
How are corporate endpoints going to be Authenticated and Authorized when your Active Directory is migrated to the Cloud?


Currently, many Network Access Control (NAC) solutions support 802.1X authentication on wireless and wired networks by using Microsoft Domain attributes, such as the credentials of domain users or computer domain membership. In addition, there are plenty of domain-group synchronization scenarios for applying access policies and posture assessments.

Let’s think of an example, such as an organization where the members of a development team are allowed to connect to the corporate wireless network and are then assigned a VLAN or an access list upon successful authentication. Another example could be a finance team whose members are authorized access to the network once their endpoints are running the latest versions of antivirus and their drives are adequately encrypted, while at the same time, helpdesk team members are only required to have the most recent antivirus updates.
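An added example (not from the original post or from any vendor's product) of the authorization logic in the scenario above: directory group membership selects a policy, the policy states which posture checks apply, and the decision is returned as the standard RADIUS attributes for VLAN assignment (RFC 3580). The group names, VLAN IDs, the remediation VLAN and the rule that the strictest matching group wins are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# RADIUS values for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass(frozen=True)
class Posture:
    """Endpoint posture as reported to the NAC (field names are illustrative)."""
    av_up_to_date: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class GroupPolicy:
    vlan_id: int
    require_av: bool = False
    require_encryption: bool = False

    def strictness(self) -> int:
        # Number of posture checks this policy enforces.
        return int(self.require_av) + int(self.require_encryption)


# Constructed policy table mirroring the three teams in the text.
# Group names and VLAN IDs are assumptions, not values from any product.
POLICIES = {
    "development": GroupPolicy(vlan_id=110),
    "finance": GroupPolicy(vlan_id=120, require_av=True, require_encryption=True),
    "helpdesk": GroupPolicy(vlan_id=130, require_av=True),
}
REMEDIATION_VLAN = 999  # assumption: restricted segment for endpoints failing posture


def _accept(vlan_id: int, reason: str) -> dict:
    return {
        "code": "Access-Accept",
        "reason": reason,
        "attributes": {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": str(vlan_id),
        },
    }


def _reject(reason: str) -> dict:
    return {"code": "Access-Reject", "reason": reason, "attributes": {}}


def authorize(authenticated: bool, groups: list, posture: Optional[Posture]) -> dict:
    """Map an authenticated user's groups and endpoint posture to a decision."""
    if not authenticated:
        return _reject("802.1X authentication failed")

    matched = [POLICIES[g.lower()] for g in groups if g.lower() in POLICIES]
    if not matched:
        # Fail closed: a valid credential without a matching policy gets no access.
        return _reject("no access policy for the user's groups")

    # A user in several groups is held to the policy with the most checks.
    policy = max(matched, key=GroupPolicy.strictness)

    # Missing posture data counts as a failed check, never as a pass.
    failures = []
    if policy.require_av and not (posture and posture.av_up_to_date):
        failures.append("antivirus not current")
    if policy.require_encryption and not (posture and posture.disk_encrypted):
        failures.append("disk encryption not confirmed")

    if failures:
        return _accept(REMEDIATION_VLAN, "posture failed: " + ", ".join(failures))
    return _accept(policy.vlan_id, "policy satisfied")


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("finance, compliant", True, ["finance"], Posture(True, True)),
        ("finance, unencrypted", True, ["finance"], Posture(True, False)),
        ("helpdesk, unencrypted", True, ["helpdesk"], Posture(True, False)),
        ("developer, no posture data", True, ["development"], None),
        ("unknown group", True, ["marketing"], Posture(True, True)),
    ]
    for label, ok, groups, posture in samples:
        decision = authorize(ok, groups, posture)
        vlan = decision["attributes"].get("Tunnel-Private-Group-ID", "-")
        print(f"{label:28} {decision['code']:14} vlan={vlan:4} {decision['reason']}")
```

The same unencrypted laptop lands on the helpdesk VLAN for a helpdesk user but on the remediation VLAN for a finance user, which is the per-group posture difference the paragraph describes.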

Most NAC solutions can handle these basic scenarios with an on-premises RADIUS server and an on-premises Active Directory, but what are you going to do if your organization decides to move the Active Directory to the cloud, for example, to Azure?

Azure AD and 802.1X

As part of the global trending increase in cloud data consumption, Gartner predicts that by 2023 80% of enterprises will also adopt two or more cloud-based security services. In this category we have seen a shift in enterprises from using on-premises Active Directories to cloud-delivered Active Directories. This significant change has added the need to consider certain adjustments to corporate information security.

One of these adjustments pertains to 802.1X authentication by domain attributes. Have you ever thought about 802.1X and Azure AD together? Or how network access control solutions will be able to adapt from the former on-premises legacy security vision to pure cloud-to-cloud integrations?

Converting your access and authentication controls to suit Azure AD requires visibility into all devices before they connect to the network, no matter where they are connecting from – VPN, wired, wireless or cloud. If security best practices are important at your organization, this visibility should include checking each endpoint, profiling it in terms of its security posture and providing it with a certain score. Once your system has this information, it is possible to mitigate risks by applying controls that either prohibit suspicious endpoints from connecting to the enterprise network or more sensitive sections of it, or force them to update their security to be able to gain access.

Pure Cloud to Cloud Integrations

This is where cloud-delivered NAC solutions can benefit our new Azure AD players. One of the pioneer features in cloud-delivered NAC is pure cloud-to-cloud integration with Active Directory in Azure. By deploying it, you will be able to authenticate and authorize users and endpoints by Azure AD attributes without installing anything on-premises. Enabling Azure Active Directory Domain Services is not mandatory for authentication, so everything can be cloud-based and agentless.

If your organization is in the middle of a migration process, and you have both on-premises and Azure AD users, the ideal solution is to enable integration with Azure via a hybrid NAC solution, where your Azure users are managed by a cloud-delivered NAC and Azure integration, and your non-Azure users are managed by an on-premises NAC Directory Broker.

Furthermore, it is recommended to have a NAC solution with a readily available integration with Microsoft Intune cloud service where you will be able to use Intune agents for setting your company’s risk assessment policies and thus enhance a pure cloud-to-cloud interaction in your organizational services.

For those interested in reviewing the future of simplified cloud-delivered network security, I would recommend reading more about how it works here.


NAC is dead? The Resurrection of NAC


Some argue that NAC (Network Access Control) is no longer relevant in today’s world of the mobile workforce and distributed (or decentralized) organizations that have moved to using cloud applications for the most part. Adding the fact that many organizations are allowing personal devices to be used in the corporate environment (BYOD) and the fact that IoT devices are used everywhere, some might consider this to be further evidence to the conclusion that NAC is no longer relevant or needed.

In 2004 the first NAC products came on the scene and signaled the start of a new segment in Information Security. At the time, most organizations still had a physical perimeter, desktops were still the main PC to be used at the workplace and laptops were starting to make a wide appearance. BYOD (bring your own device), IoT (Internet of Things) and multi-branch, geo-distributed organizations that rely heavily on cloud services were not prevalent yet. Accordingly, the standards for NAC were very different from what they are today and mainly focused on the wired environment. NAC solutions were then primarily based on using 802.1x pre-connect enforcement with supplicants which were not part of the operating system. Organizations trying to implement NAC solutions only had the option of deploying 802.1x – which ended up with long, complex deployment and implementation, leaving them with a bad taste for NAC.

Over the past 20 years, NAC technologies have evolved exponentially. Vendors introduced control and discovery techniques that have yielded better and faster deployments and ROI. Just as the enterprise network and endpoints have evolved, NAC solutions have evolved from merely allowing or blocking endpoints onto the network into a broader security solution that provides network visibility, endpoint profiling, security posture assessments, risk management and compliance.

Additionally, some solutions have scaled to suit the modern workforce, heterogeneous networks, hybrid cloud and on-prem environments, diverse endpoint environments (such as IoT and BYOD) and globally distributed organizations. This increase in the number of devices connecting to the network and the change in working environments has been our reality for the past 10 years and has evoked a new NAC. Hence, the resurrection of NAC continues to be upon us.

Future of NAC

At this point in 2019, over 60% of enterprise data is stored in cloud applications (public cloud, private cloud and a hybrid of both). By 2020, just a year from now, it is predicted that 83% of enterprise workloads will be taking place in the cloud (1). According to IDG, 77% of enterprises have at least one application or a portion of their enterprise computing infrastructure in the cloud. Additionally, more technology-dependent industries including manufacturing, high-tech, and telecom are being led by executive management to become 100% cloud-based. Therefore, it is crucial to make sure that only company-owned and secured devices gain access to corporate intellectual property and information in the innermost circles of the enterprise. According to Gartner research, by 2023 80% of enterprises will adopt two or more cloud-based security services. This is no coincidence. The complexities in the cyber security landscape, alongside the increasing shortage of skilled security professionals, are leading towards greater adoption of cloud-based security services and specifically the adoption of NAC as-a-Service.

Another factor in future solutions is related to increasing IoT adoption by enterprises and factories. Visibility and monitoring of IoT must be done by an agentless solution. We believe that having agentless solutions that are centrally controlled will be preferred by many organizations in 2019 and the years to come.

Lighter, adaptable and agile solutions will be necessary in the new era. Enterprises will transition into using easier NAC solutions such as centralized NAC, agentless NAC, NAC delivered from the cloud and Software-as-a-Service. These NAC solutions will save time and money on deployment, training and implementation, while at the same time providing the visibility and accuracy needed to handle today’s complex and hybrid networks. Next-gen solutions are able to cope fully with today’s decentralized organizations and the old NAC configurations will no longer suffice as they are perimeter focused.

 

Conclusion

NAC was effective for the problem it was created to solve in the mid-2000s, but subsequent technological advancements in cloud applications, the mass adoption of mobile computing devices by the mobile workforce, and IoT have introduced new complexities and challenges. The new computing model requires new cyber security solutions, and the new NAC technologies are uniquely positioned to be among them. Cloud-native solutions will address concerns of lengthy deployments and geo-distribution. Agentless and centralized solutions will shorten and simplify implementations and everyday usage that were once the dread of CISOs and IT security teams in the enterprise.

 

***

You can see the ease of use and the benefits of cloud-delivered NAC by starting your own free trial of CLEAR (Cloud-delivered solution) today.

Read the following to learn more about the NAC as-a-Service solutions, and how they simplify cloud access control.

You can also schedule a demo for CORE (on-premises solution) and learn more about agentless and centralized NAC as well as regulatory compliance.


  1. LogicMonitor’s Cloud Vision 2020: The Future of the Cloud Study
  2. The State of Network Security in the Cloud Era, Lawrence Orans, 2018 Gartner Security & Risk Management Summit.
  3. 2.9 million according to (ISC)2

Top Five Cybersecurity Trends to Expect in 2019


From a certain perspective, 2018 hasn’t been as dramatic a cyber-security year as 2017, in that we haven’t seen as many global pandemics like WannaCry. Still, ransomware, zero-day exploits and phishing attacks were among the biggest threats facing IT security teams this year. 2018 has not been a dull year as far as breaches go. The cycle of exploit to discovery to weaponization has become shorter, and unfortunately, it has become more difficult to protect the enterprise network and the various devices connected to it. In 2017, roughly 63% of organizations experienced an attempted ransomware attack, with 22% reporting these incidents occurred on a weekly basis (*ESG Master Survey Results, 2018 IT Spending Intentions Survey, December 2017). We expect to wind up with close statistics for 2018.

Here are five trends we believe will dominate cyber security in 2019.

  1. Security and Privacy Merge.
    Despite the fact that everyone is still trying to understand the new privacy landscape and perhaps because they haven’t fully grasped the new realities, everyone is paying attention. Perhaps it is our ever increasing focus on privacy in general and GDPR specifically. Perhaps it is because more organizations will be working long hours to embrace the compliance measures that are needed to protect privacy that we won’t see a major lawsuit against a company. All we know is that we have seen an increase in companies seeking NAC solutions to keep up with all the new compliance regulations and it is very satisfying to hear that sigh of relief, when a company has implemented their solution.
  2. AI + ML = forensics and investigations.
    Artificial Intelligence (AI) and Machine Learning (ML) are going to be implemented into the arena of practical usage in cyber security – mainly for forensics and identification of culprits in cyber events. Investigating security events is costly both in terms of time and the expertise required. We believe that AI and ML are well positioned to help in these investigations for obvious reasons, relating to computing power and specialized programming of what to look for and the ability to learn. AI and ML enable the clustering and analysis of monumental volumes of data that would otherwise be impossible to do within a reasonable amount of time even if you had the best trained minds in the business working on the investigation.
  3. Ransomware – more targeted attacks are expected against wealthy and famous individuals.
    Social networks offer a world of insights and information on almost anyone who has an account. Unfortunately, it provides a lot of details that assist cyber offenders in the monetization of attacks (due to bitcoin) and the ease of performing spear phishing attacks – all will be combined for a more targeted approach.
  4. IoT security issues will increase.
    IoT will be deployed in more business usages and scenarios. The risk will rise and eventually this will cause more issues with a few headlines of devices that were used to hack networks.
  5. The conversation – Whose job is it to protect organizations in the public and private sector?
    Nationwide attacks on large businesses will bring up the discussion of who should protect a country and a business from cyber security attacks. Should the state and country be active in the defense of the private sector? In the same respect, you wouldn’t expect a bank branch to deploy anti-missile defense systems against the possibility of an offending country.

At Portnox, we will continue to innovate our network security and risk control tools to provide solutions to all, empowering our customers with valuable, holistic solutions to protect their networks.

From all of us here at Portnox, we wish you happy holidays and a great new year!


Portnox Named Network Access Control Market Leader for Midsize to Large Organizations by Frost & Sullivan


“Easy NAC”… Easier said than done?

As you know, the enterprise network no longer sits within traditional and secured walls in offices. The enterprise intellectual property, data bases, workflows and communications have been moving in a perimeter-less environment for a while now, extending to any place where employees and data travel. Mobility, digitization, and IoT have changed the way we live and work, resulting in ever expanding networks and increasing complexities in resource management and disparate security solutions.

The fact that organizations are decentralizing has made it more important than ever to have solid network security and controls for every endpoint, no matter which access layer is being used to connect with the network. For this reason, having centralized and software-based network access control (NAC) is more important than ever. No matter where your employees are connecting from and through which devices, no matter which contractors or guests are requesting access, IT security teams can now offer smooth continuity of workflows and productivity while maintaining full visibility and implementing security controls on any endpoint accessing the enterprise network.

Simplicity.

Over here at Portnox, we must take all of the latest changes to the network into consideration as we continue to innovate and craft our solutions. It helps that the main focus point at Portnox has always been to deliver a simple experience to the end-user as well as the IT administrator. Portnox solutions simplify onboarding, operations and maintenance by offering simplified architecture in a centralized, software-based solution for easy deployment and management. Our team does not deal with physical appliances but rather delivers software solutions – whether using the on-prem or cloud options. All solutions function across all access layers, providing 100% coverage and visibility of the network and continuous risk-monitoring.

For these reasons, among the main NAC vendors, Portnox has been named the leader for network access control products in the category of midsize to large organizations with a 22% market share by global research firm Frost & Sullivan. In the new report, analyst Tony Massimini said: “Portnox’s simplified architecture, which supports both 802.1X authentication and SNMP based control, sets it apart from competitors.” A full copy of the report is available here.

The Frost & Sullivan report highlighted several Portnox innovations, including:

  • Agentless architecture (but includes optional agent) for specific use cases, including continuous risk monitoring for roaming devices, remote access and cloud access.
  • Vendor agnostic design that connects directly to network infrastructure equipment via native protocols
  • Support for both 802.1X and non-802.1X devices
  • Powerful RESTful API which enables customers to automate threat response workflows
  • Unique profiling (fingerprinting) technology

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs).

Oftentimes, SMB to Large organizations turn to Managed Service Providers and Managed Security Service Providers (MSP/MSSPs) to handle their cyber security protective services.

In reviewing the key factors to growth in the NAC market in 2018, the report cited, among other things, the severe shortage in skilled security professionals that challenges all organizations, but more so the SMB-to-large segments than large enterprises. Next-generation NAC provides tools to offload many of the functions and automate workflows, thereby helping these organizations to overcome this shortage in skilled IT security professionals. At the same time, NAC will bring great relief to the many overworked and busy IT teams that are handling network security and administration responsibilities.

This same automation and ease is extended to the management of customers by MSP/MSSPs. Portnox offers convenient and scalable NAC as-a-Service that allows MSP/MSSPs to serve their customers quickly, to keep track of what they are using and to handle growing organizations efficiently.

Vision

No matter the circumstances of the organization, Portnox is proud to offer a solution that is flexible and simple enough for anybody:

  • On premises Vs. cloud-delivered network security platforms
  • 802.1x protocols Vs. non-802.1X systems
  • Agentless Vs. agent (based on use case)

Read all about it in the full report available here

Here’s to a secure, productive and prosperous 2019!

Palo Alto Networks and Portnox Join Forces On Cloud-Delivered Threat-Response Solution



In recent months, Portnox and Palo Alto Networks joined forces to better deal with the current cyber security threat-landscape. Network security teams in the enterprise must cope with several challenges that impact their traditional network infrastructure. Here are some of those challenges.

Lateral Movement.

A significant challenge to network and data security is the lateral movement of cyber security hazards such as malware (or even ransomware) from one compromised endpoint to others.
In recent years, cyber offenders have carried out large-scale attacks targeting organizations by exploiting known vulnerabilities and security gaps on endpoints. WannaCry, NotPetya and Bad Rabbit are malware attacks that used lateral movement to spread in large-scale campaigns during 2017. Starting from a single entry point, typically the most vulnerable endpoint detected by the hackers, proliferation via lateral movement can affect an entire organization. In this way, unpatched or unprotected systems can be taken down in no time, leaving an entire organization paralyzed while the offenders achieve their goals.

IoT, BYOD & Unmanaged Endpoints

According to cyber security experts, the majority of harmful attacks exploit well-known vulnerabilities and security gaps on endpoints. Most organizations are unaware of a significant percentage of the endpoints on their network as these are Bring Your Own Device (BYOD), Internet of Things (IoT), guest and other unmanaged endpoints. Additionally, many IoT devices are found to be placed in network segments that are being used by other company devices and IoT endpoints are particularly vulnerable to being breached. These endpoints aren’t transient and typically go undetected by periodic scans. As such, security teams remain unaware of the attack surface on these devices.

Geo-Distribution.

The growing decentralization and de-perimeterisation of worldwide organizations is a crucial factor as well. Once a threat has been identified inside or outside the enterprise perimeter, security teams must be able to handle and contain the threats at HQ and at branch offices anywhere in the world, as well as secure the devices being used by traveling or telecommuting team members.

Threat Detection.

Today’s threats are evolving rapidly. The current velocity and evasiveness of targeted and sophisticated attacks has never been seen before. These attacks rely on stealth, perseverance and the ability to overcome many cyber security defenses. Oftentimes these attacks use multiple vectors of attack and focus on acquiring crucial personal data, company intellectual property or other insider information. Unfortunately, compromised devices and data breaches can often remain undetected for weeks or months. Detecting advanced threats and infected endpoints will require new and adaptive security controls.

Visibility.

Once a threat is detected, how can one see what kind of device has been compromised? Is it a laptop? A phone? An IoT device? Who is the user behind it? Where is it located on the network?

Threat Investigation.

Today’s security analysts are spending too much time trying to pinpoint the compromised endpoint and figuring out who else in the organization has been affected, especially when lateral movement is such a big risk. Oftentimes data breaches remain undetected for extended periods of time (with more than 80% of breaches undetected, Gartner 2017*). Even when detected, if a threat moved laterally before being shut down, there is a lack of information regarding which other endpoints have been compromised; on or off premise.

Response & Control.

Actions must be taken. Stopping lateral movement and other endpoints from being infected is crucial. Compromised devices must be quarantined or blocked from accessing the network, regardless of how they are connected to the network (wired, wireless, VPN, cloud).

Future Risk Mitigation.

Blocking the current threat and preventing it from infecting other endpoints is a great start, but not enough to maintain optimal network hygiene. Continuously analyzing the security posture of all organizational devices is crucial. This includes the ongoing review of existing threats and Indicators of Compromise (IOC) to determine which endpoints are granted access to the network each time.

With so many challenges to factor-in and the all-time record of the number of vendors offering solutions in the cyber security space, all seemingly overlapping, it is no surprise that security teams have a difficult time sorting through many vendor claims till they finally select the services or products that will best match their security and budget requirements.

The CLEAR App Solution.

In mid-October 2018, the Portnox CLEAR App went live on the Palo Alto Networks Application Framework. This joint solution, between Portnox CLEAR’s cloud-delivered network access control and the Palo Alto Networks firewall, allows security teams to set enforcement policies based on threats detected by the Firewall. The App prevents the lateral spread of malware throughout the organization and effectively isolates the compromised endpoints in real time. The Palo Alto Application Framework is designed from the cloud and therefore this cloud to cloud solution will allow organizations to provide remote branches the same security as at HQ, allowing for a much better handling of threats in and outside of the perimeter.

Security teams can rapidly enable the App without worrying about adding any infrastructure or appliances. Additionally, organizations can create customized policy via CLEAR with the flexibility to assign the right impact on the endpoint’s continuous risk assessment and security posture. This is done by correlating advanced threat categories from the Palo Alto Networks firewall with the organization’s access and risk assessment policies for devices. In essence this will allow the organization to leverage the Palo Alto Network advanced threat detection to better secure the access of all endpoints, including BYOD and IoT devices.

Accelerating the Response to Threats.

The joint solution will accelerate the response to threats by identifying all compromised devices that share the same threat using CLEAR’s unique visibility and data discovery capabilities.

Palo Alto Networks next-gen firewalls identify evasive and sophisticated threats and automatically thwart them through multiple means. The technologies use analysis of all allowed traffic, using multiple advanced threat-detection and prevention technologies.

Continuous Risk Mitigation.

Based on the advanced threat detection data received from the Palo Alto Networks firewall (i.e. detecting malware that is new or has no signature), CLEAR enables the discovery of other endpoints with the same threat. Moreover, CLEAR will provide the user ID, office location, switch location, etc., regarding the compromised endpoints. Once the advanced threat detection alerts are received in the Palo Alto Networks Application Framework, CLEAR quarantines or blocks these compromised endpoints. Automated response actions are customized and tailored by the organization’s requirements. IOCs and vulnerabilities indicated by the Palo Alto Networks firewall are correlated with the risk-score of each endpoint and the appropriate response is issued by CLEAR.

CLEAR continuously monitors and evaluates each endpoint on the network, establishing a risk-score for it over and over again, whether the device is connected on or off premise. This knowledge is used to define access policies and continuous risk-monitoring takes place. Security admins can determine, customize and tailor the access policy based on the organization’s security requirements. If the risk-score is high, CLEAR will not allow access or will allow limited access by quarantining the endpoints to a certain VLAN. If the risk-score is low – CLEAR continues to monitor the endpoint.

The day-to-day operation of the application will enable customers to monitor a network or endpoint threat-indications from the Palo Alto Networks Application Framework, to update the risk score of devices, and to identify all devices that share the same threat.

Cloud Strengths.

The fact that CLEAR is delivered from the cloud as a SaaS solution has many positive ramifications from every aspect: security, operations, cost efficiency and more. For example, CLEAR is always running the latest version, with seamless upgrades, delivering the most up-to-date technology advancements to the subscriber. This can save a lot of time and needless worry for the administrators and assures the usage of the best security. Additionally, using a cloud-delivered solution allows for scalability and is geo-distributed across the world, making it a must-have for decentralized and growing enterprises. All of these contribute greatly to a substantial reduction in the Total Cost of Ownership (TCO).

Additionally, with cloud-delivered security solutions, managing risks and threats no longer depends on an IT security team administrator being physically present within the perimeter of the enterprise location. Changes can be made from wherever the security admin is located at the time, from a central account, allowing for faster hands-on solutions as required. In our ever-evolving work spaces, this is a crucial mode of operation.

Conclusion.

With the Portnox CLEAR application on the Palo Alto Networks Application Framework, companies can continuously monitor endpoints on the network and scan for a wide variety of IOCs, for the rapid pinpointing of compromised endpoints, stopping lateral movement and completely avoiding costly data breaches.


The Best Ways to Secure Device Onboarding in The Enterprise


With the prevalence of digital transformation in the enterprise, there is a clear necessity to balance IoT security issues and BYOD security measures that will prevent suspicious or malicious devices from gaining access to the enterprise’s assets and data centers, while at the same time making sure that productivity and easy onboarding of devices are maintained. Employees, guests and contractors are bringing all kinds of Wi-Fi enabled devices to the enterprise environment and they expect easy and quick network connectivity.

Onboarding is the process in which new devices gain access to the enterprise for the first time. Unfortunately IT departments can sometimes experience additional workloads while endeavoring to get all the devices on the network so as not to hinder business productivity. At the same time, if they are not handling the process with top security standards in mind, they could potentially place users, devices, enterprise data and the network itself at risk. The question arises: how should IT Security teams allow for BYOD, IoT, contractors, guests, etc. to securely and quickly connect to the network without placing any of its components at risk of a breach or ransomware attack? The answer: automation.

By automating the entire onboarding process enterprises can achieve the following benefits:

  • Reducing the costs that are typically associated with manual work (including configuration and support activities).
  • Enhancing productivity – getting team members, contractors and guests connected to work faster.
  • Increasing end-user satisfaction – instead of hassling end-users with onboarding procedures, the whole process can and should be seamless.
  • Decreasing the risks – unmanaged, unpatched, high-risk devices should be blocked or connected from the beginning to a separate segment of the network from where the key corporate assets are stored (the “crown jewels” of the company).

Easy Onboarding

Employees, students, contractors, partners and guests should onboard their devices once and then automatically re-authenticate after that, within an environment that continuously monitors all devices on the networks and automatically provides a risk score for every device. This ongoing scoring allows security teams to understand the security posture of the devices and the network as a whole, at any given moment. At the same time, there is no need to have end users repeatedly re-enter credentials on subsequent network connections unless a device is deemed to have a high risk-score. This way the enterprise can easily onboard BYOD devices belonging to employees that are traveling, working remotely or working at a satellite office location. Additionally, this allows onboarding of IoT and smart devices for business such as flat screens, printers and IoT devices, as well as gaming consoles, smart refrigerators and more. These items, of course, must be on a separate segment from where company assets are kept.

Reducing Risks on the Network

A while ago Ofer Amitai, Portnox CEO, wrote about tips for securing endpoint devices on college campuses, institutions that always want a relatively simple onboarding process. He discussed how changes in onboarding and guest access policies could reduce risks and improve network visibility and control. The principles for securing the enterprise require these steps and more. Having a clear onboarding set of policies will allow IT teams to have automated actions applied (see examples in the next section).

After handling the company’s initial network security audit and collecting the security posture of all devices, it is important to make sure that the enterprise authorization policies include conducting automated and continuous security assessments of the network.  This way, every device employs baseline security measures before being allowed to connect.  Additionally, the IT security team should use granular policies to govern the level of access while maintaining full visibility and control over network connected devices with the ability to revoke access at any time.

Automated Device Onboarding and Network Authentication

Having an automated onboarding set of policies can allow for automated actions such as:

  • Immediately allowing Internet access
  • Blocking/disconnecting
  • Segmenting a device to a separate network section
  • Remediation actions

For example, IoT devices are considered to be easy to hack. Therefore, once connected to the enterprise network, these devices should be separated from where core assets are located. Having different segments on the enterprise network is a good solution for that. Additionally, when a visitor connects, the visitor should gain access to the Internet and not to company files, even when plugging the computer into the wired network.
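The automated actions above can be expressed as a small policy function that turns a device's class and posture into a RADIUS reply. This is an added example, not Portnox code: the device classes, VLAN numbers, risk threshold and field names are assumptions, while the three tunnel attributes are the standard RADIUS attributes for dynamic VLAN assignment (RFC 3580).

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW_CORPORATE = "allow-corporate"
    ALLOW_INTERNET = "allow-internet-only"
    SEGMENT = "segment"
    REMEDIATE = "remediate"
    BLOCK = "block"


# Assumed VLAN plan and threshold for this example; every site defines its own.
VLAN_FOR_ACTION = {
    Action.ALLOW_CORPORATE: 10,
    Action.ALLOW_INTERNET: 20,   # guest VLAN with Internet egress only
    Action.SEGMENT: 30,          # IoT segment, no route to core assets
    Action.REMEDIATE: 40,        # quarantine VLAN that reaches update servers only
}
HIGH_RISK = 70                   # risk scores run 0 (clean) to 100 (worst)
KNOWN_KINDS = {"managed", "byod", "iot", "guest"}


@dataclass(frozen=True)
class Device:
    mac: str
    kind: str
    risk_score: int
    antivirus_current: bool = True
    disk_encrypted: bool = True
    reported_lost: bool = False


def decide(device: Device) -> Action:
    """Map device class and posture to one onboarding action (default deny)."""
    if device.reported_lost or device.kind not in KNOWN_KINDS:
        return Action.BLOCK
    if device.risk_score >= HIGH_RISK:
        return Action.BLOCK
    if device.kind == "iot":
        return Action.SEGMENT
    if device.kind == "guest":
        return Action.ALLOW_INTERNET
    # Managed and BYOD endpoints must pass posture before reaching core assets.
    if not (device.antivirus_current and device.disk_encrypted):
        return Action.REMEDIATE
    return Action.ALLOW_CORPORATE


def radius_reply(device: Device) -> dict:
    """Build the reply a RADIUS policy server would return to the switch or AP."""
    action = decide(device)
    if action is Action.BLOCK:
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        # RFC 3580 dynamic VLAN assignment attributes.
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(VLAN_FOR_ACTION[action]),
    }


# Constructed sample devices (locally administered MAC addresses).
SAMPLES = [
    Device("02:00:00:00:00:01", "managed", 10),
    Device("02:00:00:00:00:02", "byod", 25, antivirus_current=False),
    Device("02:00:00:00:00:03", "iot", 40),
    Device("02:00:00:00:00:04", "guest", 15),
    Device("02:00:00:00:00:05", "byod", 85),
    Device("02:00:00:00:00:06", "managed", 5, reported_lost=True),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d.mac, d.kind, decide(d).value, radius_reply(d))
```

Checking the lost-device flag and the risk score before the device class means a compromised IoT device or guest laptop is rejected rather than quietly placed in its usual segment.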

Two advanced guest-network onboarding features are recommended:

  • Easy guest access – allowing for simple and fast connections together with the ability to continuously monitor all devices and ensure security.
  • Agentless access – once the IT administrators have set up the onboarding policy, contractors and guests on protected networks should be able to self-onboard without installing an endpoint agent.

Acquiring Advanced Onboarding Capabilities

One of the technologies that can help with safe onboarding is network access control (NAC). In the past, companies used only desktops and laptops, connected and authenticated over a wired network; nowadays, however, wireless networks and mobile technologies have introduced personal devices (via BYOD policies) and the Internet of Things (IoT) to the workplace. In addition, increasingly stringent compliance standards, such as PCI-DSS, SOX, and ISO standards, require companies to openly communicate their security controls to external auditing authorities. All of these can be achieved via NAC solutions. Network access security should be a priority for all companies moving forward.

Every enterprise today must support a rapidly proliferating world of devices and platforms. From an operational viewpoint, this shouldn’t obstruct workflows and productivity. Ideally, the enterprise IT team will automate and secure network onboarding and authentication so that the IT helpdesk doesn’t have to intervene when guests, contractors and IoT devices need to connect. Additionally, an effective plan for secure network onboarding will on the one hand improve end-user experience for BYOD, IoT, users and guests and on the other hand improve IT security as part of a layered protection strategy.

Looking to set IT security policies and automate your device onboarding?

Portnox CLEAR offers easy onboarding while never compromising on network security across the enterprise.

Handling Network Complexities in Today’s Highly Decentralized Organizations Part 3: 5 Things Your Next 802.1X Authentication Solution Must Do

Implementation Issues Solved with 802.1X NAC Delivered from the Cloud

In parts 1 and 2 of this blog series we argued that decentralized organizations, where mobility plays an important role in network security functionality and visibility, should seriously consider implementing NAC solutions delivered from the cloud, as-a-Service. Endpoint risk assessment, as well as network visibility and control, can then be obtained for all locations, and coverage can grow flexibly as the company grows.
With that in mind, today I will explain the five points that we believe are essential in choosing your next network security solution.

When deploying 802.1X NAC as-a-Service, complaints about lengthy deployments, implementation hassles and limited capabilities do not have to be prevalent any longer. In fact, IT security teams can now succeed where others have failed and be the superheroes of network security projects. NAC doesn’t have to be complicated. With NAC as-a-Service, there is no need for physical deployment or network hardware (unless it already exists, such as RADIUS or Active Directory servers), which significantly cuts the costs and deployment-time that were previously associated with the 802.1X authentication protocol.

Additionally, NAC as-a-Service allows for secure and remote access for the geo-distributed workforce, without the need for localized branch appliance deployments. It also enables business continuity, because if appliances go offline at one of the locations, the rest of the locations and endpoints can continue accessing the network without interruptions and regardless of which type of device is being used (corporate, BYOD, IoT, etc.).

As you can see, the NAC as-a-Service cloud delivery model is a different approach altogether for dot1X authentication in the enterprise, as it solves key security issues with the ease, agility and efficiency of a SaaS solution.

Here are the top 5 items you should look for in selecting your next 802.1X NAC solution.

I. SaaS delivery – With the shift to cloud-based solutions in businesses worldwide, many businesses no longer maintain their own data centers and have come to expect and rely on many solutions to be Software as-a-Service orientated. 802.1X NAC solutions provided from the cloud fit the bill and allow for easier and more cost-effective deployments and implementations.
II. Turn-key solutions with pay-as-you-go options – your next network security solution should have a low TCO – Total Cost of Ownership (both in terms of price and man-hours), without forcing you to have so many pieces of equipment, installations and cumbersome access controls. These are the traits of NAC solutions which are not a good fit for decentralized organizations. A simple, pay-as-you-go model will allow you to gradually implement your NAC solution, while maintaining the highest standards for network security. While TCO is a major driver for IT infrastructure management, there is no reason to compromise on a network security project, but rather choose a solution that will provide a full and mature solution from day one.
III. A scalable and adaptive multi-branch solution – with enterprise mobility and multi-branch businesses that in some cases span countries and continents (without always having an IT professional available), your NAC solution should be able to follow your company wherever it goes. Your solution should also be able to adapt to growth in the number of endpoints, locations and ports, no matter where they are and which layer of the network is being utilized (wired, wireless, VPN).
IV. A holistic approach to cyber security – your 802.1X NAC solution should not be limited just to port security. It is advisable to have a system in place that can provide a full network security vulnerability assessment. Once your solution can provide full visibility of all network access layers as well as all types of devices that are currently connected on the network, your IT managers can maintain tighter controls and set up automated actions.
V. Automated policies and actions – automation is a must-have option, as there are so many challenges to deal with in keeping today’s organizational network secured. Having one simple and consolidated platform that handles all access layers and all potential port security dilemmas will allow for easier automation, configuration and segmentation (as required) of the endpoints for a connection that is based on group permissions. dot1X port control allows for full end-to-end provisioning, automated deployment, management and troubleshooting tasks.

Taking these top 5 points into consideration before selecting an 802.1X solution will assure that decentralized organizations wind up with an easier deployment process in terms of time and budget, as well as a holistic solution that does not ignore any part of the network.

Portnox CLEAR is the recommended solution for simple 802.1X deployment, without compromising on security across the enterprise. By using RADIUS and repository servers from the cloud, dot1X port control is delivered as-a-Service, and admins can embrace the benefits of dot1X authentication by deploying a zero-touch solution that eliminates geo-redundancies. Within weeks, it is easy to see and control every device connected to the network, and thanks to automated monitoring, risk assessments and automated actions it isn’t necessary to be glued to the admin console ever again.

To find out how 802.1X authentication delivered from the cloud works, read more in the White Paper, “802.1X Authentication Is Simpler Than You Think“.

The IoT Security Revolution is Upon Us

By | IoT | No Comments

It is a long-known fact that most IoT manufacturers neglect IoT security while designing their devices and machines. If you do not yet hold this viewpoint, please join our webinar showing just how easy it is to brute-force IP security cameras by using hacking methods that are practically as old as those used in the ’90s. I also recommend catching up on the 2015 Jeep hack and the St. Jude Cardiac Devices hacks that started occurring in 2014. These hacks prove that even companies dedicated to life-saving technologies often neglect to produce the necessary security measures to go with them.

While attending BlackHat 2018, I saw a few jaw-dropping demonstrations. One of these demonstrations was on ATM break-ins. Typically, one might expect a machine containing money to have a more robust security system protecting the cash therein; and yet, the machines were broken into. Additionally, I attended demonstrations of hacks into crucial medical devices and medical networks that are instrumental in keeping people alive.

It was astonishing to find out that companies manufacturing medical devices such as implants, insulin therapy devices (radio-based devices) and pacemakers completely ignore current security research. One example of this research is the extraordinary work done by Billy Rios & Jonathan Butts (in their free time, I might add), in which they discovered many IoT vulnerabilities. This research will no doubt make our world a much safer place.

It was no less appalling to discover the deep contrasts existing between cloud security standards and IoT security standards; or rather, the lack thereof. Cloud-based enterprises are applying major security standards such as SOC2 to ensure the security of cloud infrastructure and turning certain working procedures into the standard requirement for all. Meanwhile, when it comes to IoT devices, we are living in the proverbial wild west. There are currently no official industry security standards for IoT. In the healthcare industry, physicians prescribing the use of these devices have no understanding of their lack of security, and I don’t believe that they should be required to have it. However, at this point in time, it is a life-preserving piece of information to know that these devices have feeble security mechanisms in place and are therefore targeted for hacks.

All of this is taking a positive turn, as attorney Ijay Palansky stated in his presentation at BlackHat, with the first IoT-related lawsuit being launched against Jeep following the vulnerability discovered back in 2015 that had allowed a remote attacker to control the car’s steering and brakes.

The impressive aspect of this lawsuit is that while no car was damaged or controlled by the attackers beyond the proof-of-concept, there is still a legal basis on which to build the case. Even if FCA US LLC (Jeep’s brand owner) were able to successfully defend itself as far as the damage caused, this case will cause tremendous damage to the company in reputation and in dollars lost.

This lawsuit should be viewed as a striking warning sign for companies manufacturing IoT devices while ignoring security vulnerabilities. This practice will no longer go unnoticed. Manufacturers will have to take responsibility for securing these devices or face the consequences. Hopefully, we are at the beginning of a new security revolution for IoT devices, leading eventually to a healthier and device-secured world.

Looking for better IoT visibility and control? Look no further.
Now, there is another way. Portnox CORE offers a solution that allows for simple implementation, without compromising on security across the enterprise, allowing for visibility, control and segmentation options for IoT devices via a simple network access control solution.

Handling Network Security in Today’s Highly Decentralized Organizations – Part 2: Adopting Cloud Solutions

The Business of Risk Assessment

Classical port security is not always understood. Originally it involved the equipment and particularly computers within the physical perimeter. At that point, NAC came into play if someone penetrated the network from a physical port, on-premise. This all changed in the last 15 years, when enterprise mobility and digital transformation took over. These required different levels of authentication to fit the different devices, including managed devices (company owned), unmanaged devices (where Bring Your Own Device – BYOD policies are at play) and IoT devices. The homogenous ways of the old made way for the heterogeneous reality of the new, turning device and port security into the business of risk assessment.

Risk assessment and full network visibility are the virtual doormen at the party who will allow the organization’s invitees to enter. Instead of naïvely allowing anyone to access the network, there should be a continuous and automated system performing risk-profiling and allowing full visibility of everything on the network. Where traditional, on-premise NAC is limited to a few actions and parameters that do not reflect the complexities outlined above and in part 1 of this blog, a robust NAC solution should be able to scan all access layers and all endpoints for all users. Once this is achieved, continuous endpoint risk assessment becomes a reality, providing the wider solution that is required for today’s complex networks and decentralized organizations.

802.1X Network Security Projects

In today’s 24/7 hyper news cycle, we are constantly learning of new data breaches, costly malware attacks and the need to have solid network security solutions. 802.1X, the trusted authentication protocol used for Network Access Control (NAC) solutions, was initially considered a success when implemented on wired networks, within the framework of a traditional, on-premise solution. However, later on, as more companies became decentralized and shifted to wireless networks and VPNs, traditional on-premise 802.1X solutions no longer fit the bill.

Unfortunately, many companies were burnt by these on-prem 802.1X NAC projects. True, the protocol itself is extremely trustworthy; however, with most solutions there seems to be a never-ending patching and configuration job going on. That’s assuming they have completed the labor-intensive and expensive deployment that, in many cases, includes moving a lot of equipment around. If this is a decentralized organization, such as a multi-national company with many access points, each location will require a way to protect all endpoints and company assets. In some cases, this could become costly and create a lack of cohesiveness within the organization.

To solve these and many of the challenges discussed in part 1, lighter, adaptable and agile solutions have become necessary in the new reality. Organizations must transition into using easier NAC solutions such as NAC delivered from the cloud and Software-as-a-Service. Among other attributes, a SaaS delivery model will save time and money on deployment, training and implementation, while at the same time providing the agility, visibility and accuracy needed to handle today’s complex and multi-component networks. Next-gen solutions offered as-a-Service are able to cope fully with today’s decentralized organizations, whereas on-prem 802.1X solutions can no longer suffice. Thankfully, there is such a solution. While it provides robust coverage, it is easy to implement in a few simple steps, the first of which is an easy software download.

NAC Solutions Delivered as-a-Service from the Cloud

Using a next-gen 802.1X cloud solution will allow organizations of any size and with any number of geo-locations to gain full visibility of all endpoints on the network, regardless of what the access layer is or which type of device is being used (company issued, BYOD, IoT, etc.). 802.1X is one of the most secure ways to authenticate devices connecting to the network because it is based on set protocols and a verified standard. While other authentication methods may simplify the implementation and management, as of now there are very few solutions that can match the security and strength of 802.1X authentication on all VPNs, wired and wireless networks.

For those concerned with the notion of having security provided from the cloud, it should be noted that according to Gartner’s research, “by 2023, 80% of enterprises will adopt two or more cloud-based security services”. As more companies become decentralized, we believe that more of them will adopt security services delivered from the cloud.

Tune in next week for part 3: The 5 “must-haves” in your 802.1X NAC solution.

Looking for an easier NAC project?
Now, there is another way. Portnox CLEAR offers a solution that allows for simple deployment, without compromising on security across the enterprise.

Handling Network Security in Today’s Highly Decentralized Organizations – Part 1: The Challenges

The Perimeter is Dead

We know that our businesses are becoming more digital and connected every minute, of every hour, of every day. This is a global trend and the foundation for increased delivery speeds, efficiency and productivity in all organizations. Organizations these days are no longer limited to their physical office premises as they once were. In many cases, team members are allowed the flexibility of working remotely, telecommuting and working in different branches across different countries, sometimes working in shared co-work offices with other remote employees and business owners. That said, IT Security Officers have their work cut out for them, whether they are handling a large multi-national organization or a small-to-medium business. We all know and feel the incredible threats looming on our networks and the constant care that must be taken to assure the security and integrity of our organization’s assets, whether they are physical or intellectual. In this first post of a series of three, we’ll review a few challenges with network security and then consider some solutions in parts 2 and 3 of this blog.

We Adore Our Mobility

There is a lot of satisfaction that comes with the increased productivity, flexibility and mobility offered by digital transformation. Is there anyone out there who would like to trade their smartphone back to a flip phone? Their laptop for a desktop? The answer is clear: obviously – no. We all adore our mobility and digital advancements. So much so, that IDC predicts that within the next two years there will be close to 200 billion Internet connected devices.

If you are reading this article, there is an excellent chance that you use 5-6 connected devices, including your smartphone, a wearable of some sort, a laptop or two and a tablet or two. Perhaps you have a few IP cameras monitoring your home and office while you are away. And that’s just you. Now think of all the people bringing their own devices to the enterprise these days.

Next, let’s think of the IoT (Internet of Things) devices that are increasing their presence everywhere. According to IDC, there will be 80 billion connected IoT devices by 2025, heightening a security concern stemming from the fact that IoT devices are almost invisible on many enterprise networks. Additionally, employees are accessing any kind of application under the sun (or fluorescent light), on their own devices and via the Internet on their company-managed computer. These applications and websites are used for both personal and work-related purposes, placing the organizations’ assets at risk.

Network Complexity

In today’s decentralized enterprises there are multiple access layers at play, including the use of wired, wireless and VPN connections. This is one of the core security issues with complex networks in decentralized organizations with locations in different states and countries. Multinational organizations suffer from increased risk due to their IT security loopholes and the abundance of access ports and end-users. It is no wonder then that many IT departments have settled for half-promises of asset security and network controls. They must work within the constant cyber threats that seem to be spreading faster and everywhere these days. Unfortunately, one of these half-promises leads to incomplete Network Access Control (NAC) implementations and to lengthy and unsuccessful projects.

Security Vendor Fragmentation

Vendor fragmentation is an incredible headache that must be handled. It seems like there is a solution for every inch on the network, as long as you are willing to work with five different vendors. Implementation is labor-intensive and expensive. Moreover, IT leadership struggles when selecting vendor software because the solutions are diverse, with no single vendor able to meet all requirements and use cases, especially with decentralized organizations.

Safely On-boarding All Devices

On-boarding devices onto the network in a distributed organization is not hassle-free, and often slows productivity down. Additionally, compliance must be enforced across the organizational network, no matter which location around the world or which device is being used. At the same time, if one of your team members loses their computer, there should be a clear path to prevent that device from on-boarding onto the network.

Cybersecurity Posture

Many CIOs and CISOs have the constant burden of dealing with and maintaining the organization’s cybersecurity posture while potentially being targeted for cyber-attacks. With cyber-attacks being on the rise and in the news every week, it is no longer a question of if, but rather a question of when one’s organization will be under attack. And so the question arises – are we as prepared as we could and should be?

The network complexities outlined here may be preventing many from establishing optimal solutions and procedures for their organization, especially those that allow full visibility and risk management, not even imagining how serious the threats are till it is too late. Is it really going to take a complete data breach before we do anything about it? Can’t we just learn from other organizations’ mistakes and misfortunes? (Note the 2017 WannaCry attacks for example). Still, once IT departments have been burnt by unsuccessful NAC projects, they might be slow and cautious before initiating the implementation of a new and ideally – better – technology.

Looking for an easier NAC project?

Now, there is another way. Portnox CLEAR offers a solution that allows for simple deployment, without compromising on security across the enterprise.
