SEC Cyber Reporting Requirements: Tailoring Your Security Strategy

The Securities and Exchange Commission (SEC) has made a significant stride in promoting transparency in the corporate sector. It has introduced new regulations obligating publicly traded companies to reveal significant cybersecurity incidents, offering investors a more transparent view of their cybersecurity risk management, strategy, and governance. Aimed at fostering informed investment decisions, the new SEC cyber reporting requirements mark a turning point in how public companies handle cybersecurity risks.

The SEC Rules Unraveled

At the heart of these rules is a requirement for public companies to announce material cybersecurity incidents within four business days of identifying their material nature. Materiality is discerned based on factors like the incident’s scale and character, repercussions on company operations, and possible effects on financial standing. Additionally, these rules compel public companies to provide more comprehensive information about their cybersecurity risk management, strategy, and governance.

Disclosure Obligations for Public Companies

After determining a cybersecurity incident is material:

  • Companies must disclose on Item 1.05 of Form 8-K the incident’s nature, scope, and timing, along with its impact on the company’s operations and financial health, within 4 business days. Details regarding compromised data and ongoing or completed remediation efforts should also be included.
  • Registrants must provide details on Form 10-K (Regulation S-K Item 106) that discuss how they assess, identify, and manage material risks from cybersecurity threats. Details on board oversight of risks from cybersecurity threats and management’s role in assessing and managing them must also be included.
  • Foreign private issuers are required to provide similar disclosures for material cybersecurity incidents and to detail cybersecurity risk management, strategy, and governance on Form 20-F.

The new regulations will be enacted in December or 30 days after publication in the Federal Register. Smaller companies will be allowed an additional 180 days to submit their Form 8-K disclosures. Additionally, disclosures may be delayed if the United States Attorney General determines that immediate disclosure would pose significant national security or public safety risks and notifies the Commission of this in writing.

Tailoring Your Security Strategy for Optimal Compliance

These technologies and frameworks can provide a multi-layered approach to compliance:

Network Access Control: Your First Line of Defense

In the face of the SEC’s new regulations, the implementation of Network Access Control (NAC) can be a game-changer. NAC solutions provide real-time visibility of all devices connected to the network, along with their user credentials and activities. By enforcing strong access policies, a NAC can ensure only authorized users and devices gain access to critical data, keeping potential threats at bay while aligning with the SEC’s push for improved cybersecurity risk management.

Trust but Verify: Leveraging the Zero Trust Framework

Additionally, adopting a zero trust framework provides a structured and secure approach to compliance. Zero trust operates on the belief that no user or device, whether inside or outside the network, should be trusted by default. Each access request is verified before access is granted, significantly reducing the risk of breaches while allowing easier compliance with SEC regulations.

Passwordless Authentication: The Future of Secure Access

Password-based systems have long been a weak link in the cybersecurity chain. By making the move towards passwordless authentication, companies can address this issue head-on. Replacing easily cracked, often forgotten passwords with stronger alternatives like biometrics, hardware tokens, or one-time passcodes offers a user-friendly approach that bolsters security measures while meeting SEC directives.

Closing Thoughts

As we embrace the digital era, public companies face escalating cybersecurity risks. The new SEC cyber reporting requirements shine light on the traditionally opaque world of cyber risk in public companies, while increasing critical transparency with investors. By leveraging a multi-layered security approach, companies can secure an effective path to compliance while mitigating malicious threats. [...] Read more...
Crime-as-a-Service (CaaS): Unveiling the Cyber Black Market

The rise of Crime-as-a-Service (CaaS) mirrors the expansion of digital services across industries. With businesses using various “as-a-Service” models to grow and adapt, cybercriminals have found their version in CaaS, making sophisticated cybercrime tools accessible to a broader audience. This marks a trend that has greatly contributed to the rise in cyberattacks the world over.

The Rise & Expansion of CaaS

Cybercrime has always been a lucrative industry, but CaaS has supercharged it. Cybersecurity Ventures predicts the cost of cybercrime to reach $8 trillion this year. CaaS has contributed significantly to this figure by democratizing access to an array of high-level cyber-attack services such as:

  • Ransomware-as-a-Service: Arguably one of the most notorious, this service offers platforms providing customizable ransomware strains, allowing attackers to specify ransom amounts, payment methods, and even the ransom note’s content.
  • Phishing-as-a-Service: Equipped with templates and tools, these platforms simplify the deployment of phishing campaigns. From fake bank login pages to scam eCommerce sites, the goal is to deceive users into providing sensitive data or installing malicious software.
  • DDoS-as-a-Service: Denial-of-service attacks flood a website or online service with excessive traffic, causing shutdowns. With DDoS-as-a-Service, cybercriminals can rent botnets (large collections of compromised endpoints) to inundate targets with requests, leading to service outages.
  • Hacking-as-a-Service: Why learn to hack when you can outsource it? This service does just that. It provides a platform where individuals can hire seasoned hackers for specific tasks, be it infiltrating a system, acquiring data, or planting malware.
  • Data-as-a-Service: This is the digital black market’s storefront. Here, cybercriminals can purchase everything from stolen credit card information to breached databases. With the rising value of data, these marketplaces have become bustling hubs of illegal trade.
  • Botnets-as-a-Service: Essentially, it’s a rent-a-crowd for malicious activities. Users can hire networks of compromised endpoints (which can even include IoT) to carry out tasks like sending spam emails or mining cryptocurrency. Given the scale, these networks can wreak havoc.

The Ever-Evolving Landscape of CaaS

While the above paints a broad picture of CaaS, it’s essential to realize this landscape is in constant flux. With technological advancements, we’re seeing more niche CaaS offerings. For instance, specialized offerings targeting mobile devices or Internet-of-Things (IoT) platforms are gaining momentum. CaaS platforms are becoming more refined, user-friendly, and diversified, reinforcing the importance of vigilance in the cybersecurity realm.

Empowering Your Defense: The Merits of NAC & Certificate-Based Authentication

Tackling the advanced techniques that CaaS brings to the table demands robust countermeasures. Network Access Control (NAC) and certificate-based authentication stand as frontrunners in this fight.

  • Network Access Control: Envision NAC as the vigilant sentry of your digital domain. Beyond just restricting network access, it assesses the credibility of users and devices, determining their permissions and logging their activity. It seamlessly integrates authentication, authorization, and accounting functions, ensuring that every device meets specific security benchmarks before granting access.
  • Certificate-Based Authentication: Bypassing the pitfalls of traditional password systems, certificate-based authentication offers a fortified barrier against unauthorized access. By assigning unique digital certificates, it validates the identity of users and devices without them having to memorize or input complex passwords. It’s an efficient way to enhance security, all while streamlining the user experience.

Closing Thoughts: Charting a Safer Path in the CaaS Age

The evolution of CaaS mirrors technological progression, always adapting, always expanding. Consequently, taking proactive security measures becomes more than just a recommendation; it’s an imperative. Leveraging multifaceted tools like NAC, and embracing the future with certificate-based authentication, positions us several steps ahead of potential threats. Knowledge, paired with these advanced techniques, acts as our compass in this ever-evolving cybersecurity terrain. [...] Read more...
Filling the Access Security Gap With Certificate-Based Authentication

It should come as no surprise that passwords have fallen out of favor as a reliable method of authentication. This is because passwords are often weak (easily guessable), can be forgotten, and password stores become a weak point for security (if an intruder accesses the password store, they hit the motherlode). Luckily, there is a better way to reliably authenticate users: certificate-based authentication.

What Is Certificate-Based Authentication?

Certificate-based authentication is a cryptographic technique that uses a digital certificate to identify a user, device, or machine before granting access to specific resources.

Certificate-based authentication isn’t new. It’s widely used by many internet security protocols, including SSL/TLS, a near-universal protocol that encrypts communications between a client and server, typically web browsers and websites or applications. However, certificate-based authentication works slightly differently for SSL/TLS than in other use cases. With SSL/TLS, the server confirms its identity to the client machine, but this happens in reverse for client certificate-based authentication.

For example, let’s say a company wants to use certificate-based authentication to grant employees access to its email servers. In this scenario, the company will issue employees with valid certificates to access the email servers, and only employees with these certificates will be granted access.

In recent years, certificate-based authentication has risen in popularity as an alternative to password-based authentication, mainly as a way to address the security gaps with usernames and passwords. For example, username/password authentication uses only what the user knows (the password). In contrast, certificate-based authentication adds another layer of security by also using what the user has (the private cryptographic key).

With that said, it’s important to note that certificate-based authentication is rarely used as a replacement for usernames and passwords but instead used in conjunction with them. By using both, companies essentially achieve two-factor authentication without requiring any extra effort from the end user (getting out their cell phone to receive a one-time password (OTP), for example).

How Does Certificate-Based Authentication Work?

Before answering this question, we first have to understand what a digital certificate is. A digital certificate is an electronic password or file that proves the authenticity of a user, server, or device through cryptography and the public key infrastructure (PKI). PKI refers to tools leveraged to create and manage public keys for encryption. It’s built into all web browsers currently in use today, and organizations also use it to secure internal communications and connect devices securely.

The digital certificate file contains identifiable information about the certificate holder and a copy of the public key from the certificate holder. This identifiable information can be a user’s name, company, department, and the device’s IP address and serial number. When it comes to the public key, the key needs to be matched to a corresponding private key to verify it’s real.

So, how does this work in practice? First, the end user digitally signs a piece of data using their private key. This data and the user’s certificate then travel across the network. The destination server then checks the signed data (produced with the private key) against the public key contained within the certificate. If the keys match, the server authenticates the user, and they’re free to access network resources.

Benefits of Certificate-Based Authentication

Digital certificates are widely used by organizations today and for many reasons. Let’s dive into why.

Boosted Security

Public key cryptography, also known as asymmetric encryption, is considered very secure. This is because all data encrypted with the public key can only be decrypted with the matching private key. So, when two parties communicate, the sender encrypts (scrambles) the data before sending it, and the receiver decrypts (unscrambles) the data after receiving it. The unscrambling can only happen if the keys match. And while in transit, the data remains scrambled and will appear as gibberish to a hacker.

Ease of Deployment & Use

Certificate-based solutions are easy to deploy and manage. They typically come with a cloud-based management platform that allows administrators to issue certificates to new employees with ease. The same is true for renewing or revoking certificates. Moreover, many solutions integrate with Active Directory, which makes the certificate issuing process even more straightforward.

They also don’t require any additional hardware, which isn’t the case for other authentication methods like biometrics or OTP tokens. Lastly, certificate-based solutions are very user-friendly and require minimal end-user involvement. Users don’t have to expend additional effort to get this boosted level of security. This is crucial because adding friction to any security measure tends to frustrate users and can often lead to worse outcomes. We see this happen with passwords, where users typically reuse passwords to ease the burden of remembering multiple highly secure phrases.

Natively Supported by Many Existing Enterprise Applications

Countless enterprise applications and networks natively support X.509 digital certificates, the typical format used in public key certificates. This means enterprises can get up and running with certificate-based authentication with just a few configuration tweaks.

Security Flaws of Certificate-Based Authentication

No solution is without its drawbacks, and the same is true for certificate-based authentication.

First, it’s much harder to crack a key than a password, but once cracked, the results are the same. If a key is compromised, cybersecurity goes out the window. Essentially, IT can’t distinguish between a hacker and a legitimate employee if the keys match. And this is precisely why certificate-based authentication should be used in coordination with other authentication and cybersecurity measures wherever possible.

Second, certificate-based authentication is only as strong as the digital certificate. Or in other words, the stronger the cryptographic algorithms used to create the certificates, the less likely an attacker can compromise them. For this reason, organizations must ensure that the certificate authority is reputable and trustworthy.

Final Thoughts on Certificate-Based Authentication

Certificate-based authentication can be an excellent addition to any organization’s cybersecurity stack. While it’s not without its drawbacks, the benefits outweigh the challenges. Certificate-based authentication allows only approved users and devices to access your network while keeping unauthorized users and rogue devices locked out. [...] Read more...
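The sign-then-verify exchange described above, written out in Go as an added example (it is not Portnox code and not from the original post). A constructed root CA issues an employee certificate; the client signs a server-chosen challenge with its private key; the server accepts only if the certificate chains to the trusted CA, is marked for client authentication, and the signature verifies under the public key inside that certificate. The CA name, the identity alice@example.com and the nonce are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for key's public half: self-signed when parent is nil,
// otherwise signed by the CA (parent, parentKey). Issuance errors are fatal here.
func issue(cn string, isCA bool, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the CA may sign employee certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewDeployment builds the constructed company PKI (a root CA plus one employee certificate)
// and returns the trust store, the employee's DER certificate and the employee's private key.
func NewDeployment() (*x509.CertPool, []byte, ed25519.PrivateKey) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, empKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue("Example Corp Root CA", true, caKey, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, issue("alice@example.com", false, empKey, ca, caKey).Raw, empKey
}

// Authenticate is the server step: the certificate must chain to a trusted CA and be valid
// for client auth, and the signature over the server's challenge must verify under its key.
func Authenticate(roots *x509.CertPool, certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", fmt.Errorf("signature does not match the certificate's public key")
	}
	return cert.Subject.CommonName, nil // the proven identity
}

func main() {
	roots, certDER, key := NewDeployment()
	challenge := []byte("server-nonce-8f3a")  // constructed; a real server draws random bytes
	sig := ed25519.Sign(key, challenge)       // client step: prove possession of the private key
	fmt.Println(Authenticate(roots, certDER, challenge, sig)) // alice@example.com <nil>
}
```

Because the server chooses the challenge, a captured signature cannot be replayed against a later login, and a self-signed certificate that merely copies the employee's name fails the chain check before the signature is even looked at.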
Portnox Blog

Catch up on the latest surrounding network security, cyber threats, and all things Portnox.

  • Filling the Access Security Gap With Certificate-Based Authentication
  • Windows Authentication: Adding Windows Domain Authentication Method
  • Fingerprint Authentication: New Fingerprint Authentication Method & Policy
  • SSH Authentication: Adding SSH Authentication Method & Policy
  • Setting Hives: Setting Up Hives
  • Vouchers: Giving a Voucher – Temporary Exception
  • Resident Device: Defining a Resident Device with White Listing
  • Unauthorized Hub: Defining an Authorized Hub
  • Reactions - Enforcement: Defining Reactions – Enforcement Actions
  • Alerts: Defining Alerts
©2023 Portnox. All Rights Reserved.