Securing SOHOs, Remote Workers and Your Private Data Network

Mobile and small office/home office (SOHO) workers require connectivity to the same resources your campus-based, firewall-protected employees regularly access from the data center, private network, and now increasingly from the cloud. This poses problem and risk: Network IT departments have low visibility into the configurations, security defenses, and points of access for these employees and devices accessing data remotely.

SOHOs and mobile employee workstations consist of affordable, consumer-oriented network equipment (often BYOD) and security software, all of which is not as sophisticated, protectable and secure as the computing tools in corporate offices. Many IT departments, smaller offices, and remote workers are dependent on public Wi-Fi, inexpensive home-based routers, iffy VPN use, and basic-AV-protected computers to protect their confidential internal and customer data at the edge.

The equipment used in the outlying areas of your network represent the weak link for hackers, the low-hanging fruit, increasing the overall security risk for the organization and its B2B/B2C partners. Common risks include spying, infection of connected devices, and the ransoming of the wider network ecosystem. Compromised endpoint network equipment such as computers and routers can set the stage for sophisticated botnet attacks and the spread to other systems, networks and servers, including those of partners.

Are you going to regularly mobilize truckloads out to every possible remote router site to try to secure these new connections? More sophisticated security equipment requires technical expertise, something most home office workers and many branch offices lack. Constant truck-hauls to every distributed site add up from an overall cost standpoint. Bolting on security through software patches can be a struggle, especially when managing updates and renewals across several security vendors and your busy workforce.

In response to these security and cost challenges, best practices for protecting remote equipment endpoints include:

  • Frequent, automatic software updates that don’t harass business-focused, non-technical home officer workers. Leverage security-as-a-service (SECaaS) to rapidly orchestrate and automate advanced security and smart cyber risk management.
  • Virtual firewall as a service (FWaaS) that blocks unwanted traffic from your defined and controllable network endpoints, including wandering user devices.
  • A VPN, or similar secure tunnel, that segments ISP traffic from private network traffic. This VPN capability should be “always on,” noninvasively coating the attack surface and protecting company used-devices from breach and deeper infection.
  • Multifactor authentication (MFA), which helps to ensure the person or system trying to access a device, network or system is the same person or device authorized for access. MFA includes passwords, security tokens, and, in some cases, biometric identification.
  • Cloaking of a device’s and network’s unique identifiers or presence, making it difficult for other people and devices in range to detect.
  • Encryption and private circuit use to mitigate outsiders from viewing, stealing or ransoming sensitive data.
  • Device hardening, so the endpoint can block legacy or unnecessary ports and services that act as doors for easy infiltration.
  • DNS filtering. These are the oft-color-coded listings and commands, which involve preconfiguring devices with software agents to prevent infection from dangerous sites and other network entities.
  • Avoidance of direct peer-to-peer computing or peer-to-private-server communication approaches. Remote Desktop Protocol and similar P2P network services are an easy gameboard for hackers. RDP sessions store credentials which can be stolen and wielded in “pass the hash” attacks. If you use P2P apps, it’s critical to orchestrate advanced, layered security mechanisms, including identity access control, encryption, and zero trust architecture.
  • Seamless support of the latest Wi-Fi authentication and encryption standards, which can help to protect on-device data and access points.

Securing Your Mobile, Remote Workforce

Every digitally transforming organization has its traveling users, the consummate contributors; the mobile warriors. They are a worrisome potential target for close-encounter cyber-takeovers.

Wandering human endpoints access different networks. They use whatever means available to keep their device batteries charged and to stay connected. Sometimes these individuals work in crowded, cramped seating areas where strangers are in physical proximity or router range.

Common behaviors that put remote worker security at risk include:

  • Connecting via unsecure, unencrypted Wi-Fi, or failing to authenticate through the corporate VPN while working from home, in a hotel, or coffee shop. Without the filtering and blocking of a leading firewall or VPN service, the employee can mistakenly land on a phony site or host (e.g., a man-in-the-middle attack), or click on a link from which malware can be delivered, infecting the device and from there seeking to spread.
  • Directly accessing SaaS applications in the cloud beyond the visibility and control of corporate IT security. Employees are at risk of man-in-the-middle attacks in this scenario, and hackers can steal credentials from the endpoint device and use that private data to gain unauthorized entry to cloud servers or back into the enterprise network.
  • Physically plugging into public charging stations, or attaching untrusted devices including other computers, flash drives and USB ports. Conversely, someone else might gain physical access to the network endpoint device and plug in a flash drive or perform some other type of direct tampering.
  • Falling for phishing attacks. Social engineering schemes are getting more effective at fooling curious, emotional human beings into clicking on links that appear to be legitimate but aren’t. These IP spoofing, phishing, and websites appear authentic but have surreptitiously rerouted the user to an ersatz click-on/sign-in with credentials page…

Your mobile warriors need help identifying and avoiding these deceptive man-and woman-in-the-middle attacks.

OPAQ Provides a Secure Access Service Edge Through Security-as-a-Service

Your network’s edge needs easier IT security reinforcement; a cost-effective, circulating burst of easily distributed security-as-a-service software from the cloud.

OPAQ provides strong endpoint protection as a service to ensure secure access at the network edge, empowering what Gartner calls the secure access service edge (SASE). Harness your expanding workforce. To support your remote employees and protect your network and business ecosystem, reinforce protection at the network endpoint and workstation level with help from the cloud.

 

Learn more.

8 Achievable Steps to Remote Security.

Visit our secure access service edge (SASE) page.

 

Backhaul to Oblivion – The Future of Security Is the Point of Access

In the Past. B.C., Before the Cloud…

“All right, employees. Hunker down in this luxurious, windowless cube area where we’ve provided all the computing hardware, software and information you need to do your job. Nothing beats good ol’ on-the-premises client/server… Oh, did we tell you we’re expanding? We’re opening a new sales office in New Jersey? Attention IT department, give the New Jersey office access to our data center and connectivity with our staff here at HQ.”

*In Charlie Brown / Peanuts-like phone garble: “WHUH-WANT-WHUH-WANT-WANT…”

“What? Okay, yeah, set up the new branch firewall and enforce a strict VPN policy on private data access… Err, what’s that gonna run us?”

“WHUH-WANT-WHUH-WANT-WANT…”

“That much? Really?… What? The Colorado office wants a sensible work-at-home policy? You gotta be kittin’ me. Ohhh, all right. Make sure they use the VPN.”

“WHUH-WANT-WHUH-WANT-WANT.”

“So if I understand you correctly, employees are accessing unsanctioned applications and uploading and downloading stuff on the Web? They’re doing it remotely, too, without using the VPN? Shut’em down!”

“WHUH-WANT-WHUH-WANT-WANT.”

“What? Digital transfor-what? They actually need this cloud and Web stuff to do their jobs? Our customers and partners need access to these apps, too? Oh, brother… Can’t we just put a firewall everywhere?”

Liberated! A.D. Away from the Data Center

 

Before the cloud, the enterprise data center was the true center of the digital business universe. It’s where key business data resided, the place where traffic and payload mostly got sent and scrubbed in hub-and-spoke pattern from a networking and security perspective. However, with user demands from mobile and edge computing increasing and the attack surface widening, the data center can’t be the center anymore because it carries heavy bandwidth and operations costs, and long-distance traffic hauls can negatively impact performance and quality of experience. Think of all the times, you personally logged off an app when it didn’t deliver service right away.

With edge computing, business is happening in real-time, outside the enterprise firewall, out on far-off frontiers. It’s occurring at public Internet access points, over Wi-Fi, on portals, and upon employee bring-your-own devices that might require internal data access as well.

The good news, and what digital transformation brings, is that your people are mobilizing, reaching out, connecting to engage. We’re not taking about people ‘galavanting’ all day long, or posting cat photos on Facebook. We’re talking about engaged employees and people in the business ecosystem connecting outside the network, outside the data center, and even outside IT visibility, for work and to do business. Enabled near-real-time connectivity empowers people to share information and value with each other digitally, when meeting in-person isn’t doable. Point is, business is getting done, transactions are being initiated outside the static office. People are in motion, branching out, making connections, growing communities, partnering, trading this for that, making money. That’s all good, right?

But this mobile scenario poses risks from compromised user devices and man-in-the-middle attacks, which seek network pathways into private data on the device; in the cloud, and on your local servers. Network distribution and mobility also creates significant trade-offs – either leave this business traffic uninspected or bring it back to a more centralized policy enforcement and inspection function; either skimp on security or create performance and architecture headaches.

Business software consumption [think storage-as-a-service] is moving from the data center to the cloud and Web. This can expose your employees, their devices, and your data to a wider spectrum of potential assaults, while offering hackers a larger attack surface. Attacks targeting network endpoints have spread to cripple municipalities, and put commercial enterprises out of business.

Protect Digital Transformation with Zero Trust, Network Edge Security

The OPAQ zero trust network security edge empowers transformational organizations to regain control over a graying network perimeter; at the edge where the Internet, cloud and private network intersect. OPAQ provides zero-trust network security software- as-a-service from the cloud to enable organizations to quickly deploy router, firewall and VPN functionality across hybrid, globally distributed environments.

OPAQ makes this secure network modernization easy as you pursue business initiatives such as growth, the establishment of new sites, SD-WAN, remote worker security, direct Internet access, data center transformation, and keeping SaaS apps private.

OPAQ Endpoint Protection

The workplace is no longer confined by walls. Your users are connecting to your network remotely – from the home, airport, hotel, coffee shop, and other places. On-device anti-virus/malware protection by itself is only marginally effective, and firewalls are not properly located to protect remote users who directly access cloud applications and sensitive corporate data. Virtual private networks (VPNs) help, but aren’t full-proof, especially when the VPN connection is lost or not accessed in the first place. And VPNs often impact performance, frustrating users and causing lost productivity. This is why always-on protection for roaming mobile edge devices is crucial.

OPAQ Endpoint Protect secures network traffic all the time from the cloud. OPAQ offers always-on protection to users and devices by ensuring they are always connected to the OPAQ Cloud. All network traffic – not just Web traffic – to and from the user device traverses OPAQ’s highly performant and reliable network. It’s the easy button for enterprise-grade security during digital transformation. The advanced security is layered to protect private data at the endpoint but also your core data as those endpoints reach out to the vulnerable, connective edge of today’s morphing semiprivate network.

Find out more:

Secure Access Service Edge (SASE)

Endpoint Protection.

OPAQ Endpoint Protect

Read the Securing Remote Workers report.

Four Multicloud Access Security Considerations for Your Ongoing Digital Transformation

Data is virtually everywhere, and computing devices, whether stationary or on the move, are accessing external circuits, servers, websites and portals. From an enterprise standpoint, network IT teams must be able to support employee business access needs, and protect employees, their devices, and the network from cyberattack. Anyone using digital computing devices subscribes to sources of interest, consumes outside network or app services, accesses and shares sensitive data, some of which is stored or provided from the cloud. For network IT staff, this network expansion requires management, and IT departments must ensure the growing bandwidth use doesn’t cost them, and that the software utilized on the network is safe.

These multicloud/hybrid connections are occurring at your network’s edge, posing both opportunity and risk.

Multicloud Access: Opportunity or Risk?

Multicloud access is increasingly attractive because signals no longer have to be beamed back into the data center for network handshake authorization. Application workloads can be run in a multicloud environment that doesn’t require the organization to move data — rather, users can access the data locally over secure, low-latency connectivity. This can minimize the risks of data loss and theft, while the local access and storage via clouds can satisfy the majority of geopolitical data privacy laws.

The risk in this bold strategic transformation is your attack surface gets bigger. Just because you use a cloud platform provider doesn’t mean you’re no longer vulnerable to breaches or no longer responsible for network and data security and privacy. Cloud server to cloud server protection isn’t complete network cybersecurity. It isn’t foolproof or impregnable coverage for your organization’s wandering endpoints, where a lot of data is being kept on devices and can be vulnerable.

Workstations and mobile computing devices are largely under-protected and represent a wandering flock, sometimes passing through windows of exposure, as they connect far and wide. Laptops, desktops and other portables are coated with mainstream antivirus programs and status scans, but hackers and malware are nevertheless getting in at the endpoint and attempting to spread. They are getting better at luring humans into their web. From a cybersecurity perspective, these growing connections at the private network edge, whether trusted or not, must continuously be added to firewall and VPN policies and memory logs. These appliances are getting increasingly costly to manage and refresh, and are often bypassed during “in the cloud” traffic migrations.

So, James from the sales department just opened an email from the CFO detailing a new company reorganization. (Little does James realize but the transmission is not from the CFO but an ersatz CFO, aka, a clever hacker.) Curiosity kicks in and James, while feeling secure after confirming the sender’s email address, opens the attachment on his laptop.

Boom! James clicks on the spoofing/phishing attack and malware compromises the data he’s collected and his network endpoint, exfiltrating sensitive data, without him or the IT department even knowing about it. Sometimes a breach at one or two network endpoints is sufficient to launch massive infiltration attacks such as zero day and ransomware.

Cities and organizations of all sizes have been hacked and ransomed. As you move to cloud environments, you still need to protect your branch offices and portable workstations, so you continue to try and inspect all traffic internally before sharing it with recipients. Direct access connections to the cloud can be slowed and made unnecessarily cost prohibitive by having to backhaul traffic around to your static network and security enforcement equipment. Business user expectations and overall quality of experience can suffer during this traffic hair-pinning, and there are remote out-of-the-cloud access fees for your company to pay. Can’t we just trust the Internet traffic and payload traversing private network endpoints, whether through the cloud or over any foundational network infrastructure such as Wi-Fi or VPN?

Some say, “Yeah, but my organization is ‘All in the Cloud,’ I don’t have to worry about workstation or internal data center security anymore…” Not so fast. It is crucial at this transitional point to remember the human element, the various points of endpoint access and how you protect these individuals, your workforce and the private network and business ecosystem.

Multicloud Access Security Demands a Secure Access Service Edge

An OPAQ white paper explains how organizations and managed security service providers can:

  • 1) Secure Internet access and gateways, and separate these from cloud and private data repositories, as part of a holistic hybrid and multicloud access security strategy.
  • 2) Rapidly implement consistent, centralized network security policy across the private network, and to and from cloud and Internet access points. (Network security from the cloud enables organizations to quickly deploy router, firewalls and VPN functionality where needed across hybrid, distributed environments.)
  • 3) Bolster vulnerable endpoints, particularly those endpoint devices in motion… which often expose themselves to untrusted hosted networks. Embrace identity as the new perimeter via strong identity and access management and always-on workstation protection.
  • 4) Extend your security perimeter out to the WAN without boundaries, and orchestrate security and network segmentation rapidly through high-performant zero-trust network- and security-as-a-service.

Whether your IT organization is cloud-friendly or not, consumption of services from the cloud is happening, and private network administrators are being tested to provide access while ensuring security on those and budding Web connection points.

OPAQ provides the encryption, authentication, segmentation, and always-on end-user protection growing companies need out at the edges of the network.

Learn more about OPAQ networking and security from the cloud.

Read the multicloud access security white paper.

 


A Zero Trust Secure Access Service Edge for a Distributed Data World

You might call it ‘living on the edge.’ A growing number of organizations are moving computing out of the data center, out to the edge of the network. The various reasons for this include increasing numbers of mobile devices and remote users requiring access, expanding digital opportunities, cloud adoption, reduction of network latency and backhaul costs, and more. Making this edge computing possible are technologies such as SDN, SD-WAN and cloud access service broker (CASB) capabilities, all of which provide points of presence (POPs) where distributed workforces need them.

Traditionally, however, easy provision of good security has NOT been one of the drivers for this pivot to the network edge. Hence, many companies that have transformed their network architectures haven’t yet modernized their security architectures. They continue to indirectly route traffic to security engines (tromboning, hairpinning, backhauling), defeating the whole latency advantage and racking up in-house equipment costs. Or worse, they’re not adequately inspecting the edge traffic and payload, leaving their users, network endpoints, cloud data and internal network data exposed to increasingly sophisticated cyberattacks.

That’s all changing with the convergence of computer networking and security at the edge, something IT analyst firm Gartner dubbed the secure access service edge (SASE), pronounced  “Sassy.”

The secure access service edge is an emerging solution category combining wide-area network (WAN) functions with security capabilities such as secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS), and zero trust architecture (ZTA) to support a wide range of digital transformational requirements.

SASE merges edge computing’s distributed approach – bringing computation and data storage closer to the location where it is needed – along with the advanced security near or at these points of access.

Cloud Security-as-a-Service for Your Edge Computing

However, SASE isn’t a security scenario that data center-based hardware appliances are going to feasibly address. When modernizing your network, your traditional security equipment can get bypassed in your traffic’s shift to a software-defined perimeter. Alternatively, equipment deployments and reconfigurations (in your data center and remote sites) may struggle to keep up with today’s pace of secure connectivity requirements.

Your distributed workforce is accessing cloud providers for things like SaaS applications, while your branch offices and mobile workers take advantage of direct Internet access. Meanwhile, the resultant data is no longer being centrally stored on, or accessed from, the premises. More users, devices, applications, services and data are located outside of an enterprise than inside, according to Gartner. With organizations still responsible for data privacy and security of individual employees and customers, that’s a lot of scattered data to protect.

The edge requires agile management, and this is where security software and software-defined perimeters step in.

From a cybersecurity perspective, protection can now come closer to where access is needed. A software-centric SASE approach can deliver zero trust security best practices over Web gateways, cloud access points, tunnels, and the devices themselves, while eliminating inefficient hairpinning of traffic inspection to your data center or nearest branch-office hardware.

The OPAQ SASE Cloud provides more ubiquitous and local points of presence, with the zero trust architecture capabilities you need to ensure secure access, control and segmentation.

The OPAQ Zero Trust Secure Access Service Edge (SASE)

Whether it’s a branch office, remote workstation, router, or VM, all of these endpoint identities need network access. Before they connect into your private network and data, they must be identified, authenticated, and properly segmented.

OPAQ delivers a Zero Trust Secure Access Service Edge that bases decisions on the identity of the entity at the source of the connection (user, device, branch office, edge computing location, time of day, risk assessment of the user device, and the sensitivity of the data or app being accessed).

Primary components of this Zero Trust SASE architecture include:

  • User Authentication: IP spoofing, phishing, social engineering, identify theft, and bot break-ins demand a zero trust view of access. Is the device, person, or service attempting to enter into the network authentic? If access is allowed, what might happen next from a security impact perspective? OPAQ checks for a number of factors including user credentials, MFA, access privileges, device certificates, and more.
  • Access Control: Access has moved out to the edge, largely outside of the reach of a perceived private enterprise network. The OPAQ Cloud keeps inspections away from your private data containers, and secures traffic and performance at the edge closer to where access and QoE is sought. Tunneling to the nearest POP, OPAQ SASE provides end-to-end encryption of each session, including over public Wi-Fi networks (cafes, airports, malls, etc.).
  • Segmentation: Ransomware and other malware seek to spread and capture data and control as they go about their damaging business. Endpoint connections are underdefended by basic on-device antivirus updates, opening the door for the latest sophisticated attacks. OPAQ continuously extends layered next-generation security across the dissolving network perimeter, reinforcing workstations, VMs and other endpoints, and then making sure that distributed endpoints don’t expose vulnerable in-roads into your core network and data.
  • Device State: What are your wandering workstations connecting to? Are these devices adequately protected with antivirus, anti-malware, intrusion detection, and more? How are the devices behaving, and are they putting your network and data at risk? OPAQ device state analysis and control secures multidirectional access for your wandering workforce and stationary endpoints and what they can safely connect to.

Transformational edge computing requires a rotating shield of SASE protection.

Learn more.

Zero Trust Resurges in Ethereal World of Borderless Networks and Other Haunts

In a revival that would satisfy both retro stylists and fictional FBI agent Fox Mulder, the approach to security known as Zero Trust is back and as strong as ever.

Why has Zero Trust – a model that ‘trusts no one’ and seeks to verify everything – returned to the forefront of security?

In a 2019 study, Gartner found that “More users, devices, applications, services and data are located outside of an enterprise than inside.” Doing business digitally is no longer solely about the trusted private network. It is about expanding the business horizons into unchartered network waters, into often shadowy connection points, where you might not know who or what is lurking on the other end and what he, she or it is carrying and trying to inject into your computer code and company network…

In a world of spamming, scamming, spoofing, phishing, catfishing, and ransomware, where individuals never can really be certain of the identity of the party on the other side of the connection, legitimate enterprises need all the help they can get when it comes to establishing trust and security.

The Zero Trust model is back.

Trust no one, Scully.

Zero Trust Networks and Architectures

Created in 2010 by then-Forrester analyst John Kindervag, Zero Trust was never wholly forgotten, but its forceful reemergence and renewed emphasis make sense in today’s interconnected reality where exposure to untrusted networks and apps and cybercriminals is unavoidable, and where ID spoofing, identity theft, and business-reputation damage are common occurrences. Attack methods have gotten more sophisticated… as has malware… and just one naïve or ill-advised click can infect a computer and surreptitiously attempt to spread. Detection can take months, allowing contagions to get rooted and then deliver a fatal blow to an organization, including through Zero Day exploits.

All access from within the network, from your cloud workload environments, and from remote users connected via VPN to your network, must be contained using a ‘least privilege approach.’ Access must be denied where not approved. Said another way, every user is verified, their devices validated, and their actions limited to just those that have been granted.

Ransomware still targets specific computers but has matured to now easily challenge network control. Ransomware operators such as SamSam are focused and lethal. They update their malware frequently in an effort to avoid antivirus and other endpoint defenses. In one tale of horror, the WannaCry ransomware attack was able to knock out 200,000 computers across 150 countries, including some hospitals, over the course of four days in 2017.

Once the malware gets a foothold it immediately attempts to spread laterally and infect multiple computers on a network. Some of the tools in use include Mimikatz and Bloodhound. Mimikatz is a tool for post-exploitation that dumps passwords from memory, PINs, and network authentication protocol lists. Bloodhound is a tool that can map out an entire domain and highlight where the next target might be. This makes lateral movement within a network easier for hackers and their malware.

Zero Trust powered by OPAQ allows organizations to quickly and easily set up a robust zero-trust architecture.

OPAQ Zero Trust Secure Access and Segmentation

Secure Internet Access

OPAQ Zero Trust cybersecurity protects your organization with multi-layered advanced security out to cloud and Internet access points while safely segmenting endpoint access and traffic patterns across lateral and core-data lines of movement. In addition to wrong clicks, identity spoofing, and distributed brute force attacks, devices can be lost or stolen and hackers can gain network access through computers left unattended. You want to make sure you stop the spread through layered security in the form of multi-factor authentication (MFA), access control and segmentation.

Using the OPAQ security-as-a-service, network security policy follows users wherever they go, protecting them as they perform their jobs, whether on the private network, or through a separate secure tunnel while using the public Internet or apps in the cloud. Zero Trust model rules can be based on any combination of host, host group, Active Directory user/group, port, protocol, service, range, and blacklist policy, while allowing for MFA when connecting to specific systems.

True Least Privilege Segmentation

Building effective network segments used to be hard work, and doing it with physical switches is expensive and time consuming. The consequence is that even relatively well segmented networks are not truly restricted to a least privilege level, i.e., strong access and control rules. OPAQ enables segments to be configured on the fly, and can provide network segments based on user groups rather than IP addresses or physical switch configuration. This capability affords granular, least privilege segments that enable employees to access the systems they need to do their jobs, and nothing more.

East-west traffic (lateral LAN traffic) is protected via security policies that provide software-defined network segmentation, while also providing hardware and software asset inventory, and instant quarantine capabilities. Users on the network can be granted or denied access to resources depending on their role, device state, and/or MFA.

Much of the work your organization is doing is no longer on the private network. Protect against infection, unauthorized access, and lateral spread by orchestrating security in a way in which trust is earned, not given, and by treating every connection with zero trust.

Learn more.

Zero Trust Architecture web page.

 

Easy, Advanced Security Orchestration for Business Growth and Workforce Distribution

Digitally transforming organizations have to support increasingly distributed business workforces. This saddles IT teams with a balancing act of providing Internet access, enterprise-network connectivity, and assuring that the resulting network traffic doesn’t contaminate private channels and expose sensitive data. New offices are opening, the deployment clock is ticking, and IT personnel has to mobilize to install firewall appliances at every added site in order to centralize smart enterprise network and security management. Or do they?

Security-as-a-service (SECaasS) represents a cost-effective best practice and ‘firewall alternative’ for enterprises of all sizes as they attempt to manage the Internet and multicloud access of remote workers and various offices across the country or globe.

The Need for Advanced Security Orchestration

When the digital business is growing faster than the IT staff’s capacity, it gets challenging to protect headquarters and multiple offices – a dozen branch offices by some averages. The security management responsibilities get even unwieldier when you add the growing number of remote users who might be squatting over an Internet access point that is untrusted. If network IT teams don’t keep up with the latest preventions, digital transformation (and its growing pains) can expose the business. Internally managed firewall appliances can get bypassed during new traffic flows over the Internet or in the cloud, resulting in network dark spots and newly introduced avenues for exposure.

If they could see granularly at the endpoint, some CIOs and IT managers might find their networks rapidly drifting into unfamiliar waters. Protecting distributed branch offices and remote users with legacy and static tools is no longer sufficient given the growing variety of Internet access points, IP addresses, application types, and threats in play. Meanwhile, limited resources, including a lack of personnel and advanced cybersecurity skills, leave IT management spread thin toward ensuring connectivity, performance, visibility and up-to-date security across network endpoint equipment and the graying private network perimeter.

IT managers, who have a lot of different business and security systems to manage, want to make network security systems easier for themselves, their technical staffs and business customers to use. Rather than IT and business workforces serving the IT system, the IT system ideally should work for them, reducing monotonous manual tasks. Too often, maybe because of a regular cadence of truck hauls or software license renewals, each system itself becomes a chore (a monolith to worship) versus being a strategic and operationally efficient business tool. These on-premise, in-house installation projects limp to keep up with the spontaneous access privilege and security requirements that crop up across a grid you can’t control. As a result, small IT staffs struggle to equip, welcome and protect a growing workforce, while meeting network service rollout and data privacy timeframes.

Security-as-a-Service (SECaaS)

How do you get branch offices and remote employees up and running and contributing without months of delay? Do you have to rely on multiple security equipment vendors? The answer is to streamline security orchestration via a security-as-a-service (SECaaS) cloud platform.

The OPAQ cloud is purpose-built to simplify and tighten control by applying a consistent security policy across an organization’s branch offices, and mobile and remote users. Organizations achieve centralized visibility over their network through a secure cloud controller, which delivers monitoring and reporting capabilities.

It’s manually exhaustive and expensive to manage multiple firewalls and intrusion prevention systems, across multiple locations, and to make sure all your network security policies are configured properly. OPAQ provides an infusion of intelligence into the enterprise IT network infrastructure, allowing you to secure multiple branch office locations within assigned timelines, while also providing greater visibility and control over the widening, distributed network.

OPAQ security-as-a-service (SECaaS)  empowers organizations to:

  • Centralize and accelerate branch office security, with easy-to-deploy advanced network endpoint protection and segmentation all in one.
  • Facilitate remote office security policy distribution to support business growth and agility. Activate branch offices in one day from the OPAQ cloud and security-as-a-service.
  • Eliminate gaps or darks spots in protection coverage through secure Web gateways, secure cloud access points, and advanced endpoint security and workstation segmentation.
  • Adapt quickly to new business requirements or security threats by adding new infrastructure to the OPAQ security cloud.
  • Eliminate redundant security products. One security-as-a-service (SECaaS) solution staves off traditional security equipment product redundancy. No new hardware is required on premises (none to acquire or manage). The maintenance is all built-in so regular upgrade and software-flaw fire-drills go away.

Reduce network security costs, simplify advanced security, and reduce CAPEX via advanced security orchestration. Equip your CIO and core IT security staff with a smart system aggregating and dashboarding network security data across segmented network endpoints. Grow your business with confidence through the OPAQ cloud.

Learn more about OPAQ advanced security orchestration and security-as-a-service (SECaaS).

Watch the Sandy Alexander video case study:

Discover OPAQ for rapid branch enablement.

 

How Sassy (SASE) Is Your Network?

Four Steps Toward Securing Your Digital Transformation

The term SASE, pronounced ‘sassy,’ is kind of cute, isn’t it? But secure access service edge (SASE) is a serious focus for organizations seeking to protect their data in the cloud, across the Internet, and within private networks.

In its Research Note, “The Future of Network Security Is in the Cloud,” global IT research and advisory firm Gartner defined SASE as “a converged cloud-delivered secure access service edge.”

Why is this security edge so important in defending data?

Best practice security is multi-layered, and establishes security intricacies along the way, seamless and nonintrusive to the digital user experience, but which effectively make it difficult for malicious parties including bots to breach the network.

Whether you believe in the cute SASE term or not, the edge (aka your network endpoint connections) is integral in perimeter security and for protecting against threats, the spread of malware, loss of control, and massive contamination and business damage. The edge is almost always the initial point of digital infection; a vector for infiltration.

In what Gartner characterized as its early stages of adoption, SASE is being driven by digital transformation, the adoption of cloud-based services, software-as-a-service (SaaS), and mobile and distributed workforces. We have to connect to do our jobs, but along the way, we might ingest malware, which can lay dormant, waiting to spread. Spoofing the identity, looking for that next jump… We all know those unfortunate individuals on Facebook, whose identities have been used to spread contagious links.

Understanding the risk that comes with digital business growth, you definitely want to filter all this traffic coming into your network, so you might run it back through your on-premises security appliances and over network resources. This eats up a lot of network bandwidth and costs more than use of the public internet, IaaS, and the cloud.

SASE enables organizations to overcome this difficult security-versus-Internet-access tradeoff; this business transformation hurdle.

SASE Business Drivers

Why get SASE in your security approach?

When the data center is the center of your network universe, it can inhibit transformational business architectures. A social, non-engineering side of your “network” wants to grow: A workforce cost-effectively using the Internet to amplify business potential, and partners and customers plugging into your network, making transactions. But amid all these new connection points, is it really your network anymore? It’s understandable to have sudden network blind spots as connections outside your visibility test you for access versus maintaining digital security.

Gartner reports, “More users, devices, applications, services and data are located outside of an enterprise than inside.”

How do you encrypt and inspect all this traffic and filter all those packets and links before you allow them into the business’s bloodstream?

Rather than hairpin traffic back through your datacenter, smart and more cost-efficient network service can be achieved through software-defined networking (SDN) and SD-WAN deployments that are secured through the infusion of security-as-a-service from the cloud.

Why Evaluate OPAQ SASE?

Digital business transformation requires anywhere, all-the-time access to business IT services, many now located in the cloud.

OPAQ enables organizations to:

  1. Shift inspections out to the session layer vs. routing the sessions to software engines that have to centrally inspect and then reroute communications. Network traffic and sensitive data storage is shifting to cloud platforms vs. enterprise data centers. Why haul it all in for costly inspection when the OPAQ SASE cloud provides a safe, cost-effective barrier?
  2. Get over the business transformational hurdle of risk aversion. Use SD-WAN and MPLS backhaul offload projects as catalysts to modernize and optimize security through enterprising software-defined perimeters. Cloud-based SASE offerings heavily reduce the need to update security at the physical or software level. Network and IT staff won’t have to spend all their time setting up equipment and performing maintenance and instead can focus on business transformation, business tools, privacy requirements, as well as advanced, next-generation security schemas.
  3. Reduce network security complexity by moving to one or two third-party providers for the key components of SASE: i.e., secure web gateways, DNS, zero trust network access (ZTNA), and workstation segmentation. This favorable software portfolio reduction can reduce agent bloat and performance issues at the end-user level. OPAQ also provides the requisite peering partnerships critical for points of presence, reducing latency for performance-sensitive apps such as video, web conferencing and VoIP.
  4. Easily bolster network segmentation to avoid kill-shots as you connect with new data sources as part of digital business transformation. OPAQ protects your organization with separate secure tunnels for: A) private enterprise data access (through MFA and monitoring for sensitive data and malware) and B) always-on protection for remote employees surfing the web for business connections and while on public WiFi.

OPAQ delivers the core SASE components to protect your digital business transformation investment:

  • Secure Web Gateways
  • Firewall-as-a-service (FWaaS)
  • Leading advanced endpoint protection and segmentation
  • ZTNA (Zero Trust network architecture)
  • CASB capabilities

Enterprise data centers, which traditionally scrubbed the network from contagion, aren’t suddenly vanishing; they just aren’t the center of the universe anymore when it comes to granting secure access. To protect endpoint connections, SASE clouds can drift more flexibly and cost-effectively to secure the fluctuating perimeter

Get secure where the user requires access with OPAQ.

Download the Secure Network Modernization white paper

Download the Securing Remote Workers solution brief

Can In-House Cybersecurity Expertise Grow Under Cloud Coverage?

The overwhelming consensus: There’s a cybersecurity skills shortage. Some surveys have identified the cybersecurity skills gap in slightly more than half of surveyed companies, while other studies calculated the deficit higher and more dire, with those lacking cybersecurity expertise registering in the high-sixties or seventies percentile. Why is this important? In a survey, ESG found […]

Ransomware, and Why Organizations of All Sizes Should Evaluate Network Segmentation

You’ve probably read or discussed the news articles and public disclosures.

A major bank gets hacked, the personal data of a 100 million customers falls into the wrong hands, and it costs the bank hundreds of millions of dollars to fix.

A major U.S. municipality is held ransom for database control, forcing it to rely on old-school data-keeping methods as it courageously defies the extortive criminal demands.

How can these kinds of attacks succeed in today’s cyber-vigilant day and age?

The aforementioned are just the high-profile cases. Below the radar of the headlines, smaller companies encounter spoofing ploys, ransomware and evolving malware, and every day too many of them get compromised or deceived into sending funds to a cybercriminal.

There will always be human errors and cyber-villains seeking to capitalize, so, what is it that we can actually change? The answer lies in an evolving security architecture and how we define next-generation network segmentation.

Traditional Security Architectures Pose Risks

Nearly every harmful corporate cyber-assault is a lesson in unsound traffic patterns, of network blind-spots, of organizations not sufficiently insulating enterprise jewels, not properly segmenting network traffic and not adequately shoring up endpoint protection and access control against powerful automated takeover attacks.

It’s nobody’s fault really. The private network has changed, gotten more complex, become a WAN without boundaries. You have users connecting into the private network while they’re plugged into data transaction points outside your network security team’s control on the Internet and in the cloud, some of these access points potentially vulnerable. Do you want to allow traffic and files from Internet and multiple cloud access points to merge with important private network traffic and databases via common pathways? From a smart central security perspective, the twain should never meet.

What’s more, cybersecurity skills, especially in cloud network security, are in short demand, and network and IT departments have to wear many other hats in their jobs. It gets challenging to structure network patterns to keep roaming users connected and satisfied while also prohibiting sneaky lateral movement of suspicious or known threats. A zero trust network approach must not result in an unintended plethora of zero-access lines. Connection hurdles can hurt your business: employees still need to get data and communicate.

Network Segmentation, Microsegmentation, and Access Control

Your users are traversing myriad websites and Internet access points, downloading tools, plugging in at public charging stations and then connecting to private enterprise assets. Network segmentation is about restricting direct gateways into the heart of the business so traffic flow patterns don’t inadvertently put the organization at high risk. But network segmentation has been difficult and expensive due to the amount of resources and effort needed to reconfigure distributed physical equipment such as VLANs, routers and switches.

A next generation of network segmentation, microsegmentation (or software-defined segmentation) is the partitioning of workloads from one another, including in the cloud, between multi-cloud access points, and between data centers and databases.

Gartner wrote: “Microsegmentation (also referred to as software-defined segmentation, zero trust network segmentation or logical segmentation) uses policy- and workload-identity-driven firewalling (typically software-based) or network cryptography to isolate workloads, applications and processes in data centers, public cloud IaaS and containers. This includes workloads that span on-premises and multiple public cloud IaaS providers.”

What this translates into from a security perspective is when some of your databases and servers are hosted they creep out of your view and control, so keeping the workloads of these different transaction points separate is mandatory in order to protect your most precious enterprise data and digital assets.

Workstation Microsegmentation

Securing this larger, more distributed attack surface without talking about endpoint agents (i.e., software-defined networking on portable laptops and other human-manned mobile workstations as well as virtual machines) is unrealistic. These devices are all part of your network, whether you’re in the cloud or not, and an initial point of potential compromise.

It’s a hybrid, multi-cloud network for many organizations, not just one big tidy cloud environment. More-granular segmentation is needed in both cloud environments and your endpoint-defined private network.

Microsegmentation tends to merely represent a granular, cloud- and data-center-workload-focused approach to segmentation. But your segmentation should not be restricted to just data centers and clouds when you have to also protect end users connecting to each other, to the cloud, and to on-premises network assets.

OPAQ offers both network segmentation and microsegmentation at the endpoints, that is, on the devices that connect or traverse Internet, cloud and multi-cloud access points. Each protected endpoint, whether stationary or mobile, carries security and segmentation policy, ensuring that these devices don’t act as the conduits for infection with each other or networks, servers or databases.

Microsegmentation doesn’t have to be impossible for small and midsize enterprises or new branch offices, all in the crosshairs of powerful distributed attacks. Neither should the ability to rapidly roll out next-gen network security policy to endpoints, which nowadays is crucial for small and midsize enterprises and large-enterprise branch offices alike. Your endpoints are your weakest links, a ‘way in’ for the sophisticated attack and bad actor. Segmenting cloud and database workloads is smart, but a lateral spread can still afflict your workforce and cost you if you don’t bolster your endpoints with advanced security policy including network segmentation by host and user groups.

Don’t underestimate the threat of malicious lateral movement through your security architecture.

Find out more.

Endpoint Control

Request a demonstration.

 

SECaaS: How Cybersecurity-as-a-Service Can Enhance Coverage; Shrinks Costs

In our digital world, we tend to talk about the cloud, automation and virtualization as if every business professional and organization is consciously adopting virtual assets and deeply indoctrinated and invested in these technologies. Let’s face it… the cloud and virtual machines (cloud-hosted computers, databases and servers) are predominantly a large-enterprise, high-tech or platform-provider perspective bias, and those of us with a technologist bent tend to assume that every real-world company is digitally transformed in this regard.

However, it’s not so simple when you look beyond basic business network computing, Internet access and mainstream cloud app usage (AWS and Office 365).

Today’s reality is most network IT teams are still forced to patch and reconfigure hardware and software on an as-available human-resource basis versus leveraging automation as a way to try to stay ahead of evolving threats. For most companies, physical equipment is still predominant. It’s often still on premises, whether that’s a regional office or small branch office.

Most companies are still managing firewall hardware; some even have no firewall at all. They still treat network and security management as if the perimeter is ‘fixed in place,’ and trust their users will log into the company VPN when outside the fixed LAN security perimeter.

Meanwhile, end-user employees, coated only with antivirus protection, are roaming on their portable devices, connecting on this network host to that IP address. Ahh, digital business transformation… Your people want to expand their connections and help you to grow your business, but this wandering presents big IT security risk. Denial of service attacks, ransomware, phishing, identity spoofing, and increasingly sophisticated malware can breach and then tunnel into your digital network like a worm through an apple.

Digital transformation is an ongoing journey, a continuum, not a lasting status that an organization one day crowns itself with and then uses to rule over the market for many years while everyone else uses less-advanced tools. Because of this fluctuating landscape, small and midsize organizations can take giant leaps via digital-economy equalizers in the cloud that enable them to catch up or achieve strategic edge.

One of these digitally transformational accelerators is network- and security-as-a-service. There’s an IT skills shortage; network and cybersecurity expertise (the two often go hand in hand) are in short supply.

With an estimated 74% of organizations affected by a cybersecurity skills shortage, it’s ‘Advantage Hackers.’ One recent study reported 94 percent of IT security professionals believe the advantage has tilted to cyber-adversaries over cyber-defenders. (ISSA and ESG.)

This can lead to struggles in defending against the latest, most sophisticated cyber-attack or cybercriminal methods as well as the inability to patch software and hardware vulnerabilities rapidly. It can also leave your enterprise employees, workstations, networks and servers reliant solely on one or two static barriers, instead of a sounder, multilayered security architecture.

Exacerbating this cybersecurity skills shortage is network complexity, product overlap, and product fatigue. As the workforce becomes more distributed, network endpoints are moving and changing, making them difficult to inventory and manage. Meanwhile, backhauling all branch office and remote worker traffic through the core network is many times more expensive than providing these individuals with direct Internet access, and can introduce QoE latency. From both a business access and security perspective, small network and IT teams just can’t keep up across the many products, pieces of computing equipment and user access needs they have to manage across distributed sites.

Help for the network IT staff can come from automation and the cloud.

Security as a Service (SECaaS) for the Changing Network Architecture

What is security as a service (SECaaS) and why is it so important in a network without boundaries world?

At a high level, SECaaS is a rapid deployment that immediately solidifies both your network perimeter and lateral traffic security. It accomplishes this by providing key advantages over traditional IT security deployments.

  • Speed. With advanced cybersecurity skills in low supply, do you wait for the on-device reconfiguration to be performed, or do you deliver advanced security agents that don’t require routine in-house patch releases? SECaaS is distributed network security protection in minutes versus weeks or months.
  • Cost. The cloud empowers organizations, large and small, to more easily and rapidly facilitate less-expensive remote-office activation and branch-to-Internet connections. In this cost-efficient environment, SECaaS enables organizations to receive advanced security capabilities previously accessible only to deep-pocket large enterprises, and to do so without myriad tool acquisition and maintenance costs.
  • Network Performance. You don’t have to compromise on security or performance as you migrate some of your traffic off the private network and into the cloud. Conduct your traffic with greater precision and quality of service, taking advantage of less-expensive yet high-performant network transports while orchestrating and automating advanced network security across distributed domains.
  • Advanced Protection Against Targeted End Users. Firewalls do a good job of protecting the perimeter against north-south invasion, but when something inevitably does slip through the cracks (perhaps by compromising a device outside the firewall or VPN), it can spread laterally like wildfire. Secure your flexing and fluxing network, with always-on protection at the endpoints, which also defends against lateral movement leading to widespread infection, hijacks or outages.
  • Central Management. Hackers prey upon inconsistent security policy enforcement across distributed network infrastructures. SECaaS enables central enforcement of policy, which is automatically applied throughout the entire distributed network, strengthening protection and closing loopholes.
  • Simplicity. Whether you’re a managed security service provider or public or private network operator, OPAQ brings automation, easy orchestration and simplicity to your complex distributed network or networks. This IT service agility also makes it easier to meet regional and vertical compliance regulations.

Security-as-a-service can lead to easier, more holistic network security coverage for digitally transforming managed service providers and enterprises alike.

Visit our security-as-a-service (SECaaS) page.