HITRUST Fills in the Blanks for HIPAA and PHI Security

HIPAA carries a lot of weight, but it is merely a set of guidelines that healthcare companies (and technology providers who work with them) must follow when handling Patient Health Information (PHI). For people imagining a team of inspectors showing up unannounced to offices worldwide for a surprise checkup, or to administer a results-oriented audit before gaining compliance, know that this isn’t the case when it comes to HIPAA. 

In fact, the lack of any official certifying entity makes it possible for businesses handling PHI to give themselves a badge of compliance based on their technology and processes alone. A HIPAA icon found on a healthcare provider’s or security vendor’s website is not meaningless, however. These organizations know penalties from the Office for Civil Rights (OCR) pack a rightfully devastating punch, and so they must invest in the song and dance of showing they have the power to protect PHI, even without proof that their systems are actually doing so.

Despite the superficial nature of HIPAA compliance, providers are still under pressure to “prove” that they have a clean bill of health when it comes to the guidelines. They can currently do this via self-assessments involving documentation of access policies, technology settings, employee standard operating procedure manuals, backups and more. Compliance is a necessary effort for providers, but because the result of these settings and technologies lives on paper alone, patients don’t realize HIPAA doesn’t provide as much value as it should. 

Entities like HITRUST have sprouted up to deal with this gap, both by using technology to proactively and reactively enforce HIPAA compliance and by helping providers make it a core pillar of their operational success rather than an obstacle to it. The tools available today enable risk management and PHI security to be vital for healthcare providers, and HITRUST takes full advantage. It is designed to strengthen the foundations of information security and make compliance easier to achieve than ever. But how?

What is HITRUST?

While HIPAA is a solid framework for protecting medical records, and gives patients privacy regarding who can gain access to their information, it is also subjective on the part of providers. HITRUST is not simply a template that allows healthcare providers to say all the right things regarding their compliance – it goes beyond this. Technically, HITRUST is the group that built and continues to manage the CSF, or Common Security Framework, which is both certifiable and combines multiple different compliance models including HIPAA, notably, but also PSI, ISO, NIST, FTC, COBIT and others.

According to the HITRUST website, it is “a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.”

The approach taken by HITRUST is simple yet thorough. Crucially, a HITRUST certified provider is also a HIPAA certified provider, and can offer more than a hollow pledge to follow the rules sans any audit to see that the security controls put in place are actually working. To maintain HITRUST compliance requirements, an organization can choose to self-assess or complete a third-party audit, but either way it must pass all 19 parts of the CSF test every two years:

  • Healthcare Data Protection & Privacy
  • Information Protection
  • Wireless Protection
  • Transmission Protection
  • Network Protection
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Third Party Security
  • Physical & Environmental Security
  • Configuration Management
  • Vulnerability Management
  • Password Management
  • Incident Management
  • Risk Management
  • Access Control
  • Audit Logging & Monitoring
  • Education, Training & Awareness
  • Business Continuity Management & Disaster Recovery

With each idea outlined in the CSF, providers have a bolder template to follow, which makes preparing for the whole gamut of required certifications less of a guessing game. Medical practices and healthcare providers are therefore able to unify their compliance efforts with one process, and guarantee protection for their patients rather than offer a mere promise. Thankfully, unification is also occurring in the security industry, lowering the barrier to compliance even further.

Unified Security Models a Must

To give providers peace of mind over their compliance, HITRUST’s universal security framework is complemented by security vendors that take a similarly consolidated approach. While no single security vendor is yet able to deliver total CSF compliance, this is the direction the industry is heading. Network as a Service, for example, empowers providers to deploy network and security tools in an integrated manner with existing local and cloud resources. Consuming just one product for both access management and data security tools makes it much easier for would-be compliant companies to quickly pass multiple sections of their CSF audit.

With both security technologies and compliance frameworks aligned in their increasing simplicity, providers will soon be rid of their confusion over compliance. Most important, however, is that those who see a HITRUST compliance badge can be confident that the healthcare they receive employs the most up-to-date and proven data security tools. This will encourage a more accountable healthcare sector, and prevent the all-too-common idea of a PHI breach from impacting the trust between patients and practices.

 

Beyond The Perimeter Podcast, Episode 02: Young Startup: Are You Ready for a CISO Onboard?

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.

In this edition of the Beyond the Perimeter Podcast, we explained how millions of Chrome users might be affected by the Google Chrome security breach and we interviewed Ms. Reut Weitzman who is the COO and Cybersecurity Consultant at QMasters to learn about her experience and insights as a CISO at a startup. 

 

Breach of The Month: Google Chrome Browser  

On June 18th, security researchers at Awake Security reported to Reuters that millions of Chrome users were exposed to a record spyware breach linked to extensions downloaded from Google’s official Web Store. The discovery is believed to be one of the biggest attacks of its kind and resulted in Google removing more than 70 malicious extensions.

Most of the free browser extensions – downloaded about 32 million times – claimed to warn users about unsafe websites or convert files from one format to another. Instead, they were accessing users’ browsing history and website logins. It is still unclear who was behind this attack as the developers of the Chrome extensions supplied fake contact information when they submitted the extensions to Google.

Our suggestion when downloading third-party Chrome extensions is not to grant access to data or other information on your machine or device. Google cannot guarantee 100% security on all of its third-party add-ons, so you must be careful.

To learn more about being a CISO at a startup, I interviewed Ms. Reut Weitzman, who shed light on the CISO challenges in a lean startup, where the budget is low, people are techies and security is an afterthought.

Reut specializes in designing complicated cyber-defense architecture aligned with business and technology strategy, that is up to date with emerging cyber threats and vulnerabilities. One of her leading projects is providing on-going CISO service for a cryptocurrency startup.

Learning and Being Mentored Early On  

Cybersecurity has become the trendiest topic in the news today. From cyber attacks, data breaches, ransomware and election hacking, everyone wants to be part of cybersecurity. Luckily for Reut, she has been part of the security industry from early on. Learning and experiencing the security industry helped Reut become who she is today as CISO. “When I started my career in cybersecurity, the dot net had just bloomed and I was young, curious and eager to learn everything possible about this exciting industry. So I took courses, read a lot, researched, asked and learned on the job of course.”

Reut described how fellow colleagues and mentors helped her early on. “I was lucky to work with talented, supportive people, and being a people person myself, I kept in touch with many of them over the years. I actually still keep in touch with my first boss from 20 years ago. So I found that this helped me a lot in my career. I always had someone to consult with and whether it was professional or career issues and since it’s such a small industry in Israel, I worked with many of my previous peers and colleagues again and again in different projects and different companies. I always had someone to speak with and ask questions and consult. In some aspects of my career, I always found someone to talk to. So it really helped.”

Becoming a CISO 

After years of working in the field, Reut started the transition to CISO. Her years of experience in cybersecurity and tech brought her the insights and knowledge to the position. “I was consulting and working with different sectors, I’ve seen how every organization has a different approach when it comes to cybersecurity management and over the years. I saw how organizations handled cyber-attacks, how they managed cyber operations and different approaches to security strategies. I learned from project to project to gain experience and that allowed me to feel confident in my knowledge and ability to spot vulnerabilities and needs.”

After experiencing different roles in cybersecurity and her business background it was the perfect time for Reut to become a CISO. “With the years came the experience. So it goes hand in hand and also I had some business – I had a lot of business background. I did a strategy project and management project. So it’s all combined together. I also have – in addition to all the technology experience and certificates, I also have an MBA. So it worked perfectly together.”

First 90 Days As a CISO 

You’ve just been given the responsibility to lead the security transformation in your organization. Where do you begin? How will you approach the situation? For Reut, it started with a strategy to protect the organization’s data. “My duty as a CISO was to develop a strategy to protect the company’s data. This should always be done by working with IT and business teams. Full cooperation is required to identify, develop, implement and maintain cyber policy and processes across an organization. So for the first 30 days, I worked on establishing relationships and trust. I took the time to understand organizational structure, who is who, how they used to work, what technology do they use, where’s the data. Do they print? Do they have access to data from mobile phones? Since they already encountered a security incident, I ask different people what happened and how they feel about it and so on.”

Reut mentioned trust was a key factor for security success in her role. “It was important to me to get my peers to trust me and get on board for the good of the company. One of the things that I emphasized was that this is not an audit and I’m not looking for fraud. I’m looking to understand how they are used to work, so I could assist them to do it in a secure way.”

In the final two months, Reut spent most of her time working with the IT team to find where the holes were. “For the following 60 days, I worked in security assessment and gap analysis. I worked with the business unit managers and with leading personnel in those units to map the critical business processes and find cyber vulnerabilities.”

The Challenges 

Every new job comes with challenges. Reut didn’t let those challenges affect her work, but the help of her colleagues made the process easier. “The biggest challenge I experienced was inventory. Data systems, storage and physical devices. The little documentation that they actually had wasn’t updated. So in fact I had to start from scratch and I had assistance from department heads for data. I asked the IT manager to help with systems and applications. DevOps helped me with storage information and I asked the office manager for help with all the physical assets.”

To help internal security awareness, Reut implemented security training for the company’s employees, which in the end helped employees become more comfortable bringing up security questions or comments to Reut. “I started raising cyber risk and security awareness, I sent periodic updates of cyber incidents relevant to the industry and sent do and don’t tips and so on. So at that time, everyone already knew who I was and started consulting with me about phishing emails, mobile security questions and also some personal questions such as how to know if the gaming application that our kids are using is actually safe.”

Reut quickly caught that security hygiene was very limited among the employees. “People at startups are tech-savvy. They’re agile. They’re in front of tech news. Nevertheless, I found out their cyber risk awareness is very limited. It shows little things such as leaving the workstation unlocked when they take a break or mobile phone passcode is one to six. Everyone knows what – that there is something called phishing. But most of them will fall for a spear-phishing attack that would be slightly more sophisticated than the usual spam.”

How Startups Can Avoid Security Challenges

Most startups can easily fall prey to security challenges. Reut explains how this can be avoided with the right processes. “They say in security, we divide everything to – according to the golden triangle of challenges before process and technology. So in terms of processes, it is rare to find a startup with structured security policies or procedures. The work procedures are not consistent and are usually open to interpretation and new employees just learn how things work from their buddies and not in a formal way.”

Reut highlighted that a major challenge for startups is proper user permission and access to resources. “One of the biggest challenges for me was lack of consistency in – that there was no one central domain to manage user’s permissions and access to data resources. Also, the lack of group policy, with every change of configuration or any OS or application updates required an IT person to take each and every computer and install or update manually.”

Reut suggested that most startups give their employees the freedom to install or do whatever they want, which causes a lack of visibility when it comes to security. “In many cases, employees have the main rights on their computers and they could just install whatever they want freely. Well, in fact, software installation should be done by IT professionals and also be documented. So the company will have an updated inventory.”

To hear the entire interview with Reut please listen to the full podcast here. You can follow Reut on Twitter @reutweitzman.

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.

Female Security Pioneers Who Are Inspiring Other Women In The Industry

Cybersecurity has long been considered a man’s domain. According to Cybersecurity Ventures, there will be up to 3.5 million job openings by 2021. Meanwhile, women make up only 20% of the cybersecurity workforce. 

The reason for the gender imbalance in the security realm is multifold. Starting from a young age, girls are not encouraged to pursue STEM degrees or hobbies. Additionally, there exists an “unconscious gender bias” when hiring women in the field, and an even more difficult time retaining women due to wage disparity and lack of female colleagues and mentors. Women in security are often “the only woman in the room” – but there are a few professionals who have dedicated their time to changing this. 

While there are a number of reasons that women are underrepresented in the industry, we have chosen to focus on a few women who are pioneers in their field by breaking barriers and smashing stereotypes in the field. Whether for their innovation, leadership, or integrity, these women are inspiring and empowering other women to pursue a career in cybersecurity.  

One of the best ways to bring more women into cybersecurity (and to keep them there) is to lead by example, create spaces and opportunities for women to enter and grow within the industry. Networking with women in the field, lifting and supporting others, joining groups and communities for women by women – these are some of the ways that female professionals can inspire and encourage women to join this line of work and grow within the security industry. 

Read about the women that are breaking the gender stereotype in security and encouraging others to do so as well: 

Chani Simms

Her accomplishments:

When talking about inspirational women in security, it’s impossible not to mention Chani Simms. An award-winning cybersecurity leader and TEDx Speaker, Chani has been in the IT industry for nearly 20 years. Originally from Sri Lanka, Chani co-founded Meta Defence Labs UK in 2014, a Cybersecurity and IT Infrastructure service provider. Under her leadership, Meta Defence Labs UK has garnered international recognition and accolades and she expanded its operations into Sri Lanka to offer cybersecurity expertise and skills to south Asian communities. 

How she’s helping women in security:

Chani’s passion for cybersecurity combined with her enthusiasm for women’s empowerment led her to found SHe CISO Exec., an initiative aimed at empowering a new generation of talent in the world of information security. SHe CISO Exec. provides a bootcamp and mentoring platform for women (open to men as well) in cybersecurity and focuses on bridging the skills and diversity gap in the industry. 


Tanya Janca

Her accomplishments:

If Wonder Woman was an ethical hacker with a stylish fringe, her name would be Tanya Janca. Tanya is a computer scientist and the founder, security trainer and coach of SheHacksPurple, a learning platform dedicated to teaching Application Security, DevSecOps, and Cloud Security. In addition to running her own Open Web Application Security Project (a nonprofit foundation that works to improve the security of software) chapter in Ottawa for 4 years, she co-founded a new OWASP chapter in Victoria and co-founded the OWASP DevSlop open-source and education project.

How she’s helping women in security:

Tanya is also an advocate for diversity and inclusion, and co-founded the international women’s organization WoSEC (Women of Security) a free community for women to meet in person in cities around the globe to network, vent frustrations, find peers, and make new friends. She started the online #MentoringMonday initiative, and personally mentors, advocates for and enables other women in her field. She actively writes on her blog, Twitter, LinkedIn, and promotes videos on YouTube, spreading her security research for free in order to contribute to the security community.

Follow Tanya on Twitter @shehackspurple

 

Jane Frankland

Her accomplishments:

While Jane Frankland is an award-winning entrepreneur, best-selling author and international speaker, she states that her three children are her greatest achievement. She has been working in cybersecurity for over 20 years and has held senior executive roles at several large PLCs, as well as founded Cyber Security Capital, a training and consulting company. Her diverse and impressive resume includes being nominated as a Young British Designer, LinkedIn Top Voices, a Top 20 cybersecurity global influencer and Top 100 in UK tech. She built her own global hacking firm and has been actively involved in OWASP, CREST and Cyber Essentials. 

How she’s helping women in security:

Before she turned 30, Jane built a 7-figure global business (as a single parent) and claims, from experience, this is not the hardest thing in business to do (rather, to turn around a failing company.) She has also authored the Amazon Best Seller IN Security: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe. She specializes in business strategy and high performance and is a world authority on attracting and retaining women in cybersecurity. 

Check out her YouTube channel

 

Bonnie Butlin

Her accomplishments:

If you haven’t heard of “Canada’s First Lady of Security” Bonnie Butlin, it’s time to get familiar with this impressive entrepreneur. Bonnie is an award-winning expert in security and intelligence and co-founder and Executive Director of the Security Partners’ Forum (SPF), the first-of-its-kind agile international network of security professionals within NATO. Over the past decade, Bonnie has received 20 international and national-level awards and honors related to security and resilience including the “Women of the Decade” Award presented at the Women Economic Forum in 2018.

How she’s helping women in security:

Bonnie created Women in Security and Resilience Alliance (WISECRA) which engages a growing network of women in security around the world. Organizations and businesses around the world look to Bonnie to help increase the number of women in security. Bonnie is considered an inspiration to young women entering the profession and has actively been mentoring and involved in public speaking engagements for women and young professionals in both physical and cybersecurity. 

Listen to a podcast interview with Bonnie Butlin at #AISACON17 by MySecurity Media

 

Sivan Tehila

Her accomplishments:

This list of women would not be complete without mentioning our very own Director of Solution Architecture, Sivan Tehila. Sivan is a modern-day Superwoman and we just don’t know how she does it all. Her impressive resume includes serving for 10 years in the Israel Defense Forces in roles such as Information and Cyber Security Officer, CISO of the Research and Analysis Division, and Head of Information Security Unit of the Intelligence Corps. Sivan also devotes her time to educating the future generation of cybersecurity leaders as an Adjunct Professor at Yeshiva University.

How she’s helping women in security:

Sivan is dedicated to increasing female representation in cybersecurity. In 2019, Sivan founded  Cyber Ladies NYC in order to create a safe and empowering environment for women to share knowledge, mentor others, and become role models for young women at the beginning of their careers. She often engages in speaking engagements around the world and contributes articles and thought leadership pieces to renowned security publications. 


The women in this article are just a small representation of those working towards a more inclusive and diverse cybersecurity workforce. We hope you were inspired by the stories and accomplishments of the women above, whether to pursue a career in cybersecurity, encourage other women to pursue one, or to hire more women in your organization. If you would like to nominate additional female security professionals for future blog posts, please email us at [email protected] 

ZTNA: A World Where You Won’t Be Afraid to Grant Permissions Access

The word trust is a common theme in cybersecurity when it comes to network breaches, yet the idea of lack of trust is what’s highlighted in these breaches. A company’s feeling of safety and security can disappear in a nanosecond once their network has been infiltrated, and all control of networks and applications is lost. For all tech-forward organizations, the feeling of lost control becomes more universal with every new breach to hit the headlines.

While in some industries this scary feeling may be up and coming, in the network security landscape it is not a new phenomenon. Whether from malware, ransomware, or your classic unauthorized access network breach like we saw with Capital One, zero optimism is entertained concerning the safety of companies and individuals from hackers. Awareness of one’s level of vulnerability is a prerequisite to safety and enables one to take pragmatic steps to secure their data.

Rethink the Approach for Network Security 

Until recently, the organization’s IT and security teams primarily focused all their security efforts on fighting off different attacks on the perimeter. While this was the right approach when everyone worked in the same office, times have changed. Due to COVID-19 accelerating the “work from anywhere” approach, we need to rethink network security strategies and pivot them around the user instead of where the network is based. 

With more employees working outside the physical office, there is a quickly growing number of endpoints for hackers to attack. In most organizations, the typical employee uses multiple devices to do their daily job. Is each device secure? The answer is probably yes – but you can’t be certain. With every unsecured device, organizations’ networks are taking an unnecessary risk. When networks are breached, the process of understanding where and how access was gained is not instant, and by the time you have your answers, it is too late.

IT and security teams need to change their approach, and instead of solely emphasizing perimeter security, transform their employees’ permissions and access policies. One of the most common mistakes organizations make is trusting their users when it comes to authorized access. When you provide unrestricted access to any user or device in your network, you simply open the gates for your organization’s network to be breached. 

Once a user or organization is compromised, their credentials can easily be used to infiltrate the network, especially with different attacks. This presents the idea that organizations need to have better visibility when it comes to authorized user access to their network. So how can organizations trust their employees once again?

Zero Trust Helping Us Trust Again 

Can we trust our employees once again, and reduce their responsibility and impact as guards of the organization’s network against hackers? I believe we can, as humans are meant to be trusted even though in many instances human error puts that trust in doubt. People aren’t perfect, we all make mistakes, but we must account for them proactively.

A common approach to secure network access that has gained popularity over the past decade is implementing the Zero Trust model. Zero Trust was originally proposed by Forrester in 2010, with the motto “never trust, always verify”. This is the idea that until the user can verify him or herself via authentication, they will not receive access to the network. Zero Trust is not a specific product or architecture; instead, adopting it means taking a more modern approach of setting up organization-wide guidelines inside the company’s resources.

By implementing the ZTNA model for secure network access, IT teams will have full control over who is granted access, enters and leaves the network at all times. For each network, resource or application, there should be a set of rules and policies in place enforced by the key elements of the Zero Trust model: multi-factor authentication, proper device management, limited privileged access and network segmentation using software-defined architecture.

ZTNA The Approach Not the Model 

Organizations that take the right approach with ZTNA can erase the concept of trusting in their employees and won’t fear granting access. To achieve secure network access inside your organization, you will need to have the proper principles implemented and distributed throughout the company. Treat Zero Trust Network Access as a manual for how organizations should strategize and “trust” their employees with the keys to the kingdom.

Can SASE Reinforce Remote Voting?

The risks behind remote voting

Election interference is the new normal, or perhaps it quietly has been for some time now. Until recently, though, it has escaped the limelight because the process of voting in most places has barely changed since the dawn of democracy. People show up at their designated voting booth, wait in line, verify their identities and cast their ballots – but in the era of COVID-19 this idea is more complicated than it once was – and also more compromised.

Obviously, the ideals of democracy must be upheld even during a pandemic in which the pathogen at large is airborne, and people must be empowered to vote even if they aren’t able to stand in line. Especially as an important US Presidential election approaches at the end of the year, the idea of remote voting has emerged as a potential solution to the obstacles put in its place by coronavirus – but solutions must also be found for securing the remote vote itself.

A Rocky Start to Remote Voting

Rather than mail-in ballots, which require immense administrative efforts to corral, count, and authenticate, remote voting would entail using technology to mimic the same processes but in a streamlined digital manner. In the midst of COVID-19, governments have already embraced digital alternatives for physical processes steeped in tradition and respect – just look at the testimony of Dr. Anthony Fauci, who recently appeared in front of the Senate via Zoom.

Thanks to H.R. 965, which was passed in mid-May during the throes of the pandemic, members of the House have been alpha testing remote voting at a very small scale. While Senators must still show up and have their Yeas and Nays tallied on paper, House members are able to send in their votes via encrypted email and have them counted. This is still an early and rudimentary solution, and there’s no doubt that rolling out digital voting to the greater USA or even individual States would require something much more complex.

So far, some States are experimenting with digital voting, but they are doing so against the advice of Homeland Security’s recent report, which highlights remote voting as extremely high risk. This is no doubt a remnant of 2016, when hackers successfully breached online voter registration systems in an attempt to sway results of the election – or simply to test the water in advance of the “real” interference attempts which are soon to come. The wagons haven’t circled yet, and any efforts to advance remote voting efforts now are as undefended as they were then.

Remote is a (Necessary) Risk

Evidence points to the fact that the varied and disparate digital systems that already exist can’t be capably secured, meaning any attempts to institute remote voting will be built on a flimsy foundation and cause even more trouble. This would create an untenable situation in which both election results and faith in the system can be challenged, so any efforts to help US citizens vote from afar must also come with accompanying security technology.

Attempts to secure local and state voter registration systems so far have focused on the lowest-hanging fruit: patching software and hardware, and “backing up” incoming digital votes by writing them down on paper. This approach is smart, because it’s often the most basic exploits that hackers use to disrupt the voting process. The remote voting apparatus, in the States where it currently exists such as Delaware and West Virginia, is extremely flimsy and reliant on a stack of tools that are each capable of being compromised in different ways.

Hackers don’t necessarily need to infiltrate systems and change votes themselves; they can simply disrupt the process by deleting or multiplying votes, adding false data, compromising signature-verification software, or overloading systems via DDoS. This can occur for the ballots, voting machines, Secretary of State or registration websites, and other weak links in the chain. Accordingly, the entire voting flow must be secured from the moment a citizen logs on, through the verification process and until the final vote is tallied.

SASE a Secure Voting Solution

Remote voting is coming whether we’re prepared for it or not, because if you ask election officials, it’s more important to re-enfranchise those who are disenfranchised than it is to secure the systems we use to accomplish it. Though problems are bound to arise, given that in classic federal government style it’s up to individual States and the agencies within them to choose relevant security vendors and solutions, a new type of unified product is emerging that will kill many of these issues with one stone.

Coined by research firm Gartner, SASE is a cloud-based security product that by nature is capable of being integrated directly into all resources in use across government offices, regardless of where they are physically. It essentially weaves an impressive array of different networking and security solutions into each resource deployed in the digital voting process, ensuring that participatory voters and officials across the country are protected, given custom access privileges, and closely monitored for suspicious activity.

If a SASE product is deployed then the State of Florida, for example, could mandate that voters logging into whichever voting application Florida chooses will first need to authenticate with 2FA. During the vote, a SASE product would encrypt the voter’s connection to State applications with IPSec tunnelling, and even automatically disconnect them from the internet if the application should fail. Because SASE is both ubiquitously integrated and built on software-defined architecture, officials tallying votes and doing other administrative election work could be assigned role, location, and even device-specific least-privilege access policies which would limit the attack surface for hackers.

Elections to Evolve in the Near Future

If government IT teams match the variety of remote voting hardware and software with a similarly disparate selection of security tools, then their efforts will be further distracted from ensuring an accurate vote and go instead towards managing their teetering software stack. What’s necessary is one security solution encompassing all tools that States need to protect their voters, and one that fits natively into the systems they’ve already begun implementing and is therefore easily onboarded as other States come “online”. 

SASE looks to be a promising contender, though the security industry has some catching up to do before it’s ready for elections. That’s alright, because poorly deployed security would do more harm than good, and it’s important to be airtight: the point of elections isn’t to pick the winner but to leave the loser no room to argue with the results. For this reason a robust and proven security solution is necessary if remote voting is to be the status quo.

Perimeter 81 Recognized in Gartner’s 2020 Market Guide for Zero Trust Network Access

Perimeter 81, the Secure Network as a Service solution for the modern and distributed workforce, has been included in the 2020 Market Guide for Zero Trust Network Access by Gartner Inc., a leading IT research and advisory company.

We were named as a representative vendor in the “ZTNA as a Service” category in the 2020 report. This year’s report was written by analysts Steve Riley, Neil MacDonald and Lawrence Orans. Zero Trust Network Access (ZTNA) describes an emerging market in which organizations are advised to replace their outdated traditional remote access VPN technologies with a more modern model that improves security while supporting a larger number of use cases and enhancing the end-user experience.

Unlike stand-alone ZTNA solutions, as-a-service offerings require less setup and maintenance. According to Gartner, ZTNA as a Service solutions like Perimeter 81 typically require provisioning at the end-user or service side and route traffic through the vendor’s cloud for policy enforcement. Stand-alone offerings require customers to deploy and manage all elements of the product. In addition, several of the major IaaS cloud providers offer ZTNA capabilities for their customers. 

What Is the Market Guide for Zero Trust Network Access?

Every year, Gartner publishes the Market Guide for Zero Trust Network Access. The annual report helps security and risk management leaders choose the best ZTNA solution for their organization’s needs, specifically application-centric and demand-driven connections.

In this year’s report, Gartner highlights how digital business transformation is affecting enterprises worldwide. According to Gartner, “ZTNA augments traditional VPN technologies for application access and removes the excessive trust once required to allow employees and partners to connect and collaborate. Security and risk management leaders should pilot ZTNA projects as part of a SASE strategy or to rapidly expand remote access.” (1)

Perimeter 81’s Secure Zero Trust Network As a Service Offering  

Gartner recommends deploying “a ZTNA product that relies on multiple contextual aspects to establish and adapt trust for application-level access” and to “stop relying primarily on IP addresses and network location as a proxy for trust.”

ZTNA, the modern replacement for cloud VPN, removes excessive trust placed in physical networks in favor of adaptive, identity-aware, precision access that is application-oriented.

At Perimeter 81, it is our mission to simplify secure network, cloud and application access for the modern and distributed workforce. To do so, we have built a holistic SASE (Secure Access Service Edge) solution that provides both customizable networking and the highest levels of security.

Unlike hardware-based legacy VPN and firewall technology, our scalable SaaS solution offers greater network visibility, seamless onboarding and full integration with major cloud providers, giving companies of all industries and sizes the power to be fully mobile and completely cloud confident. 

Our cutting-edge Zero Trust network security solution features:

  • Secure Cloud and Network Access 

Ensure user-centric and adaptive, policy-based network access to on-premise resources, SaaS applications, and cloud environments. 

  • Zero Trust Application Access 

Reduce the attack surface. Implement zero trust, fully audited access to web applications (Layer 7) via HTTP/S, SSH, RDP, or VNC, without an agent. 

  • Cross-Platform Endpoint Protection

Enable single sign-on access and two-factor authentication across iOS and Android devices as well as PC and Mac desktops.

  • Site-to-Site Interconnectivity

Bridge the gap with fully customizable networking. Interconnect your cloud environments and different network branches.

Industry Recognition 

Being recognized as a representative vendor of ZTNA as a Service in the 2020 Market Guide for Zero Trust Network Access from such a reputable resource confirms our continuous effort in changing the way organizations consume network security. 

“We believe our inclusion as a Representative Vendor in the Gartner Market Guide validates why leading organizations adopt the Perimeter 81 solution to manage user access to their cloud resources,” said Amit Bareket, CEO and Co-Founder of Perimeter 81. “The Perimeter 81 team has worked tirelessly to deliver a secure, network as a service solution that collectively provides secure networking and data science technologies in a way that overcomes the limitations of traditional security solutions. We feel that to be recognized by Gartner is a tremendous validation for the work the Perimeter 81 team has accomplished.”

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

(1) Gartner, Market Guide for Zero Trust Network Access, 2020, Steve Riley, Neil MacDonald, Lawrence Orans, June 2020.   


Beyond The Perimeter Podcast: Episode 01 – Turning a Hobby Into a Career

Listen to this podcast on Spotify, Soundcloud or wherever you find your favorite audio content.

We’re excited to have launched the Beyond The Perimeter Podcast: the podcast where we discuss everything security. 

Each week, we will discuss the latest and biggest breaches to hit the news and talk to different security experts to learn about their experiences in the security industry. In this edition of the Beyond the Perimeter Podcast, we tackle the EasyJet Breach and learn from independent security researcher Ryan Nolette how he made a hobby into his career.  

Breach of The Month: EasyJet 

On May 19th, British low-cost airline group EasyJet announced that they had suffered a data breach. They declared that the highly sophisticated cyber-attack affected over nine million customers. Details from the breach included full names, email addresses and travel data such as departure, arrival and booking dates. The breach itself occurred in January 2020; EasyJet notified the UK’s Information Commissioner’s Office at that time, but waited four months to notify its customers. EasyJet did not immediately give details on how the breach occurred, but said it had “closed off this unauthorized access”. It’s most probable that a phishing attack was behind the breach. Our advice for all EasyJet customers is to change their passwords and check for any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further personal information.

For more security tips and insights, I interviewed independent security researcher Ryan Nolette who explained his experience with information security at a young age and how it formed his career today. Ryan has held roles in the InfoSec field and consulted on threat research, incident response, and every level of security operations. He is an active speaker and writer on threat hunting, cloud security, and endpoint security.

Attracted To Information Security From an Early Age

If you ask security enthusiasts, many of them will tell you that their interest in security started at a young age. In Nolette’s case, movies and books about hackers, as well as early discussions with his school IT worker, sparked his interest in Information Security. “Infosec has always kind of been an interest to me. The movies that I was starting to watch, the Hackers trilogy and The Art of Deception by Kevin Mitnick came out and a colleague of my dad at the time told me to go check out that book and it was very interesting actually reading about the experience, the stuff that he went through and then how that related to the movies there.”

This initial introduction grew into more of a personal interest for Nolette. “From there it just kind of really – the interest grew and grew as I started researching the topic more and more. We started off with people doing pranks to each other in class and whatnot. You know, pop out the CD-ROM of your neighbor’s computer, things along those lines and it kind of escalated to well, you take those concepts and now we expand them out into these overarching, more in-depth topics that are enterprise-level and now instead of your adversary being your classmate, now your adversary is whoever the attacker is in the world and it’s just a change in scope and severity. I had a pretty interesting IT or a general worker for our school system that I went to had an open conversation about technology in general and we’ve learned an awful lot about my school’s network and the town network worked through that.”

Learning From Security Experts over the Years

In the late 1980s and early 1990s, the number of places to learn about networks and security was limited. Nolette described how he learned on the go and through experiences. “It was more of a silo for me. I didn’t know those forums existed at the time. How I learned things was from some of my schoolmates who were interested in computers and operating systems. It was definitely an interesting experience and unfortunately, at that time, it was very hard to get the information, to gather if you didn’t know where to go look.”

The times have changed and now it’s much easier to learn security practices from experts around the world. “Now it’s significantly easier since I started in the industry and I’m really, really a big fan of that and that kind of leads into – if you want to get started in the industry, just go to a conference. There are free and cheap ones all over the world. I’m on the East Coast of the United States and there’s a BSides conference in pretty much every state and that’s a wonderful, affordable conference to go to and they handle a very large group of attendees, whether they’re the presenters or the attendees on their own. They really foster a collaborative environment. So you can go in and ask questions. You can attend one day of a conference and learn about 10 or 20 different vectors of security and that kind of lets you figure out what you’re actually interested in.”

Endless Amount of Security Content While Remote

With the majority of the world working remotely, face-to-face events have been canceled. Nolette highlights the different virtual opportunities for security minds like himself to learn remotely. “One of the best things that came about from this is I’m a big Reddit fan. So there’s a couple of different security subReddits and they have curated lists of virtual conferences, free online training and discounted tools and training. They’ve kept them pretty up-to-date and it’s just spreadsheets of these different resources that are available to you. So definitely check that out as a starting point and get a bunch of things online.”

With the current remote situation, the security community has gotten a bit creative to spread their knowledge. “While I know there are a few new conferences that even launched because of the work from home and the virtual conference idea. A new conference is basically going to put all the attendees on a Zoom call without any of the security restrictions on it and just kind of see what happens. So there should be some fun stuff like that.”

You can follow Ryan on Twitter and read his latest content on his Github page.  


VPNs Are Out and Scalable Remote Access Solutions Are In

COVID-19 has accelerated the world’s digital transformation and lately this has headed in an inevitable direction: the adoption of remote work. We can no longer assume that employees are working from the office and the “new normal” that the world is experiencing will likely bring about permanent changes to how and where we work. Tech giants such as Facebook, Twitter and Google have announced they plan to keep their employees working remotely until at least the end of 2020, and possibly beyond. While this approach is gaining popularity by the day, it’s far from a new concept. 

Remote work has been a popular method for companies for the past two decades due to benefits like flexibility, productivity and cost-savings. In late 2019, Gartner predicted that by 2020, half of the US workforce would be working remotely. Here we are six months into 2020, and no one could have predicted that 62% of the U.S. workforce would go home to work remotely due to the COVID-19 outbreak. 

Are Traditional VPNs Still Relevant? 

Over the past 20 years, organizations adopted different tools in order to support and secure their remote workforces. The most popular solution that organizations relied on for remote network access was enterprise VPN technology. However, the value that VPNs once provided is diminishing by the day due to organizations’ transition to the cloud, and remote employees no longer need to connect to their corporate headquarters’ network.

Due to COVID-19, the majority of global organizations are requiring that their workforces connect to business resources on the cloud or to the corporate network remotely, creating an overload of traffic on the VPNs they previously implemented. Originally, installing a remote access VPN was the right approach; however, it’s now providing more cons than pros.

VPNs can expose organizations’ data and resources, making them more vulnerable to different attacks on the remote workforce. The traditional VPN provides remote workers with unlimited access to organizational resources, creating an attractive, ripe environment for hackers to get inside the company’s network. With legacy VPNs, organizations are unable to restrict access to specific network resources, making VPNs one of the weakest points of failure with respect to identity access and credential management as there is no segmentation, audit or control.

VPNs have other limitations, such as a lack of network visibility and of the network segmentation that limits unauthorized user access, both of which weaken overall network security. The tech was not designed to deal with the dynamic networks that organizations are creating today: VPNs require constant hardware updates, need to be properly managed, and lack network or server flexibility. All of the above make it more complicated to scale and rapidly adjust for new users and network locations, and increasingly difficult to effectively manage hybrid and cloud-based computing architectures.

Scalability: The Key Factor of Today’s Workforce 

The idea that one day an organization may need to increase the number of users to thousands or more is possibly one of the most important factors when deciding which solution to implement, especially with remote access needs. VPNs’ scalability hasn’t been their strongest characteristic; actually their lack of scaling capability to hundreds or thousands of users has been more of an Achilles heel.

VPNs were initially designed to only handle a small percentage of the global workforce. In today’s day and age, with thousands of organizations looking to scale their entire workforce remotely, the need for remote access solutions is more demanding than ever. With a massive increase in users, organizations are seeing congestion and latency in network access and a lack of quality of service.  

In the past, when there were just a few remote workers in an organization, IT teams were required to designate a small amount of network access for them alone. When companies transform to a more remote workforce, organizations will need to adopt solutions that will have the capacity to support their networks and applications for everyone remotely. In the case of VPNs, network over-usage and older architecture results in slower user experience and creates headaches for IT and remote workers simultaneously. 

Additionally, the implementation of new users and networks with a VPN can take up to weeks to fully onboard, creating a major hole in the company’s network. So which kind of solutions should organizations look for when trying to scale access to remote employees?

SASE: The Scalable Model For Remote Access

Instead of thinking about how we can make the VPN more secure, flexible and scalable, we should look for a different secure remote access solution. The answer lies in SASE: Secure Access Service Edge. Unlike VPNs, SASE is a solution for the increasing demand for scalable network access. So what is SASE and why is it the answer?

SASE, which was coined by Gartner in August 2019, is the cloud architecture model that combines the different functions of network and security solutions into a unified cloud security platform. Delivered “as a service”, this platform offers scalable secure access to the organization’s resources and networks. The new model will allow organizations to simply connect and secure their networks and remote workers with a cost-effective and instantly integrated approach.

Unlike the traditional networking solutions or modern VPNs, the SASE model recommends that organizations should instead connect their employees and networks on a more user-centric level to a cloud-based service. While in the past, the majority of networks for organizations were concentrated at the central data center for user access, this didn’t provide a suitable model for remote workers. Gartner suggests that this site-centric approach is outdated and not effective as organizations are turning to edge platforms, SaaS solutions and cloud services. While the concept of organizations providing a data center for user access won’t disappear overnight, it will become less relevant as the majority of services are moving to the cloud. 

By adopting the SASE model, organizations will have a more flexible and scalable opportunity to connect remote employees to applications, cloud services, and APIs no matter their location. 

Scaling for the Future 

The SASE model for secure zero trust network access and additional vital security features provides organizations with scalability, flexibility, ROI and most important of all, secure access for their remote workforces.

When seeking the right remote access solution, look past the legacy VPN and change your approach with a more flexible and user-friendly SASE platform to secure your network, resources, and employees. 

Tightening Security on Microsoft Teams

Remember driving down to your local computer store and picking up a shiny new copy of the latest Microsoft Word? Sleek in its box, the neatly wrapped Microsoft product had both disc and license inside, but it also came with something you didn’t bargain for: responsibility for its successful, safe operation. 

As a physical offline copy, security issues in operating this relic of the past could be placed squarely on you. But now that Microsoft Word has gone through multiple cycles of product consolidation and emerged as a vital business pillar, security considerations surrounding the whole Office suite, and now Teams, deserve another look.

Microsoft Teams allows collaboration and communication across the various services that are included in Office 365. Make no mistake, Teams users can be confident in the safety of their data, but when more weight lands on the solution as a productivity cornerstone, it’s smart for organizations to supplement Microsoft’s built-in safety mechanisms.

From discs to on-demand software, the now fully-integrated nature of Teams makes it a powerful tool, but one that sits at the epicenter of a bustling cloud encapsulating both good and bad actors. 

Consolidation of Products, and of Problems

Exemplified primarily by Microsoft, products that were once sold separately eventually congeal into a single platform that offers them all as functions conveniently packaged together. This is what happened to Word, Excel, PowerPoint and other Microsoft software that turned into the Microsoft Office 365 “as a service” solution. 

With Teams, increasing sophistication and connectivity in the name of a good user experience has also created new ideas in the world of security, as most innovations do. Teams represents a single window into the virtual Office, where employees can discuss projects happening in real time, talk over chat, voice or video call, and work on shared documents together. This shiny front end doesn’t betray any backend complication, but it’s there.

For each “team” you create, the backend gets a new SharePoint site, Office 365 group and other assets in places like OneNote and more. This doesn’t include other integrations that your organization might choose, such as ZenDesk, Salesforce, Mailchimp and other popular platforms. With an impressive level of integration comes an intricately complicated environment for security professionals, especially as companies expand and lean on Teams even more. 

Licenses are online, so much of the functionality that Teams offers is available only when an organization is connected to the web. Moreover, since November 2019 Microsoft has allowed Enterprise customers to grant guest access to contractors and other non-licensed individuals who work with them. Suddenly, file sharing of sensitive documents and resources is happening outside the network and unfamiliar entrants are streaming in, so managing the chaos becomes necessary.

Integrated Solutions Beg Integrated Security

Both in how Teams is secured and used, and in the tools that IT security teams must enforce for users, care should be taken so that data inside Teams doesn’t sprawl outside of its boundaries, or alternatively, become concentrated and offer hackers a single ripe target. Much like Slack, Teams users can create different channels where they communicate about specific subjects or tasks related to this department or the other. 

While users should be encouraged to create new and different channels for their conversations, it’s crucial to maintain control and ensure that loose ends (dead, repeat, underused channels) don’t occur, and that sensitive information isn’t overly shared or replicated in multiple different places or with people who don’t need to see it.

Integrations are crucial to any organization relying on Teams, and when implemented correctly they are amazing productivity boosters. However, one of the most underestimated issues that occurs in a highly integrated environment is configuration: Sometimes the integration may work well but the most minor settings might create a security gap that leaves the network exposed. 

When many third parties are a part of your Teams installation, whether they’re services or service providers, it’s recommended to layer an extra security blanket over the whole thing. Teams has built-in two-factor authentication, and IT should require it before users are able to log in. Don’t stop there, though: extra effort should be taken to track devices and endpoints, as it will also help IT prevent downloads from Teams to unmanaged devices, or those that haven’t passed through the gates of “Zero Trust”.

Because Teams is a nucleus of business activity and by definition holds assets that might spell trouble in the wrong hands, a strict least-privilege access model should be instituted. Another integrated solution is suitable, but one that simplifies the security functions that can plug into Teams, and with a purpose to remove trust from the equation, full stop.

Teams Turns Zero Trust

In few organizations does each employee need access to the full list of functions and capabilities that Teams provides. Microsoft understands that not every employee will need access to SharePoint, for example, and supports Teams separately as a cloud app for Azure Active Directory and the conditional access policies it offers. To take advantage, however, administrators must ensure that the correct policies exist on all applications inside the Teams installation such as Exchange. 

This can take some maintenance and oversight, so it’s easier to find a more unified, seamless Zero Trust solution where all this is done from a single admin panel. Security providers pursuing the Network as a Service model are already being used for this purpose, and when integrated with Teams are able to better streamline the orchestration of necessary security tools. Network as a Service solutions reside on the network layer and therefore allow organizations to easily define custom access policies for segments of their local and cloud resources (like Teams, or parts of it). 

This way, IT controls which roles, devices, and locations are allowed into specific parts of Teams and other network areas with greater ease. Additional security tools can’t hurt, and add a safety net to Teams in a couple different ways. Though Microsoft has 2FA, Single Sign-On and the encryption of files, a wider array of options is helpful. 

Support for other MFA and SSO providers is nice, as is the option between SSL, IPSec, and WireGuard in terms of encryption, for instance. One idea which should surely not be forgotten is better network activity monitoring. This is one of the most important points for complex Teams installations: logging and monitoring are a linchpin of proactive threat detection and compliance alike.

Integrating these functions directly into Teams doesn’t complicate it. Why? Simply because they’re all offered under the umbrella of a single security provider which integrates directly into Teams and saves IT from fiddling around with different settings between Exchange, SharePoint, Word, Azure, and others. Teams is an amalgamation of multiple useful software tools, but there’s no question that productivity is the primary reason for its existence, and the fact that third-party security services improve it is neither a surprise nor a slight on its impressive reputation.

SASE: Evolving Government’s Cloud and Network Security Strategy

Even though cloud technology has become the new normal for the private sector, it has at best a tenuous grasp on government. In 2018, cloud neglect in the public sector prompted the White House to launch its “Cloud Smart” policy, designed to promote the idea that government agencies should begin adopting this useful breed of computing technology.

At the time, relevant agencies didn’t jump quickly on the opportunity due to security concerns such as data storage and the sharing of information. However, the time is now ripe. With cloud computing over a decade old and long proven as a pragmatic solution to many administrative problems, it’s time for lagging governments to bring themselves up to speed. 

Despite some public offices embracing a cloud-first approach or cloud-only policy, the majority of the United States government is woefully behind, and still in the dark about the risks and benefits that come with moving network resources to the cloud. Most concerns circle the notion of privacy or security, but these days they’re addressed more easily than they once were.

Cloud Security a #1 Priority  

In the United States, there are more than 90,000 government offices that comprise a patchwork of different approaches for cloud computing and cloud security. In most cases, local and state governments are more open to adopting cloud solutions and services as opposed to the federal government.

These government offices are finally clueing into the tangible benefits that the cloud provides: low costs, ease-of-use and higher productivity. With these advantages within reach, ensuring that preferred cloud solutions are secured has become the top priority for governments. Any and all benefits can be ignored if the implemented cloud services or solutions aren’t totally secure, and this is why analog processes have reigned supreme for so long.

As government offices begin to push their networks onto cloud infrastructure and connect them with remote workers and IoT devices, the number of endpoints that hackers can attack has climbed significantly. As we saw in March 2018, the City of Atlanta was attacked by hackers with ransomware that shut down government services for six days. The city was likely a victim of the SamSam exploit on Java-based servers, and the incident is an example of how ditching self-managed hardware for a provider’s cloud would likely add a barrier between hackers and government property.

Gov_breaches

It is also just one of many examples of how governments have become a more popular target. In response to the growing sophistication of attacks, cloud security must now go beyond malware defense, and so government IT teams are forced to look at the big picture. Instead of focusing on specific types of attacks, they need to promote efforts to gain omniscience within the network. In the past, governments tended to only pay attention to the data leaving their network perimeter, but today they need to be just as cognizant of permissioned users and data being accessed by government employees. The rise of the remote workforce has pushed visibility even further into government IT teams’ awareness.

Taking Control of the Network 

As more governments adopt network security solutions for their work environment, an increasing number of security events and alerts have overwhelmed governments’ security teams, which actually distracts from the idea of better network visibility. IT teams need to have complete knowledge of what is occurring on their network at any given time, across public and private clouds, applications running on the network, and more. Where numerous unqualified alerts create a swarm blocking proper visibility, hackers can use the hubbub to muffle their steps and make a quiet entrance into government agencies’ networks. 

To fight visibility and network control concerns, governments should adopt Security Information and Event Management (SIEM) systems. These systems accumulate the data from different sources and recognize which are outside normal parameters, and also provide an appropriate response. SIEM systems play a huge part in helping IT and security teams to detect and prevent security risks across governments’ infrastructures in an intelligent manner. 

More Solutions, More Headaches 

For any modern government cloud security strategy, it’s often recommended to implement a range of products that deal individually with a wider range of common network attacks. Until recently, this strategy worked well, but now we are seeing that it creates a bigger problem. Adding a large number of products to IT’s stack causes misconfiguration and exposed deployments of various software solutions. This, together with ensuing hybrid IT complexity, is creating a tangle of security challenges for IT teams.

This challenge has a label: “tool sprawl”. It is the idea of investing in a range of security products that work together, yet make it harder for IT teams to manage and orchestrate them in the network. In order to achieve a more flexible and productive network and cloud security strategy, governments have to move away from the multi-vendor tool sprawl approach and look to adopt a unified platform model. It’s especially true for governments that are looking to ensure the privacy and security of their data against outside threats. This is where SASE comes into play.

Perfect Cloud Security Model for Governments 

By adopting edge data security, government agencies can enhance their security hygiene with the help of quicker, integrated, and more elastic solutions that simultaneously keep government employees connected from afar. This approach has become more relevant with the introduction of Secure Access Service Edge (SASE).

Secure Access Service Edge (SASE) was introduced by Gartner in August 2019. SASE is a new cloud-based network security model that combines multiple network technologies delivered as a service, including SWG, CASB, FWaaS and ZTNA with WAN capabilities (i.e., SD-WAN) to support dynamic secure access to organizational assets. The SASE model allows government IT and security teams to easily connect and secure all of their networks and users in an agile, cost-effective and scalable way through the cloud.

By adopting a SASE platform, government offices can enable the delivery of integrated secure network security services that support digital cloud transformation, edge computing, workforce mobility, identity and access management. This new model will help governments get over the hump of doubt that has built up around the cloud. It will allow governments to manage all of their security and network solutions from one platform, fight off new threats and secure employees’ data no matter their location. On the near horizon is a cloud security strategy for the future and one that has no more relevant home than government.

The Digital Transformation Finally Comes to Security
Reading Time: 4 minutes

There are few phrases more buzzword-y than “the digital transformation”, but its broad scope means that the term has never meant a static, single thing. Digital technology is always changing, so the organizations that use it are changing as well. Going through a transformation from analog business flows to digital ones is something that started happening decades ago and we haven’t yet found the limit of this idea’s benefits, so it makes sense that there are multiple phases of digitization that have occurred over the decades.

Technology constantly gets smaller, faster, and more powerful, spilling like water into new industries and applicable ideas over time. These include infrastructure assets and machines, operations and business processes such as online payments, eCommerce, and supply chain management, and most of all organizations’ workforces by creating new roles and platforms they use to do their jobs. Much of digitization has been less about technology and more about self-reference, by cleaning up the digitization process itself and simplifying the array of vital tools and processes that pile up.

This is the theme of what is perhaps the most notable trend in the last year, and it comes from an unexpected sector.

Security a Silent Cornerstone of Digitization

In addition to incorporating the cloud into a business strategy or growing your data intelligence department, there’s a background of digitization that makes these processes easier and safer – because the risks inherent in going digital are many. The security sector exists to recognize how this new world is threatened and from where, and is important for ensuring that organizations’ digitization efforts don’t needlessly expose their data or put customers in harm’s way.

Since the 1970s, cybersecurity has been there to respond with pragmatic solutions when a growing array of technology gets ahead of itself. From the early ARPANET “creeper”, which led to the first antivirus program, and through years like 1989, which were devastated by both the first DDoS and malware attacks, it has nearly always taken some digital travesty to shed light on the security industry’s importance.

Moving storage and services into the cloud is the latest and greatest example. These days, the cloud is a cornerstone of digitization, with migration tools abounding and services like AWS and Salesforce, which come with an arsenal of useful onboarding functions, single-click business processes, storage solutions, and more.

With mobile devices and applications getting more capable, however, data moves farther than ever and changes more hands. That has given hackers a larger opportunity to steal this data, and so the security sector has had to identify where the gaps appear and how to close them to enterprising bad actors. This is hardly a surprise to those who are familiar with the idea of cybersecurity, but even IT professionals “in the know” aren’t aware of how far along this simple idea has taken digitization in 2020.

Putting Security Ahead of the Curve

Unfortunately, the limits of cloud computing have been tested recently as remote work gets infinitely more popular. In terms of both security and speed, we’ve seen online platforms overclocked and put to the test in greater numbers, and not always with stellar results for IT. The use of many business-critical services together may work, but a greater number of endpoints and carelessly strung together solutions puts even the most diligent IT teams in a bind.

Many organizations realize this, and to lighten the burden they’ve enforced the use of basic security tools like a VPN. While a VPN will raise the lowest-hanging fruit for a lazy hacker, VPNs are not perfect, and don’t make the digital transformation much easier. They just add another tool for IT to be responsible for configuring and managing, on top of storage, CRM, ERP, and other platforms. The required hardware for a VPN puts a price tag on security in terms of labor and more, and VPNs don’t perform well under the conditions that networks are currently in. IT teams are then learning more about ideas such as Zero Trust security, which lets them segment their networks into custom-sized pieces, and implement unique access policies on top of the capabilities of a traditional VPN.

SASE Reminiscent of Past Tech Consolidation

This has solved some problems but not others. Zero Trust is indeed much better for security and easily scalable, but it’s still another tool stacked on top of the network. The old problem – that knowledge workers only spend 39% of their days actually working, thanks to platform overload – isn’t solved. Teams implementing Zero Trust are indeed considered cutting edge, but the last year has brought a relevant idea into the spotlight: SASE. Billed by research firm Gartner – the acronym’s creator – as a unified network security platform, SASE merges many of the network access and security tools that IT relies on.

With CASB, FWaaS, Wi-Fi security, IPSec tunneling and encryption, multi-factor authentication and SWG all easily consumed in one place, SASE turns ideas that used to be full-fledged and separately consumed platforms into features of a single platform. This is reminiscent of what Microsoft Office 365 did in 2011 – combining multiple pieces of software into a single, cloud-based “as a Service” solution. Now that it’s happening in security, and as companies go through implementation in greater numbers, the turbulence of the last decade, rife with consecutive record-breaking data breaches, may finally be recognized as a speed bump instead of the status quo.

The 5 Most Common Mistakes That Organizations Make with SD-WAN Security
Reading Time: 5 minutes

The traditional brick and mortar, 9-5 office was previously seen as the central database for all employees trying to connect to the company’s network and resources. While this model worked in the past, currently it’s extremely outdated due to slow network connection time to data centers. Instead of placing the networks where the company is based, organizations must rethink how their network architecture needs to be designed. 

While many organizations still make the branch sites the center of networking, they should make their employees’ location the key factor of how their company’s networking should be implemented. Due to the ongoing digital and cloud transformation, employees are seeking quick access to data and company resources in their work environments, no matter their location. 

As a result of modern employees’ needs, the once traditional static MPLS connections are not the answer for today’s networking between the user and the office branch. As network technology evolved, organizations started to adopt SD-WAN solutions for quicker, more flexible, more effective, and more affordable networking.

What is SD-WAN and What are its Benefits?  

An SD-WAN, also known as a software-defined wide-area network, is a virtualized network that is abstracted from data center or branch office hardware to create an easily configurable and scalable overlay wide area network distributed across local and global sites. It’s also an application of Software Defined Network (SDN) technology that is more reliable and scalable than VPN-based WAN solutions because it takes a software-based approach to build and extend enterprise networks beyond the core SDN.

Organizations today can use SD-WAN solutions to connect branch offices to their corporate networks instead of using traditional and expensive multiprotocol label switching (MPLS) connections, firewalls or proprietary hardware.

SD-WANs offer many benefits for organizations looking to leverage the cloud ranging from network topology simplification, internet traffic prioritization, and cost reduction to scalability and integrated security. SD-WAN management solutions allow IT managers to automate deployment and configuration processes of their network which reduces the complexity of managing a WAN network. Additionally, applications can also be integrated and managed from an SD-WAN portal, further simplifying SD-WAN management.

Despite the numerous benefits and the advancement of SD-WAN solutions, most organizations leave security at the door when implementing SD-WAN solutions. 

Security is Essential for SD-WAN Success

When organizations are adopting new technologies, security is the top priority when choosing a service or solution. The same is true of SD-WAN. According to a Gartner survey, 72% of executives see security as their biggest SD-WAN concern.

As each organization implements new networking infrastructures, they need to think and prepare for the different security risks and challenges. Many of the outdated security solutions cannot address these modern security challenges. 

Adding to that problem, SD-WAN falls under most networking teams, which creates an even bigger issue where security isn’t even brought to their attention. Some might say it’s a mix of employees’ neglect or misguided advice, but it simply leaves an easy target for hackers to attack your organization’s network.

SD-WAN Security Mistakes Happen

Some might think that SD-WAN security is simple: you install the solution, it encrypts the data, and then sends it to the user from one location to the next. However, like every other cybersecurity solution, you need to strategize and instead of separating security and networking, you need to think of it as one solution where networking and security go hand in hand. Other security mistakes can and will occur.  Here are our 5 security mistakes that organizations tend to make with SD-WAN and how to fix them:

Not Including SD-WAN Security in Your Organization’s Security Strategy

One of the biggest SD-WAN security mistakes that organizations commonly make is thinking that SD-WAN security is not part of the organization’s overall security strategy. SD-WAN should not be perceived as a standalone solution and just another connectivity tool that provides a level of data encryption. SD-WAN needs to implement the advanced security policies that other networking infrastructures are implementing.  

To avoid further security risks, organizations must implement a more advanced security approach that looks past WAN capabilities and integrates policy-based control rules into their company security strategy. This new approach will allow security teams to monitor the data with a more holistic SDN managed detection response model. By prioritizing SD-WAN security and integrating it into your cloud security strategy, your organization will have an extra layer of defense when fighting off malicious actors’ attacks on your organization’s network.

Treating SD-WAN With a ‘Set It and Forget It’ Mentality

A recurring mistake we are seeing is organizations putting a new technology in place and then moving on from it. The same issue arises with SD-WAN. To steer clear of this common mistake, organizations should have an ongoing monitoring and updating strategy in place to make sure everything is going smoothly.

Adopting this always-monitoring approach with SD-WAN allows organizations to expand network visibility and properly manage their network on a daily basis. The security landscape is continuously changing and so is your SD-WAN solution, so it’s best to always stay up to date and monitor your network instead of setting it up and forgetting about it.

Encrypting SD-WAN Traffic is a Must 

A major networking challenge that organizations are experiencing is switching from an MPLS connection to a more public broadband connection. Unfortunately, this doesn’t bode well for their cloud environments and services. Due to this, more organizations are implementing SD-WAN solutions to create more private broadband connections that link the cloud resources to the organization’s main network. Adding more and new connections causes a domino effect that opens more holes in your network and opens the door to attacks.

To solve this issue, organizations need to encrypt their SD-WAN traffic to protect the critical information that is being accessed by the organization. It is recommended to adopt a SASE platform that encrypts all network traffic, making encryption a fundamental security layer in your SD-WAN solution. That extra layer of security is essential for organizations to provide a high-performance, secure network connection to their employees.

Implementing the Wrong Solution For Your Needs 

When seeking the right SD-WAN solution for your organization, you need to consider whether it is the right fit for your networking needs. Another common mistake made by organizations is deploying yet another standalone solution, or the wrong solution. When looking for a tool that helps with network visibility or device policy management, organizations need to understand whether this tool will secure their network and not complicate the already tough challenge of securing it.

Therefore, the first thing organizations need to check when considering an SD-WAN solution is whether it will easily integrate into their network and security strategy. Adopting the correct SD-WAN solution for the organization will help increase the security posture of the entire network security strategy.

Forgetting about Security Entirely

Ignoring security might be the simplest mistake that an organization can make when adopting SD-WAN solutions. While SD-WAN tends to fall under the networking teams at organizations, the idea of a cost-saving solution usually forgets to include the importance of security.  

Instead of just thinking of SD-WAN as another networking tool, organizations need to include their security teams when managing SD-WAN to ensure there is proper security in place after adopting the solution. While this common mistake is a simple one, it comes with major consequences. Implementing an unsecured solution can open the door to hackers and create major security issues for the organization’s network and critical resources.

Improving SD-WAN Security

In just over a few years, SD-WAN has shown its great value by providing a quicker and more flexible option for network transformation. Despite their continuous advancement, SD-WAN solutions don’t entirely provide protection against the more sophisticated attacks that we are seeing in today’s network environments.

Moving forward, organizations need to think about which advanced security functionalities need to be easily integrated into their SD-WAN solution instead of treating security as an afterthought. Adopting a more secure SD-WAN solution with the correct security functions integrated will help organizations detect and intercept attacks on their networks.