IT organizations around the world have been forced to make it possible for millions of previously in-office workers to become remote employees, often with no more than a day or two to prepare. Ensuring that everyone has the tools and access they need to be productive was, of course, the priority. But now that people are, for the most part, able to work from home, IT needs to consider the security issues created by rapidly moving people to a work-from-home model. Cybercriminals are quick to take advantage of weaknesses to launch attacks and IT needs to address these new vulnerabilities as soon as possible.
By Dan Perkins, Director of Products & Solutions, Edgewise Networks
To illustrate just how quickly some organizations had to convert to remote work, we have customers in sensitive industries that require high security whose employees were working on desktops in isolated, segmented-off networks. These companies faced a tough choice: send employees home without the ability to do their critical work, or load their desktops into their cars so they could continue to be productive over their personal Wi-Fi service. They chose to send them home with their workstations. Further complicating the issue, those desktop machines had been connected to the segmented office networks via Ethernet and had to be adapted to work on employees’ home Wi-Fi networks.
Most IT organizations didn’t face a choice quite that stark, but most recognized they’d just have to send devices home and figure out the security issues later. And the security issues are serious.
For starters, with employees now working from home and connecting to the Internet and corporate resources through their personal Wi-Fi or via a cable to a router, organizations have exponentially expanded their attack surface, which increases risk. What’s more, most companies centralize scanning for malware, unusual network behavior and threat signatures. With employees all working from their individual home internet connections, that kind of traffic inspection is no longer possible.
Those home networks, themselves, can also pose a serious security risk. Let’s say a cybercriminal wants to target an organization. It’s not hard to track down specific employees by title on LinkedIn who likely possess the privileges that they need to access the data they want. Once identified, it’s a trivial exercise to find their address, park within range of their home Wi-Fi signal and brute-force their way in.
On top of that, the VPNs may themselves be insecure. After all, few organizations were prepared to support remote work for their entire workforce, which means that IT admins had to hurriedly configure and scale their VPN infrastructure to accommodate a huge surge of connections. VPNs are complex to manage, as anyone who’s worked with them can tell you, and given the short time frame IT had to expand VPN access, they are likely to have insufficiently strong policies and misconfigurations that create vulnerabilities attackers can exploit. A classic example is split tunneling, which lets the VPN client reach the local home network and the remote corporate network at the same time. This simple configuration error can give attackers a path into the corporate network through the VPN.
But even if cybercriminals don’t compromise VPNs to tunnel into the corporate network, with nearly all employees working outside of the firewall, remote workers have unprotected egress, which increases the risk of data exfiltration by bad actors.
Phishing is also a much higher risk during the pandemic, with people on edge about the virus and the severe economic shocks it has already produced. Hackers are creating highly targeted attacks that prey on people’s hopes and fears, masquerading as inquiries about government assistance, virus treatments and health information. Employees are understandably anxious, and working outside the office without the protections a corporate network provides, they’re more likely to click through a well-crafted phishing email.
Solving remote security issues through zero-trust
The central theme that runs through all these threats is this: centralized threat monitoring typically relies on a physical network connection, a security model that the current crisis has broken. Very few employees have a physical connection to their corporate network these days, which means we need a different model, in which security follows devices. We’re already seeing this shift for cloud security, where appliance-based control isn’t feasible. To protect corporate data and IT assets during the current lockdowns, security must reside in the device itself.
Identity-based zero-trust security offers a solution. In a zero-trust environment, all internal communications are treated as potentially hostile, and only authorized communications between verified applications and devices are allowed to go through. To accomplish this, we first need to map the entire network to identify all assets in the environment. That’s historically been a huge barrier to microsegmentation and enabling zero-trust, but thanks to the advent of machine learning (ML), this process can be automated, which is not only more accurate, but also can be accomplished in just a few days instead of months.
Once that’s accomplished, the next step is to reduce the attack surface by eliminating unnecessary communications pathways. Again, this is a task best left to ML. Typically, more than 90% of existing pathways can be shut down without any impact on the environment. Once this is accomplished, the environment needs to be microsegmented with policies defined according to software and device identity.
Identity is the key to effective zero-trust policies. In the past, microsegmentation and zero-trust relied on trusted network addresses, which is a problematic approach. For starters, networks change constantly, which means policies need to be constantly updated as applications and devices move. Plus, they’re completely ineffective in the cloud and other autoscaling environments where IP addresses are ephemeral.
But even if the system were able to continually update policies to reflect network changes, it’s still ineffective because there’s no way for IT to determine what is communicating, only how it is doing so. It’s as if the police intercept a conversation between two gangsters, and, as soon as they realize they’re speaking in English over the regular phone system, the officers assume that the gangsters’ communications are completely innocent. That’s almost exactly what network-based security systems do. They look at the protocol and the network address. So long as they check out, communications are allowed, even though IT has no idea what or who, exactly, is trying to communicate.
In an identity approach to microsegmentation, each device and software asset is assigned an immutable, unique identity based on dozens of properties of the asset itself, such as a SHA-256 hash of a binary or the UUID of the BIOS. Because the identity is based on intrinsic attributes, this method prevents spoofed or altered software, devices and hosts from communicating.
So, once zero-trust is operational in the company network, it’s a simple process to extend it to employee endpoints. First, IT creates a segment for the remote devices and verifies the identity of all the software trying to communicate over the VPN. After IT segments the endpoint and creates policies, it’s best to leave it in simulate mode for a couple of days to ensure that policies work as expected without blocking necessary communications. If the test shows everything is working as expected, simply enforce the new policies and your remote user is now working in a zero-trust environment. As a result, even if their machine or VPN is compromised, attackers will be unable to communicate with the corporate network to wreak havoc.
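The following is an added example, not Edgewise code and not part of the original article, that models the steps just described: derive an identity from intrinsic attributes of an asset (a SHA-256 hash of the binary plus a host UUID and install path), write allow policies in terms of those identities rather than IP addresses, and evaluate observed flows in either simulate mode (policy violations are only reported) or enforce mode (they are blocked). The binaries, UUIDs, paths and flows are constructed sample data; the attribute set and the "would_block" outcome name are this example's own assumptions.

```python
"""Identity-based microsegmentation policy check with a simulate mode.

Added example, not the vendor's product code. Identities are derived from
intrinsic attributes only, so a laptop keeps the same identity when it moves
from the office LAN to a home Wi-Fi network, while an altered binary on the
same host (same IP) gets a different identity and no longer matches policy.
"""
import hashlib
from dataclasses import dataclass

SIMULATE = "simulate"   # report what enforcement would block, allow everything
ENFORCE = "enforce"     # actually block flows that no rule authorizes


def software_identity(binary: bytes, host_uuid: str, path: str) -> str:
    """Immutable identity: SHA-256 over intrinsic attributes of the asset.

    The network address is deliberately not an input (assumed attribute set).
    """
    h = hashlib.sha256()
    h.update(hashlib.sha256(binary).digest())  # hash of the binary itself
    h.update(host_uuid.encode())              # host/BIOS UUID (constructed below)
    h.update(path.encode())                   # install path of the binary
    return h.hexdigest()


@dataclass(frozen=True)
class Flow:
    src_identity: str
    dst_identity: str
    src_ip: str        # carried for logging only; never consulted by policy
    dst_port: int
    protocol: str


@dataclass(frozen=True)
class Rule:
    src_identity: str
    dst_identity: str
    dst_port: int
    protocol: str


def evaluate(rules: set[Rule], flow: Flow, mode: str) -> str:
    """Return "allow", "block" (enforce mode) or "would_block" (simulate mode)."""
    wanted = Rule(flow.src_identity, flow.dst_identity, flow.dst_port, flow.protocol)
    if wanted in rules:
        return "allow"
    return "block" if mode == ENFORCE else "would_block"


# --- constructed sample assets (stand-ins for real binaries and UUIDs) ----
CLIENT_BIN = b"\x7fELF...remote-client-v1..."
SERVER_BIN = b"\x7fELF...payroll-server-v3..."
TAMPERED_CLIENT_BIN = CLIENT_BIN + b"\x90"      # same name and path, altered bytes

LAPTOP_UUID = "11111111-2222-3333-4444-555555555555"
SERVER_UUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

CLIENT_ID = software_identity(CLIENT_BIN, LAPTOP_UUID, "/usr/bin/client")
SERVER_ID = software_identity(SERVER_BIN, SERVER_UUID, "/opt/payroll/server")
TAMPERED_ID = software_identity(TAMPERED_CLIENT_BIN, LAPTOP_UUID, "/usr/bin/client")

# The single pathway left after attack-surface reduction: client -> server:8443/tcp
RULES = {Rule(CLIENT_ID, SERVER_ID, 8443, "tcp")}


def decisions(mode: str) -> dict[str, str]:
    """Evaluate three representative flows; keys name the scenario."""
    flows = {
        # legitimate client, now on a home network with a new private IP
        "client_from_home": Flow(CLIENT_ID, SERVER_ID, "192.168.1.23", 8443, "tcp"),
        # same laptop, same IP, but the client binary has been altered
        "tampered_client": Flow(TAMPERED_ID, SERVER_ID, "192.168.1.23", 8443, "tcp"),
        # legitimate client reaching a port that no policy covers
        "client_to_ssh": Flow(CLIENT_ID, SERVER_ID, "192.168.1.23", 22, "tcp"),
    }
    return {name: evaluate(RULES, f, mode) for name, f in flows.items()}


if __name__ == "__main__":
    # Run in simulate mode first, review the "would_block" entries, then enforce.
    for mode in (SIMULATE, ENFORCE):
        print(mode, decisions(mode))
```

Running the block prints the same three scenarios under both modes: the legitimate client is allowed regardless of its home IP, while the tampered binary and the uncovered SSH port show up as "would_block" in simulate mode and "block" once enforcement is switched on. Reviewing the simulate-mode output for a few days before enforcing is exactly the check the text recommends, and the rule set makes the point that the decision depends on what is communicating, not on which address it comes from.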
Organizations do not have to settle for sub-par security while everyone is remote during the current pandemic. Identity-based zero-trust segmentation can extend from the cloud or data center to follow desktops and laptops to ensure everyone is working safely.
About the Author
Dan Perkins is Director of Products and Solutions for Edgewise Networks, where he oversees the direction and development of Edgewise’s zero-trust platform. Prior to Edgewise, Dan was Director of Product Management at Infinio, where he was responsible for product vision and the ongoing quality and applicability of Infinio’s solution. He also previously served in several software engineering and quality assurance roles for Citrix. Dan holds a B.S. in computer engineering from Northeastern University.
CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.