation.

Traditional Security Architectures Pose Risks

Nearly every harmful corporate cyber-assault is a lesson in unsound traffic patterns, of network blind-spots, of organizations not sufficiently insulating enterprise jewels, not properly segmenting network traffic and not adequately shoring up endpoint protection and access control against powerful automated takeover attacks.

It’s nobody’s fault really. The private network has changed, gotten more complex, become a WAN without boundaries. You have users connecting into the private network while they’re plugged into data transaction points outside your network security team’s control on the Internet and in the cloud, some of these access points potentially vulnerable. Do you want to allow traffic and files from Internet and multiple cloud access points to merge with important private network traffic and databases via common pathways? From a smart central security perspective, the twain should never meet.

What’s more, cybersecurity skills, especially in cloud network security, are in short demand, and network and IT departments have to wear many other hats in their jobs. It gets challenging to structure network patterns to keep roaming users connected and satisfied while also prohibiting sneaky lateral movement of suspicious or known threats. A zero trust network approach must not result in an unintended plethora of zero-access lines. Connection hurdles can hurt your business: employees still need to get data and communicate.

Network Segmentation, Microsegmentation, and Access Control

Your users are traversing myriad websites and Internet access points, downloading tools, plugging in at public charging stations and then connecting to private enterprise assets. Network segmentation is about restricting direct gateways into the heart of the business so traffic flow patterns don’t inadvertently put the organization at high risk. But network segmentation has been difficult and expensive due to the amount of resources and effort needed to reconfigure distributed physical equipment such as VLANs, routers and switches.

A next generation of network segmentation, microsegmentation (or software-defined segmentation) is the partitioning of workloads from one another, including in the cloud, between multi-cloud access points, and between data centers and databases.

Gartner wrote: “Microsegmentation (also referred to as software-defined segmentation, zero trust network segmentation or logical segmentation) uses policy- and workload-identity-driven firewalling (typically software-based) or network cryptography to isolate workloads, applications and processes in data centers, public cloud IaaS and containers. This includes workloads that span on-premises and multiple public cloud IaaS providers.”

What this translates into from a security perspective is when some of your databases and servers are hosted they creep out of your view and control, so keeping the workloads of these different transaction points separate is mandatory in order to protect your most precious enterprise data and digital assets.

Workstation Microsegmentation

Securing this larger, more distributed attack surface without talking about endpoint agents (i.e., software-defined networking on portable laptops and other human-manned mobile workstations as well as virtual machines) is unrealistic. These devices are all part of your network, whether you’re in the cloud or not, and an initial point of potential compromise.

It’s a hybrid, multi-cloud network for many organizations, not just one big tidy cloud environment. More-granular segmentation is needed in both cloud environments and your endpoint-defined private network.

Microsegmentation tends to merely represent a granular, cloud- and data-center-workload-focused approach to segmentation. But your segmentation should not be restricted to just data centers and clouds when you have to also protect end users connecting to each other, to the cloud, and to on-premises network assets.

OPAQ offers both network segmentation and microsegmentation at the endpoints, that is, on the devices that connect or traverse Internet, cloud and multi-cloud access points. Each protected endpoint, whether stationary or mobile, carries security and segmentation policy, ensuring that these devices don’t act as the conduits for infection with each other or networks, servers or databases.

Microsegmentation doesn’t have to be impossible for small and midsize enterprises or new branch offices, all in the crosshairs of powerful distributed attacks. Neither should the ability to rapidly roll out next-gen network security policy to endpoints, which nowadays is crucial for small and midsize enterprises and large-enterprise branch offices alike. Your endpoints are your weakest links, a ‘way in’ for the sophisticated attack and bad actor. Segmenting cloud and database workloads is smart, but a lateral spread can still afflict your workforce and cost you if you don’t bolster your endpoints with advanced security policy including network segmentation by host and user groups.

Don’t underestimate the threat of malicious lateral movement through your security architecture.

Find out more.

Endpoint Control

Request a demonstration.

 

SECaaS: How Cybersecurity-as-a-Service Can Enhance Coverage; Shrinks Costs

In our digital world, we tend to talk about the cloud, automation and virtualization as if every business professional and organization is consciously adopting virtual assets and deeply indoctrinated and invested in these technologies. Let’s face it… the cloud and virtual machines (cloud-hosted computers, databases and servers) are predominantly a large-enterprise, high-tech or platform-provider perspective bias, and those of us with a technologist bent tend to assume that every real-world company is digitally transformed in this regard.

However, it’s not so simple when you look beyond basic business network computing, Internet access and mainstream cloud app usage (AWS and Office 365).

Today’s reality is most network IT teams are still forced to patch and reconfigure hardware and software on an as-available human-resource basis versus leveraging automation as a way to try to stay ahead of evolving threats. For most companies, physical equipment is still predominant. It’s often still on premises, whether that’s a regional office or small branch office.

Most companies are still managing firewall hardware; some even have no firewall at all. They still treat network and security management as if the perimeter is ‘fixed in place,’ and trust their users will log into the company VPN when outside the fixed LAN security perimeter.

Meanwhile, end-user employees, coated only with antivirus protection, are roaming on their portable devices, connecting on this network host to that IP address. Ahh, digital business transformation… Your people want to expand their connections and help you to grow your business, but this wandering presents big IT security risk. Denial of service attacks, ransomware, phishing, identity spoofing, and increasingly sophisticated malware can breach and then tunnel into your digital network like a worm through an apple.

Digital transformation is an ongoing journey, a continuum, not a lasting status that an organization one day crowns itself with and then uses to rule over the market for many years while everyone else uses less-advanced tools. Because of this fluctuating landscape, small and midsize organizations can take giant leaps via digital-economy equalizers in the cloud that enable them to catch up or achieve strategic edge.

One of these digitally transformational accelerators is network- and security-as-a-service. There’s an IT skills shortage; network and cybersecurity expertise (the two often go hand in hand) are in short supply.

With an estimated 74% of organizations affected by a cybersecurity skills shortage, it’s ‘Advantage Hackers.’ One recent study reported 94 percent of IT security professionals believe the advantage has tilted to cyber-adversaries over cyber-defenders. (ISSA and ESG.)

This can lead to struggles in defending against the latest, most sophisticated cyber-attack or cybercriminal methods as well as the inability to patch software and hardware vulnerabilities rapidly. It can also leave your enterprise employees, workstations, networks and servers reliant solely on one or two static barriers, instead of a sounder, multilayered security architecture.

Exacerbating this cybersecurity skills shortage is network complexity, product overlap, and product fatigue. As the workforce becomes more distributed, network endpoints are moving and changing, making them difficult to inventory and manage. Meanwhile, backhauling all branch office and remote worker traffic through the core network is many times more expensive than providing these individuals with direct Internet access, and can introduce QoE latency. From both a business access and security perspective, small network and IT teams just can’t keep up across the many products, pieces of computing equipment and user access needs they have to manage across distributed sites.

Help for the network IT staff can come from automation and the cloud.

Security as a Service (SECaaS) for the Changing Network Architecture

What is security as a service (SECaaS) and why is it so important in a network without boundaries world?

At a high level, SECaaS is a rapid deployment that immediately solidifies both your network perimeter and lateral traffic security. It accomplishes this by providing key advantages over traditional IT security deployments.

  • Speed. With advanced cybersecurity skills in low supply, do you wait for the on-device reconfiguration to be performed, or do you deliver advanced security agents that don’t require routine in-house patch releases? SECaaS is distributed network security protection in minutes versus weeks or months.
  • Cost. The cloud empowers organizations, large and small, to more easily and rapidly facilitate less-expensive remote-office activation and branch-to-Internet connections. In this cost-efficient environment, SECaaS enables organizations to receive advanced security capabilities previously accessible only to deep-pocket large enterprises, and to do so without myriad tool acquisition and maintenance costs.
  • Network Performance. You don’t have to compromise on security or performance as you migrate some of your traffic off the private network and into the cloud. Conduct your traffic with greater precision and quality of service, taking advantage of less-expensive yet high-performant network transports while orchestrating and automating advanced network security across distributed domains.
  • Advanced Protection Against Targeted End Users. Firewalls do a good job of protecting the perimeter against north-south invasion, but when something inevitably does slip through the cracks (perhaps by compromising a device outside the firewall or VPN), it can spread laterally like wildfire. Secure your flexing and fluxing network, with always-on protection at the endpoints, which also defends against lateral movement leading to widespread infection, hijacks or outages.
  • Central Management. Hackers prey upon inconsistent security policy enforcement across distributed network infrastructures. SECaaS enables central enforcement of policy, which is automatically applied throughout the entire distributed network, strengthening protection and closing loopholes.
  • Simplicity. Whether you’re a managed security service provider or public or private network operator, OPAQ brings automation, easy orchestration and simplicity to your complex distributed network or networks. This IT service agility also makes it easier to meet regional and vertical compliance regulations.

Security-as-a-service can lead to easier, more holistic network security coverage for digitally transforming managed service providers and enterprises alike.

Visit our security-as-a-service (SECaaS) page.

 

Strong Endpoint Security Offers Firewall Alternative for SMBs and Branch Offices

Ahh, the firewall… that invaluable tool which monitors and protects traffic to and from an organization, as employees and servers communicate with the Internet and other networks or devices.

What would we do without them? Firewalls can block unauthorized access and inspect packets and prevent malware from infecting your network. A company might have an enterprise firewall at its headquarters office in Austin, TX, and another at its branch office 1,200 miles away in Charlotte, NC, and use these firewalls to enforce traffic and security policy across its network and access points. It might open a new office location in Chicago, IL, and equip that location with a third firewall and integrate it into the traffic and protection scheme. Or, conversely, the company might turn to a cloud firewall model to eliminate the amount of investment in physical security equipment and maintenance at its various sites. Either way, the company is taking prudent steps by incorporating firewall protection to help keep its electronic databases and other assets safe from infection, corruption, misuse, theft or ransom.

But what about a company that has only one office and 50 employees distributed across the country, most of whom travel extensively and are out of the firewall’s protective range? Do we expect them to log into the VPN when they work from their home offices or while visiting a client or attending a conference? Do we trust that they will log in? Does an enterprise-firewall-with-VPN strategy do much good here? And what if this small company doesn’t have the servers, routers and other equipment in its HQ office and instead leverages infrastructure in the cloud? Is a firewall appliance or cloud firewall really the most appropriate security solution for this type of organization?

Consider this: Firewall appliances at each office are there to protect the resident users, equipment (physical and virtual), and data. If your organization becomes so distributed as to have only a few people in the office and your server and database equipment in the cloud, the whole premise of the enterprise firewall loses its purpose. With intellectual property no longer on the premises to protect, it’s smart to consider a strategy in which network and security policy follow your employees wherever they are and wherever they go as they access private enterprise data from the cloud, and share data with one another.

Security at the Endpoint

Endpoint security is a strategy in which organizations or individuals attempt to stave off cyberattacks by fortifying remote equipment with on-device cybersecurity protection. Typically, this protection consists of antivirus software and scanning and complements a firewall. But when the firewall and VPN are eliminated from the equation, endpoint security must be stronger.

Cyber-attacks target individual users and their workstations via ransomware, Web browsers, document viewers, and multimedia players that download and execute content from the Internet in the hope of gaining a beachhead into the corporate environment. One wrong click or download by the end-user and the infection can spread laterally (east-west)… within the firewall… and across the internal network. No longer limited to big organizations and brands, SMBs are in the crosshairs of cyberattacks, with 43% of cyberattacks worldwide targeting small businesses.

Strong endpoint protection doesn’t replace all rationale for firewall use, but it can supplant traditional firewall and VPN strategies in certain scenarios.

  • In organizations in which many IT applications (e.g., Office 365 and Salesforce) and/or sensitive digital assets are no longer hosted in internal network datacenters. Often, traffic from remote workers is backhauled over the VPN to an enterprise control center, from which it is then routed back over another VPN connection to IT services in the cloud. This method of backhauling traffic is expensive, unreliable, and slow.
  • In organizations in which there are few or no company offices, and employees operate outside any firewall protection… Here, the workforce is largely distributed and transient, connecting to enterprise apps hosted in the cloud. In this scenario, endpoint protection needs to be more advanced and adaptive than static antivirus and firewall protection, and the flexing protection must be always-on.
  • In small organizations consisting of an owner and one or more 1099 employees, where workstations are limited to computers located in remote offices. Firewall and VPN protection for these companies may seem heavy-handed, while host-based antivirus and scanning may not be enough to enforce security concerns and Zero Trust best practices.

In these scenarios an organization wants to be able to protect its remote workers from cyberattacks, protect these users’ connections to Internet and cloud access points, and prevent the spread of malicious code or file-less malware. The firewall becomes obsolete in some environments, and the VPN impractical. Strong endpoint protection and network segmentation become a smart, effective defense.

OPAQ Endpoint Coverage

OPAQ Endpoint Protect provides easy-to-deploy advanced security-as-a-service for your distributed endpoint users. Organizations can employ it as a complement to the firewall or when firewall or VPN protection doesn’t make sense – for example, small offices of 25 to 50 users.

OPAQ secures remote workers and the private network from the latest threats. Security follows users wherever they go – whether they are in a coffee shop, inside an airport or on a plane or train. The protection goes beyond host-based antivirus signatures and scans and includes:

  • Network intrusion prevention and detection (IPS/IDS)
  • Network anti-virus/malware/spyware
  • External IP inspection and filtering
  • Network URL inspection and filtering
  • Zero-Day protection
  • Internet exposure minimization
  • Protection from both DNS- and Web-based assaults.

Meanwhile, OPAQ Endpoint Control governs your lateral traffic, providing secure access control and network segmentation. Using OPAQ Endpoint Control, organizations can place sensitive IT applications on the open Internet or in the cloud, while ensuring that only authorized users can access those applications. It can also be used to lock down internal networks, closing off unnecessary avenues for lateral movement by attackers who have compromised devices behind the corporate firewall.

Benefits:

Firewall displacement: Is a physical firewall at every office a waste? Are your remote users not logging into the VPN? OPAQ offers always-on advanced protection that doesn’t require your staff to invest and maintain the equipment.

Tightened endpoint security. Endpoint Protect ensures that every Internet connection initiated by the endpoint goes through OPAQ’s security cloud. This model provides affordable cloud-delivered enterprise-grade security for organizations that previously couldn’t afford or manage advanced security.

Stopping stowaways. The best approach to distributed security is to segment internal networks using software to contain the spread of attacks. OPAQ Endpoint Control is a network segmentation solution that gives you the visibility to see suspicious activity, quickly search for malicious network processes across your user base, and stop all network communication from infected endpoints.

Backhaul offload. Many organizations today are stuck backhauling full tunnel VPN traffic from remote workers to their enterprise. IT applications are increasingly hosted in private clouds, which are reached over endless VPN connections. Using OPAQ Control, organizations can break free from this inefficiency, moving to a model where trust is anchored in the user and the device, rather than the network they are on.

Security cannot be a static defense. To protect remote workers harnessing the cloud, leave the firewall behind and leverage strong, smart endpoint protection that is always on and evolving ahead of the latest threat.

Learn more about OPAQ EndPoint Protect

Read about Securing Remote Workers

The Virtual Private Network Is Dead Again? Not so fast…

Regardless of what you call it, the VPN concept remains crux in your defensive blueprint for secure Internet access.

The virtual private network (VPN), which must have more lives than a cat, has reportedly died again, and according to some industry prognosticators and influencers, VPN is now a bad word. It’s a term to be avoided by unblinking believers of the marketing-driven sleight-of-digit and word-wizardry mesmerism claiming the VPN is no longer an important concept for security. Don’t say VPN, they tell you. Be cool and use alternatives such as software-defined perimeter and secure Internet access instead.

Okay, I’ll try to remember that, I tell myself.

Then I see the new Spider-Man movie, “Spider-Man: Far From Home,” and the VPN term comes up in dialogue between the two main characters. Mary Jane advises Peter Parker (aka Spider-Man) to download a VPN on his phone so he can’t be digitally spied on. So, the hottest new movies are treating VPNs as still relevant, and even Spider-Man is consuming a cool VPN app that he can use to protect himself when ‘far from home.’

VPN. There, I said it. It’s just a word, right? A word we should be able to continue to use to describe a discipline and extended-zone principle that means more than Vendor A and B’s product marketing du jour. From a sound security standpoint, VPN is not just some product you have to buy and manage. It is still an important scheme in your WAN without boundaries defensive strategy.

The technical definition of VPN is a secure, often encrypted connection between trusted device and private network or server. With the network expanding and your mobile employees going wider into unsafe waters, do you want to stop focusing strategically on virtual private networks? All a VPN is an extended zone of protection. You can’t just magically wave a wand and say you’re protected without extending network security policy out to endpoint devices.

Industry projections support the VPN’s immediate survival, dispelling some of this zeitgeist semantical doomsday talk which can be misleading from an overall security perspective. As organizations expand their networks, or outsource some or all of their IP backbone, applications or services in the cloud, the VPN doesn’t disappear; it just gets more virtual like the cloud itself.

The cloud VPN market is estimated to grow at a CAGR of over 21% by 2024, led by increasing shift toward virtual applications and the surge in demand for cloud services, according to Global Market Insights. Another report from Market Research Future puts the VPN market CAGR at 18% through the end of 2022.

So what is all this hog-splash about VPN being a dirty word, a nonexistent thing, a strategy component that some vendors would have you strike from your lexicon, something to be hidden from your transformative security strategy?

Authentication: A Pain in the Protective VPN Ring

Maybe this sustained campaign to bury the VPN – or call it something else – is because the VPN carries associations in which remote user traffic is backhauled to data centers hundreds of miles away, resulting in latency and the use of expensive private lines.

Maybe it’s because traditional VPNs often hassle end-users for constant sign-ins and additional passwords, and users don’t bother using the VPN when they work on company devices, leaving the organization exposed. Although organizations strongly encourage employees to use the VPN when remote or using public networks, the majority of the time employees don’t bother. Requiring additional authentication by end-users can mean more pain, and this has emboldened some vendors to get into semantics hype, or maybe they’re attempting to skirt privacy issues. There’s no more VPN, but you’re safe, they say. Voila. Never mind the man behind the curtain.

What product marketers are actually getting at is they are replacing the traditional prompt-based authentication and authorization with less-jarring solutions under the veil of buzzwords like software-defined networking and software-defined perimeters (SDPs). We’re doing SDN and SDP, too, but for those looking to protect all traffic from the IP layer (Layer 3) and up, VPN is still a requirement.

Engaged employees want access to data and tools that empower them to get the information they need, without being pulled aside for additional verification.

Whether it’s a VPN that is always on, or the same principle through SDP, when your employees use the Internet, protection should follow them wherever they go.

Virtual private network (VPN) is a concept, a best practice, not a now-obsolete product term as some would play you a fool for in telling you to strike from your vocabulary. Virtual private networks still provide us with structure, an easy-to-grasp overall term meaning extended private network security and protection across a constantly flexing network perimeter.

Our world feels less physical… Even venerable virtual private networks are getting more virtual, more seamless and less overtly intrusive for end users. VPNs help to defend us, and in instances where they require interaction with us for additional verification, we tolerate the balance between our productivity, privacy, and enterprise security.

Cyber Risk Management: Avoiding Business Disruption as You Digitally Transform

What is cyber risk management? For too many budget-restricted small-to-midsize enterprises, cyber risk management means trying to protect the network and datacenter by establishing antivirus and firewall security safeguards against known attack vectors and across known parts of the network. But cyberattacks are getting more technologically advanced, and malware and social engineering ploys regularly slip past these basic perimeter defenses, regardless of an organization’s size or brand.

Industry surveys estimate that between 43% and 58% of cyber-attacks worldwide target small businesses. Cisco found that 53% of SMBs have reported a breach, while, according to the Better Business Bureau, about 36% of small businesses that reported being a target of a cyberattack ended up losing money.

The attacks often start by popping an end user – a digital mobile warrior or someone in a remote office – taking advantage of human error, under-inspected email links and attachments, or the Internet access points these employees use to consume or share data. These vulnerable network endpoints and access points can represent dark holes in your network visibility, i.e., blind spots outside your private network. Your network can then get infected without you even knowing about it, with industry breach detection medians and averages ranging between 70 and 200 days. The existing level of defense is just not enough anymore.

Are you able to protect computing devices that are communicating in public places where airwaves are shared, where login redirects are easy for hackers to host, and where open ports back into your network can jeopardize the sanctity of your network and data? Are you able to detect and stop the intrusion once it breaches your perimeter and attempts to spread laterally?

The use of digital computing, social networking and ‘app sharing’ for business agility brings a new and widening set of challenges and evolving types of cyber-attacks… attack vectors that are different than the ones we may have heard about last week. It’s difficult to keep up.

The malicious code itself is being recompiled and is getting better at penetrating networks and fooling static defenses and human judgment. Digital and wireless points of transaction left unattended or poorly protected against compromise allow your user’s credentials to be stolen and then used in attacks on your network, data, partners, finances, and the future of your enterprise. Don’t be the low-hanging fruit due to a static level of defense.

Continuously evolving advanced security is needed to protect you, your users, and data. However, keeping security strong traditionally involves costly rollouts and updates at the physical equipment level. Exacerbating the challenge is that there are other parts of the business that need the investment more and you just can’t afford additional cyber risk management practices. Or you’re uncertain what to do about the risk, business disruption, or potential (or yet-to-be-detected) damage to your organization. For example, as your business grows, you may not be sure what to do about regional privacy law violations if you discover that the data of your employees or customers has been hacked…

Advanced Cybersecurity and Risk Management

Cyber risk management is a discipline practiced by organizations to protect themselves from cybercrime and digital threats that can disrupt business. Cyber risk management typically consists of threat assessment, cyber protection tools, and security controls and guidance, with advanced security and cyber insurance often being the missing components. Only between 15% and 38% of small to midsize businesses have cyber insurance coverage. Seek out cyber insurance partners with programs designed to suit the needs of small-to-midsize businesses (SMBs). Policies should be transparent about the details of coverage and be flexible and affordably priced to help SMBs to incorporate cyber insurance into their risk management programs.

Modern, holistic cyber risk management is hard. It can be difficult to manage and afford by yourself, which is why too many SMBs fall back on the most rudimentary cyber defenses. It doesn’t have to be that difficult or costly anymore.

Digital business transformation is about adopting new technological competitive advantages and efficiencies, and adapting process for opportunities and risks. This can be harnessed from the cloud, giving small and midsize enterprises a more level playing field on which to compete.

Make sure a hack doesn’t disrupt your business. Check out this turnkey cyber risk management solution that’s purpose-built for SMBs.

More information: