Skip to content

Posts from the ‘Zero Trust Security’ Category

How To Build A Business Case For Endpoint Security

How To Build a Business Case for Endpoint Security

Bottom Line:  Endpoint security business cases do much more than just quantify costs and benefits; they uncover gaps in endpoint and cyber protection that need urgent attention to avert a breach.

Bad actors and hackers prefer to attack threat surfaces that are isolated, vulnerable with out-of-date security patches, yet integrated into a corporate network to provide access. For these reasons and more, endpoints are now the popular choice for hacking attempts. Ponemon Institute’s Third Annual Study on the State of Endpoint Security Risk published in January of this year found that 68% of organizations were victims of successful endpoint attacks in 2019 that compromised data assets and IT infrastructure. Since 2017, successful endpoint attacks have spiked by 26 percent. The Ponemon study also found that it takes the typical organization 97 days to test and deploy patches to each endpoint. When the average endpoint is three months behind on updates, it’s understandable why breaches are increasing. In 2019 the average endpoint breach inflicted $8.94M in losses. The following graphic compares the escalating number of breaches and economic losses for the last three years:

How To Build A Business Case For Endpoint Security

Exploring Endpoint Security’s Many Benefits

Think of building a business case for endpoint security as the checkup every company needs to examine and identify and every threat surface that can be improved. Just as all efforts to preserve every person’s health is priceless today, organizations can’t let their guard down when it comes to keeping endpoint security strong.

The economic fallout of COVID-19 is hitting IT budgets hard. That’s why now is the time to build a business case for endpoint security. CIOs and CISOs have to make budget cuts due to revenue shortfalls. One area no one wants to compromise on, however, is allowing endpoint agents to degrade over time. Absolute Software’s  Endpoint Security Trends Report found that the more complex and layered the endpoint protection, the greater the risk of a breach. Overloading every endpoint with multiple agents is counterproductive and leaves endpoints less secure than if fewer agents were installed.  Additionally, Absolute just launched a Remote Work and Distance Learning Insights Center, providing insights into the impact of COVID-19 on IT and security controls. An example of the dashboard shown below:

How To Build A Business Case For Endpoint Security

 

Business Case Benefits Need To Apply To  IT and Operations

Absolute and Ponemon’s studies suggest that autonomous endpoints are the future of endpoint security. Activating security at the endpoint and having an undeletable tether to every device solves many of the challenges every business’s IT and Operations teams face. And with the urgency to make IT and Operations as virtual as possible with budgets impacted by COVID-19’s economic fallout, team leaders in each area are focusing on the following shared challenges. COVID-19’s quarantine requirements make hybrid workforces instantly appear and make the budgets needed to support them vanish at the same time.  The following are the shared benefits for IT and Operations that need to anchor any endpoint security business case:

  • The most urgent need is for greater IT Help Desk efficiency. While this is primarily an IT metric, the lack of real-time availability of resources is slowing down remote Operations teams from getting their work done.
  • Both IT and Operations share asset utilization, loss reduction, and lifecycle optimization ownership in many organizations today. Having a persistent, undeletable tether to every device at the hardware level is proving to be an effective approach IT, and Operations teams are relying on to track and improve these metrics. The Absolute and Ponemon studies suggest that the more resilient the endpoint, the better the asset efficiency and lifecycle optimization. Autonomous endpoints can self-heal and regenerate themselves, further improving shared metric performance for IT and Operations.
  • The more autonomous endpoints an organization has, the quicker Operations and IT can work together to pivot into new business models that require virtual operations. Education, Healthcare, Financial Services, Government, and Professional Services are all moving to hybrid remote workplaces and virtual operations as fast as they can. Using the business case for endpoint security as a roadmap to see where threat surfaces need to be improved for new growth is key.

Endpoint Security Benefits 

The following are the benefits that need to be included in creating a business case for endpoint security:

  • Reduce and eventually eliminate IT Help Desk backlogs by keeping endpoints up-to-date. Reducing the call volume on IT Help Desks can potentially save over $45K a year, assuming a typical call takes 10 minutes and the cumulative time savings in 1,260 hours saved by the IT help desk annually.
  • Reduce Security Operations staff interruptions and emergency security projects that require IT’s time to run analytics reports and analyses. Solving complex endpoint security problems burns thousands of dollars and hours over a year between Security, IT, and Operations. Having a persistent, unbreakable connection to every endpoint provides the device visibility teams need to troubleshoot problems. Assuming the 2,520 hours IT Security teams alone spend on emergency endpoint security problems could be reduced, organizations could save approximately $130K a year. 
  • Autonomous endpoints with an undeletable tether improve compliance, control, and visibility and is a must-have in the new hybrid remote workplace. For endpoint security to scale across every threat surface, having an undeletable tether to every device is a must-have for scalable remote work and hybrid remote work programs in the enterprise. They also contribute to lowering compliance costs and improve every aspect of asset management from keeping applications current to ensuring autonomous endpoints can continue to self-heal.
  • Reducing IT asset loss, knowing asset utilization, and system-level software installed by every device can save a typical organization over $300K a year. Autonomous endpoints that can heal themselves and provide a constant hardware connection deliver the data in real-time to have accurate IT asset management and security data teams need to keep software configurations up to date. It’s invaluable for IT teams to have this level of data, as it averts having endpoint patches conflict with one another and leave an endpoint vulnerable to breach.
  • Accurate asset lifecycle planning based on solid data from every device becomes possible. Having autonomous endpoints based on a hardware connection delivers the data needed to increase the accuracy of asset life cycle planning and resource allocation, giving IT and Operations the visibility they need to the device level. IT and Operations teams look to see how they can extend the lifecycle of every device in the field. Cost savings vary by the number of devices in the field and their specific software configurations. The time savings alone is approximately $140K per year in a mid-size financial services firm.
  • The more autonomous and connected an endpoint is, the more automated audit and compliance reporting can become. A key part of staying in compliance is automating the audit process to save valuable time. The Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS) all require ongoing audits. The time and cost savings of automating audits by organizations vary significantly. It’s a reasonable assumption to budget at least a $67K savings per year in audit preparation costs alone.

Evaluating Endpoint Security Costs

The following are the endpoint security costs that need to be included in the business case:

  • Annual, often multi-year endpoint security licensing costs. Endpoint security providers vary significantly in their pricing models, costs, and fees. Autonomous endpoint security platforms can range in licensing costs from $750K to over $1,2M, depending on the size of the organization and the number of devices.
  • Change management, implementation, and integration costs increase with the complexity of IT security, Operations, and IT Service Management (ITSM) integration. Expect to see an average price of between $40K to over $100K to integrate endpoint security platforms with existing ITSM and security information and event management (SIEM) systems.

Creating A Compelling Business Case For Endpoint Security

The best endpoint security business cases provide a 360-degree view of costs, benefits, and why taking action now is needed.

Knowing the initial software and services costs to acquire and integrate endpoint security across your organization, training and change management costs, and ongoing support costs are essential. Many include the following equation in their business cases to provide an ROI estimate. The Return on Investment (ROI) for endpoint security initiative is calculated as follows:

ROI on Endpoint Security (ES) = (ES Initiative Benefits – ES Initiative Costs)/ES Initiative Costs x 100.

A financial services company recently calculated their annual benefits of ES initiative will be $475,000, and the costs, $65,000, will yield a net return of $6.30 for every $1 invested.

Additional factors to keep in mind when building a business case for endpoint security:

  • The penalties for non-compliance to industry-specific laws can be quite steep, with repeated offenses leading to $1M or more in fines and long-term loss of customer trust and revenue. Building a business case for endpoint security needs to factor in the potential non-compliance fees, and penalties companies face for not having autonomous endpoint security. The Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), California Consumer Privacy Act (CCPA), and other laws require audit reporting based on accurate endpoint security data.
  • Endpoint Security ROI estimates fluctuate, and it’s best to get started with a pilot to capture live data with budgets available at the end of a quarter. Typically organizations will allocate the remaining amounts of IT security budgets at the end of a quarter to endpoint security initiatives.
  • Succinctly define the benefits and costs and gain C-level support to streamline the funding process. It’s often the CISOs who are the most driven to achieve greater endpoint security the quickest they can. Today with every business having their entire workforces virtual, there’s added urgency to get endpoint security accomplished.
  • Define and measure endpoint security initiatives’ progress using a digitally-enabled dashboard that can be shared across any device, anytime. Enabling everyone supporting and involved in endpoint security initiatives needs to know what success looks like. Having a digitally-enabled dashboard that clearly shows each goal or objective and the company’s progress toward them is critical to success.

Conclusion

The hard economic reset COVID-19 created has put many IT budgets into freefall at a time when CIOs and CISOs need more funding to protect proliferating hybrid remote workforces. Endpoint security business cases need to factor in how they can create an undeletable resilient defense for every device across their global fleets. And just as every nation on the planet isn’t letting its guard down against the COVID-19 virus, every IT and cybersecurity team can’t let theirs down either when it comes to protecting every endpoint.

Autonomous endpoints that can self-heal and regenerate operating systems and configurations are the future of endpoint security management. The race to be an entirely virtual enterprise is on, and the most autonomous endpoints can be, the more cost-effective and valuable they are. The best business cases bridge the gap between IT and Operations needs. CIOs need endpoint security solutions to be low-cost, low maintenance, reliable yet agile. Operations want an endpoint solution that has a low cost of support, minimal if any impact of IT Service Help Desks, and always-on monitoring. Building a business case for endpoint security gives IT and Operations the insights they need to protect the constantly changing parameters of their businesses.

 

Five Interesting Takeaways From RSA Conference 2020

Five Interesting Takeaways From RSA Conference 2020

 

Bottom Line: Passwordless authentication, endpoint security, cloud-native SIEM platforms, and new API-based data security technologies were the most interesting tech developments, while keynotes focusing on election security, industrial control systems’ vulnerabilities and the persistent threat of state-sponsored ransomware dominated panel discussion.

This year’s RSA Conference was held February 24th to 28th in San Francisco’s Moscone Center, attracting more than 36,000 attendees, 704 speakers, and 658 exhibitors unified by the theme of the Human Element in cybersecurity. The conference’s agenda is here, with many session recordings and presentation slides available for download. Before the conference, RSA published the RSAC 2020 Trend Report (PDF, 13 pp., no opt-in). RSA received 2,400 responses to their Call for Speakers and based their report on an analysis of all submissions. The ten trends in the RSAC 2020 Trend Report are based on an analysis of all papers submitted to the conference. It’s a quick read that provides a synopsis of the main themes of the excellent sessions presented at RSAC 2020.

The following are the five most interesting takeaways from the 2020 RSA Conference:

  • Endpoint security products dominated the show floor, with over 120 vendors promoting their unique solutions. There were over 50 presentations and panels on the many forms of endpoint security as well. Instead of competing for show attendees’ attention on the show floor, Absolute Software took the unique approach of completing a survey during RASC 2020. Absolute’s team was able to interview 100 respondents, with most holding the position of a manager/supervisor or C-level executive. More than three in four respondents reported their organizations are using endpoint security tools, multi-factor authentication, and employee training and education to protect data, devices, and users. You can review their survey results here.
  • The number of vendors claiming to have Zero Trust solutions grew 50% this year, from 60 in 2019 to 91 in 2020. There continues to be a lot of hype surrounding Zero Trust, with vendors having mixed results with their product and messaging strategies in this area. A good benchmark to use for evaluating vendors in the Zero Trust market is the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019, written by Chase Cunningham and published on October 29, 2019. I’ve summarized the lessons learned in the post, What’s New on the Zero Trust Security Landscape In 2019.
  • Over 30 vendors claimed to have passwordless authentication that met the current FIDO2 standard. In keeping with the theme of this year’s RSA Conference of Human Element, vendors offering passwordless authentication were out in force. Centrify, Entrust Datacard, HID Global, Idaptive, ImageWare, MobileIron, Thales, and many others promoted their unique approaches to passwordless authentication, leveraging the FIDO2 standard. FIDO2 is the latest set of specifications from the FIDO Alliance, an industry standards organization that provides interoperability testing and certification for servers, clients, and authenticators that meet FIDO2 specifications. I’ve written a separate post just on this topic, and you can find it here, Why Your Biometrics Are Your Best Password. 
  • Cloud-based security information and event management (SIEM) systems capable of integrating with 3rd party public cloud platforms reflect the maturity nature of this market. Of the several vendors claiming to have cloud-based SIEM, Microsoft’s Azure Sentinel’s demo showed in real-time how fusion AI technology can parse large volumes of low fidelity signals into a few important incidents for SecOps teams to focus on. Microsoft said that in December 2019 alone, Azure Sentinel evaluated nearly 50 billion suspicious signals, isolating them down to just 25 high-confidence incidents for SecOps teams to investigate. The following graphic explains how Azure Sentinel Fusion works.
  • One of the most interesting startups at RSA was Nullafi, who specializes in a novel API-based data security technology that combines data aliasing, vaulting, encryption, and monitoring to create an advanced data protection platform that makes hacked data useless to hackers. What makes Nullafi noteworthy is how they’ve been able to build a data architecture that protects legacy and new infrastructures while making the original data impossible for a hacker to reverse engineer and gain access to. It desensitizes critical data so that it’s useless to hackers but still useful for an organization to keep operating, uninterrupted by a breach to your business. Nullafi is built to AWS GovCloud standards. The Nullafi SDK encrypts the data before sending it to the Nullafi API. It then re-encrypts the data within their zero-knowledge vault in the cloud (or on-premises). The result is that no sensitive data in any format is shared with Nullafi that could be used or lost, as their architecture doesn’t have visibility into what the actual data looks like. The following graphic explains their architecture:

 

10 Ways To Own Your Cybersecurity In 2020

10 Ways To Own Your Cybersecurity In 2020

Bottom Line: One of the best New Year’s resolutions anyone can make is to learn new ways to secure their personal and professional lives online, starting with ten proven ways they can take greater control over their own cybersecurity.

For many professionals, their personal and professional lives have blended together thanks to the growing number of connected, IoT-capable devices, including cars, home security systems, smartphones, virtual assistants including Amazon Echo, Google Home, WiFi routers, and more. It’s typical to find homes with two dozen or more connected devices that are relied for everything going on in a person’s life from personal interests, connecting with friends, and getting work done.

It’s Time to Secure Every Area of Your Smart, Connected World

Faced with chronic time shortages, many people rely on smart, connected devices supported by AI and machine learning to get more done in less time. They’re proliferating today because they’ve proven to be very effective at personalizing experiences while providing the added convenience of being always on and available to help. Smart, connected devices are an extension of a person’s identity today as they contain insights into buying behavior and, in some cases, actual conversations. The more these devices are protected, the more a person’s identity and most valuable resource of all – time – is protected too.

Strengthening your own cybersecurity starts by seeing every device and the apps you use as potential attack surfaces that need to be protected. Just as you wouldn’t likely leave any of the physical doors to your home unprotected and locked, you need to secure all the digital entrances to your home and person. Like the CEO and cybersecurity team of any organization who is focusing on how to reduce the risk of a breach, the same level of intensity and vigilance to personal cybersecurity needs to become the new normal.

10 Ways You Can Own Your Cybersecurity

The following are the top ten ways you can take control and own your own security. Several of the ways mentioned below are from the recent Centrify webinar, Cybersecurity Best Practices: The Basics and Beyond:

  • Replace weak passwords used on multiple accounts with a unique, longer password for each online account. Start by getting away from having the same password for multiple accounts. When a single account gets hacked, it can easily lead to all the others with the same password and comparable user ID. Passwords are proving to be the weakest attack vector there is for personal information today. World Password Day serves as a reminder every May to use stronger, different passwords on each account.
  • Start researching and choose a Password Manager that is flexible enough to match how you like to work. It’s time to get beyond Post-It notes and paper-based approaches to managing your own passwords now. Dashlane, LastPass, and OneLogin are all excellent password managers worth checking out. If you’re not sure password managers are worth it, I’ve seen them add an additional layer of security to personal and work accounts that would not have otherwise been available. Some will even notify you when an account you have might have been breached, and recommend a new password for you. A screen capture from the webinar illustrates the differences between personal, professional and Privileged Access Management (PAM) levels of password security:

10 Ways To Own Your Cybersecurity In 2020

  • Use single-sign-on (SSO) if available for systems at work, even if you’re logging in at the office. SSO systems use temporary tokens, which have proven to be more reliable than static credentials. One of the primary design goals of SSO is to authenticate your identity once, and give you access to the applications and system resources you need and are entitled to access to get work done.
  • Vault away passwords to critical systems and data. In the privileged access world of Cybersecurity operations in any organization, password vaults have become commonplace. Password vaults are similar to password managers many people use for their personal devices, web applications, and sites they regularly visit. In the case of a password vault, privileged credentials are checked in and out by admins, with each password automatically rotating to ensure greater randomization.
  • Enable security on all the devices you received over the holidays, starting with your WiFi router. If you’ve never set an admin password on your WiFi router and the two guest access points they typically have, now is a great time to do that. If you have an Amazon Echo or Google Home, manually disable the microphones. On the Echo, press the microphone button until the external ring turns red. On Google Home, use the small switch on the side to turn off the microphone..On an Amazon Alexa, it’s possible to review voice recordings associated with your account and delete the voice recordings one by one, by date range, by Alexa-enabled device, or all at once by visiting Settings > Alexa Privacy in the Alexa app or https://www.amazon.com/alexaprivacysettings. It’s a good idea to use PIN protection to disable voice purchases too. If you have Baby Monitors in your home, connect to them using a secured WiFi connection, not Bluetooth. Have everything behind your home firewall, so there’s a minimal number of threat surfaces in your home.
  • Take few of the many LinkedIn learning courses on practical cybersecurity to stay current on the latest techniques. LinkedIn Learning has 19 courses available today that are focused on practical cybersecurity steps you can take to protect your company’s systems and your own. You can find all the 19 courses here. LinkedIn Learning has 462 learning resources available today, available here. I’ve taken a few over a lunch break and have found them informative, interesting, and useful.
  •  Realize that you may be getting phishing and spear-phishing e-mails every week. Cybercriminals are becoming increasingly sophisticated in their use of browser plug-ins to pop up messages asking for your login and password information for sites. Combining the latest information from LinkedIn, Facebook, Twitter, and other sites, hackers often target new employees and with spearfishing campaigns where they impersonate a CEO and other senior-level executives. Spearfishing attempts can be easily thwarted by calling the supposed sender to ask if the request is legitimate. A second way to spot phishing and spear-fishing attempts is they will ask you for one or more of the pieces of information needed for completing a Multi-Factor Authentication (MFA) login to an account. Misspelled words, questionable e-mail addresses, and unsecured domains and websites are also a sure tip-off of a phishing attempt.
  • Bring Your Own Device (BYOD) greatly expands the enterprise attack surface. Define the success of a BYOD security strategy by how well it immediately shuts down access to confidential data and systems first. Being able to immediately block access to confidential systems and data is the most important aspect of securing any BYOD across a network. It’s common for BYOD enablement strategies to include integrations to Dropbox, Slack, Salesforce and Workday, Slack, Salesforce, and others.
  • Always use Multi-Factor Authentication (MFA) everywhere it’s offered. MFA is based on three or more factors that can authenticate who you are. Something you know (passwords, PINs, code works), something you have (a smartphone, tokens devices that produce pins or pre-defined pins) or something you are (biometrics, facial recognition, fingerprints, iris, and face scans). Google, for example, provides MFA as part of their account management to every account holder, in addition to a thorough security check-up, which is useful for seeing how many times a given password has been reused.

10 Ways To Own Your Cybersecurity In 2020

  • Determine where you and your company are from a privileged access maturity standpoint. Centrify shared the four stages of privileged access security on the webinar, and each phase is a useful benchmark for anyone or organization looking to improve their cybersecurity effectiveness. Centrify found in a recent survey that 42% of organizations are at the nonexistent phase of the model. As an organization progresses up the model, there’s greater accountability and visibility for each aspect of a cybersecurity strategy. For individuals, the progression is much the same, all leading to a lower risk of a breach and stolen privileged access credentials occurring.

10 Ways To Own Your Cybersecurity In 2020

Conclusion

While not every user in an organization is going to have privileged entitlements, it is up to every individual to take ownership of their cybersecurity hygiene to ensure they don’t become the most-easily-exploited employee in the company. That’s what the bad guys are looking for: the easiest way in. Why try to hack in against sophisticated technology when they can just guess your easy password, or get you to hand it over to them by phishing? Be cyber smart in 2020 – these ten tips might save you from being the weakest link that could cost your organization millions.

10 Predictions How AI Will Improve Cybersecurity In 2020

10 Predictions How AI Will Improve Cybersecurity In 2020

Capgemini predicts 63% of organizations are planning to deploy AI in 2020 to improve cybersecurity, with the most popular application being network security.

Cybersecurity is at an inflection point entering 2020. Advances in AI and machine learning are accelerating its technological progress. Real-time data and analytics are making it possible to build stronger business cases, driving higher adoption. Cybersecurity spending has rarely been linked to increasing revenues or reducing costs, but that’s about to change in 2020.

What Leading Cybersecurity Experts Are Predicting For 2020

Interested in what the leading cybersecurity experts are thinking will happen in 2020, I contacted five of them. Experts I spoke with include Nicko van Someren, Ph.D. and Chief Technology Officer at Absolute Software; Dr. Torsten George, Cybersecurity Evangelist at Centrify; Craig Sanderson, Vice President of Security Products at Infoblox; Josh Johnston, Director of AI, Kount; and Brian Foster, Senior Vice President Product Management at MobileIron. Each of them brings a knowledgeable, insightful, and unique perspective to how AI and machine learning will improve cybersecurity in 2020. The following are their ten predictions:

  1. AI and machine learning will continue to enable asset management improvements that also deliver exponential gains in IT security by providing greater endpoint resiliency in 2020. Nicko van Someren, Ph.D. and Chief Technology Officer at Absolute Software, observes that “Keeping machines up to date is an IT management job, but it’s a security outcome. Knowing what devices should be on my network is an IT management problem, but it has a security outcome. And knowing what’s going on and what processes are running and what’s consuming network bandwidth is an IT management problem, but it’s a security outcome. I don’t see these as distinct activities so much as seeing them as multiple facets of the same problem space, accelerating in 2020 as more enterprises choose greater resiliency to secure endpoints.”
  2. AI tools will continue to improve at drawing on data sets of wildly different types, allowing the “bigger picture” to be put together from, say, static configuration data, historic local logs, global threat landscapes, and contemporaneous event streams.  Nicko van Someren, Ph.D., and CTO at Absolute Software also predict that“Enterprise executives will be concentrating their budgets and time on detecting cyber threats using AI above predicting and responding. As enterprises mature in their use and adoption of AI as part of their cybersecurity efforts, prediction and response will correspondingly increase.”
  3. Threat actors will increase the use of AI to analyze defense mechanisms and simulate behavioral patterns to bypass security controls, leveraging analytics to and machine learning to hack into organizations. Dr. Torsten George, Cybersecurity Evangelist at Centrify, predicts that “threat actors, many of them state-sponsored, will increase their use and sophistication of AI algorithms to analyze organizations’’ defense mechanisms and tailor attacks to specific weak areas. He also sees the threat of bad actors being able to plug into the data streams of organizations and use the data to further orchestrate sophisticated attacks.”
  4. Given the severe shortage of experienced security operations resources and the sheer volume of data that most organizations are trying to work through, we are likely to see organizations seeking out AI/ML capabilities to automate their security operations processes. Craig Sanderson, Vice President of Security Products at Infoblox also predicts that “while AI and machine learning will increasingly be used to detect new threats it still leaves organizations with the task of understanding the scope, severity, and veracity of that threat to inform an effective response. As security operations becomes a big data problem it necessitates big data solutions.”
  5. There’s going to be a greater need for adversarial machine learning to combat supply chain corruption in 2020. Sean Tierney, Director of Threat Intelligence at Infoblox, predicts that “the need for adversarial machine learning to combat supply chain corruption is going to increase in 2020. Sean predicts that the big problem with remote coworking spaces is determining who has access to what data. As a result, AI will become more prevalent in traditional business processes and be used to identify if a supply chain has been corrupted.”
  6. Artificial intelligence will become more prevalent in account takeover—both the proliferation and prevention of it. Josh Johnston, Director of AI at Kount, predicts that “the average consumer will realize that passwords are not providing enough account protection and that every account they have is vulnerable. Captcha won’t be reliable either, because while it can tell if someone is a bot, it can’t confirm that the person attempting to log in is the account holder. AI can recognize a returning user. AI will be key in protecting the entire customer journey, from account creation to account takeover, to a payment transaction. And, AI will allow businesses to establish a relationship with their account holders that are protected by more than just a password.”
  7. Consumers will take greater control of their data sharing and privacy in 2020. Brian Foster, Senior Vice President Product Management at MobileIron, observes that over the past few years, we’ve witnessed some of the biggest privacy and data breaches. As a result of the backlash, tech giants such as Apple, Google, Facebook and Amazon beefed up their privacy controls to gain back trust from customers. Now, the tables have turned in favor of consumers and companies will have to put privacy first to stay in business. Moving forward, consumers will own their data, which means they will be able to selectively share it with third parties, but most importantly, they will get their data back after sharing, unlike in years past.
  8. As cybersecurity threats evolve, we’ll fight AI with AI. Brian Foster, Senior Vice President Product Management at MobileIron, notes that the most successful cyberattacks are executed by highly professional criminal networks that leverage AI and ML to exploit vulnerabilities such as user behavior or security gaps to gain access to valuable business systems and data. All of this makes it extremely hard for IT security organizations to keep up — much less stay ahead of these threats. While an attacker only needs to find one open door in an enterprise’s security, the enterprise must race to lock all of the doors. AI conducts this at a pace and thoroughness human ability can no longer compete with, and businesses will finally take notice in 2020.
  9. AI and machine learning will thwart compromised hardware finding its way into organizations’ supply chains. Rising demand for electronic components will expand the market for counterfeit components and cloned products, increasing the threat of compromised hardware finding its way into organizations’ supply chains. The vectors for hardware supply-chain attacks are expanding as market demand for more and cheaper chips, and components drive a booming business for hardware counterfeiters and cloners. This expansion is likely to create greater opportunities for compromise by both nation-state and cybercriminal threat actors. Source: 2020 Cybersecurity Threats Trends Outlook; Booz, Allen, Hamilton, 2019.
  10. Capgemini predicts 63% of organizations are planning to deploy AI in 2020 to improve cybersecurity, with the most popular application being network security. Capgemini found that nearly one in five organizations were using AI to improve cybersecurity before 2019. In addition to network security, data security, endpoint security, and identity and access management are the highest priority use cases for improving cybersecurity with AI in enterprises today. Source: Capgemini, Reinventing Cybersecurity with Artificial Intelligence: The new frontier in digital security.
10 Predictions How AI Will Improve Cybersecurity In 2020

Source: Capgemini, Reinventing Cybersecurity with Artificial Intelligence: The new frontier in digital security.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

  • 60% of security and IT professionals state that security is the leading challenge with cloud migrations, despite not being clear about who is responsible for securing cloud environments.
  • 71% understand that controlling privileged access to cloud service administrative accounts is a critical concern, yet only 53% cite secure access to cloud workloads as a key objective of their cloud Privileged Access Management (PAM) strategies.

These and many other fascinating insights are from the recent Centrify survey, Reducing Risk in Cloud Migrations: Controlling Privileged Access to Hybrid and Multi-Cloud Environments, downloadable here. The survey is based on a survey of over 700 respondents from the United States, Canada, and the UK from over 50 vertical markets, with technology (21%), finance (14%), education (10%), government (10%) and healthcare (9%) being the top five. For additional details on the methodology, please see page 14 of the study.

What makes this study noteworthy is how it provides a candid, honest assessment of how enterprises can make cloud migrations more secure by a better understanding of who is responsible for securing privileged access to cloud administrative accounts and workloads.

Key insights from the study include the following:

  • Improved speed of IT services delivery (65%) and lowered total cost of ownership (54%) are the two top factors driving cloud migrations today. Additional factors include greater flexibility in responding to market changes (40%), outsourcing IT functions that don’t create competitive differentiation (22%), and increased competitiveness (17%). Reducing time-to-market for new systems and applications is one of the primary catalysts driving cloud migrations today, making it imperative for every organization to build security policies and systems into their cloud initiatives.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

 

  • Security is the greatest challenge to cloud migration by a wide margin. 60% of organizations define security as the most significant challenge they face with cloud migrations today. One in three sees the cost of migration (35%) and lack of expertise (30%) being the second and third greatest impediments to cloud migration project succeeding. Organizations are facing constant financial and time constraints to achieve cloud migrations on schedule to support time-to-market initiatives. No organization can afford the lost time and expense of an attempted or successful breach impeding cloud migration progress.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

  • 71% of organizations are implementing privileged access controls to manage their cloud services. However, as the privilege becomes more task-, role-, or access-specific, there is a diminishing interest of securing these levels of privileged access as a goal, evidenced by only 53% of organizations securing access to the workloads and containers they have moved to the cloud. The following graphic reflects the results.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

 

  • An alarmingly high 60% of organizations incorrectly view the cloud provider as being responsible for securing privileged access to cloud workloads. It’s shocking how many customers of AWS and other public cloud providers are falling for the myth that cloud service providers can completely protect their customized, highly individualized cloud instances. The native Identity and Access Management (IAM) capabilities offered by AWS, Microsoft Azure, Google Cloud, and others provide enough functionality to help an organization get up and running to control access in their respective homogeneous cloud environments. Often they lack the scale to adequately address the more challenging, complex areas of IAM and Privileged Access Management (PAM) in hybrid or multi-cloud environments, however. For an expanded discussion of the Shared Responsibility Model, please see The Truth About Privileged Access Security On AWS and Other Public Clouds. The following is a graphic from the survey and Amazon Web Services’ interpretation of the Shared Responsibility Model.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

 

  • Implementing a common security model in the cloud, on-premises, and in hybrid environments is the most proven approach to making cloud migrations more secure. Migrating cloud instances securely needs to start with Multi-Factor Authentication (MFA), deploying a common privileged access security model equivalent to on-premises and cloud systems, and utilizing enterprise directory accounts for privileged access. These three initial steps set the foundation for implementing least privilege access. It’s been a major challenge for organizations to do this, particularly in cloud environments, as 68% are not eliminating local privilege accounts in favor of federated access controls and are still using root accounts outside of “break glass” scenarios. Even more concerning, 57% are not implementing least privilege access to limit lateral movement and enforce just-enough, just-in-time-access.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

  • When it comes to securing access to cloud environments, organizations don’t have to re-invent the wheel. Best practices from securing on-premises data centers and workloads can often be successful in securing privileged access in cloud and hybrid environments as well.

Conclusion

The study provides four key takeaways for anyone working to make cloud migrations more secure. First, all organizations need to understand that privileged access to cloud environments is your responsibility, not your cloud providers’. Second, adopt a modern approach to Privileged Access Management that enforces least privilege, prioritizing “just enough, just-in-time” access. Third, employ a common security model across on-premises, cloud, and hybrid environments. Fourth and most important, modernize your security approach by considering how cloud-based PAM systems can help to make cloud migrations more secure.

7 Signs It’s Time To Get Focused On Zero Trust

7 Signs It’s Time To Get Focused On Zero Trust

When an experienced hacker can gain access to a company’s accounting and financial systems in 7 minutes or less after obtaining privileged access credentials, according to Ponemon, it’s time to get focused on Zero Trust Security. 2019 is on its way to being a record year for ransomware attacks, which grew 118% in Q1 of this year alone, according to McAfee Labs Threat Report. Data breaches on healthcare providers reached an all-time high in July of this year driven by the demand for healthcare records that range in price from $250 to over $1,000 becoming best-sellers on the Dark Web. Cybercriminals are using AI, bots, machine learning, and social engineering techniques as part of sophisticated, well-orchestrated strategies to gain access to banking, financial services, healthcare systems, and many other industries’ systems today.

Enterprises Need Greater Urgency Around Zero Trust

The escalating severity of cyberattacks and their success rates are proving that traditional approaches to cybersecurity based on “trust but verify” aren’t working anymore. What’s needed is more of a Zero Trust-based approach to managing every aspect of cybersecurity. By definition, Zero Trust is predicated on a “never trust, always verify” approach to access, from inside or outside the network. Enterprises need to begin with a Zero Trust Privilege-based strategy that verifies who is requesting access, the context of the request, and the risk of the access environment.

How urgent is it for enterprises to adopt Zero Trust? A recent survey of 2,000 full-time UK workers, completed by Censuswide in collaboration with Centrify, provides seven signs it’s time for enterprises to get a greater sense of urgency regarding their Zero Trust frameworks and initiatives. The seven signs are as follows:

  1. 77% of organizations’ workers admit that they have never received any form of cybersecurity skills training from their employer. In this day and age, it’s mind-blowing that three of every four organizations aren’t providing at least basic cybersecurity training, whether they intend to adopt Zero Trust or not. It’s like freely handing out driver’s licenses to anyone who wants one so they can drive the freeways of Los Angeles or San Francisco. The greater the training, the safer the driver. Likewise, the greater the cybersecurity training, the safer the worker, company and customers they serve.
  2. 69% of employees doubt the cybersecurity processes in place in their organizations today. When the majority of employees don’t trust the security processes in place in an organization, they invent their own, often bringing their favorite security solutions into an enterprise. Shadow IT proliferates, productivity often slows down, and enterprise is more at risk of a breach than ever before. When there’s no governance or structure to managing data, cybercriminals flourish.
  3. 63% of British workers interviewed do not realize that unauthorized access to an email account without the owner’s permission is a criminal offense. It’s astounding that nearly two-thirds of the workers in an organization aren’t aware that unauthorized access to another person’s email account without their permission is a crime. The UK passed into law 30 years ago the Computer Misuse Act. The law was created to protect individuals’ and organizations’ electronic data. The Act makes it a crime to access or modify data stored on a computer without authorization to do so. The penalties are steep for anyone found guilty of gaining access to a computer without permission, starting with up to two years in prison and a £5,000 fine. It’s alarming how high the lack of awareness is of this law, and an urgent call to action to prioritize organization-wide cybersecurity training.
  4. 27% of workers use the same password for multiple accounts. The Consensus survey finds that workers are using identical passwords for their work systems, social media accounts, and both personal and professional e-mail accounts. Cybersecurity training can help reduce this practice, but Zero Trust is badly needed to protect privileged access credentials that may have identical passwords to someone’s Facebook account, for example.
  5. 14% of employees admitted to keeping their passwords recorded in an unsecured handwritten notebook or on their desk in the office.  Organizations need to make it as difficult as possible for bad actors and cybercriminals to gain access to passwords instead of sharing them in handwritten notebooks and on Post-It notes. Any organization with this problem needs to immediately adopt Multi-Factor Authentication (MFA) as an additional security measure to ensure compromised passwords don’t lead to unauthorized access. For privileged accounts, use a password vault, which can make handwritten password notes (and shared passwords altogether) obsolete.
  6. 14% do not use multi-factor authentication for apps or services unless forced to do so. Centrify also found that 58% of organizations do not use Multi-Factor Authentication (MFA) for privileged administrative access to servers, leaving their IT systems and infrastructure unsecured. Not securing privileged access credentials with MFA or, at the very least, vaulting them is like handing the keys to the kingdom to cybercriminals going after privileged account access. Securing privileged credentials needs to begin with a Zero Trust-based approach that verifies who is requesting access, the context of the request, and the risk of the access environment.
  7. 1 out of every 25 employees hacks into a colleague’s email account without permission. In the UK, this would be considered a violation of the Computer Misuse Act, which has some unfortunate outcomes for those found guilty of violating it. The Censuswide survey also found that one in 20 workers have logged into friend’s Facebook accounts without permission. If you work in an organization of over 1,000 people, for example, 40 people in your company have most likely hacked into a colleague’s email account, opening up your entire company to legal liability.

Conclusion

Leaving cybersecurity to chance and hoping employees will do the right thing isn’t a strategy; it’s an open invitation to get hacked. The Censuswide survey and many others like it reflect a fundamental truth that cybersecurity needs to become part of the muscle memory of any organization to be effective. As traditional IT network perimeters dissolve, enterprises need to replace “trust but verify” with a Zero Trust-based framework. Zero Trust Privilege mandates a “never trust, always verify, enforce least privilege” approach to privileged access, from inside or outside the network. Leaders in this area include Centrify, who combines password vaulting with brokering of identities, multi-factor authentication enforcement, and “just enough” privilege, all while securing remote access and monitoring of all privileged sessions.

What’s New On The Zero Trust Security Landscape In 2019

What’s New On The Zero Trust Security Landscape In 2019

  • Forrester added in Checkpoint, Forescout, Google, illumio, MobileIron, Proofpoint, Symantec, and Unisys in their latest Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers this year.
  • Forrester’s 2019 scorecard increased the weight on network security, automation and orchestration, and portfolio growth rate compared to last year, adding in Zero Trust eXtended (ZTX) ecosystem advocacy to the scorecard for the first time.
  • Microsoft and VMWare are no longer included in the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers this year.

These and many other interesting insights are from what’s new in the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019, written by Chase Cunningham and published on October 29, 2019. Chase is a leading authority on Zero Trust Security, and I was fortunate to have the opportunity to interview him earlier this year. You can read the interview here,10 Questions With Chase Cunningham On Cybersecurity. Forrester included 14 vendors in this assessment: Akamai Technologies, Check Point, Cisco, Cyxtera Technologies, Forcepoint, Forescout, Google, illumio, MobileIron, Okta, Palo Alto Networks, Proofpoint, Symantec, and Unisys. The following is the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 graphic from the free reprint offered by MobileIron here.

Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019

 

Summary of What’s New In Forrester’s Zero Trust Wave This Year

The latest Forrester Wave adds in and places high importance on Zero Trust eXtended (ZTX) ecosystem advocacy, allocating 25% of the weight associated with the Strategy section on the scorecard. Forrester sees Zero Trust as a journey, with vendors who provide the greatest assistance and breadth of benefits on a unified platform being the most valuable. The Wave makes it clear that Zero Trust doesn’t refer to a specific technology but rather the orchestration of several technologies to enable and strengthen their Zero Trust framework. Key insights from what’s new this year in the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 include the following:

  • Platforms are powering the Zero Trust landscape and delivering the greatest value to organizations on their Zero Trust journey. Forrester notes that organizations are getting the greatest benefits from choosing a single vendor who can deliver integrated, real-world capabilities instead of marketing hype.
  • Ease of use and excellent usability need to be the new normal when it comes to Zero Trust Solutions. Forrester sees a widening gap between Zero Trust solutions that take administrator and end-user experience into account and deliver the critical capabilities that make ZTX frameworks successful and those that don’t. It’s common knowledge of how challenging Zero Trust solutions and platforms are to deploy. Raising the issue of improving usability will help expand the total available market for Zero Trust solutions and increase the effectiveness of every platform installed.
  • A much stronger focus on Application Programmer Interfaces (APIs) and integration. This year’s Wave places much greater emphasis on APIs and the need to integrate every application and Web Service across a Zero Trust platform. The greater the integration expertise of any Zero Trust vendor, the faster an organization adopting their systems and platforms will attain secured stability across every threat surface.
  • Forrester advises Zero Trust vendors to concentrate on four key aspects of their strategy if they’re going to deliver overwhelming value to organizations they’re selling to. These four key aspects include actively advocating for Zero Trust as evidenced by driving product strategies that prioritize needed capabilities; supporting micro-segmentation; enforcing policy everywhere by first enabling extensive, proven integrations using well-documented and tested APIs that make it possible to enable policy definition and enforcement across enterprises; and provide identity beyond identity and access management (IAM).
  • Cyxtera Technologies, MobileIron, and Proofpoint are new to the Zero Trust World, each bringing valuable contributions to enterprises on their Zero Trust journey. Of the three, MobileIron is the most noteworthy as their approach to Zero Trust begins with the device and scales across mobile infrastructures. Forrester observes that “MobileIron’s recently released authenticator, which enables passwordless authentication to cloud services, is a must for future-state Zero Trust enterprises and speaks to its innovation in this space.” MobileIron’s product suite also includes a federated policy engine that enables administrators to control and better command the myriad of devices and endpoints that enterprises rely on today. Forrester sees all three vendors as having excellent integration at the platform level, a key determinant of how effective they will be in providing support to enterprises pursuing Zero Trust Security strategies in the future.

Conclusion

The latest Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019, reflects the growing maturity of the Zero Trust eXtended (ZTX) Ecosystem. Adding in Zero Trust eXtended (ZTX) ecosystem advocacy and weighing it at 25% reflects how serious Forrester is about evaluating vendors on solid, real product features over marketing claims. The increased focus on platforms, APIs and integration also reflect the growing maturity of enterprises adopting Zero Trust frameworks today.

Financial Services Rely On BYOD – How Do They Stay Secure?

Financial Services Rely On BYOD – How Do They Stay Secure?

Bottom Line: 2020 is going to be the year companies launch more digital business initiatives that depend on BYOD than ever before, making Zero Trust Security a key contributor to their success.

Financial Services firms are at an inflection point going into 2020. Mobile-first products and services now dominate their product roadmaps for next year, with applications’ speed and security being paramount. In fintech, DevOps teams have been working with AngularJS for years now, and the scale and speed of their applications reflect their expertise. How well existing IT infrastructure flexes to support the new mobile-first product and services strategies depends on how quickly members of IT, customer service, and customer success teams can respond. BYOD is proving invaluable in achieving the speed of response these new digital business models require.

In 2020 more employees of Financial Services firms will rely on their mobile devices as their primary form of digital ID than has ever been the case before. A recent survey conducted by IDG in association with MobileIron found that 89% of security leaders believe mobile devices will be the primary digital ID employees use to gain access to resources and get work done. The CIOs I’ve spoken agree. A copy of the IDG and MobileIron study, Say Goodbye to Passwords, can be downloaded here.

Counting On BYOD To Deliver Responsiveness And Speed

CIO and IT bonuses are often indexed to the revenue contributions their new products and services deliver, making speed, scale, security, and responsiveness the most important features of all. Fintech CIOs are saying that BYOD is proving indispensable in scaling IT in support of new digital business initiatives as a result. By 2022, 75% of smartphones used in the enterprise will bring your own device (BYOD), up from 35% in 2018, forcing a migration from device-centric management to app- and data-centric management, according to Gartner’s Competitive Landscape: Managed Mobility Services.

Two factors continue to propel BYOD adoption in financial services, fueling the need for Zero Trust Security across every mobile device. The first is the need for real-time responsiveness from internal team members and the second is having every threat surface protected without degrading the time to respond to customers. Every CIO, IT and Product Management leader I’ve spoken with mention the race they are in to deliver mobile-first products and services early in 2020 that redefine their business.  With every identity being a new security perimeter, Financial Services firms are relying on Unified Endpoint Management (UEM), multi-factor authentication (MFA), and additional zero trust-enabling technologies as an integral part of their Enterprise Mobility Management (EMM) strategy. Their goal is to create a Zero Trust Security framework that protects every mobile device endpoint. Leaders in this field include MobileIron, who also provides zero sign-on (ZSO), and mobile threat defense (MTD) in addition to UEM and EMM solutions today.  The following are the key features every BYOD program needs to offer to stay secure, scale and succeed in 2020:

  •  Separation of business and personal data is a must-have in any BYOD security strategy. FinTechs who have the greatest success with BYOD as part of their digital initiatives are relying on Enterprise Mobility Management (EMM) to selectively wipe only the business data from a device in the event it is compromised.
  • An interactive, intuitive user experience that can be quickly customized at scale by role, department, and workflow requirements without impacting user productivity. Too often BYOD users have had to trade off having stronger security on their own devices versus using a company-provided smartphone to get remote work done. The best EMM and UEM solutions in the market today enable Zero Trust by treating every identity as a new security perimeter.
  • Define the success of a BYOD security strategy by how well it immediately shuts down access to confidential data and systems first. Being able to immediately block access to confidential systems and data is the most important aspect of securing any BYOD across a network.
  • Limit access to internal system resources based on the employee’s department, role, and function to eliminate the risk of confidential data ending up in a personal app. EMM solutions have progressed quickly, especially on the dimension of providing Zero Trust Security across BYOD networks. Look for an EMM solution that gives the administrator the flexibility of limiting mobile device access to a specific series of services and access points based on an employees’ role in a specific department and the scope of data they need access to.
  • Proven multi-operating system expertise and support for legacy internally created mobile applications and services. One of the main reasons BYOD is succeeding today as an enablement strategy is the freedom it gives users to select the device they prefer to work with. Supporting Android and IOS is a given. Look for advanced EMM and UEM solutions that also support legacy mobility applications. The best BYOD security solutions deliver device and application compatibility with no degradation in security or performance.

Conclusion – Why BYOD Strategies Need Zero Trust Now

Trust-but-verify isn’t working today. Attackers are capitalizing on it by stealing or buying privileged access credentials, accessing any system or database they choose. Financial Services firms fully expect their new products and services launching in 2020 to face an onslaught of breach and hacking attempts. Trust-but-verify approaches that are propagated across an enterprises’ BYOD base of devices using Virtual Private Networks and demilitarized zones (DMZ) impede employee’s productivity, often force login authentication. Trust-but verify doesn’t scale well into BYOD scenarios, leaving large gaps attackers can gain access to valuable internal data and systems. For BYOD users, trust-but-verify reduces productivity, delivers poor user experiences, and for new business models, slower customer response times.

By going to a Zero Trust Framework, Financial Services firms will be able to treat every identity and the mobile device they are using as their new security perimeter. Basing a BYOD strategy on a Zero Trust Framework enables any organization to find the correlation between the user, device, applications, and networks in milliseconds, thwarting potential threats before granting secure access to the device. Leaders delivering Zero Trust for BYOD include MobileIron, who provides endpoint management (UEM) capabilities with enabling technologies of zero sign-on (ZSO) user and device authentication, multi-factor authentication (MFA), and mobile threat detection (MTD).

Three Reasons Why Killing Passwords Improves Your Cloud Security

Jack Dorsey’s Twitter account getting hacked by having his telephone number transferred to another account without his knowledge is a wake-up call to everyone of how vulnerable mobile devices are. The hackers relied on SIM swapping and convincing Dorsey’s telecom provider to bypass requiring a passcode to modify his account. With the telephone number transferred, the hackers accessed the Twitter founder’s account. If the telecom provider had adopted zero trust at the customer’s mobile device level, the hack would have never happened.

Cloud Security’s Weakest Link Is Mobile Device Passwords

The Twitter CEO’s account getting hacked is the latest in a series of incidents that reflect how easy it is for hackers to gain access to cloud-based enterprise networks using mobile devices. Verizon’s Mobile Security Index 2019 revealed that the majority of enterprises, 67%, are the least confident in the security of their mobile assets than any other device. Mobile devices are one of the most porous threat surfaces a business has. They’re also the fastest-growing threat surface, as every employee now relies on their smartphones as their ID. IDG’s recent survey completed in collaboration with MobileIron, titled Say Goodbye to Passwords found that 89% of security leaders believe that mobile devices will soon serve as your digital ID to access enterprise services and data.

Because they’re porous, proliferating and turning into primary forms of digital IDs, mobile devices and their passwords are a favorite onramp for hackers wanting access to companies’ systems and data in the cloud. It’s time to kill passwords and shut down the many breach attempts aimed at cloud platforms and the valuable data they contain.

Three Reasons Why Killing Passwords Improves Your Cloud Security

Killing passwords improve cloud security by:

  1. Eliminating privileged access credential abuse. Privileged access credentials are best sellers on the Dark Web, where hackers bid for credentials to the world’s leading banking, credit card, and financial management systems. Forrester estimates that 80% of data breaches involve compromised privileged credentials, and a recent survey by Centrify found that 74% of all breaches involved privileged access abuse. Killing passwords shuts down the most common technique hackers use to access cloud systems.
  2. Eliminating the threat of unauthorized mobile devices accessing business cloud services and exfiltrating data. Acquiring privileged access credentials and launching breach attempts from mobile devices is the most common hacker strategy today. By killing passwords and replacing them with a zero-trust framework, breach attempts launched from any mobile device using pirated privileged access credentials can be thwarted. Leaders in the area of mobile-centric zero trust security include MobileIron, whose innovative approach to zero sign-on solves the problems of passwords at scale. When every mobile device is secured through a zero-trust platform built on a foundation of unified endpoint management (UEM) capabilities, zero sign-on from managed and unmanaged services become achievable for the first time.
  3. Giving organizations the freedom to take a least-privilege approach to grant access to their most valuable cloud applications and platforms. Identities are the new security perimeter, and mobile devices are their fastest-growing threat surface. Long-standing traditional approaches to network security, including “trust but verify” have proven ineffective in stopping breaches. They’ve also shown a lack of scale when it comes to protecting a perimeter-less enterprise. What’s needed is a zero-trust network that validates each mobile device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats before granting secure access to any device or user. If Jack Dorsey’s telecom provider had this in place, his and thousands of other people’s telephone numbers would be safe today.

Conclusion

The sooner organizations move away from being so dependent on passwords, the better. The three reasons why killing passwords improve cloud security are just the beginning. Imagine how much more effective distributed DevOps teams will be when security isn’t a headache for them anymore, and they can get to the cloud-based resources they need to get apps built. And with more organizations adopting a mobile-first development strategy, it makes sense to have a mobile-centric zero-trust network engrained in key steps of the DevOps process. That’s the future of cloud security, starting with the DevOps teams creating the next generation of apps today.

Why Manufacturing Supply Chains Need Zero Trust

  • According to the 2019 Verizon Data Breach Investigation Report, manufacturing has been experiencing an increase in financially motivated breaches in the past couple of years, whereby most breaches involve Phishing and the use of stolen credentials.
  • 50% of manufacturers report experiencing a breach over the last 12 months, 11% of which were severe according to Sikich’s 5th Manufacturing and Distribution Survey, 2019.
  • Manufacturing’s most commonly data compromised includes credentials (49%), internal operations data (41%), and company secrets (36%) according to the 2019 Verizon Data Breach Investigation Report.
  • Manufacturers’ supply chains and logistics partners targeted by ransomware which have either had to cease operations temporarily to restore operations from backup or have chosen to pay the ransom include Aebi SchmidtASCO Industries, and COSCO Shipping Lines.

Small Suppliers Are A Favorite Target, Ask A.P. Møller-Maersk

Supply chains are renowned for how unsecured and porous they are multiple layers deep. That’s because manufacturers often only password-protect administrator access privileges for trusted versus untrusted domains at the operating system level of Windows NT Server, haven’t implemented multi-factor authentication (MFA), and apply a trust but verify mindset only for their top suppliers. Many manufacturers don’t define, and much less enforce, supplier security past the first tier of their supply chains, leaving the most vulnerable attack vectors unprotected.

It’s the smaller suppliers that hackers exploit to bring down many of the world’s largest manufacturing companies. An example of this is how an accounting software package from a small supplier, Linkos Group, was infected with a powerful ransomware agent, NotPetya, bringing one of the world’s leading shipping providers,  A.P. Møller-Maersk, to a standstill. Linkos’ Group accounting software was first installed in the A.P. Møller-Maersk offices in Ukraine. The NotPetya ransomware was able to take control of the local office servers then propagate itself across the entire A.P. Møller-Maersk network. A.P. Møller-Maersk had to reinstall their 4,000 servers, 45,000 PCs, and 2500 applications, and the damages were between $250M to $300M. Security experts consider the ransomware attack on A.P. Møller-Maersk to be one of the most devastating cybersecurity attacks in history. The Ukraine-based group of hackers succeeded in using an accounting software update from one of A.P. Møller-Maersk’s smallest suppliers to bring down one of the world’s largest shipping networks. My recent post, How To Deal With Ransomware In A Zero Trust World explains how taking a Zero Trust Privilege approach minimizes the risk of falling victim to ransomware attacks. Ultimately, treating identity as the new security perimeter needs to be how supply chains are secured. The following geographical analysis of the attack was provided by CargoSmart, showing how quickly NotPetya ransomware can spread through a global network:

CargoSmart provided a Vessel Monitoring Dashboard to monitor vessels during this time of recovery from the cyber attack.

Supply Chains Need To Treat Every Supplier In Their Network As A New Security Perimeter

The more integrated a supply chain, the more the potential for breaches and ransomware attacks. And in supply chains that rely on privileged access credentials, it’s a certainty that hackers outside the organization and even those inside will use compromised credentials for financial gain or disrupt operations. Treating every supplier and their integration points in the network as a new security perimeter is critical if manufacturers want to be able to maintain operations in an era of accelerating cybersecurity threats.

Taking a Zero Trust Privilege approach to securing privileged access credentials will help alleviate the leading cause of breaches in manufacturing today, which is privileged access abuse. By taking a “never trust, always verify, and enforce least privilege” approach, manufacturers can protect the “keys to the kingdom,” which are the credentials hackers exploit to take control over an entire supply chain network.

Instead of relying on trust but verify or trusted versus untrusted domains at the operating system level, manufacturers need to have a consistent security strategy that scales from their largest to smallest suppliers. Zero Trust Privilege could have saved A.P. Møller-Maersk from being crippled by a ransomware attack by making it a prerequisite that every supplier must have ZTP-based security guardrails in place to do business with them.

Conclusion

Among the most porous and easily compromised areas of manufacturing, supply chains are the lifeblood of any production business, yet also the most vulnerable. As hackers become more brazen in their ransomware attempts with manufacturers and privileged access credentials are increasingly sold on the Dark Web, manufacturers need a sense of urgency to combat these threats. Taking a Zero Trust approach to securing their supply chains and operations, helps manufacturers to implement least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, manufacturers can minimize the attack surface, improve audit and compliance visibility, and reduce risk, complexity, and costs for the modern, hybrid manufacturing enterprise.

%d bloggers like this: