The deadly trail of Covid has so far forced corporate cybersecurity into three distinct phases. Phase one was the rush to keep the business going in the face of an uncertain pandemic. Phase two brought more calm before the storm with additional safety measures. The third phase is now beginning as we move forward into 2022, and could show the path to much better security as we all learn to coexist with the pandemic for the long haul.
PHASE ONE
Phase one started around March 2020, when Covid forced massive changes in the workforce and, crucially, demanded those changes happen in far too short a time. For example, CISOs and CIOs had to create 60,000 new remote locations within days, a project that in normal times would have been carefully planned over years.
“Beyond the security complexity caused by such a sharp and rapid move to a more remote workforce, enterprises accelerated the already on-going massive shift of enterprise data to the cloud,” said Rodman Ramezanian, Enterprise Cloud Security Advisor, Skyhigh Security. “For many organizations, this meant completely moving on-premises systems to another location, while others kept some on-premises workloads, at least in phase one.”
Phase one was an emergency; CISOs and CIOs had to make these cloud and remote-work changes almost immediately, often cutting security corners to make it happen.
The external shift made it clear to everyone what CIOs and CISOs already knew: VPNs offered almost no meaningful security and had severe bandwidth limitations.
“When VPNs only impacted less than 10 percent of the workforce, IT and security management were willing to overlook these issues when considering simplifying the provision of access to sensitive corporate data centers, as well as receiving files in those same data centers,” Ramezanian said. “But the Covid flip, from 10 to 90 percent, made that adoption unsustainable, with such a large portion of the business being affected.”
For many enterprises, the first sign of VPN problems appeared on the day most sites were set up. Because VPNs were not designed to support the volume and distribution of individuals, many simply failed because traffic congestion overloaded the bandwidth. IT teams had to negotiate quickly with suppliers to buy more bandwidth at prices that were not easily negotiable.
In terms of security, VPNs were never designed to do anything other than provide an encrypted tunnel for sending and receiving files. While some marketers offer VPNs as cybersecurity tools, VPNs don’t try to scan what’s in their encrypted tunnels. They simply facilitate the safe passage of traffic, whatever that traffic may be. So if cyber thieves put malware in a spreadsheet or slideshow in a remote location, the tunnel would no doubt protect and transport the malware. Rather than being a closed door, VPNs became an open back door for attackers to sneak malware into the heart of the corporate network.
PHASE TWO
Within six months things calmed down and layers of security were gradually added to new operations. It was often patchwork, such as adding an extra MFA factor without distinguishing between robust MFA (like an encrypted app) and unencrypted SMS, which is highly susceptible to man-in-the-middle and other attacks.
Biometric capabilities have become a consideration, including facial, voice or fingerprint recognition, but they are weaker options than retina scans. Worse, some biometrics fall back to a simple PIN if the biometric check fails, which pretty much negates the purpose of extra security.
PHASE THREE
Covid-19 is no longer considered a temporary disruption. Rather, leaders have adapted or even accelerated cybersecurity protocols. “Remember, in March 2020, many executives worked in the belief that the disaster would blow over in a few weeks,” Ramezanian said. “Now that executives are finally realizing that this is a long-term, if not semi-permanent issue, they are exploring what they always needed to do: reshape enterprise cybersecurity to address today’s threat landscape, not the one that existed three years ago.”
In addition to the expansion of remote sites and the cloud, as well as the related reductions in on-premises operations, the environment has changed as a result of rapidly increasing data access being granted to third-party partners, including suppliers, distributors, contractors and major customers. How can we provide this access securely?
“Then there are the critical issues of data protection and data visibility, such as coming up with the best approaches to controlling data access in the global environments, without losing the ability to inspect and block anything that doesn’t comply in real-time,” said Ramezanian.
CISOs have embraced the Zero Trust concept for solving these problems for many years, but few have tackled the massive restructuring of systems it takes to do so. In 2022, many enterprises are finally gearing up to take that step by building in Zero Trust Network Access (ZTNA) – the granular, adaptive, and context-aware policy for providing secure and seamless Zero Trust access to private applications hosted in clouds and enterprise data centers, from any remote location and any device.
According to Ramezanian, it is important that the switch to ZTNA involves the following key components:
- Gradually replacing VPNs with a secure way of interacting with the corporate network, one that includes enterprise-level authentication and an encrypted tunnel that adds malware detection and eradication.
- Taking a strict look at least privilege for access control.
- Using behavioral analysis, continuous authentication and machine learning (ML) together to detect anomalies. Ramezanian notes that the tech trio could be the beginning of the path beyond passwords and PINs.
- Embedding data protection capabilities into the Zero Trust architecture, and ensuring proprietary, sensitive data is secured in contexts where trust cannot be implied.
To the extent that a global catastrophe can be said to have a silver lining, it is finally forcing companies to really modernize their security operations.
Visit www.skyhighsecurity.com to learn more about how best to implement Private Access.