Get Granular with a New Feature: User Configuration Profiles

The ABCs of proper network security start with A, of course. A is for Access, and it’s the basic idea that lies at the heart of any secure organization. Employees connecting to essential corporate resources shouldn’t have the same access policies, or else they all represent an equal threat to the organization’s data, and present a wide attack surface to hackers.

Just as you wouldn’t give every employee the same access privileges, configuring their security software the same way is also something to avoid. No two employees connect in the exact same way, and designing security as if they do is a mistake. That’s why we’ve recently released the newest of many layers in our multi-layer network security platform: User Configuration Profiles.

Scalable Security Starts with Configuration

Some of the most dangerous security blunders involve mismanaged software configurations, and according to a recent Threat Stack survey, over 73% of companies were able to identify at least one serious misconfiguration happening in their own networks. One wrongly toggled setting can create wide gaps in security that aren’t easily identified, because they may not affect every user, and because misconfiguration is a problem that doesn’t call a lot of attention to itself, unlike attacks such as DDoS, which occur overtly.

To combat configuration mishaps, it’s important to configure each employee’s security software in a way that complements their unique situation. Legacy solutions don’t provide this capability, forcing companies to use the same configuration for all users, or they force IT teams to work manually and configure each employee on a case-by-case basis.

When creating a User Configuration Profile, you can define how the Perimeter 81 agent or web platform is configured – down to the granular details – and then assign it to a relevant user or group of users in your network. Profiles allow you to differentiate configurations for users with different roles, devices, locations, operating systems, and more, and save and reprioritize them so they can quickly be assigned to new users.

How Does It Work?

Account managers and admins can find the User Configuration Profiles tool under Settings, after logging in to the Perimeter 81 web platform. After clicking on User Configuration Profiles under Settings, you’ll see the menu where your previously-created profiles live. There will already be one Default Profile here, which includes all your users.

Clicking on the Add Profile button brings up the screen where you’ll name the profile and assign it to a predefined group of users: these are the only two fields required for your profile to be listed on the previous screen.

Below the fold, you’ll be able to tweak this profile’s configuration options for both the Perimeter 81 web platform and the agent. Specifically, configuration options include General Settings, Network Settings, and OS-Level Settings.

General Settings: Available for both the web platform and the agent. General settings include the ability to automatically log users out after a certain period of time, to connect users to a specific public gateway, to connect on launch, to enforce automatic upgrades and other basic options.

Network Settings: Only available for the agent, network settings let admins determine how and when traffic through these users’ devices is encrypted. Options like our patented Automatic Wi-Fi protection automatically activate a VPN connection on unsecured networks, while Always-On VPN cuts the internet if encryption falters, even momentarily. Other options include a VPN kill switch and the ability to specify Trusted Wi-Fi networks.

OS-Specific Settings: Another agent-only configuration option, OS-specific settings determine how users on different operating systems can connect. The central utility here is that the profile’s users are protected with a VPN encryption protocol chosen specifically for their OS. For example, you can enable IPSec encryption for Mac users and WireGuard for Windows users, or any combination in-between.

Configurations Galore

Perimeter 81 customers will notice that multiple users can be assigned to one configuration profile, but also that a single user might be a part of multiple configuration profiles. With the additional ability to swap the priority of active configuration profiles, customers will enjoy newfound customization and granular control over an often underestimated element of network security.

We look forward to adding new security and networking features that further strengthen our customers against data theft. For now, we recommend you get acquainted with User Configuration Profiles, and the best place to get started is our helpful knowledge base article.

What Do Successful IT Leaders Identify as Their Top Remote Work Challenges?

Network security is our expertise at Perimeter 81. With this in mind, we are excited to announce that we have released our State of Network Security report for 2020. The purpose of the report was to get a better understanding of the different secure network access challenges facing IT managers from companies of all sizes and industries. We sought to determine the key IT and security insights they encountered since the shift to remote work, and the result provides insights into the IT landscape and how its leaders think during these transformative times.

The COVID-19 Pandemic Accelerated Remote Work

2020 has proven how important network security truly is. Due to COVID-19 health concerns, businesses were required to enforce company-wide work-from-home policies overnight. For many organizations, this new reality found entire teams working remotely for the first time ever. It was common for employers to focus the first two months of quarantine on ensuring that employees were healthy, devices were connected and projects continued to move forward, all while adjusting to the home becoming the new office. Now, with no real end in sight, businesses are facing the possibility that they will be managing their remote teams permanently, at least for some portion of the traditional workweek.

More than ever, remote work is now considered a key element of effective business operation due to results including greater agility, employee satisfaction and productivity, and reduced costs. However, this shift has created an unprecedented set of challenges for IT managers, who may not have experience leading their businesses’ networking and security remotely.

With more employee devices and endpoints, IT teams are experiencing the challenge of lower visibility and potential network exposure, as their legacy security infrastructures can’t cover an increasingly dispersed and cloud-reliant workforce. With each passing month, IT and security teams are implementing more cloud-based SaaS vendor solutions on top of their network. While this may help businesses gain agility and boost productivity, it comes with security and networking challenges that must be addressed sooner rather than later.

Key Takeaways From The Report 


Majority of Organizations Poised to Adopt Cloud-Based Security Solutions

As technology advances by the day so do business networks. Thanks to the cloud, networks are now faster and more accessible than ever. However, as more devices connect and transfer large amounts of data between off-premises resources, it puts a massive obstacle in front of IT and security teams.


These obstacles exist because until now, IT secured remote workforces with legacy technology, which creates bottlenecks and limits network visibility in situations where workers exclusively connect from home. Legacy solutions like VPNs – currently in use by 66% of IT managers – and firewalls make security difficult, because they are unable to scale to many different connections, each with various characteristics and risks.

To ensure that their growing number of remote employees are connecting securely to their hybrid-cloud network, no matter where they work from, IT and security teams are overwhelmingly looking to adopt secure information access solutions to replace or complement their legacy tools. This has meant an embrace of cloud-friendly security for a multitude of reasons.


According to IT managers, their organizations are now more likely to invest in modern, secure information access solutions to support the remote workforce. With it they can complement their existing cloud infrastructure and replace old solutions that limit agility, security, and cost-effectiveness.

Increased Remote Worker Productivity But Network Performance Presents Obstacles

With remote work further ramping up investment in the cloud, companies are now concerned with making their hybrid-cloud networks as efficient as possible. The cloud is already beneficial in terms of reducing infrastructure costs and boosting accessibility for remote workers, but to maximize ROI, organizations want to help employees using the cloud perform as best as they can. For many, this has meant achieving the same low latency conditions that workers used to experience when they accessed resources that were hosted nearby.

In a network that’s accessible to remote workers, a wide array of different connections occur simultaneously across multiple resources. Unsurprisingly, for the majority (43%) of respondents, latency is sometimes experienced across these networks. This comes in the form of lag time when users connect and input data or commands into applications.


Scalability, Budget Top Challenges for IT Leaders as Remote Work Becomes Permanent

A corporate network that is optimized for remote workers is crucial for satisfying operational goals and ensuring business continuity in the “new normal”, but these aren’t the only concerns for a growing company. The survey results reflect this idea well. Because new resources (such as SaaS applications) and users are added to the network as the organization matures, the scalability and visibility of user access enters the picture.


With time, it’s possible for IT to make any remote access solution work well for a static number of apps or users. If they don’t do it in a scalable manner, however, the team must invest similar effort every time the network changes slightly. Accordingly, when asked about obstacles in the way of a secure remote workforce, most companies agreed that difficulty finding a scalable technical solution will likely loom the largest.


Another interesting takeaway is that scalability and budget availability are neck-and-neck regarding secure remote work challenges, at 39% and 38%, respectively. In many ways, this makes sense: What’s the point in finding a scalable remote access solution if there’s no room in the budget for it, or alternatively, what’s the use in a non-scalable yet affordable solution?

Ultimately, workforces everywhere are already embracing the remote work status quo, and organizations have added tools that help them do their jobs from anywhere. The issue has then become how to increase the efficiency of the remote work security apparatus now that it’s in place.

Final Thoughts 

Remote work is here to stay, during and after COVID-19. The change it’s had on the business world, or more specifically the information technology supporting the business world, has IT managers thinking differently than they once did. Data gathered on various topics posed to these managers, surrounding remote work and networking trends, gives us a glimpse into how decision-makers in the industry see things moving forward.

Read additional valuable takeaways from this research and access the full report 

5 Security Tips in Honor of Cybersecurity Awareness Month

Each October, security professionals kick off Cybersecurity Awareness Month. First launched by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security in October 2004, Cybersecurity Awareness Month is helping internet users all over the world stay safe and secure through awareness and training.

In 2020, cybersecurity awareness has taken on a new meaning. While in the past, IT and security teams have carried the main burden of securing their organization’s network, data, and resources, the last six months have proven that this is not enough. Now that home is the new office and entire organizations have shifted to remote work, each employee shares equal responsibility for the safety and security of their company’s network.

Before the transition to working from home, it may have been enough to require employees to lock their computers when leaving their desks, or enforce frequent password updates. Now, each employee has become the CISO of their home office, and most of them lack the proper training, opening the door to security hacks and breaches with simple mistakes.

Cybersecurity awareness and training for employees has always been important, but with the work from home model here to stay, CISOs and IT managers have been adjusting their business continuity plans and cybersecurity strategies accordingly. Whether working from home, from the office, a combination of both, or on the go, employee awareness should always be at the top of the security team’s mind.

In honor of Cybersecurity Awareness Month, we’ve compiled our top 5 tips for protecting your organization’s network and employee data, whether your workforce is remote or back in the office.

1. Increase employee awareness

“Only amateurs attack machines; professionals target people.” This quote by famous cryptographer Bruce Schneier in 2000 is still true 20 years later. Hackers seek out vulnerabilities in human beings – phishing attacks, social engineering, weak passwords, etc. Making employees aware of the different types of attacks and explaining their significance will put employees on alert to questionable links and downloads. Instilling the idea of shared responsibility among all workers is paramount to protecting everyone’s sensitive information.

2. Train employees on an ongoing basis  

The Aberdeen Group found that security awareness training for employees can reduce the risk of socially engineered cyberthreats by up to 70%. However, they emphasized the importance of ongoing training to counter the different methods of cyberattacks that are constantly evolving. It is important to not only make your employees aware of the various risks, but to have ongoing training that is both engaging and interactive.

3. Implement a Zero Trust solution

Even the most security-aware employees might occasionally drop the ball. The Zero Trust model means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. While we want to believe that everyone in our organization is trustworthy, we can’t make this assumption. Limiting access to resources to only those who are authorized can significantly lower the risk of attacks and data breaches.

4. Audit and monitor your network

Log management plays a key role in your digital security strategy. Collecting logs and monitoring your network is important in order to respond to a security incident in real-time. Complete network visibility is pertinent in order to focus on network events of interest and react accordingly to potential threats. Additionally, collecting logs and monitoring your network will help you to learn employees’ behavior and to adjust your training and awareness plan accordingly.

5. Ensure that your security strategy is user-friendly 

End-users should not be preoccupied with security issues yet must be able to adhere to the guidelines laid out by the security team. Adopting user-friendly solutions presented clearly and effectively (and not highly-technical documentation that will be lost on the average layperson) is paramount in having employees cooperate with the security strategy.

While your organization may rely on the security and IT teams to create and implement a strategy, employees share responsibility to adhere to the guidelines set out by security professionals. Above all, educating employees and increasing awareness will help your team manage cybersecurity risks and vulnerabilities. If everyone does their part, we decrease the risk of data hacks and breaches, creating a safer world for everyone.

A Day in the Life of a Security Incident Response Expert

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.

In this edition of the Beyond the Perimeter Podcast, we discussed the NorthShore data breach and interviewed Reut Menashe of Tetrisponse about security incident responding. 

Breach of the Month: NorthShore Foundation

On July 22nd, NorthShore University HealthSystem announced they were part of a data security breach which potentially had affected over 348,000 people. They were informed about the breach from a company named Blackbaud, a software services provider to thousands of nonprofit fundraising entities worldwide, including NorthShore Foundation. According to Blackbaud, the breach occurred due to a ransomware attack on its systems between February 7 and May 20, during which time unauthorized individuals accessed and extracted some of Blackbaud’s client files.

NorthShore determined that patients’ full name, date of birth, contact information, admission and discharge dates and more information were accessible by the attackers. This incident was not a breach of NorthShore’s internal applications or systems; that means no patient medical records were accessed. 

In this episode, I talked to Reut Menashe to learn more about her experience as an incident response expert and how she helps companies when they experience a cyberattack.

Interest In Computers Cemented Her Career 

Like many security experts, Reut’s interest in computers started when she was young. “I loved computers when I was little. I remember playing with a computer that my parents bought me and because I was the only one who understood computers really at the time, I taught myself how to use them. This was the start and from year to year I quickly understood that I’m a self-learner. I learned a lot online over the internet with friends and when I joined the Israeli Army of course, it gave me a lot of knowledge and this is where I learned my roots.”

Despite being an early adopter of computers, she isn’t a fan of programming. “I never liked really programming, but I did learn it when I was in high school. My first computer was 386. This was the model of the processor, the CPU. We are talking about the middle of the ‘90s, maybe a little bit before the start of the ‘90s when the internet was beeping and making weird noises before you connected to the world wide web. In school, we learned assembly. This is a very hard language. It’s like a very low level. Basically, I remember I developed the calculator in this language. It’s a very basic program but it was very challenging at that time.”

Like many security experts in Israel, Reut gained interest in cybersecurity due to her time in the Israel Defense Forces. “My service was actually the start of the era of understanding that information security is also not physical. It’s very much related to computers. So the defense methodology started to heat up in the army and I think I was one of the first to be part of information security in the defense of the Israeli Forces Army.” 

Many security experts take their knowledge from their army service and use it in their professional careers. In Reut’s case, it built her career. “I finished my service and just started to work in the industry here in Israel. I worked as an information security consultant in one of the local companies. It was a very global company named GRC and because of my skill of exploration and curiosity, I think this is something that helped me a lot to develop and to make a new skill set during these years. I love to learn. So everything that I don’t understand or I feel a little bit uncomfortable with, I have the need to go and research and to understand it. So this is one of the most important skillsets for hackers I think, curiosity. So you can’t be a good one without it.”

Life As a Security Incident Responder 

One of the more interesting jobs in the security field is being an incident responder. For Reut, her expanded skill set has helped her thrive in her job. “To work in incident response you need to collect a lot of skill sets in the tech world. You need to understand how networks work and what kind of infrastructure organizations are using and how the technology of the infrastructure is being deployed and you need to understand the operating system. Your familiarity with specific databases needs to be specific with specific technological SOC  and how developers are working. So you need to have vast experience in a lot of technological topics in order to be good incident responders. Over the years I have collected a lot of information. I gain a lot of knowledge within the technological world from the security perspective of course.”

Unlike many jobs in the tech world where you are more or less doing the same task every day, Reut’s day looks completely different every day. “Basically we will get a phone call from a company that has an issue and they don’t know how to solve it because most of the companies are not familiar with information security. They don’t know how to approach it and possibly they have like maybe a ransomware attack or maybe someone who tries to manipulate them or one of their assets is being leaked or such. There are a lot of scenarios.

When I meet with a company that I have no familiarity with, I don’t know how they’re working. I don’t know what kind of technology they have. I have to learn this very fast and to understand how I’m going to contain the incident and to make the attacker go away and mitigate and minimize the reason that the attacker put into this company’s life. You need to be very experienced in order to tackle and to handle an attacker that knows exactly what they are doing most of the time.”

To understand the attacker’s mindset, Reut uses her love for security and expertise to understand how a company was attacked. “I bring my expertise and my passion together in order to help those companies to go back to their day-to-day job and this is the main goal.”

No One is Truly Secure

When asked what steps businesses should take to be more prepared for attacks, Reut recommends that businesses need to know they are never completely secure. “You need to understand that you need to do something before the attack is happening. There isn’t a company that is always safe, there is no such thing. Everyone is hackable, if you understand this, this is a good approach. You can say to yourself, ‘Oh, I don’t have anything interesting. Why are the hackers going to come to me?’ It’s not true. Hackers have a lot of scenarios that they can exploit in order to make them grow and make them prosper. So it doesn’t matter if you are dealing with highly classified information or with money or with the information that it’s not classified at all. Hackers are going to come everywhere where they can make benefit from. So this is the first thing to understand.”

Reut highlights that understanding your security posture can be another layer of defense against attackers. “Second thing to understand and when you know that you need to be prepared, you need to understand what your security posture is. What are the threats that your company is going to deal with? Not every company has the same threat, of course. You need to analyze the threats and think about what I am protecting from. What I’m protecting inside the company. What do I want to gain in order to protect the company? When you start thinking like this, this is already a step forward into more mature information security because you engage within a company, internally and externally. You start initiating the process and you start making things happen.”

Importance of Security Communities 

Security experts love to share their expertise for the greater good, and according to Reut, security communities are a great place to learn more. “I’m part of two communities, BSides TLV and Leading Cyber Ladies. I think communities especially in the COVID-19 era are something that we should very much try to be part of our life. If you join a community, it doesn’t matter which community. We’re talking about information security and cyber communities of course. It’s a place where you can gain knowledge. It’s a place where you can meet new people and you can listen to new approaches to understand what’s going on in other people’s industries and cyber worlds. So this is a good place where you can start in order to gain more knowledge and to be more familiar with the – what’s going on in the cyber world community.”

Other than being part of a security community, Reut has co-founded different communities. “Maybe you can run your own communities if you find something that you feel very passionate about, and this is what happened to me with BSidesTLV, which is the biggest hackers community in Israel and Leading Cyber Ladies, which is a community that started in 2015 and that established the community here in Tel Aviv and I joined two years later and we start to be global. Sivan Tehila opened a New York chapter of Leading Cyber Ladies. We’re willing to open more communities, more in other locations in the world. 

So this is something I’m very passionate about, to bring more women into the industry and help them to be – to stay in the community, right? It’s not only to start in the community. You need to keep yourself in the community as well. So this is something I’m really passionate about and I learn a lot because I meet a lot of new people that teach me all the time.”

To hear the entire interview with Reut please listen to the full podcast here. You can follow Reut on [email protected]Reutooo. If you’re in need of incident response, you can reach out to Reut by email at [email protected]

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.

Edge Security and Our Strengthening Data Center Backbone

The cloud is synonymous with data centers, making the term much more grounded than its airy nickname lets on. Behind the buzzword, it’s common knowledge that most companies in the world rely on a number of infrastructure, hosting, and computing providers that can be counted on one hand.

Providers of the public cloud have been hard at work centralizing their enormous collections of servers, and eating away at the empty space in the industry until the competition has mostly been gobbled up. Most opportunities for new providers are now on the “edge”, away from giant server warehouses and closer to cloud consumers.

The edge is where users are; it’s that simple. It’s where applications are being accessed, rather than where the servers sit. Computing, storage, and other ideas have moved to the edge to better serve users, and it stands to reason that security should be on the edge as well. Otherwise, processes like authentication and encryption occur over much longer distances and place limits on productivity – largely due to high latency.

Perimeter 81 Serves Security from the Edge

As both resources and network infrastructure management make the transition to the cloud, it no longer makes sense to conduct security through legacy solutions, which were designed to protect the classically defined network perimeter. The perimeter has dissipated, and is now where users are – and especially in the era of remote work, it makes sense to apply security practices at network nodes that are outside the traditional core.

The edge must be secured with the same ideas required by the core, including:

  • Visibility of all resources, not just those that are on-premises
  • Monitoring that encompasses users and endpoints on the edge
  • Data and traffic privacy at all times and states
  • Resource access policies that incorporate the cloud

A quickly growing number of remote workers with access to the cloud means that countless endpoints have direct access to company data, so the same security processes that used to happen between office PCs and office servers now must happen between a mobile phone and a local data center. To help our customers achieve this feat, we’ve been building a backbone of global data centers that better supports edge networking and security.

Perimeter 81 Customers: Deploy a Custom Cloud Edge

With five new self-managed gateways being added to our already strong backbone of global data centers, Perimeter 81 customers are able to orchestrate access more safely and efficiently from the edge of their networks. These five gateways also offer customers a greater degree of control over their local hardware.

New Data Centers:

  • New York
  • London
  • Silicon Valley
  • Dallas
  • Israel

Now in production, customers are able to set up new network gateways in New York City, Dallas, London, Silicon Valley, and Israel. A crucial part of this infrastructure is that it’s proprietary and not set up by a third party, allowing Perimeter 81 (and our customers by extension) granular knowledge and control over specifications and configurations, downtime, and more.

Exercise Greater Gateway Control:

  • Proprietary managed and set-up hardware
  • Tailored configuration, downtime and other details
  • Redundant internet connectivity
  • Connections routed through our IPs, not public
  • Priority bandwidth

We offer priority bandwidth in these locations, and do not route customer connections to our gateways through the internet or cloud providers: All connections are direct on our own IPs, which prevents customers from being blocked due to public or ISP origins, and also allows the fastest speeds and lowest latency possible.

In addition, all gateways come with redundant internet connections that keep your users productive even on the rare occasion that an ISP drops. This is a new and beneficial precedent that we’re setting for our customers, who we want in the future to be able to customize their networks and receive the most secure, low-latency, and streamlined experience possible.

Can You Prove ‘Work From Anywhere’ Employees Are Secure?

Before 2020, the idea of working from anywhere wasn’t the way most companies operated. A small number of open-minded organizations were the early adopters of a more flexible way of working but not many. Despite further adoption of remote workers, popular tech giants, corporate companies, and even startups weren’t as open to the idea.

While working remotely isn’t a new idea, it has gained more traction in recent years due to an expanding array of benefits for organizations and their employees. Some of the benefits include increased work productivity, better retention of employees and cost savings. One of the key benefits that people tend to forget is work-life balance. As organizations allow their employees to work from anywhere they choose, whether it’s from home, a cafe, or even a different country, the flexibility of where and when you want to work can provide employees a mindfulness that adds to productivity and job satisfaction.


More disparate branch offices and employees isn’t the only factor that is encouraging more organizations to go remote; we can’t forget about the technology. The idea is like the chicken and the egg: technology has advanced remote workforces and remote workforces demand more powerful technology. With the help of tech advancements made on behalf of remote workforces and the modern shift in our collective work culture, the future of work from anywhere is brighter than ever.

From a Benefit to a Necessity

Before COVID-19, most organizations saw remote work as a benefit to dole out to trusted employees, and less as a necessity. This has been thrown out the window in our current pandemic-driven lifestyle. Over the past year, we have all experienced this idea – that in some way part of our professional responsibilities have gone mobile, and that it may likely become the new norm.

Close to 70% of businesses are in favor of shifting to work from anywhere permanently. Ironically, some of the major tech giants who were originally against working from anywhere have become its biggest supporters, largely due to their success during the pandemic. By 2030, Facebook said it expects that at least half of its 50,000 employees will be working from home permanently.

While the idea of everyone working from anywhere sounds ideal, it’s not without challenges. One of the most pressing is that it creates many security and networking obstacles for IT teams. IT managers need to protect hundreds or thousands of users, devices and faraway cloud applications even when they have no idea where users are connecting from – and even worse – who they are or what they’re doing in the network.  

This ongoing challenge has frustrated every security professional in every organization since early March. When their users suddenly were forced to work from home, IT teams scrambled to make sure these users could easily and securely connect to their network and resources overnight. They also discovered that the task was harder than initially anticipated.

Working from Anywhere Comes With Network Challenges

While the idea of working from anywhere comes with many benefits, organizations need to implement the right technology that will offer users a fast and secure network connection that isn’t lagging. Most remote users are connecting to their work environments that reside on the cloud, so security teams need to make sure that their security model can provide connections that are both secure and fast, no matter the location of the user. This means doing away with outdated security models.

A more user-centric approach to secure network access allows for quick and secure connections to corporate resources and applications. Organizations that continue with the site-centric approach will be stuck with slower connection speeds, which will result in decreased productivity for their workforce – and no stronger security to show for it.

Organizations that continue to depend on outdated network security technology will experience ongoing difficulties with the endless number of perimeters and endpoints that come with the transition to remote work. Without more modern and cloud-friendly network security policies, organizations’ attack surfaces are wider and leave more doors to critical resources open for hackers.

Whether the threat is an easy social engineering attack or a spear-phishing attack, organizations that don’t adopt the most up-to-date network security technology are not equipped to adequately protect a growing pool of remote employees, roles and identities, devices, and sources of data. This has forced many organizations to ask themselves how they can secure connections to the cloud when employees are working from outside the office.

Organizations Need to Be Security Ready for the Unthinkable

Organizations need to rethink how they will offer their remote workers secure access to work applications and resources. Until recently, the average organization forced employees to work with a VPN to gain remote access to corporate resources on the cloud. While this was a good idea at the time, this approach creates challenges such as latency issues when users are exclusively remote. A domino effect occurred which also reduced visibility over the organization and therefore risked compliance as well.

Instead of neglecting the proper up-to-date network security technology, organizations need to get with the times and adopt cloud-edge-based, secure remote access solutions that can integrate with the resources in use within the organization and help segment them for custom access policy. Automated policies, monitoring, and edge-networking deconstruct the barriers that previously bottlenecked IT and standard workflows. Companies can also be sure that their remote employees will stay productive no matter what unforeseen situations arise. 

The Hunt for the Right Security Solution for Remote

Organizations can adopt what they think is the right solution for secure remote access, but there will always be a risk of data exposure to attackers. It’s essential that organizations understand which network and security features are best suited to their ‘work from anywhere’ workforces. 

Here are three key features that every secure remote access solution should provide for better secure access.

Complete Network and Data Visibility

Full visibility of corporate resources, data and the network is critical when working with unmanaged devices. When organizations don’t have the capability to clearly see and manage user network activity to all company endpoints, it reduces agility in threat response, which can result in hackers gaining data access within the network to exploit it.

It is vital that the organization’s IT teams are provided complete visibility and control over data across all resources on the network. By adopting a software-defined solution that promotes interoperability within cloud and local resources, organizations can ensure that unauthorized access from malicious actors is harder to obtain and more visible should it ever occur. 

Identity and Access Management

Identity and access management should be a requirement for all secure remote access solutions. By implementing identity and access management solutions like multi-factor authentication (MFA), IT teams can put an extra verification barrier in front of would-be attackers. What’s great about MFA for organizations is that it requires their employees to provide a second form of identity verification that authenticates identities to ensure the user is who they say they are.

Organizations should also require that employees implement a single sign-on (SSO) feature, as it securely authenticates users across all their cloud applications with one (strong) password. Simplifying the authentication process for remote workers results in both security and efficiency.

Agentless Security

Organizations should implement agentless security when protecting corporate resources and data for their remote workers. IT teams that continuously use agent-based tools or solutions will require ongoing software update installations on remote devices, which will decrease productivity and the privacy of each device. Organizations that adopt agentless tools will help IT and security teams to offer their remote users better compliance and security without needing any updates on the user side. When network teams take advantage of agentless security, they provide a more agile and seamless work environment for remote workers.

Future of Remote Workers

As working from anywhere is here to stay, IT and security teams need to look at the current status of their network solutions and understand the different roadblocks they put in front of remote workforces – and their security. It’s important to clearly understand what’s working and what isn’t and to quickly acclimate to the new network shape that we all experience. By enabling less obtrusive security that suits remote workforces, companies are safer and more agile, bringing operational goals in line with IT.

Can Companies Afford IoT Inclusivity?
Reading Time: 4 minutes

The Internet of Things grows more massive with each passing year, as devices gain internet connectivity and impart new convenience on our lives – and in many cases new novelty. No matter if the “thing” in question is a manufacturing robot or a Brita that automatically reorders filters upon expiration, if it can receive instruction from and send data to the greater internet, then there’s an IT guy somewhere worrying about how it may expose his or her network.

This goes double for IT personnel in companies that make good use of IoT for work purposes, but bad use of IoT security by neglecting to factor in the network’s exposure. Addressing this idea is now part of IT’s list of responsibilities, and when creating a plan for how to walk the line between trusting IoT and being wary of it, multiple factors come into play. Thankfully, this part of the job is getting easier.

IoT’s Slow Security Onboarding

IoT is useful for countless industries, and its benefits far outweigh security risks in any circumstance. In healthcare, for example, IoT data is used to more deeply understand what conditions patients are in, and how practitioners should respond. Internet-connected devices that record patient outputs such as heartbeat, blood pressure, blood sugar levels and other biological metrics feed their data to centralized IT systems, telling hospital admins where frontline staff are most urgently needed, and how.

But IoT’s vital role in cases like these is also its weakness. IoT boosts mobility in many business environments, so much so that security is something that it has always grappled with as an afterthought. For businesses, the advantages of IoT have meant securing these devices is a second step, and the world is slow to wake up to the careful security deliberation that IoT requires. Ransomware, for instance, used to be hardly considered a credible threat to networks.

Ransomware attacks on IoT devices were long thought of as low-value for hackers and therefore not a pertinent worry for IT, given that these devices had little to no information on them (mostly in the cloud). There are also so many types of IoT devices that the economics of hacking them doesn’t work in the hacker’s favor – it’s too expensive and not worthwhile. Besides, even those hacked would likely never pay the ransom, because IoT devices aren’t known for having screens that relay information (like a ransom note).

Increasing IoT Popularity Opens Paths for Attack

However low-value IoT devices used to be, they’re now ubiquitous and hold a lot of importance for critical business functions. Security implications have changed as well, as hackers have changed their strategy, and no longer seek to crack the devices for their data but to interrupt these functions and create urgency and the risk of lasting damage. Take for example the IoT controller that adjusts how much of certain ingredients are added to drugs, an IoT-connected pacemaker, or a hacked power grid controller that determines electricity consumption for a small town. The ability to power these down or tamper with their settings is dangerous enough to justify a ransom.

Traditionally weak entry points on IoT devices need to be shored up if we want IoT benefits to continue to outweigh its risks. However, most of the time patching is on the manufacturer, and low prevalence of hacks thus far has prevented manufacturers from acting with urgency, so companies using IoT devices are often unprotected from within and without. The internal awareness isn’t there yet, with many IoT connections unencrypted when connecting to the network, offering hackers a way inside when the device relays to or receives info from the internet. 

In the split second it takes for the device to grab data, hackers can slide in undetected and set up shop in an undefended company’s network. Hijacked or rogue IoT devices were present in over 46% of companies this year, according to a report on “shadow IoT” devices found on their corporate networks, demonstrating just how prevalent this dangerous exploit is. 

IoT Security Solutions Must Provide Visibility

Fortunately, most of the issues stemming from IoT come from how invisible they are on the network, and how unrestricted their permissions tend to be. IoT devices are easily discoverable by hackers, even using public resources like Shodan, so they must be at least this visible to internal IT teams as well. The key to allowing IoT freedom to participate in the network but also to respect its boundaries resides in some of the components of a single solution – Secure Access Service Edge – which was introduced just last year and seems nearly purpose built for IoT.

SASE is a cloud-based networking and security product, unified in its functionality and present on the edge of an organization’s network. A foundation of SASE is software-defined networking ideas, which are more inclusive to a variety of devices connecting to the network because there is no hardware setup required, and cloud nativity to easily match the infrastructure of any ecosystem. When an IoT device connects to the network, it will be easily visible in the cloud admin panel, but more importantly this identification also empowers IT to set identity-based access policies, which limit the extent to which specific parts of the network are exposed to these endpoints.

Enforcement is also about security and not just about how much attack surface is laid bare to IoT devices. Pushing all networking through a centralized, software-defined system also enables IT to demand all network connections happen through encrypted tunnels exclusively, so any IoT device (or company laptop, or mobile phone) that isn’t encrypted cannot connect to the network in the first place. It also helps IT layer even more security on top of IoT devices, even solutions like SSO, so that password management across thousands of devices will finally be feasible (and safe).

Why SASE Brings IoT Home

The combination of visibility, network access restriction, and security enforcement for IoT devices gives SASE a winning use case, and it’s already making headway. Internets, whether world wide webs or “of Things”, are deep and murky. Companies pushing for maximum interoperability can be free to brave the IoT waters confidently with SASE to help them stay on course, and avoid the icebergs lurking out there for us all.

Programming Intent: IT Teams Take a Shortcut to Better Security
Reading Time: 4 minutes

In today’s fast-paced business world, organizations have been forced to become more proactive and faster to react to their customers’ requests. Despite this shift to a more agile business mindset, IT and security teams have been slow to catch up.

Today, these teams are often forced into a no-win scenario. They are constantly critiqued about how fast they can deploy their organizations’ applications, features and network augmentations, while also making sure the data is secure from an increasingly threatening landscape. This is much harder to manage than one might think.  

When rolling out a new feature or application to the cloud, the timetable that ensures security and segmentation complement one another often spans from days to weeks. But it’s all worth it: syncing security and communication between applications plays a major part in ensuring that malicious actors cannot gain unauthorized access.

To refrain from adding new vulnerabilities with each new feature, teams will run through hundreds of different in-house security checkpoints before deploying on corporate servers. Ignoring any of these policy rules can create major security and networking risks for IT and security teams, even if it means faster deployment and pleased superiors.

Instead of looking to cut corners on security policies or worse – build a burdensome and ever-growing security checklist – IT teams need to be more communicative about the different challenges they encounter when working on a project. The moment they have an idea of what their intent is for deployment, IT teams need to know how to communicate this and translate it into automated changes that occur on the network level. This is where intent-based networking comes into place.

What is Intent-Based Networking?

Image Credit: Cisco, 2018

Intent-based networking is the idea that IT teams need to simply explain what their intentions are and devise how the network can easily translate their intent into policy. This means creating suitable configuration settings across the network environment while relying on the use of automation. 

Until recently, this task required hours of manual effort by network engineers to modify each server and device that would be affected by each change. Intent-based networking increases the speed at which implementations happen and leverages machine learning and AI to make sure that the newly deployed applications are behaving as intended.

What makes intent-based networking crucial for agile IT teams is what happens when automated policies fail: intent-based network systems recognize the failure and notify the networking team, suggesting an action that will aid the reconfiguration process and once more ensuring the networks are compliant with the organization’s policies.

While intent-based networking is still being designed and adopted by different organizations, the roots for intent-based networking are in front of our eyes. Early adopters of software-defined networking are already familiar with automated network access policies, for example, and more will soon see the benefits of intent-based networking architecture.

To deliver proper intent-based networking, organizations must include these three key elements:

Intent: The first and most important element is intent. In simple terms, the “intent” is what you want to accomplish; it’s what you want the objective or outcome to be. The intent is communicated via the network system, which translates it into a policy that can be implemented across the network no matter which infrastructure is deployed. Intent is therefore itself supported by technology and prearranged processes. The idea is to simplify all operations and compliance conditions into policies that define user access level and security while also providing a more continuous understanding of the network.

Automation: Once IT teams have established their intent and policies, it’s key to success to automate all processes if possible. By adopting automation, network teams save time when implementing current and future changes that are needed on the network. As organizations grow in the number of employees and other new factors (IoT, remote workers and the cloud), automation will be a vital element to help network admins reach the business and security demands of the organization.

Assurance: The last element but possibly the most crucial is the ability to assure that services put in place are working. Assurance begins with complete network visibility throughout the network and connected endpoints. The intent and visibility shouldn’t be only limited to devices but in fact should provide complete visibility of the user’s interactions with machines, applications on the cloud and the user’s location. 

The intent-based networking system will need to provide network-wide interactions and offer the option for predicting the results of changes with the intent and policies in place. To achieve this network environment, machine learning and AI are required. By enforcing real-time detection in the network your organization will be able to mitigate risks in a fraction of the time. 

Moving Forward with Intent-Based Networking 

As the network expands and more sophisticated security risks evolve, the importance of adopting a more agile intent-based network will become more clear for organizations. It will offer IT teams a system that allows them to detect and respond to incoming threats on the network while leaning on responsive policies that will provide another layer of defense versus attacks.

Most importantly to executives, having intent-based network security in place gives organizations the opportunity to invest their attention in more pressing business needs, while being able to assume that network applications are being maintained and managed automatically. Total forward momentum on the business end, without leaving security behind.

WireGuard: The New Gold Standard for Encryption
Reading Time: 4 minutes

It’s easy to underestimate the impact of complexity on an average enterprise-level organization’s security strategy. Solutions like firewalls, multi-factor authentication, traffic encryption, DNS security, and more are carefully orchestrated to together defend against any and every type of attack, yet the “security sprawl” approach is getting a lot of bad press in the industry lately. 

As IT teams struggle to manage the exposure resulting from a growing number of security tools, endpoints, and attack vectors, simplification is a prerequisite to defense. Efforts to streamline have resulted in the embrace of consolidated cloud solutions like SASE, which enable more manageable security tactics like Zero Trust. Simpler also applies to encryption with the WireGuard protocol.

What is WireGuard?

Originally developed by Jason Donenfeld, WireGuard is one of the most relevant examples of how simplicity can transform and improve upon the oldest parts of the status quo: secure network traffic. In a time when more people are working remotely, secure access to organizational resources has spiked as well, leading to widespread adoption of traditional VPNs. 

Yet these solutions and the older encryption protocols they use – OpenSSL and IPSec, for instance – are relics of the past. They are overengineered and ill-equipped to gracefully handle our collective traffic in the “work from home” era, hard to set up, and known to suffer from crashing or hanging tunnels when burdened by too many clients at once. 

WireGuard is a speedier and more flexible encryption protocol that has until now been merely a third-party addition to many security solutions. Standing next to other commonly-used VPN implementations, WireGuard is significantly smaller in terms of raw code, at just 4,000 lines versus the 600,000 that make up OpenSSL, or the 400,000 lines of code inside an IPSec VPN installation. 

That it’s two full orders of magnitude less heavy gives WireGuard a relatively tiny attack surface, and enables it to be audited quickly by a single security professional rather than teams of them. And fully audited it is: by countless security researchers and professionals. While this means a lot less can go wrong, and fewer flaws can be found, it also means that WireGuard is much simpler to set up.

Besides being astonishingly basic, WireGuard also uses stronger and more modern cryptography, which despite its smaller cryptographic keys, gives it unique advantages and makes it likely to replace other protocols as the foundation for a new era of performance-centric traffic privacy.

WireGuard Performance

WireGuard has a noticeable speed advantage over alternative protocols.

Latency is lower when connecting via WireGuard

Benefits of WireGuard

WireGuard’s addition to the default Linux kernel in March 2020 comes just in time. This is because it has already proven to be the gold standard of encryption, being both simpler and stronger than alternatives, and useful for a time when VPN usage is through the roof.

Now that WireGuard is available in all operating systems, downstream users and solutions will be able to benefit from its smaller attack surface, easy configuration, stronger algorithms, faster connections, and stealthier operation.

Easy Configuration: The point of WireGuard is that its configuration is just about the least amount of data necessary to create an encrypted tunnel. Streamlined in its genetic makeup, WireGuard abandons the concept of “cryptographic agility”, meaning there is no choice of different encryption, hashing, or key exchange algorithms. Its limited yet thoroughly audited cryptographic primitives are very difficult to set up incorrectly.

Fewer configuration options means that less needs to be negotiated between the client and the server in order to create a secure tunnel. Accordingly, less is observed about the connection for hackers operating a Man in the Middle attack, and less can go wrong in the orchestration of WireGuard with one’s technology stack.

Stronger Algorithms: In place of cryptographic agility, WireGuard relies on crypto versioning, which means that if one of its foundational primitives is compromised, a new version of WireGuard (2.0, for example), can quickly be agreed upon by the client and server rather than negotiating each primitive or key one-by-one. The basic cryptographic primitives that WireGuard relies on are as follows:

  • Symmetric Encryption: ChaCha20 authenticated with Poly1305. This is better performing than AES, especially on embedded CPUs which don’t have cryptographic hardware acceleration.
  • Elliptic Curve Diffie-Hellman (ECDH): Curve25519
  • Hashing/Keyed Hashing: BLAKE2s, which is faster than SHA-3.
  • Hashtable Keys: SipHash24
  • Key Derivation: HKDF

Faster Connection: The long handshake time common among OpenSSL VPNs, for example, begs the addition of text inside the client that assures users that “something” is happening while they wait. WireGuard’s own benchmarks show that connection time and connection speed are both up to four times faster than alternative protocols on the same hardware. This also means that if the connection drops (a lower chance of this happening as well), reconnection takes significantly less time, and you’ll be back in your tunnel almost without realizing anything occurred.

Stealthier Operation: WireGuard is designed to run unobtrusively, and even to hide its presence against network scans. Since the protocol doesn’t respond to packets from unrecognized peers, it’s difficult to tell that it’s even there. Moreover, peers are able to act as both clients and servers at the same time, and can silence their connection when data isn’t being transferred between them.
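To make the “Easy Configuration” point and the primitive list concrete, here is an added example (not code from WireGuard or from this article's author) that lints a wg-quick style configuration. The finding codes, the function names and the sample file with its keys are constructed for illustration; the option names are the ones wg(8) and wg-quick(8) accept.

```python
import base64
import ipaddress

# Options accepted by wg(8) and wg-quick(8). Nothing here selects a cipher,
# hash or key exchange, because the protocol fixes those primitives.
ALLOWED = {
    "interface": {"privatekey", "listenport", "fwmark", "address", "dns", "mtu",
                  "table", "preup", "postup", "predown", "postdown", "saveconfig"},
    "peer": {"publickey", "presharedkey", "allowedips", "endpoint",
             "persistentkeepalive"},
}
HOOKS = {"preup", "postup", "predown", "postdown"}
KEY_FIELDS = {"privatekey", "publickey", "presharedkey"}


def constructed_key(byte):
    """Build an obviously fake 32-byte key for the sample input."""
    return base64.b64encode(bytes([byte]) * 32).decode()


def is_wg_key(value):
    """Curve25519 keys and preshared keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def lint_config(text):
    """Return findings as (line_no, code, detail), in file order."""
    findings, section, seen_peers = [], None, set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # wg-quick strips '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section not in ALLOWED:
                findings.append((line_no, "unknown-section", section))
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or section is None:
            findings.append((line_no, "syntax", line))
            continue
        if section not in ALLOWED:
            continue                          # section already reported
        if key not in ALLOWED[section]:
            findings.append((line_no, "unknown-key", key))
        elif key in HOOKS:
            findings.append((line_no, "hook", value))  # runs a shell command
        elif key in KEY_FIELDS and not is_wg_key(value):
            findings.append((line_no, "bad-key", key))
        elif key == "publickey":
            if value in seen_peers:
                findings.append((line_no, "duplicate-peer", value))
            seen_peers.add(value)
        elif key == "allowedips":
            for item in (part.strip() for part in value.split(",")):
                try:
                    net = ipaddress.ip_network(item, strict=False)
                except ValueError:
                    findings.append((line_no, "bad-cidr", item))
                    continue
                if net.prefixlen == 0:        # peer covers every address
                    findings.append((line_no, "default-route", str(net)))
    return findings


# Constructed sample: a gateway config with five deliberate problems.
SAMPLE_CONFIG = f"""\
[Interface]
PrivateKey = {constructed_key(1)}
Address = 10.8.0.1/24
ListenPort = 51820
Cipher = AES-256-GCM   # not a WireGuard option
PostUp = iptables -A FORWARD -i %i -j ACCEPT

[Peer]
PublicKey = {constructed_key(2)}
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = {constructed_key(2)}
AllowedIPs = 0.0.0.0/0

[Peer]
PublicKey = dG9vLXNob3J0
AllowedIPs = 10.8.0.4/32
"""

if __name__ == "__main__":
    for line_no, code, detail in lint_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {code}: {detail}")
```

The `hook` and `default-route` findings are review prompts rather than errors: hooks are legitimate but execute commands as root, and a `/0` entry is normal for a full-tunnel client but on a gateway lets that peer source traffic from any address.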

A New Standard for a New Era

At a time when VPNs are the bare bones security solution for remote access, and the en masse transition to working from home is still in full swing, reinforcing security ideas with simpler and stronger pillars (like encryption) is a must. It’s no coincidence that WireGuard made its way into the Linux kernel during the peak of the COVID-19 pandemic, but it will prove useful well into the future and slowly replace alternatives. It’s rare that a shift in the security landscape has such a drastic impact on end users, making it hard to overstate the importance of WireGuard’s rise.

Zero Trust Brings Shadow IT Into the Light
Reading Time: 4 minutes

Shadow IT is an aptly-named phenomenon. It’s the notion that obscured in the shade of official information technology processes, companies often have unofficial tools that aren’t in IT’s direct line of sight. As sources of data, employees who input sensitive information or integrate into unsupported applications will unintentionally expose their companies to untold cyber risk. This isn’t entirely the fault of IT teams, but also managers and employees who choose to use applications that they prefer, rather than the ones chosen by experts looking out for their best interests.

The funny thing about shadow IT is that it often makes these managers’ or employees’ working lives more convenient, or is even a boon for the business. By not going through the proper channels, however, shadow IT can have a severe cost to the organization: one that is often paid with its security. To avoid being on the receiving end of this bill, companies are removing trust from their network access models, to help regain visibility over where their datastreams are exposed, and at the same time reinforce the parts of shadow IT that aren’t necessarily bad.

Shadow IT’s Besmirched Name

At its core, shadow IT is a cultural issue. If managers and veteran employees – the ones ultimately responsible for leading by example – feel like they can sidestep IT guidelines and introduce new products into the network then other employees will feel safe doing the same. This practice is surprisingly common, even for organizations that pride themselves on education, personal security hygiene, and a strong overall security posture.

Employees engaging in shadow IT are usually only trying to make their tasks easier to accomplish, and this is something to applaud, when done correctly. According to a Gartner report, IT now sets aside over 40% of its enterprise budget for shadow IT, and some measurements put the number over 50%. It’s only natural that employees would gravitate towards technology that makes their lives easier. But if IT isn’t supplying or supporting it, then the problem isn’t only that it doesn’t acknowledge or secure shadow IT, it’s that IT isn’t aligned with greater business goals.

For this reason, it’s important for IT professionals to embrace good shadow IT and make fighting bad shadow IT a part of their responsibilities. That means identifying solutions that defend the corporate network from security threats, while also letting employees pursue productivity. Technologies that enable an idea called Zero Trust are most relevant to finding this balance, and with some supplementation offer a quick win against bad shadow IT.

Zero Trust is Low-Touch, High-Security

Bad shadow IT is the IT department focusing on its own goals and ignoring the possibility of employees using unsecured tools to interact with company data. Good shadow IT is the IT team’s recognition that employees will always chase convenience and that this is generally good for the business. It’s also the support for this notion: providing a forum for employee tech discussion, using flexible self-service solutions and incorporating technology that enables an idea called Zero Trust.

IT can use Zero Trust to address some bad shadow IT risks, simply by reducing the impact that any single individual can possibly have on the overall network. If they decide to use an unsupported tool, the damage they can do should their user be hacked is limited – and also immediately obvious to administrators. This is accomplished by revamping the perimeter-based security models of yesteryear, and replacing them with tools that refocus access policies and permissions on users, not on resources. 

To refocus IT teams on supporting employee tech preferences, organizations should first establish the correct processes and technologies. In an age when most of the tools employees choose are cloud-based, adding Cloud Access Service Broker (CASB) and micro-segmentation to the network security arsenal ensures IT has control over all cloud-adjacent tools. 

This software-defined model extends and deepens security policies beyond the traditional network perimeter, limiting users’ mobility and trust within the network. Most importantly, it also monitors their activity at all times, to watch for breaches of official shadow IT guidance.

Fight Bad Shadow IT with ZT and DevOps

The Zero Trust model described above is designed to be a relatively effective safety net for the inevitable breach of shadow IT policy. Even with an IT department that encourages employees to bring new tools into the fold, this process alone will always create too much friction for the busy salesperson, for instance, resulting in bad shadow IT. 

For this reason, employees need as much productivity encouragement as they do security enforcement. While Zero Trust helps, it does not proactively stop employees from engaging in shadow IT; it merely limits the damage they do and helps IT become aware of it.

To truly combat poor shadow IT practices, the best long-term solution for any organization is to invest in a DevOps department whose purpose is to align with overall business goals, understand departmental pain points, and push the IT team to implement them. A good strategy that DevOps might target is to find tools that allow employees to self-service rather than find a workaround. It could take the form of a data platform where employees can generate reports themselves, and avoid waiting for their ticket or request to be pushed through the BI team.

These types of technology implementations are only possible with a DevOps team that runs parallel to the business needs instead of IT goals. It shows employees that their tech preferences are heard, and can be integrated seamlessly at the speed of business. With this type of corporate culture and with Zero Trust as a backdrop, bad shadow IT is outpaced by worker productivity.

 

 

Fostering Digital Transformation One Nomad at a Time: How Both Organizations and Employees Benefit from Remote Work Strategies
Reading Time: 4 minutes

Digital Nomad, a term coined twenty years ago by Hitachi executive Tsugio Makimoto in his book by the same name, predicted that technology combined with our natural urge to travel would let people live, work, and exist on the go rather than being tied to an office desk or physical work location.

Today, 4.8 million independent workers in the United States describe themselves as digital nomads with 17 million more aspiring to become nomadic workers according to findings by MBO Partners. Digital nomads are defined as a population of independent workers that embrace a location-independent, technology-enabled lifestyle that allows them to travel and work remotely, anywhere in the world.

The rise of the digital nomad also embodies the essence and promise of digital transformation. The Workplace Evolution study by the Harvard Business Review found that “Digitization is impacting every aspect of business, radically changing the ways in which companies grow and compete. The speed and scale at which technological breakthroughs are emerging have no historical precedent and have created an imperative for businesses across industries to respond rapidly with their own digital transformations in order to drive growth and create competitive advantage.”

Organizations that move forward with new digital transformation strategies, products, services, cloud computing infrastructures and business models, also must develop new ways for their global ecosystem of workers to engage and add value. A worker’s ability to connect anywhere, anytime to collaborate with coworkers can determine the level of productivity possible within an enterprise, beyond independent contractors that would normally be considered remote workers. The Workplace Evolution study also found that an organization’s workplace strategy can be a key enabler of or hindrance to digital transformation illustrating the need for organizations to adopt new modes of work to maximize productivity.

Digital Native Expectations

By 2025, digital natives, those who are technologically adept and expect a nomadic work lifestyle, will make up 75 percent of the global workforce, according to a future-of-work study by Microsoft. This new breed of workers expects work flexibility, including where and when they work, with flexible office spaces on demand to connect and collaborate with coworkers when necessary. Generationally, digital natives demand the lifestyle afforded to digital nomads, something that 75 percent of Millennials would like to do more of. Millennials and Generation Z are also looking for increased employer flexibility about where and when they work, with staying connected being key to both their work and personal lives.

Digital natives have grown up with technologies such as smartphones and social media being the primary way they communicate with friends and coworkers. “For them, forming and conducting relationships with people through mobile technology tools and platforms is simply how the world is supposed to operate, including at work. These digital natives are also more likely to prioritize a sense of purpose when considering where to work and are often motivated as much by the desire to ensure their work has a positive impact on society as they are by more traditional measures of success,” states Microsoft.

Benefits of Working Remotely

In the last 20 years, the number of remote workers has quadrupled. And today 43% of all U.S. employees work off-site at least part-time, according to Gallup’s State of the American Workplace report. Research also shows that employees believe working remotely is not a productivity barrier with the majority of Americans believing that remote workers are just as productive as those who work in an on-site office.

Providing employees with the ability to work remotely benefits both businesses and workers. According to Microsoft, in addition to increased productivity, businesses save over $11,000 per remote worker per year on decreased real estate costs, electricity, staff turnover and absenteeism.

Enabling employees to work remotely also benefits the environment by reducing greenhouse gas emissions by 54 million tons per year, roughly the equivalent of taking 10 million cars off the road. With the average round-trip work commute standing at 54 minutes a day, employees who work from home can save the equivalent of 30 work days per year that normally would have been spent in a car.

Online Security for Digital Nomads and Remote Workers

As companies embrace both digital nomads and digital natives desiring remote teamwork and open information sharing, online security is becoming more critical than ever as organizations must plan to protect their digital assets and customer data in a new work world. With 85 percent of corporate assets already digital and more information existing outside of a company than inside a company due to the rise of cloud computing, an unprecedented rise in cyberattacks is taking hold.

In 2017, the number of security breaches more than doubled compared to the previous year. For businesses, the stakes are high as it takes companies an average of more than 99 days to discover a security breach and roughly 50 days to address the breach itself. A study of 65 public companies that experienced cyber attacks since 2013 found stock market valuations fell by as much as 15 percent in the most severe cases. And it is estimated that cybercrime will cost approximately $6 trillion per year on average through 2021. 

Even more critical is the potential impact on brand reputation and trust: data breaches that expose customer information can be devastating not only to a company’s reputation but also its balance sheet.

Identity as the New Perimeter

As the methods that malicious online actors use to attack organizations continue to evolve and increase in sophistication, organizations must stay ahead and deploy strategies to protect both their critical information assets and workers.

Organizations cannot rely solely on the traditional model of securing an organization’s perimeter, as identity itself has become the new perimeter due to digital transformation and remote workers, contractors, partners and suppliers all interacting with critical and private data across the globe on a daily basis. The need to identify who is accessing what information or online resource, and when, is quickly becoming a critical component of every modern cybersecurity strategy today.

With more businesses adopting open and collaborative work cultures that embody the ethos of the digital nomad, they are also risking the security of their information assets by allowing the open flow of data across devices, people, and physical locations.

The future of work styles enabled by digital technology and cloud computing necessitates a new way to secure and protect information as perimeters become porous, with the distance between attacker and employee or contractor being only access credentials. New security models must start with an individual’s identity to identify data and digital resource breaches at the worker level so that breaches can be quickly stopped before they spread.

Companies today and in the future will need to deploy security solutions that maximize worker productivity while balancing the desire for digital nomads and digital natives to work and collaborate freely with coworkers globally. By providing remote workers, contractors, partners or suppliers with remote access tools and technologies that include critical identity access solutions, organizations will be able to protect not only their own information assets but also their workers’ data, devices, apps and resources any time, anywhere.

Why AppSec is Key for Your Dev Toolbox
Reading Time: 6 minutes

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.

In this edition of the Beyond the Perimeter Podcast, we discussed the Poshmark data breach and interviewed Avi Douglen from Bounce Security about Application security risks.

Breach of the Month: Poshmark

On August 1, clothing marketplace Poshmark confirmed they had experienced a data breach. Poshmark is said to have some 50 million users.

The looted data includes customers’ full names, genders, cities, email addresses, linked social media profiles, and account passwords—but in a hashed cryptographic form. 

Due to the breach, the company is telling its customers to watch out for phishing emails, especially those that look like they are coming from Poshmark.

In a blog post by Poshmark, they warned their users with the following statement, “Be aware that Poshmark would not ask for personal information such as your login information or password in email communications. If an email you received asks you for this information, the email was not sent by Poshmark and may be an attempt to steal your personal data.”

In this episode, I talked to Avi Douglen to learn more about his experience in application security and why businesses should look into adopting an application security program internally. 

Not The Common Career Path to Security

There is no one true path to a career in cybersecurity. Some people will have the aspiration from a young age to work in security and some will learn on the go. In Douglen’s case, he was at the right place at the right time: “I actually kind of fell into it. I started my career doing software development of a product that I was working on and the security always seemed a bit dodgy. But whatever, you know. I’m a new programmer. What do I know about it? But then I got recruited to go work actually at the Israeli Police as a developer of security software, security infrastructure for all the very sensitive systems as I’m sure you can imagine. While I was there, of course, we’re developing security products. So I was part of identity management, permission controls and access controls before that was even a thing.”

Like many security professionals, Douglen gained his security experience on the go. “I learned from actually testing things out because this was back before security was so popular. There were so many things and it was like OWASP was barely starting and this was back in like 2001. I discovered all the security aspects as we went on and kind of as the requirements came from the field and from the developers that had their own requirements but we don’t know how to deal with these.”

Gaining this experience over time led Douglen to a career in application security. “I got recruited into a security consulting company and I came in knowing a lot about security requirements from the developer side. So from there, I kind of found my home so to speak in application security and software security.”

Application Security is a Shared Responsibility

When asked whose responsibility it is to conduct application security, Douglen commented that it’s a tough thing to answer. “That’s a really interesting question and I would push that back to say, OK, who’s responsible for the quality of software? Well, sure, it’s the organization and sure you do expect a developer to be responsible for the quality of the code they put out, right? Obviously you’re not going to hire somebody to write code if they don’t know how to write code. But the organization absolutely needs to support that. You need to have time and the right tools for application security. You need to have the education and process, methodology and it needs to really be treated – from my perspective, it needs to be treated exactly like the quality of software and it’s one aspect of quality. You can’t be an excellent programmer if you’re not also doing security. It really comes down to how you’re producing software.”

Douglen believes that the responsibility is not only on the developers who are actually writing the code. “I don’t think it should all be on the developer side, not at all. But it definitely needs to be one part of it. There are definitely organizations and there are developers that try to push the code out as fast as possible and don’t really care about bugs or passing tests or even if it really works. You know, if it compiles on my machine, I will push it to GitHub, right? On the other hand, obviously we can’t fault all on the developer side because not all software security is in code and I really think that security just needs to be one other aspect of everything that everybody does. So DevOps folks are doing DevOps and security needs to be part of it. Their pipeline needs to be secure and if they’re doing unit testing and things like that, they obviously need to be security unit testing.”

Organizations Still Have Room For Growth With AppSec

When asked whether organizations are more equipped with application security, Douglen commented that it depends on the organization. “There are two completely different types of organizations and you really can’t correlate them. Some of the more mature, more responsible, more security-minded organizations will distribute across the graph as you would expect and some of them are early in their journey and some of them don’t have a full program and some of them do, some of them are more evolved. On the other hand, some that you would expect to be more evolved and have a full program don’t necessarily and they never will and even if you try and push it into them, it will not succeed and just too much heavy decades of legacy, legacy of code, legacy of process, legacy of people sometimes, that you – that will never change. So breaking it down to your question, I would say it’s a tough question because I think most companies are not where they should be. Many are on the right path.”

Douglen highlighted the importance of open source security tools as something that developers at organizations can start adopting in their application security toolbox. “There are some great static analysis products called SAST, static application security testing, which basically is an automated way to scan your code and these are great and you got some tools which will monitor your dependencies and your components. Open source components can have a known vulnerability in one of the versions of the components that you’re using and usually, most products will have several dozen dependencies, external dependencies at least in a trivial application. Sometimes it could easily be hundreds or more. So there are some great tools out there. I just saw one of the vendors come out with an open-source plug-in for Visual Studio Code that will monitor in code and it will tell you that this library actually has vulnerabilities. You should upgrade or use a different library.”

Huge Advocate of OWASP Projects

Douglen is extremely active in the OWASP community, and in his spare time he takes part in his own OWASP project. When asked which projects he recommends listeners check out, the list goes on. “There are a bunch of great projects out there. I am part of a sub-project which is a Threat Modeling Cookbook, which is starting to put out a whole bunch of “recipes,” kind of like threat patterns. So if you put in a bunch of Docker microservices. Then there’s a set of threats that you need to consider and take care of and you don’t need to spend two days of threat modeling this infrastructure and you have a set of common standard mitigations that you can use without having to consult the security expert. So all these things is – that’s where we’re headed to try and create that and flesh that out.”

OWASP offers a large number of free projects for developers and security experts. When asked which projects Douglen recommends listeners check out, the list goes on. “There’s a lot of great projects depending on where you’re coming from. First I will call out to OWASP ZAP. That’s an interactive proxy which does a lot more than that. Not only does it monitor and intercept any requests being sent between your browser and the server. It has a lot of dynamic attack functions. So it would kind of test your web application as you’re testing it and it supports a great API. So you can integrate this and I know a lot of QA teams and DevOps teams that have integrated this in automated tests and yeah, you can definitely invest and get a great commercial product, web scanners, you know. But this integrates better than some of the other products out there and the ZAP API is great.”

Douglen also recommended how noobs can get started with OWASP projects. “Go to OWASP.org, click on projects. You get a whole library of projects there. Another project that I really like especially for people starting to discover this field of application security is what’s called the OWASP Juice Shop which I say is the best place to never ever, ever, ever buy juice online. It’s basically a modern webshop to buy juice except that you never actually get the juice. What you do get is a whole bunch of built-in vulnerabilities, which are common for modern applications. So it’s great for exercising, for learning and for practicing different vulnerabilities and finding out how SQL injection works and how cross-site scripting works and dozens of others. It’s one of the best capture-the-flag apps out there.”

To hear the entire interview with Avi please listen to the full podcast here. You can follow Avi on Twitter @sec_tigger. To sign up for OWASP Appsec Israel visit https://appsecil.org/

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.
