Security Solutions Escort Banks Through the Cloud Shift
Reading Time: 4 minutes

Data is a commodity that has value just like any other: It can be used to pay for products and services (most free apps use your data in exchange for access), it can be bought and sold, and as we all know, it can change hands. Unfortunately, it doesn’t always fall into the right ones, and so for a bank – which is responsible for both our money and our priceless financial data – security is of the utmost importance.

As they say, “If it ain’t broke, don’t fix it.” So most banks having already found the right security approach for their legacy, closed off, and internal IT systems means that they are hesitant to embrace new technology – this might tip the scales in the favor of hackers. It might also make them more profitable, but upgrading infrastructure comes with new security complications that are a roadblock – because a data breach trumps any business advantage. Right now, cloud technology is in the epicenter of this dilemma.

Is the Cloud a Compromise?

If there are two sides of the fence, on one side is the cloud’s immense potential for bank customer service and competitiveness, and on the other, the need for significant investment and security due diligence that comes with any change to the status quo. The cloud can help banks diminish their core costs and overheads by eliminating hardware and the need to maintain it. It can also help to roll out new financial products and services to customers more quickly, and scale them inexpensively as demand waxes and wanes.

Despite these benefits the transition to the cloud is daunting, and outside of retail or commercial banks, it is happening at a snail’s pace. Of total spending on the cloud, banking accounts for only 10.6% in 2020, according to IDC. Reasons for hesitation include difficulties configuring cloud solutions to both work together and with legacy tools, which may create unanticipated (and intolerable) gaps in defense. Furthermore, banks may feel as if they lose control by offloading internal processes to third-party cloud providers, putting them at these providers’ mercy. Compliance is an obvious issue to be concerned about as well, and the extra degree of separation between banks and their cloud-based resources doesn’t inspire confidence at first.

This hesitation is more unfounded as time passes, however, because the cloud is changing quickly and so is the security surrounding it. For their part, banking perspectives on the issue are changing in tandem.

Lift, Shift, and Uplift

Banks can now be relatively confident that security will be tight as they embrace the cloud, since data isn’t the only thing that’s been commoditized; so has security. Cloud providers invest heavily in their defenses and for many industries, they offer greater safety out-of-the-box than customers can achieve with their own investment in IT. Banks appreciate these assurances, but still have enough at stake to need more. 

In their efforts to avoid a long and complicated process, reduce risk, and front load cloud benefits, executives sometimes see cloud adoption as an “all or nothing” idea. However, the “lift and shift” approach is getting more traction, as it moves parts of their infrastructure to the cloud in piecemeal fashion, based on the importance of the workload and other factors. Many banks are adopting this hybrid cloud model and taking their first baby steps into the 21st century, but if the piecemeal approach is going to be taken, their networks will get complicated quickly and will be in constant transformation. 

This requires a security solution that is more comprehensive than what providers offer, and one that can flex as the network perimeter shifts.

Elastic Security for an Extended Transformation

A bank requires a simple security solution that makes data protection easy, no matter how mix-and-match their infrastructure looks during the various stages of its cloud migration. While hybrid cloud models help banks meet the expectations of demanding and digitally adept customers, they also allow banks to keep sensitive processes internal, and to encourage data protection in diverse environments. Hybrid cloud security is also easier for banks to obtain these days, with SaaS security solutions that more easily integrate into both local and cloud environments.

Network as a Service products help IT professionals apply a plethora of security tools such as DNS filtering, Wi-Fi security, VPN encryption, and multi-factor authentication across the various resources that make up a bank’s network – no matter if it’s local server storage or a popular software consumed “as a Service”. The seamless level of integration covers more bases as the network slowly migrates to the cloud, but NaaS is also especially suited to the hybrid approach because it allows IT to segment the network and restrict access within it, not just into it.

Accordingly, just-migrated bank resources can enjoy multilayered security and yet also be inaccessible to only the roles (and devices) held by IT higher-ups, until they are confident that compliance is achieved. Security can be easily tuned to the changes made to a bank’s network throughout its cloud transformation, with scalable and secure access policies and a quilt of tools that will have any hacker think twice about attempting to get at its data. With time otherwise spent on maintenance, IT is freed up to pursue profit-seeking initiatives.

Security Ups Its Game for a Tough Customer

It takes a lot for banks to be confident in their security, but cloud advancements have extended to security ideas, and make upgrading infrastructure a win-win proposition. With confidence in the cloud’s compliance and safety, banks are able to morph in pursuit of better service, without concern for how customers or their data are affected. Now that this piece of the puzzle is finally in place, banks can go full speed ahead into the cloud, and soon, customers will feel the change in both better financial services and the gradual yet pronounced lack of big hacks hitting the headlines. It’s hard to estimate which will be more welcome.

Read More
Podcast-Ep.3-
Beyond The Perimeter Podcast, Episode 03: Hacking with a Purpose: Life as a White Hat Hacker
Reading Time: 6 minutes

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.

In this edition of the Beyond the Perimeter Podcast, we discussed the Twitter hack which saw many famous celebrity accounts being hijacked which resulted in spreading a cryptocurrency scam. We also interviewed Len Noe who is a white hat hacker and cyber security specialist.

Breach of The Month: Twitter Hack

On July 15th we saw one of the most high profile breaches of the year. At least one hacker known for hijacking high-profile Twitter usernames gained access to an internal “admin” tool on Twitter’s network, hijacked a ton of celebrity accounts — Joe Biden, Bill Gates, and Elon Musk to name a few — to spread a cryptocurrency scam. The hacker made over $120,000 in just a few hours. But how the hacker got in and whether an employee helped remains a mystery. It is likely the hacker found their way into Twitter’s Slack account where they found a set of credentials. 

Twitter announced that the hack was done through social engineering. In this type of attack, hackers tend to trick their victims into providing their login credentials for access. Some 130 accounts were affected by the breaches. Twitter later said eight users had their data downloaded — including their DMs. But the company refused to say if the hacker read anyone else’s DMs — even though they’re believed to have had access. The breach could’ve been so much worse, even having serious implications for national security, given that this is an administration that frequently uses Twitter to dictate policy. On July 31st, authorities arrested the  17-year-old hacker who was behind the hack.

In this episode,  I talked to white hat hacker Len Noe to get a better understanding of why hackers might transition into becoming a white hat hacker and why organizations should look into implementing white hacker programs, 

Attracted to the Art of Hacking Early On  

Most hackers will tell you that their interest in hacking started at a young age. In Noe’s case, it started when he learned he could make small code edits which would change the outcome of a program. “I got into hacking early on. It all started for me back in the Commodore 64 days and the truth is there was a magazine that you could get that would actually give you some very simple, rudimentary programs that you could write for your Commodore 64 and the one that got me was Frogger, the old video game.

“During the time where I was trying to code the game, I messed up some of the code while I was programming and for some reason my frog would not die. It just opened up a whole new world to me if you do something in the background, it can affect what’s going to happen. So that was kind of what really sparked it for me was the idea that I was in control and even though the way that the game was supposed to be played, I could play the game the way I wanted to play it.”

Unlike today where hackers can easily find online different how-to guides and learn from other hackers, back in the ‘80s, Noe had to learn the trade through trial and error. “It was mostly trial and error. I mean you got to remember, this was back in like the pre-Pentium days. We’re talking 386 DX2, 486 with the math coprocessors so you could have the floating decimal point. There were a lot of bulletin board systems and many techniques came from a good understanding that I don’t think a lot of people get these days.

When I was going through this originally, this was when the personal computers were first coming out. You learned how to use a terminal and it was before any real GUI, before OS was available. I just knew how things worked and it was a lot of trial and error and logging in to other like-minded individuals like myself who are into this kind of thing and it was kind of the pre-birth of the hacker collectives. I mean we weren’t hackers at the time because there really wasn’t a term. At the time, we were just geeks.”

Evolving From a Black Hat Hacker to a White Hat Hacker

Life as a black hat hacker early on wasn’t as dangerous as it is known today according to Noe. “Being a black hat was simpler, at the time, there was no real hacker. There wasn’t any kind of GDPR or any type of disclosure laws in the US. You know, if you got caught hacking, they would slap your hand. Maybe you weren’t allowed to use a computer until you were 18. But it wasn’t until after the 9/11 incident in the United States where any type of hacking really started to become a major issue and started to command heavy jail times and fines.I was always very interested in hacking and I always have had that innate sense of wanting to know not just the fact that it worked but how it works. My father was a mechanic and always told me if you understand the basics, then any of the complicated things become very simple if you break it down to its rudimentary form.”

When asked why he transitioned from a black hat hacker to a white hacker it was simple for Noe. “I don’t like the idea of state-funded vacations. The idea of being locked away just really didn’t appeal to me. I mean I’ve never been one of those – even when I was a black hat, I was never one of those kinds of guys that would go after people and try to steal their personal information or try to ransomware somebody or blackmail somebody. For me, it has always been more about just the puzzle and I like those people who always say, ‘I’m secure.’ Really? Let’s test that theory and I’m a firm believer. If you think you can get into my stuff, come on. If you can get past the securities and the preventative measures that I’ve put in place, then you deserve it.

“For me, it was always am I smarter than the guy that set up the security? I know there are people better than me and there’s an old expression, Those who exalt themselves will be humbled but those who humble themselves will be exalted. Be humble with your security. Know what you’re doing and don’t brag. I’ve seen it so many times in my life where they’re those people who are basically taunted to attack and they always wind up sorry for it in the end.” 

Implementing White Hat Hacker Programs 

Over the past decade, we are seeing more organizations stepping up their internal security team. Noel believes implementing white hat hackers in the internal security teams comes with its advantages. “I think having a red team and white hats on staff is a great idea. It keeps you fluent. It keeps people updated on the types of attack factors that are new and it’s going to keep fresh eyes and people that are actually in this community. 

“But at the same time, I also think that even if you do implement a red team or a white hat on your payroll, I think once a year, it’s still a good idea to get an external pen test done or invoke the services of a third party just to keep everybody honest. Always look at security from the sense that it is going to always be as strong – only as strong as your weakest link. Get those fresh eyes and unbiased opinions every now and then. Keep your red teams and your white hats on staff just because these are people that are going to be tuned into what’s going on and what’s current.”

Endless Amount of  Resources Available 

When asked what his advice is for young security enthusiasts looking to become a white hat hacker, Noe emphasized on the importance of taking advantage of the numerous resources online. “ Play, get out there. YouTube is an amazing resource. But study up on YouTube. The one thing I will say about the cybersecurity community is for the most part, we are pretty open with our information. Go to our GitHubs. Go to our YouTube channels. You will find gists of information. You will find example videos of different attack scenarios and different attack applications. 

“I have a GitHub repo on my GitHub that is just links for new cybersecurity people. You know, sites like Packet Storm, Vulnhub. One of my biggest recommendations for newbies and a lot of people think I’m stupid for making this recommendation. Vulnhub, if you’re not familiar with it, is a site where you can just go download premade capture-the-flag VMs for VMWare or VirtualBox and a lot of the times, you can actually go to Google or DuckDuckGo and you can search for a walkthrough of that capture-the-flag. For newbies, it’s a great way to actually see and walk through the entire process and at the end of it, you actually are able to complete the capture-the-flag.”

To hear the entire interview with Len please listen to the full podcast here. You can follow Len on Twitter, Github, Youtube and SlideShare. 

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.

Read More
Sauce Labs Webinar - Blog BG - 768X432
6 Tips to Securely Manage a Global Remote Workforce
Reading Time: 3 minutes

Written By: Justin Dolly, CSO, Sauce Labs

With the global COVID-19 pandemic still raging in many countries around the world, many workplaces are still remote and will stay that way for the foreseeable future. Given this, how do we support high levels of security in a remote workforce, all while maintaining required levels of productivity? It’s a challenge for IT teams, to be sure—but not an insurmountable one. In this article, Sauce Labs CSO Justin Dolly offers six tips for teams wrestling with this conundrum.

1. Be Flexible

Security has to be present wherever remote workers are, and it must enable employee productivity, not prohibit it. If we aren’t flexible enough with how we’re asking employees to get things done, they may take matters into their own hands and go elsewhere, thereby opening up your organization to vulnerabilities.  It’s important to communicate to your users the security technologies and processes that you’ve put in place and to ensure they are robust and flexible enough to support a workforce that’s remote.

2. Encrypt All Drives

Laptops and mobile devices can present a huge risk. Encrypting drives can protect organizations from accidental data loss. If an employee accidentally leaves a device at a coffee shop, for example, the organization can feel secure that the sensitive data and the business at large will not be compromised thanks to the encryption capability in place.

3. Enforce Multi-Factor Authentication (MFA)

Enforce multiple layers of authentication for access to any system of information that is deemed sensitive. Modern, adaptive methods should be employed since two-factor authentication has been compromised in certain scenarios.

4. Don’t Forget the Endpoints

Your security program needs to provide a 360-degree view of what employees are using to access company assets. BYOD is an ongoing concern especially in a remote environment, so you must put security measures in place to know which endpoints have access to what resources. Also, Intelligent software installed at the endpoint will protect devices from modern malware and provide the necessary visibility at the endpoint.

5. Implement Both Defensive and Offensive Strategies

Defensive measures include tools that make it difficult for your environment to be attacked. Offense means you need to constantly be testing yourselves to make sure the defensive elements you put in place are working as they should. This may be more difficult in a remote environment, but it’s no less important.

6. Don’t Just Communicate—Overcommunicate

Communication is always important, but especially during a time of remote work. When everyone is dispersed to their homes, it’s critical to be in close touch when you can’t get into a room with everyone to hash out plans. This goes double for dealing with a security incident and roles and responsibilities must be clearly defined and communicated, along with the critical network and data recovery processes that are needed for the team’s incident response. Even outside technical teams, communication about security issues is paramount: You need to respond to all stakeholders, whether inside or outside the company, in a timely and appropriate way.

Conclusion

The remote workforce has shined a light on the importance of security. At Sauce Labs, we talk a lot about digital confidence, meaning that we enable organizations to feel confident that their web and mobile apps are performing exactly as intended. As security professionals, we owe that same confidence to the customers using our Continuous Testing Cloud. Even and especially during a pandemic, we have the opportunity to address security and make sure remote work and other concerns don’t impact your business in a negative way. Following these guidelines will get you started on the way to successfully managing security for your organization—even while remote.

Perimeter 81 and Sauce Labs recently hosted a joint webinar about how organizations’ networks and connections must be secured in order to add another layer of protection against hackers trying to breach the testing environment. Watch the replay here.

About the Author

Justin Dolly is Chief Security Officer at Sauce Labs, where he oversees the development and implementation of the company’s long-term security strategy, ensuring its customers have the highest level of protection to support their digital goals. He is a Certified Chief Information Security Officer (CCISO) with more than 20 years of experience in building and implementing a culture of security within global organizations.

Read More
5G
Why Secure Network Access is the Key to 5G
Reading Time: 4 minutes

While technology continues to evolve, wireless networks are vital due to trends like IoT, smartphones, tablets and laptops. Now, just as 4G is becoming irrelevant for users and businesses, 5G is introduced. 

Since its emergence, 5G has taken the world by storm. The global phenomenon of quicker networks has everyone buzzing, especially tech companies. 5G offers companies faster and more reliable internet, with lower latency issues for their employees — no matter where they are or what device they use. 

As 5G is rolling out in the United States and companies are already reaping its benefits, enterprise networking is still in the early stages of the 5G revolution. The transformation of mobile networks comes with risks that cannot be ignored. Instead of solely focusing on the numerous benefits 5G offers, such as a redesign of mobile networks which enables efficiency, cost-effectiveness and greater agility, we need to also be aware of the new security challenges that come with developing and implementing this new infrastructure.

5G Security: An Ongoing Issue

With new network technologies such as 5G, security needs to be more involved during the early stages of development. This wireless network evolution will see many different shifts occur as 5G moves from early-stage to the norm for mobile networks. 

Mobile networks with security risks is not a new concept, yet the number of attacks from different endpoints is increasing as networks are transforming. Companies that are early adopters of 5G networks could possibly experience security threats due to their implementation of an early-stage version of 5G. 

Among the security challenges that 5G presents are visibility issues, increased exposure to attacks due to new entry points for bad actors, and increased risks from major dependencies on suppliers.

Network experts might recommend organizations not to implement technology that was designed for 5G networks as it comes with different security challenges. While this is taking a more cautious route, organizations need to rethink their entire security strategy when it comes to 5G networks. IT and security teams need to implement the right amount of security policies in place to secure their network for 5G. Without doubt risks and issues will happen with new technology but having a security strategy implemented will veer away from simpler security challenges that can occur with 5G. 

5G Security Challenges Aren’t a Quick Fix

When organizations are designing their network security strategy, IT and security teams are continuously taking the same approach, how quickly can we patch vulnerabilities while updating the network at the same time? Instead, organizations need to look at the entire security strategy, not just a quick fix.  One security risk often overlooked is testing new networks during the implementation period. IT teams will regularly run a group of network tests that check for common vulnerabilities and risks in the network. Once the tests are completed, the networks can be implemented.

Adopting the ‘set it and forget it’ approach when it comes to testing creates another challenge of its own. Without continuously testing your network for vulnerabilities and security risks you are putting your network at risk. 

IT experts might suggest that when first implementing new networks, your infrastructure needs to properly communicate and pass data from network to network. Additionally, you need to properly integrate the network security from your 4G networks to your new 5G networks. If this is not done correctly, your organization could experience major network security risks that could harm the security of your infrastructure and networks.  

Some organizations will try to fix 5G security challenges with the latest security solutions, even if they are not designed for 5G infrastructures and networks. These solutions could be a quick band-aid for your 5G networks but once your networks are implemented, the security challenges will become more obvious. With the wrong solution in place, it can create more endpoints and entry points for hackers to infiltrate. Instead of adopting different solutions for your network, organizations should implement a 5G friendly secure network access solutions to dissolve the potential security challenges. 

5G allows Smoother Secure Network Access 

As more and more organizations start to adopt 5G networks, they will experience the different benefits they offer such as quicker communication and low-cost deployment. These network benefits will enable their employees to connect and send more data to their network. However by more devices quickly connecting and transferring large amounts of data it can put a massive strain on IT and security teams when ensuring that their organization is connecting securely to the networks. 

To ensure that the entire organization is connecting securely to the new networks, IT and security teams should look to adopt models that are designed to make sure that the proper employees gain access to the network. One such model is Zero Trust Network Access (ZTNA). 

The Zero Trust Network Access model has gained popularity with organizations of all sizes since the rise of cloud adoption. While Zero Trust Network Access is not a new approach, it has become one of the more popular models to implement when fighting security risks that 5G present. By addressing your security concerns head-on with a Zero Trust model, your IT team will be able to fully monitor the network and user access activity. 

Adopting Zero Trust Network Access allows IT teams to specifically assign restricted access to users and their devices to their network, lowering the chances for hackers to infiltrate your network. Additionally, the Zero Trust model for network access will allow organizations to easily authenticate and establish the authorized access per user and devices throughout the network.

Moving Forward 

With the advancement of 5G, organizations will experience different security challenges in their network which will result in the importance of prioritizing full visibility and monitoring of its networks. With the proper authentication and identification policies in place and adopting a Zero Trust Network Access (ZTNA) solution, your network security will be more equipped for any 5G network challenge that is presented. 

Read More
FWaaS Prevents the Cloud from Going Up in Flames
Reading Time: 4 minutes

Firewalls are aptly named, because they stop the spread of flames beyond the wall, and help to preserve the building itself from falling down or burning to a crisp. The metaphor works just as well with malware defense as it does fire safety, but now that we’ve moved to the cloud en masse, “fire” can spread further and faster than ever. No longer are we protecting on-site resources. Our hardware and resources are thousands of miles away, and sometimes we don’t know if ignition has been sparked before it’s too late – for ourselves and the millions of others sharing the same cloud.

Firewall as a Service (FWaaS) has emerged to bring the concept of a firewall to the cloud, and among the other security tools that companies have relied on, it has been a helpful tool in escorting companies through a safe cloud transition free of malware and unauthorized access. But they haven’t always been as necessary as they are now. For compounding reasons, FWaaS is more than ever a mandatory component of the security toolkit in place for businesses of any size. 

Security’s Slow Cloud Transition

Resources moving to the cloud is a natural pursuit of more efficiency, which is a business staple. For organizations, it’s easier to consume storage and bandwidth as a service than it is to run the hardware supplying these things. For their part, cloud providers have also benefited immensely by switching from selling hardware to renting it over the internet. These are basic concepts to nearly everyone who has used computers in the last 20 years, but cloud computing is actually much older than we tend to realize, and this context is important to understanding the rise of FWaaS.

Though we like to think in terms of when we started uploading photos to iCloud or using Google Drive, cloud computing actually began way back in the 1950s with the first mainframe computer, and evolved from there. However, only recently have firewalls evolved alongside virtual machines and increased bandwidth availability through the internet, taking the very concept of a physical appliance, and transplanting it into cloud infrastructure.

Because security reacts to the trends happening elsewhere, and molds itself to be the antithesis to the latest attacks, it is always late to the party, and especially to the cloud as entertainment and commercial ideas took priority. This meant that firewalls weren’t on the cloud until many other things were first, so most companies still applied clunky physical appliances to their growing cloud networks. Another reason that FWaaS hadn’t appeared at the forefront of the cloud movement was because it’s purpose is to protect infrastructure, and IaaS (Infrastructure as a Service) didn’t become popular until long after SaaS.

The blooming of SaaS before IaaS was largely due to the ease with which a SaaS product can be hosted – even on a single machine under your desk – so it made sense why a physical firewall would suffice as SaaS matured. No longer. Now, the increasing embrace of IaaS and the wholesale movement of entire departments onto the cloud has meant that firewalls simply must be a part of this environment.

FWaaS is Now a Must

As companies move to the cloud, their IT teams have discovered that relying on old firewalls is more than inefficient for configuration and integration. It also reduces visibility over the network and resources within the network that are now a few degrees of separation from the office premises itself. The old perimeter guard approach, where firewalls are the sentinels standing inside the moat of the “network castle”, doesn’t work when resources are no longer inside the walls and are not thoroughly protected by cloud providers.

Moreover, a quickly-multiplying number of mobile devices are now connecting to these cloud resources, so IT teams struggle to define their network perimeter, let alone protect it. FWaaS solves this problem by integrating easily with third party cloud infrastructure, giving IT a looking glass into how users are accessing SaaS products such as Salesforce, AWS, and Google Suite, and the centralized, cloud-based access management panel for them to control traffic through these resources and fight malware.

Cloud Accelerating Changes FwaaS Too

As workers move from offices to their homes, FWaaS has become a central tool that IT teams can use to provide safer remote access. This idea hasn’t changed, but the way it’s being delivered to businesses is, as single-purpose security tools “as a Service” are going through the same cloud consolidation process that productivity and entertainment products did not long ago. Firewalls and other things like VPN tunneling and Single Sign-On are better for security in today’s mobile environment, but when orchestrated independently of one another are still risking network security.

This is why a new idea in the industry, SASE (Secure Access Service Edge) has zeroed in on FWaaS as one of its cornerstones. Security providers are racing to provide SASE platforms since Gartner introduced the idea late last year, but they must first collect and provide the tools that deliver SASE’s promise: unified network security on the cloud edge. FWaaS, CASB, SWG, MFA, VPN, and other security services are part of this single unified platform. FWaaS is one of the most important pieces of the SASE puzzle and one of its core functions, because it has a unique job that other components can’t do.

Thanks to growing SASE platforms like Perimeter 81 and the FWaaS functionality provided as part of this consolidated, cloud-native offering, organizations are able to aggregate their traffic effectively from all resources and enjoy total visibility across them, with no hardware involved. Though it’s true that the acronym FWaaS is now standing in SASE’s immense four-letter shadow, it cannot be discounted.

Because even alone, FWaaS has merit when paired with some other basic security tools like VPNs. Companies with simpler networks, a few SaaS resources, and smaller teams can rely on a basic setup like this to mime the cloud security chops of SASE until growth demands an even more scalable solution. FWaaS is central to a safe future on the cloud any way you slice it, and will 

Read More
CRN® Recognizes Perimeter 81 on the 2020 Emerging Vendors List
Reading Time: 3 minutes

Tel Aviv Israel – July 20th, 2020 – Perimeter 81, a leading Secure Access Service Edge (SASE) provider,  announced today that CRN®, a brand of The Channel Company, has named Perimeter 81 to its 2020 Emerging Vendors list in the security category. This annual list honors new, rising technology suppliers that exhibit great promise in shaping the future success of the channel with their dedication to innovation. The list recognizes channel-focused organizations across eight categories: Cloud, Data Center, Security, Big Data, Internet of Things (IoT), Storage and Networking/Unified Communications. 

This list recognizes recently founded, up-and-coming technology suppliers that are shaping the future of the IT channel through unique technological innovations. In addition to commemorating these standout companies, the Emerging Vendors list serves as a valuable resource for solution providers looking to expand their portfolios with cutting-edge technology. 

Partners of Perimeter 81 recognize the advantages of deploying cloud-based network security instead of traditional security solutions. Not only does this facilitate greater security and performance for their clients but also allows predictable recurring revenues and the simplicity of managing network security 100% remotely from an intuitively designed multi-tenant partner dashboard.

“It’s an honor to be named among the select few companies chosen as part of CRN’s Emerging Vendors in Security for 2020,” said Amit Bareket, CEO and Co-Founder of Perimeter 81. “This recognition not only serves as a validation of our success but it also demonstrates our channel-centric approach in delivering enterprise-level network security solutions to our partners.”

CRN’s Emerging Vendors recognizes pioneering technology suppliers in the IT channel that are driving innovation and growth. This list serves as a valuable resource for solution providers in search of the latest technologies.  

The Emerging Vendors list is selected by CRN’s esteemed editorial team. These vendors are inspiring the IT channel with groundbreaking technologies and best-in-class offerings that are elevating businesses – driving success with solutions built to battle the challenges of the IT channel. 

“CRN’s 2020 Emerging Vendors list recognizes vendors that are revolutionizing the IT channel with innovative solutions that meet the complex demands of our industry,” said Blaine Raddon, CEO of The Channel Company. “It honors inspirational new vendors that are driving channel growth with state-of-the-art technologies that will continue to shape the channel into the future.” 

The 2020 Emerging Vendors list will be featured in the August 2020 issue of CRN Magazine and online at www.CRN.com/EmergingVendors

About Perimeter 81

Perimeter 81 is a Zero Trust Secure Network as a Service that is simplifying network security for the modern and distributed workforce. Based in Tel Aviv, the heart of the startup nation and a global hub for innovative technology development, Perimeter 81 was founded by two IDF elite intelligence unit alumni, CEO Amit Bareket and CPO Sagi Gidali. Perimeter 81’s clients range from small businesses to Fortune 500 corporations across a variety of sectors, and its partners are among the world’s foremost integrators, managed service providers and channel resellers. Earlier last year, Gartner selected Perimeter 81 as a Cool Vendor in Network and Cyber-Physical Systems Security.

About The Channel Company 

The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers, and end-users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace. www.thechannelco.com 

Follow The Channel Company: Twitter, LinkedIn and Facebook 

©2020 The Channel Company, LLC. CRN is a registered trademark of The Channel Company, LLC. All rights reserved. 

The Channel Company Contact: 

Jennifer Hogan The Channel Company [email protected] 

Read More
Webinar Recap: What will cyber security look like in the post-COVID-19 world?
Reading Time: 3 minutes

In addition to all of the demographic, economic, and healthcare implications brought on by COVID-19, the once-familiar 9-to-5 office environment as we know it has changed dramatically. Remote work, once expected to be the future, is now our new reality. Even though Gartner predicted that by 2020, half of the US workforce would be working remotely, no one could have anticipated it to become ubiquitous during the COVID-19 outbreak. Now, nearly everyone has been forced to work from home for the foreseeable future. Organizations have been seeing an increase in productivity from employees and have extended their work from home policies until the end of 2020, or even indefinitely.

Along with all of its benefits, remote work also brings a host of cyber security risks that are harder to tackle outside of the office. Additionally, with millions of people connecting to their corporate networks from their homes, network infrastructure is being taxed like never before, creating new issues of internet overload and skyrocketing VPN usage.

While the future remains uncertain, organizations are embracing the new normal, and now is the time for CISOs and IT managers to start thinking about how they will continue securing their teams while working remotely. Industry analyst Richard Stiennon and Perimeter 81 Co-founder and CEO Amit Bareket joined forces in early July for a webinar to discuss, review, and make predictions about the future of cyber security in the post-COVID-19 world.

Watch the webinar on-demand:

 

From your experience in security, what has changed dramatically over the past decade? 

Stiennon, who has been in the industry for nearly 30 years, focused on the digital transformation which morphed into the cloud transformation and the use of SaaS services. Bareket added employee mobility to the security challenges that have developed over the past ten years and the need for security appliances to keep up with these trends. 

How has COVID-19 changed the way we consume cyber and network security?

Stiennon kicked off the conversation with the fact that organizations that were unaccustomed to working remotely and did not have a solution for secure remote access were forced to move their entire workforce remote almost overnight and with zero preparation. Now that the urgency to find a solution for securing remote access has died down, organizations are focusing on long-term strategies for securing their remote workforce. Following with experience from Perimeter 81’s customers over the past few months, Bareket gave examples of organizations that may have previously been more “traditional” in their approach to security and cloud, that are now making the transformation. As COVID-19 has accelerated the adoption of cloud and mobility, organizations are rethinking their security policies and strategies.

What do you think is the biggest pain in the cybersecurity space right now? 

Bareket clearly sees the challenge as now that employees are working remotely/from home, organizations must open their infrastructure to be open to the outside and from unmanaged devices, compromising security. Stiennon added that security professionals have to break loose from their current mindset of “boxes” and change their vision to include the cloud. Additionally, now these professionals are charged with the responsibility of not only protecting resources but also protecting employees. 

What do you think the future of security has in store over the next 2 years? 

Stiennon believes that new threats that have come about from the age of remote work are adding to the revelation of new vulnerabilities and by this fall we will be seeing massive breaches announced, that are starting during this time period. On the flip side, we are also working more securely as more vendors are offering more security capabilities and organizations are consuming these services. From the vendor perspective, Bareket believes security services overall is moving away from on-prem to cloud-based and user-centric solutions. Additionally, various services will start joining together in order to unify under one platform in order for any business of any size to consume. 

Which challenges and solutions will we be seeing in the near future? 

Bareket discussed Gartner’s SASE (Secure Access Service Edge), the unification of security and infrastructure to be offered from the cloud edge. Stiennon added that the fact that government offices, law firms, medical practices, and the like (approximately 80% off all businesses and organizations) are all late adapters to new technologies and security software. 

After a riveting discussion with predictions and surmisings, the panelists moved on to answer questions from the audience. If you were unable to tune in live but still would like to address questions to the speakers, feel free to reach out to us on LinkedIn, Twitter, or Facebook

 

Read More
Gartner_Hype_Cycle
Perimeter 81 Recognized as a Sample Vendor In Gartner’s 2020 Hype Cycles For Network Security and Enterprise Networking
Reading Time: 3 minutes

Perimeter 81, the Secure Network as a Service solution for the modern and distributed workforce, has been recognized in the latest Hype Cycles by Gartner Inc., a leading IT research and advisory company. 

We are proud to be named a sample vendor in the Zero Trust Network Access ( ZTNA) category in the Hype Cycle for Network Security, 2020, and the Hype Cycle for Enterprise Networking, 2020. This industry recognition affirms the success we’ve had in developing the next generation of innovative network access and network security products. 

Over the past years, ZTNA vendors have replaced the need for the traditional Business VPN. As stated in the report, “As more organizations suddenly find themselves transitioning to much more remote work, hardware-based VPNs exhibit limitations. ZTNA has piqued the interest of those seeking a more flexible alternative to VPNs.” (1)

What is the Hype Cycle?

Gartner Hype Cycles provides a graphic representation of the maturity and adoption of technologies and applications, and how they are potentially relevant to solving real business problems and exploiting new opportunities. Gartner Hype Cycle methodology gives you a view of how a technology or application will evolve over time, providing a sound source of insight to manage its deployment within the context of your specific business goals.

In each report under the Zero Trust Network Network Access  (ZTNA) category, Gartner Analyst, Steve Riley discusses how ZTNA provides a more immediate and modern solution in place of the traditional VPN. The ZTNA model offers better network visibility which most VPNs are lacking. Additionally, ZTNA allows organizations to enable a cloud transformation that will be more geared to their corporate network resources and applications.

In this year’s reports, Gartner highlights the different business impacts that ZTNA has to offer.  “ZTNA brings significant benefits in user experience, agility, adaptability and ease of policy management.” (2) Additionally, the report lists the different vendors that offer a ZTNA solution and the benefits that are being offered such as an increasing number of points of presence (Pop) which are helping organizations with network latency.

The Perimeter 81 Network Security Offering 

In each report, Gartner mentioned that with cloud-based ZTNA offerings, scalability and ease of adoption are additional benefits. At Perimeter 81, we are providing secure access to local network, applications and cloud infrastructures with one unified platform. By transforming the outdated, hardware-based security appliances into a cloud-based SaaS solution, we are simplifying network security for the modern and distributed workforce. 

As a holistic SaaS solution providing customizable networking and the highest levels of security in the cloud, Perimeter 81 is revolutionizing the way organizations consume network security. 

Our Zero Trust Network Access (ZTNA) solution provides policy enforcement and protection by isolating applications and segmenting network access based on user permissions, authentication, and verification. The platform’s comprehensive software-defined perimeter (SDP) solution offers simple cloud migration security, seamless least privilege access to resources and secured access to cloud environments including IaaS and PaaS.

Unlike hardware-based legacy VPN and firewall technology, our scalable SaaS solution offers greater network visibility, seamless onboarding and full integration with major cloud providers, giving companies of all industries and sizes the power to be fully mobile and completely cloud confident. 

Global Recognition 

Being recognized as a representative vendor in both the 2020 Hype Cycle for Network Security report and the 2020 Hype Cycle for Enterprise Networking report from such an esteemed resource validates our ongoing effort in the enterprise cybersecurity market.

“We are pleased to have been included in the Gartner Hype Cycle,” said Amit Bareket, CEO and Co-Founder of Perimeter 81. “We believe we are shaping the future how businesses will consume network security and this recognition validates the depth and breadth of our innovative offering. Being named by Gartner as a sample vendor reinforces the value of our approach to helping our clients with a more secure network connection to their cloud services and resources.”

  1. Gartner, Hype Cycle for Network Security, 2020, Pete Shoard, 30 June 2020.
  2. Gartner, Hype Cycle for Enterprise Networking, 2020, Danellie, Young, Andrew Lerner, 8 July 2020.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Have any product questions or suggestions? Don’t hesitate to contact us at [email protected] 

To learn more about Perimeter 81’s Zero Trust Network as a Service be sure to request a complimentary demo.

Read More
HITRUST Fills in the Blanks for HIPAA and PHI Security
Reading Time: 4 minutes

HIPAA carries a lot of weight, but it is merely a set of guidelines that healthcare companies (and technology providers who work with them) must follow when handling Patient Health Information (PHI). For people imagining a team of inspectors showing up unannounced to offices worldwide for a surprise checkup, or to administer a results-oriented audit before gaining compliance, know that this isn’t the case when it comes to HIPAA. 

In fact, the lack of any official certifying entity makes it possible for businesses handling PHI to give themselves a badge of compliance based on their technology and processes alone. A HIPAA icon found on a healthcare provider’s or security vendor’s website is not meaningless, however. These organizations know penalties from the Office for Civil Rights (OCR) pack a rightfully devastating punch, and so they must invest in the song and dance of showing they have the power to protect PHI, even without proof that their systems are actually doing so.

Despite the superficial nature of HIPAA compliance, providers are still under pressure to “prove” that they have a clean bill of health when it comes to the guidelines. They can currently do this via self-assessments involving documentation of access policies, technology settings, employee standard operating procedure manuals, backups and more. Compliance is a necessary effort for providers, but because the result of these settings and technologies lives on paper alone, patients don’t realize HIPAA doesn’t provide as much value as it should. 

Entities like HITRUST have sprouted up to deal with this gap by both using technology to proactively and reactively enforcing HIPAA compliance, and to help providers make it a core pillar of their operational success rather than an obstacle to it. The tools available today enable risk management and PHI security to be vital for healthcare providers, and HITRUST takes full advantage. It is designed to strengthen the foundations of information security and make compliance easier to achieve than ever. But how?

What is HITRUST?

While HIPAA is a solid framework for protecting medical records, and gives patients privacy regarding who can gain access to their information, it is also subjective on the part of providers. HITRUST is not simply a template that allows healthcare providers to say all the right things regarding their compliance – it goes beyond this. Technically, HITRUST is the group that built and continues to manage the CSF, or Common Security Framework, which is both certifiable and combines multiple different compliance models including HIPAA, notably, but also PSI, ISO, NIST, FTC, COBIT and others.

According to the HITRUST website, it is “a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.”

The approach taken by HITRUST is simple yet thorough. Crucially, a HITRUST certified provider is also a HIPAA certified provider, and can offer more than a hollow pledge to follow the rules sans any audit to see that the security controls put in place are actually working. To maintain HITRUST compliance requirements, an organization can choose to self-assess or complete a third-party audit, but either way it must pass all 19 parts of the CSF test every two years:

  • Healthcare Data Protection & Privacy
  • Information Protection
  • Wireless Protection
  • Transmission Protection
  • Network Protection
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Third Party Security
  • Physical & Environmental Security
  • Configuration Management
  • Vulnerability Management
  • Password Management
  • Incident Management
  • Risk Management
  • Access Control
  • Audit Logging & Monitoring
  • Education, Training & Awareness
  • Business Continuity Management & Disaster Recovery

With each idea outlined in the CSF, providers have a bolder template to follow, which makes preparing for the whole gamut of required certifications less of a guessing game. Medical practices and healthcare providers are therefore able to unify their compliance efforts with one process, and guarantee protection for their patients rather than offer a mere promise. Thankfully, unification is also occurring in the security industry, lowering the barrier to compliance even further.

Unified Security Models a Must

To give providers peace of mind over their compliance, HITRUST’s universal security framework is complemented by security vendors that take a similarly consolidated approach. While no single security vendor is yet able to deliver total CSF compliance, this is the direction the industry is heading. Network as a Service, for example, empowers providers to deploy network and security tools in an integrated manner with existing local and cloud resources. Consuming just one product for both access management and data security tools makes it much easier for would-be compliant companies to quickly pass multiple sections of their CSF audit.

With both security technologies and compliance frameworks aligned in their increasing simplicity, providers will soon be rid of their confusion over compliance. Most important, however, is that those who see a HITRUST compliance badge can be confident that the healthcare they receive employs the most up-to-date, and proven data security tools. This will encourage a more accountable healthcare sector, and prevent the all-too-common idea of a PHI breach from impacting the trust between patients and practices.

 

Read More
Podcast Ep.2
Beyond The Perimeter Podcast, Episode 02: Young Startup: Are You Ready for a CISO Onboard?
Reading Time: 6 minutes

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.

In this edition of the Beyond the Perimeter Podcast, we explained how millions of Chrome users might be affected by the Google Chrome security breach and we interviewed Ms. Reut Weitzman who is the COO and Cybersecurity Consultant at QMasters to learn about her experience and insights as a CISO at a startup. 

 

Breach of The Month: Google Chrome Browser  

On June 18th security researchers at Awake Security reported to Reuters that millions of Chrome users were exposed to a record spyware breach linked to extensions downloaded from Google’s official Web Store. The discovery is believed to be one of the biggest attacks of its kind and resulted in Google removing more than 70 malicious extensions.

Most of the free browser extensions – downloaded about 32 million times – claimed to warn users about unsafe websites or convert files from one format to another. Instead, they were accessing users’ browsing history and website logins. It is still unclear who was behind this attack as the developers of the Chrome extensions supplied fake contact information when they submitted the extensions to Google.

Our suggestion when downloading third-party Chrome extensions is not to grant access to data or other information on your machine or device. Google can not guarantee 100% security on all of their third-party add-ons so you must be careful.

To learn more about being a CISO at a startup, I interviewed Ms. Reut Weitzman who shed light on the CISO challenges in lean startup, where the budget is low, people are techies and security is an afterthought.

Reut specializes in designing complicated cyber-defense architecture aligned with business and technology strategy, that is up to date with emerging cyber threats and vulnerabilities. One of her leading projects is providing on-going CISO service for a cryptocurrency startup.

Learning and Being Mentored Early On  

Cybersecurity has become the trendiest topic in the news today. From cyber attacks, data breaches, ransomware and election hacking, everyone wants to be part of cybersecurity. Luckily for Reut, she has been part of the security industry from early on. Learning and experiencing the security industry helped Reut become who she is today as CISO. “When I started my career in cybersecurity, the dot net had just bloomed and I was young, curious and eager to learn everything possible about this exciting industry. So I took courses, read a lot, researched, asked and learned on the job of course.”

Reut described how fellow colleagues and mentors helped her early on. “I was lucky to work with talented, supportive people, and being a people person myself, I kept in touch with many of them over the years. I actually still keep in touch with my first boss from 20 years ago. So I found that this helped me a lot in my career. I always had someone to consult with and whether it was professional or career issues and since it’s such a small industry in Israel, I worked with many of my previous peers and colleagues again and again in different projects and different companies. I always had someone to speak with and ask questions and consult. In some aspects of my career, I always found someone to talk to. So it really helped.”

Becoming a CISO 

After years of working in the field, Reut started the transition to CISO. Her years of experience in cybersecurity and tech brought her the insights and knowledge to the position. “I was consulting and working with different sectors, I’ve seen how every organization has a different approach when it comes to cybersecurity management and over the years. I saw how organizations handled cyber-attacks, how they managed cyber operations and different approaches to security strategies. I learned from project to project to gain experience and that allowed me to feel confident in my knowledge and ability to spot vulnerabilities and needs.”

After experiencing different roles in cybersecurity and her business background it was the perfect time for Reut to become a CISO. “With the years came the experience. So it goes hand in hand and also I had some business – I had a lot of business background. I did a strategy project and management project. So it’s all combined together. I also have – in addition to all the technology experience and certificates, I also have an MBA. So it worked perfectly together.”

First 90 Days As a CISO 

You’ve just been given the responsibility to lead the security transformation in your organization. Where do you begin? How will you approach the situation? For Reut, it started with a strategy to protect the organization’s data. “ My duty as a CISO was to develop a strategy to protect the company’s data. This should always be done by working with IT and business teams. Full cooperation is required to identify, develop, implement and maintain cyber policy and processes across an organization.  So for the first 30 days, I worked on establishing relationships and trust. I took the time to understand organizational structure, who is who, how they used to work, what technology do they use, where’s the data. Do they print? Do they have access to data from mobile phones? Since they already encountered a security incident, I ask different people what happened and how they feel about it and so on.”

Reut mentioned trust was a key factor for security success in her role. “It was important to me to get my peers to trust me and get on board for the good of the company. One of the things that I emphasized was that this is not an audit and I’m not looking for fraud. I’m looking to understand how they are used to work, so I could assist them to do it in a secure way.”

In the final two months, Reut spent most of her time working with the IT team to find where the holes were” For the following 60 days, I worked in security assessment and gap analysis. I worked with the business unit managers and with leading personnel in those units to map the critical business processes and find cyber vulnerabilities.

The Challenges 

Every new job comes with challenges. Reut didn’t let those challenges affect her work, but the help of her colleagues made the process easier. “The biggest challenge I experienced was inventory. Data systems, storage and physical devices. The little documentation that they actually had wasn’t updated. So in fact I had to start from scratch and I had assistance from department heads for data. I asked the IT manager to help with systems and applications. DevOps helped me with storage information and I asked the office manager for help with all the physical assets.”

To help internal security awareness, Reut implemented security training for the company’s employees which in the end helped employees become more comfortable to bring up security questions or comments to Reut.  “I started raising cyber risk and security awareness, I sent periodic updates of cyber incidents relevant to the industry and sent do and don’t tips and so on. So at that time, everyone already knew who I was and started consulting with me about phishing emails, mobile security questions and also some personal questions such as how to know if the gaming application that our kids are using is actually safe.” 

Reut quickly caught that security hygiene was very limited within the employees. “People at startups are tech-savvy. They’re agile. They’re in front of tech news. Nevertheless, I found out their cyber risk awareness is very limited. It shows little things such as leaving the workstation unlocked when they take a break or mobile phone passcode is one to six. Everyone knows what – that there is something called phishing. But most of them will fall for a spear-phishing attack that would be slightly more sophisticated than the usual spam.”

How Startups Can Avoid Security Challenges

Most startups can easily fall to prey when it comes to security challenges. Reut explains how it can be avoided with the right processes.” They say in security, we divide everything to – according to the golden triangle of challenges before process and technology. So in terms of processes, it is rare to find a startup with structured security policies or procedures. The work procedures are not consistent and are usually open to interpretation and new employees just learn how things work from their buddies and not in a formal way.”

Reut highlighted that a major challenge for startups is proper user permission and access to resources.” One of the biggest challenges for me was lack of consistency in – that there was no one central domain to manage user’s permissions and access to data resources. Also, the lack of group policy, with every change of configuration or any OS or application updates required an IT person to take each and every computer and install or update manually.

Reut suggested that most starts provide freedom to their employees to install or do whatever they want which causes a lack of visibility when it comes to security.” In many cases, employees have the main rights on their computers and they could just install whatever they want freely. Well, in fact, software installation should be done by IT professionals and also be documented. So the company will have an updated inventory.” 

To hear the entire interview with Reut please listen to the full podcast here. You can follow Reut on Twitter @reutweitzman.

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.

Read More
Female Security Pioneers Who Are Inspiring Other Women In The Industry
Reading Time: 5 minutes

Cybersecurity has long been considered a man’s domain. According to Cybersecurity Ventures, there will be up to 3.5 million job openings by 2021. Meanwhile, women make up only 20% of the cybersecurity workforce. 

The reason for the gender imbalance in the security realm is multifold. Starting from a young age, girls are not encouraged to pursue STEM degrees or hobbies. Additionally, there exists an “unconscious gender bias” when hiring women in the field, and an even more difficult time retaining women due to wage disparity and lack of female colleagues and mentors. Women in security are often “the only woman in the room” – but there are a few professionals who have dedicated their time to changing this. 

While there are a number of reasons that women are underrepresented in the industry, we have chosen to focus on a few women who are pioneers in their field by breaking barriers and smashing stereotypes in the field. Whether for their innovation, leadership, or integrity, these women are inspiring and empowering other women to pursue a career in cybersecurity.  

One of the best ways to bring more women into cybersecurity (and to keep them there) is to lead by example, create spaces and opportunities for women to enter and grow within the industry. Networking with women in the field, lifting and supporting others, joining groups and communities for women by women – these are some of the ways that female professionals can inspire and encourage women to join this line of work and grow within the security industry. 

Read about the women that are breaking the gender stereotype in security and encouraging others to do so as well: 

Chani Simms

Her accomplishments:

When talking about inspirational women in security, it’s impossible not to mention Chani Simms. An award-winning cybersecurity leader and TEDx Speaker, Chani has been in the IT industry for nearly 20 years. Originally from Sri Lanka, Chani co-founded Meta Defence Labs UK in 2014, a Cybersecurity and IT Infrastructure service provider. Under her leadership, Meta Defence Labs UK has garnered international recognition and accolades and she expanded its operations into Sri Lanka to offer cybersecurity expertise and skills to south Asian communities. 

How she’s helping women in security:

Chani’s passion for cybersecurity combined with her enthusiasm for women’s empowerment led her to found SHe CISO Exec., an initiative aimed at empowering a new generation of talent in the world of information security. SHe CISO Exec. provides a bootcamp and mentoring platform for women (open to men as well) in cybersecurity and focuses on bridging the skills and diversity gap in the industry. 

Watch her TedX Talk:

 

Tanya Janca

Her accomplishments:

If Wonder Woman was an ethical hacker with a stylish fringe, her name would be Tanya Janca. Tanya is a computer scientist and the founder, security trainer and coach of SheHacksPurple, a learning platform dedicated to teaching Application Security, DevSecOps, and Cloud Security. In addition to running her own Open Web Application Security Project (a nonprofit foundation that works to improve the security of software) chapter in Ottawa for 4 years, she co-founded a new OWASP chapter in Victoria and co-founded the OWASP DevSlop open-source and education project.

How she’s helping women in security:

Tanya is also an advocate for diversity and inclusion, and co-founded the international women’s organization WoSEC (Women of Security) a free community for women to meet in person in cities around the globe to network, vent frustrations, find peers, and make new friends. She started the online #CyberMentoringMonday initiative, and personally mentors, advocates for and enables other women in her field. She actively writes on her blog, Twitter, LinkedIn, and promotes videos on YouTube, spreading her security research for free in order to contribute to the security community.

Follow Tanya on Twitter @shehackspurple

 

Jane Frankland

Her accomplishments:

While Jane Frankland is an award-winning entrepreneur, best-selling author and international speaker, she states that her three children are her greatest achievement. She has been working in cybersecurity for over 20 years and has held senior executive roles at several large PLCs, as well as founded Cyber Security Capital, a training and consulting company. Her diverse and impressive resume includes being nominated as a Young British Designer, LinkedIn Top Voices, a Top 20 cybersecurity global influencer and Top 100 in UK tech. She built her own global hacking firm and has been actively involved in OWASP, CREST and Cyber Essentials. 

How she’s helping women in security:

Before she turned 30, Jane built a 7-figure global business (as a single parent) and claims, from experience, this is not the hardest thing in business to do (rather, to turn around a failing company.) She has also authored the Amazon Best Seller IN Security: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe. She specializes in business strategy and high performance and is a world authority on attracting and retaining women in cybersecurity. 

Check out her YouTube channel

 

Bonnie Butlin

Her accomplishments:

If you haven’t heard of “Canada’s First Lady of Security” Bonnie Butlin, it’s time to get familiar with this impressive entrepreneur. Bonnie is an award-winning expert in security and intelligence and co-founder and Executive Director of the Security Partners’ Forum (SPF), the first-of-its-kind agile international network of security professionals within NATO. Over the past decade, Bonnie has received 20 international and national-level awards and honors related to security and resilience including the “Women of the Decade” Award presented at the Women Economic Forum in 2018.

How she’s helping women in security:

Bonnie created Women in Security and Resilience Alliance (WISECRA) which engages a growing network of women in security around the world. Organizations and businesses around the world look to Bonnie to help increase the number of women in security. Bonnie is considered an inspiration to young women entering the profession and has actively been mentoring and involved in public speaking engagements for women and young professionals in both physical and cybersecurity. 

Listen to a podcast interview with Bonnie Butlin at #AISACON17 by MySecurity Media

 

Sivan Tehila

Her accomplishments:

This list of women would not be complete without mentioning our very own Director of Solution Architecture, Sivan Tehila. Sivan is a modern-day Superwoman and we just don’t know how she does it all. Her impressive resume includes serving for 10 years in the Israel Defense Forces in roles such as Information and Cyber Security Officer, CISO of the Research and Analysis Division, and Head of Information Security Unit of the Intelligence Corps. Sivan also devotes her time to educating the future generation of cybersecurity leaders as an Adjunct Professor at Yeshiva University.

How she’s helping women in security:

Sivan is dedicated to increasing female representation in cybersecurity. In 2019, Sivan founded  Cyber Ladies NYC in order to create a safe and empowering environment for women to share knowledge, mentor others, and become role models for young women at the beginning of their careers. She often engages in speaking engagements around the world and contributes articles and thought leadership pieces to renowned security publications. 

Learn more about Leading Cyber Ladies NYC: 

The women in this article are just a small representation of those working towards a more inclusive and diverse cybersecurity workforce. We hope you were inspired by the stories and accomplishments of the women above, whether to pursue a career in cybersecurity, encourage other women to pursue one, or to hire more women in your organization. If you would like to nominate additional female security professionals for future blog posts, please email us at [email protected] 

Read More
ZTNA
ZTNA: A World Where You Won’t Be Afraid to Grant Permissions Access
Reading Time: 3 minutes

The word trust is a common theme in cybersecurity when it comes to network breaches, yet the idea of lack of trust is what’s highlighted in these breaches. A company’s feeling of safety and security can disappear in a nanosecond once their network has been infiltrated, and all control of networks and applications is lost. For all tech-forward organizations, the feeling of lost control becomes more universal with every new breach to hit the headlines.

While in some industries this scary feeling may be up and coming, in the network security landscape it is not a new phenomenon. Whether from malware, ransomware, or your classic unauthorized access network breach like we saw with Capital One, zero optimism is entertained concerning the safety of companies and individuals from hackers. Awareness of one’s level of a vulnerability is a prerequisite to safety and enables one to take pragmatic steps to secure their data. 

Rethink the Approach for Network Security 

Until recently, the organization’s IT and security teams primarily focused all their security efforts on fighting off different attacks on the perimeter. While this was the right approach when everyone worked in the same office, times have changed. Due to COVID-19 accelerating the “work from anywhere” approach, we need to rethink network security strategies and pivot them around the user instead of where the network is based. 

With more employees working outside the physical office, there is a quickly growing number of endpoints for hackers to attack. In most organizations, the typical employee uses multiple devices to do their daily job. Is each device secure? The answer is probably yes – but you can’t be certain. With each unsecured every device, organizations’ networks are taking an unnecessary risk. When networks are breached, the process of understanding where and how access was gained is not instant and by the time you have your answers, it is too late.

IT and security teams need to change their approach, and instead of solely emphasizing perimeter security, transform their employees’ permissions and access policies. One of the most common mistakes organizations make is trusting their users when it comes to authorized access. When you provide unrestricted access to any user or device in your network, you simply open the gates for your organization’s network to be breached. 

Once a user or organization is compromised, their credentials can easily be used to infiltrate the network, especially with different attacks. This presents the idea that organizations need to have better visibility when it comes to authorized user access to their network. So how can organizations trust their employees once again?

Zero Trust Helping Us Trust Again 

Can we trust our employees once again, and reduce their responsibility and impact as guards of the organization’s network against hackers? I believe we can, as humans are meant to be trusted even though in many instances human error puts that trust in doubt. People aren’t perfect, we all make mistakes, but we must account for them proactively.

A common approach that has gained popularity over the past decade for secure network access is by implementing the Zero Trust model. Zero Trust was originally proposed by Forrester in 2010, with the motto “never trust, always verify”. This is the idea that until the user can verify him or herself via authentication, they will not receive access to the network. Adopting Zero Trust is not a specific product or architecture, instead, it’s taking a more modern approach of setting up organization-wide guidelines inside the company’s resources. 

By implementing the ZTNA model for secure network access, IT teams will have full control over who is granted access, enters and leaves the network at all times. For each network, resource or application, there should be a set of rules and policies in place enforced by the key elements of the Zero Trust model: multi-factor authentication, proper device management, limited privileged access and network segmentation using software-defined architecture.

ZTNA The Approach Not the Model 

Organizations that take the right approach with ZTNA can erase the concept of trusting in their employees and won’t fear to grant access. To achieve secure network access inside your organization you will need to have the proper principles implemented and distributed throughout the company. Treat Zero Trust Network Access as a manual for how organizations should strategize and “trust” their employees with the keys to the kingdom. 

Read More