Covid’s deadly trail has, thus far, forced enterprise cybersecurity into three distinct phases. Phase one was the rush to keep business moving in the face of an uncertain pandemic. Phase two saw more calm to the storm with additional security measures put in place. The third phase is now kicking in as we progress further into 2022, and could showcase the path to far better security as we all learn to co-exist for the long term with the pandemic.
Phase one started around March 2020, when Covid forced massive changes to the workforce and, critically, demanded that those changes happen in far too little time. An example of this is CISOs and CIOs had to create 60,000 new remote sites within days – a project that, in normal times, would have been carefully planned over years.
“Beyond the security complexities created by such a sharp and rapid move to a more remote workforce, enterprises aggressively accelerated the already-in-motion massive shift of enterprise data to the cloud,” said Rodman Ramezanian, Enterprise Cloud Security Advisor, Skyhigh Security. “For many organizations, that meant on-premises systems were entirely shifted offsite, while others retained some on-premises workloads, at least in phase one.”
Phase one was an emergency; CISOs and CIOs needed to make these cloud and remote changes happen all-but-immediately, often resulting in cutting whatever security corners were necessary to make it happen.
The remote shift made obvious to all what CIOs and CISOs had already known: VPNs offered almost no meaningful security and had serious bandwidth limitations.
“When VPNs only impacted fewer than 10 percent of personnel, IT and security management were willing to overlook those issues for the tradeoff of simplifying the delivery of access to sensitive corporate datacenters, as well as receiving files at those same datacenters,” Ramezanian said. “But the Covid flip, from 10 to 90 percent, made those acceptances untenable, now that so much of the company was being impacted.”
For many enterprises, the first sign of VPN trouble manifested the very day that most sites were set up. Because VPNs had not been designed to support the volume and distribution of individuals, many simply failed as traffic congestion overloaded bandwidth. IT teams had to quickly negotiate with vendors to buy more bandwidth at prices that were not easily negotiable.
As for security, VPNs were never designed to do anything beyond provide an encrypted tunnel for sending and receiving files. Despite some marketers pitching VPNs as cybersecurity tools, VPNs don’t attempt to scan what is in their encrypted tunnels. They merely facilitate safe passage of traffic, no matter what that traffic happens to contain. So, if cyber thieves place malware within a spreadsheet or a slide set at a remote site, the tunnel would protect and transport the malware without question. Instead of being a locked door, VPNs became an open backdoor for the attackers to sneak malware into the heart of the enterprise network.
Within six or so months, things calmed down a bit and security layers were gradually added to new operations. It was often patchwork, such as adding in additional MFA factor, but not differentiating between robust MFA (such as an encrypted app) and unencrypted SMS, which is highly susceptible to man-in-the-middle and other attacks.
Biometrics capabilities have become a consideration including facial, voice or fingerprint recognition, however, they are weaker options against retina. Even worse, some biometrics default back to a simple PIN if the biometrics fail, which pretty much defeats the purpose of additional security.
No longer is Covid-19 considered a temporary disruption. Rather, leaders have adapted or even accelerated cybersecurity protocols. “Remember that back in March 2020, many executives were operating on the belief that the disaster would blow over in a few weeks,” Ramezanian said. “Now that executives are finally internalizing that this is long term, if not semi-permanent, they are exploring doing what they always needed to do: Reshape enterprise cybersecurity to deal with the current threat landscape, not the one that existed three years ago.”
Beyond remote site and cloud expansion, as well as related reductions in on-premises operations, the environment has changed due to the rapidly increasing data access granted to external partners, including suppliers, distributors, contractors and large customers. How can we give this access securely?
“Then there are the critical data protection and data visibility issues, such as devising the best approaches to controlling data access across the global environments, without losing the ability to inspect and block anything in real time that doesn’t meet policy,” said Ramezanian.
CISOs have agreed with the Zero Trust concept to solve these problems for many years, but few have engaged in the massive restructuring of systems that it requires. In 2022, many enterprises are finally preparing to take that step by building in Zero Trust Network Access (ZTNA) – the granular, adaptive, and context-aware policies for providing secure and seamless Zero Trust access to private applications hosted across clouds and corporate data centers, from any remote location and device.
According to Ramezanian, it’s important that the move to ZTNA entail the following key components:
- Gradually replacing VPNs for a secure means of interacting with the enterprise network, one that includes enterprise-level authentication, and an encrypted tunnel that adds malware detection and eradication.
- Taking a strict view of least privilege for access control.
- Deploying behavioral analytics, continuous authentication, and machine learning (ML) together for anomaly detection. Ramezanian notes that the technology trio could be the beginning of the path beyond passwords and PINs.
- Embedding data protection capabilities into the Zero Trust architecture; and ensuring proprietary, sensitive data is secured in contexts where trust cannot be implied.
To the extent that one can say that a global catastrophe has a silver lining, it is finally forcing companies to truly modernize their security operations.
Visit www.skyhighsecurity.com for more information on how to best deploy Private Access.