Cyber Security — coping with Covid-19's effect on organizations' digital transformation

Sanna Diana Tomren
10 min read · Jan 13, 2021

Zero Trust (ZT), Endpoint protection (EPP), and Cloud Access Security Broker (CASB) are topics this article will touch upon related to hardening an organization’s security in its modern IT-ecosystem.

As a result of global, national, and local regulations, workforces have been moved out of traditional office buildings and networks and into their homes, while consumers' demand for online stores and home delivery has skyrocketed due to national lockdowns and social distancing. Many businesses have moved into the cloud as a response to the "New Normal". In the context of a new normal, the adoption of new strategies, technology platforms, devices, and business processes is happening at high speed in many organizations. What about the organization's strategic IT-security model: is it up to date and able to tackle the shift?

Zero Trust (ZT)

Zero Trust is a modern IT-security strategy model built on the principle "never trust, always verify", combined with Defense in Depth (DiD): layered security controls.

It requires strict identity verification for every person and device trying to access resources at the different layers of the IT environment.

Example of layers to control

This applies regardless of whether the operation takes place inside or outside the network perimeter. No single specific technology is associated with zero trust architecture; it is a holistic approach to IT-security that incorporates several different principles and technologies suited for a hybrid (on-premises and cloud) or pure cloud environment.

The analyst firm Forrester Research introduced the Zero Trust model, which states that you should:

Never assume trust but instead continually validate trust.

Zero Trust can be built upon your existing architecture. The following five principles set the scope of a zero-trust model:

  1. Know the protect surface (users, devices, data, services, and network: a layered approach).
  2. Understand the cybersecurity controls already in place (Zero Trust friendly or not?).
  3. Incorporate new tools and modern architecture (Micro-segmentation, Multifactor Authentication (MFA), Privileged Identity Management (PIM), next-generation endpoint security technology, etc.).
  4. Apply detailed policy.
  5. Deploy monitoring and alerting tools (AI and automation driven).

Traditional approach

Traditional IT-security strategy models have followed the “trust but verify” / “castle-and-moat” approach — also known as “Perimeter Security/Network.” This approach makes it hard to obtain access from outside a network, but everyone inside the network is trusted by default.

https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/

"Experts say that today's enterprise IT departments require a new way of thinking because, for the most part, the castle itself no longer exists in isolation as it once did. Companies don't have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users — employees, partners, customers — accessing applications from a range of devices from multiple locations and even potentially from around the globe (…) They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance."

The Edward Snowden example: the case of Edward Snowden is a good demonstration of how a "trust but verify" approach has its weaknesses and where Zero Trust comes into play. As Snowden was a subcontractor for the NSA, he had the appropriate credentials to access the network, and without a Zero Trust framework in place, once he had gained access to the network, no further authentication was required. Snowden could therefore download top-secret material without being caught. Had Zero Trust and the principles of "least privilege" and "do not trust, always verify, identify and monitor" been in place, Snowden's activities would have been more easily discovered, if not outright prevented.

The Zero Trust model brings a lot of focus to the possibility that something or someone within the network perimeter has already been compromised. This has often been overlooked in most cyber-defense strategies because the focus has been on external threats, and the assumption has been that the internal network is safe and trustworthy, an assumption that is hard to defend once infrastructure is outsourced to the cloud.
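To make the difference between the two models concrete, here is an added example (not code from the original article) that evaluates the same access request under a "castle-and-moat" rule and under a zero-trust policy built from the five principles above: a known protect surface, least-privilege roles, fresh MFA, device posture, and a decision that can be logged and alerted on. Every user, role, resource, and threshold in it is constructed for illustration; the insider scenario mirrors the Snowden case, where valid credentials inside the perimeter were enough.

```python
"""Perimeter ("trust but verify") vs Zero Trust ("never trust, always verify").

Added example; all identities, resources and thresholds are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]        # roles asserted by the identity provider
    mfa_age_min: Optional[int]   # minutes since last MFA; None = never done
    device_managed: bool         # enrolled in device management
    device_patched: bool         # posture result reported by the endpoint agent
    on_corp_network: bool        # inside the traditional network perimeter
    resource: str
    action: str                  # "read" or "download"


# Constructed protect surface: which roles may touch each resource and how
# sensitive it is. The tier tightens the authentication and device checks.
RESOURCES = {
    "hr-payroll":      {"roles": {"hr"},      "tier": "high"},
    "wiki":            {"roles": {"staff"},   "tier": "low"},
    "classified-docs": {"roles": {"analyst"}, "tier": "high"},
}

# Maximum age of the last MFA before re-authentication is demanded (constructed).
MAX_MFA_AGE_MIN = {"low": 12 * 60, "high": 15}


def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat: being on the corporate network is the only check."""
    return req.on_corp_network


def zero_trust_decision(req: Request) -> Tuple[bool, List[str]]:
    """Check identity, authentication freshness, device posture and least
    privilege on every request, regardless of network location.
    Returns (allowed, reasons) so that denials can be logged and alerted on."""
    reasons: List[str] = []
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, ["unknown resource"]
    # 1. Least privilege: the identity must hold a role the resource permits.
    if not (req.roles & res["roles"]):
        reasons.append("role not authorized for resource")
    # 2. Strong, recent authentication; high-tier resources need fresher MFA.
    if req.mfa_age_min is None or req.mfa_age_min > MAX_MFA_AGE_MIN[res["tier"]]:
        reasons.append("MFA missing or stale")
    # 3. Device posture: high-tier data only from managed, patched devices.
    if res["tier"] == "high" and not (req.device_managed and req.device_patched):
        reasons.append("device posture insufficient for high-tier resource")
    # 4. Bulk export of high-tier data needs an explicit role beyond "read".
    if req.action == "download" and res["tier"] == "high" and "exporter" not in req.roles:
        reasons.append("download of high-tier data requires exporter role")
    return (not reasons), reasons


# Constructed scenario 1: a contractor with valid credentials, on the corporate
# network, authenticated hours ago, bulk-downloading classified material.
CONTRACTOR = Request(
    user="contractor01", roles=frozenset({"staff", "analyst"}), mfa_age_min=240,
    device_managed=True, device_patched=True, on_corp_network=True,
    resource="classified-docs", action="download",
)

# Constructed scenario 2: an HR employee working from home on a managed laptop,
# freshly authenticated, reading payroll data.
REMOTE_HR = Request(
    user="hr02", roles=frozenset({"staff", "hr"}), mfa_age_min=5,
    device_managed=True, device_patched=True, on_corp_network=False,
    resource="hr-payroll", action="read",
)


def compare(req: Request) -> dict:
    """Side-by-side decision for one request under both models."""
    allowed, reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reasons": reasons}


if __name__ == "__main__":
    for r in (CONTRACTOR, REMOTE_HR):
        print(r.user, compare(r))
```

The perimeter rule lets the insider through and blocks the legitimate remote worker; the zero-trust policy does the reverse, and the returned reasons are exactly what principle 5 (monitoring and alerting) would feed into a SIEM.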

Endpoint protection (EPP)

Endpoint protection is the practice of securing the endpoints on a network, such as laptops, desktops, smartphones, tablets, wearables, IoT devices, sensors, and other end-user devices. Endpoints serve as points of access to an enterprise network and represent entry points that can be exploited by malicious actors.

Illustration of possible endpoints to protect in a network

Most companies embrace some version or combination of BYOD (bring your own device), CYOD (choose your own device), and COPE (corporate-owned, personally-enabled). The spread of these policies, combined with the wide range of endpoint devices in use, creates multiple endpoint vulnerabilities. In addition, employees working from home or connecting to WiFi networks to work on-the-go means that the enterprise network security perimeter is more porous than ever. Additionally, the growth of the Internet of Things means that, in many industry sectors, new IP-enabled endpoint devices — sensors, cameras, lighting arrays — are being added to enterprise networks at a breakneck pace. Taken together, these factors mean the threat surface is expanding as never before. A shifting security perimeter that lacks clear definition requires new layers of security through endpoint protection.

Endpoint protection is one of the most critical components of a cybersecurity strategy. Endpoints that are not adequately protected put an entire organization at risk.

Next-Generation Endpoint protection

As the number, type, and sophistication of threats evolve, organizations require more intelligence and insight than traditional endpoint security provides. More threat actors are shifting their aim to weaknesses created by user behavior, poor cybersecurity hygiene, and shadow IT. The dramatic increase in the types of endpoint devices — including smartphones, tablets, wearable devices, and more — has overpowered first-generation endpoint security. The increasing number of potentially vulnerable endpoints can also exhaust security team resources that are relying on traditional cybersecurity defenses.

Next-generation endpoint protection software, using artificial intelligence (AI) and machine learning, can deliver the following protections that traditional endpoint protection cannot provide:

  • Detecting unauthorized behaviors of users, applications, or network services
  • Blocking suspicious actions before execution
  • Processing data through ML and AI to identify malicious files or processes
  • Stopping unauthorized data movement
  • Analyzing suspicious app data in isolated “sandboxes”
  • Rolling back endpoints and data to a previous state in the event of a ransomware attack
  • Isolating suspect endpoints and processes
  • Delivering endpoint detection and response that can continuously monitor systems and networks to mitigate advanced threats.

Gartner's Magic Quadrant over leading Endpoint protection suppliers.

Gartner's Magic Quadrant for EPP 2019 →

NB! Do not confuse Endpoint Protection with traditional antivirus programs.

Some key differences:

  • Endpoint Security vs. Network Security:
    Antivirus programs are designed to safeguard a single endpoint, offering visibility into only that endpoint, in many cases only from that endpoint. Endpoint security software, however, looks at the enterprise network as a whole and can offer visibility of all connected endpoints from a single location.
  • Administration:
    Legacy antivirus solutions relied on the user to manually update the databases or to allow updates at a pre-set time. EPPs offer interconnected security that moves administration responsibilities to the enterprise IT or cybersecurity team.
  • Protection:
    Traditional antivirus solutions used signature-based detection to find viruses. This meant that if your business was Patient Zero, or if your users hadn’t updated their antivirus program recently, you could still be at risk. By harnessing the cloud, today’s EPP solutions are kept up to date automatically. And with the use of technologies such as behavioral analysis, previously unidentified threats can be uncovered based on suspicious behavior.

To read more about the differences, check out this link.
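The "Protection" difference above (signature matching versus behavioral analysis) is easiest to see in code. This is an added example, not from the article or any vendor product: a toy signature scanner and two behavioral rules run over constructed endpoint telemetry in which a never-before-seen payload is launched from an office document and starts renaming files. The hashes, process names, thresholds and event format are all constructed; real EPP agents use far richer telemetry, but the contrast is the same.

```python
"""Signature-based detection vs behaviour-based detection over endpoint events.

Added example with constructed telemetry; not real malware or real hashes.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed "signature database": hashes of files already known to be bad.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-known-malware-sample").hexdigest()}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}
RENAME_THRESHOLD = 20   # renames by one process ...
WINDOW_SECONDS = 10.0   # ... within this many seconds looks like encryption


def signature_scan(events: List[Dict]) -> List[Dict]:
    """Traditional AV: flag executions whose file hash is already known bad.
    A "Patient Zero" sample with a new hash is invisible to this check."""
    return [e for e in events if e["op"] == "exec" and e.get("sha256") in KNOWN_BAD_HASHES]


def behavioural_scan(events: List[Dict]) -> List[Dict]:
    """Next-gen EPP style rules that look at what a process does, not what it is.
    Rule A: an office application spawning a script host (block before execution).
    Rule B: one process renaming many files in a short window, typical of
            ransomware encrypting documents (isolate the process / endpoint)."""
    alerts: List[Dict] = []
    renames: Dict[int, List[Dict]] = defaultdict(list)
    for e in events:
        if e["op"] == "exec" and e["parent"] in OFFICE_APPS and e["proc"] in SCRIPT_HOSTS:
            alerts.append({"rule": "office-spawns-script-host", "pid": e["pid"], "action": "block"})
        elif e["op"] == "rename":
            renames[e["pid"]].append(e)
    for pid, evs in renames.items():
        evs.sort(key=lambda ev: ev["t"])
        start = 0
        for end in range(len(evs)):              # sliding time window
            while evs[end]["t"] - evs[start]["t"] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                alerts.append({"rule": "mass-rename", "pid": pid, "action": "isolate"})
                break
    return alerts


def build_sample_events() -> List[Dict]:
    """Constructed telemetry: a document macro launches a payload with a hash no
    signature database has seen, which then renames the user's documents."""
    benign = hashlib.sha256(b"constructed-benign-office-binary").hexdigest()
    novel = hashlib.sha256(b"constructed-never-seen-payload").hexdigest()
    events = [
        {"t": 0.0, "op": "exec", "pid": 100, "proc": "winword.exe",
         "parent": "explorer.exe", "sha256": benign},
        {"t": 1.0, "op": "exec", "pid": 101, "proc": "powershell.exe",
         "parent": "winword.exe", "sha256": novel},
    ]
    for i in range(25):
        events.append({"t": 2.0 + i * 0.2, "op": "rename", "pid": 101,
                       "path": f"C:/Users/user/Documents/report{i}.docx.locked"})
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    print("signature hits:", len(signature_scan(evs)))
    print("behavioural alerts:", behavioural_scan(evs))
```

On this telemetry the signature scanner returns nothing, while the behavioral rules raise a block on the macro-spawned script host and an isolate on the process doing the mass renames, which is the point of the "Protection" difference above and of the "Rolling back" and "Isolating" items in the earlier list.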

Cloud Access Security Broker (CASB)

A CASB is cloud and/or on-premises software that serves as a policy enforcement point, consolidating multiple types of security policy enforcement and applying them to everything your business or employees utilize in the cloud — regardless of what sort of device is attempting to access it, including unmanaged smartphones, IoT devices, or personal laptops.

CASB illustration

The ability of a CASB to address gaps in security extends across software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) environments. In addition to providing visibility, a CASB also allows organizations to extend the reach of their security policies from their existing on-premises infrastructure to the cloud and create new policies for cloud-specific context.

With most users now accessing corporate and private applications and data from the internet, most of the components of the transactions — that is, the users, network, and devices — are no longer under organizational control. This creates vulnerabilities, as companies no longer have their data in just one place, but often spread across cloud vendors, which makes it more difficult to have a single, centralized security control for the entire network. This is where a CASB has its advantages: it can strengthen data security and make sure applications and other services comply with the organization's IT governance. A CASB also enables the discovery of Shadow IT.

Definition of Shadow IT

Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. It has grown exponentially in recent years with the adoption of cloud-based applications and services. While shadow IT can improve employee productivity and drive innovation, it can also introduce serious security risks to your organization through data leaks, potential compliance violations, and more.

The rapid growth of cloud-based consumer applications has also increased the adoption of shadow IT. Long gone are the days of packaged software; common applications like Slack and Dropbox are available at the click of a button. And shadow IT extends beyond work applications to employees’ personal devices such as smartphones or laptops, aka Bring Your Own Device (BYOD).

Securing Shadow IT is a key component of end-to-end enterprise data security posture.

Shadow-IT occurs most often when employees or teams decide they need to use a file-sharing application, social media platform, or collaboration tool that is not required for the entire company. For example, a marketing team may decide to use Dropbox or Box for file-sharing, without telling the IT department.
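The discovery part of a CASB, mentioned above, is in essence this: match outbound traffic against a catalogue of cloud services, separate sanctioned from unsanctioned, and aggregate who in which department is sending how much data where. The following is an added example (not from the article or any CASB vendor) that does this over a handful of constructed proxy log lines, including the marketing-team Dropbox and Box case described above. The log format, domain catalogue, sanctioned list, users and byte counts are all constructed.

```python
"""Shadow IT discovery from outbound proxy logs, CASB-style.

Added example; log format, domains, users and byte counts are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed: cloud services IT has approved.
SANCTIONED = {"sharepoint.example.com", "slack.com"}

# Constructed catalogue of cloud-service domains, standing in for the CASB's
# cloud-app registry. An app may be reached through several domains.
CLOUD_APPS = {
    "dropbox.com":            ("Dropbox", "file-sharing"),
    "dropboxapi.com":         ("Dropbox", "file-sharing"),
    "box.com":                ("Box", "file-sharing"),
    "slack.com":              ("Slack", "collaboration"),
    "sharepoint.example.com": ("SharePoint", "file-sharing"),
}

# Constructed single-line proxy log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"method=(?P<method>\w+) host=(?P<host>\S+) bytes_out=(?P<bytes>\d+)$"
)

SAMPLE_LOGS = [  # constructed
    "2021-01-12T09:01:02Z user=alice dept=marketing method=PUT host=content.dropboxapi.com bytes_out=5242880",
    "2021-01-12T09:03:10Z user=bob dept=marketing method=POST host=www.dropbox.com bytes_out=1048576",
    "2021-01-12T09:05:44Z user=alice dept=marketing method=GET host=www.dropbox.com bytes_out=512",
    "2021-01-12T10:12:00Z user=carol dept=finance method=POST host=app.slack.com bytes_out=2048",
    "2021-01-12T10:20:31Z user=dave dept=marketing method=POST host=upload.box.com bytes_out=8388608",
    "2021-01-12T11:00:00Z user=erin dept=sales method=GET host=unknown-tool.example.net bytes_out=0",
    "this line is malformed and must be skipped",
]


def parse(line: str) -> Optional[Dict]:
    """Parse one log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def match_app(host: str) -> Optional[str]:
    """Longest-suffix match of a hostname against the catalogue domains."""
    parts = host.lower().split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in CLOUD_APPS:
            return candidate
    return None


def discover_shadow_it(lines: List[str]) -> Tuple[Dict, List[str]]:
    """Aggregate unsanctioned cloud usage per (department, app): distinct users,
    request count and bytes uploaded (POST/PUT). Hosts not in the catalogue are
    returned separately so they can be classified later."""
    report = defaultdict(lambda: {"category": None, "users": set(), "requests": 0, "bytes_out": 0})
    unknown = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        domain = match_app(rec["host"])
        if domain is None:
            unknown.add(rec["host"])
            continue
        if domain in SANCTIONED:
            continue
        app, category = CLOUD_APPS[domain]
        entry = report[(rec["dept"], app)]
        entry["category"] = category
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_out"] += rec["bytes"]
    finished = {k: {**v, "users": sorted(v["users"])} for k, v in report.items()}
    return finished, sorted(unknown)


if __name__ == "__main__":
    found, unclassified = discover_shadow_it(SAMPLE_LOGS)
    for (dept, app), info in sorted(found.items(), key=lambda kv: -kv[1]["bytes_out"]):
        print(f"{dept:<10} {app:<10} {info['category']:<13} users={info['users']} "
              f"requests={info['requests']} uploaded={info['bytes_out']} bytes")
    print("unclassified hosts:", unclassified)
```

Sanctioned Slack traffic drops out, the marketing team's Dropbox and Box uploads are surfaced with the users and volumes involved, and the unknown host is listed for manual classification, which is the visibility the paragraph above says a CASB provides.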

CEB estimates that 40% of all IT spending at a company occurs outside the IT department. Of course, the costs of Shadow IT go far beyond license costs. A recent study from EMC suggests that data loss and downtime cost a total of $1.7 Trillion each year.

To better help you understand the financial impact of Shadow IT, see the link on how it will impact the points listed below:

Gartner's Magic Quadrant over leading Cloud Access Security Broker suppliers.

Gartner's Magic Quadrant for Cloud Access Security Brokers 2020 →

Thank you

The rapid digital transformation many organizations are forced into today, due to the regulations and restrictions that follow from the on-going pandemic, can be challenging. But focusing on the security side of the transformation is as important as the transformation itself. Almost every week we see a company get hacked where the damage could have been minimized or even prevented had the right mechanisms been in place. This article only scratches the surface of some of those mechanisms; I hope it comes in handy for someone at the starting point or someone in need of an update. See below for references and recommended reading:

https://www.mcafee.com/enterprise/en-us/security-awareness/endpoint/what-is-next-gen-endpoint-protection.html
