Posts

Securing SOHOs, Remote Workers and Your Private Data Network

Mobile and small office/home office (SOHO) workers require connectivity to the same resources your campus-based, firewall-protected employees regularly access from the data center, private network, and now increasingly from the cloud. This poses problem and risk: Network IT departments have low visibility into the configurations, security defenses, and points of access for these employees and devices accessing data remotely.

SOHOs and mobile employee workstations consist of affordable, consumer-oriented network equipment (often BYOD) and security software, all of which is not as sophisticated, protectable and secure as the computing tools in corporate offices. Many IT departments, smaller offices, and remote workers are dependent on public Wi-Fi, inexpensive home-based routers, iffy VPN use, and basic-AV-protected computers to protect their confidential internal and customer data at the edge.

The equipment used in the outlying areas of your network represent the weak link for hackers, the low-hanging fruit, increasing the overall security risk for the organization and its B2B/B2C partners. Common risks include spying, infection of connected devices, and the ransoming of the wider network ecosystem. Compromised endpoint network equipment such as computers and routers can set the stage for sophisticated botnet attacks and the spread to other systems, networks and servers, including those of partners.

Are you going to regularly mobilize truckloads out to every possible remote router site to try to secure these new connections? More sophisticated security equipment requires technical expertise, something most home office workers and many branch offices lack. Constant truck-hauls to every distributed site add up from an overall cost standpoint. Bolting on security through software patches can be a struggle, especially when managing updates and renewals across several security vendors and your busy workforce.

In response to these security and cost challenges, best practices for protecting remote equipment endpoints include:

  • Frequent, automatic software updates that don’t harass business-focused, non-technical home officer workers. Leverage security-as-a-service (SECaaS) to rapidly orchestrate and automate advanced security and smart cyber risk management.
  • Virtual firewall as a service (FWaaS) that blocks unwanted traffic from your defined and controllable network endpoints, including wandering user devices.
  • A VPN, or similar secure tunnel, that segments ISP traffic from private network traffic. This VPN capability should be “always on,” noninvasively coating the attack surface and protecting company used-devices from breach and deeper infection.
  • Multifactor authentication (MFA), which helps to ensure the person or system trying to access a device, network or system is the same person or device authorized for access. MFA includes passwords, security tokens, and, in some cases, biometric identification.
  • Cloaking of a device’s and network’s unique identifiers or presence, making it difficult for other people and devices in range to detect.
  • Encryption and private circuit use to mitigate outsiders from viewing, stealing or ransoming sensitive data.
  • Device hardening, so the endpoint can block legacy or unnecessary ports and services that act as doors for easy infiltration.
  • DNS filtering. These are the oft-color-coded listings and commands, which involve preconfiguring devices with software agents to prevent infection from dangerous sites and other network entities.
  • Avoidance of direct peer-to-peer computing or peer-to-private-server communication approaches. Remote Desktop Protocol and similar P2P network services are an easy gameboard for hackers. RDP sessions store credentials which can be stolen and wielded in “pass the hash” attacks. If you use P2P apps, it’s critical to orchestrate advanced, layered security mechanisms, including identity access control, encryption, and zero trust architecture.
  • Seamless support of the latest Wi-Fi authentication and encryption standards, which can help to protect on-device data and access points.

Securing Your Mobile, Remote Workforce

Every digitally transforming organization has its traveling users, the consummate contributors; the mobile warriors. They are a worrisome potential target for close-encounter cyber-takeovers.

Wandering human endpoints access different networks. They use whatever means available to keep their device batteries charged and to stay connected. Sometimes these individuals work in crowded, cramped seating areas where strangers are in physical proximity or router range.

Common behaviors that put remote worker security at risk include:

  • Connecting via unsecure, unencrypted Wi-Fi, or failing to authenticate through the corporate VPN while working from home, in a hotel, or coffee shop. Without the filtering and blocking of a leading firewall or VPN service, the employee can mistakenly land on a phony site or host (e.g., a man-in-the-middle attack), or click on a link from which malware can be delivered, infecting the device and from there seeking to spread.
  • Directly accessing SaaS applications in the cloud beyond the visibility and control of corporate IT security. Employees are at risk of man-in-the-middle attacks in this scenario, and hackers can steal credentials from the endpoint device and use that private data to gain unauthorized entry to cloud servers or back into the enterprise network.
  • Physically plugging into public charging stations, or attaching untrusted devices including other computers, flash drives and USB ports. Conversely, someone else might gain physical access to the network endpoint device and plug in a flash drive or perform some other type of direct tampering.
  • Falling for phishing attacks. Social engineering schemes are getting more effective at fooling curious, emotional human beings into clicking on links that appear to be legitimate but aren’t. These IP spoofing, phishing, and websites appear authentic but have surreptitiously rerouted the user to an ersatz click-on/sign-in with credentials page…

Your mobile warriors need help identifying and avoiding these deceptive man-and woman-in-the-middle attacks.

OPAQ Provides a Secure Access Service Edge Through Security-as-a-Service

Your network’s edge needs easier IT security reinforcement; a cost-effective, circulating burst of easily distributed security-as-a-service software from the cloud.

OPAQ provides strong endpoint protection as a service to ensure secure access at the network edge, empowering what Gartner calls the secure access service edge (SASE). Harness your expanding workforce. To support your remote employees and protect your network and business ecosystem, reinforce protection at the network endpoint and workstation level with help from the cloud.

 

Learn more.

8 Achievable Steps to Remote Security.

Visit our secure access service edge (SASE) page.

 

A Zero Trust Secure Access Service Edge for a Distributed Data World

You might call it ‘living on the edge.’ A growing number of organizations are moving computing out of the data center, out to the edge of the network. The various reasons for this include increasing numbers of mobile devices and remote users requiring access, expanding digital opportunities, cloud adoption, reduction of network latency and backhaul costs, and more. Making this edge computing possible are technologies such as SDN, SD-WAN and cloud access service broker (CASB) capabilities, all of which provide points of presence (POPs) where distributed workforces need them.

Traditionally, however, easy provision of good security has NOT been one of the drivers for this pivot to the network edge. Hence, many companies that have transformed their network architectures haven’t yet modernized their security architectures. They continue to indirectly route traffic to security engines (tromboning, hairpinning, backhauling), defeating the whole latency advantage and racking up in-house equipment costs. Or worse, they’re not adequately inspecting the edge traffic and payload, leaving their users, network endpoints, cloud data and internal network data exposed to increasingly sophisticated cyberattacks.

That’s all changing with the convergence of computer networking and security at the edge, something IT analyst firm Gartner dubbed the secure access service edge (SASE), pronounced  “Sassy.”

The secure access service edge is an emerging solution category combining wide-area network (WAN) functions with security capabilities such as secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS), and zero trust architecture (ZTA) to support a wide range of digital transformational requirements.

SASE merges edge computing’s distributed approach – bringing computation and data storage closer to the location where it is needed – along with the advanced security near or at these points of access.

Cloud Security-as-a-Service for Your Edge Computing

However, SASE isn’t a security scenario that data center-based hardware appliances are going to feasibly address. When modernizing your network, your traditional security equipment can get bypassed in your traffic’s shift to a software-defined perimeter. Alternatively, equipment deployments and reconfigurations (in your data center and remote sites) may struggle to keep up with today’s pace of secure connectivity requirements.

Your distributed workforce is accessing cloud providers for things like SaaS applications, while your branch offices and mobile workers take advantage of direct Internet access. Meanwhile, the resultant data is no longer being centrally stored on, or accessed from, the premises. More users, devices, applications, services and data are located outside of an enterprise than inside, according to Gartner. With organizations still responsible for data privacy and security of individual employees and customers, that’s a lot of scattered data to protect.

The edge requires agile management, and this is where security software and software-defined perimeters step in.

From a cybersecurity perspective, protection can now come closer to where access is needed. A software-centric SASE approach can deliver zero trust security best practices over Web gateways, cloud access points, tunnels, and the devices themselves, while eliminating inefficient hairpinning of traffic inspection to your data center or nearest branch-office hardware.

The OPAQ SASE Cloud provides more ubiquitous and local points of presence, with the zero trust architecture capabilities you need to ensure secure access, control and segmentation.

The OPAQ Zero Trust Secure Access Service Edge (SASE)

Whether it’s a branch office, remote workstation, router, or VM, all of these endpoint identities need network access. Before they connect into your private network and data, they must be identified, authenticated, and properly segmented.

OPAQ delivers a Zero Trust Secure Access Service Edge that bases decisions on the identity of the entity at the source of the connection (user, device, branch office, edge computing location, time of day, risk assessment of the user device, and the sensitivity of the data or app being accessed).

Primary components of this Zero Trust SASE architecture include:

  • User Authentication: IP spoofing, phishing, social engineering, identify theft, and bot break-ins demand a zero trust view of access. Is the device, person, or service attempting to enter into the network authentic? If access is allowed, what might happen next from a security impact perspective? OPAQ checks for a number of factors including user credentials, MFA, access privileges, device certificates, and more.
  • Access Control: Access has moved out to the edge, largely outside of the reach of a perceived private enterprise network. The OPAQ Cloud keeps inspections away from your private data containers, and secures traffic and performance at the edge closer to where access and QoE is sought. Tunneling to the nearest POP, OPAQ SASE provides end-to-end encryption of each session, including over public Wi-Fi networks (cafes, airports, malls, etc.).
  • Segmentation: Ransomware and other malware seek to spread and capture data and control as they go about their damaging business. Endpoint connections are underdefended by basic on-device antivirus updates, opening the door for the latest sophisticated attacks. OPAQ continuously extends layered next-generation security across the dissolving network perimeter, reinforcing workstations, VMs and other endpoints, and then making sure that distributed endpoints don’t expose vulnerable in-roads into your core network and data.
  • Device State: What are your wandering workstations connecting to? Are these devices adequately protected with antivirus, anti-malware, intrusion detection, and more? How are the devices behaving, and are they putting your network and data at risk? OPAQ device state analysis and control secures multidirectional access for your wandering workforce and stationary endpoints and what they can safely connect to.

Transformational edge computing requires a rotating shield of SASE protection.

Learn more.

Easy, Advanced Security Orchestration for Business Growth and Workforce Distribution

Digitally transforming organizations have to support increasingly distributed business workforces. This saddles IT teams with a balancing act of providing Internet access, enterprise-network connectivity, and assuring that the resulting network traffic doesn’t contaminate private channels and expose sensitive data. New offices are opening, the deployment clock is ticking, and IT personnel has to mobilize to install firewall appliances at every added site in order to centralize smart enterprise network and security management. Or do they?

Security-as-a-service (SECaasS) represents a cost-effective best practice and ‘firewall alternative’ for enterprises of all sizes as they attempt to manage the Internet and multicloud access of remote workers and various offices across the country or globe.

The Need for Advanced Security Orchestration

When the digital business is growing faster than the IT staff’s capacity, it gets challenging to protect headquarters and multiple offices – a dozen branch offices by some averages. The security management responsibilities get even unwieldier when you add the growing number of remote users who might be squatting over an Internet access point that is untrusted. If network IT teams don’t keep up with the latest preventions, digital transformation (and its growing pains) can expose the business. Internally managed firewall appliances can get bypassed during new traffic flows over the Internet or in the cloud, resulting in network dark spots and newly introduced avenues for exposure.

If they could see granularly at the endpoint, some CIOs and IT managers might find their networks rapidly drifting into unfamiliar waters. Protecting distributed branch offices and remote users with legacy and static tools is no longer sufficient given the growing variety of Internet access points, IP addresses, application types, and threats in play. Meanwhile, limited resources, including a lack of personnel and advanced cybersecurity skills, leave IT management spread thin toward ensuring connectivity, performance, visibility and up-to-date security across network endpoint equipment and the graying private network perimeter.

IT managers, who have a lot of different business and security systems to manage, want to make network security systems easier for themselves, their technical staffs and business customers to use. Rather than IT and business workforces serving the IT system, the IT system ideally should work for them, reducing monotonous manual tasks. Too often, maybe because of a regular cadence of truck hauls or software license renewals, each system itself becomes a chore (a monolith to worship) versus being a strategic and operationally efficient business tool. These on-premise, in-house installation projects limp to keep up with the spontaneous access privilege and security requirements that crop up across a grid you can’t control. As a result, small IT staffs struggle to equip, welcome and protect a growing workforce, while meeting network service rollout and data privacy timeframes.

Security-as-a-Service (SECaaS)

How do you get branch offices and remote employees up and running and contributing without months of delay? Do you have to rely on multiple security equipment vendors? The answer is to streamline security orchestration via a security-as-a-service (SECaaS) cloud platform.

The OPAQ cloud is purpose-built to simplify and tighten control by applying a consistent security policy across an organization’s branch offices, and mobile and remote users. Organizations achieve centralized visibility over their network through a secure cloud controller, which delivers monitoring and reporting capabilities.

It’s manually exhaustive and expensive to manage multiple firewalls and intrusion prevention systems, across multiple locations, and to make sure all your network security policies are configured properly. OPAQ provides an infusion of intelligence into the enterprise IT network infrastructure, allowing you to secure multiple branch office locations within assigned timelines, while also providing greater visibility and control over the widening, distributed network.

OPAQ security-as-a-service (SECaaS)  empowers organizations to:

  • Centralize and accelerate branch office security, with easy-to-deploy advanced network endpoint protection and segmentation all in one.
  • Facilitate remote office security policy distribution to support business growth and agility. Activate branch offices in one day from the OPAQ cloud and security-as-a-service.
  • Eliminate gaps or darks spots in protection coverage through secure Web gateways, secure cloud access points, and advanced endpoint security and workstation segmentation.
  • Adapt quickly to new business requirements or security threats by adding new infrastructure to the OPAQ security cloud.
  • Eliminate redundant security products. One security-as-a-service (SECaaS) solution staves off traditional security equipment product redundancy. No new hardware is required on premises (none to acquire or manage). The maintenance is all built-in so regular upgrade and software-flaw fire-drills go away.

Reduce network security costs, simplify advanced security, and reduce CAPEX via advanced security orchestration. Equip your CIO and core IT security staff with a smart system aggregating and dashboarding network security data across segmented network endpoints. Grow your business with confidence through the OPAQ cloud.

Learn more about OPAQ advanced security orchestration and security-as-a-service (SECaaS).

Watch the Sandy Alexander video case study:

Discover OPAQ for rapid branch enablement.

 

SECaaS: How Cybersecurity-as-a-Service Can Enhance Coverage; Shrinks Costs

In our digital world, we tend to talk about the cloud, automation and virtualization as if every business professional and organization is consciously adopting virtual assets and deeply indoctrinated and invested in these technologies. Let’s face it… the cloud and virtual machines (cloud-hosted computers, databases and servers) are predominantly a large-enterprise, high-tech or platform-provider perspective bias, and those of us with a technologist bent tend to assume that every real-world company is digitally transformed in this regard.

However, it’s not so simple when you look beyond basic business network computing, Internet access and mainstream cloud app usage (AWS and Office 365).

Today’s reality is most network IT teams are still forced to patch and reconfigure hardware and software on an as-available human-resource basis versus leveraging automation as a way to try to stay ahead of evolving threats. For most companies, physical equipment is still predominant. It’s often still on premises, whether that’s a regional office or small branch office.

Most companies are still managing firewall hardware; some even have no firewall at all. They still treat network and security management as if the perimeter is ‘fixed in place,’ and trust their users will log into the company VPN when outside the fixed LAN security perimeter.

Meanwhile, end-user employees, coated only with antivirus protection, are roaming on their portable devices, connecting on this network host to that IP address. Ahh, digital business transformation… Your people want to expand their connections and help you to grow your business, but this wandering presents big IT security risk. Denial of service attacks, ransomware, phishing, identity spoofing, and increasingly sophisticated malware can breach and then tunnel into your digital network like a worm through an apple.

Digital transformation is an ongoing journey, a continuum, not a lasting status that an organization one day crowns itself with and then uses to rule over the market for many years while everyone else uses less-advanced tools. Because of this fluctuating landscape, small and midsize organizations can take giant leaps via digital-economy equalizers in the cloud that enable them to catch up or achieve strategic edge.

One of these digitally transformational accelerators is network- and security-as-a-service. There’s an IT skills shortage; network and cybersecurity expertise (the two often go hand in hand) are in short supply.

With an estimated 74% of organizations affected by a cybersecurity skills shortage, it’s ‘Advantage Hackers.’ One recent study reported 94 percent of IT security professionals believe the advantage has tilted to cyber-adversaries over cyber-defenders. (ISSA and ESG.)

This can lead to struggles in defending against the latest, most sophisticated cyber-attack or cybercriminal methods as well as the inability to patch software and hardware vulnerabilities rapidly. It can also leave your enterprise employees, workstations, networks and servers reliant solely on one or two static barriers, instead of a sounder, multilayered security architecture.

Exacerbating this cybersecurity skills shortage is network complexity, product overlap, and product fatigue. As the workforce becomes more distributed, network endpoints are moving and changing, making them difficult to inventory and manage. Meanwhile, backhauling all branch office and remote worker traffic through the core network is many times more expensive than providing these individuals with direct Internet access, and can introduce QoE latency. From both a business access and security perspective, small network and IT teams just can’t keep up across the many products, pieces of computing equipment and user access needs they have to manage across distributed sites.

Help for the network IT staff can come from automation and the cloud.

Security as a Service (SECaaS) for the Changing Network Architecture

What is security as a service (SECaaS) and why is it so important in a network without boundaries world?

At a high level, SECaaS is a rapid deployment that immediately solidifies both your network perimeter and lateral traffic security. It accomplishes this by providing key advantages over traditional IT security deployments.

  • Speed. With advanced cybersecurity skills in low supply, do you wait for the on-device reconfiguration to be performed, or do you deliver advanced security agents that don’t require routine in-house patch releases? SECaaS is distributed network security protection in minutes versus weeks or months.
  • Cost. The cloud empowers organizations, large and small, to more easily and rapidly facilitate less-expensive remote-office activation and branch-to-Internet connections. In this cost-efficient environment, SECaaS enables organizations to receive advanced security capabilities previously accessible only to deep-pocket large enterprises, and to do so without myriad tool acquisition and maintenance costs.
  • Network Performance. You don’t have to compromise on security or performance as you migrate some of your traffic off the private network and into the cloud. Conduct your traffic with greater precision and quality of service, taking advantage of less-expensive yet high-performant network transports while orchestrating and automating advanced network security across distributed domains.
  • Advanced Protection Against Targeted End Users. Firewalls do a good job of protecting the perimeter against north-south invasion, but when something inevitably does slip through the cracks (perhaps by compromising a device outside the firewall or VPN), it can spread laterally like wildfire. Secure your flexing and fluxing network, with always-on protection at the endpoints, which also defends against lateral movement leading to widespread infection, hijacks or outages.
  • Central Management. Hackers prey upon inconsistent security policy enforcement across distributed network infrastructures. SECaaS enables central enforcement of policy, which is automatically applied throughout the entire distributed network, strengthening protection and closing loopholes.
  • Simplicity. Whether you’re a managed security service provider or public or private network operator, OPAQ brings automation, easy orchestration and simplicity to your complex distributed network or networks. This IT service agility also makes it easier to meet regional and vertical compliance regulations.

Security-as-a-service can lead to easier, more holistic network security coverage for digitally transforming managed service providers and enterprises alike.

Visit our security-as-a-service (SECaaS) page.