Business Continuity Plan Blog Post
Business Continuity Planning: 5 Actions CISOs Need to Take Now
Reading Time: 4 minutes

Organizations around the globe are engrossed in one of the major network revolutions of all time. The COVID-19 pandemic forced organizations to quickly adapt to different challenges over the past six months. With the sudden transition to working from home, organizations were required  to rethink their digital strategy in order to deal with the new normal.   

Remote work policies are changing the way we work. As new remote technology is introduced into the organization strategy, it’s important for the entire organization to understand the importance of how it affects their daily work routine. 

With the changes in technology and the location of the working environment, the organization’s management team needs to think about the different challenges facing them. One of the more important but less headline-grabbing threats that all businesses need to think about is their business continuity plans.

Business continuity is coming up with a plan for a company to deal with serious incidents and disasters in order to ensure the business can continue functioning within a reasonably short period. In the case of COVID-19, most organizations were unprepared for this unprecedented shift to remote work, something they had not previously considered and therefore not included in their business continuity plan. Too often we see business continuity plans to be over technical or high level for the casual employee which usually results in the lack of actual actionable items to implement. 

Now that we are currently over six months into the new reality and remote work is inevitable for the foreseeable future, organizations should be updating their BCPs. Chief Information Security Officers (CISO) and Chief Information Officers (CIO) have invested time and responsibility in the effectiveness of their business continuity plans. In today’s day and age, a cybersecurity strategy is an integral part of keeping businesses running while workers are remote. 

In order to gain insights into actions that CISOs can take to improve their organization’s business continuity plan, we spoke with experts who gave us their top tips. 

Be Involved In the Process But Delegate

Business continuity is an essential part of the survival planning for every business and organization. Too often it is erroneously assigned to the Information Security leader when in essence it is a business project and process that involves the key decision-makers in the C-Suite. Of course, a good CISO needs to be involved in the process, but should not own it.

“Any viable Business Continuity Plan must be tied and coordinated with a Disaster Recovery Plan. Essentially, a business must go on regardless of any type of interruption. If that requires manual systems to be brought up and be put into place, which is sometimes the case, then a good contingency plan to do this must be well-thought-out and everyone needs to know their part. Building a Business Continuity Team is the important first step and as it must include sponsors at the decision-making level. Additionally, the CISO, CIO, CFO, Legal, Human Resources, and Risk also need to be on this team.” – Richard Greenberg, Founder and CEO of Security Advisors LLC.

Make Sure Recovery Locations Are Useable

One of the biggest lessons people have learned during the pandemic is that business continuity planning needs to account for the fact that the recovery location(s) might also not be usable. The option of working from home was always viable but it was assumed by business continuity planners to be only a few employees and not the entire business. 

COVID totally put that idea out to pasture. The idea that everyone would have to work from home was a total game-changer. Organizations were caught without equipment to make WFH viable thus having to rely on bring your own device (BYOD) which brings a lot of potential risks as well as finding ways to minimize and manage those risks. Some had to re-engineer multi-factor authentication (MFA) to allow for use of Google and Microsoft Authenticator solutions by their employees. They found that their infrastructure was unable to scale, even in the cloud.” – Jeff Hall, Senior Manager of Auditwerx.

Don’t Forget Security

An effective business continuity plan enables employees to continue their work safely and effectively, no matter the circumstances. When working from home, cybersecurity should be one of the main aspects of the continuity plan. 

“To make security stringent your company should follow basic and advanced cybersecurity measures. Always prefer using a secure remote access solution as it provides you with security and privacy over the internet. Similarly, always encourage using systems issued for office work only. Additionally, make sure that your official documents are only shared with the restricted persons this way no irrelevant person will be able to open it even if it’s shared over email. “- Shahid Hanif CTO and Co-founder of Shufti Pro.

Educate Your Employees

Educating your employees about the new security protocols and technology being implemented is an integral part of business continuity. This requires more than just a single briefing, but instead, a regular and ongoing plan of educating employees. 

“With everyone working remotely, it’s a mistake to suggest that the business security only falls on the IT and security teams. Organizations should schedule a virtual security session to prepare employees with the new tools and protocols that the business has implemented. Additionally, security teams should educate employees about the different security risks and attacks that are on the rise with everyone working from home. By educating your staff you will be one step ahead of potential attacks and risks inside your organization.” – Sivan Tehila, Director of Solution Architecture of Perimeter 81.

Test Business Resiliency Capabilities

Given the new and possibly unique user requirements working from home under the current circumstances, are real-time operating systems and a recovery point objective and determined in a pre-COVID world still reasonable, logical, appropriate under the current operating conditions?

“By continuously testing your ability to recover critical business processes with your entire recovery team not being physically in the same location you will be more as a business. I suggest that you check if you can effectively coordinate your recovery team and individual assigned duties via communications tools such as Zoom and Webex. Additionally, you need to check if individual recovery team members have, at their home locations, sufficient Internet capacity to coordinate recovery activities (with multiple other company employees), while at the same time competing for local bandwidth with other in-home Internet capacity demands.” – Al Marcella, President of Business Automation Consultants.

Moving forward 

While COVID-19 will pass, the different actions and experiences can help businesses moving forward. With the right business continuity plan in place, you can provide transparency with your business in the case of recovery should another pandemic or emergency occur. The stronger the business continuity plan the fewer future headaches. 

Read More
Security Solutions Escort Banks Through the Cloud Shift
Reading Time: 4 minutes

Data is a commodity that has value just like any other: It can be used to pay for products and services (most free apps use your data in exchange for access), it can be bought and sold, and as we all know, it can change hands. Unfortunately, it doesn’t always fall into the right ones, and so for a bank – which is responsible for both our money and our priceless financial data – security is of the utmost importance.

As they say, “If it ain’t broke, don’t fix it.” So most banks having already found the right security approach for their legacy, closed off, and internal IT systems means that they are hesitant to embrace new technology – this might tip the scales in the favor of hackers. It might also make them more profitable, but upgrading infrastructure comes with new security complications that are a roadblock – because a data breach trumps any business advantage. Right now, cloud technology is in the epicenter of this dilemma.

Is the Cloud a Compromise?

If there are two sides of the fence, on one side is the cloud’s immense potential for bank customer service and competitiveness, and on the other, the need for significant investment and security due diligence that comes with any change to the status quo. The cloud can help banks diminish their core costs and overheads by eliminating hardware and the need to maintain it. It can also help to roll out new financial products and services to customers more quickly, and scale them inexpensively as demand waxes and wanes.

Despite these benefits the transition to the cloud is daunting, and outside of retail or commercial banks, it is happening at a snail’s pace. Of total spending on the cloud, banking accounts for only 10.6% in 2020, according to IDC. Reasons for hesitation include difficulties configuring cloud solutions to both work together and with legacy tools, which may create unanticipated (and intolerable) gaps in defense. Furthermore, banks may feel as if they lose control by offloading internal processes to third-party cloud providers, putting them at these providers’ mercy. Compliance is an obvious issue to be concerned about as well, and the extra degree of separation between banks and their cloud-based resources doesn’t inspire confidence at first.

This hesitation is more unfounded as time passes, however, because the cloud is changing quickly and so is the security surrounding it. For their part, banking perspectives on the issue are changing in tandem.

Lift, Shift, and Uplift

Banks can now be relatively confident that security will be tight as they embrace the cloud, since data isn’t the only thing that’s been commoditized; so has security. Cloud providers invest heavily in their defenses and for many industries, they offer greater safety out-of-the-box than customers can achieve with their own investment in IT. Banks appreciate these assurances, but still have enough at stake to need more. 

In their efforts to avoid a long and complicated process, reduce risk, and front load cloud benefits, executives sometimes see cloud adoption as an “all or nothing” idea. However, the “lift and shift” approach is getting more traction, as it moves parts of their infrastructure to the cloud in piecemeal fashion, based on the importance of the workload and other factors. Many banks are adopting this hybrid cloud model and taking their first baby steps into the 21st century, but if the piecemeal approach is going to be taken, their networks will get complicated quickly and will be in constant transformation. 

This requires a security solution that is more comprehensive than what providers offer, and one that can flex as the network perimeter shifts.

Elastic Security for an Extended Transformation

A bank requires a simple security solution that makes data protection easy, no matter how mix-and-match their infrastructure looks during the various stages of its cloud migration. While hybrid cloud models help banks meet the expectations of demanding and digitally adept customers, they also allow banks to keep sensitive processes internal, and to encourage data protection in diverse environments. Hybrid cloud security is also easier for banks to obtain these days, with SaaS security solutions that more easily integrate into both local and cloud environments.

Network as a Service products help IT professionals apply a plethora of security tools such as DNS filtering, Wi-Fi security, VPN encryption, and multi-factor authentication across the various resources that make up a bank’s network – no matter if it’s local server storage or a popular software consumed “as a Service”. The seamless level of integration covers more bases as the network slowly migrates to the cloud, but NaaS is also especially suited to the hybrid approach because it allows IT to segment the network and restrict access within it, not just into it.

Accordingly, just-migrated bank resources can enjoy multilayered security and yet also be inaccessible to only the roles (and devices) held by IT higher-ups, until they are confident that compliance is achieved. Security can be easily tuned to the changes made to a bank’s network throughout its cloud transformation, with scalable and secure access policies and a quilt of tools that will have any hacker think twice about attempting to get at its data. With time otherwise spent on maintenance, IT is freed up to pursue profit-seeking initiatives.

Security Ups Its Game for a Tough Customer

It takes a lot for banks to be confident in their security, but cloud advancements have extended to security ideas, and make upgrading infrastructure a win-win proposition. With confidence in the cloud’s compliance and safety, banks are able to morph in pursuit of better service, without concern for how customers or their data are affected. Now that this piece of the puzzle is finally in place, banks can go full speed ahead into the cloud, and soon, customers will feel the change in both better financial services and the gradual yet pronounced lack of big hacks hitting the headlines. It’s hard to estimate which will be more welcome.

Read More
FWaaS Prevents the Cloud from Going Up in Flames
Reading Time: 4 minutes

Firewalls are aptly named, because they stop the spread of flames beyond the wall, and help to preserve the building itself from falling down or burning to a crisp. The metaphor works just as well with malware defense as it does fire safety, but now that we’ve moved to the cloud en masse, “fire” can spread further and faster than ever. No longer are we protecting on-site resources. Our hardware and resources are thousands of miles away, and sometimes we don’t know if ignition has been sparked before it’s too late – for ourselves and the millions of others sharing the same cloud.

Firewall as a Service (FWaaS) has emerged to bring the concept of a firewall to the cloud, and among the other security tools that companies have relied on, it has been a helpful tool in escorting companies through a safe cloud transition free of malware and unauthorized access. But they haven’t always been as necessary as they are now. For compounding reasons, FWaaS is more than ever a mandatory component of the security toolkit in place for businesses of any size. 

Security’s Slow Cloud Transition

Resources moving to the cloud is a natural pursuit of more efficiency, which is a business staple. For organizations, it’s easier to consume storage and bandwidth as a service than it is to run the hardware supplying these things. For their part, cloud providers have also benefited immensely by switching from selling hardware to renting it over the internet. These are basic concepts to nearly everyone who has used computers in the last 20 years, but cloud computing is actually much older than we tend to realize, and this context is important to understanding the rise of FWaaS.

Though we like to think in terms of when we started uploading photos to iCloud or using Google Drive, cloud computing actually began way back in the 1950s with the first mainframe computer, and evolved from there. However, only recently have firewalls evolved alongside virtual machines and increased bandwidth availability through the internet, taking the very concept of a physical appliance, and transplanting it into cloud infrastructure.

Because security reacts to the trends happening elsewhere, and molds itself to be the antithesis to the latest attacks, it is always late to the party, and especially to the cloud as entertainment and commercial ideas took priority. This meant that firewalls weren’t on the cloud until many other things were first, so most companies still applied clunky physical appliances to their growing cloud networks. Another reason that FWaaS hadn’t appeared at the forefront of the cloud movement was because it’s purpose is to protect infrastructure, and IaaS (Infrastructure as a Service) didn’t become popular until long after SaaS.

The blooming of SaaS before IaaS was largely due to the ease with which a SaaS product can be hosted – even on a single machine under your desk – so it made sense why a physical firewall would suffice as SaaS matured. No longer. Now, the increasing embrace of IaaS and the wholesale movement of entire departments onto the cloud has meant that firewalls simply must be a part of this environment.

FWaaS is Now a Must

As companies move to the cloud, their IT teams have discovered that relying on old firewalls is more than inefficient for configuration and integration. It also reduces visibility over the network and resources within the network that are now a few degrees of separation from the office premises itself. The old perimeter guard approach, where firewalls are the sentinels standing inside the moat of the “network castle”, doesn’t work when resources are no longer inside the walls and are not thoroughly protected by cloud providers.

Moreover, a quickly-multiplying number of mobile devices are now connecting to these cloud resources, so IT teams struggle to define their network perimeter, let alone protect it. FWaaS solves this problem by integrating easily with third party cloud infrastructure, giving IT a looking glass into how users are accessing SaaS products such as Salesforce, AWS, and Google Suite, and the centralized, cloud-based access management panel for them to control traffic through these resources and fight malware.

Cloud Accelerating Changes FwaaS Too

As workers move from offices to their homes, FWaaS has become a central tool that IT teams can use to provide safer remote access. This idea hasn’t changed, but the way it’s being delivered to businesses is, as single-purpose security tools “as a Service” are going through the same cloud consolidation process that productivity and entertainment products did not long ago. Firewalls and other things like VPN tunneling and Single Sign-On are better for security in today’s mobile environment, but when orchestrated independently of one another are still risking network security.

This is why a new idea in the industry, SASE (Secure Access Service Edge) has zeroed in on FWaaS as one of its cornerstones. Security providers are racing to provide SASE platforms since Gartner introduced the idea late last year, but they must first collect and provide the tools that deliver SASE’s promise: unified network security on the cloud edge. FWaaS, CASB, SWG, MFA, VPN, and other security services are part of this single unified platform. FWaaS is one of the most important pieces of the SASE puzzle and one of its core functions, because it has a unique job that other components can’t do.

Thanks to growing SASE platforms like Perimeter 81 and the FWaaS functionality provided as part of this consolidated, cloud-native offering, organizations are able to aggregate their traffic effectively from all resources and enjoy total visibility across them, with no hardware involved. Though it’s true that the acronym FWaaS is now standing in SASE’s immense four-letter shadow, it cannot be discounted.

Because even alone, FWaaS has merit when paired with some other basic security tools like VPNs. Companies with simpler networks, a few SaaS resources, and smaller teams can rely on a basic setup like this to mime the cloud security chops of SASE until growth demands an even more scalable solution. FWaaS is central to a safe future on the cloud any way you slice it, and will 

Read More
Can SASE Reinforce Remote Voting?
Reading Time: 4 minutes

The risks behind remote voting

Election interference is the new normal, or perhaps it quietly has been for some time now. Until recently, though, it has escaped the limelight because the process of voting in most places has barely changed since the dawn of democracy. People show up their designated voting booth, wait in line, verify their identities and cast their ballots – but in the era of COVID-19 this idea is more complicated than it once was – and also more compromised. 

Obviously, the ideals of democracy must be upheld even during a pandemic in which the pathogen at large is airborne, and people must be empowered to vote even if they aren’t able to stand in line. Especially as an important US Presidential election approaches at the end of the year, the idea of remote voting has emerged as a potential solution to the obstacles put in its place by coronavirus – but solutions must also be found for securing the remote vote itself.

A Rocky Start to Remote Voting

Rather than mail-in ballots, which require immense administrative efforts to corral, count, and authenticate, remote voting would entail using technology to mimic the same processes but in a streamlined digital manner. In the midst of COVID-19, governments have already embraced digital alternatives for physical processes steeped in tradition and respect – just look at the testimony of Dr. Anthony Fauci, who recently appeared in front of the Senate via Zoom.

Thanks to H.R. 965, which was passed in mid-May during the throes of the pandemic, members of the House have been alpha testing remote voting at a very small scale. While Senators must still show up and have their Yeas and Nays tallied on paper, House members are able to send in their votes via encrypted email and have them counted. This is still an early and rudimentary solution, and there’s no doubt that rolling out digital voting to the greater USA or even individual States would require something much more complex.

So far, some States are experimenting with digital voting, but they are doing so against the advice of Homeland Security’s recent report, which highlights remote voting as extremely high risk. This is no doubt a remnant of 2016, when hackers successfully breached online voter registration systems in an attempt to sway results of the election – or simply to test the water in advance of the “real” interference attempts which are soon to come. The wagons haven’t circled yet, and any efforts to advance remote voting efforts now are as undefended as they were then.

Remote is a (Necessary) Risk

Evidence points to the fact that the varied and disparate digital systems that already exist can’t be capably secured, meaning any attempts to institute remote voting will be built on a flimsy foundation and cause even more trouble. This would create an untenable situation in which both election results and faith in the system can be challenged, so any efforts to help US citizens vote from afar must also come with accompanying security technology.

Attempts to secure local and state voter registration systems so far have focused on the lowest-hanging fruit: patching software and hardware, and “backing up” incoming digital votes by writing them down on paper. This approach is smart, because it’s often the most basic exploits that hackers use to disrupt the voting process. The remote voting apparatus, in the States where it currently exists such as Delaware and West Virginia, is extremely flimsy and reliant on a stack of tools that are each capable of being compromised in different ways.

Hackers don’t necessarily need to infiltrate systems and change votes themselves, they can simply disrupt the process by deleting or multiplying votes, adding false data, compromising signature-verification software, or overloading them via DDoS. This can occur for the ballots, voting machines, Secretary of States or registration websites, and other weak links in the chain. Accordingly, the entire voting flow must be secured from the moment a citizen logs on, through the verification process and until the final vote is tallied.

SASE a Secure Voting Solution

Remote voting is coming whether we’re prepared for it or not, because if you ask election officials, it’s more important to re-enfranchise those who are disenfranchised than it is to secure the systems we use to accomplish it. Though problems are bound to arise, given that in classic federal government style it’s up to individual States and the agencies within them to choose relevant security vendors and solutions, a new type of unified product is emerging that will kill many of these issues with one stone.

Coined by research firm Gartner, SASE is a cloud-based security product that by nature is capable of being integrated directly into all resources in use across government offices, regardless of where they are physically. It essentially weaves an impressive array of different networking and security solutions into each resource deployed in the digital voting process, ensuring that participatory voters and officials across the country are protected, given custom access privileges, and closely monitored for suspicious activity.

If a SASE product is deployed then the State of Florida, for example, could mandate that voters logging into whichever voting application Florida chooses will first need to authenticate with 2FA. During the vote, a SASE product would encrypt the voter’s connection to State applications with IPSec tunnelling, and even automatically disconnect them from the internet if the application should fail. Because SASE is both ubiquitously integrated and built on software-defined architecture, officials tallying votes and doing other administrative election work could be assigned role, location, and even device-specific least-privilege access policies which would limit the attack surface for hackers.

Elections to Evolve in the Near Future

If government IT teams match the variety of remote voting hardware and software with a similarly disparate selection of security tools, then their efforts will be further distracted from ensuring an accurate vote and go instead towards managing their teetering software stack. What’s necessary is one security solution encompassing all tools that States need to protect their voters, and one that fits natively into the systems they’ve already begun implementing and is therefore easily onboarded as other States come “online”. 

SASE looks to be a promising contender, though the security industry has some catching up to do before it’s ready for elections. That’s alright, because poorly deployed security would do more harm than good, and it’s important to be airtight: The point of elections isn’t to pick the winner but to remove any doubt in the mind of the loser that results can be argued. For this reason a robust and proven security solution is necessary if remote voting is to be the status quo.

Read More
Tightening Security on Microsoft Teams
Reading Time: 4 minutes

Remember driving down to your local computer store and picking up a shiny new copy of the latest Microsoft Word? Sleek in its box, the neatly wrapped Microsoft product had both disc and license inside, but it also came with something you didn’t bargain for: responsibility for its successful, safe operation. 

As a physical offline copy, security issues in operating this relic of the past could be placed squarely on you. But now that Microsoft Word has gone through multiple cycles of product consolidation and emerged as a vital business pillar, security considerations surrounding the whole Office suite, and now Teams, deserve another look.

Microsoft Teams allows collaboration and communication across the various services that are included in Office 365. Make no mistake, Teams users can be confident in the safety of their data, but when more weight lands on the solution as a productivity cornerstone, it’s smart for organizations to supplement Microsoft’s built-in safety mechanisms

From discs to on-demand software, the now fully-integrated nature of Teams makes it a powerful tool, but one that sits at the epicenter of a bustling cloud encapsulating both good and bad actors. 

Consolidation of Products, and of Problems

Exemplified primarily by Microsoft, products that were once sold separately eventually congeal into a single platform that offers them all as functions conveniently packaged together. This is what happened to Word, Excel, PowerPoint and other Microsoft software that turned into the Microsoft Office 365 “as a service” solution. 

With Teams, increasing sophistication and connectivity in the name of a good user experience has also created new ideas in the world of security, as most innovations do. Teams represents a single window into the virtual Office, where employees can discuss projects happening in real time, talk over chat, voice or video call, and work on shared documents together. This shiny front end doesn’t bely any backend complication, but it’s there. 

For each “team” you create, the backend gets a new SharePoint site, Office 365 group and other assets in places like OneNote and more. This doesn’t include other integrations that your organization might choose, such as ZenDesk, Salesforce, Mailchimp and other popular platforms. With an impressive level of integration comes an intricately complicated environment for security professionals, especially as companies expand and lean on Teams even more. 

Licenses are online, so much of the functionality that Teams offers is largely available when an organization is connected to the web. Moreover, since November 2019 Microsoft has allowed Enterprise customers to grant guest access to contractors and other non-licensed individuals who work with them. Suddenly, file sharing of sensitive documents and resources is happening outside the network and unfamiliar entrants are streaming in, so managing the chaos becomes necessary.

Integrated Solutions Beg Integrated Security

Both in how Teams is secured and used, and in the tools that IT security teams must enforce for users, care should be taken so that data inside Teams doesn’t sprawl outside of its boundaries, or alternatively, become concentrated and offer hackers a single ripe target. Much like Slack, Teams users can create different channels where they communicate about specific subjects or tasks related to this department or the other. 

While users should be encouraged to create new and different channels for their conversations, it’s crucial to maintain control and ensure that loose ends (dead, repeat, underused channels) don’t occur, and that sensitive information isn’t overly shared or replicated in multiple different places or with people who don’t need to see it.

Integrations are crucial to any organization relying on Teams, and when implemented correctly they are amazing productivity boosters. However, one of the most underestimated issues that occurs in a highly integrated environment is configuration: Sometimes the integration may work well but the most minor settings might create a security gap that leaves the network exposed. 

When many third parties are a part of your Teams installation, whether they’re services or service providers, it’s recommended to layer an extra security blanket over the whole thing. Teams has built-in two-factor authentication, and IT should require it before users are able to log in. Don’t stop there, though, extra effort to track devices and endpoints should be taken as it will also help IT prevent downloads from Teams to unmanaged devices, or those that haven’t passed through the gates of “Zero Trust”. 

Because Teams is a nucleus of business activity and by definition holds assets that might spell trouble in the wrong hands, a strict least-privilege access model should be instituted. Another integrated solution is suitable, but one that simplifies the security functions that can plug into Teams, and with a purpose to remove trust from the equation, full stop.

Teams Turns Zero Trust

In few organizations does each employee need access to the full list of functions and capabilities that Teams provides. Microsoft understands that not every employee will need access to SharePoint, for example, and supports Teams separately as a cloud app for Azure Active Directory and the conditional access policies it offers. To take advantage, however, administrators must ensure that the correct policies exist on all applications inside the Teams installation such as Exchange. 

This can take some maintenance and oversight, so it’s easier to find a more unified, seamless Zero Trust solution where all this is done from a single admin panel. Security providers pursuing the Network as a Service model are already being used for this purpose, and when integrated with Teams are able to better streamline the orchestration of necessary security tools. Network as a Service solutions reside on the network layer and therefore allow organizations to easily define custom access policies for segments of their local and cloud resources (like Teams, or parts of it). 

This way, IT controls which roles, devices, and locations are allowed into specific parts of Teams and other network areas with greater ease. Additional security tools can’t hurt, and add a safety net to Teams in a couple different ways. Though Microsoft has 2FA, Single Sign-On and the encryption of files, a wider array of options is helpful. 

Support for other MFA and SSO providers is nice, as is the option between SSL, IPSec, and WireGuard in terms of encryption, for instance. One idea which should surely not be forgotten is better network activity monitoring. This is one of the most important points for complex Teams installations: logging and monitoring is a lynchpin to proactive threat detection and compliance alike. 

Integrating these functions directly into Teams doesn’t complicate it. Why? Simply because they’re all offered under the umbrella of a single security provider which integrates directly into Teams and saves IT from fiddling around with different settings between Exchange, SharePoint, Word, Azure, and others. Teams is an amalgamation of multiple useful software tools, but there’s no question that productivity is the primary reason for its existence, and that third-party security services improve it is neither a surprise nor takes from its impressive reputation.

Read More
SASE_Gov
SASE: Evolving Government’s Cloud and Network Security Strategy
Reading Time: 4 minutes

Even though cloud technology has become the new normal for the private sector, it has a less than tenuous grasp on government. In 2018, cloud neglect in the public sector prompted the White House to launch its “Cloud Smart” policy, designed to promote the idea that government agencies should begin adopting this useful breed of computing technology. 

At the time, relevant agencies didn’t jump quickly on the opportunity due to security concerns such as data storage and the sharing of information. However, the time is now ripe. With cloud computing over a decade old and long proven as a pragmatic solution to many administrative problems, it’s time for lagging governments to bring themselves up to speed. 

Despite some public offices embracing a cloud-first approach or cloud-only policy, the majority of the United States government is woefully behind, and still in the dark about the risks and benefits that come with moving network resources to the cloud. Most concerns circle the notion of privacy or security, but these days they’re addressed more easily than they once were.

Cloud Security a #1 Priority  

In the United States, there are more than 90,000 government offices that comprise a patchwork of different approaches for cloud computing and cloud security. In most cases, local and state governments are more open to adopting cloud solutions and services as opposed to the federal government.

These government offices are finally clueing into the tangible benefits that the cloud provides: low costs, ease-of-use and higher productivity. With these advantages within reach, ensuring that preferred cloud solutions are secured has become the top priority for governments. Any and all benefits can be ignored if the implemented cloud services or solutions aren’t totally secure, and this is why analog processes have reigned supreme for so long.

As government offices begin to push their networks onto cloud infrastructure and connect them with remote workers and IoT devices, the number of endpoints that hackers can attack has climbed significantly. As we saw in March 2018, the City of Atlanta was attacked by hackers with ransomware that shut down government services for six days. Likely a victim of the SamSam exploit on Java-based servers, this is an example of how ditching self-managed hardware for a provider’s cloud would likely add a barrier between hackers and government property.

Gov_breaches

It is also just one of many examples for how governments have become a more popular target. In response to the growing sophistication of attacks, cloud security must now go beyond malware defense, and so government IT teams are forced to look at the big picture. Instead of focusing on specific types of attacks, they need to promote efforts to gain omniscience within the network. In the past, governments tended to only pay attention to the data leaving their network perimeter, but today they need to be just as cognizant of permissioned users and data being accessed by government employees. The rise of the remote workforce has pushed visibility even further into government IT teams’ awareness.  

Taking Control of the Network 

As more governments adopt network security solutions for their work environment, an increasing number of security events and alerts have overwhelmed governments’ security teams, which actually distracts from the idea of better network visibility. IT teams need to have complete knowledge of what is occurring on their network at any given time, across public and private clouds, applications running on the network, and more. Where numerous unqualified alerts create a swarm blocking proper visibility, hackers can use the hubbub to muffle their steps and make a quiet entrance into government agencies’ networks. 

To fight visibility and network control concerns, governments should adopt Security Information and Event Management (SIEM) systems. These systems accumulate the data from different sources and recognize which are outside normal parameters, and also provide an appropriate response. SIEM systems play a huge part in helping IT and security teams to detect and prevent security risks across governments’ infrastructures in an intelligent manner. 

More Solutions, More Headaches 

For any modern government cloud security strategy, it’s often recommended to implement a range of products that deal individually with a wider range of common network attacks. Until recently, this strategy worked well, but now we are seeing that it creates a bigger problem. Adding a large number of products to IT’s stack causes misconfiguration and exposed deployments of various software solutions. This, together with ensuing hybrid IT complexity, is creating a tangle of security challenges for IT teams.

This challenge has a label; “tool sprawl”. It is the idea of investing in a range of security products that work together, yet make it harder for IT teams to manage and orchestrate them in the network. In order to achieve a more flexible and productive network and cloud security strategy, governments have to move away from the multi-vendor tool sprawl approach and look to adopt a unified platform model. It’s especially true for governments that are looking to ensure the privacy and security of their data against outside threats. This is where SASE comes into play.  

Perfect Cloud Security Model for Governments 

By adopting edge data security, government agencies can enhance their security hygiene with the help of quicker, integrated, and more elastic solutions that simultaneously keep government employees connected from afar. This approach has become more relevant with the introduction of Secure Access Service Edge (SASE).

Secure Access Service Edge (SASE) was introduced by Gartner in August 2019. SASE is a new cloud-based network security model that combines multiple network technologies delivered as a service, including SWG, CASB, FWaaS and ZTNA with WAN capabilities (i.e., SD-WAN) to support dynamic secure access to organizational assets. The SASE model allows government IT and security teams to easily connect and secure all of their networks and users in an agile, cost-effective and scalable way through the cloud.

By adopting a SASE platform, government offices can enable the delivery of integrated secure network security services that support digital cloud transformation, edge computing, workforce mobility, identity and access management. This new model will help governments get over the hump of doubt that has built up around the cloud. It will allow governments to manage all of their security and network solutions from one platform, fight off new threats and secure employees’ data no matter their location. On the near horizon is a cloud security strategy for the future and one that has no more relevant home than government.

Read More
Cloud Policies
Why Your Organization’s Security Strategy Starts with a Cloud Security Policy
Reading Time: 4 minutes

The IT industry has made significant strides with cloud computing security and many organizations remain anxious about emerging cloud security risks. A new generation of malware and hacking techniques continue to threaten different organizations’ data and apps on the cloud. We are seeing many different cloud security vulnerabilities being introduced through bringing your own device (BYOD) risks, web application risks and incomplete cloud visibility. 

To fight off these cloud risks, organizations need to act quickly to seek the cloud’s advantages while maintaining control over their assets. So how do organizations grow with the cloud and ensure they’re acting responsibly when it comes to cloud security? 

The Cloud is Not as Secure as You Think

When we think of cloud security, the first thing that comes to mind is data loss but that is the wrong way to think about it. When organizations implement different cloud services, one of the main security factors that is focused on is if the network and resources are safe. Instead, we should be additionally focusing more on how employees are using cloud services. One of the lesser-known challenges with the cloud is if your team is implementing and taking the appropriate cautionary steps when deploying resources.

Organizations need to implement different cloud security tools that encrypt data and access control and implement organization-wide cloud policies. By implementing these tools they will fix or play safeguard with the appropriate amount of cloud security hygiene. But at the end of the day, it all starts with a strong cloud security policy.

What is a Cloud Security Policy?

With the increasing global adoption of cloud computing, having a cloud security policy is essential for every organization. Cloud security policies are the guidelines under which companies operate in the cloud, often implemented in order to ensure the integrity and privacy of company-owned information.

When most organizations migrate to the cloud, they often mistakenly indicate that the current security policy will cover the cloud security rules in their policy. While there is some sense to this, it’s rather lacking and it can create specific holes exposed to potential risks. However, organizations need to consider incorporating the importance of cloud security into their existing security policies and standards. A cloud security policy needs to be flexible and interchangeable in order to meet the new security rules of the organization. 

Your policy must be simple to understand by all of your employees. In order to keep training costs down, it’s best to avoid overcomplication and technical complexity in the policy. The best security policy will be one that is clear and concise. Don’t be afraid to state the obvious, as that way nobody can claim to have missed the point. Every cloud security policy should start with a definition of intent, which clearly outlines the whole point of the policy. 

The Key Principles of a Successful Cloud Security Policy 

The policies for your organization’s cloud security must come from all corners of an organization; from your developers, security team, management team, and so on. These policies are the basis for all cloud security planning, design and deployment. These policies should be able to provide direction on how the issues should be handled and what are the best technologies to be used. 

While security policies are very easy to decide on, the main issue is to implement them properly. The organization’s security policies depend on the different content on which they are implemented. These security policies of an organization are required to protect the cloud security of an organization.

Here are the key principles of successful cloud security policies that you can implement at your organization:

Implementing Security Awareness Program

Educating users on the need for security is important as it will help them understand the importance of cloud security, and how it will benefit them in their daily work. Implementing a security awareness program is a major step with your cloud security policy. 

The program should explain why security is everyone’s responsibility and show the users about their role in maintaining security. This is because people often tend to think that only the security team’s responsibility in protecting the security of their company.

Clear Communication

Once an organization has implemented the policy, it has to be clearly communicated to all the people responsible for enforcing and complying with it. It can include employees, service providers, and other relevant users. 

The policy can be introduced to the employees during their start at the organization and incorporated into the company’s Employee Handbook. A key part of the communication process is to establish a record that those involved have read, understood, and agreed to abide by the policy. It is a challenge to ensure that users understand and accept the policy that governs them. A clear, concise, coherent, and consistent policy is more likely to be accepted and followed.

Authorized Access Regulations

To prevent any unauthorized access to your cloud network environment or cloud resources, organizations need to implement precise access control regulations internally. By implementing access regulations it will prevent potential holes in your organization’s network on the cloud. 

By implementing these regulations in your cloud security policy you will be only giving access to the users that actually need access for their day to day job. The policy should include authentication protocols, identity and authorization management, authorization, and authentication protocols, like in the Zero Trust security model.

Encrypting Cloud data

When creating a cloud security policy one of the most important sections has to be data encryption. By enforcing cloud data encryption, organizations will be more secure knowing that only authorized users will be able to access sensitive data and cloud resources. Additionally, organizations should encrypt data and cloud resources that are being uploaded to the cloud to ensure that they are secure and protected.  

We recommend that you schedule a monthly data encryption update to make sure that your data and resources on the cloud are secure and protected.

Monitoring your cloud environment

Monitoring is a critical component of cloud security policy. By implementing automated tools helps your organization get a macro view of your entire network. Cloud monitoring provides an easier way to see different activity patterns and any potential vulnerabilities in your network on the cloud.  By implementing an effective cloud monitoring solution it will put the organization’s security and compliance team at ease knowing there is a system in place. 

An organization’s cloud security policy can be a decisive factor when deciding the right direction by implementing different cloud services and resources. However, it shouldn’t change the organization’s mission. With that in mind, it’s important to create an employee-friendly cloud security policy that is aligned with an organization’s culture and helps the employee work more smoothly without interfering with their day to day work environment. In conclusion, a more complete cloud security policy will keep your company safe but don’t forget the policy starts with your employees. 

Read More
Cloud Security_5_Steps
5 Steps to Improving Your Cloud Security
Reading Time: 4 minutes

The adoption of the cloud has come a long way in the past decade. In the early 2010s “The Cloud” was initially introduced as a buzzword, but today most organizations are employing the cloud for their business. Seventy-two percent of all businesses globally are dependent on some form of the cloud in their daily work life and that number will increase even more for personal use. The adoption of the cloud is changing the way businesses and organizations are running globally as everyone and everything is becoming dependent on technology.

The cloud market is estimated to be worth $411 billion by 2020 and the number will only continue to increase with more and more organizations moving from on-premise to the cloud. 

While cloud usage is rapidly increasing, one of the major concerns for all organizations with the adoption of the cloud is security. Every year we are seeing a continuous increase in the number of cloud-related security breaches leading organizations to carefully contemplate whether to adopt cloud services or stay on-premises.

In the early years of cloud adoption, the cloud was less secure than we know it today. However, service providers have learned from their past mistakes and implemented new security features that can fight off different cloud risks. Better security tools and processes have been developed to make the cloud safer than on-premises solutions in many cases, but for complete cloud security, organizations need to emphasize the priority of cloud security. 

Security Has to Become a Priority 

Organizations are stepping up their adoption of cloud services and are becoming more at ease and familiar with the importance of working securely in the cloud. The reasoning behind the increasing adoption of cloud services is that organizations are implementing the common shared-responsibility model of cloud security which is the idea that organizations and their cloud service providers are in agreement to split up different responsibilities for the cloud deployment. The cloud provider will be responsible for cloud deployments such as networks and operating systems and the organizations will be responsible for the rest. Yet working with well-known cloud providers doesn’t always mean that your cloud resources are secure. It is extremely important for organizations to invest in cloud security in order to avoid security risks in their network and to defend against internal and external cloud threats. However, while this is an obvious priority for security teams, it also needs to become a priority for all employees.

The decision-makers need to have a better understanding and commitment to the importance of cloud security. Instead of just delegating every security risk to the security team, it has to become a decision maker’s issue as well because the result of failure can potentially collapse a business. Any organization may be only a data breach away from catastrophe.

5 Steps to Improving Your Cloud Security 

With the constant threats against networks and web applications increasing, it’s time for a refresher on how to secure your organization’s cloud security in just five steps.

Deploying Authentication Tools

Adopting a multi-factor authentication solution inside your organization provides another layer of security by challenging users to prove they are who they say they are. It provides IT security teams with broad visibility into the organization’s network and application. 

Encouraging your employees to sign in with one or more extra authentication tools on top of their username/password is a simple and efficient way to provide an additional layer of protection.  

Manage Your User Access

Most of your employees won’t need access to every application, resource or critical information belonging to your organization. Setting proper levels of authorization ensures that each employee can only have access and work on the applications or resources necessary for them to do their job.

Stolen user accounts are major concerns for organizations’ cloud security. This headache can be fixed if we limit what users can access. So even though we still require verification for every user, by providing employees with a minimal level of privileges, this will make it harder for hackers to access the organization’s critical resources and networks.

Monitoring User Network Activities

Real-time monitoring and analysis of network users’ activities can help you point out anomalies from the normal activity patterns of your employees. For example, unknown users logging in from unauthorized devices, IP addresses, locations and more.

Logging user data will allow you to prove to auditors that your networks and applications are secure and you can provide a full activity report at any given time and location in case of a serious breach. These irregular activities could display a potential breach in your system, and discovering them early on will allow you to fix security issues.

Encrypt Your Data

By failing to encrypt sensitive data you risk putting both your organization and customers at risk. It is the responsibility of the cloud provider to make sure that data is encrypted, and that the data can be properly decrypted once it’s taken from the cloud. 

IT teams should have the encryption and decryption keys in a secure location, and they should never be stored with the data on the cloud. This encrypted data is very hard to crack, especially if the cloud provider and organization use different encryptions on the data.

Educate Your Team 

One of the key steps for better cloud security is to educate employees. Human error accounts for 90% of data breaches and it can be very easy to accidentally introduce malware into an organization’s network. It is important to train employees on security policies and to explain the rationale behind those policies.

Employees won’t care about creating a strong password or watching for phishing emails if they don’t understand the risks behind them. You don’t need to teach employees about every technical detail in security protocols, but they should know which risks can impact their jobs. Organizations should frequently run training sessions to keep their employees up to date with security best practices. 

Secure Networks with Cloud Security

Improving your cloud security starts with prioritizing the importance of cloud adoption and the correct security hygiene throughout the organization. Start with adopting a Zero Trust Network as a Service that incorporates the Software-Defined Perimeter model such as Perimeter 81, which allows you to deploy authentication tools, manage user access and monitor network activities in all in one platform.

Your cloud security strategy should be flexible and upgraded to cope with the different security threats. By implementing the 5 steps above and utilizing a Zero Trust Network as a Service, your organization will have a more complete and secure cloud security.

 

Read More
Capitol One Breach
The Capital One Data Breach: How Crisis Could Have Been Averted
Reading Time: 3 minutes

One of the largest hacks in 2019 was made by a former Amazon employee who stole credit card data, including 80k bank account numbers and 140k Social Security numbers affecting millions of Americans and Canadians. Here’s how this crisis could have been averted.

The largest category of information which was accessed is related to consumers and small businesses who applied for credit cards between 2005 and early 2019, according to a statement from Capital One. 

The stolen information included names, addresses, postal codes, phone numbers, email addresses, dates of birth, and self-reported income, as well as other bits of important data that may be used by criminals to carry out fraud. 

Who Let the Data Out?

The cause of the breach was a cloud firewall configuration vulnerability, which Capital One said it has since fixed. The unauthorized access took place on March 22-23, 2019 when the attacker exploited a firewall misconfiguration which permitted commands to reach the impacted server. 

This exploit allowed a hacker to execute a series of commands on the bank’s servers. Once through the perimeter, the intruder commandeered the credentials for an administrator account, gaining access to Capital One’s data stored on their AWS servers. The file contained code for three commands:

The first command obtained security credentials from an administrator account that had access for web application firewalls. The second listed the number of buckets or folders of data in an Amazon Web Services (AWS) database. The final command by the hacker was to copy the data from the Capital One repository. After successfully exfiltrating the data from Capital One’s servers, the hacker posted the stolen data to GitHub for a brief while before dropping a dime on herself on Slack. Despite her use of tools aimed at keeping her anonymous, it created a digital trail for their potential arrest. 

Is Capital One to Blame? 

Data breaches on cloud storage services are occurring more often, primarily because more companies are using the cloud and attackers are seeing this as a fruitful platform. Despite the migration to cloud services, companies are still responsible for their own security even on the cloud. When implementing a cloud storage service there are many financial and logistic benefits but companies must not forget the importance of cloud storage security. 

There is no denying that cloud computing is the way of the future, but when financial institutions that house so much sensitive customer data approach the cloud, implementing the proper security measures is an absolute must. In the case of the Capital One breach, despite being cloud innovators, security wasn’t up to par.   

Capital One has been a major advocate in the banking world for cloud services. The company is migrating more of its applications and data to the cloud and plans to be done with its data centers by the end of 2020. Other financial institutes have been more cautious of implementing cloud services, largely for security reasons.

Cloud-hosting services such as AWS are very appealing to companies looking to cut costs as data centers carry a hefty price tag, often tens of millions of dollars. When it comes to data security, AWS, like most providers, the cloud storage model is the Shared Security Responsibility model. This assures certain layers of infrastructure and software security, but the customer is ultimately responsible for how data is used and accessed.

Clearly, there were mistakes with how Capital One was protecting this AWS bucket as it appears someone was able to access the data it contained pretty easily. The Capital One breach is proof that companies have a lot to learn when it comes to deploying security technology effectively and especially the importance of access to cloud storage must be defended and protected by adopting security strategies like a AWS security solution.

Stay on Top with Secure Network Access 

Many organizations still rely on outdated hardware-based VPN technology with a distributed management system and other complicated client applications. These systems are complex, costly, require extensive management, and most notably, they are not cloud-friendly.

Access to cloud storage must be defended and protected by adopting security strategies, like the Zero Trust security model, which enforces multiple layers of verification before granting resource access. Furthermore, this breach highlights the need to embrace cloud-compatible cybersecurity solutions. 

To prevent similar risks such as the Capital One breach, organizations should use Software-Defined Perimeter technology and the Zero Trust model or SASE to close their cloud environments and SaaS services so that they can only be accessed by authorized devices, users and locations.

The shift to the cloud is inevitable, so it is key that financial institutions also adopt cybersecurity services that are well designed to integrate with major cloud providers. Our Zero-Trust Network Access solution allows direct access to cloud resources and applications while evaluating the user permissions and related metadata. With Perimeter 81, organizations can ensure that only authorized connections are being established while leaving their cloud environments completely hidden from attacks.

To learn more about Perimeter 81’s Zero Trust Network as a Service be sure to request a complimentary demo.

Read More
How to Improve Cloud Security and Productivity Through IP Whitelisting
Reading Time: 4 minutes

Manually whitelisting IP addresses can be a time-consuming process that needs constant management which is why utilizing a service that does this for you can boost employee productivity and improve cloud security.

IP whitelisting allows IT administrators to assign any team member a single, static outgoing IP address. This capability enables new types of cloud and on-premises configurations that are only possible with static IP addresses.

Instead of blocking access to identified risks and threats, such as in the case of blacklisting applications, web pages or IP addresses, IP whitelisting allows you to identify and permit access to trusted resources. By whitelisting IP’s, you are granting only trusted users within a specified IP address range permission to access specific domains or network resources such as emails, applications, URLs or more.

However, manually whitelisting IP addresses can be time-consuming and requires constant management. Here’s how you can automatically whitelist IPs so that you can boost employee productivity and improve cloud security for your entire network.

Whitelisting Usage and Benefits

Implementing IP whitelisting not only improves security but also promotes a more productive workforce by providing a secure and easy way for users to access private network resources from both personal and corporate mobile devices.

  • Improve Cloud Security
    By implementing IP whitelisting, you can improve system security by preventing unauthorized access to your account. If someone tries to access your network with an IP address that isn’t whitelisted, they will be denied access. With Perimeter 81, we provide IT administrators and owners the ability to define user access for every employee in the network, group them with users of similar access limits, and automatically whitelist the group’s IP address.
  • Increase Productivity
    Without a service like Perimeter 81 to whitelist IP addresses for you, IT administrators are left to manually whitelist IP addresses for users, websites, and other gated resources which can take a significant amount of time. With whitelisting, businesses can also limit access to unsecured or distracting sites that can reduce productivity and cut into profits. In fact, 50 percent of businesses take whitelisting very seriously because of these reasons.
  • Secure Remote Access
    Whitelisting enables organizations to secure remote access to the network, including BYOD (Bring Your Own Device) that allow employees to utilize their own devices. With remote access security, businesses can mitigate both cloud and on-site risks that could negatively impact your company’s projects or profits.

How to Whitelist IPs with Perimeter 81

Utilizing Perimeter 81’s secure network access service, all Internet traffic is fully secured and encrypted. Using the unified management portal, IT administrators can easily block out threats, grant user access to approved resources and automatically whitelist specific IP addresses.

How it Works

Perimeter 81’s private gateway feature provides IT administrators with the power to whitelist IP addresses, thereby enabling all team members to share a single, static outgoing IP address accessible by your organization or partners. For example, remote users can always connect to the Perimeter 81 private gateway first, then have their IP address whitelisted.

With Perimeter 81, you can give each user access to the necessary resources they need from any IP address by assigning users to groups. Each user signs in via Identity Provider integration, username and password, and/or two-factor authentication and is then able to access resources according to the roles and permissions assigned to them. This keeps IT administrators from having to manually whitelist every user’s IP address.

After the whitelist is configured with users and permissions, the user list should be audited on a routine basis as employees are hired and leave companies on a regular basis. In addition, partners that access IP whitelisted resources come and go and IT administrators should have full user access visibility through IP whitelisting.

Perimeter 81 IP Whitelisting in the Cloud

Because remote users can always connect to a gateway first and then have their IP address whitelisted to a security group, cloud service platforms including AWS, Azure, Office Firewall, SalesForce, or Zendesk can all be configured to work with Perimeter 81.

Using AWS, for instance, inbound traffic from Perimeter 81 to AWS can be authorized by whitelisting the Perimeter 81 Private Network IP address to your Security Groups (AWS Virtual Firewall).

AWS Security Groups enable the control of IP traffic to your instance, including traffic that can reach instances and services both in the cloud and on-premises. To whitelist IPs, you can allow computers from only your Perimeter 81 Private Server to access your instance using SSH, or use a web server that allows all IP addresses to access your instance using HTTP or HTTPS, so that external users can browse the content on your web server only once connected to Perimeter 81.

Example: How to Whitelist IPs in AWS

Following is a walkthrough of how to use AWS Security Groups to enable the control of traffic to an AWS instance, including traffic that can reach both instances and services:

  • Step 1: Create a Private Network IP Address
    First, create a Perimeter 81 Private Server and then obtain its static public IP address..
  • Step 2: Add an EC2 Security Group Rule  
    Add an EC2 Security Group Rule for Inbound Traffic from Perimeter 81 to the required resources by whitelisting access to the Perimeter 81 Private Network to other instances, databases and related security groups.

    • In the navigation pane of the Amazon EC2 console, choose Security Groups.
    • For every security group you’d like to allow secured access over your Perimeter 81 Private Network, add an Inbound Rule:
      • Specify the related Type (ALL TRAFFIC, SSH, HTTP/HTTPS etc..).
      • Under the Source, enter the Perimeter 81 Private Network IP address including the subnet mask. For example, for IP address 129.42.24.22, enter 129.42.24.22/32 (CIDR notation).
      • Click Save.

Whitelist IP - Perimeter 81

Add access from Perimeter 81 Private Network to your AWS Environment, Instances or databases

Whitelisting Isn’t the Full Solution

For most businesses, whitelisting IP addresses can be overwhelmingly beneficial. However, even though whitelisting can improve cybersecurity, boost productivity and benefit your bottom line, it’s important to remember that each line of security is important. Whitelisting should not replace other security measures, but instead, be used as a complementary piece of a comprehensive security solution.

We hope you found this post helpful! Feel free to let us know if you have any questions and follow us on social media if you’d like to continue receiving all the latest business security news.

 

Read More
HIPPA Compliance - Perimeter 81
How a VPN Can Help with HIPAA Compliance
Reading Time: 3 minutes

HIPAA compliance affects healthcare organizations, insurance agents and more. In this recent podcast, we’ve outlined the easiest way to secure your data so that you can meet HIPAA compliance obligations easily and cost-effectively.

Public Wi-Fi is dangerous for both people and businesses, especially for those dealing with confidential and sensitive data. Due to a lack of encryption and open passwords, unsecured networks can be hacked in a matter of seconds.

We’ve already seen many significant healthcare data breaches this year. The HIPAA Journal reported that there were 29 breaches in May of 2018 alone with unauthorized access being the most numerous type of breach with an incident of 51 percent.

Introducing the Cloud VPN

With a Virtual Private Network (VPN), organizations can easily protect data transmission, secure data with strong encryption and meet other compliance requirements to secure electronic Protected Health Information (ePHI).

When you connect to a VPN, you create an encrypted tunnel that protects your data from hackers and third parties. This allows you to set up a completely private and secure connection to another network, enabling remote employees to securely access the network while they’re outside of the office.

Our service actually takes this one step further with Wi-Fi Security – a patent-pending feature that automatically activates military-grade encryption the moment an employee connects to an unsecured Wi-Fi network. This keeps all data being transferred over the network hidden from hackers – even if their mobile device is locked and inside their pocket.

More, our DNS Filtering Solution prevents the employees to access spammy websites that could endanger the company’s network security.

How Does a VPN Supplement HIPAA Compliance?

Majority of ePHI breaches result from compromised mobile devices or networks that contain unencrypted data which can result in loss of trust, substantial fines, criminal charges, and even civil action lawsuits.

To secure confidential data, organizations can implement a VPN to encrypt all transmitted data over the network, securing protected health information both on-site and remotely. Cloud VPNs integrate seamlessly with major cloud providers and can ensure that sensitive data located in cloud environments are fuly protected and secured.

The Benefits of Using a Cloud VPN

  • Lockdown Confidential Data and Databases to a Specific IP Address

    When you deploy a private server, you essentially restrict access to certain resources using a specific IP address. This allows you to designate certain team members to have access to only that server or IP address, limiting data access and segmenting the network.

  • Nonstop Security with VPN Kill Switch

    A VPN kill switch ensures that if the VPN disconnects for any reason, the Internet connection is stopped and no data is transferred. That means that no data will ever be transmitted over the network without encryption so that no third party can see your data in plain text.  

  • Full Visibility with a Unified Management Platform

    Not all software based VPN services offer advanced visibility and management features. With our VPN service, you can easily invite team members, deploy private servers and view all network activity in one unified place.

  • Two-Factor Authentication and Identity Provider Integration

    Two-factor authorization is key to security because it prevents hackers from accessing your account even if they were to obtain your login credentials. By requiring an additional layer of security via SMS push notifications or Google Authenticator, user access can be easily maintained.

Achieve HIPAA Compliance with a Full-Service Security Solution

At Perimeter 81, we’re highly aware of data storage and logging privacy because it’s critically important in both the business and consumer spaces. Even before GDPR came into effect, we were ready to address these security issues for our customers.

Cloud-based VPN technology offers much-needed scalability, affordability and increased compatibility with cloud storage environments. We are GDPR compliant, SOC-2 compliant and ISO 27 001 compliant so that we can offer a highly effective solution for any organizations’ HIPAA compliance needs. 

If you’d like to learn more about using a VPN for HIPAA compliance, please don’t hesitate to request a demo at www.perimeter81.com/demo or contact our sales team at [email protected].

Read More