
Identity and Access Management (IAM)


What Is Endpoint Security Today? Big Data and Mobile Trends Point to the ‘Startpoint’

Where does “it” end?

We can probably all agree that securing and protecting the devices that communicate with our networks is a fair definition of endpoint security. Similarly, these devices are one of the best places to start when figuring out how to secure your networks because they are a particular pain point for security teams, responsible for 70 percent of breaches and a source of daily headaches.

But within this traditional definition, what, really, is the endpoint of today? How we answer that question has significant security implications.

While the conversation has focused on devices thus far, consider that the “2019 IBM X-Force Threat Intelligence Index Report” found that “human error continues to facilitate breaches,” and the 2018 edition of the report noted, “To err is human … When it comes to data security, the potentially detrimental impact of an inadvertent insider on IT security cannot be overstated.”

If human error and manipulation are sources of so much frustration, are the devices really the problem?

Data Production and Consumption Are Going Big and Going Mobile

Let’s go through some quick points before diving deeper. Threat actors are taking advantage of devices with malicious intent, but we know that humans also facilitate breaches. Trends show a rising mobile-first preference, which has attackers moving away from malware. Phishing is increasing and remains the preferred attack method, according to Microsoft. In addition, as reported by Threatpost, with more and more organizations deploying mobile devices in professional settings, employees are using these devices for personal functions.

In fact, people are going mobile-first for their internet usage at such high rates that attackers are now tailoring their tactics for mobile viewing.

For example, Threatpost described a recent campaign in which threat actors used malicious tool kits to attack Verizon Wireless customers due to their deep understanding of the provider’s infrastructure, creating spoofs of seemingly legitimate subdomains. According to Lookout security researcher Jeremy Richards, this type of attack looks sloppy and obviously not legitimate when opened on a desktop. However, when opened on a mobile device, “it looks like what you would expect from a Verizon customer support application.”

For good measure, let’s add in some data production numbers. According to Forbes:

  • Half of all web searches are conducted from a mobile phone.
  • Every minute, we send 16 million text messages and 156 million emails (and some 103 million spam emails).
  • Uber riders take nearly 46,000 trips every minute.
  • Internet of things (IoT) devices are exploding, from 2 billion devices in 2006 to a projected 200 billion by 2020.

Clearly, part of the issue is manageability. You simply cannot keep your network secure without some kind of endpoint security solution because every minute counts once you have been breached. But big data and mobile are two factors that are testing the limits of manageability, giving way to a completely new meaning of identity and access management (IAM) and how we address the problem as a whole.

Where Is the Endpoint?

From these trends, statistics and developments, we need to ask some questions that, depending on the answers, could completely change how we think about and manage endpoint security.

Unconscious Data

Unlike in the past, when users were more conscious of their data production and consumption (access a stationary terminal, use it and walk away from it), today there is a great deal of unconscious data production and consumption (mobile devices are always on, always broadcasting and always connected to some secondary device such as a health monitor or watch). How does this situation of unconscious data production and consumption alter the meaning of endpoint security?

Continuous Data

Previously, users were producing and consuming data in finite blocks, whereas today, there is a seemingly endless stream of continuous data consumption and production, mainly due to our mobile devices. This is one of the reasons we have big data, and the situation will only get worse as we integrate more IoT, wearable and peripheral devices — which, in part, explains why enterprises are adopting unified endpoint management (UEM) systems. Remember, humans are responsible for much of this data. How does this continuous stream of data alter the meaning of endpoint security?

Device or User?

Finally, given recent trends — specifically the shift to social engineering attacks — ask yourself: Is the attacker going after the device or the human to gain access to the network? Put another way, is it the device that is vulnerable, or the user? It’s not clear-cut who or what the target is anymore.

I’d assert that both the device and the human are targets because they each have their own unique vulnerabilities, and the intent will determine the method of attack. But that’s probably the easiest answer, and the nuance of the question deserves attention.

It’s the attack’s intent that throws all of this into a conundrum. Because you don’t know what you don’t know, the attacker has the upper hand. This reinforces why beginning with endpoints is a great way to protect your network.

But I’ll take it one step further: If your endpoint is the device, then your “startpoint” is the human. Attackers are always tweaking their tactics to get past the technology to the human. We haven’t even begun to discuss the human/tech interaction, but Verizon’s “Insider Threat Report” described five very possible scenarios that illustrate that interaction:

  1. The Careless Worker (misusing assets, resources and policies).
  2. The Inside Agent (stealing information on behalf of outsiders).
  3. The Disgruntled Employee (seeking to destroy company property).
  4. The Malicious Actor (stealing information for personal gain).
  5. The Feckless Third-Party (business partners compromising security).

So what’s the solution? To quote Lewis Carroll, “‘Begin at the beginning,’ the King said gravely, ‘and go on till you come to the end: then stop.’”

If Machines Are the End, Then Humans Are Very Much the Start

I don’t expect a couple generations’ worth of people to begin thinking of endpoints any differently; an endpoint will continue to be defined as a device that communicates with a network. But that definition puts into our mind that the device is the terminus point of data production and consumption. It’s a bit of a mental barrier, whether we like it or not.

Big data and mobile trends indicate that devices are not the terminus points; we are. We make the final decision to click the link. We make the final decision to send that information. We make the final decision to produce and consume data and where from.

Therefore, let’s step up our endpoint game by using technology to manage security while spending equal time addressing the problems caused by the “startpoint” of the system, the human. Looking at these issues as a looping continuum of data flow that is mobile, instead of as distinct and discrete issues with terminus points, may better position us to reduce the risk we face.

The post What Is Endpoint Security Today? Big Data and Mobile Trends Point to the ‘Startpoint’ appeared first on Security Intelligence.

Author: George Platsis


KuppingerCole Report: Leadership Compass of Access Management and Federation

Part of fixing any IT issue is finding the right solution for the problem and ensuring the issue will not happen again. One of the major struggles for the IT industry is finding the right vendors to enlist as protectors.

KuppingerCole’s Leadership Compass report on access management and federation aims to close the gap between the right solution and the right vendor.

Emerging business requirements, such as onboarding business partners, providing customer access to services and adopting new cloud services, require IT to react and find solutions to these communications and collaboration conditions. Access management and federation vendors are closing in to address these needs and enable business agility.

With many vendors in this market segment, the KuppingerCole Leadership Compass provides a view and analysis of the leading vendors and their strengths and weaknesses. The report acts as a guide for the consumer to compare product features and individual product requirements.


Breaking Down the Leadership Ratings

When evaluating the different vendors and products, KuppingerCole looked into the aspects of overall functionality, size of the company, number of customers, number of developers, partner ecosystems, licensing models and platform support. Specific features, such as federation inbound, federation outbound, backend integration, adaptive authentication, registration, user stories, security models, deployment models, customization and multitenancy, were considered as well.

KuppingerCole created various leadership ratings, including “Product Leadership,” “Innovation Leadership,” and “Market Leadership,” to combine for the “Overall Leadership” rating. With this view, KuppingerCole gives an overall impression of each vendor’s offering in the particular market segment.

Product Leadership is based on analysis of product and services features and capabilities. This view focuses on the functional strength and completeness of each product.

Innovation Leadership focuses on a customer-oriented approach that ensures the product or service has compatibility with earlier versions, as well as supports new features that deliver emerging customer requirements.

Market Leadership is based on market criteria, such as number of customers, the partner ecosystem, the global reach and the nature of responses to factors affecting the market outlook. This view focuses on global reach, sales and service support, and successful execution of marketing strategy.


How IBM Ranks

IBM Security Access Manager (ISAM) is ranked as a leader in the Product, Marketing and Technology Leadership categories. This rating comes from IBM ISAM having one of the largest customer bases of all vendors in the market segment, a strong partner ecosystem, mature access management and strong adaptive authentication. ISAM is among the leading products in the access management and federation market and meets organizations’ growing lists of IT security requirements with broad feature support.

Read the Full Report

Check out the complete report to discover:

  • An overview of the access management and federation market;
  • The right vendor and right solution for your business; and
  • Why IBM ISAM is a leader in Product, Marketing and Technology.


The post KuppingerCole Report: Leadership Compass of Access Management and Federation appeared first on Security Intelligence.

Author: Kelly Lappin


Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security

More and more, organizations and end users are embracing encryption to protect their data and traffic. By far the most visible part of this adoption is the use of Hypertext Transfer Protocol Secure (HTTPS) for accessing websites. Unlike basic HTTP, which sends everything in plain text, HTTPS uses Transport Layer Security (TLS) or Secure Sockets Layer (SSL) certificates to encrypt traffic between web servers and clients.

Does this mean that once you’ve implemented TLS/SSL certificates you should no longer worry? Not exactly. There are many cyberthreats that make it necessary to stay vigilant by following a zero trust security model.

Some of the latest threats originate from thriving dark web marketplaces for these certificates, which often come packaged with other cybercrime services. But before we get to that, a little more on HTTPS and TLS/SSL.

A Very Brief Introduction to HTTPS and TLS/SSL

HTTPS is HTTP with an extra layer on top, the TLS/SSL encryption layer. This layer ensures that both the client and the server can continue to speak HTTP with each other, but over a secure connection. Under normal circumstances, this serves three main purposes:

  1. Confidentiality — preventing others from reading your communications.
  2. Integrity — making sure the web content isn’t altered in transit.
  3. Authentication — ensuring that the client (your web browser, for example) connects to the intended web server.

Setting up a security layer on your web infrastructure and adding TLS/SSL certificates to your websites undoubtedly increases security and is in the interest of your customers and users. If there’s one key task you should tackle immediately it’s migrating all your existing HTTP-only sites to HTTPS versions. Although setting up HTTPS has now become a fairly easy process with the help of tutorials such as HTTPS Is Easy! and tooling such as Certbot, there are several key elements that you should be aware of.

When the secure layer is bootstrapped, a handshake takes place between the server and the client in which, among other things, the server proves its identity via its TLS/SSL certificate. This identity is included as a property of the certificate and describes which domain the certificate belongs to. During this handshake, the client also checks whether it trusts the certificate, that is, whether the certificate has been verified and signed by a certificate authority (CA) that the client itself trusts.

Proving Your Ownership of a Domain

To prevent people from acquiring a certificate for domains they do not own, a number of verification steps must be completed. These steps allow you to prove that you’re the rightful domain holder.

Depending on your certificate provider, you will need to prove that you control the DNS settings of the domain (by adding a TXT record, for example), have access to a specific email account belonging to that domain or are able to put up a text file on the public website of the domain.

The next level of identity checks of the domain holder happens with Extended Validation (EV) certificates. Previously, an EV certificate was represented differently in browsers via a green bar, but due to recent browser changes, these visual differences are no longer immediately noticeable for users. As such, because most users will not be able to visually differentiate between EV and non-EV certificates and because they are not necessarily more secure or cryptographically stronger than other certificates, there is really no extra value in spending on EV certificates.

HTTPS Doesn’t Mean Safe

A common misconception is that HTTPS automatically means safe. It doesn’t. It actually stands for secure, meaning that the underlying website that you access via that secure channel can still cause harm to you or your organization. This is very well demonstrated by Netcraft statistics on the number of phishing websites that make use of certificates.

But this isn’t the only threat you should be aware of when it comes to website security.

An Emerging Black Market for TLS/SSL Certificates

Research from Georgia State University and the University of Surrey, sponsored by Venafi, described the appearance of thriving marketplaces for TLS/SSL certificates on the dark web. This type of marketplace might sound strange at first. After all, you can get certificates for free, so why would you want to pay extra for obtaining TLS/SSL certificates, let alone do it on the dark web?

However, if you take a closer look at what exactly is for sale, it becomes clear that these sales do not only include a certificate, but a larger package deal.

According to the researchers, these packages include cybercrime services such as malicious websites and ransomware, but also aged domains, website design services and payment services. Some packages even offer deals that help the buyer set up a company, together with all the necessary company documents and a Data Universal Numbering System (DUNS) number. The deal is then complemented with an EV-SSL certificate from a known certificate vendor.

What Risks Are Associated With This Market?

The threats associated with these dark web offerings are not immediately linked to weaknesses in the certificates themselves, but rather to the services that are provided via the secure website that’s part of the offering.

Phishing websites that resemble legitimate websites remain a threat. But whether a phishing site was acquired via the dark web or not doesn’t immediately increase the threat. Cybercriminals can already register new domains that resemble existing ones and acquire a valid certificate from a legitimate certificate provider outside the black market. The added advantage of these marketplaces, from an attacker’s point of view, is the inclusion of web design services and support.

Financial Loss

Another potential consequence of black market TLS/SSL certificates is financial loss due to fraud. Website visitors who assume they are dealing with a legitimate e-commerce site might be inclined to buy goods and pay for them with their credit card or other payment information.

Illicit websites often present themselves as a real online store that is protected with a proper certificate and accepts money via a trusted payment system. Even trained security professionals sometimes have a hard time differentiating between a legitimate business site and a malicious one.

Credentials Theft

Although we warn our users not to reuse passwords and request they create unique, strong passwords, we know that in practice this is not always the case. This leads us to another risk: users signing up and creating detailed accounts on legitimate-looking business websites. The threat actors behind these fake sites can not only grab any entered passwords, but they also have access to any other personal information included in setting up the profile.

From an attacker’s point of view, this becomes increasingly interesting when a victim signs up with his or her business email account or other credentials used to access corporate networks or resources. This kind of threat is typically deployed on fake online dating or job listing websites.

Man-in-the-Middle Attacks

Another risk that comes to mind with black market TLS/SSL certificates is attackers spying on encrypted traffic or conducting man-in-the-middle (MITM) attacks. This has happened in the past due to vulnerabilities in cryptographic software libraries or protocol implementations, the most prominent examples being Heartbleed, BEAST and Logjam.

Besides abusing these vulnerabilities, skilled attackers can also attempt to steal the private keys of the certificate. The latter almost always involves a breach of the company infrastructure by an attacker with advanced capabilities.

BGP Hijacking

Yet another important threat you should be aware of is Border Gateway Protocol (BGP) hijacking to obtain valid certificates — valid in the sense that the certificates have not been stolen from their rightful owner and that, according to the CA, the verification process was successful. One method involves an attacker conducting a local hijack to make the CA believe they are the owners of a targeted domain. The hijack consists of redirecting the network, especially the path used for the verification, to a network under the attacker’s control. Although this only works well if the attacker is close enough — networkwise — to the CA and the victim is relatively far, your incident response plan should take this risk into account.

How Do You Defend Against These Threats?

There is no single solution that you can apply as a defensive measure against these attacks. Instead, these are threats you can only combat with zero trust security, a layered defense model and security best practices. Get started by checking off some of these quick wins:

  • Implement certificate pinning — note that pinning is being superseded by Certificate Transparency, an open framework for monitoring and auditing TLS/SSL certificates.
  • Monitor for issued certificates that closely resemble the name of your organization or products. This monitoring can alert you if attackers start targeting your brand, sometimes even before a campaign has started.
  • Monitor and possibly block domains that have a high deceptive domain score.
  • Subscribe to the feeds provided by initiatives such as Phishtank or OpenPhish to proactively block access and review the proxy logs for access attempts.
  • Filter access to newly observed domains (NODs). Be aware that some offerings in the marketplace provide packages of “aged” domains, bypassing this protection measure.
  • Subscribe to a threat feed or collaborate closely with an information sharing and analysis center (ISAC) or computer security incident response team (CSIRT) to get timely updates about new malicious sites.
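As an added example (not code from the article or from any vendor named in it), the following Python monitor shows what the two bullets on watching newly issued certificates and scoring deceptive domains look like in practice: it folds common look-alike tricks out of each issued name, compares the result with the organization's brand and flags the close matches. The certificate records, the brand name "examplebank" and the scoring weights are constructed assumptions.

```python
"""Look-alike monitor for newly issued certificates (added example, not the
article's or any vendor's code). Records, brand and weights are assumptions."""
from dataclasses import dataclass
import unicodedata

# Constructed sample, shaped like the subject names a Certificate Transparency
# log monitor would return for newly issued certificates.
SAMPLE_CERT_RECORDS = [
    {"id": 1, "names": ["www.examplebank.com", "examplebank.com"]},  # our own cert
    {"id": 2, "names": ["examp1ebank.com"]},                # digit '1' for letter 'l'
    {"id": 3, "names": ["examplebank-secure-login.com"]},   # brand plus lure words
    {"id": 4, "names": ["exarnplebank.net"]},               # 'rn' imitating 'm'
    {"id": 5, "names": ["xn--exmplebank-r5a.com"]},         # IDN form of exämplebank
    {"id": 6, "names": ["weather-forecast.org"]},           # unrelated
    {"id": 7, "names": ["bank.example.org"]},               # shares a word, not the brand
]

# Substitutions that make one label visually pass for another.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}
LURE_WORDS = {"secure", "login", "signin", "verify", "account", "support", "update"}


@dataclass
class Finding:
    cert_id: int
    name: str
    score: int
    reasons: list


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname):
    """Label left of the public suffix; naive second-to-last label, no PSL lookup."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_label(label):
    """Fold a label into the ASCII form a user would 'see': decode IDN, strip
    accents, map digit/symbol homoglyphs and letter pairs that mimic one letter."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable A-label: compare it as-is
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch)).lower()
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    return label.replace("rn", "m").replace("vv", "w")


def deceptive_score(hostname, brand, owned):
    """Score with reasons; 0 for names under domains the organization owns."""
    host = hostname.lower().lstrip("*.")
    if any(host == d or host.endswith("." + d) for d in owned):
        return 0, []
    raw = registrable_label(host)
    label = normalize_label(raw)
    score, reasons = 0, []
    if label != raw:
        score += 30
        reasons.append("homoglyph/IDN folding changed the label")
    parts = label.split("-")
    if label == brand:
        score += 60
        reasons.append("label equals brand after folding")
    elif brand in label:
        score += 40
        reasons.append("brand name embedded in label")
    else:
        dist = min(levenshtein(p, brand) for p in parts)
        if dist <= 2:
            score += 50
            reasons.append("edit distance %d from brand" % dist)
    lures = LURE_WORDS.intersection(parts)
    if lures:
        score += 10 * len(lures)
        reasons.append("lure words: " + ", ".join(sorted(lures)))
    return score, reasons


def flag_lookalikes(records, brand, owned, threshold=50):
    """Return a Finding for every issued name scoring at or above the threshold."""
    findings = []
    for rec in records:
        for name in rec["names"]:
            score, reasons = deceptive_score(name, brand, owned)
            if score >= threshold:
                findings.append(Finding(rec["id"], name, score, reasons))
    return findings


if __name__ == "__main__":
    for f in flag_lookalikes(SAMPLE_CERT_RECORDS, "examplebank", {"examplebank.com"}):
        print(f.cert_id, f.name, f.score, "; ".join(f.reasons))
```

Run against a real CT feed, the same scoring would be applied to each new entry's subject names, and a hit is a cue to check the domain before any campaign using it starts.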

Further enhance your defenses with the following best practices for zero trust security:

  • Encrypt your internal traffic, especially in environments that utilize single sign-on (SSO). It’s important that every resource that requires authentication supports an encrypted communication channel.
  • Implement role-based access and make sure that users are only put in groups that are strictly necessary to do their job. Avoid having too many users with escalated privileges.
  • Lock down the environment in which users work, possibly giving them thin clients or systems that are restored to a known good image overnight.
  • Monitor your entire IT environment, including endpoints, servers and internal network traffic, and consider applying advanced technologies such as artificial intelligence to help.

The post Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security appeared first on Security Intelligence.

Author: Koen Van Impe


Reap the Promise of One and Done Authentication With SSO

Every day, the average business employee inputs credentials to authenticate identity and access apps and sites several times — using one of the 8–12 passwords the average person has, according to the “IBM Future of Identity Report.” If you get your password wrong too many times, you’re locked out and you call the IT help center to reset it, again. Which leads you, the help center and the system administrator all to think there must be a better way. Fortunately, there is single sign-on (SSO).

What is SSO? It’s a user authentication technology that requires only one set of credentials to provide access to everything you need. Once you’re authenticated on a centralized platform in an enterprise, for example, you can use a range of applications — from on-premises programs to cloud resources to software-as-a-service (SaaS) apps such as Salesforce and Office 365 — without logging in and out again.

Eliminate the Problems With Passwords

A typical employee may start with only a few credentials, but after a few weeks or months, that number will quickly increase. Furthermore, according to the “Future of Identity Report,” only 42 percent of millennials use complex passwords (versus 49 percent of people over the age of 55) and 41 percent reuse the same password multiple times (versus 31 percent). Administrators may be sympathetic to password fatigue and interrupted user experiences, but security is an even greater concern. Verizon’s “2018 Data Breach Investigations Report” listed stolen credentials as one of the leading causes of data breaches.

What users are accessing with those passwords is also critical; another key factor behind many breaches is the abuse of access privileges. Many enterprises fail to implement access management solutions that ensure employees have only the privileges they need to do their jobs. This puts the organization at greater risk given that insider threats are at the root of 60 percent of cyberattacks.

If you’re an administrator, you oversee databases that hold passwords, permissions for access to applications and resources, help center troubleshooting and support to change credentials, and training to keep users from falling for phishing scams or other hacks that could result in a breach. That can be a lot, especially for larger companies with hundreds or thousands of employees.

The solution requires taking responsibility for security away from users by eliminating the need to have multiple passwords.

Implement SSO for Seamless User Experiences

Single sign-on changes how authentication and identity and access management work. Normally, when you want to sign up for an application, the server first verifies whether you already have an account. If not, the server securely stores your email and encrypted password in a database. The server then creates a session and sends a token confirming your identity. Your browser stores the token in a cookie that verifies your identity when you’re logged in. Next time you want to log in, the server compares your password to what’s in the database and you’re in or out.

With federated SSO, however, you get another option. You’ve probably been asked if you want to sign up for an app or site using Facebook or Google, for example. Various standards, including Security Assertion Markup Language (SAML), Open Authorization (OAuth) and OpenID Connect (OIDC), let these web giants give third-party apps and sites access to your information.

You choose your provider — say, Google — and the third party verifies that you’re already logged in to Google. If not, you log in and then choose what information you’re willing to share with the third party. Google verifies that both you and the third party are legitimate, then authenticates you based on its own password database and issues a token back to the site. The third-party site can now associate you with the user data you’re willing to share — such as preferences, previous sales and so on — and you can move seamlessly between applications for which you have access without logging in each time.

A Win-Win for Users and Administrators

It’s easy to see why users would love SSO, whether they’re at home or at work. In the enterprise, they can use one set of credentials to access all their apps instead of remembering, looking up and frequently resetting multiple passwords. New users can sign up for accounts easily and securely, using a provider they already trust.

Administrators, on the other hand, can securely provide access to resources and applications, whether they’re on premises, in the cloud or in a hybrid cloud. But to reduce risk, it’s critical to focus on security as well as convenience.

Ensure the Upside Isn’t a Downside

Forrester emphasizes that authentication is mission-critical infrastructure in “Now Tech: Authentication Management Solutions, Q3 2018.” If an SSO provider experiences a security breach or an authenticator goes down, users can’t get online. And if only one set of credentials is needed to access a multitude of apps and resources, the security around those credentials must be ironclad. After single sign-on implementation, compromised credentials give a threat actor entry not just to one resource, but all of them.

More secure authentication should include access without passwords, such as scanning a code with a user’s phone; frictionless biometrics, such as fingerprint, voice or face recognition; and geolocation. For example, IBM Cloud Identity provides seamless and secure authentication for native, web, mobile or cloud applications via biometrics, FIDO2, Universal Second Factor (U2F), Face ID, Touch ID, email/SMS one-time passwords or soft tokens. The solution can also reduce reliance on passwords by providing multifactor authentication (MFA) to any target system, including virtual private networks (VPNs), mainframes, Linux or desktop.

An ideal solution will also incorporate risk-based authentication. For example, an employee logging in from her desktop at 2 p.m. on a workday may gain access with just a single password, but a user across the globe logging in on a new device at midnight may require MFA.
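The risk-based decision described above, written out as an added Python example (not the article's code and not IBM Cloud Identity's logic): a small scoring function that lets the familiar afternoon desktop login through on a password alone and steps the unfamiliar midnight login on a new device up to MFA. The signal weights, thresholds, user profile and the two sample logins are constructed assumptions, and all times are in UTC.

```python
"""Risk-based step-up decision (added example, not the article's or IBM Cloud
Identity's logic). Weights, thresholds, the user profile and the two logins
below are constructed assumptions; all times are UTC."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    at: datetime  # timezone-aware


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    work_hours_utc: tuple = (13, 22)  # 8 a.m. to 5 p.m. Chicago time in UTC (assumption)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess_login(event, profile, previous=None):
    """Return (decision, score, reasons). 'password' lets the login through on
    the single password; 'mfa' requires a second factor before access."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 40
        reasons.append("new_device")
    if event.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual_country")
    start, end = profile.work_hours_utc
    if event.at.weekday() >= 5 or not (start <= event.at.hour < end):
        score += 20
        reasons.append("outside_work_hours")
    if previous is not None:
        # Impossible travel: the distance from the last login could not have
        # been covered in the time elapsed.
        hours = (event.at - previous.at).total_seconds() / 3600
        km = haversine_km(previous.lat, previous.lon, event.lat, event.lon)
        if hours > 0 and km / hours > 1000:  # faster than any airliner
            score += 50
            reasons.append("impossible_travel")
    return ("mfa" if score >= 40 else "password"), score, reasons


# Constructed profile and logins: a Tuesday 2 p.m. Chicago login from the usual
# desktop, then a login from Singapore on an unknown phone at midnight UTC,
# five hours later.
PROFILE = UserProfile(known_devices={"desk-7f3a"}, usual_countries={"US"})
OFFICE_LOGIN = LoginEvent("alice", "desk-7f3a", "US", 41.8781, -87.6298,
                          datetime(2019, 3, 12, 19, 0, tzinfo=timezone.utc))
REMOTE_LOGIN = LoginEvent("alice", "phone-unknown", "SG", 1.3521, 103.8198,
                          datetime(2019, 3, 13, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("office:", assess_login(OFFICE_LOGIN, PROFILE))
    print("remote:", assess_login(REMOTE_LOGIN, PROFILE, previous=OFFICE_LOGIN))
```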

Evolving With Your Ecosystem

Perhaps the best feature of SSO is its scalability; you can future-proof access management, as this case study on POST Luxembourg showed. As your enterprise changes and grows, you can continue to provide a convenient sign-on experience to users, customers and partners and a centralized solution that gives them secure and integrated access to resources via almost any device, anytime and anywhere.

IT administrators, line-of-business managers and employees all benefit from an identity and access management solution like single sign-on. It allows registered users to access applications with one set of credentials, provides a centralized place for admins to manage all protected applications and configure access policy settings, and, best of all, the cloud has made single sign-on implementation more affordable and less time-intensive than ever.


The post Reap the Promise of One and Done Authentication With SSO appeared first on Security Intelligence.

Author: Diana Kightlinger


Spring Cleaning for CISOs: Replace These 3 Bad Habits With Better Cybersecurity Practices

Spring is (almost) here, which means it’s time for some in-house security cleaning. With the holiday shopping season — one of the most treacherous times of year for security — in the rearview, organizations should take a step back to assess what is working, drop what isn’t and invest in the tools they need to take their security strategy to the next level.

With that in mind, let’s take a closer look at three cybersecurity practices chief information security officers (CISOs) need to toss this year, and three that could help reduce overall risk for the enterprise.

Clean Up Your Security Act This Spring

Regardless of the size or type of company, awareness level of employees, or maturity of the technology infrastructure, there is always room for security leaders to improve the enterprise’s overall risk posture. CISOs should crack down on these bad habits to help clean up their organizations’ security act this spring.

1. Patch Postponement

Other tasks often take priority over patching, especially if updates aren’t considered critical. What happens if patches cause app outages, network challenges or productivity loss? This is especially problematic when CISOs tackle spring cybersecurity cleaning. Given the high level of disruption that comes with annual cleanups, patches are often put off until later, but in many cases later never comes.

Here’s the good news for security hygiene: According to a Kenna Security report, less than 2 percent of published Common Vulnerabilities and Exposures (CVEs) have been actively exploited in the wild. The not-so-good news is that, with more than 3 billion vulnerabilities identified in volume two of the same study, this amounts to more than 540 million potentially problematic exploits. It’s no surprise, then, that only 30 percent of vulnerabilities are remediated within 30 days of being discovered.

To get back on track, organizations must toss the notion that patches are optional and prioritize patch progress.

2. Overvalued VPNs

Many companies still use virtual private networks (VPNs) as their preferred method of securing network access, especially for remote users. The problem is that, as reported by Tech Beacon, VPNs often provide complete network access (whether it is needed or not), are cumbersome to manage and can fragment security controls.

Consider the use case for VPNs. Designed to give users outside the network a protected path to internal services, VPNs excel at encrypting traffic and obfuscating origin points. But they come with a built-in flaw: They’re natively external, introducing an inherent element of risk, and that externality spreads. The rise of mobile and cloud computing services has shifted the bulk of corporate IT outside of local server stacks, in turn reducing the efficacy of VPN offerings. Widespread use of VPNs, meanwhile, has led to an uptick in VPN-based malware; according to Top10VPN, roughly 20 percent of the top 150 free Android VPN clients may contain malicious code.

The bottom line is that while VPNs have their uses, many corporations are due for a connection cleanup to maximize their value.

3. Password Paradoxes

CISOs are stuck: While standard login security measures remain a staple of network access, they’re notoriously insecure. The proof is in the passwords, and some of the worst of this past year included “123456,” “sunshine,” “qwerty” and the ever-popular “password,” according to SplashData, making it easy for malicious actors to compromise accounts and steal data.

Common cybersecurity practices to improve password potency include asking employees to regularly change passwords or use complex combinations of characters and numbers. The problem is that, according to LastPass, only 55 percent of users change their passwords — even when hacked. Increased complexity, meanwhile, can lead to user frustration and insecure password practices such as keeping hard copies near desktop computers. Even password managers are no guarantee of safety; misconfigured cloud storage or targeted attacks can put millions of credentials at risk.

Get on Track With These Next-Level Cybersecurity Practices and Technologies

While streamlined security hygiene helps limit overall risk, deep cuts must be balanced with solid cybersecurity additions. This spring, start by bolstering your strategy with the following cutting-edge technologies.

1. Prioritize Patching With Intelligent Automation

2019 will see the rise of automated tools that can schedule patches and other maintenance around corporate needs and help avoid the problem of put-off patches. As noted by Forbes, “more organizations will combine artificial intelligence and robotic process automation to create digital workers.”

Artificial intelligence (AI) offers a more efficient way to manage the biggest problem with security patching: prioritization. Given the sheer number of vulnerabilities and patches, it’s difficult for CISOs to know what’s worth the workflow interruption and what can go (temporarily) unpatched. Intelligent automation can help streamline this process.

2. Shift to Zero-Trust IAM

Identity is everything. While VPNs exist as a catch-all — a kind of all-in-one security solution that often overprovisions access — advanced identity and access management (IAM) tools can help solve this problem by focusing on user identity as the defining factor for access.

IAM solutions focus on zero-trust paradigms, which CSO Online described as a model of “never trust, always verify.” By using multiple factors to authenticate user identities and providing IT professionals with granular management controls, it’s possible to tackle security on a per-user rather than per-connection basis and enhance the protection of critical assets.

Also in development are blockchain-based IAM technologies that link access to a shared ledger of identities. The challenge is to balance the need for ID certainty against potential privacy concerns.

3. Address Persistent Password Problems With U2F

It’s one thing to acknowledge that passwords are a problem — many IT professionals can speak at length about the issues surrounding typical access credentials. The hard truth, however, is that passwords aren’t going anywhere.

But it’s not all bad news: Companies can toss overly restrictive password management by pairing passwords with additional authentication layers. Two-factor authentication (2FA) is the most obvious choice, but recent research produced proof-of-concept attacks that can easily spy on 2FA delivery methods. Another option is universal second factor (U2F), which uses physical tokens to eliminate the possibility of man-in-the-middle (MitM) authentication attacks. With 2FA now potentially vulnerable, U2F offers a way to secure valuable assets with minimal workflow disruption.
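To make concrete why U2F resists the relay attacks that defeat SMS or app-code 2FA, here is an added Go example (not code from the original post, nor from any U2F library) that simulates the origin binding at the core of the protocol: the token signs a hash of the origin the browser actually observed, and the legitimate site verifies against its own origin, so a response captured on a look-alike domain never verifies. The origins, challenges, key handle and the simplified client-data hash are all assumptions; a real U2F authenticator additionally refuses to sign for an origin the key was not registered under, which this model omits so that the signature check itself stays visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Response is a U2F-style authentication response; AppParam and ClientHash both depend on the origin the browser saw.
type Response struct {
	AppParam   [32]byte
	Counter    uint32
	ClientHash [32]byte
	Sig        []byte
}

// signedBytes lays out the signed message: appParam || user-presence flag || counter || clientHash.
func signedBytes(appParam [32]byte, counter uint32, clientHash [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append([]byte{}, appParam[:]...), 1) // 1 = user presence confirmed
	return append(append(msg, ctr[:]...), clientHash[:]...)
}

// clientDataHash stands in for the hash of the client data (challenge plus origin); simplified assumption.
func clientDataHash(challenge []byte, origin string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, challenge...), origin...))
}

// Token models the authenticator; unlike a real token it signs for any origin, so the site must reject on the signature.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Register mints a key pair under a key handle and returns the public key for the site to store.
func (t *Token) Register(handle string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t.keys[handle] = priv
	return &priv.PublicKey
}

// Sign answers a challenge; origin is supplied by the browser from the page's real origin, not by the page.
func (t *Token) Sign(handle, origin string, challenge []byte) (Response, error) {
	priv, ok := t.keys[handle]
	if !ok {
		return Response{}, fmt.Errorf("unknown key handle %q", handle)
	}
	t.counter++
	r := Response{AppParam: sha256.Sum256([]byte(origin)), Counter: t.counter, ClientHash: clientDataHash(challenge, origin)}
	digest := sha256.Sum256(signedBytes(r.AppParam, r.Counter, r.ClientHash))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Response{}, err
	}
	r.Sig = sig
	return r, nil
}

// RelyingParty is the legitimate site: it rebuilds the signed message from its OWN origin and checks the counter moved.
type RelyingParty struct {
	Origin      string
	PubKey      *ecdsa.PublicKey
	lastCounter uint32
}

func (rp *RelyingParty) Verify(challenge []byte, r Response) error {
	digest := sha256.Sum256(signedBytes(sha256.Sum256([]byte(rp.Origin)), r.Counter, clientDataHash(challenge, rp.Origin)))
	if !ecdsa.VerifyASN1(rp.PubKey, digest[:], r.Sig) {
		return fmt.Errorf("signature not valid for origin %s", rp.Origin)
	}
	if r.Counter <= rp.lastCounter {
		return fmt.Errorf("counter %d not above %d", r.Counter, rp.lastCounter)
	}
	rp.lastCounter = r.Counter
	return nil
}

// U2FScenario runs a legitimate login, a phishing relay and a replay, and reports which the site accepted.
func U2FScenario() (legit, phished, replayed bool) {
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{Origin: "https://bank.example", PubKey: tok.Register("handle-1")} // constructed origin
	chal1 := []byte("constructed-challenge-1")
	good, _ := tok.Sign("handle-1", "https://bank.example", chal1)
	legit = rp.Verify(chal1, good) == nil
	// Phishing relay: the attacker forwards the real challenge, but the victim's browser reports the look-alike origin.
	chal2 := []byte("constructed-challenge-2")
	relayed, _ := tok.Sign("handle-1", "https://bank-login.example", chal2)
	phished = rp.Verify(chal2, relayed) == nil
	replayed = rp.Verify(chal1, good) == nil // same counter as before: rejected
	return legit, phished, replayed
}
func main() { fmt.Println(U2FScenario()) }
```

The counter check at the end is the second U2F property worth copying into any verifier: a replayed response, or one from a cloned token, fails because its counter has not advanced past the last value the site recorded.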

Spring Into Action to Boost Your Security Posture

Spring offers the perfect opportunity to clean out old cybersecurity practices that are cluttering up IT environments and bolster security efforts with more effective additions.

Start with patch postponement. Instead of waiting for the worst and hoping for the best, leverage intelligent automation to prioritize application updates. Reduce corporate reliance on VPN solutions by opting for ID-based IAM, and push back against bad passwords with the secure authentication of U2F.

The post Spring Cleaning for CISOs: Replace These 3 Bad Habits With Better Cybersecurity Practices appeared first on Security Intelligence.

Author: Douglas Bonderud


How to Accelerate Your Cloud IAM Adoption

Cloud identity and access management (IAM) is quickly becoming a cost-effective and flexible model for modern IAM programs. According to the “2018 Gartner Magic Quadrant for Access Management,” by 2022, identity-as-a-service (IDaaS), also known as cloud IAM, will be the chosen delivery model for more than 80 percent of new access management purchases globally, up from 50 percent today.

Reducing the complexity and cost of managing and operating legacy, on-premises IAM programs often drives the need to move to a modern, cloud-based IAM architecture. Many organizations have quite a bit of technical debt: Their investment in IAM infrastructure is too low to keep their solutions up to date over time, and the cost of upgrading these on-premises deployments becomes prohibitive. As a result, cloud-delivered functionality becomes an attractive way to complement, augment and even replace legacy IAM functionality that is weighed down by this technical debt. Migrating IAM functionality to the cloud also brings many other benefits, including cost-efficiency, flexibility, faster deployments and simplified operations.

However, there are some significant challenges associated with moving to a cloud IAM solution, especially for larger organizations with complex operations, IT landscapes or organizational structures. Adapting to a technology platform with less room for customization requires trade-offs to make it the right solution for your organization, and your organization and its IAM staff will have to work differently than they are used to.

Your organization will need to plan, design, deploy and operate a cloud-based solution, often alongside existing architecture, in a hybrid manner, so the IAM processes and security policies will be completely different. These new challenges can depend on the requirements of your core IAM team, stakeholders and end users.

With all that in mind, let’s explore some steps you can take to make your transition to cloud IAM easier.

Find the Right Cloud IAM Strategy

To identify the right cloud IAM strategy for your organization, you will need to balance the requirements of many different stakeholders. First, many security and IT executives across industries are defining cloud initiatives for their organizations — these are the directives that govern how IT should navigate the evolution of its ecosystem, and they can look different for every organization. These initiatives are often shaped by compliance requirements, the privacy requests of strategic partners and other third parties, and the organization’s overall business strategy.

Next, understand the needs and expectations of your various user populations. Any major technology change in your organization will likely impact the way your end users access their resources, how IAM administrators perform identity management workflows and how auditors receive reports, just to name a few. That’s why you need to make sure any solution you design addresses these users’ most important requirements if you want to see successful adoption. This focus on user outcomes and how they relate to business goals is what drives Enterprise Design Thinking.

Lastly, these requirements must be balanced against the realities of your current business processes and IT architecture. Many organizations have requirements for IAM workflows, including approval, provisioning and onboarding, that drive heavy customization of the legacy on-premises architecture. Often, these customizations are no longer available in cloud-delivered services and teams must decide whether to keep these capabilities on-premises or adapt their business processes to the realities of the cloud-delivered tools. Many cloud-delivered solutions also have limited support for custom legacy deployments, which may make it difficult to integrate things like on-premises custom apps. In these situations, it’s important to assess the current IT landscape and build a technical solution to meet requirements.


Once you have worked through these considerations, you can identify which IAM capabilities will stay on-premises and which will be delivered in the cloud, and create a future-state, programwide architecture. For example, access management functions such as federated single sign-on (SSO) and multifactor authentication (MFA) may be delivered from the cloud, while functions like role management and provisioning might remain on-premises. It all depends on the requirements and feasibility of what can be migrated to the cloud.

Design and Deploy a New Cloud IAM Solution

There may be pressure from business leaders to migrate to the cloud as soon as possible to lower infrastructure costs and overall technical debt. But to do so without disrupting business operations and risking the success of the project requires a thoughtful approach to designing and deploying the right cloud IAM infrastructure.

First, stay closely aligned with users to make sure their requirements are captured at each phase of the project to help the technical teams design a phased project approach that is minimally disruptive to these users. Like in the previous step, Enterprise Design Thinking can help uncover these user needs and ensure they stay top of mind.

Second, leverage prebuilt use cases following industry best practices to help speed up deployment efforts and deliver a secure and usable solution. Combined with an agile approach, this can speed up the delivery of functionality.

Lastly, prioritize a rollout schedule to deliver success early. A good practice is to start with the easy integrations, such as SSO for Security Assertion Markup Language (SAML)-enabled software-as-a-service (SaaS) apps, to build trust in the project and keep stakeholders engaged and invested in its success.

Continuously Improve and Optimize Your Cloud IAM Solution

A successful transition to cloud IAM requires ongoing, day-to-day management of your new solution. These efforts should focus on driving continuous improvement in the new environment. An organization cannot simply adopt a set-it-and-forget-it mindset. As it expands its footprint, the IAM team should focus on prioritizing integrations and onboarding new assets in the new cloud-based IAM environment.

It’s important to consider how the organization will retrain and redeploy its IAM talent. Resources with traditional on-premises experience will need training and development on new cloud-based IAM architecture and processes. Especially during periods of dramatic technology transition, there is always a risk that employees will leave.

Therefore, it’s important to set up clear roles and responsibilities tailored to the skill sets of your current IAM talent. In doing so, you may help mitigate the loss of these important and limited resources for your organization.

Services such as IBM Cloud Identity and Access Management Services can facilitate a smooth IAM program transformation by helping security teams find, deploy and operate the right cloud IAM strategy and tools regardless of their deployment model. This insight enables IAM and security managers to focus on user outcomes, accelerate cloud IAM deployments and their integration with existing IAM processes, and optimize and continuously improve overall IAM operations.


The post How to Accelerate Your Cloud IAM Adoption appeared first on Security Intelligence.

Author: Marc von Mandel


Blockchain: Making the Reward Much Greater Than the Risk

What is the first thought that comes to mind when someone mentions blockchain? Many of you may say bitcoin, which is what’s to be expected considering bitcoin was the first major cryptocurrency that made blockchain a household name. However, bitcoin is only one among a large variety of cryptocurrencies, and while it was the first large-scale implementation of blockchain technology, it is merely one application of many uses by which blockchain can aid society and commerce.

Blockchain technology provides a means to store data in a distributed ledger. The data is stored within a block, where it is digitally recorded and linked together with other blocks, forming a chain. The chain provides the entire history of all recorded data. Data is committed to the chain in the form of transactions. The transactions are only added after they have been validated by the blockchain network’s consensus protocol, so that there is only one version of the truth. Any data stored on the blockchain is “immutable,” meaning it cannot be changed. Also, all network participants have a copy of the data, meaning everything is transparent and everyone has the same version of truth.

The first major implementation of blockchain technology was introduced in 2008 with the release of bitcoin, but it’s only during the past few years that enterprises have come to grasp the technology’s potential. This is happening because the past decade has seen a tremendous reduction in the costs of secure storage, computation power and communications. As a result, more innovation makes its way into mainstream markets, served to average consumers.

The same applies to the business realm. Nowadays, we are starting to see more blockchain adoption across many industries, including financial, food services, healthcare, aviation, automotive and logistics. In 2017, the blockchain market was valued at $708 million. Two separate reports have estimated that by 2024–2025, the market could be valued between $20 to $60 billion. This significant growth represents up to an 8,300 percent increase in the span of less than 10 years.

We are still in the early stages of exploring this technology, and it will take time to fully realize its applications and potential. For example, it took almost 10 years for computers to reach an adoption rate of 80 percent. For enterprises, blockchain technology at scale has only been around since late 2015. So what does this mean, exactly? As we watch a new technology emerge and steadily grow, people who love to be on the cutting edge of technology are excited about the endless possibilities blockchain affords. That said, with new technology also comes new challenges, especially regarding security.

Big Implementations, Limited Experts

The people who deeply understand blockchain infrastructure are typically blockchain developers and architects, whose numbers are increasing, but are still few and far between. If you layer on blockchain security expertise, you will find that number to be even smaller. Hardly any published information or guidance exists about blockchain security.

So what are the implications of developing these full-fledged solutions with little knowledge about the potential attack vectors and risks that could bring the entire system crashing down? Inherently, the decentralized nature of blockchain, coupled with consensus protocols, helps to address some security needs, but the consequences can be dire if security isn’t fully explored.

Blockchain Is Code, and Code Can Be Flawed

As previously mentioned, at its core, the blockchain concept is simple: It is a distributed, immutable, cryptographically assured ledger that can have applications, often called “smart contracts,” interface with it.

A smart contract is made up of numerous lines of code, which are stored within the blockchain. These contracts automatically execute when predetermined terms and conditions are met. They are small programs that replicate processes or business logic and can be used to enforce an agreement between multiple parties in such a way that they can be certain of the outcome without any need for an intermediary.

For example, smart contracts may be used in the healthcare industry. Users’ data, such as blood pressure and other metrics, could be published to a chain, and once a metric rises above a specified threshold, the smart contract could execute actions such as notifying the user and/or processes such as further consultations with specialists to resolve their health problems. A flaw capable of compromising smart contracts could allow an attacker to modify critical details in the code. In the above example, what happens if an attacker is able to affect the business logic or introduce additional code to perform unintended actions?

But as with many powerful technologies, blockchain is straightforward in concept, yet if it is improperly implemented, flaws and vulnerabilities can result in real risk and security consequences. What would happen if someone could change a smart contract’s data before it is stored on the chain? Data on the chain is supposed to be trusted, right? What about a smart contract flaw that results in business logic not behaving as expected?
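As an added illustration of the ledger mechanics described earlier and of the question just raised (not code from the post, nor a real blockchain implementation or IBM's), the following Go ledger shows why on-chain data is only as trustworthy as the validation that ran before commit: transactions are checked against balances before a block is appended, and Verify detects a committed block that was edited in place, and also the case where the tamperer recomputes that block's hash, because the next block's back-link then breaks. The account names, balances and the validation rule are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Transaction is the unit of data committed to the ledger (constructed example schema).
type Transaction struct {
	From   string
	To     string
	Amount int
}

// Block links to its predecessor by hash, so editing a committed transaction breaks every later link.
type Block struct {
	Index    int
	PrevHash string
	Txs      []Transaction
	Hash     string
}

func (b Block) computeHash() string {
	payload, _ := json.Marshal([]interface{}{b.Index, b.PrevHash, b.Txs})
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// Ledger is one node's copy of the chain plus the rule standing in for the network's consensus validation.
type Ledger struct {
	Blocks   []Block
	balances map[string]int
}

// NewLedger seeds balances (the map is never mutated afterwards) and writes the genesis block.
func NewLedger(genesis map[string]int) *Ledger {
	g := Block{Index: 0}
	g.Hash = g.computeHash()
	return &Ledger{Blocks: []Block{g}, balances: genesis}
}

// validate is the pre-commit check: immutability preserves whatever was committed, so a bad
// transaction must be rejected here rather than "fixed" on the chain later.
func (l *Ledger) validate(txs []Transaction) (map[string]int, error) {
	next := map[string]int{}
	for k, v := range l.balances {
		next[k] = v
	}
	for _, tx := range txs {
		if tx.Amount <= 0 || next[tx.From] < tx.Amount {
			return nil, fmt.Errorf("rejected %+v", tx)
		}
		next[tx.From] -= tx.Amount
		next[tx.To] += tx.Amount
	}
	return next, nil
}

// Append validates the transactions and, only if they pass, commits them in a new block.
func (l *Ledger) Append(txs []Transaction) error {
	next, err := l.validate(txs)
	if err != nil {
		return err
	}
	prev := l.Blocks[len(l.Blocks)-1]
	b := Block{Index: prev.Index + 1, PrevHash: prev.Hash, Txs: txs}
	b.Hash = b.computeHash()
	l.Blocks = append(l.Blocks, b)
	l.balances = next
	return nil
}

// Verify returns the index of the first block whose hash or back-link is inconsistent, or -1 if intact.
func (l *Ledger) Verify() int {
	for i, b := range l.Blocks {
		if b.Hash != b.computeHash() || (i > 0 && b.PrevHash != l.Blocks[i-1].Hash) {
			return i
		}
	}
	return -1
}

// LedgerScenario commits two valid blocks, rejects an overdraft, then tampers with a committed
// transaction in two ways and reports where Verify catches each. Balances are constructed.
func LedgerScenario() (overdraftRejected bool, intact, editedAt, rehashedAt int) {
	l := NewLedger(map[string]int{"alice": 100, "bob": 20})
	_ = l.Append([]Transaction{{"alice", "bob", 30}})
	_ = l.Append([]Transaction{{"bob", "carol", 10}})
	overdraftRejected = l.Append([]Transaction{{"carol", "alice", 500}}) != nil
	intact = l.Verify()
	l.Blocks[1].Txs[0].Amount = 90 // edit in place: block 1 no longer matches its recorded hash
	editedAt = l.Verify()
	l.Blocks[1].Hash = l.Blocks[1].computeHash() // recompute block 1's hash: block 2's back-link now breaks
	rehashedAt = l.Verify()
	return overdraftRejected, intact, editedAt, rehashedAt
}
func main() { fmt.Println(LedgerScenario()) }
```

Note what the chain does not do: if the overdraft had been accepted by a flawed validate, it would be committed and then protected by the same hashes, which is exactly the smart contract failure mode the post describes.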

In the past few years, X-Force Red has seen a plethora of risks introduced into blockchain ecosystems where it was possible to abuse access controls at the user and administrative levels. For example, some vulnerabilities may enable attackers to inject malicious code into the network, effectively compromising all nodes.

Putting the technology aside, your standard everyday applications (i.e., web/mobile applications) still need to interface with the chain on some level. It has been possible for our penetration testers to compromise these components and pivot to backend systems where there is little to no security, giving an attacker the ability to insert data on the chain or execute any function that is exposed. Functions may include higher-privileged administrative access or accessing data that a user should not have access to. If that happens, how does an environment protect itself against malicious actions?

Raising the Bar on Blockchain Security

Security is about raising the bar high enough that attackers would be extremely hard-pressed to exploit any vulnerability. If they were to attack, they would make enough noise on the network to be detected and incident response procedures would hopefully slam the door shut. So, monitoring from both an application and network level is key to protecting blockchain implementations. Should an internal host be scanning your internal network? I think not!

Another precaution is to take a page out of the renowned television show, “The X-Files,” and trust no one:

  • Build a layered defense where each layer of the solution provides some level of distrust of all the layers above it.
  • Enforce strict access controls both at the application and blockchain layers to prevent overly permissive access and abuse.
  • Ensure there are strong governance controls and processes around the handling of all sensitive information, including key material. Should your certificate authority’s signing key be disclosed to an unauthorized third party, it’s game over; they would have full control of your blockchain environment.
  • Implement strong change control and a secure code review process to ensure all configuration settings and source code (i.e., smart contracts) are as secure as possible and do not contain any weaknesses that can be abused.

These are only a handful of basic actions that you can take to help protect the integrity, availability and confidentiality of your blockchain-enabled environment.

At X-Force Red, we have many experienced hackers with blockchain-specific skill sets to perform security assessments and penetration tests on anything within the blockchain technology and connected infrastructure.

IBM is an industry leader in blockchain technology and, as such, our X-Force Red hackers are exposed to numerous areas of the technology while working with leading experts in the field.

This all culminates into possessing a deep technical understanding and the ability to assess any blockchain-enabled solution from an end-to-end perspective. X-Force Red can review the environment from a design/architectural perspective and manually review smart contracts, access controls, configuration of critical components and more. We can also test all applications and technologies that interface with the blockchain, work with key stakeholders and developers to fully realize the potential risks they may face, and assist in reducing the risk of a compromise.


The post Blockchain: Making the Reward Much Greater Than the Risk appeared first on Security Intelligence.

Author: Christopher Thomas


Stranger Danger: X-Force Red Finds 19 Vulnerabilities in Visitor Management Systems

Automation is pervasive across our modern world and building lobbies are the latest place affected by the changes. The friendly receptionist or security guard is being replaced by kiosks, and it is big business, with sales expected to exceed $1.3 billion by 2025. These systems are officially called visitor management systems and allow businesses to check a guest in, give them a badge and control access to restricted areas of the facility.

Unlike simple pen and paper, they have the ability to authenticate visitors and provision badges for them in an automated way without allowing anyone to see who else has visited. If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted. If the systems are not working as intended, they can provide a false sense of security to the companies deploying them.

Considering that these systems are intentionally physically exposed to outsiders and have a role in the security of an organization, they should be developed with security in mind throughout the product life cycle and should include physically present attackers in their threat model. However, our team has identified vulnerabilities in a number of visitor management system products that could prevent them from achieving that goal.

Two X-Force Red summer interns (Hannah Robbins and Scott Brink), under the guidance of the X-Force Red research team, took a closer look at the security of five popular visitor management systems and discovered 19 previously undisclosed vulnerabilities across all the vendors. If the vulnerabilities were exploited by attackers, data like visitor logs, contact information and corporate activities could be accessed. They also discovered these systems can be used to establish a foothold to attack corporate networks.

The findings included:

  • Data leakage — information disclosure of personal and corporate data;
  • Keys to the kingdom — several applications had default administrative credentials, which would allow complete control of the application; and
  • Breakout — other identified vulnerabilities could allow an attacker to use Windows hotkeys and standard help or print dialogs to break out of the kiosk environment and interact with Windows, giving an attacker control over the system with the same privileges as the software was given.

What Are the Potential Consequences?

Given control of a visitor management system, an attacker could achieve a number of goals depending on the features of the system in question and the context of how it has been deployed.

Physical access: Attackers who want to perform a physical task like stealing valuable assets or launching physical attacks to compromise computers may be able to acquire a valid badge. Some visitor management systems can even issue and provision radio frequency identification (RFID) badges, giving an attacker a key to open doors. Even if the issued badges are not capable of opening doors, they may still identify an attacker as a trusted outsider. A smile and gentle request for help opening a locked door often goes unchallenged with a valid badge.

Network access: If an attacker’s goal is simply to gain access to the internal network, they may not even need to enter the premises, since the visitor management system itself may have access to the internal network and compromising it could mean gaining a foothold on the network.

Data exfiltration: Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders. Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well.

Closing the Door to Visitor Management System Vulnerabilities

Details of the vulnerabilities disclosed by our X-Force Red team were provided to the affected vendors ahead of this publication to allow time for official fixes to be developed and released.

Apply the patch: Several of the vendors have updated their software, or plan to, with patches or changes to the affected functions. If there is no patch, include these systems in a security testing program to confirm exploitability, and apply appropriate techniques to isolate the system from others.

Harden access: Evaluate the privileges the system has and determine whether it requires administrative privileges to run. If not, revoke those privileges and ensure default passwords are not enabled. If network access is not required for the visitor management system to function, it should not be connected to the network.

Encrypt everything: Full-disk encryption should always be used on any system accessible to the public or at risk of theft, such as laptops and kiosks. Since iOS now employs mandatory full-disk encryption backed by a hardware security module, full-disk encryption is already the norm on iOS devices.

Password integrity: If the password can be guessed, the encryption may be rendered moot, so make sure to set a strong password on the device. iOS has a kiosk mode that can be used to prevent users from accessing the full functionality of the device, and this should be employed to add an additional barrier to exploitation.


The Vulnerabilities

The post Stranger Danger: X-Force Red Finds 19 Vulnerabilities in Visitor Management Systems appeared first on Security Intelligence.

Author: Daniel Crowley


Are Passwords Killing Your Customer Experience? Try Passwordless Authentication

Creating a seamless, secure experience for your legitimate users is a challenge. Most users are good and deserve a frictionless experience, but the less than 0.1 percent of users that are suspected to be rogue actors, according to IBM Trusteer research, spoil the party for everyone. These are the users who commit online fraud, steal data, bypass formal application programming interfaces (APIs) and skew site analytics. The rest of us can thank them for the frustration associated with tedious login rituals.

We’re drowning customers in a sea of passwords and expecting them to stay afloat. Passwords are not only a pain, but incredibly easy to hack. So how is the industry combating these issues related to passwords and the pains of usability? Shockingly, many organizations are still relying only on passwords as a form of authentication, and we know they’re failing. According to a Javelin Strategy & Research survey, 1 in 5 customers fails to authenticate. This could be due to multiple factors, one of which is forgetting their own password.

How Can Companies Go Passwordless?

Let’s take a step back and think about it: As a consumer yourself, how many online accounts do you have, and how many different passwords do you need to create to outsmart fraudsters? All these credentials are nearly impossible to manage.

If we know a large percentage of our users are legitimate, then let’s deliver the seamless but secure experience they expect and, in the end, help drive digital sales. So what does going passwordless really mean, and how is it possible?

The passwordless experience is based on identifying unauthorized access to web and mobile applications and sensitive operations. Organizations can identify these issues by using risk-based authentication and continuous trust validation technologies, which provide services such as behavioral analysis, device identification and authenticity, phone number and email intelligence, identity linkages, and session and network attributes to build this trust. These signals are what make passwordless authentication possible, because they recognize legitimate users and challenge high-risk ones.

Examples of a Passwordless Customer Experience

How does this work in practice? Below are some examples of how passwordless authentication can transform and improve your customer experience.

  • A new customer registers on a site or application by confirming his or her email or phone. For subsequent logins, the customer is auto-enrolled as a trusted user.
  • A registered user accesses a site seamlessly after the system detects no threats or compromises on the trusted device.
  • A user accesses a service from a new device by confirming the email or phone number associated with the account and entering his or her credentials. After the device is labeled as trusted, it is auto-enrolled for seamless entry.
  • A user accesses a service seamlessly and browses with continuous authentication in the background until he or she reaches sensitive information. At this point, the user is prompted to enter his or her two-factor authentication (2FA) information before accessing this data.
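The four scenarios above all follow one decision flow: establish trust in the device, then let low-risk sessions through and step up only at sensitive points. The following is an added example, not code from the post or from IBM Trusteer, that models that flow as a small risk-based authentication policy. The signal names, the trust store, and the anomaly-score thresholds are assumptions made for the illustration; in a real deployment the signals would come from the behavioral, device and network intelligence services described above.

```python
"""Toy risk-based authentication policy (added example; not the post's or
any vendor's code). Signal names and thresholds are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set


class Decision(Enum):
    ALLOW = "allow"                    # seamless entry, nothing to prompt
    VERIFY_CONTACT = "verify_contact"  # confirm email/phone (+ credentials on a known account)
    STEP_UP = "step_up"                # ask for 2FA before continuing
    DENY = "deny"                      # block the session


@dataclass
class Signals:
    """Per-request signals; all booleans default to the 'nothing proven' state."""
    user_id: str
    device_id: str
    new_account: bool = False          # first registration for this user
    contact_verified: bool = False     # email/phone confirmed in this session
    credentials_ok: bool = False       # password (or equivalent) checked for this session
    device_compromised: bool = False   # e.g. malware or tampering detected (assumed signal)
    sensitive_operation: bool = False  # the request touches sensitive data
    mfa_passed: bool = False           # 2FA already satisfied in this session
    anomaly_score: float = 0.0         # 0.0 normal .. 1.0 clearly anomalous (assumed)


class TrustStore:
    """Which devices are enrolled as trusted for which users (in-memory stand-in)."""

    def __init__(self) -> None:
        self._trusted: Dict[str, Set[str]] = {}

    def is_trusted(self, user_id: str, device_id: str) -> bool:
        return device_id in self._trusted.get(user_id, set())

    def enroll(self, user_id: str, device_id: str) -> None:
        self._trusted.setdefault(user_id, set()).add(device_id)

    def revoke(self, user_id: str, device_id: str) -> None:
        self._trusted.get(user_id, set()).discard(device_id)


DENY_THRESHOLD = 0.9     # assumed: behavior this anomalous is not let through at all
STEP_UP_THRESHOLD = 0.5  # assumed: moderately anomalous sessions must pass 2FA


def decide(s: Signals, store: TrustStore) -> Decision:
    # 1. Hard stops come first so a compromised device is never enrolled,
    #    and a previously trusted device loses its trust.
    if s.device_compromised or s.anomaly_score >= DENY_THRESHOLD:
        store.revoke(s.user_id, s.device_id)
        return Decision.DENY

    # 2. Establish device trust. A brand-new customer only confirms email/phone;
    #    a known account on a new device confirms email/phone and credentials.
    if not store.is_trusted(s.user_id, s.device_id):
        proven = s.contact_verified if s.new_account else (s.contact_verified and s.credentials_ok)
        if not proven:
            return Decision.VERIFY_CONTACT
        store.enroll(s.user_id, s.device_id)  # auto-enroll for subsequent logins

    # 3. Continuous authentication: prompt for 2FA only at sensitive points
    #    or when the session starts to look unusual.
    if (s.sensitive_operation or s.anomaly_score >= STEP_UP_THRESHOLD) and not s.mfa_passed:
        return Decision.STEP_UP

    return Decision.ALLOW


def run_scenarios() -> List[Decision]:
    """Walk the four customer-experience scenarios plus a compromise case."""
    store = TrustStore()
    out = []
    # 1. New customer registers by confirming email/phone, then is auto-enrolled.
    out.append(decide(Signals("alice", "phone-1", new_account=True), store))
    out.append(decide(Signals("alice", "phone-1", new_account=True, contact_verified=True), store))
    # 2. Registered user on the trusted device with no threats: seamless.
    out.append(decide(Signals("alice", "phone-1"), store))
    # 3. Same user on a new device: contact confirmation + credentials, then enrolled.
    out.append(decide(Signals("alice", "laptop-1", credentials_ok=True), store))
    out.append(decide(Signals("alice", "laptop-1", contact_verified=True, credentials_ok=True), store))
    # 4. Browsing is seamless until sensitive data is reached; 2FA unlocks it.
    out.append(decide(Signals("alice", "laptop-1", sensitive_operation=True), store))
    out.append(decide(Signals("alice", "laptop-1", sensitive_operation=True, mfa_passed=True), store))
    # Compromise detected on the trusted phone: deny and drop its trust.
    out.append(decide(Signals("alice", "phone-1", device_compromised=True), store))
    out.append(decide(Signals("alice", "phone-1"), store))
    return out


if __name__ == "__main__":
    for i, d in enumerate(run_scenarios(), 1):
        print(f"step {i}: {d.value}")
```

The ordering inside `decide` is the point worth copying: threat checks run before enrollment so a compromised device can never become trusted, and the trust store is revoked on denial so the next login from that device has to re-prove itself.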

If you go passwordless, you’re guaranteed to improve your customer experience. A system free of clunky passwords helps streamline customers’ buying journeys and distinguish between legitimate users and fraudsters. Most importantly, it enables your users to enjoy a seamless experience on any digital platform. So what are you waiting for? Now is the time to give your customers the experience they deserve and the security they demand with passwordless authentication.


The post Are Passwords Killing Your Customer Experience? Try Passwordless Authentication appeared first on Security Intelligence.

Author: Kelly Lappin

Access Governance, Access Management, Advanced Threats, Application Security, Cloud, Cloud Adoption, Cloud Infrastructure, Cloud Security, Cloud Services, Cloud Services Provider, Cloud Strategy, Data Protection, Data Security, Encryption, Encryption Keys, Hybrid Cloud, Identity and Access Management (IAM), Identity Management, Public Cloud, Security by Design,

Moving to the Hybrid Cloud? Make Sure It’s Secure by Design

Many organizations have such a positive first experience with cloud computing that they quickly want to move to a hybrid cloud environment with data and workloads shared between private and public clouds. The flexibility and control that a hybrid cloud provides is why it is expected to be the dominant cloud computing model for the foreseeable future.

However, companies often don’t think about security issues until after they are well along in the process of building a hybrid cloud. This can lead to nasty surprises when they realize this environment introduces some unique security considerations that don’t exist in traditional infrastructure. That’s why a hybrid cloud needs to be secure by design.

Cloud Security Is a Shared Responsibility

Public cloud providers offer enterprise-class security, but that doesn’t absolve customers from responsibility for protecting data, enforcing access controls and educating users. Private cloud security is complicated because private clouds can take many forms. They may be hosted entirely on-site, entirely in the public cloud or some combination. Private cloud infrastructure can also be dedicated to a single tenant or shared across multiple zones with isolation providing dedicated resources. Each environment has different security demands.

The scale and dynamism of cloud computing complicates visibility and control. Many customers incorrectly believe that cloud providers take care of security. In fact, security is a shared responsibility. In my experience, most cloud security failures occur because customers don’t live up to their part of the bargain.

No single cloud security mechanism does the entire job. There is also little consensus about what the ideal cloud security environment should look like. As a result, most product offerings in this market are still evolving. Secure by design starts with assessing risk and building a framework for technology.

A New Way of Computing

Moving to the cloud doesn’t mean relinquishing control entirely, but it does require embracing a new security mindset based on identity, data and workloads rather than on the underlying platforms. Security professionals who can reorient themselves around business enablement rather than device protection are particularly well-suited to securing public clouds.

Cloud computing is highly distributed and dynamic, with workloads constantly spinning up and down. Visibility is essential for security. According to Gartner, cloud security should address three core topics that have not traditionally been an IT discipline: multitenancy risk, virtualization security and software-as-a-service (SaaS) control.

Multitenancy risk is inherent to cloud architectures because multiple virtual machines (VMs) share the same physical space. Major public cloud providers go to great lengths to mitigate the possibility that one tenant could access data in another VM, but on-premises infrastructure is susceptible if the servers are not configured properly. Changes made to one hybrid cloud environment may also inadvertently affect another.

Virtualization security refers to the unique risks of virtualized environments. While hypervisors and VMs are in many ways more secure than bare-metal environments because the operating system is isolated from the hardware, the use of shared resources like storage and networking also introduces potential vulnerabilities that don’t exist on dedicated servers.

SaaS environments require greater attention to authentication and access control because the user doesn’t own the network. Governance standards need to be put in place to ensure that users take appropriate precautions with data and that all necessary regulatory and compliance guidelines are met.

Without these new competencies, organizations will struggle to gain visibility into their hybrid cloud environments, making it almost impossible to determine which computing and storage tasks are taking place where, using which data and under whose direction. In that situation, provisioning and enforcement of policy can quickly become impractical. But if organizations practice secure-by-design principles using new cloud-native tools, they can get a single-pane-of-glass view into activity that enables policy enforcement.

Three Keys to Secure Hybrid Cloud Deployments

Three areas merit special attention: encryption, endpoint security and access control.

Encryption is the best form of data protection. Data moving to and from the public cloud should be encrypted at all stages, and sensitive data should never be left unencrypted. All cloud providers support encryption, but not necessarily by default. Customers need to choose the type of encryption that is most appropriate and secure the encryption keys themselves.

When public cloud services are accessed over the public internet, endpoint security needs special attention so that user devices don’t become access points for attackers or targets of malware. For example, an attacker who compromises a PC and logs on as an administrator for the company’s public cloud effectively has the keys to the kingdom. Hardware firewalls aren’t protection enough.

Secure web gateways (SWGs) utilize URL filtering, advanced threat defense (ATD) and malware detection to protect organizations and enforce internet policy compliance. SWGs are delivered as both physical and virtual on-premises appliances, cloud-based services or hybrid cloud/on-premises solutions. They provide an additional layer of protection against destructive attacks such as ransomware and enable safer and more efficient adoption of cloud-based services.

Finally, cloud-specific access control is a necessity if employees, contractors and vendors are to use both public and private clouds. Single sign-on (SSO) and federated access controls can minimize inconvenience while maintaining control and security monitoring.

Identity and access management-as-a-service (IDaaS) works in both multitenant and dedicated environments. It provides identity governance and administration, access management, and analytics functions that span the organization’s entire cloud environment. IDaaS can also be integrated with existing access management software to manage access to legacy applications.
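Secure by design is easiest to enforce when the three areas above (encryption, endpoint-aware admin access, and access control) are expressed as checks that run against the inventory before and after migration. The following is an added example, not code from the post or from any cloud provider, that audits a constructed hybrid-cloud inventory against those three concerns. The resource schema (`encrypted_at_rest`, `key_type`, `tls_required`, `mfa_enabled`, `federated_sso`, `managed_endpoint_only`) is invented for the illustration; a real audit would populate it from the provider's configuration APIs.

```python
"""Policy-as-code audit of a hybrid-cloud inventory (added example; not the
post's or any provider's code). The resource schema and sample inventory
are constructed for illustration."""
from typing import Any, Callable, Dict, List

Resource = Dict[str, Any]
Finding = Dict[str, str]

# Constructed inventory: storage resources from the private and public sides
# of a hybrid deployment plus two identities that can reach the cloud console.
INVENTORY: List[Resource] = [
    {"id": "uploads-bucket", "kind": "object_store", "location": "public",
     "classification": "sensitive", "encrypted_at_rest": False,
     "key_type": None, "tls_required": False},
    {"id": "db-volume", "kind": "block_volume", "location": "private",
     "classification": "sensitive", "encrypted_at_rest": True,
     "key_type": "provider-default", "tls_required": True},
    {"id": "logs-archive", "kind": "object_store", "location": "public",
     "classification": "internal", "encrypted_at_rest": True,
     "key_type": "customer-managed", "tls_required": True},
    {"id": "cloud-admin", "kind": "identity", "role": "admin",
     "mfa_enabled": False, "federated_sso": False, "managed_endpoint_only": False},
    {"id": "contractor-dev", "kind": "identity", "role": "developer",
     "mfa_enabled": True, "federated_sso": True, "managed_endpoint_only": True},
]


def _finding(res: Resource, severity: str, message: str) -> Finding:
    return {"resource": res["id"], "severity": severity, "message": message}


def check_encryption(res: Resource) -> List[Finding]:
    """Encryption: at rest everywhere, customer-managed keys for sensitive data,
    and transport encryption enforced wherever data crosses the public cloud."""
    findings = []
    if not res.get("encrypted_at_rest"):
        findings.append(_finding(res, "high", "data at rest is not encrypted"))
    elif res.get("classification") == "sensitive" and res.get("key_type") != "customer-managed":
        findings.append(_finding(res, "medium",
                                 "sensitive data relies on a provider-default key; "
                                 "use a customer-managed key"))
    if res.get("location") == "public" and not res.get("tls_required"):
        findings.append(_finding(res, "high",
                                 "transport encryption is not enforced for data "
                                 "moving to or from the public cloud"))
    return findings


def check_identity(res: Resource) -> List[Finding]:
    """Access control and endpoint: MFA on every account, federation through SSO
    so access is centrally monitored, and admin sessions only from managed devices."""
    findings = []
    is_admin = res.get("role") == "admin"
    if not res.get("mfa_enabled"):
        findings.append(_finding(res, "high" if is_admin else "medium", "MFA is not enabled"))
    if not res.get("federated_sso"):
        findings.append(_finding(res, "medium",
                                 "account is not federated through SSO, so its logins "
                                 "bypass central access monitoring"))
    if is_admin and not res.get("managed_endpoint_only"):
        findings.append(_finding(res, "high",
                                 "admin access is permitted from unmanaged endpoints; "
                                 "a compromised PC would hold the keys to the kingdom"))
    return findings


CHECKS: Dict[str, Callable[[Resource], List[Finding]]] = {
    "object_store": check_encryption,
    "block_volume": check_encryption,
    "identity": check_identity,
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def audit(inventory: List[Resource]) -> List[Finding]:
    """Run every applicable check; unknown resource kinds are reported, not ignored,
    because an unaudited resource is itself a visibility gap."""
    findings: List[Finding] = []
    for res in inventory:
        check = CHECKS.get(res.get("kind", ""))
        if check is None:
            findings.append(_finding(res, "low", f"no policy covers resource kind {res.get('kind')!r}"))
            continue
        findings.extend(check(res))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["resource"]))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"[{f['severity']:<6}] {f['resource']}: {f['message']}")
    print(summarize(results))
```

Running the audit on the constructed inventory flags the unencrypted public bucket, the sensitive volume that still uses a provider-default key, and the console administrator who has neither MFA, SSO federation nor a managed-endpoint restriction; the federated contractor account and the customer-keyed archive pass cleanly. The same structure scales to real inventories by swapping the constructed list for provider data and adding checks per resource kind.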

The Cloud Security Alliance has an extensive library of resources that cover practices for hybrid cloud security. Organizations should familiarize themselves with these guidelines before beginning the migration process. Building security into hybrid infrastructure from the beginning minimizes the pain and delay of backfilling later.

The post Moving to the Hybrid Cloud? Make Sure It’s Secure by Design appeared first on Security Intelligence.

Author: Kaja Narum