“The trust of the innocent is the most useful tool for crooks,” Stephen King wrote. At least that’s what the Internet says.
But proving the source of that phrase turns out to be surprisingly difficult. That is the problem with trust. It is slippery, and when it is misplaced the consequences can be catastrophic, as cyber security has shown time and time again.
The pandemic has highlighted already widespread problems with trust in corporate networks and on the Internet. With home and remote working, the “network” no longer corresponds to a specific location, which in turn exposes the existing shortcomings of VPNs, the traditional way for remote workers to reach the company’s network securely.
Andrew Sinclair, product lead at iomart, a UK hosting service and cloud provider, said that the entire VPN model is based on granting access to a location, regardless of whether that location or network is on premises or in the cloud. That is the problem with traditional credential-based authentication.
“People can connect to the enterprise using only a username and password. Then, once they are transmitted to the network, they are assumed to be authentic.”
But once in, users or criminals who hijacked their devices or identities are free to do whatever they want on the network, Sinclair explained. “Once connected, they can scan the entire network to discover anything of interest, and even try to access other systems.”
Sinclair said that this intruder’s ability to indulge in “lateral movement” is “the number one cause of devastating ransomware attacks for enterprises.”
This is not an abstract challenge. IDC reports that in the past 12 months more than one-third of enterprises have suffered a ransomware attack or an intrusion into their systems or data. “This is the biggest conversation we have had with our customers so far, certainly in the past 24 months,” Sinclair said.
So where do customers turn?
There is no shortage of what Sinclair calls “a large number of very expensive third-party vendor network security” products being offered to customers. These promise not just security, but self-learning security driven by artificial intelligence.
But these solutions are expensive. If they are delivered as appliances, the company has to manage not only the security but the appliances themselves, and it may face the prospect of repeating that expense and effort at every key location.
But Sinclair said that this approach faces more fundamental challenges. “The problem with these tools is that the focus is on monitoring the business network, assuming that the business network is a safe place.”
An insecure world without borders
But in reality, companies may operate across hybrid and multi-clouds, with multiple regions and multiple clients, and there is no guarantee that security controls will remain consistent. “How do companies use TLS to ensure that their data is always safe across huge networks?” Sinclair asked. “This is an incredible challenge.”
And it doesn’t stop there. Because very few users and their data exist in a secure, closed network. Instead, he believes, “The reality is that your data is transferred from AWS to Azure, and then to data centers around the world.”
Therefore, “If you try to put the internal network back in a position of trust, then you have failed.”
On the contrary, all networks should be considered untrusted, which is the basis of zero trust, or the concept of software-defined boundaries. “The first principle is that the Internet is always considered hostile,” he said.
Once you accept this, it is easy to accept the second principle. “You should assume that external and internal threats are always present in your network.”
From there, the third principle is that “the location of the network is not sufficient to determine whether a user or device connected to that network is trusted or untrusted.”
It is easy to see how these principles map to other modern networking concepts, especially SD-WAN, which abstracts the network, and access to its different parts, away from the physical infrastructure.
So, what does this mean in practice, for example in the hosted software-defined boundary (SDP) service that iomart provides for its customers?
Secure, lateral
The starting point for iomart’s service is to install an agent on the user’s Windows, Mac or Linux device.
Then, iomart’s security team “works with the business, initially on discovery, trying to determine where the key points of all the data in the entire business are, whether that is Microsoft Azure, Amazon or an on-premises data center. Then our team designs the architecture and installs the software your users need so that they can connect to their applications no matter where they are. This is how the SDP service connects anywhere.”
Sinclair said that when it comes to a given user’s device, “we can ensure that it has passed the registration process and is an acceptable device. This provides some additional context.”
“We can prove that the device is in good health, it is fully patched, and the anti-malware agent is running and up to date. Where the device logs in from may be another context. After two years of logging in from your front office, suddenly logging in from Venezuela should really sound the alarm.”
In addition to this authentication, the service also restricts devices and users when they “enter” the network, so that they can only reach the services or data they need to do their work.
“Trusted users no longer fall into the network. They connect directly to the applications they request. Therefore, with a single service, the challenges of lateral movement can be overcome.”
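A minimal version of the access decision described above (device registration and health, login-location context, and per-application rather than per-network entitlement), written here in Python as an added example. It is not iomart’s code, and the users, countries and application names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class Device:
    device_id: str
    registered: bool
    fully_patched: bool
    antimalware_running: bool
    antimalware_updated: bool

@dataclass
class LoginContext:
    user: str
    country: str
    recent_countries: List[str]  # countries seen for this user recently (constructed history)

@dataclass
class Decision:
    allow: bool
    reasons: List[str]
    alert: bool  # True when the event should be forwarded to the XDR/SIEM layer

# Constructed entitlements: users are granted individual applications, never "the network".
APP_ENTITLEMENTS: Dict[str, Set[str]] = {"alice": {"crm", "mail"}, "bob": {"mail"}}

def posture_failures(d: Device) -> List[str]:
    """Posture checks named in the text; an empty list means the device is healthy."""
    checks = [
        ("unregistered", d.registered),
        ("unpatched", d.fully_patched),
        ("antimalware-stopped", d.antimalware_running),
        ("antimalware-stale", d.antimalware_updated),
    ]
    return [name for name, ok in checks if not ok]

def location_anomalous(ctx: LoginContext) -> bool:
    """A login from a country absent from the user's recent history is treated as an anomaly."""
    return bool(ctx.recent_countries) and ctx.country not in ctx.recent_countries

def decide(ctx: LoginContext, device: Device, app: str) -> Decision:
    """Allow only a healthy, registered device, from an expected location, to an entitled app."""
    failures = posture_failures(device)
    if failures:
        return Decision(False, failures, alert=False)
    if location_anomalous(ctx):
        return Decision(False, [f"location-anomaly:{ctx.country}"], alert=True)
    if app not in APP_ENTITLEMENTS.get(ctx.user, set()):
        return Decision(False, [f"not-entitled:{app}"], alert=False)
    return Decision(True, [], alert=False)
```

Each denial carries the reasons it was denied, so the same record can drive remediation for posture failures and an alert for anomalous locations.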
Whenever a security issue raises an alert in the SDP system, iomart’s SDP also writes to its XDR service, which in turn feeds the company’s security team. The offending device is disconnected from the network, and iomart’s security team runs a triage script customized for each customer.
The triage process is followed by “lessons learned, figuring out how the malware got in, whether it was zero-day malware or something similar.”
It’s important to remember that in addition to the SDP agent, Sinclair said, “you still need some type of deep anti-malware security. We recommend that any agent you put in is usually some type of XDR agent, so that if something goes wrong, it will report to the SIEM (Security Information and Event Management) system.”
All in all, this gives the management team “confidence that there is a layer of control, which may not have existed in the past.”
This applies to people inside and outside the office, because these policies apply to the entire enterprise, not the region.
“The management team can rest assured that when someone connects to the network, we know who they are, and we know that their equipment is healthy. And we know that they will only connect to what they should be connected to.”
For organizations that previously focused their security strategy on something very smart and very expensive, adopting this model may be a leap forward. However, Sinclair believes, “Many companies spend a lot of money investing in many expensive tools. They are still not sure what value this actually brings them.”
He said that protecting remote users is as important as advanced security controls on the server running the application, and pointed out that nine out of ten security breaches start at the client level.
Sinclair recommends that companies use mitigation techniques that can easily express their value. He said that the cost per user of SDP managed services is usually only slightly higher than the average AV service cost, which means that even the smallest enterprises can afford to significantly improve their security posture.
This brings us back to the so-called Stephen King quote about trust. It turns out that it does come from Stephen King’s novel. But to prove this is tricky and laborious. That’s another thing about trust. Sometimes it makes sense to let other people do all the hard work.
Sponsored by iomart.