Four Multicloud Access Security Considerations for Your Ongoing Digital Transformation

Data is virtually everywhere, and computing devices, whether stationary or on the move, are constantly reaching out to external circuits, servers, websites and portals. From an enterprise standpoint, network IT teams must support employees’ business access needs while protecting the employees, their devices and the network from cyberattack. Anyone using a computing device subscribes to sources of interest, consumes outside network or app services, and accesses and shares sensitive data, some of which is stored in or served from the cloud. For network IT staff, this expansion of the network must be managed: IT departments must keep the growing bandwidth use from driving up costs, and make sure the software running on the network is safe.

These multicloud/hybrid connections are occurring at your network’s edge, posing both opportunity and risk.

Multicloud Access: Opportunity or Risk?

Multicloud access is increasingly attractive because signals no longer have to be beamed back into the data center for network handshake authorization. Application workloads can be run in a multicloud environment that doesn’t require the organization to move data — rather, users can access the data locally over secure, low-latency connectivity. This can minimize the risks of data loss and theft, while the local access and storage via clouds can satisfy the majority of geopolitical data privacy laws.

The risk in this bold strategic transformation is that your attack surface gets bigger. Using a cloud platform provider doesn’t mean you’re no longer vulnerable to breaches, or no longer responsible for network and data security and privacy. Cloud-server-to-cloud-server protection isn’t complete network cybersecurity. It isn’t foolproof or impregnable coverage for your organization’s wandering endpoints, where a lot of data is kept on devices and can be vulnerable.

Workstations and mobile computing devices are largely under-protected and represent a wandering flock, sometimes passing through windows of exposure as they connect far and wide. Laptops, desktops and other portables are covered by mainstream antivirus programs and status scans, but hackers and malware are nevertheless getting in at the endpoint and attempting to spread, and they are getting better at luring humans into their web. From a cybersecurity perspective, these growing connections at the private network edge, whether trusted or not, must continuously be added to firewall and VPN policies and logs. These appliances are increasingly costly to manage and refresh, and are often bypassed during “in the cloud” traffic migrations.

So, James from the sales department just opened an email from the CFO detailing a new company reorganization. (Little does James realize that the message is not from the CFO but from an ersatz CFO, aka a clever hacker.) Curiosity kicks in and James, feeling secure after confirming the sender’s email address, opens the attachment on his laptop.

Boom! The attachment is the payload of the spoofing/phishing attack, and malware compromises the data James has collected and his network endpoint, exfiltrating sensitive data without him or the IT department even knowing about it. Sometimes a breach at one or two network endpoints is enough to launch massive infiltration attacks such as zero-day exploits and ransomware.

Cities and organizations of all sizes have been hacked and ransomed. As you move to cloud environments, you still need to protect your branch offices and portable workstations, so you continue trying to inspect all traffic internally before sharing it with recipients. Direct access connections to the cloud can be slowed and made unnecessarily cost-prohibitive by having to backhaul traffic to your static network and security enforcement equipment. Business user expectations and overall quality of experience suffer during this traffic hair-pinning, and there are remote out-of-the-cloud access fees for your company to pay. Can’t we just trust the Internet traffic and payloads traversing private network endpoints, whether through the cloud or over any foundational network infrastructure such as Wi-Fi or VPN?

Some say, “Yeah, but my organization is ‘All in the Cloud,’ I don’t have to worry about workstation or internal data center security anymore…” Not so fast. It is crucial at this transitional point to remember the human element, the various points of endpoint access and how you protect these individuals, your workforce and the private network and business ecosystem.

Multicloud Access Security Demands a Secure Access Service Edge

An OPAQ white paper explains how organizations and managed security service providers can:

1) Secure Internet access and gateways, and separate these from cloud and private data repositories, as part of a holistic hybrid and multicloud access security strategy.
2) Rapidly implement consistent, centralized network security policy across the private network, and to and from cloud and Internet access points. (Network security from the cloud enables organizations to quickly deploy router, firewall and VPN functionality where needed across hybrid, distributed environments.)
3) Bolster vulnerable endpoints, particularly endpoint devices in motion, which often expose themselves to untrusted hosted networks. Embrace identity as the new perimeter via strong identity and access management and always-on workstation protection.
4) Extend your security perimeter out to the WAN without boundaries, and orchestrate security and network segmentation rapidly through high-performance zero-trust network- and security-as-a-service.

Whether your IT organization is cloud-friendly or not, consumption of services from the cloud is happening, and private network administrators are being tested to provide access while ensuring security on these existing and emerging web connection points.

OPAQ provides the encryption, authentication, segmentation, and always-on end-user protection growing companies need out at the edges of the network.

Learn more about OPAQ networking and security from the cloud.

Read the multicloud access security white paper.


IoT Systems are Complex, and so is Securing Them

Brian Russell is Chief Engineer, Cyber Security Solutions at Leidos. In this role, he defines and implements cyber security controls for Internet of Things (IoT) and cloud products and systems. Russell is the co-author of “Practical Internet of Things Security” and is Chair of the Cloud Security Alliance (CSA) IoT Working Group.

OPAQ: How do security risks for IoT devices and applications differ from mobile security or web app security?

BR: Some of the risks related to IoT devices are similar to risks we’re already familiar with, such as those identified by the Open Web Application Security Project (OWASP): security misconfigurations, sensitive data exposure, using components with known vulnerabilities, and privacy risks. Where we run into differences compared to mobile and web app security relates to the physical nature of IoT devices, acquisition and deployment models for IoT devices, enablement of automation across IoT devices and privacy associated with IoT devices.

For example, we might see IoT products deployed across a city such as smart parking meters or road-side units (RSUs). These devices need comprehensive physical protections built into them to prevent theft and extraction of firmware for further security analysis. It’s also important that access controls for these devices are explored thoroughly. We’ve already seen plenty of scenarios where product makers have used shared credentials across a family of devices. These configurations make it unnecessarily easy on malicious actors.

The IoT is similar also in some instances to the concept of BYOD in that employees or customers may bring connected products, such as smart watches, into the organization. Or, employees might install smart TVs on corporate networks, and those devices could send data out to the manufacturer. Security teams need to be on the lookout for these connected devices and make sure that they don’t open avenues to export company data to the outside.

As relates to new acquisition models, a company may decide to lease an expensive connected asset instead of purchasing it. Often, the asset is remotely managed by the vendor. This opens new interfaces to the organization’s networks that must be locked down.

OPAQ: What are the top enterprise risks from IoT?

BR: First, it’s useful to understand the core ways that enterprises are using IoT data. We are seeing that manifest in two ways: the IoT device feeds data into analytics systems that companies rely upon for decision making purposes and secondly, the IoT systems could enable automated decision making within control systems, such as sensors that collect system status data to decide whether to continue or stop a running process.

From an analytics perspective, we must protect against data tampering. If we do not have confidence in the provenance of the data then decisions made based on that data must come into question. So, we must apply lifecycle security protections to the data to enforce data integrity. This can be accomplished through cryptographic hashing algorithms for example. Organizations that collect sensitive data from individuals must not only protect it such as with encryption, but they must recognize that they are collecting sensitive data in the first place. If, for example, you’re collecting blood pressure data from your patients, that piece of data alone isn’t necessarily sensitive. But, when combined with identifying information, the aggregate data is subject to regulatory compliance rules.

If a malicious actor gains access to an IoT-enabled industrial control system, then they can cause unexpected physical actions to occur, which put the safety of the enterprise’s stakeholders at risk. For example, by increasing the pressure in an oil pipeline, attackers could cause an explosion. That’s why I usually like to recommend performing at least a rudimentary safety analysis for any IoT system being implemented.
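One way to give IoT telemetry the integrity and provenance protection the answer above calls for, as an added example written for this page (it is not code from Leidos, OPAQ or the interview): each device holds its own key rather than a credential shared across the product family, tags every reading with an HMAC, and the analytics side rejects records whose tag fails to verify or whose sequence number repeats. Device ids, keys and readings are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample keys: one secret per device, never shared across a product
# family. In practice these are provisioned at manufacture and kept in a secure
# element; the values below are hypothetical.
DEVICE_KEYS = {
    "meter-0001": b"constructed-key-for-meter-0001",
    "meter-0002": b"constructed-key-for-meter-0002",
}

def canonical(record: dict) -> bytes:
    """Serialize deterministically so device and analytics side hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign_record(device_id: str, seq: int, payload: dict) -> dict:
    """Device side: tag a reading with HMAC-SHA256 over device id, sequence number and payload."""
    record = {"device_id": device_id, "seq": seq, "payload": payload}
    tag = hmac.new(DEVICE_KEYS[device_id], canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}

class IntegrityVerifier:
    """Analytics side: accept a record only if its tag verifies and its sequence number is fresh."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}  # device_id -> highest sequence number accepted so far

    def verify(self, record: dict) -> str:
        key = self.keys.get(record.get("device_id"))
        if key is None:
            return "unknown_device"  # no provenance: nothing to verify against
        body = {k: v for k, v in record.items() if k != "tag"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so tag bytes do not leak through timing.
        if not hmac.compare_digest(expected, str(record.get("tag", ""))):
            return "tampered"
        if record["seq"] <= self.last_seq.get(record["device_id"], -1):
            return "replayed"  # valid tag but a stale reading resubmitted
        self.last_seq[record["device_id"]] = record["seq"]
        return "ok"

def demo() -> list:
    """Walk through an honest reading, a reading altered in transit, and a replay."""
    verifier = IntegrityVerifier(DEVICE_KEYS)
    good = sign_record("meter-0001", 1, {"pressure_psi": 812.5})
    altered = dict(good, payload={"pressure_psi": 1400.0})  # tag no longer matches
    return [verifier.verify(good), verifier.verify(altered), verifier.verify(good)]
```

The same check applied at every hop (gateway, broker, analytics store) is what turns a single hash into the lifecycle protection the answer describes.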

OPAQ: Is security a barrier right now for the adoption of/broader potential of IoT?

BR: What is a bit concerning is that I don’t necessarily know that security is a barrier right now for the adoption of IoT solutions. IoT-based innovation continues at a rapid pace, even in safety-critical industries. Connected and autonomous cars are already on the road, medical devices are being connected, control systems are being connected, and the home/consumer IoT market continues to expand. It seems that many of us are willing to take a chance on new technologies enabled by the IoT and then update those devices when we find that a security flaw has been discovered.

OPAQ: What kind of advice would you give IT departments regarding implementing IoT security plans – whether that’s from employees bringing in personal IoT devices and apps – or from the company having business IoT technology in place?

BR: First, sit down and think about what policies you might need to institute, such as what devices people can bring into a space and what they can connect to the network. Also, keep track of IoT-related vulnerabilities and make sure to tune your detection processes based on what might be in use in your organization. For organizations putting business IoT technology in place, make sure that you aren’t infringing on anyone’s privacy with these systems (e.g., conduct a Privacy Impact Assessment) and make sure that you aren’t jeopardizing the safety of users, either. Perform a threat model to identify the high value assets and the data flows within your system and lock them down appropriately. Apply integrity controls to your data at all points within your systems. Keep track of all of the IoT assets in your enterprise, which includes tracking the physical locations of your assets and the versions of firmware/software running on these assets. And, of course, put a plan in place to keep all of your IoT assets updated.