When security integrator Optiv Security Inc. went into lockdowns more than a year ago, Chief Information Officer Sujan Turlapaty immediately realized what he was up against. “We went from managing 20 to 30 branch offices to 2,500 remote offices,” he said. “The attack surface was much bigger.”
That has prompted the firm to overhaul its cybersecurity defenses for the long term. Optiv has accelerated its shift to a more flexible software-defined network over the past year and plans to deploy a suite of cloud security services. It’s also adopting zero-trust security principles that assume that nobody and nothing on the business network can be trusted. “Zero trust is what we preach to customers,” Turlapaty said, “so we are applying that to us.”
More than a year into the COVID-19 pandemic, U.S. businesses are preparing to reopen in the wake of an experience that will permanently change the way they secure systems and workforces. The tools and practices they adopt will ultimately make them stronger, experts believe, but the transition period will be fraught with risk, given unprecedented changes in the workforce.
Although most knowledge workers will return to offices in some capacity, nearly one-third don’t want to go back full-time, according to a 9,000-person survey conducted by Slack Technologies Inc. PricewaterhouseCoopers LLP reported early this year that 65% of executives believe employees need to be in the office three days a week or less. “Most companies are heading toward a hybrid workplace where a large number of office employees rotate in and out of offices,” the consulting firm wrote.
That means traditional security strategies, which focused on keeping attackers out of the corporate network but did little to limit them once they were inside, will have to change. And as work shifts rapidly outside the four walls of the organization to the public cloud, the time is right for a security reboot.
Picking up the pace
In the same way that COVID-19 accelerated cloud migration and digital transformation initiatives that had been bubbling under the surface for some time, the crisis has also prompted organizations to pick up the pace in overhauling security practices for the age of the cloud. Despite notable recent events such as the ransomware attack on a major U.S. fuel pipeline and the SolarWinds Worldwide LLC breach, organizations are moving quickly to a new crop of promising cloud-based defenses.
In particular, they’re ramping up the use of cloud-based identity and access management, or IAM, services, zero-trust tactics and ultimately Secure Access Service Edge, or SASE. That last term is a concept defined by Gartner Inc. in 2019 that combines software-defined wide-area networks with a collection of cloud-delivered security tools such as cloud access security brokers, secure web gateways and firewall-as-a-service. The underlying theme is to move away from perimeter-based protection toward cloud services that let employers monitor and control what people do even when they aren’t connected to the corporate network.
Gartner predicts that more than 40% of enterprises will have SASE adoption plans in place by 2024, up from fewer than 1% at the end of 2018. “I have never seen anything take off so fast,” said Jason Clark, chief security and strategy officer at cloud security provider Netskope Inc.
The new breed of cloud security services focuses on people rather than machines. Identity and access management software grants permissions only after users prove they are who they say they are, to a level of assurance set by their employers. That’s in contrast to traditional practices that granted access based on the identity of a device or its presence on the corporate network, both of which an attacker could compromise or spoof.
A survey of more than 1,300 senior executives in the U.S., Europe and Australia by Ping Identity Holding Corp. shows how quickly the transition is occurring.
- 69% plan to increase investment in identity and access management over the next 12 months.
- 64% say more than half of their people now use multifactor authentication, up from 38% before lockdowns began.
- 55% have invested in new identity security capabilities as a direct result of the pandemic.
- 82% have deployed or are deploying zero-trust principles, with 71% expecting to invest more in that initiative over the next 12 months.
However, cloud-based protections are relatively new and still developing. The same survey found that two-thirds of executives said process issues are hampering their use of new technology and nearly 90% said IAM isn’t functional enough for their needs.
There’s also the issue of managing expectations as organizations make the transition away from policies that granted logged-on employees wide latitude to a more granular set of restrictions. “When you connected to the network a year ago, you had access to everything. Now my role might limit my access,” said Joe Leonard, chief technology officer at GuidePoint Security LLC. “That changes our culture and how we work.”
It’s clear that few organizations will go back to the walled city approaches of old, however. “Security should never have been based on just a perimeter approach, putting efforts just into keeping the bad guys out,” said Stephen Cavey, co-founder of Ground Labs Pte Ltd.
That’s where the pandemic has presented an opportunity. Security practices that organizations put in place during a decade-long transition to the cloud were piecemeal and uncoordinated. The crisis has presented an opportunity to reevaluate strategies from the ground up. “CIOs are stepping back and looking at their architecture because a lot of it was done ad hoc,” Leonard said.
Many are paying particular attention to virtual private networks, which nearly every large business uses to enable remote access. Introduced in the 1990s, VPNs establish a “tunnel” over the public internet to create a secure private connection to the corporate network. That worked pretty well when most work went on behind the corporate firewall, but the profusion of cloud-based software-as-a-service applications has made VPNs a bottleneck and even a security risk.
VPNs configured as full tunnels send all of a user’s traffic through the organization’s data center, even traffic that is headed right back out to the public cloud. For organizations with thousands of home-based workers, that meant squeezing massive amounts of internet traffic through a tiny straw. “You shouldn’t have to throttle everything through the corporate network,” said Deborah Golden, U.S. cybersecurity and risk lead at Deloitte LLP.
Many VPNs choked under the sudden load of thousands of remote connections. As the capacity of existing VPN appliances maxed out, information technology organizations rushed to order more servers from their suppliers, only to be told that they’d have to wait months for supplies that were stuck on quarantined loading docks.
“Those that had hardware-defined remote access technology struggled the most,” said Shawn Bass, chief technology officer for end-user computing at VMware Inc. Older VPN devices lacked the ability to scale up through software, so organizations had to purchase more servers.
“There was a finite capacity in most organizations that were in the midst of trying to respond to a shift to a 90% remote workforce,” Bass said. “Even though the outward perception was that everyone moved smoothly, the reality is that many customers took months.”
Compounding the problem was what Bass called “egress bandwidth,” or the capacity for IT organizations to connect to managed personal computers in the field. That limited their ability to apply patches to employees’ devices. Inside the firewall, IT organizations use relay servers to offload patch distribution from production systems, but that luxury was no longer an option.
“Once everybody was remote, they didn’t have the tiered relay and that added even more load,” he said. “We’ve spent quite a bit of time with larger customers who were saying, ‘I don’t ever want to be in a position again where I can’t flex or grow my infrastructure.’”
VPNs also created new security problems. As existing servers slowed to a crawl, many users abandoned them altogether and connected directly to cloud services, exposing themselves to Wi-Fi hijacks or “man-in-the-middle” attacks. People who used their computers for both personal and business purposes were also at risk of becoming infected with malware while disconnected from the VPN and then delivering it onto the corporate network upon reconnection.
And VPNs themselves became a focus for attackers, in particular nation-states, that turned their attention to exploiting known vulnerabilities in an effort to unlock a trove of authentication credentials. “Nation-state attacks on VPNs are going through the roof,” said VMware’s Bass.
Despite the risks, VPNs are so entrenched in most IT organizations that it will be a long time before they disappear. A survey by network security firm NetMotion Software Inc. last summer found that 87% of enterprises use a VPN today and 45% intend to still use one for at least three more years.
“I don’t think VPNs are going anywhere, but there’s an acknowledgment that they’re best limited to accessing corporate resources,” said Dan Kennedy, senior research analyst at 451 Research Inc. “Having that chokepoint in an environment where a lot of stuff isn’t in traditional IT is not going to work anymore.”
Cloud-based software VPNs are an increasingly popular alternative, and the NetMotion survey found that more than half of organizations began using them for the first time last year. The larger shift will be toward software-defined networking that does away with the need to manage individual devices entirely. Prescient & Strategic Intelligence expects the global SD-WAN market to surge from $1.4 billion in 2019 to $43 billion by 2030, a compound annual growth rate of more than 30%. Many other research firms have issued similar forecasts.
Disconnected and exposed
Offline work introduced its own set of issues. With VPN performance deteriorating, some employees simply disconnected and worked locally. “That’s a problem when companies traditionally had a default policy of saving documents automatically to the company file share,” Cavey said.
Local files on a remote PC don’t enjoy the protection of corporate firewalls or the data-loss controls that watch the file share. Desktop applications also use numerous tricks for versioning or to protect against accidental deletion, and many of those tricks create hidden copies.
“Microsoft Word auto-recover makes a temporary copy in a hidden directory,” Cavey said. “Those temporary files often build up on endpoints.” And as most people know by now, deleting a file typically removes only its directory entry; the contents remain on disk until they are overwritten.
Cavey’s company scans computers for hidden sensitive data. Ninety percent of the time it finds something that shouldn’t be there, Cavey said. IT organizations “scan where they think the data is, but quite often the data that’s stolen is in places they didn’t know about,” he said.
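The kind of scan Cavey describes can be illustrated with a small script. The following is an added example, not Ground Labs’ tooling or anything from the original article: it walks a directory tree, including hidden directories and Office-style temporary files, pulls out digit runs that look like payment card numbers, and keeps only those that pass the Luhn checksum, so that ticket numbers and similar digit strings are not reported. The sample files it scans are constructed inline with well-known test card numbers; no real data is involved.

```python
import os
import re
import tempfile
from pathlib import Path

# Candidate runs of 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, masked to the last four digits."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root, dotfiles and temp files included, and map relative path -> masked PANs."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                # Decode leniently: auto-recover and temp files are often not clean UTF-8.
                text = Path(path).read_bytes().decode("utf-8", errors="ignore")
            except OSError:
                continue
            pans = find_pans(text)
            if pans:
                hits[os.path.relpath(path, root)] = pans
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree (test card numbers only, not real data) and scan it."""
    root = tempfile.mkdtemp(prefix="pan-scan-")
    samples = {
        "report.txt": "Quarterly totals, nothing sensitive here.",
        # An Office-style auto-recover copy left in a hidden directory.
        ".recovery/~$customers.docx.tmp": "Card on file 4111 1111 1111 1111 exp 12/25",
        # Looks like a card number but fails Luhn, so it must not be reported.
        "notes.txt": "Ticket 1234-5678-1234-5678 opened by helpdesk",
        "export.csv": "name,pan\nJ. Doe,4242424242424242\n",
    }
    for rel, content in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return scan_tree(root)


if __name__ == "__main__":
    for path, pans in demo().items():
        print(path, pans)
```

Running it reports the hidden auto-recover file and the CSV export, and stays silent on the helpdesk ticket. A production scanner would add other data classes and read inside container formats such as .docx, but the point the example makes is the same one Cavey does: the hits are in the hidden directory, not where the file-share policy assumed the data would be.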
Then there are the security risks in cloud services themselves. Although well-known software-as-a-service providers such as Salesforce.com Inc. and ServiceNow Inc. generally have world-class protections in place, that isn’t always true for the thousands of second- and third-tier companies that deliver niche services, often through mobile apps and browser plug-ins.
“There are 50,000 SaaS apps out there and most big companies have over 1,000 in use,” said Netskope’s Clark. Many small providers “may have only 20 employees and no security people.”
Small SaaS providers may also have data-sharing relationships with other companies that aren’t disclosed, or are documented only in the fine print of license agreements nobody reads. Clark routinely turns off auto-transcription features for that reason. “There could be 100 providers that have access to my data,” he said. “I guarantee one of them will have bad security practices.”
The human touch
But technology won’t solve human carelessness, which continues to be the leading cause of breaches and data theft incidents by a wide margin. The incidence of ransomware attacks — most of which spread through phishing emails containing malicious links that people click on after being fooled into thinking they’re from someone they know — jumped more than 400% last year, according to one study.
The growing willingness of organizations to pay ransoms only encourages the assailants. “The human layer continues to be the weakest link,” said Optiv’s Turlapaty. “All it takes is one click.”
Indeed, it appears that cybercriminals are doubling down on tried-and-true tactics that exploit user naïveté. Cloud security provider GreatHorn Inc. reported that executive impersonation attacks increased over 130% from the first quarter of 2020 to the same quarter this year. Nearly 60% of the companies that responded to the survey said at least one executive had been the target of a so-called whaling attack. Both tactics involve impersonating senior leaders in an organization in an attempt to authorize fraudulent payments or gain access to sensitive data.
“The vast majority of cybercriminals were observed using three basic strategies: malicious attachments, links to malicious web pages and enticements to perform transactions,” VMware reported. “Perimeter security solutions such as anti-virus, anti-malware and anti-phishing tools are ineffective against advanced email-based threats.”
Education is the main countermeasure to user error, but resource-stretched security operations have little time to beef up training during a crisis. A survey of 5,800 people working from home by anti-malware developer PC Matic Inc. found that 47% said they didn’t receive technical assistance from their employer last year and 62% use personal devices for work purposes because the employer didn’t issue one.
Yet education is one of the most cost-effective cybersecurity practices an organization can implement. Issuing inexpensive software-based password managers to employees and instructing them on their use can significantly reduce one of the greatest risks, which is the use of weak or reused passwords. When combined with multifactor authentication, the strategy sharply reduces exposure to credential theft, which Verizon Communications Inc.’s 2020 Data Breach Investigations Report found in roughly 80% of hacking-related breaches.
The pandemic experience may trigger a return to basics. “I see a lot of organizations reconfirming the maturity level of their basic cyberhygiene,” said Deloitte’s Golden.
Optiv’s IT organization formed a committee to prepare employees for the long-term challenges of working remotely through common-sense tactics such as using approved browsers, installing mobile device management and never clicking on unknown links. “It was an opportunity for us to reinforce that message through training,” Turlapaty said.
Illustrating the notion that what doesn’t kill us makes us stronger, COVID-19 may prove to have been a blessing in disguise for the cybersecurity field. Even if progress will be measured for some time to come, at least everyone is pulling in the right direction.