How to Leverage the Principle of Least Privilege for Stronger Network Security

The principle of least privilege (PoLP) is an information security concept that gives applications or users the minimum network permissions required to perform their jobs. PoLP is therefore an important aspect of privileged access management (PAM). Implementing the principle of least privilege improves network security by avoiding needless exposure: limiting user and employee access, for example, reduces the risk of cybercriminals getting hold of critical files.

Controlling who can reach the most critical assets of an organization is vitally important. The only users with full access should be the current administrators or the executives of the company. Newly hired personnel should start at the lowest permission level, and full permissions should be granted only after screening and a background check. Bear in mind that background checks are always cheaper than data breaches.

Why is PoLP Important?

Putting least privilege in place goes beyond having a single or limited number of admins for internal operations. Many organizations give users over-privileged access to information that has nothing to do with their work. The bitter truth is that half of all users share their credentials with someone else.

Cyber threats originate inside or outside the organization, and both kinds of attacker operate alike. Outside criminals leverage user accounts to gain control over endpoints and to acquire targeted access to valuable data. Insiders leverage the access they already have, or any compromised accounts, to misuse data and applications.

The principle of least privilege ensures that access to critical assets and high-value data is protected. It applies not just to users, but also to applications, connected devices, and systems that require access. It allows the minimum amount of access necessary for employees to complete their jobs without undue restriction, providing a balance that keeps systems safe while facilitating productivity. The primary goals of least privilege include:

• Balancing usability against security protections.
• Implementing a minimum access policy for managing and securing privileged credentials.
• Providing flexible controls that balance compliance requirements with cybersecurity, end-user experience, and operational functions.
• Granting users only the minimum privileges they require.
• Giving users a frictionless experience while keeping the system highly secure.

Key Benefits of Least Privilege

Reducing the Potential for Insider Threats

Malicious insiders use their access to gather all reachable data for exfiltration or destruction. To prevent an insider threat, use a comprehensive security policy that contains procedures to prevent and detect misuse, guidelines for conducting misuse investigations and their potential consequences, and restrictions on employee access to critical infrastructure. Sensitive information should be locked away and high-value systems isolated behind tight access verification. If necessary, biometric authentication can be used to prevent employees from using another staff member's key card.

Reducing the Attack Surface

An attack surface is the set of all points where unauthorized users could gain access to a system and extract data. Organizations with over-privileged users need to implement the least privilege principle to eliminate unnecessary access; a smaller attack surface is easier to protect. One way to begin is by determining user roles and privilege levels, which helps in understanding the particular behaviors of users and employees.

Limiting Malware Propagation or Infection

The principle of least privilege prevents malware from spreading on a network. Malware often requires local administrator rights to gain a foothold, and an administrator with access to many network resources has the potential to spread malware to them. Having fewer users with elevated rights helps reduce malware infections, and in the event of an attack it becomes easier to contain, preventing spread across the entire system. PoLP also reduces users' ability to install or download unauthorized applications, which often include malware.

Increased System Stability

Organizations often have to deal with human error from within the work environment. An employee could, for instance, mistakenly tamper with a file and cause major organizational issues. The principle of least privilege is an effective way to prevent high-impact human error and thus provide greater network and system stability. Applications running with restricted privileges are less likely to crash the entire system, and PoLP also helps limit the downtime associated with a crash or data breach. As a result, an organization practicing PoLP enjoys more stability, enhanced fault tolerance, and improved productivity.

Challenges with PoLP

Implementing PoLP comes with numerous benefits, though certain roadblocks can impede its full success. These include:

Diverse and Complicated Networks

Least privilege comes with the need to centralize accounts to accommodate users and machines. Modern computing environments use numerous complex platforms, both cloud and on-premise, which means multiple endpoints for applications and heterogeneous operating systems. As a result, it becomes challenging to guarantee the five most important concerns for the security of an organization's network: the constant protection of networking equipment, security against attacks on computer operating systems, preservation of computer hardware, and the maintenance of data integrity and of data confidentiality.

Cloud Computing and Environments

Companies using cloud environments experience challenges with a lack of segmentation, excess privileges, and account sharing that stem from cloud-native computing. Misconfigured cloud permissions often leave an organization vulnerable to attack. Implementing the principle of least privilege therefore requires strategies beyond a single tool or product.

Default Settings Challenges

Operating systems focus more on ease of use than on security. Software often ships with default credentials that are easy to find online, and operating systems shy away from enforcing a minimum access policy by default. The implication is that users have the power to carry out actions like creating backups and deleting files, which can negate the principle of least privilege and expose a network to attack.

How to Implement PoLP

Implementing PoLP need not be a complex task; a simple restriction preventing end users from exfiltrating certain information is a good start. Organizations that want to implement the principle of least privilege successfully can start with the following:

• Conduct privilege audits, reviewing all existing accounts, programs, and processes to ensure there are no loopholes.
• Start all new accounts at least privilege, and convert existing ones, to put the necessary checks and balances in place. Privileges can then be added based on the access required to perform specific tasks.
• Separate privileges by distinguishing between lower-level and higher-level privilege accounts.
• Track and trace the actions of users or individual employees through one-time-use credentials. This goes a long way toward avoiding potential damage.

Examples of the Principle of Least Privilege

The principle of least privilege applies at every level of a system: applications, databases, end users, networks, systems, processes, and all other facets of an IT environment. Here are some examples of accounts that need PoLP:

• User Accounts: The principle of least privilege gives users or employees only the rights necessary for carrying out their tasks or responsibilities. If a user's computer is compromised, this limits the lateral spread of the threat. A major challenge arises when an employee has root access privileges, which can cause …
• MySQL Accounts: When several accounts perform distinct tasks, a MySQL setup needs to follow PoLP. If the online application allows users to sort data, the account it uses should hold only the privileges needed to sort records. That way, an attacker who compromises the application gains only the power to sort records. It becomes a big problem if the account also has the power to delete records, as the attacker could then wipe out the entire database.
• Just-in-Time Accounts: Users who rarely need root privileges should hold reduced privileges the rest of the time. Organizations should make it policy that privileged passwords are retrieved from a vault only when needed. Using disposable credentials likewise goes a long way toward cybersecurity and increases the traceability of activity on the network.

Final Thoughts

Network security best practices call for implementing the principle of least privilege. It is an efficient method for ensuring mission-critical data does not fall into the wrong hands. With such high stakes, it is crucial to learn how to implement PoLP properly across your organization's network.
6 Tips for Enhancing Security Across Your Remote Workforce

Before the pandemic, 17% of employees in the US worked from home five days or more per week, a share that catapulted to 44% during the pandemic and to more than 60% after it. The COVID-19 pandemic brought the remote working trend to a climax, as workers were forced to work from home, and the trend continues as many organizations have embraced remote work within their company culture. With this growing trend, organizations should educate employees on data security and on how everyone is responsible for protecting it. They should also establish practices and steps to strengthen the organization's data security, and remote workers must prioritize safe practices and data security education.

Since 2020 began, the expectations surrounding remote work have changed dramatically. Employees are looking for work-from-home jobs at an increasing rate, and employers are adopting the technologies, culture, and processes to make it happen. Across the globe, more businesses have implemented flexible schedules where employees can work on-site, remotely, or both. Upwork estimates that 36.2 million Americans will be working remotely by 2025, an 87% increase from pre-pandemic levels.

While these flexible work options bring a huge range of benefits for both employer and employee, they also bring challenges, particularly around data protection. The increase in remote work must prompt organizations to level up their network security as well: they can no longer rely on traditional network security to prevent unwanted network access. What needs to be done is not difficult; it simply requires technologies that enable stronger security.

One of the main perks of remote work is location flexibility, but now that telecommuting has become commonplace, data security is more of a concern. This stems from employees using unsecured Wi-Fi networks or bringing company devices holding confidential data to public locations. It has been reported that 86% of organizations believe remote workers increase the chances of a data security breach.

So, what can organizations with large remote workforces do to properly secure network access? Here are some viable ways to get started:

Enhancing Security with a Formal Cybersecurity Policy

The first step in protecting an organization's data is ensuring all employees view data security as a priority. Believe it or not, many employees today still do not know that data security is something they should be highly concerned about, at both the professional and the personal level. Employees may assume that if they are not working directly with customer data, or are not high in the organization's hierarchy, they need not worry about data security. Organizations should not assume that their employees know anything about their role in cybersecurity or about best practices.

The best place to start is by creating a cybersecurity policy. Have all existing and new employees review and sign the policy so that everyone in the company holds responsibility for protecting employer data.

Ensure All Internet Connections Are Secure

The most common way to open your company to a data security breach is using an unsecured Wi-Fi network. Remote workers understandably want to get out of the house now and then, so they need to know how to keep company data secure when they do.

The easiest way is to ensure employees use a virtual private network (VPN). When they connect to the VPN before using public Wi-Fi networks, the employee's internet traffic is encrypted and can be monitored for any signs of infection. Remote workers can freely step out of the house, and companies can be confident that their data is secure.

Note that not all VPNs are created equal. To ensure your organization uses an appropriate VPN, verify that the one you are using covers every factor you need, not just last-stage encryption. Once you decide on the standards you want, review the reputation of the VPN provider and conduct a cost comparison.

Keep Strong, Varied Passwords & Use a Password Manager

Another easy way to protect your organization's data is strong password hygiene. Many people still do not consider password safety an important step in preventing data breaches, and many even admit that they use the same password across various programs and devices. Informing remote workers about password protection is therefore one of the major keys to securing your company's data.

Using a password manager to randomly generate passwords is another way to lessen cyber risk. The password manager stores all passwords safely and removes the need for users to remember their different passwords.

Enhancing Security with Two-Factor Authentication

Many organizations are adopting two-factor authentication to improve their data security. This method authenticates the user by requiring a username and password along with either a PIN sent to their cell phone or the answer to a secret question. Passwords can often be stolen or compromised, but with two-factor verification it is unlikely that another person also has the PIN or the answer to the security question.

To enhance security even further, organizations could move to multi-factor authentication that requires additional verification, including fingerprint recognition, face identification, and voice recognition. This is typically more expensive and complex, but could be warranted depending on the level of security an organization needs.

Use Encryption Software

Encryption software is another way organizations and their remote workers can protect data. Suppose an employee's device is lost or stolen. The information on that device can find its way into the wrong hands and expose the company to vulnerabilities and data breaches. Encryption software protects organization data by barring unauthorized or third-party users of those devices from accessing it.

In addition, the organization should be mindful that any programs used for chat, applications, or email should use end-to-end encryption. Popular programs like Adobe Acrobat and Microsoft Office, for instance, can easily encrypt the documents and files that remote workers use and share among each other.

Don't Forget Firewalls, Antivirus Software & Antimalware

Ensure remote workers have up-to-date antivirus software, anti-malware, and firewalls on all their devices. When devices are stolen, organizations might also want to wipe them remotely. Mobile device management platforms can perform most or all of these services, allowing remote workers to continue using their devices while ensuring the safety of company data.

Employees might need their employer's help in ensuring that these protections are installed on their devices. Employees do not all have the same technical expertise, so organizations concerned about data security should be ready to offer technical support. This could mean partnering with tech support services close to their remote workers or forming an internal tech support team that can guide employees through the necessary steps.

Remote work does not have to negate data security. Once these top cybersecurity procedures are implemented and remote workers are educated, they can quickly become standard practices that the entire organization can easily commit to.

Final Thoughts on Enhancing Security for Remote Workers

Diligence from all management and employees is required to ensure these security measures are followed. Following the above guidelines can strengthen your organization's security posture while keeping your data safe and secure.
Portnox & Cisco Meraki: Better Together When Securing & Controlling Access for Cloud Managed IT

The Rise of Cloud Managed IT

Digital transformation is engulfing enterprise IT, with many legacy solutions migrating to the cloud. Combined with the Bring-Your-Own-Device (BYOD), Internet of Things (IoT), cloud adoption and mobile workforce trends, CISOs, network admins and IT teams face new and complex challenges in securing their risk-based perimeter. As that perimeter extends off campus to remote environments, the need arises for convenient access that encourages productivity and increases efficiency, while enforcing security policies and controlling exposure to emerging cyber threats.

Access Control Meets Cloud Managed IT

The Cisco Meraki and Portnox NAC-as-a-Service partnership helps enterprises realize the potential of cloud managed IT by providing complete visibility, control and management capabilities for network access. As enterprises implement digital transformation through BYOD, the Internet of Things, the mobile workforce and cloud infrastructure, pervasive security tools are required to ensure that access is secured across the risk-based perimeter.

Together, Meraki and Portnox provide mid-market organizations and enterprises with the cloud and compliance infrastructure they need to embrace the benefits of digital transformation, while securing, controlling and appropriately managing access across all network endpoints. Quick and easy deployment, low operational costs and flexible on-boarding of network endpoints make the Meraki-Portnox collaboration an essential security tool for the innovative enterprise.

The Key Features of Our Joint Offering

• Enhanced Security: Secure access in all locations and at all times for wired, wireless, and VPN access. 802.1x provides strong user authentication, and a layer of multi-factor authentication (MFA) is added to VPN access.
• Full Visibility: Achieve full visibility into all network endpoints, from operating systems through open ports to running applications. Carry out persistent posture assessments on devices and determine their level of access based on a risk score devised by machine learning.
• Zero-Touch Deployment: Start controlling network access today with a pre-deployed and integrated environment including a certification authority (CA), RADIUS, user databases and more.
• Complete Control Over Access: Discover all network endpoints and authorize access regardless of the endpoint's credential validity, allowing gradual deployment of 802.1x access protection.
• Flexible On-Boarding: Add devices to wired/wireless networks based on a variety of pre-defined or unique parameters, with an option for secured persistent access for contractors and guests.
• Deep Dive into Devices: Gain context on the devices connecting to your network to better understand their level of risk, including information on installed applications, services, certificates, users, open ports and user locations.
• Wide Switch Support: The joint solution supports 802.1X, certificate, domain and MAC authentication, as well as group-based dynamic VLAN assignments.
• Move from CAPEX to OPEX: Turn the capital expenditure you continually invest in maintaining legacy security solutions into operational expenditure that is invested based on level of need and degree of service use.
• Compliance Compatible: Easily implement compliance directives and automate policy management and enforcement across the network.
• Stable and Secure Enterprise Grade Solution: With a highly available yet secured RADIUS server, as well as agent support for all platforms, ensure business continuity no matter the circumstances.
• Support for MSP/MSSP Model: Service providers can easily manage their existing subscriptions together with Portnox, making the solution part of their repertoire of services, including rebranding options as needed.

Portnox-Meraki Use Cases

Portnox and Meraki's joint offering is great news for network security, access and control. Here is how the solutions work together, providing benefits made possible by joining forces:

• Persistent risk assessment of employee and contractor workstations to devise a network access control policy based on usage, location and a number of other endpoint characteristics.
• Risk assessment and access through a one-time password when connecting over the VPN.
• Simple control of network segmentation based on VLAN assignment and Active Directory groups.
• Certificate-based authentication across the entire enterprise, ideal for a multi-site environment.
• Sponsored guest access, making it easier for guests and contractors to access what they need on the network, while controlling the method and scope of access permissions based on endpoint compliance and risk score.

About Cisco Meraki

Cisco Meraki is a cloud managed IT company that offers comprehensive solutions for organizations to manage all of their IT needs in one place. Meraki's set of services includes wireless, switching, security, communications, EMM, security cameras and more, all managed through Meraki's web-based dashboard interface. Meraki was founded in 2006 by Sanjit Biswas, John Bicket and Hans Robertson and was acquired by Cisco in 2012.

About Portnox

Portnox offers cloud-native network and endpoint security essentials that enable agile, resource-constrained IT teams to proactively address today's most pressing security challenges: the rapid expansion of enterprise networks, the proliferation of connected device types, and the increased sophistication of cyberattacks. Hundreds of companies have leveraged Portnox's award-winning security products to enforce powerful network access, endpoint risk monitoring and remediation policies that strengthen their organizational security posture. By eliminating the need for any on-premises footprint common among traditional information security systems, Portnox allows companies, no matter their size, geo-distribution, or networking architecture, to deploy, scale, enforce and maintain these critical security policies with unprecedented ease. Portnox has offices in the U.S. and Israel. For information visit www.portnox.com.
How To Use SASE To Establish & Enable Zero-Trust Network Access

As working environments evolve, we must rethink our approach to network security. The traditional "castle-and-moat" model, where everyone inside the network is trusted by default but no one outside can access the data inside, is no longer fit for purpose. Faced with cloud computing, virtualization, and remote working, a clear perimeter protecting a trusted inside zone no longer works. Today, users work both within and outside the trusted zone, and our networks are becoming increasingly complex.

To combat this, a growing number of organizations are adopting zero trust network access (ZTNA) and secure access service edge (SASE). Crucially, this is not an either/or choice that pits the two against each other and deploys the winner. Instead, tight integration between ZTNA and SASE can deliver a whole host of benefits and safeguard organizations against attack.

What Is Zero-Trust Network Access (ZTNA)?

Coined by Forrester Research in 2010, zero-trust network access is a set of technologies and functions that provides secure remote access to an organization's applications, services, and data based on clearly defined access control policies. Put simply, ZTNA eliminates the concept of implicit trust from network access control (NAC). In practice, this means that no user or device is ever granted access to network resources based solely on its location on the network; using IP addresses as a basis for granting access, for example, is not allowed under ZTNA.

ZTNA emerged from the need for a more robust approach to network security in a world where users and sensitive data may be located anywhere: at home, in the cloud, in the corporate office, and so on. It replaces traditional approaches to NAC with solid authentication and authorization tools. As a result, network administrators can apply granular access controls, fine-tuning access control lists based on the concept of least privilege. For example, they can limit or grant a user's access to an application based on their role, or leverage contextual information to authorize access.

What Is Secure Access Service Edge?

Coined by Gartner in 2019, SASE is an emerging network security approach that combines several cloud-native security technologies to connect users, endpoints, and systems securely. It combines ZTNA, SD-WAN, cloud access security brokers (CASB), secure web gateways (SWG), firewall-as-a-service (FWaaS), SaaS, and more into a single, integrated cloud-based platform.

The SASE model allows companies to do away with siloed infrastructure that may leave gaps in security. It also enables complete visibility across hybrid environments, provides consistent monitoring and reporting, is less complex, and is often cheaper.

Why SASE and ZTNA Are Better Together

Both SASE and ZTNA are crucial components of a modern security architecture, but they are not the same thing. Think of SASE as a higher-level design philosophy that encompasses ZTNA alongside other technologies: SASE is a comprehensive, multi-faceted security framework, while ZTNA is much more narrowly focused. ZTNA is primarily concerned with limiting access to network resources, which is one component of SASE but not all of it.

Used together, SASE and ZTNA provide a more robust and comprehensive solution that protects applications and data no matter where the end user is located. How? Let's look at some specific benefits of using both.

Supporting Remote Access

The dramatic shift toward remote access over the last several years is one of the primary drivers of both ZTNA and SASE. In the past, companies relied on multiple solutions such as firewalls, SWGs, and remote access VPNs. With more and more applications moving to the cloud, however, this approach stopped working: cloud traffic no longer needs to go through a VPN, and companies were struggling to get complete visibility over their applications and data because of the sheer number of cloud-based apps in use. In addition, VPNs are often prohibitively expensive at scale.

SASE offers a better approach to remote access because it connects users to points of presence (PoPs) close to their location instead of routing them to a central data center. At the same time, ZTNA enables more granular and extensive network access control policies, improved scalability, and greater simplicity.

Boosted Agility and Resilience

With a SASE-based solution, companies have only one configuration repository to update; there is no switching between solutions to ensure everything is patched and working correctly. This supports greater agility and lets network teams focus on other tasks. Similarly, ZTNA provides greater resilience against attacks because it ensures full session protection, regardless of whether a user is on or off the corporate network.

Easier to Scale

As mentioned earlier, application and device sprawl makes VPNs challenging to manage as the network grows. SASE and ZTNA combat this issue by bringing the scalability of a multitenant cloud-native platform.

Reducing the Attack Surface

SASE and ZTNA can help reduce the attack surface and mitigate the risk of data breaches. These solutions allow organizations to establish a hardened perimeter that cyber criminals cannot easily penetrate. At the same time, ZTNA ensures that only authorized devices and users can access sensitive data and systems, and that users have access only to the resources they need to do their jobs.

Policy Enforcement Across the Network

Together, these solutions help companies enforce policy across their entire network. This means stronger network security, lower costs, a single view of the whole network, and streamlined network management.

Significant Cost Savings

Deploying security at scale can be expensive, particularly when buying and managing multiple products. Using a single SASE solution with robust ZTNA instead dramatically reduces costs while ensuring robust and comprehensive security.

Final Thoughts on SASE & ZTNA

Faced with an increasingly severe cyber threat landscape and constantly evolving workplace environments, the castle-and-moat approach to security is becoming increasingly risky. Organizations are instead moving toward more modern and robust approaches like ZTNA and SASE. Used in unison, these approaches protect organizations today and prepare them for the future.
802.1x: The Gold Standard of Network Authentication Protocols

What is 802.1x?
IEEE 802.1x is a standard for port-based network access control (PNAC) that defines how endpoints are authenticated before they are allowed to communicate with each other on a LAN. It can be used to manage access for both wired and wireless networks, and it is broadly deployed at company headquarters and branch enterprise networks alike to ensure secure endpoint authentication and network access control.

How does the 802.1x protocol work?
Initiation: The authenticator or the supplicant sends a session initiation request. The supplicant sends an EAP-Response message to the authenticator, which encapsulates the message and forwards it to the authentication server.
Authentication: Messages pass between the authentication server and the supplicant through the authenticator in order to validate several pieces of information.
Authorization: Once the credentials are verified, the authentication server instructs the authenticator to grant the supplicant access to the port.
Accounting: User and device details, session types, service details and session records are kept by RADIUS accounting.
Termination: Sessions are terminated by disconnecting the endpoint device or through management software.

Why is 802.1x authentication important?
802.1x is the gold standard of network authentication security. It can stop over-the-air theft attacks, and it is more secure than the Pre-Shared Key (PSK) setups common on personal networks. Governments, individuals, and large organizations alike require strong network security, beginning with network authentication and access control. Securing all aspects of online data and information has become essential with the increased reliance on technology, and as corporate networks continue to expand, data security remains one of the most critical issues for organizations to consider. While no network is immune to attack, an efficient and stable network security apparatus is important to protect client data. A strong network security system helps limit the risk of falling victim to data theft and helps ensure that data shared across an enterprise network is kept secure. [...]
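The five steps above, as an added example that is not code from the original post: a Python simulation of one 802.1x session in which a supplicant, an authenticator and a RADIUS-style authentication server exchange the messages described, the controlled port opens only on an Access-Accept, and accounting records the session start and stop. The supplicant, server, port name and credential table are constructed for the example, and the credential check is a plain comparison standing in for a real EAP method such as EAP-TLS.

```python
from dataclasses import dataclass, field
from enum import Enum

class PortState(Enum):
    UNAUTHORIZED = "unauthorized"   # controlled port closed: only EAPOL frames pass
    AUTHORIZED = "authorized"       # controlled port open: normal traffic is forwarded

@dataclass
class Message:
    src: str
    dst: str
    kind: str                       # e.g. "EAPOL-Start", "RADIUS Access-Request"
    payload: dict = field(default_factory=dict)

class AuthenticationServer:
    """Constructed stand-in for a RADIUS server backed by a static credential table."""

    def __init__(self, users: dict):
        self._users = users         # identity -> secret (constructed sample data)
        self.accounting = []        # RADIUS accounting records received

    def handle(self, msg: Message) -> Message:
        if msg.kind == "RADIUS Access-Request":
            identity = msg.payload.get("identity")
            if "secret" not in msg.payload:
                # Identity only so far: challenge the supplicant for its credential
                return Message("server", "authenticator", "RADIUS Access-Challenge",
                               {"eap": "Request/Credential", "identity": identity})
            if self._users.get(identity) == msg.payload["secret"]:
                return Message("server", "authenticator", "RADIUS Access-Accept",
                               {"eap": "Success", "identity": identity})
            return Message("server", "authenticator", "RADIUS Access-Reject",
                           {"eap": "Failure", "identity": identity})
        if msg.kind == "RADIUS Accounting-Request":
            self.accounting.append(dict(msg.payload))
            return Message("server", "authenticator", "RADIUS Accounting-Response")
        raise ValueError(f"unexpected message {msg.kind}")

class Supplicant:
    """The endpoint. It never talks to the server directly; the authenticator relays EAP."""

    def __init__(self, name: str, identity: str, secret: str):
        self.name, self.identity, self.secret = name, identity, secret

    def respond(self, eap_request: str) -> str:
        # Answers the two EAP requests used in this simplified exchange
        return self.identity if eap_request == "Request/Identity" else self.secret

class Authenticator:
    """The switch or access point: relays EAP to the server and owns the port state."""

    def __init__(self, server: AuthenticationServer, port: str):
        self.server, self.port = server, port
        self.state = PortState.UNAUTHORIZED
        self.session_user = None
        self.transcript = []        # every message seen, in order, for inspection

    def _ask_server(self, msg: Message) -> Message:
        self.transcript.append(msg)
        reply = self.server.handle(msg)
        self.transcript.append(reply)
        return reply

    def authenticate(self, supplicant: Supplicant) -> PortState:
        # Initiation: EAPOL-Start from the supplicant, then EAP-Request/Identity from the port
        self.transcript.append(Message(supplicant.name, "authenticator", "EAPOL-Start"))
        identity = supplicant.respond("Request/Identity")
        # Authentication: relay the identity, then the challenge and the credential response
        challenge = self._ask_server(Message("authenticator", "server", "RADIUS Access-Request",
                                             {"identity": identity, "port": self.port}))
        secret = supplicant.respond(challenge.payload["eap"])
        result = self._ask_server(Message("authenticator", "server", "RADIUS Access-Request",
                                          {"identity": identity, "secret": secret, "port": self.port}))
        # Authorization: only an Access-Accept opens the controlled port
        if result.kind == "RADIUS Access-Accept":
            self.state, self.session_user = PortState.AUTHORIZED, identity
            # Accounting: tell the server the session has started
            self._ask_server(Message("authenticator", "server", "RADIUS Accounting-Request",
                                     {"status": "Start", "identity": identity, "port": self.port}))
        return self.state

    def terminate(self) -> PortState:
        # Termination: link down or an admin disconnect closes the port and stops accounting
        if self.state is PortState.AUTHORIZED:
            self._ask_server(Message("authenticator", "server", "RADIUS Accounting-Request",
                                     {"status": "Stop", "identity": self.session_user, "port": self.port}))
        self.state, self.session_user = PortState.UNAUTHORIZED, None
        return self.state

def run_session(identity: str, secret: str):
    # One full session on a constructed switch port: (state after auth, state after teardown, accounting)
    server = AuthenticationServer({"alice": "correct horse"})    # constructed credential table
    switch = Authenticator(server, port="Gi1/0/7")
    state = switch.authenticate(Supplicant("laptop-1", identity, secret))
    final = switch.terminate()
    return state, final, server.accounting
```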
NAC, SDP, ZTNA & The Future of Access Control

The Future of Access Control
For over a decade, Virtual Private Networks (VPNs) have provided businesses with secure access for remote workers and end users. As cyberthreats become more rampant and dangerous, communication and network requirements are continuously changing in response. VPNs have begun to show their limits as they fail to address various security concerns in this ever-changing landscape. The VPN technology in use today may not be able to modernize and adapt to evolving security threats. This is where Software-Defined Perimeters (SDP), Zero Trust Network Access (ZTNA) and Network Access Control (NAC) come into play. Their collective purpose is similar to a VPN's, but they serve as more comprehensive network security solutions.

Network Access Control (NAC)
NAC is a technology designed to provide endpoint authentication and network access controls so that only authorized devices are granted access to a network. Research has shown that NAC and SDP have become essential elements in building Zero Trust Networks, as they enable monitoring, visibility, and control at the network access layer. NAC is therefore a critical foundation for cybersecurity resilience at the access layer. Moreover, NAC builds on other core technologies to achieve ZTNA, so NAC vendors should provide easy deployment options and software integration. Although network infrastructure is evolving rapidly, many organizations keep hybrid or legacy environments; NAC can be deployed through either on-prem or virtual appliances.

Software-Defined Perimeter (SDP)
SDP solutions are designed to apply the principle of least privilege (PoLP), and they are software-centric rather than hardware-based. SDP conceals the network infrastructure so that it cannot be seen by external parties and attackers. Once the device and the user are authenticated, SDP builds a one-to-one connection between the server and the device. To understand how an SDP solution works, think of a door that is always kept locked. Because it is locked, no one can enter or even look inside until the person inside verifies who the visitor is and what they are doing. Once the visitor enters, the person in the house locks the door again.

Zero Trust Network Access (ZTNA)
ZTNA is a security solution that provides secure remote access to data and services based on defined access control policies. ZTNA differs from a VPN in that it grants authenticated users access only to the resources needed to perform their job, and it helps to close gaps in other secure remote access methods and technologies. In this way, ZTNA works similarly to SDP: both use the concept of a dark cloud to stop users from seeing network resources they are not authorized to access. [...]
Leveraging Machine Learning for Behavior-Based Access Control

Enterprises today need to interact dynamically and share information with the right people at the right time. As a result, organizations continually add more interconnected systems to their network so that information is readily accessible to those who need it. However, while this interconnectedness is crucial for modern businesses to thrive, it also leaves them vulnerable to cyberattacks. And as enterprise environments become more complex, it’s becoming clear that traditional approaches to access control and threat monitoring simply aren’t sufficient in an increasingly severe cyber threat landscape. But some leading cybersecurity researchers think there could be a better way – Behavior-Based Access Control (BBAC).

What Is Behavior-Based Access Control (BBAC)?
In simple terms, Behavior-Based Access Control is a way of analyzing actor behavior and assessing the trustworthiness of information in real time using machine learning algorithms. But before we can truly understand BBAC, we first have to understand how enterprises tackle these issues today.

The Current State of Access Control
Companies currently use a combination of different technologies and methodologies to monitor their systems and grant access to information. The way we approach access control has evolved considerably over time and now includes methods like role-based (RBAC), team-based (TMAC), attribute-based (ABAC), context-based (CBAC), and situation-based (SitBAC) access control, among others. But while these approaches do a decent job of locking down information to authorized users, they’re not without drawbacks. Crucially, most current access control methods are grounded in static policies governed by access control rules, and this presents some significant security risks. For example, what happens if a bad actor steals an access card? Or if an insider performs illegitimate actions within their privilege realm? With traditional access control methods, bad actors can potentially go undetected for a considerable amount of time, exfiltrating data or wreaking havoc on the network.

Misuse of information should be a top priority for any modern enterprise. Still, the situation becomes especially serious for companies that deal with highly sensitive data, like those in the healthcare, finance, and government sectors. And companies in these sectors (or sufficiently large companies in any industry) are increasingly moving towards large-scale distributed systems, where various components are spread across multiple computers on a network. But these systems are often as complex as they are large. As a result, managing access control at scale quickly becomes unmanageable, and errors often slip through the net.

The Current State of Threat Monitoring
On the monitoring side, companies leverage technologies like the Snort or Bro network intrusion detection systems or a Host-Based Intrusion Detection System (HIDS). And while these monitoring systems help safeguard corporate systems, they have several limitations. Namely, these solutions are typically signature-based and narrowly focused on specific parts of the overall system. Signature-based monitoring can’t account for sophisticated attacks, like zero-day attacks, where signatures are not yet known. Lastly, while companies today often collect vast amounts of useful security data such as server logs, they don’t analyze this data in real time. Instead, this data is used for offline forensics, potentially days, weeks, or even months after a security event. By this time, attackers have likely already completed their nefarious activities and are long gone.

How BBAC Works
BBAC leverages machine learning to dynamically analyze actors’ intent and assess the trustworthiness of information within the system. But how? BBAC combines rule-based behavior signatures with statistical learning methods to create a more robust and flexible way of assigning and managing trust. So, for example, BBAC can analyze patterns in the network and adjust access over time and as needed. It can also respond to potential security events in real time. For example, the machine learning algorithm can create a baseline for expected user behavior using historical and real-time data. Anything that falls outside this baseline could be considered suspicious and warrant immediate action, either manually or through automation. This is contrary to how isolated traditional rule-based systems work, whereby once an actor gains access, they can essentially operate with impunity within their access rights.

The idea here is that BBAC can diminish the risk of misplaced trust and deter the abuse of authorized privileges by continuously monitoring behavior. It analyzes observable behaviors on several different layers in real time to check for intricate patterns that would otherwise go unnoticed. And by employing this type of sophisticated analysis, IT teams eliminate the need for draconian deny rules at specific layers in the system. At the same time, user-based BBAC can help alleviate some of the problems companies face when defining access. For example, let’s say a particular policy is set up to deny access to specific files if a user isn’t in an approved location. The machine learning model might detect that users continually request this type of access and alert the security team. Armed with this information, businesses can adjust their policies to allow more flexibility within certain contexts.

The Nuts & Bolts of BBAC
So, what’s actually going on here? How does this machine learning thing really work? Machine learning is all about getting computers to “learn” and make decisions without explicit instructions. And for a machine-learning algorithm to learn, it needs to process vast amounts of data. For BBAC, the relevant data comes in the form of network flow information (TCP and UDP), higher-level protocols (HTTP, XMPP, and SMTP), audit records (like those produced by web and DNS servers), and application-level content like PDF documents or email and chat messages.

So, that’s the data that feeds the model, but what about the model itself? BBAC models are still in their infancy, but current examples use a combination of supervised and unsupervised machine learning to achieve full BBAC functionality. Supervised learning leverages labeled datasets designed to train or supervise the algorithm in classifying data and accurately predicting outcomes. So, for example, the algorithm becomes competent at separating data into specific categories, like expected network traffic and unexpected network traffic. This is called classification. The regression method of supervised learning can also be used to understand the relationship between dependent and independent variables, which can be useful for predicting outcomes from numerical data. By contrast, unsupervised learning uses unlabeled datasets and allows the algorithm to discover hidden patterns without human intervention.

Wrapping Up
Behavior-based access control has enormous potential to make enterprise environments more secure, flexible, and responsive. And as we progress through the 2020s, we expect to see more research in this area and likely adoption of this technology by reputable firms. The Department of Defense is actively interested in BBAC, so that should tell you something about where this approach is heading! [...]
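The behavior baseline described in "How BBAC Works", as an added example that is not part of the original post: a constructed per-user access history is turned into a baseline (typical transfer volume, hours seen, resources used), each new event is scored by how far it departs from that baseline, and the score drives allow, step-up authentication or block-and-alert; accepted events are fed back so the baseline adapts over time. The users, resource names, history and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessEvent:
    user: str
    hour: int          # hour of day the request was made, 0-23
    bytes_out: int     # bytes delivered to the endpoint in the session
    resource: str      # constructed resource names such as "crm-db"

# Constructed sample history: two weeks of routine activity for two users
HISTORY = (
    [AccessEvent("alice", 9 + d % 4, 20_000 + 500 * d, "crm-db") for d in range(14)]
    + [AccessEvent("alice", 14, 15_000 + 300 * d, "wiki") for d in range(14)]
    + [AccessEvent("bob", 8 + d % 3, 5_000 + 100 * d, "hr-share") for d in range(14)]
)

class BehaviorBaseline:
    """Per-user profile learned from history: volume statistics, hours seen, resources seen."""

    def __init__(self, history):
        self.history = list(history)
        self._rebuild()

    def _rebuild(self):
        per_user = defaultdict(list)
        for ev in self.history:
            per_user[ev.user].append(ev)
        self.profiles = {}
        for user, events in per_user.items():
            sizes = [e.bytes_out for e in events]
            self.profiles[user] = {
                "mean": statistics.fmean(sizes),
                "stdev": statistics.pstdev(sizes) or 1.0,   # guard against constant history
                "hours": {e.hour for e in events},
                "resources": {e.resource for e in events},
            }

    def observe(self, ev: AccessEvent):
        """Feeds an accepted event back in so the baseline adjusts over time."""
        self.history.append(ev)
        self._rebuild()

    def score(self, ev: AccessEvent):
        """Returns (score, reasons); each deviation from the user's baseline adds to the score."""
        profile = self.profiles.get(ev.user)
        if profile is None:
            return 3.0, ["no baseline for user"]      # unknown actor: treat as high risk
        score, reasons = 0.0, []
        z = (ev.bytes_out - profile["mean"]) / profile["stdev"]
        if z > 3:                                      # volume far above the user's norm
            score += min(z / 3, 3.0)
            reasons.append(f"volume z-score {z:.1f}")
        if ev.hour not in profile["hours"]:
            score += 1.0
            reasons.append(f"unusual hour {ev.hour:02d}:00")
        if ev.resource not in profile["resources"]:
            score += 1.0
            reasons.append(f"first access to {ev.resource}")
        return score, reasons

def decide(baseline: BehaviorBaseline, ev: AccessEvent):
    """Maps the score to an access decision; the thresholds are constructed for the example."""
    score, reasons = baseline.score(ev)
    if score >= 2.0:
        action = "block-and-alert"
    elif score >= 1.0:
        action = "step-up-auth"
    else:
        action = "allow"
        baseline.observe(ev)     # only accepted behaviour extends the baseline
    return action, score, reasons
```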
How Organizations Can Properly Secure Network Access for Remote Workforces

IT security policies have traditionally been perimeter-based, primarily concerned with the network activity within the organization's own offices and corporate network. While remote work certainly existed before, it has now become a standard – even an expectation among employees – no matter the industry or job function. This rapid expansion of remote workforces has created significant operational and cultural changes for companies worldwide – particularly when it comes to IT and securing corporate digital ecosystems. Many organizations were not fully prepared for such an immense transition: an expanding corporate edge and countless new endpoints. With so many workers now scattered beyond the walls of their physical offices, IT departments find themselves struggling to monitor and gauge the real security posture of their networks and the endpoints in use across them. The weakest link is no longer in the cubicle next to you – it can be halfway around the world in the home office of an employee using a VPN on a compromised laptop.

Secure Network Access for Remote Workers: Challenges Today
There are numerous potential risks for companies when it comes to enabling secure network access for remote workforces:
Limited Network & Endpoint Visibility: Remote work environments can make it considerably more difficult for an organization to maintain visibility and control over the data security of its employees. A lack of visibility inhibits IT and security teams from achieving operational and security objectives, while putting the business at increased risk.
Increased BYOD Use: An increasing number of employees use personal devices to access company networks, especially as employees work from home with greater regularity. In many cases, these devices are not fully compliant with their employer’s security policies. Unsecured personal devices can provide attack vectors for cybercriminals to target a corporate network.
Social Engineering Attacks: As organizations have bolstered their cybersecurity measures over time, it has become more difficult for cybercriminals to exploit security posture vulnerabilities. In turn, many have favored more cost-effective tactics to breach networks, like phishing emails that capitalize on human error and trust. Social engineering tactics need only an unwitting or distracted employee to succeed, and therefore typically require less technical knowledge to pull off.

What’s Needed to Secure Network Access for Remote Workers
Here are some critical considerations when it comes to enabling secure network access for remote workers:
Firewall: Serving as something of an electric fence for your network, firewalls remain a basic but essential extra layer of protection for remote workers. One pitfall is that employees may disable their firewall if they believe it is slowing down their device, which keeps it from blocking malicious traffic.
Antivirus: A just as essential, yet often forgone, staple in your security stack is antivirus software. In addition to providing protection from all sorts of malware, today's Next-Generation Antivirus (NGAV) utilizes predictive analytics driven by AI and machine learning for advanced threat detection. This includes determining root causes from endpoint data and responding to previously undetected emerging threats.
Managing Endpoint Visibility: Unmonitored remote devices can bring an abundance of potential threats to a network if they are not up to date and properly configured. Visibility is the key issue here. By implementing solutions like NAC, companies gain insight into every user and device on their network, allowing them to pinpoint any weaknesses within it. With this visibility they can then control, adjust, or deny access for any device as needed.
VPN: While it’s common for companies to offer secured VPN connections for remote employees, a VPN can’t serve as a comprehensive security solution. A VPN alone can leave you in the dark about the security posture and compliance level of the device connecting to it. You could unknowingly be giving a compromised device safe passage directly onto your network.
Device Risk Monitoring & Mitigation: With the help of an agent or MDM, NAC solutions like Portnox CLEAR can work alongside a VPN, offering two-factor authentication based on user identity and endpoint risk score. Continuous monitoring is key here for keeping countless users and devices in compliance, no matter their location. By knowing the security posture of remote devices, IT teams can adjust their security policy and mitigate potential threats.
Employee Training & Awareness: Employees are more likely to be lax with their security habits outside the office, and cybercriminals are no strangers to this reality. Maintaining employee awareness of these potential threats is key for risk mitigation. Whether regarding proper password management, compliance policies, or how to spot phishing attempts, it’s highly beneficial to offer employee education and training in security best practices. [...]
Leading UK Loan Lender Deploys Portnox Cloud-Native NAC Across 75 Sites

Everyday Loans is the UK’s leading independent loan lender, operating dozens of branches across the country and boasting a personal, hands-on approach to lending that is uncommon in today’s digitally anonymous financial services industry. Today, personal lending in the UK has grown into an industry approaching 24 billion GBP, with recent acceleration due to widespread financial uncertainty and hardship in the wake of the COVID-19 pandemic. The company’s IT department, led by Head of IT Tony Sheehan, experienced the tangible impact of this market growth as more and more customers walked through the doors of Everyday Loans’ many branches, and as the company increased its employee headcount in response to demand. With more guests and customers on-site as well as a growing workforce, Sheehan and his team began to assess potential cybersecurity vulnerabilities – beginning with the corporate network. Sheehan describes the company’s initial network security vulnerabilities: “We have a presence online, but we’re predominantly a face-to-face lender. We have over 75 offices with many new and repeat customers coming in to discuss a loan, as well as part-time staff for cleaning, security and maintenance. As a result, we knew network authentication was an obvious vulnerability.”

Shifting Focus to Network Authentication
Implementing a solution for network authentication was a logical next step for Sheehan’s IT team. Given the increased branch foot traffic, the company needed to ensure it had total device awareness across the network. “This was a concern voiced to our new CTO when he came on board. He agreed, so we went about looking at different tools for network authentication and access control,” said Sheehan. Another factor driving a focus on NAC was staff turnover. “Like every company, we have staff that leave us, and we need to ensure they can no longer access our network after they’ve departed,” said Sheehan. At that point in time, Everyday Loans knew that its use of a hidden SSID paired with a PSK was not up to snuff from a security standpoint. As Sheehan and his team began to research potential solutions for network authentication and access control, two requirements became apparent:
- They had no desire to build upon their existing on-prem or virtual footprint; adding maintenance tasks to the laundry list of other IT responsibilities was a non-starter.
- The company wanted a SaaS solution that could support its existing cloud-native hardware – primarily Meraki network devices and ChromeBox endpoints.

Considering Network Access Control Options
Sheehan and his team found themselves at a crossroads as they mulled over these requirements. “We were either going to double down and stand up another datacenter as part of a general infrastructure expansion initiative, which would also enable us to deploy network access control on-premises, or we were going to go out and find a cloud-native NAC solution that fit our needs,” Sheehan said. Having considered Microsoft NPS for RADIUS authentication and 802.1X, and Cisco ISE for full network access control, Sheehan and Everyday Loans’ IT team made the executive decision that neither tool was suited to their existing network security needs, internal skillsets, resource bandwidth or networking infrastructure. “We came across Portnox CLEAR fairly quickly thanks to the help of our partner, Haptic Networks,” Sheehan continued. “It was the only true cloud-native NAC we could find with the deployment and support model we wanted. Each of the other vendors had some solutions that were close in functionality, but in the end, they didn’t cover our needs totally – either functionally or operationally in terms of their ease of use. Ultimately, we went with Portnox CLEAR since it provided coverage across all our network devices and connected endpoints.”

Up & Running with Portnox CLEAR
After beginning a proof of concept of Portnox’s cloud-native NAC-as-a-Service, Everyday Loans ruled out competing alternatives. “It worked as expected. After comparing Portnox CLEAR’s robust, easy-to-use functionality to that of the other vendors up for consideration, we soon dismissed alternatives as they did not meet our technical security requirements,” Sheehan said. The trial continued, and Sheehan’s team threw every possible authentication and access control use case they could conjure up at the system to test its durability. “Anyone with good network experience will pick up Portnox CLEAR with ease – it’s just a case of ensuring how you set up the network hardware and what control you have over employee and guest devices,” Sheehan went on to say. Everyday Loans was able to deploy Portnox CLEAR across its 75 sites with relative ease, saving the company’s headquarters for last. “Portnox CLEAR has exceeded my expectations. Now that it is fully deployed, the visibility and control we have of users authenticating to the network is unparalleled,” Sheehan concluded. “It is a huge bonus that the system easily integrates with Azure Active Directory and provides its own certificate authority out-of-the-box. Having multiple methods for authentication helps us ensure all our bases are covered. The solution has been reliable from day one.” [...]
Cyber Security Essential #2: 802.1x Network Access Control

Why is 802.1x Network Access Control Essential?
802.1x network access control is a technology that enables organizations to enact their own unique policy for how and when endpoints (desktops, laptops, smartphones, etc.) can connect to their corporate networks. NAC solutions are typically designed to give IT security teams visibility of each device trying to access the network, and specifically the type of device and the access layer being used (i.e. WiFi, wired ports, or VPN). Today, 802.1x network access control provides a number of powerful features on top of what it was originally designed for years ago. These include security posture assessments for endpoints, which pinpoint any associated endpoint risks, allowing network security administrators to control network access based on their organization’s risk tolerance threshold. With the rise of cloud computing, remote workforces, bring-your-own-device (BYOD) policies, and the internet of things (IoT), network access control has become a much more critical part of the larger cybersecurity technology stack at most companies. The technology itself has also evolved quite drastically in response to these emerging trends and their impact on networking and network security.

Key Functionality to Consider When Deploying a NAC Solution

Network Visibility & Device Discovery
A NAC solution discovers and identifies all devices and users in the network before they are granted network access, which requires continuous monitoring of the network and the devices connected to it. The system enables the discovery, classification and assessment of every device connected to the network. The configuration and security state of every device is monitored, ensuring that the network and devices comply with the organizational security policy.

Full Access Layer Coverage
As today’s networks explode in size and scope, particularly with remote workforces on the rise, it’s imperative that your 802.1x network access control solution can manage access control across all existing access layers. This includes the obvious – wired ports and WiFi. It must also be able to manage the various remote access methods used within your organization. These may include VPN, teleworker gateways, and beyond.

Authentication Services
Traditionally, enterprises have enabled network authentication via usernames and passwords. As we now know, this method of authentication can be easily compromised by bad actors, so it is no longer sufficiently secure for enforcing network access control. Any NAC worth its salt should offer several methods for authentication, including role-based authentication, MAC authentication bypass (MAB), and certificate-based authentication backed by a certificate authority.

Device On-Boarding
Business units and even departments (think Finance & Accounting, for example) often have their own VLANs since they deal with very sensitive, confidential data. The task of setting up such VLANs and onboarding new devices is just one of dozens of tasks overseen by frequently overburdened IT teams. So, if not done correctly the first time, it can open the door to potential network vulnerabilities, such as a person gaining access to a part of the network he/she should not have the privileges for. At a small scale, managing access manually is often sufficient. For larger organizations, however, this just isn’t sustainable. As a result, many large organizations that don’t have a secure onboarding process end up compromising on network security hygiene.

Policy Configuration
Network security teams define and activate access control policies to control device access to the corporate network, based ultimately on the device authorization state. Once a device is authorized for network access, a network access policy determines which specific virtual LAN (VLAN) that device or user is directed to. On top of that, the policy also defines, for each type of authorization violation, whether to deny entry or to quarantine the device by assigning it to a specific VLAN or applying an access control list (ACL).

Endpoint Risk Monitoring
Your corporate network is only as strong as its weakest security link. This means continuous risk posture assessment is paramount. By continually monitoring the network, your network and security teams can stay ahead of cyberattacks with the ability to identify new risks in real time, react to them, and take action. In a world with ever-expanding boundaries and an exponential increase in types of endpoints, continuous risk posture assessment must function regardless of location, device type, or the type of data being transferred.

Device Remediation
Having a rapid remediation plan in place will not only help prevent further damage or the lateral spread of attacks but also allow for business continuity. Effective endpoint remediation consists of:
Automated Patch Updates Across the Network – Enforce necessary patch, anti-virus, operating system, and application updates across managed and unmanaged endpoints.
Immediate Incident Response – Contain ransomware events by remotely disconnecting endpoints from the network without the need for manual intervention.
Armed Incident Response Teams – Arm IT professionals and network admins with the ability to remotely take actions on employees’ devices.
The proliferation of IoT devices over the last decade has prompted a growing number of network security concerns. With all of these devices – printers, CCTV cameras, ATMs, MRI machines, etc. – now connected to their respective networks, corporate threat surfaces are expanding exponentially.

Compliance Enforcement
NAC is used to enforce regulatory policies and maintain compliance across the organization. In practice, this typically means:
Understanding how mobile, BYOD, and IoT devices will affect and transform not only the organization but the industry, and implementing the right processes and tools to control them.
Tracking any network-related device or program in real time via a centrally secured platform providing full and actionable visibility.
Controlling access to the network and to cloud applications, even based on the geographical locations of users.
Ensuring that the business is in compliance with governmental regulations like SOX, PCI DSS, HIPAA, FINRA, FISMA, GLBA among others.
Strict compliance will provide legitimacy with clients and partners. [...]
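The "Policy Configuration", "Endpoint Risk Monitoring" and "Device Remediation" points above, as an added example that is not Portnox code: a small NAC authorization decision that maps authorization state and agent-reported posture checks to a permit on the corporate VLAN, a quarantine VLAN plus remediation ACL, or a deny, re-runs the policy when a later posture report arrives, and drops a session flagged by incident response. The VLAN ids, ACL names, device types and patch-age threshold are constructed placeholders.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

@dataclass
class Endpoint:
    mac: str
    auth_method: str            # "certificate", "credentials", "mab" (MAC auth bypass) or "none"
    auth_ok: bool               # result reported by the authentication server
    device_type: str            # profiled type: "workstation", "printer", "camera", "unknown"
    posture: dict = field(default_factory=dict)   # agent-reported checks, e.g. {"antivirus": True}
    incident: bool = False      # set by incident response to force containment

@dataclass
class Decision:
    action: str                 # "permit", "quarantine" or "deny"
    vlan: Optional[int] = None
    acl: Optional[str] = None
    reason: str = ""

# Constructed policy values (hypothetical VLAN ids, ACL names and patch threshold)
VLAN_CORP, VLAN_IOT, VLAN_QUARANTINE = 10, 30, 999
ACL_REMEDIATION = "acl-remediation-only"     # patch and AV servers reachable, nothing else
MAX_PATCH_AGE_DAYS = 30
PROFILED_IOT = {"printer", "camera"}

def posture_violations(posture: dict) -> list:
    """Names each failed posture check; an empty list means the endpoint is compliant."""
    violations = []
    if not posture.get("antivirus", False):
        violations.append("antivirus-missing")
    if not posture.get("firewall", False):
        violations.append("firewall-disabled")
    # A missing patch report counts as stale: unknown state is not compliant state
    if posture.get("patch_age_days", MAX_PATCH_AGE_DAYS + 1) > MAX_PATCH_AGE_DAYS:
        violations.append("patches-stale")
    return violations

def authorize(ep: Endpoint) -> Decision:
    """Maps authorization state and posture to the VLAN/ACL the port should apply."""
    if ep.incident:
        # Immediate incident response: drop the session regardless of credentials
        return Decision("deny", reason="contained by incident response")
    if not ep.auth_ok or ep.auth_method == "none":
        return Decision("deny", reason="authentication failed")
    if ep.auth_method == "mab":
        # A MAC address is not a credential, so MAB devices never reach the corporate VLAN
        if ep.device_type in PROFILED_IOT:
            return Decision("permit", VLAN_IOT, f"acl-{ep.device_type}-only", "profiled IoT device")
        return Decision("quarantine", VLAN_QUARANTINE, ACL_REMEDIATION, "unprofiled MAB device")
    violations = posture_violations(ep.posture)
    if violations:
        return Decision("quarantine", VLAN_QUARANTINE, ACL_REMEDIATION, ", ".join(violations))
    return Decision("permit", VLAN_CORP, None, f"{ep.auth_method} auth, posture compliant")

def reevaluate(ep: Endpoint, new_posture: dict) -> Decision:
    """Continuous monitoring: a later posture report re-runs the policy on the same session."""
    return authorize(replace(ep, posture=new_posture))
```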
Winning the War Against Hackers in the Face Of Device Proliferation

Expanding Network Edges & Device Proliferation
With the advent of COVID-19, an enormous push to hybrid work changed the threat landscape. Many more activities have become remote, and therefore more reliant on and demanding of secure remote network connections. As more organizations expand their hybrid workforce models, the network edge continues to push outward and the number of potential entry points for attackers increases. Device proliferation – specifically BYOD – is exacerbating this trend. As of 2021, 67% of employees use personal devices at work, and 59% of organizations have adopted BYOD. IoT device proliferation is also broadening the threat surface, adding to the list of endpoints not only in the office, but also in the operating room, on the factory floor and in the shipping warehouse. There may be some 21.5 billion IoT devices by 2025 – a number that keeps IT security professionals up at night. From security cameras to connected multifunction copiers, IoT devices open up real potential for breaches.

The Role of Network Access Control
With so many diverse, dispersed devices requesting network access, security teams must be more diligent about setting and enforcing access control policies. To maintain vigilance, security teams need to focus their efforts on network access control (NAC). In a perfect world, this means deploying a NAC that offers cloud RADIUS services, a variety of authentication methods, and 24/7 endpoint risk assessment and remediation across all prominent access layers – wired, wireless and VPN. What is required is a NAC that is simple yet powerful – easy to use while providing the extensive security coverage needed to confront these challenges head-on. [...]
Food Company Replaces Cisco ISE with Portnox Cloud-Native NAC

New Jersey-based Schuman Cheese has a long, storied history of delivering world-class cheese products to the U.S. market. Operating across several facilities in New Jersey, Illinois, Wisconsin and California, the company maintains a workforce of more than 400, with revenues topping $500 million annually.

A Deep Dive with Portnox CORE
About four years ago, Schuman Cheese went out in search of a network access control (NAC) solution to help the company manage network access across its many wired ports. Led by IT Infrastructure Administrator Andrew Sayegh, Schuman Cheese came across Portnox CORE while conducting research online, and determined the platform was worth pursuing. “We initially had a demo, then did a proof of concept, which was very easy to get up and running,” Sayegh said. “We found that the visibility that Portnox CORE gave us for each port in use across the company was unparalleled. We really loved the platform off the bat.”

Assessing NAC Alternatives like Cisco ISE
Simultaneously, Sayegh and his team were investigating Cisco’s Identity Services Engine (ISE), a legacy on-premise NAC solution. “I had previous experience with ISE, but I still needed another engineer to help me configure and implement it. Had I done it alone, it would’ve taken me a full week or more to complete,” said Sayegh. After some time using ISE and comparing it to Portnox CORE, Sayegh and his team felt the choice was obvious. “If ISE ever went down, we wouldn’t know how to fix it on the fly. We’d have to find a temporary solution to allow people to reconnect to WiFi and wired ports. It was just always a struggle, especially with over 200 people connecting to our wireless network every day.”

Closing the WiFi Security Gap Where ISE Fell Short
More recently, years after selecting Portnox CORE for the company’s wired network, Sayegh and the Schuman Cheese IT security team set their sights on rectifying lingering access control issues related to ISE across its wireless network. “We conducted a test of Portnox CLEAR – your cloud NAC service – for access control across our WiFi environment. It took literally ten minutes to set up with the help of Portnox’s support engineer,” Sayegh continued. “It was just so easy to use out of the gate.”

The Pandemic & Cloud Adoption
“Since we’re a food manufacturer, we still needed to have people in our facilities and warehouses on site during the pandemic. These folks would need to be able to connect to WiFi primarily,” said Sayegh. “The implementation of Portnox CLEAR for WiFi gave us much needed access control that was flexible and easy to enforce during this period of uncertainty.” Despite the challenges posed by the pandemic, Sayegh and his team continued a campaign of cloud adoption when it came to new security tools – into which Portnox CLEAR fit well. “We are making a real push to adopt cloud-based tools – that was a major factor in us bringing in CLEAR to support our access control policies across WiFi alongside CORE for wired,” Sayegh stated. The hybrid use of CORE (on-premise) with CLEAR (cloud-delivered) for network access control has been exceptionally effective for Schuman Cheese, especially now as employees return to the office post-pandemic and wired network usage surges alongside continued WiFi reliance. Sayegh concluded: “It’s been very easy to work across both NAC solutions to enforce our network access control policies and keep the network secure. [...]
Is Secure Access Service Edge the Future of Network Security?
All Hail, SASE!

SASE, pronounced “sassy”, stands for Secure Access Service Edge. It is a cloud-based network security model and category proposed by Gartner in 2019. The model bundles network security solutions into a global, cloud-native service that allows IT teams to easily connect and secure all of their organization’s networks and users in an agile, cost-effective and scalable way. This is especially useful in today’s globally dispersed digital enterprise. According to Gartner’s analysis, SASE can be characterized as an identity-driven, cloud-native, globally distributed technology that supports and impacts all enterprise edges and IT domains. For example, this would include a branch office in LA along with the main HQ in London, while traveling or mobile team members connect on the go. SASE addresses the numerous problems with traditional network security methods, many of which are rooted in the idea that network security architectures should be placed at the center of connectivity in the HQ or data center, leaving branch locations typically more vulnerable to attack.

The Fundamentals of Secure Access Service Edge

According to Gartner, in a cloud-centric digital business, users, devices and the networked capabilities they require secure access to are everywhere, and what security and risk professionals in a digital enterprise need is a worldwide fabric/mesh of network and network security capabilities that can be applied when and where needed to connect entities to the networked capabilities they need access to. Implementing a SASE architecture would benefit enterprises by providing:

Lower costs and complexity – Network Security as a Service should come from a single vendor. Consolidating vendors and technology stacks should reduce cost and complexity.
Agility – Enable new digital business scenarios (apps, services, APIs), and make data shareable to partners and contractors with less risk exposure.
Better performance/latency – Latency-optimized routing.
Ease of use/transparency – Fewer agents per device; less agent and app bloat; a consistent application experience anywhere, on any device. Less operational overhead by updating for new threats and policies without new hardware or software; quicker adoption of new capabilities.
Enable ZTNA – Network access based on the identity of the user, device and application rather than IP address or physical location, for seamless protection on and off the network; end-to-end encryption. Extended to the endpoint with public Wi-Fi protection by tunneling to the nearest Point of Presence (POP).
More effective network and network security staff – Shift to strategic projects like mapping business, regulatory and application access requirements to SASE capabilities.
Centralized policy with local enforcement – Cloud-based centralized management with distributed enforcement and decision making.

SASE & Network Access Control

In essence, SASE converges the functions of network and security solutions into a single, unified cloud service. This marks an architectural transformation within the realm of enterprise networking and security, and it means that IT teams can now deliver a holistic and flexible service to their businesses. The logical next step in the evolution of network security is for organizations to leverage a NAC solution that’s delivered as a cloud service. This eliminates the need for costly on-site appliances and ongoing maintenance. Now, all that’s needed to control network access at branches and headquarters alike is an internet connection. [...]
RADIUS Authentication, Now in the Cloud
Understanding RADIUS Authentication

Remote Authentication Dial-In User Service (RADIUS) is a protocol that was historically designed to authenticate remote users to a dial-in access server. Today, RADIUS authentication is used across an array of scenarios and is well known for its AAA capabilities — authentication, authorization, and accounting. By centralizing AAA capabilities, organizations give themselves improved security and greater efficiency. RADIUS servers provide each business with the ability to preserve the privacy and security of both the system and each individual user.

A basic RADIUS accounting process includes:

The process starts when the user is granted access to the RADIUS Server. The RADIUS Client sends a RADIUS Accounting-Request packet, known as Accounting Start, to the RADIUS Server. The request packet comprises the user ID, network address, session identifier, and point of access.
During the session, the Client may send additional Accounting-Request packets, known as Interim Update, to the RADIUS Server. These packets include details like the current session duration and data usage, and serve to update the RADIUS Server’s information about the user’s session.
Once the user’s access to the RADIUS Server ends, the RADIUS Client sends another Accounting-Request packet, known as Accounting Stop, to the RADIUS Server. The packet includes information such as total time, data and packets transferred, the reason for disconnection, and other information relevant to the user’s session.

Ultimately, RADIUS authentication prevents your organization’s confidential data from being leaked. It also allows easy depreciation capabilities and enables individual users to be assigned unique network permissions based on their location, role, etc.

RADIUS Authentication in the Cloud

It’s well known today that RADIUS authentication is an effective way of enhancing network security, visibility and control. Just as more and more organizations move their enterprise software stack to the cloud, so too are they demanding flexibility and ease of deployment as it relates to RADIUS. This has given rise to the cloud RADIUS, a modern take on the traditional on-premise RADIUS server. Standing up a cloud RADIUS offers several benefits for your organization, including:

Built-in redundancy
Ease of deployment
Cost efficiency
Auto-scaling
...the list goes on.

For these reasons, network engineers are turning to cloud RADIUS solutions in droves. And as vendors like Portnox continue to make advances in machine learning, the reliability and feature sets of cloud RADIUS options become more and more appealing.

Portnox CLEAR’s Cloud RADIUS

Securing your network will always be a priority – no doubt one of many priorities your IT team is faced with – but it doesn’t need to be a drain on time and resources. With Portnox’s RADIUS-as-a-Service solution, companies can now efficiently and affordably authenticate to WiFi, VPN, switches and network devices, while simplifying administration and enabling long-term scalability. Tired of all the heavy lifting when it comes to standing up RADIUS servers? We feel your pain; that’s why we’re making it easier than ever to securely authenticate and control wired and wireless network access for all your users and devices.

How it Works [...]
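To make the Accounting Start / Interim Update / Accounting Stop sequence above concrete, here is an added Python example (not Portnox code and not part of the original post) that builds RFC 2866 Accounting-Request packets with a valid Request Authenticator, verifies them the way a RADIUS server would, and tracks each Acct-Session-Id so that a Stop or Interim Update for a session that never sent a Start is flagged rather than silently accepted. The shared secret, NAS address and session values are constructed sample data.

```python
import hashlib
import struct

ACCOUNTING_REQUEST = 4
# Attribute type codes from RFC 2865/2866 used in this example.
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 44, 46, 49
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
INTEGER_ATTRS = {ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE}


def encode_attrs(attrs):
    """Encode {type: value} as RADIUS TLVs: 32-bit big-endian ints, dotted-quad IPs, raw strings."""
    out = b""
    for t, v in attrs.items():
        if t in INTEGER_ATTRS:
            val = struct.pack("!I", v)
        elif t == NAS_IP_ADDRESS:
            val = bytes(int(octet) for octet in v.split("."))
        else:
            val = v.encode()
        out += bytes([t, len(val) + 2]) + val   # length field covers type + length + value
    return out


def build_acct_request(secret, identifier, attrs):
    """NAS side: Request Authenticator = MD5(Code | ID | Length | 16 zero octets | attrs | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_acct_request(packet, secret):
    """Server side: verify framing and authenticator, return (identifier, {type: value})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if expected != packet[4:20]:   # RFC 2866: such a request must be silently discarded
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    attrs, pos = {}, 20
    while pos < length:
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        raw = packet[pos + 2:pos + alen]
        if t in INTEGER_ATTRS:
            attrs[t] = struct.unpack("!I", raw)[0]
        elif t == NAS_IP_ADDRESS:
            attrs[t] = ".".join(str(b) for b in raw)
        else:
            attrs[t] = raw.decode(errors="replace")
        pos += alen
    return identifier, attrs


class SessionTracker:
    """Follow Start -> Interim-Update -> Stop per Acct-Session-Id and flag out-of-order records."""
    def __init__(self):
        self.sessions = {}   # Acct-Session-Id -> merged attributes seen so far
        self.alerts = []     # sequence anomalies worth logging on the server

    def process(self, packet, secret):
        _, a = parse_acct_request(packet, secret)
        sid, status = a.get(ACCT_SESSION_ID), STATUS_NAMES.get(a.get(ACCT_STATUS_TYPE))
        if sid is None or status is None:
            self.alerts.append("missing Acct-Session-Id or unknown Acct-Status-Type")
        elif status == "Start":
            if sid in self.sessions:
                self.alerts.append(f"duplicate Start for session {sid}")
            self.sessions[sid] = a
        elif sid not in self.sessions:
            self.alerts.append(f"{status} for unknown session {sid}")
        else:
            self.sessions[sid].update(a)          # Interim-Update or Stop refreshes the counters
            if status == "Stop":
                self.sessions[sid]["closed"] = True


def demo():
    """Constructed one-session exchange plus a stray Stop (sample values, not a real capture)."""
    secret = b"example-shared-secret"   # constructed; real deployments use a per-NAS secret
    base = {USER_NAME: "alice", NAS_IP_ADDRESS: "192.0.2.10", ACCT_SESSION_ID: "0A1B2C3D"}
    records = [
        {ACCT_STATUS_TYPE: 1},                                             # Accounting Start
        {ACCT_STATUS_TYPE: 3, ACCT_SESSION_TIME: 600, ACCT_INPUT_OCTETS: 40960, ACCT_OUTPUT_OCTETS: 8192},
        {ACCT_STATUS_TYPE: 2, ACCT_SESSION_TIME: 1800, ACCT_INPUT_OCTETS: 204800,
         ACCT_OUTPUT_OCTETS: 65536, ACCT_TERMINATE_CAUSE: 1},              # Accounting Stop
        {ACCT_STATUS_TYPE: 2, ACCT_SESSION_ID: "FFFF0000"},                # stray Stop, no Start seen
    ]
    tracker = SessionTracker()
    for identifier, extra in enumerate(records, start=1):
        tracker.process(build_acct_request(secret, identifier, {**base, **extra}), secret)
    return tracker
```

Running `demo()` closes session 0A1B2C3D with its final counters and records one alert for the stray Stop, which is the kind of accounting inconsistency a server should log rather than accept.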
Prominent U.S. University Selects Aruba ClearPass Replacement, Opts for Cloud-Native NAC
The University of Denver is a leading private research institution in the United States with nearly 13,000 undergraduate and graduate students, and roughly 4,300 staff members. The university has a prestigious reputation, often ranking among the top 100 universities in the country, and is the oldest research institution in the Rocky Mountain Region of the U.S.

In late 2019, the University of Denver’s information security team, led by Marcelo Lew, went out in search of a network access control solution that would serve as an Aruba ClearPass replacement to help manage access to the institution’s guest network, as well as to its growing eduroam WiFi roaming service. “Internally, we had an initiative to move our security stack to the cloud,” Lew said. “We’re really focused on bringing in solutions that are lightweight and don’t require an FTE to come in and manage them.”

Choosing Simplicity in Uncertain Times

As an existing HPE Aruba ClearPass customer, and having evaluated Cisco’s Identity Services Engine (ISE) NAC solution, Lew and his team felt that Portnox CLEAR had the potential to serve as a ClearPass replacement and deliver the needed functionality without the heavy lifting required to stand up and maintain traditional on-premise NAC. “Some of the legacy NAC solutions out there have a million knobs, making them complex to configure and difficult to troubleshoot. Most institutions like us don’t need all of that,” Lew continued. Lew and his information security team set their sights on Portnox CLEAR NAC-as-a-Service, moving to a PoC in early 2020. The untimely rise of the Coronavirus pandemic in March of 2020 in the U.S. put a damper on the team’s initial efforts to test the platform. “COVID-19 forced the PoC to take a bit longer due to operational challenges, but in general, we really liked what we saw,” said Lew. “Portnox CLEAR really had the potential to get us where we wanted to be with regards to moving NAC to the cloud.”

An Aruba ClearPass Replacement & Coverage for the Guest Network

Portnox CLEAR would eventually be rolled out in full across the university’s guest network, with full coverage for up to 10,000 devices. “We have hundreds and even thousands of users on our guest network at any given time. We’ve had no issues and our network engineers have found Portnox CLEAR very easy to configure. The team particularly likes that there’s no on-prem component or need to upgrade servers on a regular basis,” Lew went on to say. Starting with the guest network was a strategic decision. The university often hosts conferences and events with thousands of non-staff visiting for the day and needing wireless connectivity, making the guest WiFi network target number one for potential cyber threats. “We’re also situated in a populated neighborhood community in Denver. We’re fine with the community being able to utilize our WiFi, but we needed a mechanism to allow for this while keeping the university’s data safe,” said Lew. “After all, our motto here is A Private University Dedicated to the Public Good – that concept extends to our network as well.”

Expanding to Eduroam & Beyond

As Lew and his team look ahead following their decision to choose Portnox CLEAR as their ClearPass replacement, they plan to extend CLEAR’s access control capabilities to the university’s eduroam wireless network used by staff, as well as to the many wired ports across the campus. “We have a few quiet periods during the year where network activity is low – typically in the summer, and about 3-4 weeks in December. We’re planning to tackle eduroam coverage with Portnox CLEAR in the fall of 2021, and the wired ports over the Christmas break,” said Lew. The move away from its reliance on HPE Aruba ClearPass for NAC to Portnox’s cloud-delivered NAC-as-a-Service signifies a larger initiative within the institution, even beyond cloud transformation. “The hard perimeter-based security approach doesn’t work anymore because devices are no longer limited to the university network,” Lew continued. “So, we cannot assume that everything inside the perimeter (or enterprise firewalls) is safe. We are working towards a zero trust but always verify environment, where users like campus guests are given the minimum possible access needed.” [...]
How Portnox CLEAR Can Enhance Your WiFi Network Security
Challenges with WiFi Network Security Today

WiFi extends beyond your office walls. Employees harmlessly share company WiFi passwords with guests, contractors and business neighbors without ever stopping to think about the network and information security risks this poses to their organization. Some of the top WiFi network security challenges today include:

Piggybacking – Anyone with a WiFi-enabled computer in range of your access point can use your connection. The typical indoor broadcast range of an access point is 150–300 feet. This range may extend as far as 1,000 feet outdoors.
Wardriving – The broadcast range of a wireless access point can make internet connections available outside your home, even as far away as your street.
Evil Twin Attacks – In an evil twin attack, an adversary gathers information about a public network access point, then sets up their system to impersonate it.
Wireless Sniffing – Public access points typically don’t encrypt the data they process. This can put your sensitive communications or transactions at risk.
Unauthorized Computer Access – An unsecured public wireless network combined with unsecured file sharing could allow a malicious user to access any directories and files.
Shoulder Surfing – In public areas, bad actors can simply glance over your shoulder as you type, stealing your sensitive or personal information in the process.
Device Theft – Not all attackers rely on gaining access to your data via wireless means. By physically stealing your device, attackers could have unrestricted access to all of its data, as well as any connected cloud accounts.

Enhancing WiFi Security with Portnox CLEAR

It’s never been easier to secure your WiFi. With Portnox’s WiFi Security-as-a-Service, complex integrations and RADIUS server setups that traditionally required skilled IT staff and extensive training have been eliminated. Now, you can set up user and device authentication that complies with security regulations in minutes. Portnox CLEAR WiFi network security benefits include:

Rapid Deployment – No need to worry about pre-set infrastructure or lengthy training.
Seamless Authentication – Integrate with your directory (Okta, AzureAD, etc.). Includes a built-in Certificate Authority, or works with your own.
Device Visibility & Accountability – See all devices on your network, no matter the type or location.
Zero-Touch Management – With a cloud-based RADIUS server and no on-premise hardware or software, say goodbye to ongoing maintenance.
Flexible Access Controls – Use device posture assessment to drive your policy with dynamic VLAN or ACL assignments.
No Vendor Lock-In – Portnox works with any wireless infrastructure.
Vendor Agnostic – Enjoy built-in connectors to common directories, like AzureAD, Okta, GSuite and more.
SOC-Certified – Portnox is SOC II Type II certified, with data encryption in motion and at rest.

Watch How it Works [...]
Understanding 802.1X Protocol & Network Access Control
What is the 802.1X Protocol?

802.1X is a networking protocol that provides an authentication method for devices wishing to connect to a LAN or WLAN. 802.1X has exceptional flexibility because it is based on the Extensible Authentication Protocol (EAP). EAP is a highly pliable standard, as it encompasses a range of authentication methods, including MD5, TLS, TTLS, LEAP, PEAP, SecurID, SIM and AKA. An IEEE standard for port-based NAC, 802.1X also allows network administrators to apply access control parameters across wireless access points. The increasing dependence on wireless networks in corporate offices means network security teams must now address a growing and diverse threat surface, especially if BYOD policies are in use. 802.1X allows these teams to enforce strict access control policies for their highly mobile workforces and maintain compliance with confidence.

What Can 802.1X Do?

The 802.1X protocol is currently used for network access control in a number of ways:

Pre-admission control: Blocks unauthenticated messages.
Device and user detection: Identifies users and devices with pre-defined credentials or MAC addresses.
Authentication and authorization: Verifies and provides access.
Onboarding: Provisions a device with security, management, or host-checking software.
Profiling: Scans endpoint devices.
Policy enforcement: Applies role- and permission-based access.
Post-admission control: Enforces session termination and cleanup.

Additionally, 802.1X can deliver Layer 2 control as it validates users and devices attempting to connect to physical ports in the office.

How Secure is 802.1X?

Today, 802.1X is the gold standard when it comes to network authentication. The protocol prevents over-the-air credential theft attacks like Man-in-the-Middle attacks and Evil Twin proxies. This authentication is significantly more secure than PKI networks. There is some variation when it comes to 802.1X protocol security, however. First, if end users are left to manually configure their devices, there’s a much higher potential for credential theft. In a perfect world, configuration would be conducted by knowledgeable IT staff. Another variation in security effectiveness depends on whether an organization is using credential-based or certificate-based authentication. Certificate-based EAP-TLS is known to significantly reduce organizational risk when it comes to credential theft, and is the most effective way to utilize 802.1X in a corporate networking environment. Not only can 802.1X stop credentials from being sent over the air where they can be easily stolen, it also forces users to go through an enrollment/onboarding process that ensures proper device configuration. [...]
Portnox & ZTNA: Elevating Your Network Access to Zero Trust & Beyond
Why ZTNA? Why Now?

Zero Trust Network Access (ZTNA) has emerged as a new model for securing remote access to an organization’s applications, data, and services based on clearly defined access control policies. ZTNA differs from VPNs in that it grants access only to specific services or applications, whereas VPNs grant access to an entire network. As an increasing number of users access resources from outside the office, ZTNA is helping to eliminate gaps in other secure remote access technologies and methods. ZTNA offers a way to connect users, applications, and data – even outside of an organization’s network, a scenario that’s becoming more and more common in today’s multi-cloud environments. Companies today need to have their digital assets available anywhere, anytime, from any device, to a distributed user base. ZTNA fills this need by offering granular, context-aware access to business-critical applications without exposing other services to possible attackers. The ZTNA model was coined by Gartner to help eliminate the granting of excessive trust to employees, contractors, and other users who only need very limited access. The model expresses the concept that nothing is to be trusted until proven trustworthy, and more importantly that trust must be reauthenticated whenever anything about the connection (location, context, IP address, etc.) changes.

Portnox & ZTNA

Today, your network is expanding by the minute. Employees are using their devices – personal or work-issued – from home, hotels, airports, restaurants, or any place with an internet connection. This poses a unique security challenge, particularly as the critical resources your remote workforce needs access to consist of both cloud-based platforms AND internally-hosted business systems. The million-dollar question keeping network security professionals awake at night is: how do we extend the same level of awareness and access control as is done on the LAN to this growing number of remote devices that might not connect directly to the LAN for weeks or months?

The Answer: Portnox CLEAR

Portnox CLEAR has been purpose-built to easily enhance ZTNA with full endpoint risk awareness and access controls. Put simply, CLEAR delivers remote access control as a cloud service.

Endpoint Risk Awareness & Access Control

As a cloud-based solution, Portnox CLEAR is always aware of the current risk of remote devices, regardless of whether they’re “on” or “off” the network – giving you full, continuous visibility and risk awareness. Awareness is only a piece of the puzzle, however. Actionable awareness is where Portnox CLEAR separates itself. By leveraging the current risk posture of a device – which can be configured in line with your compliance policies, like having antivirus up-to-date or the latest patches in place – Portnox CLEAR can automatically allow or block remote access through your VPN, VDI or cloud applications via Okta. Portnox CLEAR also extends this awareness to geo-location. So, for instance, if you want to allow users from the U.S. but block access attempts from North Korea, you can do so. For VPN-connecting devices, Portnox CLEAR can even dynamically direct trusted devices to their proper VLANs based on policy.

Ensuring Remote Device Compliance

Continuous, anywhere awareness of device risk paired with the ability to dynamically control access based on policy is a critical part of the ZTNA model. Portnox CLEAR goes one step further with automated corrective and preventative actions (CAPA). With CAPA, Portnox CLEAR is able to take real-time actions on remote endpoints to ensure they remain compliant with your risk policy. This includes ensuring the firewall is always on, AV is running and updated, or even restricting the use of a USB drive for someone on the team working remotely. These are merely some examples of the proactive remediation actions that Portnox CLEAR can take to ensure that devices used by off-site employees remain trusted and healthy at all times.

How it Works

Portnox CLEAR works with your existing remote access infrastructure. Simply create your Portnox CLEAR instance and define your remote access group policy within the platform (i.e. remote users/devices, risk/compliance policy, remediation policy and access control policy). Configure your VPN, VDI or Okta to connect to your Portnox CLEAR instance, and voilà, you’re done!

Case Study: University Federal Credit Union

Profile:
Based in Salt Lake City, UT
100K+ members
17 branches in operation
Nearly 400 employees

Challenges:
Employees forced to work from home due to pandemic
Initially, no ability to monitor or control VPN access
Directive given to secure VPN access
Very short timeframe to implement
All employees using managed corporate devices

Solution:
Deployed Portnox ZTNA
All remote employee devices on-boarded & authenticated in under one week
Certainty that all devices attempting to connect are UFCU employees
Can block users out of compliance in real-time
Can remediate employee devices out of compliance
Have extended security overlay to WiFi
Currently testing on wired ports

Read the case study in full. [...]
Zero Trust Network Access: Understanding What’s Driving Adoption
What is Zero Trust Network Access (ZTNA)?

The idea of zero trust security has emerged as a major trend in cyber security over the last few years, with analyst firms like Gartner and Forrester touting the concept as the next big thing in network security as we move to more distributed working environments. In the wake of the COVID-19 pandemic, as remote work became the norm, many organizations reshuffled their internal security priorities, putting ZTNA among the most important items to address as we move into the 2020s. Also known as the software-defined perimeter (SDP), zero trust network access (ZTNA) is made up of a suite of technologies that adhere to an adaptive trust model, where trust is never absolute, and access is granted on a least-privileged basis defined by unique compliance policies within an organization.

So, How Does ZTNA Actually Work?

ZTNA is configured slightly differently by each organization or vendor. However, several underlying principles remain consistent across ZTNA architectures:

Application vs. network access: ZTNA treats application access separately from network access. Connecting to a network does not automatically grant a user the right to access an application.
Hidden IP addresses: ZTNA does not expose IP addresses to the network. The rest of the network remains invisible to connected devices, except for the application or service they are connected to.
Device security: ZTNA can incorporate the risk and security posture of devices as factors in access decisions. It does this by running software on the device itself (see “Agent-based ZTNA vs. service-based ZTNA” below) or by analyzing network traffic to and from the device.
Additional factors: Unlike traditional access control, which only grants access based on user identity and role, ZTNA can evaluate risks associated with additional factors like user location, timing and frequency of requests, the apps and data being requested, and more. A user could sign in to a network or application, but if their device is not trusted, access is denied.
No MPLS: ZTNA uses encrypted Internet connections over TLS instead of MPLS-based WAN connections. Traditional corporate networks are built on private MPLS connections. ZTNA is built on the public Internet instead, using TLS encryption to keep network traffic private. ZTNA sets up small encrypted tunnels between a user and an application, as opposed to connecting a user to a larger network.
IdP and SSO: Most ZTNA solutions integrate with separate identity providers (IdPs), single sign-on (SSO) platforms, or both. SSO allows users to authenticate their identity for all applications; the IdP stores user identity and determines associated user privileges.
Agent vs. service: ZTNA can either use an endpoint agent or be based in the cloud. The difference is explained below.

How Does Access Control Factor into ZTNA?

In contrast to the IP-based access control traditionally used with VPNs, zero trust network access leverages identity-based authentication and access control. This enables organizations to apply unique access control policies based on location or device, which can be configured to prevent non-compliant devices from connecting to corporate services. Another advantage of identity-based access control via ZTNA is that it can be extended to off-campus BYOD devices as well. These devices are typically more vulnerable, so applying different levels of access in this use case can help to protect the network better than a traditional VPN. Some agent-based ZTNA solutions provide a pre-authentication trust assessment of the connecting user and device, including device posture, authentication status, and geo-location.

What’s the Connection Between ZTNA & SASE?

Like SDP, however, ZTNA does not provide inline inspection of user traffic from the application after the user establishes a connection. This can lead to potential security issues when a user’s device or credentials become compromised, or in the case of a malicious insider who uses their access to a resource to disrupt the application or host. Secure access service edge (SASE) solutions that incorporate ZTNA identity-based authentication and granular access control capabilities provide a more complete, holistic approach. SASE solutions provide the cloud scalability, security and network capabilities required for secure remote access management. But unlike standalone ZTNA solutions, SASE provides post-connect monitoring for signs of data loss or compromised credentials. [...]
Portnox CLEAR vs. On-Premise NAC: A Look at Total Cost of Ownership (TCO)
On-Premise NAC vs. SaaS NAC

Set-Up & Configuration: On-Premise NAC vs. SaaS NAC

Unlike traditional on-premise NAC solutions that require hardware appliances, software, and other on-premise elements, you can create your dedicated instance of Portnox CLEAR cloud-delivered NAC-as-a-Service in minutes. Portnox CLEAR has been built from the ground up to simplify policy configuration, allowing for deployment timelines that can be measured in hours. In contrast, traditional on-premise NAC deployments can be measured in weeks or months.

Set-Up Costs Eliminated with Portnox CLEAR: Need for on-site appliances, need for third-party expertise, man-hours dedicated to systems training
Savings Value: HIGH

Scalability & Performance: On-Premise NAC vs. SaaS NAC

As a cloud service, Portnox CLEAR eliminates the need for the capacity planning required by on-premise NAC software or appliances. It also eliminates the need to expand capacity or upgrade appliances to meet future growth, as traditional on-premise NAC requires. Portnox CLEAR automatically controls the virtual machine size and the scale-up and scale-down rules. Dedicated F5 load balancers are spun up and auto-scale as well, so you never have to be concerned with service performance or scalability – it will automatically expand as needed to meet demand.

Performance Costs Eliminated with Portnox CLEAR: Man-hours dedicated to capacity planning, need for on-site appliance upgrades, need for local load balancing
Savings Value: MODERATE

Lifecycle Maintenance: On-Premise NAC vs. SaaS NAC

Another hidden cost of on-premise NAC is maintenance. All you have to do is search the web – in most cases you’ll find that vendors have lengthy manuals that outline the painful steps and procedures necessary to keep the software or its associated appliances updated. These upgrades often come with time limits that can force you to start over and redo your work. Worse yet, one simple mistake during these upgrades can take your network down for many hours or days. And guess what? You often get to go through these upgrades multiple times per year. With Portnox CLEAR, never worry about software or hardware end-of-life, or costly, complex upgrades requiring hours and days of work and a never-ending checklist of to-dos. As a cloud-delivered service, Portnox CLEAR is always running the most up-to-date version with the latest features and capabilities. At the end of the day, Portnox CLEAR customers enjoy continuous service availability with ZERO lifecycle maintenance costs.

Maintenance Costs Eliminated with Portnox CLEAR: Software upgrades, NAC downtime, need for third-party expertise
Savings Value: HIGH [...]
Major Events Venue Moves from On-Prem to Cloud NAC as Part of Digital Transformation
Founded in 2004 and located in the heart of Cardiff Bay, Wales Millennium Centre (WMC) is Wales’ national arts centre and a major events venue in the region. It seats nearly 2,500 guests and hosts events ranging from performances by the Welsh National Opera to concerts, West End musicals, an annual arts festival and more.

Increasingly Cloud-Friendly
WMC has been a long-standing customer of Portnox, having signed on to use Portnox CORE, our on-premise network access control (NAC) solution, in 2012. By early 2020, however, WMC was in the midst of an internal push for digital transformation, focused on adopting cloud technologies in place of existing legacy on-premise systems. “Moving from on-prem to cloud is something we’ve begun to undertake over the last year across nearly every system that we use,” said Richard Williams, IT Infrastructure Engineer. After migrating WMC’s payroll system to the cloud, with several other systems also awaiting migration, Williams and his team began to assess the venue’s current cybersecurity posture. “For a while now, I have been looking at various aspects of security across our business. We’re looking to tighten things up, and much of that has begun with training for staff, such as teaching people to be more aware of phishing emails, etc. It’s now time to begin really assessing the systems we have in place, particularly when it comes to network security,” Williams continued. As the team turned its focus to its existing network access control capabilities with Portnox CORE, it decided that this component of the cybersecurity stack should also migrate to cloud NAC as part of WMC’s digital transformation program.

Elevating Network Security, Considering Cloud NAC
As a public venue, WMC is open to a variety of non-staffers for long periods throughout the day. “On a daily basis, we have large numbers of contractors, performers – all kinds of people in the backstage area – and historically we had limited visibility of what was being plugged into our network,” Williams went on to say. With a number of wired ports located throughout the building, as well as a freely accessible guest wireless network, this limited visibility meant that WMC’s network was especially vulnerable and could potentially be breached by anyone with a moderate level of IT know-how. “While we hadn’t fully leveraged all of the functionality available to us within Portnox CORE, I knew that Portnox CLEAR would be a much better fit for us as an organization after seeing it in action,” Williams stated. “With Portnox CLEAR, we can simply login and see exactly who is on the network, via which access layer, their device type, etc. We have much more visibility and control today as a result.”

Better Agility & Visibility in Times of Crisis
As the coronavirus pandemic unexpectedly swept the globe in the early months of 2020, WMC’s choice to transition to Portnox CLEAR’s cloud NAC yielded a surprising benefit. “As a public events venue that had to shut its doors for several months due to the pandemic, we were forced to downsize our staff and send most of the remaining workforce home to continue operations,” Williams went on to say. With an uncharacteristically large remote team, Williams and his colleagues were able to extend Portnox CLEAR’s NAC capabilities to the organization’s VPN access layer, ensuring that the corporate network, resources and various enterprise cloud applications were accessed by remote staff in a secure manner.

Future-Proofed for Whatever Lies Ahead with Cloud NAC
While the future for nearly every organization remains uncertain as the pandemic drags on, Williams and WMC are confident that Portnox CLEAR will continue to deliver the stability, visibility and control required to keep the venue’s network safe. “From the end-user’s point-of-view, Portnox CLEAR is very stable. My team connects to CLEAR first thing in the morning, and simply disconnects at the end of each day. Now, we always know what’s happening on the network. There are no blind spots,” Williams explained. With Portnox CLEAR cloud NAC, WMC is future-proofed for the network security challenges that lie ahead, thanks to the platform’s uptime, on-going upgrades, and the flexibility to manage it from anywhere if needed.
Healthcare Provider Moves from Aruba ClearPass to Portnox CLEAR
AbsoluteCare is a fast-growing regional integrated healthcare provider headquartered in Baltimore, Maryland, with facilities up and down the East Coast, including Atlanta, Philadelphia, and Washington, DC. Since 2000, AbsoluteCare has provided medical assessment and treatment to tens of thousands of people through its “wrap-around” care model. “Several years ago, as the company continued to grow, many of our customers, including companies like Anthem and BlueCross BlueShield said we needed to be HITRUST certified in order to work with them,” said Chris Becker, AbsoluteCare’s National IT Director. As part of that journey towards HITRUST certification, Becker and his team discovered that they would need to implement a network access control (NAC) solution. “At that time, we looked at HP Aruba ClearPass and Cisco ISE, and decided to go with Aruba,” Becker continued. “We spent quite a bit of money to get it implemented – relying on outside consultants to get it up and running and conduct training – it’s a rather large application. We ultimately used it minimally because much of the functionality was overly complex.” In general, the company utilizes managed corporate devices across its workforce, specifically Dell laptops running Windows X, as well as a number of iPads and iPhones. “We have a small population of BYOD, but we don’t encourage it – it’s just more work to manage the compliance of those devices with the limited internal IT resources we have,” Becker stated.

Migration Challenges
In the summer of 2020, AbsoluteCare found itself in a bind during a datacenter migration. “We decided to move our Aruba servers from one datacenter to another, and we found out – oh my gosh – this is going to cost us like $30,000 just to move it,” continued Becker. The hidden costs didn’t end with the migration, however. Becker and his team realized they would have to incur more fees to upgrade ClearPass because their version was nearly three years old. “We saw dollar signs. Lots of dollar signs. Not only that, but ClearPass really didn’t grow with us – you almost have to be an HP Aruba expert to really make the solution work for you the way you need it to,” Becker recalled.

Headed in a Different Direction
To avoid paying staggering professional services fees for the expertise needed to execute the ClearPass server transfer, Becker and his team went in search of a new NAC solution that would eliminate these hidden costs and provide a lightweight, flexible option for network access control. “We definitely wanted cloud. We’re fans of cloud – both private and public,” Becker indicated. “Portnox CLEAR definitely fit the core requirement to act as our NAC solution, but it also offered other benefits through its optional agent that made it the clear winner for us.”

Out With the Old, In With the New
AbsoluteCare was able to swiftly roll out Portnox CLEAR with its AgentP add-on, allowing Becker and his team to leverage the platform’s on-or-off-network endpoint risk posture assessment and automatic device remediation capabilities for users on its wired and wireless networks. “This is one of the things I really liked about Portnox,” said Becker. “When we initially got access to the environment to conduct our proof of concept, we set up our account and then set a meeting for a week out to assess where we were and what we still needed to do. Well, my systems admin basically got everything configured in a few days all on his own.” For AbsoluteCare, Portnox CLEAR’s ease of use was a major selling point. “I mean, coming off of something like ClearPass, where you basically need to be a systems engineer to figure it out – Portnox CLEAR was just a piece of cake,” Becker revealed. Want to read the full case study? Download it today.
Go hack yourself: How to thwart network hacks by cybercriminals, like Iran’s state-sponsored Pay2Key attacks
Originally posted on The Times of Israel

Thwarting network hacks like the attempted Portnox breach
Whether motivated by geopolitical power, personal gain, or mere curiosity, cybercriminals are currently enjoying a renaissance. Like drifting bandits in the once-lawless American West, hackers are striking corporations and individuals with relative impunity. There’s no shortage of incidents to point to; the spate of Pay2Key ransomware attacks on Israeli companies at the end of 2020 by state-sanctioned Iranian hackers, including the attempted Portnox breach, serves as a recent example. What we know today is that social engineering, email phishing, unpatched firewalls, credential stuffing, malware and ransomware make up the bulk of these attacks. And it goes without saying: leaked data can be costly. Today the average cost of a data breach is nearly $4 million. Larger corporations aren’t the only targets. Nearly half of all network breaches target small businesses that simply can’t afford to absorb these losses. Unfortunately, you don’t need a doctorate in Computer Science from MIT to learn how to identify and exploit network vulnerabilities and cause widespread damage to companies and individuals. Look at the Fortinet VPN hack, for example. With details of some 50,000 hosts, representing hundreds of thousands of compromised accounts belonging to some of the world’s largest banks, telecoms and government entities, dumped on the dark web, even the weekend hacker has the intel and direction needed to cause destruction. There’s much to be learned and applied from these hacks, however. While it’s unlikely we’ll be able to eliminate these incidents entirely, there are ways to mitigate network breaches.

Preventing lateral movement
Lateral movement is a technique attackers use to dig deeper into a network in search of sensitive data and other valuable assets. Once they’ve gained a foothold, attackers typically maintain ongoing access by moving through the network and obtaining increasingly elevated privileges, similar to what was attempted in the Portnox breach. A number of steps, used in conjunction with one another, help to prevent lateral movement. Critical among them is implementing adaptive network access controls. “Adaptive” means several things: (1) you can monitor the risk posture of connecting devices and allow or block access based on the assessed risk level; and (2) you can allow or block access to the network based on a user’s geolocation. These adaptive access controls, paired with multifactor authentication (MFA) and strong password policies, help to fortify your network.

Segmenting the network
Network segmentation is the practice of dividing a network into smaller parts, where only assigned people have access to each part according to their role and responsibilities. Segmentation reduces an attacker’s reach into your larger network. It can be done broadly or granularly. In effect, you want application and resource servers not to trust one another, so that any attempt to cross between them requires MFA, adaptive access control and session monitoring. Implementing microsegmentation means looking at the context of the user or device (role, location, application, etc.) and defining access privileges based on that holistic profile.

Preventing attacks like the attempted Portnox breach
There’s a lot to unpack here. At the end of the day, truly mitigating network breaches requires a network access control (NAC) solution that can discover, authenticate and segment users across the network while monitoring the risk of their connected devices and remediating those devices in real time should they fall out of compliance. By leveraging NAC, organizations can limit further exposure, potentially saving themselves millions of dollars in the process.
The 5 Key Values of Portnox CLEAR
The problem with most traditional on-premise network access control solutions is their complexity across many fronts, including initial setup, configuration, scalability, and on-going maintenance and upgrades. As a truly cloud-delivered NAC service, Portnox CLEAR delivers SIMPLICITY across all of these critical areas.

VALUE 1: Setup Simplicity
Unlike traditional on-premise solutions that require hardware appliances, software, and other on-premise elements, with Portnox CLEAR you simply create your dedicated instance in Microsoft Azure using your company email or via SSO (such as Azure AD or G Suite) in a matter of minutes. With your dedicated instance of CLEAR created, you check the appropriate box(es) to create your RADIUS instance. Dedicated F5 load balancers are spun up and auto-scale as well, so you never have to be concerned with service performance or scalability: the service expands automatically as needed to meet demand. Portnox CLEAR’s simplicity extends to out-of-box integration and one-click set-up for several common directory services, including on-premise AD, Azure AD, G Suite and Okta Universal Directory. SIEM integration is as simple as providing the IP/port, protocol type (TCP, UDP, HTTPS), and data format (JSON/CEF).

VALUE 2: Configuration Simplicity
The complexity of traditional on-premise NAC does not stop at the initial set-up of the local appliance(s), load balancing, RADIUS, and other on-premise components. As shown in the sample policy screenshots below, the complexity of traditional NAC extends to policy configuration that is often layered with multiple and nested interdependencies. From inception, the focus with CLEAR has been to simplify policy configuration, allowing CLEAR to be fully deployed and operational in a matter of hours or days, versus traditional NAC, which typically takes weeks, or in many cases months, to roll out. Intuitive, easy-to-configure access control, risk, and remediation policies are at the foundation of Portnox CLEAR, as reflected in the sample screenshots below.

Risk Policies
Easily configure risk-based access controls for all devices or for different groups of devices (e.g. accounting, engineering) by assigning a risk value to each group’s relevant compliance checks. A simple slider turns the resulting risk score into an action (allow, alert, block). Unlike traditional NAC, which monitors device risk only while the device is connected to the network, Portnox CLEAR monitors risk continuously, whether the device is on or off the network.

Remediation Policies
While it is important to continuously be aware of the current risk posture of a device and to use that awareness as part of access control, the ability to proactively take action on the endpoint, to ensure that a minimum level of compliance is always maintained, can be equally important. As with all other policy configurations, setting group-specific remediation policies in CLEAR is as simple as a few clicks. Unlike traditional NAC, which takes remediation actions only while the device is on the network, Portnox CLEAR proactively enforces remediation actions at all times, whether the device is on or off the network.

VALUE 3: On-Demand Auto-Scale
Delivered as a cloud service, Portnox CLEAR eliminates the need for the capacity planning of on-premise software or appliances, and the need to expand capacity or upgrade appliances to meet future growth. Portnox CLEAR services expand automatically on demand to absorb demand spikes and future growth. Our Azure services scale up (and down) automatically based on usage and load; we control the VM size and the scale-up/down rules. For the RADIUS component, we use Azure Kubernetes Service to manage the instances and scale them on demand. An F5 load balancer channels traffic to the right instances and keeps the scaling transparent to the end user.

VALUE 4: Ease of Integration
Portnox CLEAR continues to expand its native integrations, and supports out-of-band integration through an included REST API. Current integrations include Active Directory, Azure AD, G Suite, MS Intune, Okta, Palo Alto, and SIEM (any leading vendor). Portnox CLEAR also integrates with all leading anti-virus providers to validate and remediate (update) as part of CLEAR’s compliance and remediation capabilities. The RESTful API runs over HTTPS and can be used from any programming language that supports REST calls, or invoked directly through any HTTPS client such as cURL.

VALUE 5: Zero-Touch Maintenance
As a true SaaS solution, Portnox CLEAR is zero-touch: no on-going software updates or patching, no management of scheduled downtime, and no hardware or software end-of-life issues.

Request a Demo of Portnox CLEAR
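The risk-policy mechanism described under Value 2 (a risk value per compliance check, a threshold that turns the score into allow, alert or block, and posture that is monitored whether the device is on or off the network) is easiest to reason about as code. The following is an added example written for this page; it is not Portnox code and does not show how CLEAR computes its score. The check names, the per-group weights and thresholds, and the 30-minute staleness window are assumptions. Two practitioner details are built in: a check the agent did not report counts as failed, and a posture report older than the staleness window is discarded, so an agent that goes silent cannot keep a device in "allow".

```python
"""Risk-based access decision: weighted compliance checks, score thresholds, stale-report handling.

Added example, not Portnox code. Check names, risk weights, thresholds and the
staleness window are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ComplianceCheck:
    name: str   # key the endpoint agent reports, e.g. "antivirus_running"
    risk: int   # risk points added when this check fails (assumed weight)


@dataclass(frozen=True)
class RiskPolicy:
    checks: Tuple[ComplianceCheck, ...]
    alert_at: int                                        # score >= alert_at -> "alert"
    block_at: int                                        # score >= block_at -> "block"
    max_report_age: timedelta = timedelta(minutes=30)    # older posture reports count as unknown


# One policy per device group (assumed groups and numbers).
GROUP_POLICIES: Dict[str, RiskPolicy] = {
    "engineering": RiskPolicy(
        checks=(ComplianceCheck("antivirus_running", 40), ComplianceCheck("disk_encrypted", 30),
                ComplianceCheck("firewall_enabled", 20), ComplianceCheck("os_patch_current", 15)),
        alert_at=30, block_at=50),
    "accounting": RiskPolicy(
        checks=(ComplianceCheck("antivirus_running", 40), ComplianceCheck("disk_encrypted", 40),
                ComplianceCheck("firewall_enabled", 20), ComplianceCheck("os_patch_current", 20)),
        alert_at=20, block_at=40),
}


def score(report: Dict[str, bool], policy: RiskPolicy) -> Tuple[int, List[str]]:
    """Sum the risk of every failed check; a check missing from the report counts as failed (fail closed)."""
    failed = [c.name for c in policy.checks if not report.get(c.name, False)]
    total = sum(c.risk for c in policy.checks if c.name in failed)
    return total, failed


def evaluate_posture(report: Dict[str, bool], group: str, reported_at: datetime,
                     now: Optional[datetime] = None) -> Tuple[str, int, List[str]]:
    """Return (action, score, failed_checks) for the latest posture report of a device.

    The agent reports on and off the network; if its last report is older than
    max_report_age the report is discarded and every check is treated as failed,
    so an agent that stops reporting cannot keep a device in "allow".
    """
    policy = GROUP_POLICIES[group]
    now = now or datetime.now(timezone.utc)
    if now - reported_at > policy.max_report_age:
        report = {}
    total, failed = score(report, policy)
    if total >= policy.block_at:
        action = "block"
    elif total >= policy.alert_at:
        action = "alert"
    else:
        action = "allow"
    return action, total, failed


# Constructed sample input: posture reports as an endpoint agent might send them.
NOW = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
FRESH = NOW - timedelta(minutes=5)
STALE = NOW - timedelta(hours=3)
SAMPLE_REPORTS = {
    "eng-laptop-1": ({"antivirus_running": True, "disk_encrypted": True,
                      "firewall_enabled": True, "os_patch_current": True}, "engineering", FRESH),
    "eng-laptop-2": ({"antivirus_running": True, "disk_encrypted": True,
                      "firewall_enabled": False, "os_patch_current": False}, "engineering", FRESH),
    "acct-laptop-1": ({"antivirus_running": False, "disk_encrypted": True,
                       "firewall_enabled": True, "os_patch_current": True}, "accounting", FRESH),
    "eng-laptop-3": ({"antivirus_running": True, "disk_encrypted": True,
                      "firewall_enabled": True, "os_patch_current": True}, "engineering", STALE),
}

if __name__ == "__main__":
    for host, (report, group, seen) in SAMPLE_REPORTS.items():
        action, total, failed = evaluate_posture(report, group, seen, NOW)
        print(f"{host:14} {group:12} score={total:3} action={action:5} failed={failed}")
```

Running the script shows the four constructed devices landing in allow, alert, block (accounting weights antivirus at its block threshold) and block (a fully compliant report that is three hours old). The accounting policy deliberately has lower thresholds than engineering, which is the per-group tuning the text describes; the numbers themselves carry no meaning beyond the example.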
Segmenting Your Network with Dynamic VLAN
What is Dynamic VLAN?
VLANs (Virtual Local Area Networks) segment the main organizational network. In practice, VLANs let network administrators keep devices and network resources separated despite being connected to the same physical network. Dynamic VLAN assignment separates and isolates devices into different network segments based on the authorization of the device or user and their characteristics. The flow of traffic between those VLANs is governed by a firewall or another routing device, which can then enforce specific network access rules.

Why Use Dynamic VLANs?
Segmenting the network is a security best practice, and in some cases a regulatory requirement, as with PCI DSS. Network segmentation improves the effectiveness of existing investments in other security tools, and can by itself prevent significant damage to critical organizational data across the network after a company has been breached. Automating VLAN assignments and eliminating manual intervention has historically been a challenge for network security teams. Today, automatic VLAN assignment is best implemented with a RADIUS service, which functions as follows:
1. A device connects to one of several network access layers: a wired Ethernet switch port or a WiFi SSID.
2. The network access layer sends a request to the RADIUS server with the user’s credentials or certificate (using 802.1X).
3. The RADIUS server replies with attributes that tell the switch or access point which VLAN the device belongs in, resulting in the correct VLAN assignment. On most equipment these are the RFC 3580 tunnel attributes: Tunnel-Type set to VLAN, Tunnel-Medium-Type set to IEEE-802, and Tunnel-Private-Group-ID carrying the VLAN ID or VLAN name.

Common Dynamic VLAN Assignment Use Cases
Network and security administrators most commonly encounter these use cases for dynamic VLAN assignment:
The Sales & Marketing department does not need access to R&D resources, while R&D should not have access to Finance Department resources. Using dynamic VLANs, each department is placed in the correct VLAN with the required access.
Devices that fail to authenticate due to wrong credentials or an incorrect/expired certificate are placed in a quarantine VLAN with internet access only.
IP phones use a dedicated voice VLAN and should be placed on that VLAN upon successful authentication.
Devices that do not support 802.1X and are admitted via MAC authentication bypass should be placed in their own dedicated VLAN.
Devices that fail posture assessment (such as those without updated antivirus) should be placed in a quarantine VLAN with limited access.
Employees connect to a single WiFi SSID and get different access (VLANs) based on their LDAP groups in the authentication repository.

Dynamic VLAN Assignment with Portnox CLEAR
As mentioned earlier, implementing dynamic VLAN assignment has often been challenging for organizations because additional servers were needed on-site in the datacenter, forcing network teams to manage redundancy, complex configurations, and on-going maintenance. To paint a clearer picture of this headache, consider connecting a new department or branch, or simply onboarding a large number of new employees at once: the surge in authentication requests can overwhelm an under-provisioned RADIUS deployment, so that nobody who tries to connect is accepted. Portnox CLEAR is a network access control solution, delivered as a cloud service, that covers all of the use cases above and more. CLEAR simplifies the implementation of dynamic VLAN assignment: you can set up a cloud RADIUS server in a single click, integrate with authentication repositories such as on-premise Active Directory, Azure AD, G Suite and Okta, and enforce your own access control policy to dynamically assign users to their respective VLANs. In addition to VLAN assignment based on credential authorization, CLEAR also supports dynamic VLAN assignment based on risk violation: even devices that have authenticated successfully to the wired or wireless network can be moved to a dedicated VLAN if they fall out of compliance.

In the diagram above: PCs are dynamically assigned to a VLAN based on their credentials/certificate; IP phones are assigned to the VoIP VLAN; printers are assigned to the printers VLAN; guest devices are assigned to the internet-only/quarantine VLAN.

How it Works – Setting up Dynamic VLAN Assignment in Portnox CLEAR
1. Enable Cloud RADIUS. In the CLEAR portal, create your one-click cloud RADIUS server: go to Settings > Services > CLEAR RADIUS Service and add your RADIUS service instance. Then point your network equipment (wired switches and/or wireless controllers) at the CLEAR RADIUS service details.
2. Create an Access Control Policy for dynamic VLAN assignment. In Policies > Access Control Policies, add or edit an access control policy, select the required access layer, and add the VLAN ID or VLAN name for each event you want dynamic VLAN assignment for: successful authentication, authentication violation, risk assessment, blocked by admin. Then map the access control policy to the relevant groups and users.
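To make the RADIUS side of this concrete, here is an added example (written for this page, not Portnox code) that implements the decision the access control policy expresses, mapping the four events named in step 2 plus MAC authentication bypass to a RADIUS response and a VLAN, and then encodes that VLAN as the three RFC 2868/3580 tunnel attributes a switch or controller reads. The attribute numbers and values (64, 65, 81; Tunnel-Type 13 = VLAN; Tunnel-Medium-Type 6 = IEEE-802) are from the RFCs; the VLAN names, the group-to-VLAN order, and the choice to return Access-Accept with a quarantine VLAN on an authentication violation (rather than Access-Reject and relying on the switch’s local auth-fail VLAN) are assumptions, and the decoder is included only so the encoding can be checked offline.

```python
"""Dynamic VLAN assignment carried in RADIUS tunnel attributes (RFC 2868 / RFC 3580).

Added example, not Portnox code. VLAN names, the group-to-VLAN mapping and the
policy for each event are assumptions; attribute numbers and values are from the RFCs.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Sequence, Tuple, Union

TUNNEL_TYPE = 64                # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13           # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE802 = 6       # Tunnel-Medium-Type value "IEEE-802"


class Event(Enum):
    AUTH_SUCCESS = "successful authentication"
    AUTH_VIOLATION = "authentication violation"
    RISK_VIOLATION = "risk assessment"
    BLOCKED_BY_ADMIN = "blocked by admin"
    MAB = "MAC authentication bypass"


# Assumed policy. First matching group wins, so the most restrictive VLAN is listed first.
GROUP_VLANS: Sequence[Tuple[str, str]] = (("finance", "VLAN_FINANCE"), ("rnd", "VLAN_RND"),
                                          ("sales", "VLAN_SALES"))
DEVICE_VLANS: Dict[str, str] = {"ip-phone": "VLAN_VOICE", "printer": "VLAN_PRINTERS"}
QUARANTINE_VLAN = "VLAN_QUARANTINE"     # internet-only segment


@dataclass(frozen=True)
class Decision:
    code: str               # "Access-Accept" or "Access-Reject"
    vlan: Optional[str]     # value for Tunnel-Private-Group-ID; None on reject


def assign_vlan(event: Event, groups: Sequence[str] = (), device_class: Optional[str] = None) -> Decision:
    """Map an authentication outcome to a RADIUS response code and VLAN."""
    if event is Event.BLOCKED_BY_ADMIN:
        return Decision("Access-Reject", None)          # port stays unauthorised, no VLAN at all
    if event in (Event.AUTH_VIOLATION, Event.RISK_VIOLATION):
        # Accept into quarantine so the device reaches remediation/internet only. The alternative
        # is Access-Reject and letting the switch apply its locally configured auth-fail VLAN.
        return Decision("Access-Accept", QUARANTINE_VLAN)
    if event is Event.MAB:
        return Decision("Access-Accept", DEVICE_VLANS.get(device_class or "", QUARANTINE_VLAN))
    for group, vlan in GROUP_VLANS:
        if group in groups:
            return Decision("Access-Accept", vlan)
    return Decision("Access-Accept", QUARANTINE_VLAN)   # authenticated but unmapped: least privilege


def _tunnel_int(attr: int, value: int, tag: int = 0) -> bytes:
    # Type, Length (always 6), Tag, 3-byte big-endian value
    return bytes([attr, 6, tag]) + value.to_bytes(3, "big")


def _tunnel_str(attr: int, value: str, tag: int = 0) -> bytes:
    data = value.encode("ascii")
    if len(data) > 250:                                 # Length is one byte: 3 header bytes + string
        raise ValueError("VLAN name too long for a RADIUS attribute")
    return bytes([attr, 3 + len(data), tag]) + data


def build_vlan_attributes(vlan: str) -> bytes:
    """The three attributes a switch needs to put the port/session in `vlan`."""
    return (_tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
            + _tunnel_str(TUNNEL_PRIVATE_GROUP_ID, vlan))


def parse_attributes(data: bytes) -> Dict[int, Tuple[int, Union[int, str]]]:
    """Decode tunnel attributes back to {type: (tag, value)}; rejects malformed lengths."""
    out: Dict[int, Tuple[int, Union[int, str]]] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute length")
        tag, value = data[i + 2], data[i + 3:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr] = (tag, int.from_bytes(value, "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            out[attr] = (tag, value.decode("ascii"))
        i += length
    return out


def build_reply(decision: Decision) -> Tuple[str, bytes]:
    """Response code plus the attribute bytes to append to the RADIUS packet (empty on reject)."""
    if decision.code == "Access-Accept" and decision.vlan:
        return decision.code, build_vlan_attributes(decision.vlan)
    return decision.code, b""


if __name__ == "__main__":
    # Constructed cases: a sales user, a user in two groups, a bad certificate, a phone via MAB, an admin block
    for event, groups, dev in [(Event.AUTH_SUCCESS, ("domain users", "sales"), None),
                               (Event.AUTH_SUCCESS, ("rnd", "finance"), None),
                               (Event.AUTH_VIOLATION, (), None),
                               (Event.MAB, (), "ip-phone"),
                               (Event.BLOCKED_BY_ADMIN, (), None)]:
        code, attrs = build_reply(assign_vlan(event, groups, dev))
        print(f"{event.value:26} -> {code:14} {attrs.hex()}")
```

The group order matters: a user who is in both rnd and finance lands in VLAN_FINANCE because that entry comes first, which is the place to encode "most restrictive wins" when directory groups overlap. A successfully authenticated user with no mapped group goes to quarantine rather than a default corporate VLAN; that is the least-privilege choice and is worth making explicit in any policy you write.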
Why It’s Important to Control What’s on Your Wireless Network at All Times
            There is no doubt that your wireless network is a critical component of business operations. Strong wireless connectivity enhances productivity and flexibility, especially for organizations that have a Bring Your Own Device (BYOD) policy, IoT infrastructure components, contractors, guest users, and so forth. A wireless network is also inherently scalable, making it ideal for companies undergoing rapid growth. There are a number of daily usage scenarios, however, that can put your wireless network at risk. Scenario 1: Rogue Devices It’s inevitable…employees will bring their personal devices (smartphones, wearable watches, etc.) to the office, and a percentage of those will attempt to connect to your wireless network (some automatically). While they may only be connected briefly, they are nonetheless connected. If you can’t see them on the wireless network, you can’t control them – and that’s an unnecessary and avoidable risk to take. Scenario 2: Guests Occasionally, an employee might bring their kids to work. Kids being kids these days, they will likely want internet access to play a game or watch YouTube videos on their smartphones or tablets. If you’re lucky, they’ll simply rely on their cellular network to load this content, but if not…guess what? They will try to connect to the corporate wireless network. In this scenario, let’s hope you’ve set up some sort of accessible, internet-only, wireless network, designed to remain separate from the professional corporate network. Scenario 3: Contractors Many businesses hire contractors or consultancies to tackle specific projects. These individuals and groups will need network access for extended periods of time and will need to be granted access to company resources and sensitive, proprietary data. In this instance, you should be employing NAC across your wireless network in order to dictate and enforce the level of access these types of individuals receive based on internal policies. 
How to Protect Your Wireless Network
Of course, these scenarios will mostly be harmless. Mostly. They could, however, serve as an additional attack surface against your network, or as a base from which to launch a wider DDoS attack. In the past few years there have been several large DDoS attacks, such as the 2016 attack on Dyn, launched from botnets of hacked IoT devices. Considering all of these potential risks to your enterprise network, here are a few security focus points to keep your operations safe:
100% coverage and awareness of every access scenario on your wireless network (via simplified 802.1X-based authentication and authorization services), so that you have full awareness of all connecting devices on your networks at all times.
Auto-segmentation: automatically push unmanaged or unwanted devices from your wireless network to a different network (e.g. internet-only). You should be able to automatically classify and place every device connecting to your network in its correct segment based on your own classification. The right technology affords micro-segmentation by fine-tuning the segmentation options in your internal network and offers automated actions to enforce it.
Immediate disconnect options: you should be able to remove devices from your wireless network, both automatically and manually, no matter where the devices are connecting from.
WiFi provides fast and reliable connectivity for employees and visitors and enhances productivity, but if you do not know (or have technology that keeps track of) which devices attempt to connect to your network, there is not much you can do to stop them, or to make sure they land in a harmless section of it. Awareness combined with automated protective actions will allow you to handle all of these scenarios while managing a large number of wireless devices in the enterprise.
SASE & the Future of Network Access Control
            The current enterprise network security practices focus on verifying the identity of the user and the device in a perimeter-less environment, where cloud-hosted technologies prevail in the enterprise and where remote sites include branch offices and employees working from home. In Gartner’s paper “The Future of Network Security is in the Cloud”, one of the key findings is that “network security architectures that place the enterprise data center at the center of connectivity requirements are an inhibitor to the dynamic access requirements of digital business.” And there is a recommendation for enterprises to move their security into the cloud, based on a networking and security model called Secure SASE, a term coined by Gartner’s leading security analysts.   What is SASE? SASE, pronounced “sassy”, stands for Secure Access Service Edge. It is a cloud-based network security model and category, proposed by Gartner in 2019, to support agile secure access to enterprise assets. This model includes the network security solutions in a global and cloud-native service that allows IT teams to easily connect and secure all of their organization’s networks and users in an agile, cost-effective, and scalable way. This is especially useful in the currently globally dispersed digital enterprise. According to Gartner’s analysis, SASE can be characterized as an identity-driven, cloud-native, globally distributed technology that supports and impacts all enterprise edges and IT domains. For example, this would include a branch office in LA along with the main HQ in London, while traveling/mobile team members can connect on the go.     “SASE capabilities are delivered as a service-based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. 
Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems, or edge computing locations.” (Gartner)   SASE addresses the numerous problems with traditional network security methods, many of which are rooted in the idea that network security architectures should be placed at the center of connectivity in the HQ or data center, where typically branch locations are more vulnerable to attack.   Why should I care? What’s the problem? Network security legacy applications cannot efficiently support newer networking use cases that have moved to “the edge”, such as cloud applications, dynamic services, and distributed data in remote branch offices. Traditional on-premises architectures introduce challenges such as latency, large management overhead, networking blind spots, and continuous reconfiguration work by the IT team as vendors, services, and equipment change. Even though the SASE model is not without its own challenges, it can eliminate these issues by removing cumbersome technologies and networking complexities, while moving the entire security process to the network edge (The point where the enterprise-owned network connects to a third-party, particularly cloud technologies. Oftentimes, network administrators refer to their “WAN edge” or “internet edge”). If enterprises try to solve IT challenges as they emerge, with ad-hoc/point solutions, they will be leading themselves into technical compounds that are complex and costly to manage, and that will not necessarily work well with each other in terms of efficiency and speed. Complex and cumbersome communications between IT components slow down IT and its response rate to different business requirements. SASE can change this paradigm because as mentioned, it is identity-driven, cloud-native, globally distributed, and securely connects all edges (WAN, cloud, mobile, and IoT). 
With SASE, enterprises can reduce the time it takes to develop new products, deliver them to the market, and respond efficiently and appropriately to the increasing changes in business conditions.   Shift happens. In the last few years, as more organizations around the world became more decentralized, each office location is considered to be a remote site/ a branch office location, by organizational security controls. Companies either consume access security services in a costly method through data centers, implementing redundant controls in each location, or worse, neglecting the security for that part of the enterprise network altogether. In simple terms, we are talking about delivering an all-access security suite from the cloud and not from the data center. This is in line with the trend of identity brokers moving to the cloud (such as Azure, G Suite, Okta, and others) as well as the continued migration to the cloud of many other cyber-security architectures and IT services. In a scenario where you are implementing an on-premises NAC solution that goes with your on-premises network equipment, you can easily identify and authenticate the end-users. However, if your organization is distributed and like many others, has transitioned to using a cloud-delivered ID broker, then continuing to consume authentication and access services from the cloud make much more sense.     In the diagram, on the left side, we can see the price of not leaving any remote site exposed – either you pay a very high price for each location, or you need to duplicate your security mechanisms in each location which is costly. The second option is to authenticate and obtain your access rights and compliance needs via the closest, geo-redundant cloud service available.   OK, so what happens now? The sensible course of action is to plan a security strategy to be scalable and efficient in the present, while at the same time future-proofing the organization’s security. 
With organizational data migrating to the network edge, it makes sense to authenticate and authorize users and devices in the cloud, thereby assuring that, regardless of equipment and geolocation, employees can securely connect in a cost-efficient manner to the resources they need. [...]
4 Things You Need to Know Before Upgrading Cisco ISE
1. Plan for Professional Services Fees

Cisco ISE is a large, cumbersome and complex application, and it’s unlikely you’ll have the internal resources to throw at an upgrade. You’re not alone. This is why managed service providers exist, after all. With that said, you can expect to be quoted anywhere from 40-65 hours of professional services to initiate, test and complete a full Cisco ISE upgrade. Let’s hope it’s for consecutive versions, and not for a significant jump because you’ve been running a single version for years without upgrading. Depending on the firm you contract for the work, you’ll probably see a range of hourly rates – anywhere from $175-250/hour. So, if we do the math, that’s $7,000 on the low end and $16,250 on the high end. In some cases, ISE customers have even reported paying more for third-party upgrade support. Mind you, Cisco ISE is also a product you’ve already paid for.

2. Set Aside Enough Time

It’s not hard to find Cisco ISE horror stories on Reddit and other online communities where people have detailed their ISE upgrade experiences. In more tragic cases, some ISE customers have taken to these threads to seek real-time help from strangers. The reality is that you cannot and should not rush an ISE upgrade. 10 times out of 10, those who have lived through it will suggest testing the upgrade in your lab before pushing it live to production. This means setting aside the appropriate amount of time to conduct the upgrade and minimize failures (more on that below). Configuration is complicated, and the 50+ page system upgrade checklists are a testament to that. If you’re going to manage an ISE upgrade in-house, prepare for more than 40 hours – especially if you’re not an ISE expert. And if things go awry, don’t expect prompt support from Cisco TAC.

3. Prepare for Failure

There’s a reason that Cisco provides extensive documentation for potential ISE upgrade failures: it happens a lot, especially if you opted to tackle it head-on internally after balking at the above PS costs. Ultimately, planning for failure means planning for service downtime. To minimize the impact of that downtime on operations, you’ll likely need to spend the weekend parsing through pages and pages of ISE upgrade instructions – missing your kid’s soccer game, unable to take your wife out to dinner, and not watching your alma mater play in the big bowl game. Sometimes, in multi-server deployments, some of the servers in the infrastructure will not upgrade successfully. If that happens, you’ll have to rebuild the server as a new node and re-join it to the cluster. Sounds fun, right?

4. Be Mindful of Your Subscription

We all like auto-pay and auto-renew for some of our everyday subscriptions. It’s a little different when you’re talking about a large enterprise application, however. Be aware that Cisco ISE subscriptions automatically renew for an additional 12-month term by default unless auto-renewal is deselected at the time of the initial order. Three months before the end of the initial term, renewal notices will be sent to you, and you or your partner will receive an invoice at the start of the new term. You can cancel a renewal up to 60 days prior to the start date of the new term, but if the subscription is not cancelled 60 days prior to the start of the new term, it will auto-renew. Mid-term cancellations of subscriptions for credit are not allowed. Starting with the release of Cisco ISE 3.0, licensing has changed, and you should check carefully whether you can import your old license or need to migrate to the new licensing method entirely.
There IS an Alternative

With Portnox CLEAR – the first and only cloud-delivered NAC-as-a-Service – organizations gain actionable network visibility and continuous risk monitoring of all endpoints across all access layers – no matter the device type or geo-location. Portnox CLEAR determines device type, location and level of access for every user on the network. Additionally, the platform can identify operating systems, installed applications, services, certificates and more – helping your IT team ensure compliance across the entire workforce. With access control based on the 802.1X protocol, network administrators can block rogue devices, quarantine noncompliant endpoints, limit access to specified resources and more – whatever your internal policy calls for. As a cloud-delivered solution, Portnox CLEAR is simple to configure, deploy and maintain. With built-in integrations to Azure AD, Okta, Microsoft Intune, Palo Alto Networks and more, you can easily mesh your network access control with your existing tech stack and remain as streamlined as ever. Portnox is SOC-certified, GDPR-ready, and can help organizations prepare for regulatory compliance, such as PCI, HIPAA and more. All customer data is encrypted in motion and at rest, user credentials never leave the organization, and administrators can be required to use MFA. [...]
Securing Remote Access for this Credit Union was Easy with Portnox CLEAR
Anticipating a New Reality

University Federal Credit Union (UFCU) is a member-owned credit union and full-service financial co-operative based in Salt Lake City, Utah, that serves over 100,000 members throughout the state. Founded in 1956, the credit union operates 16 branches today and provides a variety of standard personal and business banking products. In early 2020, UFCU began to assess options for securing access through its corporate VPN for employees working remotely. Midway through the first quarter of 2020, this project was accelerated by the COVID-19 pandemic that was sweeping the globe and forcing millions of Americans to work from home – including nearly 200 employees at UFCU. With a rise in remote workers, the credit union – like many other organizations – worried about remote network threats due to unpreparedness.

“At the end of the day, we wanted an easier way to disconnect someone from the VPN,” said Josh Marshall, Information Systems Manager at UFCU. “Additionally, our network security team told us we needed to be able to assure only authorized UFCU employees were connecting through the VPN, which at the time wasn’t quick or robust enough to propagate out. Requests like this began to stack up on top of one another, and we knew we’d need to start searching for a solution that could meet these needs.”

With a growing list of network security requirements and a workforce being sent home seemingly overnight in the midst of a pandemic, Marshall knew time was of the essence.

A Step Closer to Securing Remote Access

It was a third-party contractor working alongside Marshall’s team that eventually recommended Portnox CLEAR to UFCU. As the team researched the solution, they began to realize the platform could check off many of their requirements and deliver a number of other added benefits.

“To sell Portnox CLEAR to our leadership internally, we focused on how the platform met our initial requirements and could also be a value add,” Marshall said. “From 802.1X authentication, a cloud RADIUS server and guest onboarding, to device risk posture assessment and real-time remediation – there were a lot of things that excited us.”

The ability to bring much-needed remote access security functionality together under one roof with Portnox CLEAR would help UFCU save time monitoring network access via VPN, provide better visibility into who was connecting through the VPN and with what device, and ultimately strengthen control over who could access the network and who couldn’t.

Securing & Onboarding a Remote Workforce

UFCU was able to roll out VPN security through Portnox CLEAR quickly, helping to eliminate what could have been a massive IT security headache during a particularly challenging time from a business continuity perspective. “In less than a week, we got everyone’s remote devices onboarded and authenticated with Portnox CLEAR,” said Marshall. Contributing to this quick deployment was the fact that “at UFCU, no personal devices can have VPN access,” Marshall went on to say. For credit union employees, this meant that they would be sent home to work with a managed corporate computer while the COVID-19 pandemic raged on. “Not having a BYOD policy makes things a little bit easier. Since we have about 200 employees working from home, that means we only have about 200 devices out there that can connect to the VPN. Portnox CLEAR’s endpoint assessment and risk-based access control provides the assurance only those devices can connect to the VPN.”

What Lies Ahead for UFCU

Remote workforces aren’t going anywhere – they’re here to stay, even after COVID-19 dissipates. For UFCU, this is likely to hold true as well. While most employees will return to the office when it is deemed safe, the need for trusted and controlled remote access will remain an important part of the business. “Beyond securing remote access, we will consider extending Portnox CLEAR’s network access control coverage across other access layers – starting with replacing our Wi-Fi RADIUS setup,” said Marshall. “Right now, we’re mostly looking forward to exploring the full potential of the platform – particularly instituting risk posture assessment and remediation for devices connecting through the VPN. It’s still early days, but we’re excited to make the most of the platform.” [...]
Your Castle has No Walls! All Hail, Zero Trust
Why today’s boundless company networks are like castles without walls, protected by network security systems stuck in the Middle Ages.

Today, your network likely comprises your LAN, MPLS, SD-WAN, employees’ homes, Azure, Starbucks, Marriott, any airport…you get the idea. Your network extends to wherever authorized devices connect to gain access to company resources. All of the proprietary, confidential or merely sensitive data being accessed across these parts of the network is no longer safe behind your castle walls. Access to everything (from everywhere) has changed the security dynamic.

How does zero trust factor in?

Enter zero trust, a new – well, maybe not that new, but let’s say in vogue – network security model focused on addressing the challenges posed by today’s increasingly complex and extended corporate networks. The zero trust model does not require or expect you to have walls around your networks. With zero trust, as the name implies, NOTHING inside or outside a company is trusted. That means no device or system used by employees is automatically trusted.

Does traditional NAC meet zero trust requirements?

Now, this security model may seem familiar. Isn’t this just like network access control (NAC)? Well, yes and no. NAC has been around since the early 2000s, and has been primarily focused on ensuring only valid and authorized devices can access your network. Traditionally, however, NAC solutions have focused only on the LAN, as that was what existed within the castle walls of an organization. But as I’ve stressed, the typical network extends far beyond the LAN today. To truly achieve zero trust, organizations need a NAC solution that can easily and effectively work when your castle has no walls.

NAC for today’s sprawling networks

Since your employees are likely on the move and using several different devices (desktop, laptop, phone, etc.), any NAC would need to have device awareness no matter where the device is located. And that means not only when it is joining the LAN, but also when it is connecting from home, from a remote office, from Starbucks – awareness anywhere and everywhere, always. Perhaps the most critical factor when assessing your network security needs is the ability to continuously monitor endpoint risk. After all, you can’t just go around authorizing every company PC to connect if it’s not “trusted.” Ensuring endpoints are in a company-compliant state, minimizing or eliminating the potential for endpoints to be hacked and used as a bridge into your network, is crucial. This requires a NAC that is always aware of endpoint risk and can use that awareness to allow or block access. Today, this mixture gives your network the best chance of minimizing such threats. It’s the control part of NAC that ultimately brings the most added value versus endpoint-only zero trust solutions. The ability not only to allow access to your trusted devices, but also to control that access by placing them on the proper VLAN or under an appropriate access control list (ACL), adds a powerful layer of security.

The answer is in the cloud

Lastly, a NAC for today’s boundless network must be “lightweight.” You don’t want to be deploying appliances or software in every remote location, store or office. It takes an immense amount of bandwidth and expertise to execute properly. Couldn’t that investment be better spent elsewhere? This is where traditional NAC solutions fall short. Since they were designed for the old castle network model, they simply aren’t equipped to give you the full visibility and control you need over your extended network to prevent breaches. The answer is NAC delivered as a cloud service. Manageable from anywhere, coverage for everywhere, and with continuous device awareness – a cloud-delivered NAC adhering to the zero trust model can future-proof your increasingly extended network. [...]
Strengthening IoT Security with Cloud-Native DHCP Listening
Enhanced IoT Fingerprinting & Security with Cloud-Native DHCP Listening

More Like the Internet of Everything

With the explosion of new devices connecting to the internet, IoT (the Internet of Things) really might as well be called IoE (the Internet of Everything). The use cases for always-connected devices span industries – from facilities that can now better manage energy usage according to peak customer traffic, and medical devices that can adjust medication levels in seconds, to retail warehouses that can track inventory down to the last widget. It’s undeniable that IoT has been a game-changer. That’s not to say, however, that IoT does not present some unique challenges – specifically for network security professionals.

Who Are You?

The devices themselves tend to run on extremely lean operating systems, which means they don’t run typical monitoring protocols like SNMP. There’s also no possibility of installing extra software like agents. They’re designed to be easy to set up: just point them at an internet connection, which means any user can add an IoT device. This creates an especially tough situation for IT administrators. After all, an essential part of zero trust security is knowing what is on your network, so that you can make sure operating systems and firmware are patched and up-to-date to close the gap on any known vulnerabilities. But how can you know what’s on your network if the devices don’t report back specific identification in any way? This problem has become so common it has a name – “Shadow IoT” – and it’s so prevalent that 80% of IT leaders have found devices on their network they didn’t know about.

IoT Fingerprinting to the Rescue!

To combat this, several companies that make security tools like Network Access Control software have begun offering IoT fingerprinting. This is a way to gather information about IoT devices, like model, OS or firmware, and manufacturer, without requiring the devices to report in. While an absolute game changer for helping secure these devices, it is not without its challenges. The biggest issue is that there is no real standard across devices – most don’t support Simple Network Management Protocol (SNMP) or Windows Management Instrumentation (WMI). Some devices support Universal Plug & Play (UPnP) or Bonjour, but typically you only find that on consumer devices like a Roku or an Apple TV. Some Cisco devices support CDP (Cisco Discovery Protocol), but that doesn’t cover other vendors; some may use LLDP (Link Layer Discovery Protocol) instead, but typically you will find that only on phones, video conferencing equipment, and commercial IP surveillance cameras. Port scanning via Nmap and TCP has more drawbacks – it scales very poorly. Also, with increased pressure on IoT manufacturers to pay more attention to security, more and more devices are being shipped with all ports turned off. And of course, the most basic firewall will raise alarms when a port scan is detected. MAC addresses will get you some information, but they pose some challenges too. The first six hexadecimal digits of a MAC address are called the OUI and they identify the manufacturer. This is useful, but also not very precise: if you find an HP device on your network, that does little to tell you what exactly it is. It also does not tell you anything about the operating system or firmware.

DHCP at first seems like a great option – when a device connects to a network, its first step is typically to request an IP from a DHCP server. During the DORA process (Discover, Offer, Request, Acknowledge) much information is passed back and forth, including information that can fingerprint the device. Many enterprise switches support a process called DHCP gleaning, where the switch listens for DHCP requests on its switchport interfaces; the captured data is treated as device-sensor data and sent along with RADIUS accounting information. The problem here is that not all switches support DHCP gleaning. For the ones that don’t, how do you get the information collected by the DHCP server to your network access control software to do the actual fingerprinting? Some solutions have you install an on-prem DHCP forwarder, which signs your IT team up to deal with deploying and maintaining yet another server, upgrades, patches, etc. Even worse, this separate forwarder creates overhead on your network that may impact your users and sensitive traffic. So is all hope lost, with no reliable way to accurately fingerprint all your IoT devices? Not quite: there’s great news coming.

Portnox’s DHCP Listener Heads to the Cloud

Keep all the magic of a cloud-based solution – vendor agnostic, no maintenance, no upgrades, no worries – AND get the most accurate fingerprinting of all your IoT devices as part of your comprehensive zero-trust solution! You can easily configure your network devices to send the data your DHCP server already gathers in the course of handing out IP addresses to the Portnox SaaS DHCP listener. All you need is a layer 3 device on the same subnet as the devices you want fingerprinted that is NOT also acting as a DHCP server. You will need to configure the DHCP helper, which will forward this information to us. Most devices support using a DHCP helper – in fact, most devices support running multiple, so there is no need to sacrifice anything in your current architecture. The helper will forward DHCP and BOOTP broadcasts on directly connected subnets and relay them to the Portnox DHCP listener on port 67.

If you have bandwidth considerations, you can lay them to rest – DHCP is a very lightweight protocol, consuming less than 350 bytes per request on average. Since we are not making DHCP offers, the only bandwidth consumed is the clients’ DHCP requests that the helper forwards. So let’s say you have 500 clients. A DHCP lease is typically 24 hours, with clients renewing at 12 hours. That means you’d spend 175 kilobytes of total data every 12 hours…even a 28.8 baud modem could handle that. We use this formula to calculate the average bandwidth in bits per second:

(((TOTAL # OF DHCP CLIENTS x 350 BYTES) x 2 FOR 24 HOURS) x 8 TO CONVERT TO BITS) / 86400 SECONDS IN A DAY

In Excel, the equivalent formula would read:

=(((500*350)*2)*8)/86400

This first-of-its-kind SaaS DHCP listener is easy to set up and opens a whole new world of accurate fingerprinting for IoT devices – click here to get started! [...]
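As an added illustration (this is example code, not Portnox’s listener), the block below decodes the fingerprint-bearing fields a relayed DHCP DISCOVER carries (MAC/OUI, hostname, vendor class, the option 55 parameter request list, and the relaying helper’s address) and applies the bandwidth formula above. The packet, the helper address 10.20.0.1 and the two-entry OUI table are constructed for the demo.

```python
"""Added example (not Portnox code): decode the fingerprint-bearing fields of a
relayed DHCP DISCOVER and apply the post's bandwidth formula. Header layout follows
RFC 2131; the sample packet and the small OUI table are constructed for illustration."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE = 0, 12, 53
OPT_PARAM_REQ, OPT_VENDOR_CLASS, OPT_END = 55, 60, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
# Constructed subset; a real listener consults the full IEEE OUI registry.
OUI_TABLE = {"b8:27:eb": "Raspberry Pi Foundation", "00:50:56": "VMware"}


@dataclass
class DhcpFingerprint:
    msg_type: str
    mac: str
    relay_agent: str | None          # giaddr: the DHCP helper that forwarded it
    hostname: str | None = None      # option 12
    vendor_class: str | None = None  # option 60
    param_request_list: list[int] = field(default_factory=list)  # option 55

    def manufacturer(self) -> str:
        """OUI lookup on the first three MAC bytes, as the post describes."""
        return OUI_TABLE.get(self.mac[:8], "unknown")

    def signature(self) -> str:
        """Option 55 request order: a stable, vendor-specific fingerprint that a
        signature database (not included here) maps to an OS/firmware."""
        return ",".join(str(o) for o in self.param_request_list)


def parse_options(blob: bytes) -> dict[int, bytes]:
    """Walk the TLV option area up to END; PAD bytes carry no length field."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def parse_discover(packet: bytes) -> DhcpFingerprint:
    """Decode the 236-byte BOOTP header, the magic cookie and the options."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen, giaddr = packet[2], packet[24:28]
    chaddr = packet[28:28 + min(hlen, 16)]
    opts = parse_options(packet[240:])

    def text(code: int) -> str | None:
        return opts[code].decode(errors="replace") if code in opts else None

    return DhcpFingerprint(
        msg_type=MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "unknown"),
        mac=":".join(f"{b:02x}" for b in chaddr),
        relay_agent=".".join(map(str, giaddr)) if giaddr != bytes(4) else None,
        hostname=text(OPT_HOSTNAME),
        vendor_class=text(OPT_VENDOR_CLASS),
        param_request_list=list(opts.get(OPT_PARAM_REQ, b"")),
    )


def build_discover(mac: bytes, hostname: str, vendor_class: str,
                   param_list: bytes, relay_ip: str) -> bytes:
    """Constructed DISCOVER as a DHCP helper relays it: hops=1, giaddr=helper."""
    giaddr = bytes(int(o) for o in relay_ip.split("."))
    header = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0x8000)  # op..flags
    header += bytes(12) + giaddr             # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\0")           # chaddr (16 bytes)
    header += bytes(192)                     # sname + file
    opts = bytes([OPT_MSG_TYPE, 1, 1])
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
    opts += bytes([OPT_PARAM_REQ, len(param_list)]) + param_list
    return header + DHCP_MAGIC + opts + bytes([OPT_END])


def listener_load(clients: int, bytes_per_request: int = 350,
                  renewals_per_day: int = 2) -> tuple[int, float]:
    """(bytes forwarded per renewal window, average bit/s) using the post's formula
    (((clients * 350) * 2) * 8) / 86400; 500 clients -> 175,000 bytes per window."""
    per_window = clients * bytes_per_request
    return per_window, per_window * renewals_per_day * 8 / 86400


# Constructed sample: a Raspberry Pi-class sensor relayed by a helper at 10.20.0.1.
SAMPLE_DISCOVER = build_discover(bytes.fromhex("b827eb112233"), "sensor-01",
                                 "udhcp 1.30.1", bytes([1, 3, 6, 12, 15, 28, 42]),
                                 "10.20.0.1")
```

The same parser can be pointed at what a helper relays to UDP port 67 on a listener; only the request side is ever seen, which is why the load estimate counts requests alone.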
How Cloud IAM Security Vulnerabilities Are Being Exploited
What is IAM Security?

IAM is an abbreviation for identity and access management. Identity and access management systems allow your organization to manage employee applications without signing in to each app as an administrator. IAM security solutions allow organizations to manage a variety of identities, including people, software, and hardware.

IAM Infrastructure

Over the past few years, businesses have been moving from on-prem to cloud-based operations. This has been driven largely by the rise of SaaS applications that have allowed businesses to increase operational efficiency through the cloud. While this brings numerous business advantages, it has further complicated the array of appliances and services needed to keep the business running smoothly. Many organizations use multiple cloud service providers across numerous different services. This has increased infrastructure complexity while making security management more difficult. Added to this is the fact that cloud environments are always up and reachable. This availability allows the business to run smoothly without fail, but also leaves them exposed to exploitation whenever a malicious actor wants to access them.

IAM security layers have become an increasingly popular attack vector as things have moved to the cloud. Such attacks use phishing-acquired security tokens to devastating effect, allowing a cybercriminal to assume any role within the network. Cloud providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud all have various IAM security measures for managing their platforms. Using Amazon Web Services’ IAM policies as an example, we will look at how a malicious attacker could exploit a vulnerability and assume roles.

IAM Security Roles

First, we need to understand how IAM roles come into play. Authentication tokens are assigned to each user identity in AWS. But suppose you wanted to offer network access to a third-party application, tool, or web server. Creating and maintaining user accounts for each service could prove quite difficult. AWS considered this issue and created a solution known as the IAM role. A role has no username/password or access key, as it doesn’t pertain to a specific user. IAM roles serve as a distinct identity with assigned permissions that determine what the identity can and can’t do within AWS. When users need to take on different responsibilities, other roles can be assigned to them.

IAM Security Vulnerabilities

The complexity of enterprise cloud infrastructure has increased the exploitation of IAM security vulnerabilities. Exploitation can occur in various scenarios, such as when debugging in a DevOps environment, where an administrator is granted permissions for testing. These may be forgotten after testing is completed, allowing an attacker to potentially reuse the administrator credentials to access other parts of the cloud environment. IAM security threats might also stem from other vulnerabilities such as:

Server-Side Request Forgery (SSRF)

Assume a cyber attacker discovered a website running an unpatched application with a common server-side request forgery (SSRF) vulnerability. An SSRF vulnerability allows an attacker to make a server-side application send HTTP requests to a destination of the attacker’s choice. Suppose the webpage normally displays its English version via eng.php. If an attacker changes that reference to point at another URL, the web server will comply and fetch it. Since the request originates from an internal source, an internal resource (such as the instance metadata server) will answer it.

Misconfigurations

Misconfigurations are another major cause of breaches in IAM and cloud environments, often leading to data loss or unauthorized access to cloud systems. They often arise from a poor understanding of the organization’s complex cloud environment. Fortunately, there are various tools and methods that organizations can use to address this. Companies should implement a solution that can identify both malicious and unintentional misconfigurations in cloud setups from all entry points, while supporting a multi-cloud environment. Along with detecting misconfigurations, this solution should offer a means to correct them.

Cloud-Native Application Protection Platform (CNAPP)

Cloud-native application protection platforms offer a solution to common IAM vulnerabilities such as these. A CNAPP analyzes both the cloud infrastructure plane and the workloads to give you a complete picture of both. Logging offers one effective measure for mitigating IAM vulnerabilities by providing insight into who and what is active within a given network. It is important for enterprises to gain complete visibility of their complex cloud environments to mitigate IAM security threats. Since access to a network can be granted either directly or indirectly, graph models can be used to clearly illustrate the specific relationships between identities and their respective rights. Since each organization’s structure and demands are unique, the ability to leverage granular insight into this data is critical.

Cloud IAM Security: Final Thoughts

Implementing the above steps to increase and manage your network visibility, data logging, and misconfiguration detection will help mitigate cloud IAM security vulnerabilities while preventing major security breaches before they happen. [...]
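The SSRF scenario in this post (a server-side fetch redirected at the instance metadata server) is normally broken by vetting outbound URLs before the application fetches them. The block below is an added example of such an egress guard, not code from the post or from Portnox; the metadata endpoints it names are the documented AWS and GCP ones, while the stub resolver, the hostnames and the sample URLs are constructed so it runs offline.

```python
"""Added example (not Portnox code): an egress guard for server-side fetches, the
control that breaks the SSRF-to-instance-metadata path the post describes. The
metadata endpoints are the documented AWS/GCP ones; the stub resolver and sample
URLs are constructed for the demo."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Cloud metadata services sit on link-local addresses; naming them explicitly
# refuses them even before any DNS lookup happens.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Default resolver: every address the OS would actually connect to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). A URL is allowed only if its scheme is http(s) and
    every address its host resolves to is globally routable: link-local (IMDS),
    private, loopback, multicast and unspecified targets are all refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.rstrip(".").lower() in METADATA_HOSTS:
        return False, f"metadata endpoint {host!r} refused"
    try:
        addrs = [ipaddress.ip_address(host)]       # IP literal, incl. [IPv6]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host!r}"
        if not addrs:
            return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped                # ::ffff:169.254.169.254 disguise
        if not addr.is_global:
            return False, f"{host!r} resolves to non-public {addr}"
    # Caveat: connect to the vetted address (or re-check at connect time), so a
    # DNS answer that changes between this check and the fetch cannot bypass it.
    return True, "ok"


def _stub_resolver(host: str) -> list[str]:
    """Constructed DNS answers for the offline demo; use system_resolver in production."""
    table = {
        "api.partner.example": ["1.2.3.4"],
        "dual-answer.example": ["1.2.3.4", "169.254.169.254"],  # one bad answer is enough
    }
    if host not in table:
        raise socket.gaierror(f"unknown host {host}")
    return table[host]


SAMPLE_URLS = [                                     # constructed
    "https://api.partner.example/v1/status",        # legitimate partner API
    "http://169.254.169.254/",                      # AWS IMDS by address
    "http://[fd00:ec2::254]/",                      # AWS IMDS over IPv6
    "http://dual-answer.example/",                  # hostname with a link-local answer
    "file:///etc/passwd",                           # wrong scheme
]


def demo() -> dict[str, bool]:
    """Verdict per sample URL using the stub resolver."""
    return {u: check_outbound_url(u, _stub_resolver)[0] for u in SAMPLE_URLS}
```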
What Can Lean IT Teams Do to Strengthen Network Security?
Even a decade ago, the operations, systems and digital footprints of most medium to large companies had become overwhelmingly complex. Over the last ten years, these digital corporate footprints have expanded to reach and capture growth from previously untapped corners of the world. More recently, the business imperatives of the COVID-19 pandemic spurred faster adoption of enterprise software solutions – particularly Software-as-a-Service (SaaS) – that pushed data beyond the organization’s physical perimeter. This has all added significant pressure to already lean IT teams. The truth is that lean IT teams have to reassess and realign their priorities. This means leveraging technical security essentials in a way that eases the burden on them. In practice, the first step is to begin adopting network security solutions that accommodate today’s most common networking hardware; provide out-of-the-box integrations with critical security tools such as Intune, MFA, and popular SIEM solutions; and work in conjunction with firewalls and endpoint security solutions.

Securing Networks is Only Getting Harder

Events like the recently exploited Log4j vulnerability continue to keep IT security teams on their toes. Little can be done to plan for, let alone prevent, such wide-reaching software flaws – hundreds of Cisco, VMware, IBM and Oracle products were affected in this instance, including more than 120 different configurations of Cisco Identity Services Engine (ISE). The unfortunate reality is that these events ultimately mean lost weekends patching systems, as well as assessing the damage done to the network and the devices. In many cases, it means bringing in more skilled professionals to investigate, diagnose, and implement – a costly endeavour you likely would not have budgeted for. Other ongoing IT priorities are also inevitably pushed to the side while mitigation is underway. Such exploits and the subsequent critical system fixes are particularly keenly felt by the mid-market. This segment is often considered the backbone of the economy, yet it’s underserved when it comes to purpose-built network security essentials, including network access control technologies.

Lean IT Should Maximize Value

For resource-strapped IT teams, these unpredictable security incidents can seem insurmountable, especially when the onus is on the customer to patch their own software. Constant fire drills lead to stress, burnout and turnover – something many organizations simply can’t afford. Instead of helping alleviate stress on lean IT teams, traditional on-premises network security vendors make the problem worse. Their solutions require extensive, ongoing integration and maintenance. Complicating matters further, specialized point solutions don’t mesh easily to provide a holistic view of the network. This then brings us to the question of value. Wouldn’t it be more valuable to bring in IT security essentials that can reduce this stress and anxiety by eliminating the need for heavy systems maintenance? Wouldn’t it be valuable to free up the time spent putting out fires and use it to modernize your IT security stack? In practice, this means adopting and deploying network security solutions that deliver the essential functionality and capabilities we laid out earlier. It also means turning to SaaS for security. And for network security, it means choosing the right cloud-native NAC. [...]
10 Differences Between Cloud-Native & “Faux” Cloud Security Products
For IT and security teams with limited staff and tight budgets, cloud-native software-as-a-service (SaaS) security products offer tremendous value. Some CIOs have even mandated that new security tools be delivered in the cloud where possible. Some vendors with older on-premises products have tried to sneak their products in by claiming they are now “in the cloud,” but the truth is that this is a façade. Let’s call these products “faux” cloud security, to contrast them with products that are truly “cloud native.” Vendors of faux cloud products hope that with a little marketing smoke and mirrors, they can use some “cloudy” language and potential buyers will not know the difference. When we say faux cloud, technically speaking, we mean that the vendor is just allowing the customer to host their on-premises product in the customer’s public cloud account. This means the customer still must install, configure, deploy, maintain, update, and eventually decommission that product. In other words, you as the customer must do all the work. The only “cloud” aspect of this arrangement is that you can do all the work on a server you are renting (that is, paying for) from AWS, Azure, Oracle, Dell, etc.

Faux Cloud Security in the Real World

A real-world example of this software sleight-of-hand is Cisco’s Identity Services Engine (ISE). Cisco delivers ISE as a virtual appliance to handle network access control (NAC) – a critical component of any effective cyber security stack. As of ISE’s latest version, a customer can deploy the software in their own AWS or Azure accounts. That is the long and short of it, however. The well-known challenges of setting up ISE – or any other network security appliance – remain. It is difficult to get your ISE server configured properly and communicating with all your network equipment, even after having committed over 1,200 pages of ISE documentation to memory.

Cloud Native Reduces the Hassles

In contrast, a truly cloud-native solution allows the customer to sign up through a web page, configure as needed, and move on – the application just works out of the box. Period. Now, that’s the easy part. As your organization consumes a cloud service, it does not have to concern itself with the nagging issues and questions common with on-premises software (e.g., How do we roll out patches and upgrades? Is there a security vulnerability in the operating system? Who is handling system backup?). You, as the end-user, have historically been responsible for these items with legacy on-premises software. Portnox CLEAR NAC-as-a-Service is cloud-native – “born in the cloud,” as it were. To deploy CLEAR, a customer just needs to visit the sign-up page, enter their wireless controller information, configure the RADIUS settings on the network device, and CLEAR will begin enforcing policies. Portnox customers have done this in as little as 30 minutes from start to finish. As is true of cloud-native solutions in other domains, customers can see value in minutes, not days, weeks, or even months. No complexity. No hassle.

Knowing the Difference Before You Commit

As a potential customer, how can you distinguish cloud-native from faux cloud security software? There are a few telltale signs. The table below summarizes some of the most salient differences. When you evaluate a new vendor, be sure to ask questions such as: Who is paying for the infrastructure? Who is responsible for updates and upgrades? [...]
The Coronavirus & the Cloud – A Winning Combination for Hackers
Originally posted on People and Computers

“The combination of changing work patterns due to the coronavirus, with the increasing migration to cloud environments, creates a new and significant challenge for corporate information security managers,” said Ofer Amitai, one of the founders and CEO of Portnox, explaining how it can be answered at the identification stage.

“One day, a food supplier from abroad called me. One of the company’s employees, who was fired, connected to the organization’s operating systems, changed the temperature of the meat refrigerators and caused damage and loss of goods worth millions of dollars. That’s how they understood that more vital identification is needed on the network and contacted us,” Ofer Amitai, one of the founders and CEO of Portnox, told People and Computers.

“The coming period will be characterized by hybrid work. This format makes remote work an integral part of all workers’ activities, and those who have not yet dealt with a remote work method will do so today or tomorrow. It will enable regular work alongside the protection of the organization and its resources. The combination of changing work patterns due to the coronavirus, with the growing migration to cloud environments, creates a new and significant challenge for corporate information security managers, and is a winning combination for hackers,” continued Amitai.

What is the main challenge for information security managers?

“Above all the challenges facing the information security manager, there is a major challenge, and that is that he must understand who and what threats he is facing,” Amitai noted. “One of the most difficult challenges for the organization is the migration to the cloud – how the systems and data will be kept secure in this new environment on the one hand, and that all systems will work on the other. Israel is slightly behind the US market in cloud adoption. It will be like the main headquarters so that one day everything will be connected to the cloud, and the services will be consumed from it, without the need to join the offices to the branch.”

He added that “when setting up secure access control to the corporate network, make sure that application-level privileges are managed – whether via remote connection (VPN) or user management (VDI), which allows remote, virtual access to the desktop. Connection security must also be ensured via MFA – multi-step authentication of the user. Then the end station must be handled, including personal devices that employees bring from home. The goal is to maintain a consistent level of information security, regardless of the identity of the end device.”

A significant promise – but also risky

Portnox was established in 2007 to help organizations protect their corporate networks through the use of technology that allows them to see all devices connected to the network and to perform preventative and corrective actions that defend it from risk-prone devices. “This is a technology that makes life easier for information security managers in their day-to-day work,” Amitai explained. “When someone accesses the network – via a remote, local connection or cable – Portnox knows how to make a strong identification of the device and the user. We do not manage the end component, but its risks,” said Amitai. “Our product in the cloud, Portnox CLEAR, enables organizations to protect the enterprise network via the cloud. The solution complements the security layer for VPN and VDI solutions. Through continuous risk monitoring capabilities on end stations and devices, information security principles are maintained and enforced – regardless of physical location. The end station, whether inside or outside the organization, and whether it is owned by the company or belongs to the employee – all stations thus become secure and authenticated devices that comply with the organizational security policy, all through enforcement by the policy definition of the organization, which changes according to its needs.”

In conclusion, Amitai stated that “all the trends in the market bring with them a great promise – but also risks. They expose organizations to more hacks into their network, which makes them look for security solutions like ours – smart, easy to manage, and ones that make sure the corporate network is secure. We have a wide range of enterprise and SMB clients who come from many sectors, including the medical, banking, and high-tech sectors. In the past year, we have experienced a 30% increase in revenue, and I estimate that the growth trend, which continues this year, will continue in 2022.” [...]
Is Secure Access Service Edge the Future of Network Security?
All Hail, SASE!

SASE, pronounced “sassy,” stands for Secure Access Service Edge. It is a cloud-based network security model and category proposed by Gartner in 2019. This model includes the network security solutions in a global, cloud-native service that allows IT teams to easily connect and secure all of their organization’s networks and users in an agile, cost-effective, and scalable way. This is especially useful in today’s globally dispersed digital enterprise. According to Gartner’s analysis, SASE can be characterized as an identity-driven, cloud-native, globally distributed technology that supports and impacts all enterprise edges and IT domains. For example, this would include a branch office in LA along with the main HQ in London, while traveling/mobile team members can connect on the go. SASE addresses the numerous problems with traditional network security methods, many of which are rooted in the idea that network security architectures should be placed at the center of connectivity in the HQ or data center, an arrangement in which branch locations are typically more vulnerable to attack.

The Fundamentals of Secure Access Service Edge

According to Gartner, in the cloud-centric digital business, users, devices, and the networked capabilities they require secure access to are everywhere, and what security and risk professionals in a digital enterprise need is a worldwide fabric/mesh of network and network security capabilities that can be applied when and where needed to connect entities to the networked capabilities they need access to. Implementing a SASE architecture would benefit enterprises by providing:

• Lower costs and complexity – Network Security as a Service should come from a single vendor. Consolidating vendors and technology stacks should reduce cost and complexity.
• Agility – Enable new digital business scenarios (apps, services, APIs), and make data shareable to partners and contractors with less risk exposure.
• Better performance/latency – Latency-optimized routing.
• Ease of use/transparency – Fewer agents per device; less agent and app bloat; consistent application experience anywhere, on any device. Less operational overhead by updating for new threats and policies without new HW or SW; quicker adoption of new capabilities.
• Enable ZTNA – Network access based on the identity of the user, device, and application – not IP address or physical location – for seamless protection on and off the network; end-to-end encryption. Extended to the endpoint with public Wi-Fi protection by tunneling to the nearest Point of Presence (POP).
• More effective network and network security staff – Shift to strategic projects like mapping business, regulatory, and application access requirements to SASE capabilities.
• Centralized policy with local enforcement – Cloud-based centralized management with distributed enforcement and decision making.

SASE & Network Access Control

In essence, SASE converges the functions of network and security solutions into a single, unified cloud service. This marks an architectural transformation within the realm of enterprise networking and security, and it means that IT teams can now deliver a holistic and flexible service to their businesses. The logical next step in the evolution of network security is for organizations to be able to leverage a NAC solution that’s delivered as a cloud service. This eliminates the need for costly on-site appliances and ongoing maintenance. Now, all that’s needed to control network access at branches and the headquarters alike is an internet connection. [...]
RADIUS Authentication, Now in the Cloud
Understanding RADIUS Authentication

Remote Authentication Dial-In User Service (RADIUS) is a protocol that was historically designed to authenticate remote users to a dial-in access server. Today, RADIUS authentication is used across an array of scenarios and is well known for its AAA capabilities – authentication, authorization, and accounting. By centralizing AAA capabilities, organizations give themselves improved security and greater efficiency. RADIUS servers provide each business with the ability to preserve the privacy and security of both the system and each individual user.

A basic RADIUS accounting process includes:

• The process starts when the user is granted access to the RADIUS Server.
• The RADIUS Client sends a RADIUS Accounting-Request packet, known as Accounting Start, to the RADIUS Server. The request packet comprises the user ID, network address, session identifier, and point of access.
• During the session, the Client may send additional Accounting-Request packets, known as Interim Update, to the RADIUS Server. These packets include details like the current session duration and data usage, and they serve the purpose of updating the information about the user’s session on the RADIUS Server.
• Once the user’s access to the RADIUS Server ends, the RADIUS Client sends another Accounting-Request packet, known as Accounting Stop, to the RADIUS Server. The packet includes information such as total time, data and packets transferred, the reason for disconnection, and other information relevant to the user’s session.

Ultimately, RADIUS authentication prevents your organization’s confidential data from being leaked. It also allows easy depreciation capabilities and enables individual users to be assigned unique network permissions based on their location, role, etc.

RADIUS Authentication in the Cloud

It’s well known today that RADIUS authentication is an effective way of enhancing network security, visibility and control. Just as more and more organizations move their enterprise software stack to the cloud, so too are they demanding flexibility and ease of deployment as it relates to RADIUS. This has given rise to the cloud RADIUS, a modern take on the traditional on-premise RADIUS server. Standing up a cloud RADIUS offers several benefits for your organization, including:

• Built-in redundancy
• Ease of deployment
• Cost efficiency
• Auto-scaling
• …the list goes on

For these reasons, network engineers are turning to cloud RADIUS solutions in droves. And as vendors like Portnox continue to make advances in machine learning, the reliability and feature sets of cloud RADIUS options become more and more appealing.

Portnox CLEAR’s Cloud RADIUS

Securing your network will always be a priority – no doubt one of many priorities your IT team is faced with – but it doesn’t need to be a drain on time and resources. With Portnox’s RADIUS-as-a-Service solution, companies can now efficiently and affordably authenticate to Wi-Fi, VPN, switches and network devices, while simplifying administration and enabling long-term scalability. Tired of all the heavy lifting when it comes to standing up RADIUS servers? We feel your pain; that’s why we’re making it easier than ever to securely authenticate and control wired and wireless network access for all your users and devices.

How it Works [...]
Go hack yourself: How to thwart network hacks by cybercriminals, like Iran’s state-sponsored Pay2Key attacks
Originally posted on The Times of Israel

Thwarting network hacks like the attempted Portnox breach

Whether motivated by geopolitical power, personal gain, or mere curiosity, cybercriminals are currently embracing a renaissance. Like drifting bandits in the once-lawless American West, hackers are striking corporations and individuals with relative impunity. There’s no shortage of incidents to point to; the spate of Pay2Key ransomware attacks on Israeli companies at the end of 2020 by state-sanctioned Iranian hackers, such as the attempted Portnox breach, serves as a recent example of such activities. What we know today is that social engineering, email phishing, unpatched firewalls, password stuffing, malware and ransomware make up the bulk of these attacks. And it goes without saying: leaked data can be costly. Today the average cost of a data breach is nearly $4 million. Larger corporations aren’t the only targets. Nearly half of all network breaches target small businesses that simply can’t afford to absorb these losses.

Unfortunately, you don’t need to hold a doctorate in Computer Science from MIT to learn how to identify and take advantage of network vulnerabilities and cause widespread damage to companies and individuals. Look at the Fortinet VPN hack, for example. With 50,000 hosts representing hundreds of thousands of compromised accounts belonging to some of the world’s largest banks, telecoms and government entities released onto the Dark Web, even the weekend hacker has the intel and direction needed to cause destruction. There’s much to be learned and applied from these hacks, however. So, while it’s unlikely we’ll be able to eliminate these incidents in their entirety, there are ways we can mitigate network breaches.

Preventing lateral movement

Lateral movement is a technique used by cybercriminals to dig deeper into a network in search of sensitive data and other valuable assets. Once they’ve gained access to a network, hackers will typically maintain ongoing access by moving through the network and obtaining increasingly elevated levels of privilege, similar to what was attempted by the Iranians in the Portnox breach. There are a variety of steps that, when used in conjunction with one another, can help to prevent lateral movement. Critical among these steps is implementing adaptive network access controls. “Adaptive” effectively means several things: (1) you can monitor the risk posture of connecting devices and block/allow access based on the perceived risk level; and (2) you can block/allow access to the network based on a user’s geolocation. These types of adaptive access controls, when paired with MFA – multifactor authentication – and strong password policies, can help to fortify your network.

Segmenting the network

Network segmentation is the practice of dividing up a network into smaller parts, in which only assigned people have access to different parts of the network depending on their role and responsibilities. Network segmentation effectively reduces a cybercriminal’s vantage point into your larger network. Segmenting your network can be done broadly or granularly. In effect, you want to be able to ensure that application and resource servers do not trust one another, and that any attempt to cross between them requires MFA, adaptive access control and session monitoring. Implementing microsegmentation means looking at the context of the user or device – their role, location, application, etc. – and defining access privileges based on that holistic profile.

Preventing attacks like the attempted Portnox breach

There’s a lot to unpack here. At the end of the day, truly mitigating network breaches requires implementing a network access control (NAC) solution that can discover, authenticate and segment users across the network, while monitoring the risk of their connected devices and remediating those devices in real time should they fall out of compliance. By leveraging NAC, organizations can deter further exposure, potentially saving themselves millions of dollars in the process. [...]
The 5 Key Values of Portnox CLEAR
The problem with most traditional on-premise network access control solutions is their complexity across many fronts, including initial setup, configuration, scalability, and ongoing maintenance and upgrades. As a truly cloud-delivered NAC service, Portnox CLEAR delivers SIMPLICITY across all of these critical areas.

VALUE 1: Setup Simplicity

Unlike traditional on-premise solutions that require hardware appliances, software, and other on-premise elements, with Portnox CLEAR you simply create your dedicated instance in Microsoft Azure using your company email or via SSO (such as Azure AD or GSuite) in a matter of just minutes! With your dedicated instance of CLEAR created, you simply check the appropriate box(es) to create your RADIUS instance. Dedicated F5 load balancers are spun up and auto-scale as well, so you never have to be concerned with service performance or scalability – it will automatically expand as needed to meet demand. Portnox CLEAR’s simplicity extends to out-of-the-box integration and one-click setup for several common directory services, including:

• On-premise AD
• Azure AD
• G-Suite
• Okta Universal Directory

SIEM integration is as simple as providing the IP/port, protocol type (TCP, UDP, HTTPS), and data format (JSON/CEF).

VALUE 2: Configuration Simplicity

The complexity of traditional on-premise NAC does not stop at the initial setup of the local appliance(s), load balancing, RADIUS, and other on-premise components. As shown in the sample policy screenshots below, the complexity of traditional NAC extends to policy configuration that is often layered with multiple and nested interdependencies. From inception, the focus with CLEAR has been to simplify policy configuration, allowing CLEAR to be fully deployed and operational in a matter of hours/days vs. traditional NAC, which typically can take weeks, or in many cases months, to roll out. Intuitive, easy-to-configure access control, risk, and remediation policies are at the foundation of Portnox CLEAR, as reflected in the sample screenshots below.

Risk Policies

Easily configure risk-based access controls for all devices or for different groups of devices (i.e. accounting, engineering, etc.) by simply assigning a risk value to each group’s relevant compliance checks. A simple slide bar easily turns risk values into action (allow, alert, block). It’s that SIMPLE! Unlike traditional NAC that monitors device risk ONLY when the device is on or connected to the network, Portnox CLEAR will monitor risk all the time, regardless of whether the device is on or off the network.

Remediation Policies

While it is important to continuously be aware of the current risk posture of a device and to be able to use that awareness as part of access control, the ability to proactively take action on the endpoint to help assure that a minimum level of compliance is always maintained can be equally important. As with all other policy configurations, setting group-specific remediation policies in CLEAR is as simple as a few clicks. Unlike traditional NAC that will take remediation actions ONLY if the device is on the network, Portnox CLEAR proactively enforces remediation actions all the time, regardless of whether the device is on or off the network.

VALUE 3: On-Demand Auto-Scale

Delivered as a cloud service, Portnox CLEAR eliminates the need for the capacity planning of on-premise software or appliances, and eliminates the need to expand capacity or upgrade appliances to meet future growth needs. Portnox CLEAR services will automatically expand on demand to meet any demand spikes and future growth. Our Azure services scale up (and down) automatically based on usage and load. We can automatically control the VM size and the scale-up/down rules. For the RADIUS component, we use Azure Kubernetes to manage the instances and allow scaling based on demand. We use an F5 load balancer to channel the traffic to the right instances and make sure the scaling is transparent to the end user.

VALUE 4: Ease of Integration

Portnox CLEAR continues to expand native integrations and simplified out-of-band integration through an included REST API. Current integrations include:

• Active Directory
• Azure AD
• GSuite
• MS Intune
• OKTA
• Palo Alto
• SIEM (any/all leading vendors)

Portnox CLEAR also integrates with all leading anti-virus providers to validate and remediate (update) as part of CLEAR compliance and remediation capabilities. Portnox CLEAR also includes a RESTful API over HTTPS that can be used from any programming language that supports REST calls or invoked directly through any HTTPS client such as cURL.

VALUE 5: Zero-Touch Maintenance

As a true SaaS solution, Portnox CLEAR is truly zero-touch!

• No ongoing software updates/patching
• No management of scheduled downtime
• No hardware or software end-of-life issues

[...]
SASE & the Future of Network Access Control
The current enterprise network security practices focus on verifying the identity of the user and the device in a perimeter-less environment, where cloud-hosted technologies prevail in the enterprise and where remote sites include branch offices and employees working from home. In Gartner’s paper “The Future of Network Security is in the Cloud,” one of the key findings is that “network security architectures that place the enterprise data center at the center of connectivity requirements are an inhibitor to the dynamic access requirements of digital business.” And there is a recommendation for enterprises to move their security into the cloud, based on a networking and security model called SASE, a term coined by Gartner’s leading security analysts.

What is SASE?

SASE, pronounced “sassy,” stands for Secure Access Service Edge. It is a cloud-based network security model and category, proposed by Gartner in 2019, to support agile secure access to enterprise assets. This model includes the network security solutions in a global, cloud-native service that allows IT teams to easily connect and secure all of their organization’s networks and users in an agile, cost-effective, and scalable way. This is especially useful in today’s globally dispersed digital enterprise. According to Gartner’s analysis, SASE can be characterized as an identity-driven, cloud-native, globally distributed technology that supports and impacts all enterprise edges and IT domains. For example, this would include a branch office in LA along with the main HQ in London, while traveling/mobile team members can connect on the go.

“SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems, or edge computing locations.” (Gartner)

SASE addresses the numerous problems with traditional network security methods, many of which are rooted in the idea that network security architectures should be placed at the center of connectivity in the HQ or data center, an arrangement in which branch locations are typically more vulnerable to attack.

Why should I care? What’s the problem?

Network security legacy applications cannot efficiently support newer networking use cases that have moved to “the edge,” such as cloud applications, dynamic services, and distributed data in remote branch offices. Traditional on-premises architectures introduce challenges such as latency, large management overhead, networking blind spots, and continuous reconfiguration work by the IT team as vendors, services, and equipment change. Even though the SASE model is not without its own challenges, it can eliminate these issues by removing cumbersome technologies and networking complexities, while moving the entire security process to the network edge (the point where the enterprise-owned network connects to a third party, particularly cloud technologies; oftentimes, network administrators refer to their “WAN edge” or “internet edge”). If enterprises try to solve IT challenges as they emerge, with ad-hoc/point solutions, they will be leading themselves into technical compounds that are complex and costly to manage, and that will not necessarily work well with each other in terms of efficiency and speed. Complex and cumbersome communications between IT components slow down IT and its response rate to different business requirements. SASE can change this paradigm because, as mentioned, it is identity-driven, cloud-native, globally distributed, and securely connects all edges (WAN, cloud, mobile, and IoT). With SASE, enterprises can reduce the time it takes to develop new products, deliver them to the market, and respond efficiently and appropriately to the increasing changes in business conditions.

Shift happens.

In the last few years, as more organizations around the world became more decentralized, each office location has come to be considered a remote site/branch office location by organizational security controls. Companies either consume access security services in a costly manner through data centers, implement redundant controls in each location, or, worse, neglect the security for that part of the enterprise network altogether. In simple terms, we are talking about delivering an all-access security suite from the cloud and not from the data center. This is in line with the trend of identity brokers moving to the cloud (such as Azure, G Suite, Okta, and others) as well as the continued migration to the cloud of many other cyber-security architectures and IT services. In a scenario where you are implementing an on-premises NAC solution that goes with your on-premises network equipment, you can easily identify and authenticate the end users. However, if your organization is distributed and, like many others, has transitioned to using a cloud-delivered ID broker, then continuing to consume authentication and access services from the cloud makes much more sense.

In the diagram, on the left side, we can see the price of not leaving any remote site exposed – either you pay a very high price for each location, or you need to duplicate your security mechanisms in each location, which is costly. The second option is to authenticate and obtain your access rights and compliance needs via the closest geo-redundant cloud service available.

OK, so what happens now?

The sensible course of action is to plan a security strategy to be scalable and efficient in the present, while at the same time future-proofing the organization’s security. With the organizational data migrating to the network edge, it makes sense to authenticate and authorize users and devices in a cloud format, thereby assuring that regardless of the equipment and geolocation, employees can securely connect in a cost-efficient and secure manner to the needed resources. [...]
Securing Remote Access for this Credit Union was Easy with Portnox CLEAR
            Anticipating a New Reality University Federal Credit Union (UFCU) is a member-owned credit union and full-service financial co-operative based in Salt Lake City, Utah, that services over 100,000 members throughout the state. Founded in 1956, the credit union operates 16 branches today, and provides a variety of standard personal and business banking products. In early 2020, UFCU began to assess options for securing access through its corporate VPN for employees working remotely. By midway through the first quarter of 2020, this project had been accelerated thanks to the COVID-19 pandemic that was sweeping the globe and forcing millions of Americans to work from home – including nearly 200 employees at UFCU. With a rise in remote workers, the credit union – like many other organizations – worried about remote network threats due to unpreparedness. “At the end of the day, we wanted an easier way to disconnect someone from the VPN,” said Josh Marshall, Information Systems Manager at UFCU. “Additionally, our network security team told us we needed to be able to assure only authorized UFCU employees were connecting through the VPN, which at the time wasn’t quick or robust enough to propagate out. Requests like this began to stack up on top of one another, and we knew we’d need to start searching for a solution that could meet these needs.” With a growing list of network security requirements and a workforce being sent home seemingly overnight in the midst of a pandemic, Marshall knew time was of the essence. A Step Closer to Securing Remote Access It was a third-party contractor working alongside Marshall’s team that eventually recommended Portnox CLEAR to UFCU. As the team researched the solution, they began to realize the platform could check off many of their requirements and deliver a number of other added benefits. 
To sell Portnox CLEAR to our leadership internally, we focused on how the platform met our initial requirements and could also be a value add,” Marshall said. “From 802.1X authentication, a cloud RADIUS server and guest onboarding, to device risk posture assessment and real-time remediation – there were a lot of things that excited us.” The ability to bring much-needed remote access security functionality together under one roof with Portnox CLEAR would help UFCU save time monitoring network access via VPN, provide better visibility into who was connecting though the VPN and with what device, and ultimately strengthen control over who could access the network and who couldn’t. Securing & Onboarding a Remote Workforce UFCU was able to roll out VPN security through Portnox CLEAR quickly, helping to eliminate what could have been a massive IT security headache during a particularly challenging time from a business continuity perspective. “In less than a week, we got everyone’s remote devices onboarded and authenticated with Portnox CLEAR,” said Marshall. Contributing to this quick deployment was that fact that “at UFCU, no personal devices can have VPN access,” Marshall went on to say. For credit union employees, this meant that they would be sent home to work with a managed corporate computer while the COVID-19 pandemic raged on. “Not having a BYOD policy makes things a little bit easier. Since we have about 200 employees working from home, that means we only have about 200 devices out there that can connect to the VPN. Portnox CLEAR’s endpoint assessment and risk-based access control provides the assurance only those devices can connect to the VPN. What Lies Ahead for UFCU Remote workforces aren’t going anywhere – they’re around to stay, even after COVID-19 dissipates. For UFCU, this is likely to hold true as well. 
While most employees will return to the office when it is deemed safe, the need for trusted and controlled remote access will remain an important part of the business. “Beyond securing remote access, we will consider extending Portnox CLEAR’s network access control coverage across other access layers – starting with replacing our WiFi RADIUS setup,” said Marshall. “Right now, we’re mostly looking forward to exploring the full potential of the platform – particularly instituting risk posture assessment and remediation for devices connecting through the VPN. It’s still early days, but we’re excited to make the most of the platform.” [...]
Last Mile Security: Why It’s More Important Today Than Ever Before
It’s official: perimeter security is old news. Thanks to the rise of cloud services, SASE architecture, and global pandemics, it’s time we discussed securing the “last mile.” Last mile security is a lot like a marathon – it’s lonely and hard to get to – but without it, you won’t get a medal at the finish line.
What Constitutes the “Last Mile” Today?
The “last mile” refers to all of the network components that physically sit outside of your headquarters or branch offices and that remote workers use to connect to enterprise systems and resources. Typically, the initial line of demarcation beyond your organization is a router. These routers could be located within an employee’s home, at a local cafe (those places where we went to socialize prior to COVID-19…sigh), an airport, etc. As you expand out beyond the router, you start to see an expanding network of unmanaged devices such as smart TVs, wireless phones, and smart home and home security appliances in the residence. Last but not least – there’s the crown jewel – the employee’s primary endpoint – the device that he/she uses to access corporate resources and data remotely. Most of these network endpoints are out of your organization’s control, and it probably makes sense to leave it that way. It would be ideal, however, to have visibility of the primary device connecting to the corporate network and cloud-based enterprise applications remotely (which we’ll cover in more detail below). While many of these remote devices on the periphery shouldn’t necessarily fall under your network security team’s watchful eye, it’s important to note that there are a variety of home router flaws – some of which can result in traffic through home routers being redirected to rogue servers, for example by silently changing the DNS servers the router hands out to every device behind it. It’s not hard to find an extensive list of hacked or hackable home routers, and it would probably keep you awake at night if you knew how many of your employees relied on those vulnerable devices while working from home.
For the “cafe” or third-party public network, the same principle applies – they all contain untrustworthy devices, some of which are already vulnerable, some of which will be vulnerable in time, and some of which have likely been hacked already.
Last Mile Security Essentials
Ok, so we’ve set the stage for what the last mile landscape looks like today. Now it’s time to focus on how you can take steps to ensure that you’re securing the last mile and accounting for this seemingly endless list of remote access threats. Let’s start with our champion – in this case, a personal (BYOD) or company-issued laptop running Windows or macOS. This device has access to enterprise cloud applications, and may even be able to access the corporate network remotely via VPN or VDI. So, how can you institute effective last mile security in this instance? Well, there are a few basic requirements we must examine – a checklist if you will. The checklist looks at the protection of the endpoint, the identity of its user, and the prevention of common user mistakes. Let’s take a deeper dive…
I. Endpoint Posture Assessment
Generally speaking, to establish a clear and secure assessment of the champion endpoint’s posture, you must roll out:
Host firewall – so the endpoint does not expose its listening services to whatever else is sitting on the home or cafe network beyond your perimeter.
Anti-virus / Endpoint Detection & Response (EDR) – so if something gets past that first line of defense, you can block it or at least be alerted in order to mitigate.
Up-to-date patches – so no one from the outside can bypass the first two by exploiting known vulnerabilities.
In the last mile, continuous posture assessment must be enabled so threats can be discovered and managed in real time before they become incidents. Why continuously? Because today your endpoint becomes part of the organization long before it connects through the VPN – it enters the sphere when it’s used to log into Salesforce, Office 365, Box.com, or whatever cloud service is in use across the organization.
Remember, these platforms all hold corporate data – some of it particularly sensitive.
II. Risk Prevention
When employees don’t adhere to IT security best practices – stopping the anti-virus or disabling the firewall, say – you not only want to know; in a perfect world you want to be able to proactively prevent this from ever happening. In another scenario, say an employee plugs a smartphone or any other device acting as a USB disk – a notoriously risk-prone class of device – into their laptop; you want to be alerted and be able to disable it before it can cause harm to the endpoint or worse. These actions sound small in the grand scheme of things, but they ultimately save time and lower organizational risk significantly.
III. Identity Protection
Using a strong password and updating it regularly doesn’t cut it anymore. Multi-factor authentication is now a mandatory requirement when it comes to safeguarding access to corporate assets, especially when accessing through the VPN. Today, many people tend to hold onto things that seem to work well for as long as they can. So, using the same “[email protected]” that only you thought of for your local grocery store rewards program, your primary bank account, and your VPN is probably the standard. The problem is, if any one of those outlets were to get hacked, there’s a good chance that you’ll be subject to the old “one to rule them all” method – the leaked password is simply replayed against every other service you use – and all of a sudden, your company’s corporate data is at risk. It’s pretty simple really. The simplicity of this kind of breach is what makes MFA so crucial: it requires a second factor, such as a one-time code from a device you hold or a biometric, in addition to the password, so a password stolen from one site is not enough on its own.
Implementing Last Mile Security
Disclaimer: This is the part of the piece where we throw neutrality to the side. If you’re not ready for a gentle sales pitch, head to the next blog post. Not all organizations are created equal.
In an effort to overcome these remote access threats, some companies arm their remote employees with a full remote suite, complete with a remote gateway, a workstation, and a VoIP phone. Not every business has the resources to make this happen, obviously. Those that do often leverage the Meraki Z3 teleworker device, which is effectively a router that employees can bring home, giving them firewall protection and corporate network access via a VPN tunnel. Now, on top of that, you can choose to deploy a variety of products to help secure the last mile – one for MFA, another for posture assessment for specific cloud applications, and yet another for posture assessment for the cloud. But why onboard all of that functionality in disparate systems? Ok, well here’s where the sales pitch happens… in this instance, we recommend Portnox CLEAR because it unites MFA for remote access, continuous posture assessment and active prevention of security risks – all under one roof. Oh, and did we mention that CLEAR can also work with either or both managed corporate devices and BYOD? [...]
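The checklist above (host firewall, AV/EDR, patches, plus the risk-prevention items such as USB mass storage) only becomes “continuous posture assessment” when the access decision is re-evaluated on every report rather than once at connect time. The following is an added example, not code from Portnox or from this post, of such a risk-based decision: it scores a constructed posture report, maps the score to allow / remediate / block, and walks a session through a sequence of reports so that a laptop that was healthy at VPN connect time is cut off the moment its firewall is disabled. The report fields, weights, thresholds and decision labels are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PostureReport:
    """One posture sample from the endpoint agent (field names are assumed)."""
    device_id: str
    firewall_enabled: bool
    edr_running: bool
    av_signature_age_days: int
    missing_critical_patches: int
    disk_encrypted: bool
    usb_mass_storage_attached: bool


# Risk added by each failed check (assumed weights; tune to your own policy).
WEIGHTS = {
    "firewall_disabled": 40,
    "edr_not_running": 40,
    "av_signatures_stale": 15,
    "critical_patches_missing": 25,
    "disk_not_encrypted": 25,
    "usb_mass_storage_attached": 20,
}
MAX_SIGNATURE_AGE_DAYS = 7
REMEDIATE_AT = 20   # score >= this: restrict to a remediation segment
BLOCK_AT = 40       # score >= this: deny, or tear down a live session


def failed_checks(report: PostureReport) -> List[str]:
    """Return the names of the checks this report fails."""
    failed = []
    if not report.firewall_enabled:
        failed.append("firewall_disabled")
    if not report.edr_running:
        failed.append("edr_not_running")
    if report.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failed.append("av_signatures_stale")
    if report.missing_critical_patches > 0:
        failed.append("critical_patches_missing")
    if not report.disk_encrypted:
        failed.append("disk_not_encrypted")
    if report.usb_mass_storage_attached:
        failed.append("usb_mass_storage_attached")
    return failed


def decide(report: PostureReport) -> Tuple[str, int, List[str]]:
    """Map a report to (decision, risk score, failed checks)."""
    failed = failed_checks(report)
    risk = sum(WEIGHTS[name] for name in failed)
    if risk >= BLOCK_AT:
        return "block", risk, failed
    if risk >= REMEDIATE_AT:
        return "remediate", risk, failed
    return "allow", risk, failed


def evaluate_session(reports: List[PostureReport]) -> List[Tuple[str, int]]:
    """Continuous assessment over the life of one VPN or cloud-app session.

    Every report is re-scored; the first 'block' ends the session, so a device
    that passed at connect time is disconnected as soon as its posture degrades.
    """
    trail = []
    for report in reports:
        decision, risk, _ = decide(report)
        trail.append((decision, risk))
        if decision == "block":
            break
    return trail


# Constructed sample (not real telemetry): a managed laptop connects, the user
# attaches a USB stick, then disables the host firewall.
HEALTHY = PostureReport("LAPTOP-0423", True, True, 1, 0, True, False)
USB_ATTACHED = PostureReport("LAPTOP-0423", True, True, 1, 0, True, True)
FIREWALL_OFF = PostureReport("LAPTOP-0423", False, True, 1, 0, True, True)
STALE = PostureReport("LAPTOP-0423", True, True, 30, 0, True, False)

if __name__ == "__main__":
    for step in evaluate_session([HEALTHY, USB_ATTACHED, FIREWALL_OFF, STALE]):
        print(step)
```

The USB weight is set so that a removable disk on its own lands the device in the remediation segment rather than disconnecting it, which is the “alert and disable it” response the post asks for; disabling the firewall or EDR is weighted so that either alone is enough to block.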
Controlling Network Access in an SD-WAN World
Why SD-WAN? Why Now?
The rise of Software-as-a-Service (SaaS) and cloud services is resulting in decentralized data traffic flows, in turn rendering the traditionally expensive Multiprotocol Label Switching (MPLS) inefficient for wide area network (WAN) transport. This has prompted a change in networking architecture and in the means of controlling network access. The emergence of software-defined WAN (SD-WAN) in response to rising cloud adoption is significant because it promises to deliver reduced cost and enhanced performance and availability. This is a trend that is unlikely to go away. In fact, it’s set to intensify. According to Gartner, SaaS and Infrastructure-as-a-Service (IaaS) will grow at 17% and 27%, respectively, through 2022. Both are key drivers of SD-WAN adoption in that time.
The Impact of SD-WAN on Networking & Network Security
Today, organizations can leverage SD-WAN technology to implement software-defined branch (SD-branch) as a way of extending IT environments to any of their branches outside of headquarters that require high-quality network connectivity. For retailers, hospitality groups (hotels, restaurants, etc.), commercial banks and other large distributed organizations, SD-branch is particularly useful as it utilizes SD-WAN technology to simplify a branch’s IT architecture – reducing the resources and budget needed to maintain operations. Branches are typically more at risk of network threats than organizational headquarters due to the fact that they’re inherently understaffed or underserved from an IT standpoint. To combat this, the SD-branch approach is to have security functions present in the IT devices at the branch, so that data transmitted from the branch to another node in the WAN is as secure as other parts of the network from square one, instead of waiting until the data reaches security tools outside the branch. It’s like locking a house’s front door instead of just the bedroom doors.
Controlling Network Access in an SD-WAN World
The rise of BYOD, mobile workforces and IoT has driven an exponential increase in the number and types of devices that can connect to today’s corporate networks. Securing and protecting these devices – particularly agentless IoT devices – is a core principle and best practice in cybersecurity. Today, device segmentation (especially for IoT) has become the most effective option for network defense, as it enables organizations to contain lateral movement and to detect network breaches faster. Executing this requires a network access control solution be deployed – one that can not only control port security, but also segment the network by the type of device or its user. Traditionally, network access control has necessitated a connection to the organizational headquarters, with an appliance deployed at each branch. This has historically limited the use of SD-WAN / SD-branch technologies. Side-stepping these limitations has required innovation in network access control. The logical next step in the evolution of network security is for organizations to be able to leverage a NAC solution that’s delivered as a cloud service. This eliminates the need for costly on-site appliances and ongoing maintenance. Now, all that’s needed to control network access at branches and the headquarters alike is an internet connection. With Portnox CLEAR, organizations gain unprecedented network visibility and continuous risk monitoring of endpoints across all access layers – no matter the device type or branch location. All from the cloud with no on-premise components. Here’s how it works…
SD-WAN is Killing MPLS, So Prepare to Replace it Now, Gartner (2018)
What is SD-Branch?, SDXCentral (2019)
[...]
The Truth About MAC Spoofing
The threat behind MAC spoofing
When implementing any insurance policy, you need to start with estimating the level of risk, the probability of that risk, and the potential damage should that risk become a reality. One of the network risks that is often presented to demonstrate the ineffectiveness of 802.1X solutions is the ease of bypassing modern network access control (NAC) by using MAC spoofing. Usually, this involves cloning the MAC address of a network printer or another device that is admitted by its MAC address alone. Now, let’s put aside the fact that network printers today can support certificate- or credential-based authentication, and that certain products have remedies against such attempts even when the authentication is based on MAC. Let’s consider: is MAC spoofing a legitimate threat or an exaggerated, manageable flaw? But before I try to analyze this risk, I want to point out the biggest advantage a NAC solution can give an organization to cope with modern cyber security threats: the ability to apply dynamic segmentation based on device type or identity. Without going into too much detail, NAC is one of the only systems that can help you prevent lateral movement, indirectly allowing you to identify breaches and directly helping you to prevent the compromise of your crown jewels.
The threat landscape
Here are some of the most common adversaries when it comes to MAC spoofing:
The employee – a disgruntled current or former employee
The guest – a contractor, customer, patient, etc. who physically visits your organization for a period of time
The hacker – a malicious person trying to attack your network and steal information, causing harm to your organization
And here are the most common attack surfaces:
WiFi
Wired Ethernet switches
One caveat: most WiFi environments contain managed devices.
So, for devices that do not have an 802.1X supplicant, and thus do not support certificate-based (or credential-based) authentication, it is easy to set up an isolated segment and significantly lower the risk of attack. As such, we’ll put our focus on examining wired environments, and how they’re vulnerable to the above adversaries.
Adversaries in-depth
Let’s be clear – MAC spoofing requires some technical knowledge to execute, which the non-technical lay person typically does not possess. Those doing it know what they’re doing, and they know it’s wrong. With that said, it’s important to point out that a lot of damage is caused by the unintended – i.e. people clicking on a link in an email, deleting the wrong record or file, or even dropping a laptop into a pool.
The employee
Employees should be trustworthy. If they’re not, cyber security is likely not your problem. But, when someone is fired, laid off, or even just mistreated at work, there always exists the potential for them to hold a grudge. It’s human nature. Disgruntled employees can pose a big risk. If an employee still works for an organization and he/she is determined to do damage, that’s a problem that’s nearly impossible to prevent. The network connection alone is not going to stop him or her from stealing data or worse. This individual likely already has access through other corporate devices and the credentials to access whatever data he/she wants. At the end of the day, however, this individual’s risk of MAC spoofing can be categorized as “very low” with “low” probability and “low” potential for damage. The reason is that the potential damage done is not necessarily related to the network connection. The first line of defense against disgruntled current or former employees is physical barriers – i.e. locked doors and other physical security.
The guest
A guest visiting your office might want to connect to your network.
Most likely, this guest will not go to great lengths to hack your network if they are initially blocked. By supplying a guest network, such as a guest WiFi, you will effectively eliminate that risk altogether. Thus, like the employee, this individual’s risk of MAC spoofing can be categorized as “very low” for both probability and damage.
The hacker
A hacker will need physical access to your network in order to spoof a MAC on a wired port. Today, targeted spear-phishing attacks can enable hackers to access your networks from afar. Doing so, however, typically requires some sort of motive. This motivation is often dependent upon the type of business you operate. If you’re in military and defense, for example, you likely have a higher than average risk of being the target of such an attack. The same goes for banking and financial services, healthcare and any other industry with highly sensitive and confidential data. For most organizations, the threat of physical-access hacking is typically low, while the potential for damage could be high. Should a retailer fear physical burglary just because a new device has connected to its network? I think not.
In conclusion
For most organizations, the risk of MAC spoofing is almost non-existent. This is usually fairly easy for an auditor to demonstrate, and would appear as part of a comprehensive security report. So in reality, the perception of the threat is that it’s a much larger problem than it actually is. You can also prevent MAC spoofing by implementing stronger authentication methods that are fairly common today. One of the major roles of NAC is to provide secure authentication and authorization to the network. Thus, even if authentication is somehow breached, authorization serves as a second layer of defense that can limit access by placing potentially risky devices in a specific “narrow” segment. The segmentation of specific types of MAC-based devices is a best practice in NAC.
Even if spoofing occurs, such a device won’t be able to access a particularly sensitive VLAN, such as those in Finance or HR, if proper segmentation has been established through your network security policies. [...]
What Kind of WiFi Protected Access Should You Use to Secure Your Enterprise?
When examining WiFi security, the first layer of defense is the method being used to authenticate to the network. The most widely used methods of authentication are Open authentication, WPA2-PSK (Pre-Shared Key) and WPA2-Enterprise (read more about WPA protocols below). Below, we examine these different options for WiFi protected access. Other authentication methods such as WEP (Wired Equivalent Privacy) and the original WPA-PSK (without the 2, also referred to as WPA-Personal, built on TKIP) are used as well, but they are relatively easy to break, and therefore are not really worth discussing beyond a general note here – avoid them entirely.
WiFi Protected Access: Open Authentication
As the name implies, an open authentication network allows access to all, and users are not required to authenticate at the association level. It is important to know that open networks are not encrypted, and so everything transmitted can be seen by anyone in the vicinity. The best security practice is to completely avoid connecting to open networks. If there is an immediate need to connect, it is best not to allow devices to connect automatically but rather to select the network manually in the device settings. Open networks are easily forged, and hacking tools such as the WiFi Pineapple exploit the fact that mobile devices constantly probe for networks they have joined before and will automatically reconnect to an open network that answers to the same name. These tools perform man-in-the-middle attacks to steal data such as passwords, credit cards, etc.
WiFi Protected Access: WPA / WPA2 / WPA3
WPA stands for WiFi Protected Access. This family of methods encrypts the transport, so this type of network cannot be forged as easily as an open one, and users get privacy. Today, WPA2 is probably the most commonly used method to secure WiFi networks. Sadly, WPA (TKIP) has known practical attacks, and WPA2 has had flaws of its own, such as the 2017 KRACK key-reinstallation attack, which has since been fixed in client software. Beyond that, attacking the WPA2 protocol itself requires a lot of time and is somewhat theoretical; the practical weakness of WPA2-PSK lies in the shared passphrase rather than in the cipher.
Slowly, we are noticing a move to the WPA3 method, but for that to happen, different infrastructure is needed to support that protocol.
WiFi Protected Access: WPA2-PSK
WPA2-PSK (and WPA3-Personal, which derives the session keys through SAE instead of directly from the passphrase, so a captured handshake cannot be attacked offline, but which still shares one secret among all users) is WiFi Protected Access (WPA) with a Pre-Shared Key. In simple terms, it is a shared password to access the WiFi network. This method is commonly used for home and small office WiFi networks. Even in a small office setting, using this method is problematic, because each time an employee leaves the company, the password must be replaced; otherwise, the former employee could still connect to the company WiFi. Furthermore, employees tend to share the password with guests, visitors and contractors in the building, and you shouldn’t have the whole building connecting to the internet at your expense, risking the security of your data and assets in the process.
WiFi Protected Access: WPA2-Enterprise
This method, also referred to as WPA-802.1X mode, authenticates to WiFi by using individual identities instead of a single password. An identity can be credentials (user + password) or it can be a digital certificate. This authentication method is better suited for enterprise networks and provides much better security for wireless networks. It typically requires a RADIUS authentication server as well as a configuration process against the different identity repositories, enabling the organization to authenticate different types of endpoints. The underlying protocols that secure the authentication vary between different Extensible Authentication Protocol (EAP) methods such as EAP-TLS, EAP-TTLS and PEAP, each one representing a different type of authentication method and level of security. One caveat that applies to all of them: the supplicant must be configured to validate the RADIUS server’s certificate, otherwise a rogue access point broadcasting the same SSID can present its own certificate and harvest the credentials offered by PEAP or EAP-TTLS clients. With WPA2-Enterprise one can use advanced features such as assigning each endpoint after authentication to a specific VLAN or applying ACLs (Access Control Lists) to specific endpoints or groups. Additionally, enterprises can audit the connection with additional details.
These features are important as they allow enterprises to properly secure their wireless networks and to make sure that they are compliant with security best practices. [...]
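Both the MAC spoofing post above and this WPA2-Enterprise discussion come down to the same authorization step: after authentication, the RADIUS server decides which segment the endpoint lands in. The example below is added here and is not Portnox code. Identities that authenticated with an EAP method get the VLAN of their directory group through the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that switches and access points act on; devices admitted by MAC address alone (MAB) only ever get a narrow device VLAN; and a MAB device whose observed fingerprint (DHCP vendor class, IP TTL, listening ports) no longer matches what was registered for that MAC is moved to a quarantine VLAN, which is the kind of remedy the MAC spoofing post alludes to for a laptop borrowing a printer’s address. Group names, VLAN numbers, MAC addresses and fingerprint values are constructed sample data, and the shape of the authentication result is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Directory group -> VLAN for identities authenticated with an EAP method
# (assumed numbering; the first matching group in this order wins).
GROUP_VLANS = {"finance": 110, "hr": 120, "engineering": 130, "staff": 100}
# Narrow VLANs for device classes admitted by MAC address alone.
MAB_VLANS = {"printer": 300, "ip-phone": 310}
QUARANTINE_VLAN = 999

# Registered MAB devices: MAC -> (device class, fingerprint recorded when the
# device was profiled). Constructed sample data, not a real inventory.
MAB_REGISTRY = {
    "00:17:c8:3a:1f:02": ("printer", {"dhcp_vendor": "Xerox", "ttl": 64,
                                      "ports": frozenset({9100, 515, 631})}),
    "00:0b:82:5c:9e:11": ("ip-phone", {"dhcp_vendor": "Grandstream", "ttl": 64,
                                       "ports": frozenset({5060})}),
}


@dataclass(frozen=True)
class AuthResult:
    """What the authenticator reports after the EAP or MAB exchange (assumed shape)."""
    method: str                      # "eap-tls", "peap-mschapv2" or "mab"
    identity: str                    # user/machine name, or the MAC for MAB
    mac: str
    groups: tuple = ()               # directory groups of the identity
    observed: Optional[dict] = None  # profiler fingerprint for this session


def vlan_attributes(vlan: int) -> dict:
    """RFC 3580 attributes that tell the switch or AP which VLAN to place the port in."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
    }


def fingerprint_matches(expected: dict, observed: dict) -> bool:
    """True only if every attribute recorded at registration is seen unchanged."""
    return all(observed.get(key) == value for key, value in expected.items())


def authorize(result: AuthResult) -> dict:
    """Turn an authentication result into an Access-Accept (with VLAN) or Access-Reject."""
    if result.method in ("eap-tls", "peap-mschapv2"):
        # Strong identity: segment by group; unknown groups fall back to the staff VLAN.
        group = next((g for g in GROUP_VLANS if g in result.groups), "staff")
        vlan = GROUP_VLANS[group]
        return {"code": "Access-Accept", "vlan": vlan,
                "reason": f"{result.method}:{group}", "attributes": vlan_attributes(vlan)}
    if result.method == "mab":
        entry = MAB_REGISTRY.get(result.mac.lower())
        if entry is None:
            return {"code": "Access-Reject", "vlan": None,
                    "reason": "unregistered MAC", "attributes": {}}
        device_class, expected = entry
        if result.observed is not None and not fingerprint_matches(expected, result.observed):
            # The MAC is known but the host behind it is not the registered device.
            vlan, reason = QUARANTINE_VLAN, f"fingerprint mismatch for registered {device_class}"
        else:
            # Even the genuine printer only ever reaches its narrow device VLAN.
            vlan, reason = MAB_VLANS[device_class], f"mab:{device_class}"
        return {"code": "Access-Accept", "vlan": vlan,
                "reason": reason, "attributes": vlan_attributes(vlan)}
    return {"code": "Access-Reject", "vlan": None,
            "reason": f"unsupported method {result.method}", "attributes": {}}


# Constructed sessions: the real printer, a laptop spoofing the printer's MAC,
# an unregistered device, and a finance user with a client certificate.
PRINTER = AuthResult("mab", "00:17:c8:3a:1f:02", "00:17:c8:3a:1f:02",
                     observed={"dhcp_vendor": "Xerox", "ttl": 64,
                               "ports": frozenset({9100, 515, 631})})
SPOOFER = AuthResult("mab", "00:17:c8:3a:1f:02", "00:17:c8:3a:1f:02",
                     observed={"dhcp_vendor": "MSFT 5.0", "ttl": 128,
                               "ports": frozenset({445, 3389})})
UNKNOWN = AuthResult("mab", "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff")
ANALYST = AuthResult("eap-tls", "jdoe@corp.example", "3c:22:fb:10:aa:01",
                     groups=("staff", "finance"))

if __name__ == "__main__":
    for session in (PRINTER, SPOOFER, UNKNOWN, ANALYST):
        print(session.identity, authorize(session))
```

The spoofing laptop never reaches VLAN 110 or 120 even if the fingerprint check is skipped: a MAB identity can at best obtain the printer VLAN, which is the “narrow segment” argument of the MAC spoofing post. The fingerprint comparison is deliberately strict (every registered attribute must match), so a device that was re-profiled after a firmware change needs its registry entry refreshed rather than being silently accepted.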
Authenticating & Authorizing Corporate Endpoints During Active Directory Cloud Migration
Currently, many Network Access Control (NAC) solutions support 802.1X authentication on wireless and wired networks by using Microsoft domain attributes, such as the credentials of domain users or the domain membership of corporate endpoints. In addition, there are plenty of domain-group synchronization scenarios for applying access policies and posture assessments. Let’s think of an example, such as an organization where the members of a development team are allowed to connect to the corporate wireless network and are then assigned a VLAN or an access list upon successful authentication. Another example could be a finance team whose members are authorized to access the network once their endpoints are running the latest versions of antivirus and their drives are adequately encrypted, while at the same time helpdesk team members are only required to have the most recent antivirus updates. Most NAC solutions can handle these basic scenarios with an on-premises RADIUS server and an on-premises Active Directory, but what are you going to do if your organization decides to move the Active Directory to the cloud, for example to Azure?
Azure AD, 802.1X & Corporate Endpoints
As part of the global increase in cloud data consumption, Gartner predicts that by 2023, 80% of enterprises will also adopt two or more cloud-based security services. In this category we have seen a shift in enterprises from using on-premises Active Directory to cloud-delivered directories. This significant change has added the need to consider certain adjustments to corporate information security. One of these adjustments pertains to 802.1X authentication by domain attributes. Have you ever thought about 802.1X and Azure AD together? Or about how network access control solutions will be able to adapt from the former on-premises legacy security vision to pure cloud-to-cloud integrations?
Converting your access and authentication controls to suit Azure AD requires the ability to have visibility into all devices before they connect to the network, no matter where they are connecting from – VPN, wired, wireless or cloud. If security best practices are important at your organization, this visibility should include checking each endpoint, profiling it in terms of its security posture and providing it with a certain score. Once your system has this information it is possible to mitigate risks by applying controls that either prohibit suspicious endpoints from connecting to the enterprise network or to more sensitive sections of it, or force them to update their security to be able to gain access.
Pure Cloud-to-Cloud Integrations
This is where cloud-delivered NAC solutions can benefit organizations moving to Azure AD. One of the pioneering features in cloud-delivered NAC is pure cloud-to-cloud integration with Active Directory in Azure. By deploying it, you will be able to authenticate and authorize users and endpoints by Azure AD attributes without installing anything on-premises. Enabling Azure Active Directory Domain Services is not mandatory for authentication of corporate endpoints, so everything can be cloud-based and agentless. If your organization is in the middle of a migration process, and you have both on-premises and Azure AD users, the ideal solution is to enable integration with Azure via a hybrid NAC solution, where your Azure users are managed by a cloud-delivered NAC and Azure integration, and your non-Azure users are managed by an on-premises NAC Directory Broker. Furthermore, it is recommended to have a NAC solution with a readily available integration with the Microsoft Intune cloud service, where you will be able to use Intune agents for setting your company’s risk assessment policies and thus extend a pure cloud-to-cloud interaction across your organizational services. [...]
NAC is Dead? The Resurrection of NAC
Some argue that Network Access Control (NAC) is no longer relevant in today’s world of the mobile workforce and distributed (or decentralized) organizations that have, for the most part, moved to using cloud applications. Add the fact that many organizations allow personal devices to be used in the corporate environment (BYOD) and the fact that IoT devices are used everywhere, and some might consider this further evidence for the conclusion that NAC is no longer relevant or needed. In 2004 the first NAC products came on the scene and signaled the start of a new segment in Information Security. At the time, most organizations still had a physical perimeter, desktops were still the main PC used at the workplace, and laptops were starting to make a wide appearance. BYOD (bring your own device), IoT (Internet of Things) and multi-branch, geo-distributed organizations that rely heavily on cloud services were not prevalent yet. Accordingly, the standards for NAC were very different from what they are today and mainly focused on the wired environment. NAC solutions were then primarily based on using 802.1X pre-connect enforcement with supplicants which were not part of the operating system. Organizations trying to implement NAC solutions only had the option of deploying 802.1X – which ended up with long, complex deployment and implementation, leaving them with a bad taste for NAC. In the years since, NAC technologies have evolved dramatically. Vendors introduced control and discovery techniques that have yielded better and faster deployments and ROI. Just as the enterprise network and endpoints have evolved, NAC solutions have evolved from merely allowing or blocking endpoints onto the network into a broader security solution that provides network visibility, endpoint profiling, security posture assessments, risk management and compliance.
Additionally, some solutions have scaled to suit the modern workforce, heterogeneous networks, hybrid cloud and on-prem environments, diverse endpoint environments (such as IoT and BYOD) and globally distributed organizations. This increase in the number of devices connecting to the network and the change in working environments has been our reality for the past 10 years and has brought about a new NAC. Hence, the resurrection of NAC continues to be upon us.
Future of NAC
At this point in 2019, over 60% of enterprise data is stored in cloud applications (public cloud, private cloud and a hybrid of both). By 2020, just a year from now, it is predicted that 83% of enterprise workloads will be taking place in the cloud (1). According to IDG, 77% of enterprises have at least one application or a portion of their enterprise computing infrastructure in the cloud. Additionally, more technology-dependent industries including manufacturing, high-tech, and telecom are being led by executive management to become 100% cloud-based. Therefore, it is crucial to make sure that only company-owned and secured devices gain access to corporate intellectual property and information in the innermost circles of the enterprise. According to Gartner research, by 2023 80% of enterprises will adopt two or more cloud-based security services. This is no coincidence. The complexities in the cyber security landscape, alongside the increasing shortage of skilled security professionals, are leading towards a greater adoption of cloud-based security services and specifically to the adoption of NAC-as-a-Service. Another factor in future solutions is related to increasing IoT adoption by enterprises and factories. Visibility and monitoring of IoT must be done by an agentless solution. We believe that agentless solutions that are centrally controlled will be preferred by many organizations in 2019 and the years to come. Lighter, adaptable and agile solutions will be necessary in the new era.
Enterprises will transition into using easier NAC solutions such as centralized NAC, agentless NAC, NAC delivered from the cloud and Software-as-a-Service. These NAC solutions will save time and money on deployment, training and implementation, while at the same time providing the visibility and accuracy needed to handle today’s complex and hybrid networks. Next-gen solutions are able to cope fully with today’s decentralized organizations, and the old NAC configurations will no longer suffice as they are perimeter focused.
Conclusion
NAC was effective for the problem it was created to solve in the mid-2000s, but subsequent technological advancements in cloud applications, the mass adoption of mobile computing devices by the mobile workforce, and IoT have introduced new complexities and challenges. The new computing model requires new cyber security solutions, and the new NAC technologies are uniquely positioned to be among them. Cloud-native solutions will address concerns of lengthy deployments and geo-distribution. Agentless and centralized solutions will shorten and simplify implementations and everyday usage that were once the dread of CISOs and IT security teams in the enterprise.
(1) LogicMonitor’s Cloud Vision 2020: The Future of the Cloud Study
The State of Network Security in the Cloud Era, Lawrence Orans, 2018 Gartner Security & Risk Management Summit
2.9 million according to (ISC)2
[...]
The Security Perimeter Is Dead. Long Live the New Endpoint Perimeter.
Originally posted on DarkReading. The network no longer provides an air gap against external threats, but access devices can take up the slack.
Four potent forces have turned network security on its head: the decentralization of corporate networks; the proliferation of mobile devices; the evolution of bring-your-own-device (BYOD) policies to include multiple devices; and the massively disruptive Internet of Things (IoT) phenomenon. One of these forces on its own is enough to weaken the best security defenses, but together they are wreaking havoc in enterprises in every industry. The impact of these forces has essentially erased the enterprise perimeter, traditionally used to protect organizations from external attacks. The fall of this wall has created a new security landscape in which each endpoint, no matter from where it connects, has become its own perimeter — a weakness that can give adversaries access to the entire network. Today, we’re seeing the rise of the new endpoint perimeter.
The Fall of the Wall
Decentralization caused the first bricks to crumble. The final bricks were taken away by the widespread adoption of BYOD policies and the often chaotic infiltration of IoT devices. Today, an enterprise might have multiple offices in cities across the country or across the globe, with each location potentially having different security protocols, products, and services. Meanwhile, employees connecting through public, unsecured WiFi connections, as well as contractors and other third parties using unmanaged BYOD devices, all log in to the corporate network.
The Lateral Threat
A significant challenge to network and information security is lateral movement of attacks such as malware or ransomware and hackers, once inside the network. Undetected, these threats can propagate from one compromised endpoint to others. In recent years, adversaries have carried out large-scale attacks by exploiting known vulnerabilities and security gaps on endpoints.
WannaCry, NotPetya, and Bad Rabbit malware all used lateral movement to spread on a global scale in 2017. Using a single entry point — generally, the most vulnerable device — hackers were able to quickly take down unpatched systems. Often, the weakest points are unmanaged, unprotected IoT devices, especially those deployed on secure network segments used by important company assets. IoT devices aren’t transient and typically remain undetected by network scans. Therefore, security teams are often unaware of the attack surface they create. Best Practices in Endpoint Perimeter Security Visibility: Having full visibility of all devices connected to the network is essential. This includes gathering information such as the location and type of device, the processes and applications it is running, and how many similar devices are connected across the enterprise. Full visibility should not be limited to headquarters and includes all branches and endpoints. Use Historical Data: Historical data on endpoint usage — such as past processes, network connections, and other information — can be very useful in detecting compromised devices as well as in tracing the path of a threat once it has been identified. This data can also be invaluable for conducting rapid and accurate responses to incidents as well as preventing future attacks. Keep It Simple: Simple security configurations and deployments can translate to painless ongoing maintenance and better security in a world of increasing threats. Simplicity is crucial because enterprises are shorthanded, manage dozens of security products, and have limited time to investigate and respond to threats. Automate Monitoring and Mitigation: Continuous monitoring is the best way to prevent risks from escalating into security incidents. Organizations need the ability to automatically quarantine threats before they access crucial enterprise data or services. 
This allows the security teams to assess if a risk is a threat, and, if it is, to block affected endpoints. Avoid Vendor Lock-in: In a dynamic world where organizations evolve through organic growth or through merger or acquisition, they should not tie their security to a specific vendor. To prevent vendor lock-in and future-proof security operations, adopt a vendor-agnostic approach when choosing security products or services. Embrace the Cloud: A cloud service runs the latest version of software at any given moment, provides seamless upgrades, and delivers up to date capabilities. Additionally, it offers smooth scalability and distribution across the world, making it a must-have for decentralized enterprises. Another advantage of a cloud-based approach: It handles threats both inside and outside the enterprise perimeter, allowing organizations to provide remote branches the same security as their corporate headquarters. Ultimately, enterprises should consider a security approach that implements a perimeter on endpoints through continuous monitoring, risk assessment, policy enforcement, and automated containment/remediation of compromised devices. Following the previously mentioned best practices provides a good framework for re-establishing control over network security. [...] Read more...
Palo Alto Networks & Portnox Join Forces On Cloud-Delivered Threat Response Solution

Joint Threat Response Solution

In recent months, Portnox and Palo Alto Networks joined forces to better deal with the current cyber security threat landscape, now offering a powerful threat response solution that’s delivered via the cloud. Network security teams in the enterprise must cope with several challenges that impact their traditional network infrastructure. Here are some of those challenges.

Lateral Movement

A significant challenge to network and data security is the lateral movement of cyber security hazards such as malware (or even ransomware) from one compromised endpoint to others. In recent years, cyber offenders have carried out large-scale attacks targeting organizations by exploiting known vulnerabilities and security gaps on endpoints. WannaCry, NotPetya and Bad Rabbit are malware attacks that used lateral movement to spread in large-scale campaigns during 2017. Starting from a single entry point, typically the most vulnerable endpoint the attackers find, proliferation via lateral movement can affect an entire organization. In this way, unpatched or unprotected systems can be taken down in no time, leaving an entire organization paralyzed while the offenders achieve their goals.

IoT, BYOD & Unmanaged Endpoints

According to cyber security experts, the majority of harmful attacks exploit well-known vulnerabilities and security gaps on endpoints. Most organizations are unaware of a significant percentage of the endpoints on their network, as these are Bring Your Own Device (BYOD), Internet of Things (IoT), guest and other unmanaged endpoints. Additionally, many IoT devices are found in network segments that are being used by other company devices, and IoT endpoints are particularly vulnerable to being breached. These endpoints aren’t transient and typically go undetected by periodic scans. As such, security teams remain unaware of the attack surface on these devices.

Geo-Distribution

The growing decentralization and de-perimeterisation of worldwide organizations is a crucial factor as well. Once a threat has been identified inside or outside the enterprise perimeter, security teams must be able to handle and contain it at HQ and at branch offices anywhere in the world, as well as secure the devices used by traveling or telecommuting team members.

Threat Detection

Today’s threats are evolving rapidly. The current velocity and evasiveness of targeted and sophisticated attacks has never been seen before. These attacks rely on stealth, perseverance and the ability to overcome many cyber security defenses. Oftentimes these attacks use multiple attack vectors and focus on acquiring crucial personal data, company intellectual property or other insider information. Unfortunately, compromised devices and data breaches can often remain undetected for weeks or months. Detecting advanced threats and infected endpoints requires new and adaptive security controls.

Visibility

Once a threat is detected, how can one see what kind of device has been compromised? Is it a laptop? A phone? An IoT device? Who is the user behind it? Where is it located on the network?

Threat Investigation

Today’s security analysts are spending too much time trying to pinpoint the compromised endpoint and figuring out who else in the organization has been affected, especially when lateral movement is such a big risk. Oftentimes data breaches remain undetected for extended periods of time (with more than 80% of breaches undetected, Gartner 2017*). Even when detected, if a threat moved laterally before being shut down, there is a lack of information regarding which other endpoints have been compromised, on or off premise.

Threat Response & Control

Actions must be taken. Stopping lateral movement and preventing other endpoints from being infected is crucial. Compromised devices must be quarantined or blocked from accessing the network, regardless of how they are connected to the network (wired, wireless, VPN, cloud).

Future Risk Mitigation

Blocking the current threat and preventing it from infecting other endpoints is a great start, but not enough to maintain optimal network hygiene. Continuously analyzing the security posture of all organizational devices is crucial. This includes the ongoing review of existing threats and Indicators of Compromise (IOC) to determine which endpoints are granted access to the network each time. With so many challenges to factor in, and with an all-time record number of vendors offering seemingly overlapping solutions in the cyber security space, it is no surprise that security teams have a difficult time sorting through vendor claims until they finally select the services or products that best match their security and budget requirements.

The CLEAR App Solution

In mid-October 2018, the Portnox CLEAR App went live on the Palo Alto Networks Application Framework. This joint solution, between Portnox CLEAR’s cloud-delivered network access control and the Palo Alto Networks firewall, allows security teams to set enforcement policies based on threats detected by the firewall. The App prevents the lateral spread of malware throughout the organization and effectively isolates the compromised endpoints in real time. The Palo Alto Networks Application Framework is delivered from the cloud, so this cloud-to-cloud solution allows organizations to provide remote branches the same security as HQ, allowing for much better handling of threats inside and outside the perimeter. Security teams can rapidly enable the App without worrying about adding any infrastructure or appliances. Additionally, organizations can create customized policy via CLEAR with the flexibility to assign the right impact on the endpoint’s continuous risk assessment and security posture. This is done by correlating advanced threat categories from the Palo Alto Networks firewall with the organization’s access and risk assessment policies for devices. In essence, this allows the organization to leverage Palo Alto Networks advanced threat detection to better secure the access of all endpoints, including BYOD and IoT devices.

Accelerating Threat Response

The joint solution accelerates the response to threats by identifying all compromised devices that share the same threat, using CLEAR’s unique visibility and data discovery capabilities. Palo Alto Networks next-gen firewalls identify evasive and sophisticated threats and automatically thwart them through multiple means, analyzing all allowed traffic with multiple advanced threat-detection and prevention technologies.

Continuous Risk Mitigation

Based on the advanced threat detection data received from the Palo Alto Networks firewall (e.g. detection of malware that is new or has no signature), CLEAR enables the discovery of other endpoints with the same threat. Moreover, CLEAR provides the user ID, office location, switch location, etc., for the compromised endpoints. Once the advanced threat detection alerts are received in the Palo Alto Networks Application Framework, CLEAR quarantines or blocks these compromised endpoints. Automated response actions are customized and tailored to the organization’s requirements. IOCs and vulnerabilities indicated by the Palo Alto Networks firewall are correlated with the risk score of each endpoint, and the appropriate response is issued by CLEAR. CLEAR continuously monitors and evaluates each endpoint on the network, re-establishing its risk score again and again, whether the device is connected on or off premise. This knowledge is used to define access policies, and continuous risk monitoring takes place. Security admins can determine, customize and tailor the access policy based on the organization’s security requirements. If the risk score is high, CLEAR will not allow access, or will allow limited access by quarantining the endpoint to a certain VLAN. If the risk score is low, CLEAR continues to monitor the endpoint. The day-to-day operation of the application enables customers to monitor network or endpoint threat indications from the Palo Alto Networks Application Framework, to update the risk score of devices, and to identify all devices that share the same threat.

Cloud Strengths

The fact that CLEAR is delivered from the cloud as a SaaS solution has many positive ramifications from every aspect: security, operations, cost efficiency and more. For example, CLEAR is always running the latest version, with seamless upgrades, delivering the most up-to-date technology advancements to the subscriber. This can save a lot of time and needless worry for the administrators and assures the use of the best security. Additionally, using a cloud-delivered solution allows for scalability and is geo-distributed across the world, making it a must-have for decentralized and growing enterprises. All of these contribute greatly to a substantial reduction in the Total Cost of Ownership (TCO). Additionally, cloud-delivered security solutions mean that threat response no longer needs to depend on an IT security team administrator being physically present within the perimeter of the enterprise location. Changes can be made from wherever the security admin is located at the time, from a central account, allowing for faster hands-on solutions as required. In our ever-evolving workspaces, this is a crucial mode of operation.

Conclusion

With the Portnox CLEAR application on the Palo Alto Networks Application Framework, companies can continuously monitor endpoints on the network and scan for a wide variety of IOCs, for the rapid pinpointing of compromised endpoints, stopping lateral movement and completely avoiding costly data breaches.
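The correlation loop described above (firewall alert raises an endpoint's risk score, the score maps to monitor / quarantine VLAN / block, and every other endpoint reporting the same threat is listed so lateral spread can be contained) can be sketched as follows. This is an added illustration, not Portnox or Palo Alto Networks code: the inventory, the alerts, the threat categories and their weights, the thresholds and the quarantine VLAN id are all constructed assumptions chosen for the example.

```python
"""Added illustration (not Portnox or Palo Alto Networks code): correlate
firewall threat alerts with a per-endpoint risk score, decide a NAC response
(monitor / quarantine VLAN / block) and list every endpoint sharing a threat.
Inventory, alerts, category weights, thresholds and VLAN id are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Endpoint:
    ip: str
    user: str
    site: str
    switch: str
    kind: str                 # laptop, phone, ipcam, printer, ...
    risk: int = 0             # 0..100, re-evaluated on every alert or reassessment
    threats: Set[str] = field(default_factory=set)


# Hypothetical weight per firewall threat category (assumption for the example).
CATEGORY_WEIGHT = {
    "command-and-control": 80,
    "malware": 60,
    "spyware": 50,
    "vulnerability": 30,
}
QUARANTINE_THRESHOLD = 50     # at or above: limited access on the quarantine VLAN
BLOCK_THRESHOLD = 80          # at or above: no network access at all
QUARANTINE_VLAN = 999         # constructed VLAN id


def build_inventory() -> Dict[str, Endpoint]:
    """Constructed inventory keyed by IP, standing in for NAC device visibility."""
    eps = [
        Endpoint("10.0.1.10", "alice", "HQ", "sw-hq-01", "laptop"),
        Endpoint("10.0.1.11", "bob", "HQ", "sw-hq-01", "laptop"),
        Endpoint("10.0.2.20", "-", "Branch-A", "sw-br-07", "ipcam"),
        Endpoint("10.0.2.21", "-", "Branch-A", "sw-br-07", "printer"),
    ]
    return {ep.ip: ep for ep in eps}


# Constructed firewall alerts; "src_ip" is the endpoint the firewall observed.
SAMPLE_ALERTS: List[dict] = [
    {"src_ip": "10.0.1.10", "category": "malware", "threat_id": "THR-SAMPLE-1"},
    {"src_ip": "10.0.2.20", "category": "spyware", "threat_id": "THR-SAMPLE-1"},
    {"src_ip": "10.0.1.11", "category": "vulnerability", "threat_id": "THR-SAMPLE-2"},
    {"src_ip": "10.9.9.9", "category": "malware", "threat_id": "THR-SAMPLE-3"},   # not in inventory
    {"src_ip": "10.0.1.10", "category": "vulnerability", "threat_id": "THR-SAMPLE-2"},
]


def apply_alert(inventory: Dict[str, Endpoint], alert: dict) -> Optional[Endpoint]:
    """Attach the threat to the endpoint and raise its risk score (capped at 100)."""
    ep = inventory.get(alert["src_ip"])
    if ep is None:            # address unknown to NAC: nothing to enforce on
        return None
    ep.threats.add(alert["threat_id"])
    ep.risk = min(100, ep.risk + CATEGORY_WEIGHT.get(alert["category"], 20))
    return ep


def decide(ep: Endpoint) -> Tuple[str, Optional[int]]:
    """Map the current risk score to an access decision."""
    if ep.risk >= BLOCK_THRESHOLD:
        return ("block", None)
    if ep.risk >= QUARANTINE_THRESHOLD:
        return ("quarantine", QUARANTINE_VLAN)
    return ("monitor", None)


def endpoints_sharing(inventory: Dict[str, Endpoint], threat_id: str) -> List[str]:
    """Every endpoint that reported the same threat id (lateral-spread check)."""
    return sorted(ep.ip for ep in inventory.values() if threat_id in ep.threats)


def reassess(ep: Endpoint, decay: int = 20) -> Tuple[str, Optional[int]]:
    """Periodic re-evaluation: with no new alerts the score decays and the
    decision is recomputed, so a cleaned endpoint can regain access."""
    ep.risk = max(0, ep.risk - decay)
    return decide(ep)


def respond(inventory: Dict[str, Endpoint], alerts: List[dict]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Process alerts in order; the latest decision per endpoint wins."""
    actions: Dict[str, Tuple[str, Optional[int]]] = {}
    for alert in alerts:
        ep = apply_alert(inventory, alert)
        if ep is not None:
            actions[ep.ip] = decide(ep)
    return actions


if __name__ == "__main__":
    inv = build_inventory()
    for ip, (action, vlan) in respond(inv, SAMPLE_ALERTS).items():
        ep = inv[ip]
        print(f"{ip} ({ep.kind}, user={ep.user}, {ep.site}/{ep.switch}) risk={ep.risk} -> {action} {vlan or ''}")
    print("share THR-SAMPLE-1:", endpoints_sharing(inv, "THR-SAMPLE-1"))
```

Two design points worth noting: the decision is recomputed from the score on every alert and on every periodic reassessment rather than stored once, which is what lets a quarantined device return to the monitored state after remediation, and the response keys on the NAC inventory rather than on the raw alert, so an address the NAC has never seen produces no enforcement action and should instead be treated as a visibility gap.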
The Best Ways to Secure Device Onboarding in The Enterprise

With the prevalence of digital transformation in the enterprise, there is a clear necessity to balance IoT security issues and BYOD security measures that will prevent suspicious or malicious devices from gaining access to the enterprise’s assets and data centers, while at the same time making sure that productivity and easy onboarding of devices are maintained. Employees, guests and contractors are bringing all kinds of Wi-Fi enabled devices to the enterprise environment, and they expect easy and quick network connectivity. Onboarding is the process in which new devices gain access to the enterprise for the first time. Unfortunately, IT departments can sometimes experience additional workloads while endeavoring to get all the devices on the network so as not to hinder business productivity. At the same time, if they are not handling the process with top security standards in mind, they could potentially place users, devices, enterprise data and the network itself at risk.

The question arises: how should IT security teams allow BYOD, IoT, contractors, guests, etc. to securely and quickly connect to the network without placing any of its components at risk of a breach or ransomware attack? The answer: automation. By automating the entire onboarding process, enterprises can achieve the following benefits:

- Reducing the costs that are typically associated with manual work (including configuration and support activities).
- Enhancing productivity – getting team members, contractors and guests connected to work faster.
- Increasing end-user satisfaction – instead of hassling end users with onboarding procedures, the whole process can and should be seamless.
- Decreasing the risks – unmanaged, unpatched, high-risk devices should be blocked, or connected from the beginning to a network segment separate from where the key corporate assets are stored (the “crown jewels” of the company).

Easy Device Onboarding

Employees, students, contractors, partners and guests should onboard their devices once and then automatically re-authenticate after that, within an environment that continuously monitors all devices on the networks and automatically provides a risk score for every device. This ongoing scoring allows security teams to understand the security posture of the devices and the network as a whole, at any given moment. At the same time, there is no need to have end users repeatedly re-enter credentials on subsequent network connections unless a device is deemed to have a high risk score. This way the enterprise can easily onboard BYOD devices belonging to employees that are traveling, working remotely or working at a satellite office location. Additionally, this allows onboarding of IoT and smart devices for business such as flat screens, printers and IoT devices, as well as gaming consoles, smart refrigerators and more. These items, of course, must be on a separate segment from where company assets are kept.

Reducing Risks on the Network

A while ago Ofer Amitai, Portnox CEO, wrote about tips for securing endpoint devices on college campuses, institutions that always want a relatively simple onboarding process. He discussed how changes in onboarding and guest access policies could reduce risks and improve network visibility and control. The principles for securing the enterprise require these steps and more. Having a clear set of onboarding policies allows IT teams to apply automated actions (see examples in the next section). After handling the company’s initial network security audit and collecting the security posture of all devices, it is important to make sure that the enterprise authorization policies include conducting automated and continuous security assessments of the network. This way, every device employs baseline security measures before being allowed to connect. Additionally, the IT security team should use granular policies to govern the level of access while maintaining full visibility and control over network-connected devices, with the ability to revoke access at any time.

Automated Device Onboarding & Network Authentication

Having an automated set of onboarding policies can allow for automated actions such as:

- Immediately allowing Internet access
- Blocking/disconnecting
- Segmenting a device to a separate network section
- Remediation actions

For example, IoT devices are considered easy to hack. Therefore, once connected to the enterprise network, these devices should be separated from where core assets are located. Having different segments on the enterprise network is a good solution for that. Additionally, if a visitor connects, the visitor should gain access to the Internet and not to company files, even when plugging a computer into the wired network. Two important advanced guest network onboarding features are recommended:

- Easy guest access – allowing for simple and fast connections together with the ability to continuously monitor all devices and ensure security.
- Agentless access – once the IT administrators have set up the onboarding policy, contractors and guests on protected networks should be able to self-onboard without installing an endpoint agent.

Acquiring Advanced Onboarding Capabilities

One of the technologies that can help with safe onboarding is network access control (NAC). In the past, companies used only desktops and laptops, connected and authenticated over a wired network; nowadays, however, wireless networks and mobile technologies have introduced personal devices (via BYOD policies) and the Internet of Things (IoT) to the workplace. In addition, increasingly stringent compliance standards, such as PCI-DSS, SOX, and ISO standards, require companies to openly communicate their security controls to external auditing authorities. All of these can be achieved via NAC solutions.

Network access security should be a priority for all companies moving forward. Every enterprise today must support a rapidly proliferating world of devices and platforms. From an operational viewpoint, this shouldn’t pose an obstruction to workflows and productivity. Ideally, the enterprise IT team will automate and secure network onboarding and authentication so that the IT helpdesk doesn’t have to intervene when guests, contractors and IoT devices need to connect. Additionally, an effective plan for secure network onboarding will on one hand improve the end-user experience for BYOD, IoT, users and guests, and on the other hand improve IT security as part of a layered protection strategy. Looking to set IT security policies and automate your device onboarding? Portnox CLEAR offers easy onboarding while never compromising on network security across the enterprise.
Handling Network Complexities in Today’s Highly Decentralized Organizations – Part 3: 802.1X Authentication

Implementation Issues Solved with 802.1X Authentication

In parts 1 and 2 of this blog series we spoke about the idea that decentralized organizations, where mobility plays an important role in network security functionality and visibility, should seriously consider implementing NAC solutions delivered from the cloud, as-a-Service, because endpoint risk assessment, as well as network visibility and control, can be obtained for all locations, with the flexibility to grow the coverage as the company grows. In this article, we look at 802.1X authentication and its growing importance.

When deploying 802.1X authentication via NAC as-a-Service, complaints about lengthy deployments, implementation hassles and limited capabilities do not have to be prevalent any longer. In fact, IT security teams can now succeed where others have failed and be the superheroes of network security projects. NAC doesn’t have to be complicated. With NAC as-a-Service, there is no need for physical deployment or network hardware (unless it already exists, such as RADIUS or Active Directory servers), which significantly cuts the costs and deployment time that were previously associated with the 802.1X authentication protocol. Additionally, NAC as-a-Service allows for secure and remote access for the geo-distributed workforce, without the need for localized branch appliance deployments. It also enables business continuity, because if appliances go offline at one of the locations, the rest of the locations and endpoints can continue accessing the network without interruption and regardless of which type of device is being used (corporate, BYOD, IoT, etc.). As you can see, the NAC as-a-Service cloud delivery model is a different approach altogether for dot1X authentication in the enterprise, as it solves key security issues with the ease, agility and efficiency of a SaaS solution.

Top 5 Things to Consider for Your Next 802.1X Authentication Solution

1. SaaS delivery – With the shift to cloud-based solutions in businesses world-wide, many businesses no longer maintain their own data centers and have come to expect and rely on many solutions being Software-as-a-Service oriented. 802.1X NAC solutions provided from the cloud fit the bill and allow for easier and more cost-effective deployments and implementations.

2. Turn-key solutions with pay-as-you-go options – your next network security solution should have a low TCO – Total Cost of Ownership (both in terms of price and man hours), without forcing you to have so many pieces of equipment, installations and cumbersome access controls. These are the traits of NAC solutions which are not a good fit for decentralized organizations. A simple, pay-as-you-go model will allow you to gradually implement your NAC solution, while maintaining the highest standards for network security. While TCO is a major driver for IT infrastructure management, there is no reason to compromise on a network security project; rather, choose a solution that will provide a full and mature solution from day one.

3. A scalable and adaptive multi-branch solution – with enterprise mobility and multi-branch businesses that in some cases span countries and continents (without always having an IT professional available), your NAC solution should be able to follow your company wherever it goes. Your solution should also be able to adapt to growth in the number of endpoints, locations and ports, no matter where they are and which layer of the network is being utilized (wired, wireless, VPN).

4. A holistic approach to cyber security – your 802.1X NAC solution should not be limited just to port security. It is advisable to have a system in place that can provide a full network security vulnerability assessment. Once your solution can provide full visibility of all network access layers as well as all types of devices that are currently connected on the network, your IT managers can maintain tighter controls and set up automated actions.

5. Automated policies and actions – automation is a must-have option, as there are so many challenges to deal with in keeping today’s organizational network secured. Having one simple and consolidated platform that handles all access layers and all potential port security dilemmas will allow for easier automation, configuration and segmentation (as required) of the endpoints, for a connection that is based on group permissions. dot1X port control allows for full end-to-end provisioning, automated deployment, management and troubleshooting tasks.

Taking these top 5 points into consideration before selecting an 802.1X solution will assure that decentralized organizations wind up with an easier deployment process in terms of time and budget, as well as a holistic solution that does not ignore any part of the network. Portnox CLEAR is the recommended solution for simple 802.1X deployment without compromising on security across the enterprise. By using RADIUS and repository servers from the cloud, dot1X port control is delivered as-a-Service, and admins can embrace the benefits of dot1X authentication by deploying a zero-touch solution that eliminates geo-redundancies. Within weeks, it is easy to see and control every device connected to the network, and thanks to automated monitoring, risk assessments and automated actions it isn’t necessary to be glued to the admin console ever again.
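The onboarding article above lists the automated actions a policy can trigger (Internet-only access for guests, a separate segment for IoT, quarantine for high-risk devices), and this part explains that with 802.1X the decision is delivered to the switch or access point by a RADIUS server. The two meet in the Access-Accept: the server encodes the chosen VLAN in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 3580) and signs the packet with the response authenticator (RFC 2865), and the switch places the port in that VLAN. The following is an added example, not Portnox code or the CLEAR API: the policy table, the VLAN ids, the shared secret and the request authenticator are all constructed assumptions.

```python
"""Added illustration (not Portnox code): map a device class and risk score
to a VLAN, then encode that decision as the RADIUS Access-Accept a NAC/RADIUS
server returns after 802.1X authentication (dynamic VLAN attributes per
RFC 3580, response authenticator per RFC 2865).  Policy values, VLAN ids,
secret and request authenticator are constructed for the example."""
import hashlib
import hmac
import struct
from typing import Dict

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # RFC 3580: Tunnel-Medium-Type value for IEEE 802

# Constructed onboarding policy: device class -> VLAN id (assumption).
SEGMENT_VLAN = {"corporate": 10, "byod": 20, "guest": 30, "iot": 40}
INTERNET_ONLY_VLAN = 30        # guests and unrecognised devices get Internet only
QUARANTINE_VLAN = 999          # constructed quarantine VLAN
HIGH_RISK = 70                 # constructed threshold


def choose_vlan(device_class: str, risk_score: int) -> int:
    """Policy step: high risk always lands on the quarantine VLAN; otherwise the
    class decides the segment, and anything unrecognised is treated as a guest."""
    if risk_score >= HIGH_RISK:
        return QUARANTINE_VLAN
    return SEGMENT_VLAN.get(device_class, INTERNET_ONLY_VLAN)


def _attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: type (1 byte), length including this header (1 byte), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three tunnel attributes that tell an 802.1X switch which VLAN to use.
    Tunnel-Type and Tunnel-Medium-Type carry a tag byte plus a 3-byte value;
    Tunnel-Private-Group-ID carries the tag byte plus the VLAN id as text."""
    tag_byte = struct.pack("!B", tag)
    return (_attribute(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attribute(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _attribute(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii")))


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """Access-Accept = code, identifier, length, ResponseAuth, attributes, where
    ResponseAuth = MD5(code + id + length + RequestAuth + attributes + secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the switch does on receipt: recompute ResponseAuth with the shared secret."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLVs that follow the 20-byte header, rejecting malformed lengths."""
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def assigned_vlan(packet: bytes) -> int:
    """Decode the VLAN the switch would apply (skip the leading tag byte)."""
    return int(parse_attributes(packet)[TUNNEL_PRIVATE_GROUP_ID][1:].decode("ascii"))


def onboard(device_class: str, risk_score: int, identifier: int,
            request_authenticator: bytes, secret: bytes) -> bytes:
    """Full path: policy decision -> Access-Accept carrying the dynamic VLAN."""
    attrs = vlan_attributes(choose_vlan(device_class, risk_score))
    return build_access_accept(identifier, request_authenticator, secret, attrs)


if __name__ == "__main__":
    req_auth = bytes(range(16))             # constructed; a real NAS sends 16 random bytes
    secret = b"example-shared-secret"       # constructed
    for cls, risk in [("corporate", 5), ("iot", 10), ("guest", 0), ("byod", 85), ("unknown", 0)]:
        pkt = onboard(cls, risk, 7, req_auth, secret)
        print(f"{cls:9} risk={risk:2} -> VLAN {assigned_vlan(pkt)} "
              f"({len(pkt)} bytes, authenticator ok={verify_response(pkt, req_auth, secret)})")
```

The check a practitioner wants here is `verify_response`: a switch only honours the VLAN if the response authenticator validates under the shared secret it holds for that RADIUS server, which is what keeps a spoofed Access-Accept from moving a port into a privileged segment. Note also that the risk test runs before the class lookup, so a known corporate device with a high score is quarantined rather than placed on the corporate VLAN, matching the ordering the onboarding article describes.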
Handling Network Security in Today’s Highly Decentralized Organizations – Part 2: Cloud Solutions & Network Risk

The Business of Network Risk Assessment

Classical port security is not always understood. Originally it involved the equipment, and particularly the computers, within the physical perimeter. At that point, NAC came into play if someone penetrated the network from a physical port, on-premise. This all changed in the last 15 years, when enterprise mobility and digital transformation took over and assessing network risk became paramount. These required different levels of authentication to fit the different devices, including managed devices (company owned), unmanaged devices (where Bring Your Own Device – BYOD policies are at play) and IoT devices. The homogeneous ways of the old made way for the heterogeneous reality of the new, turning device and port security into the business of network risk assessment.

Network risk assessment and full network visibility are the virtual doormen at the party who will allow the organization’s invitees to enter. Instead of naïvely allowing anyone to access the network, there should be a continuous and automated system performing risk profiling and allowing full visibility of everything on the network. Where traditional, on-premise NAC is limited to a few actions and parameters that do not reflect the complexities outlined above and in part 1 of this blog, a robust NAC solution should be able to scan all access layers and all endpoints for all users. Once this is achieved, continuous endpoint risk assessment becomes a reality, providing the wider solution that is required for today’s complex networks and decentralized organizations.

802.1X, Network Risk & Security Projects

In today’s 24/7 hyper news cycle, we are constantly learning of new data breaches, costly malware attacks and the need to have solid network security solutions. 802.1X, the trusted authentication protocol used for Network Access Control (NAC) solutions, was initially considered a success when implemented on wired networks, within the framework of a traditional, on-premise solution. However, later on, as more companies became decentralized and shifted to wireless networks and VPNs, traditional on-premise 802.1X solutions no longer fit the bill. Unfortunately, many companies were burnt by these on-prem 802.1X NAC projects. True, the protocol itself is extremely trustworthy; however, with most solutions there seems to be a never-ending patching and configuration job going on. That’s assuming they have completed the labor-intensive and expensive deployment that, in many cases, includes moving a lot of equipment around. If this is a decentralized organization, such as a multi-national company with many access points, each location will require a way to protect all endpoints and company assets. In some cases, this could become costly and create a lack of cohesiveness within the organization.

To solve these and many of the challenges discussed in part 1, lighter, adaptable and agile solutions have become necessary in the new reality. Organizations must transition into using easier NAC solutions such as NAC delivered from the cloud and Software-as-a-Service. Among other attributes, a SaaS delivery model will save time and money on deployment, training and implementation, while at the same time providing the agility, visibility and accuracy needed to handle today’s complex and multi-component networks. Next-gen solutions offered as-a-Service are able to cope fully with today’s decentralized organizations, and the on-prem 802.1X solutions can no longer suffice. Thankfully, there is such a solution. While it provides robust coverage, it is easy to implement in a few simple steps, the first of which is an easy software download.

NAC Solutions Delivered as-a-Service from the Cloud

Using a next-gen 802.1X cloud solution will allow organizations of any size and with any number of geo-locations to gain full visibility of all endpoints on the network, regardless of what the access layer is or which type of device is being used (company issued, BYOD, IoT, etc.). 802.1X is one of the most secure ways to authenticate devices connecting to the network because it is based on set protocols and a verified standard. While other authentication methods may simplify the implementation and management, as of now there are very few solutions that can match the security and strength of 802.1X authentication on all VPNs, wired and wireless networks. For those concerned with the notion of having security provided from the cloud, it should be noted that according to Gartner’s research, “by 2023, 80% of enterprises will adopt two or more cloud-based security services”. As more companies become decentralized, we believe that more of them will adopt security services delivered from the cloud.
            Handling Network Security in Today’s Highly Decentralized Organizations – Part 1: Cybersecurity ChallengesHandling Network Security in Today’s Highly Decentralized Organizations – Part 1: Cybersecurity Challenges
Today’s Top Cybersecurity Challenges

1. The Perimeter is Dead
We know that our businesses are becoming more digital and connected every minute, of every hour, of every day. This is a global trend and the source of one of many emerging cybersecurity challenges. It is also the foundation for increased delivery speeds, efficiency and productivity in all organizations. Organizations these days are no longer limited to their physical office premises as they once were. In many cases, team members are allowed the flexibility of working remotely, telecommuting and working in different branches across different countries, sometimes working in shared co-work offices with other remote employees and business owners. That said, IT Security Officers have their work cut out for them, whether they are handling a large multi-national organization or a small-to-medium business. We all know and feel the incredible threats looming over our networks and the constant care that must be taken to assure the security and integrity of our organization’s assets, whether they are physical or intellectual. In this first post of a series of three, we’ll review a few cybersecurity challenges with network security and then consider some solutions in parts 2 and 3 of this blog.

2. We Adore Our Mobility
There is a lot of satisfaction that comes with the increased productivity, flexibility and mobility offered by digital transformation. Is there anyone out there who would like to trade their smartphone back for a flip phone? Their laptop for a desktop? The answer is clear: obviously not. We all adore our mobility and digital advancements. So much so that IDC predicts that within the next two years there will be close to 200 billion Internet-connected devices. If you are reading this article, there is an excellent chance that you use 5-6 connected devices, including your smartphone, a wearable of some sort, a laptop or two and a tablet or two. Perhaps you have a few IP cameras monitoring your home and office while you are away. And that’s just you. Now think of all the people bringing their own devices to the enterprise these days. Next, let’s think of the IoT (Internet of Things) devices that are increasing their presence everywhere: according to IDC, there will be 80 billion connected IoT devices by 2025, heightening a security concern stemming from the fact that IoT devices are almost invisible on many enterprise networks. Additionally, employees are accessing any kind of application under the sun (or fluorescent light), on their own devices and via the Internet on their company-managed computer. These applications and websites are used for both personal and work-related purposes, placing the organization’s assets at risk.

3. Network Complexity
In today’s decentralized enterprises there are multiple access layers at play, including the use of wired, wireless and VPN connections. This is one of the core security issues with complex networks in decentralized organizations with locations in different states and countries. Multinational organizations suffer from increased risk due to their IT security loopholes and the abundance of access ports and end-users. It is no wonder, then, that many IT departments have settled for half-promises of asset security and network controls. They must work amid constant cyber threats that seem to be spreading faster and everywhere these days. Unfortunately, one of these half-promises leads to incomplete NAC (Network Access Control) implementations and to lengthy and unsuccessful projects.

4. Security Vendor Fragmentation
Another one of these current cybersecurity challenges is vendor fragmentation. Vendor fragmentation is an incredible headache that must be handled. It seems like there is a solution for every inch of the network, as long as you are willing to work with five different vendors. Implementation is labor intensive and expensive. Moreover, IT leadership struggles when selecting vendor software because the solutions are diverse, with no single vendor able to meet all requirements and use cases, especially in decentralized organizations.

5. Safely On-boarding All Devices
On-boarding devices onto the network in a distributed organization is not hassle-free, and it often slows productivity down. Additionally, compliance must be enforced across the organizational network, no matter which location around the world or which device is being used. At the same time, if one of your team members loses their computer, there should be a clear path to prevent that device from on-boarding onto the network.

6. Cybersecurity Posture
Many CIOs and CISOs have the constant burden of dealing with and maintaining the organization’s cybersecurity posture while potentially being targeted for cyber-attacks. With cyber-attacks on the rise and in the news every week, it is no longer a question of if, but rather a question of when one’s organization will be under attack. And so the question arises – are we as prepared as we could and should be? The network complexities outlined here may be preventing many from establishing optimal solutions and procedures for their organization, especially those that allow full visibility and risk management, without even imagining how serious the threats are until it is too late. Is it really going to take a complete data breach before we do anything about it? Can’t we just learn from other organizations’ mistakes and misfortunes? (Note the 2017 WannaCry attacks, for example.) Still, once IT departments have been burnt by unsuccessful NAC projects, they might be slow and cautious before initiating the implementation of a new and ideally – better – technology.
Using Blockchain to Solve IoT Device Security – Part 2
In his recent thought-provoking lecture at InfoSec Europe 2018 and in his recent article, Ofer Amitai explained that in the future blockchain technology could play a significant role in achieving increased security for IoT (Internet of Things) devices and machines due to its decentralized ledger and peer to peer communications that suit IoT machines communicating amongst themselves without human intervention. He outlined a few futuristic scenarios which he believes will become a part of our normal life routine within 5-10 years, and argued that it will be crucial to have outstanding and solid trust protocols set in place so that this future can operate seamlessly and securely. The recent lecture and article brought up a few questions that were posed to Mr. Amitai, and in part 1 of our conversation Ofer discussed the benefits of the centralized ledger for IoT device security and privacy, as well as other forms of machine to machine communications that will be at play in the near future.

Q: Some peer to peer communications (or blockchain) is already happening today, correct?

The best example at the present is Space X landings that are happening via communications between machines – the rocket returning to earth communicates directly with the raft it needs to land on, whether at sea or on land, and it happens without human intervention. Peer to peer communications is available also within the field of consumer services. For example, I can request Alexa to play a song on Spotify. If I tell Alexa to call my phone there are two electronic components communicating. The more we fill our spaces with physical IoT devices and machines, the more peer to peer communications we will see. Still, at the end of the day it is always a person who consumes a service of some sort. IoT and all of these things are designed to serve a human requirement, even if in a remote or roundabout way.

Q: When speaking about eliminating the ‘men in the middle’, there arises a concern that along with AI these technologies could, at some point in the future, supersede humans in making the decisions as far as policy making. Most people would prefer that humans be setting policy. How can we make sure that AI/IoT remain technologies in our service and not the other way around?

That issue is more prevalent with AI, but IoT decision-making would have moral issues as with AIs. There is a philosophical and moral dilemma there related to decision making. For example: if there is an autonomous car that is about to be in an accident, and the computer sees someone is crossing the street but that around the corner, if it avoids one person it would hit the other – the machine needs to calculate what to do, who should it hit? With autonomous IoT we could have moral dilemmas such as who makes these decisions? Whose life is worth more? Will they calculate age? The challenge exists also with issues that are not life and death. An autonomous car could decide to fill up on its electricity charge before picking me up from work, for example, calculating that it is more important so that I don’t have to wait in the car while it is happening, but then picking me up later from work. The potential future complaint with IoT might be that machines could eliminate jobs that are currently filled by people. So if I have a chlorine meter in municipal pools in the city, then it could eliminate a job that in the past was filled by a person who went from pool to pool and measured acidity levels. I believe that the issue in general will be the anticipated reduction in the number of available jobs; the question is – can we create new jobs in their place? Or perhaps humanity’s future is to enjoy all the good and have machines do the work.

Q: You speak of having a “trust score” that would allow IoT devices and machines to assert if they should allow transactions. Who would be the people or organizations to create this trust score? Would it operate on a country-wide scale? On a global scale? What currency should be used?

Generally speaking, I believe that cryptocurrencies and normal credit cards could be used – each country will have its own cryptocurrency – like a crypto-dollar, a digital dollar, and the future will go to cryptographic coins – country currency will allow countries to continue regulating what goes on in their country, allowing everybody to do transactions without ‘men in the middle’. That is the greatness of the blockchain and the advantage of cryptocurrencies in general; the country would still control and regulate for governance purposes. We can imagine many government applications with blockchain technology, but I believe that most of the applications for government will be half-centralized – as there will still be central governance; for example a ledger for land – when people agree that the data should be kept on a decentralized ledger – someone needs to manage the protocols and write the program – just as Bitcoin manages its protocols and writing the programs – these parts I believe will remain centralized – the government will be responsible for writing the program, and setting the rules of the game; and the good part here is that I do not require a government office to handle the back and forth transactions and communications, as with credit cards, approvals, bank personal identification numbers, authorization points, etc.

Q: Will there be any connection between what you do at Portnox and Blockchain-of-things technology in the future?

Probably not. Our interest is at the level of thought-leadership, and we do actually provide network security for IoT devices. While Portnox does have solutions for monitoring and managing network security for IoT devices, I doubt that we will be researching blockchain solutions at the moment. At the end of the day, as IoT devices and machines become more integrated in our day-to-day lives and are incorporated in our working environments, there is an increasing risk that individuals and organizations would try to take over those devices and machines, and we need to be prepared. There is a fear there that could potentially hold back technological advancements, and that’s not the answer either. Solutions must be found to work through the challenges. That’s what we do. There are always solutions. For example, some people are concerned about being seen involuntarily through the webcam in their laptop, so there is a small plastic cover for that; it looks like a little window. Soon, this window will be a built-in component in laptops as part of their manufacturing process. This is a real concern that consumers have, and there will be creative solutions that will be embedded into all technologies.
Using Blockchain to Solve IoT Device Security – Part 1
In his recent thought-provoking lecture at InfoSec Europe 2018 and in his recent article, Ofer Amitai, CEO and co-founder of Portnox Security, explained that in the future blockchain technology could play a significant role in achieving increased security for IoT (Internet of Things) devices and machines due to its decentralized ledger and peer to peer communications that suit IoT machines communicating amongst themselves without human intervention. He outlined a few futuristic scenarios which he believes will become a part of our normal life routine within 5-10 years, and argued that it will be crucial to have outstanding and solid trust protocols set in place so that this future can operate seamlessly and securely. The recent lecture and article have brought up a few questions that have been posed to Mr. Amitai, and in his answers he continues to outline notions regarding our global technological future.

Q: Regarding blockchain tech being “tamper-evident” – If the goal is to use an IoT device to start a DDoS attack, criminal theft, etc., couldn’t the cyber offenders still get away with what they wanted to do?

Amitai: “I believe hackers could check which devices do not have the latest software and security updates, according to the ledger, and those potentially might be a target via the identity of the device. In a situation where an IoT machine has verification of the latest update, then it is less likely to be hacked. The blockchain will create a new database of IoT devices: it doesn’t mean that you can locate the device, but just by looking at the ledger you can map the devices that are not updated, and hackers could potentially use that to their advantage, knowing which machines don’t have the latest security patches, updates, etc. Then again, if IoT device security programmers are using that ledger to create a trust score, then it wouldn’t help hackers because those devices would have a low trust score and ideally, they wouldn’t be able to transact with most other machines. There would be a race here between the IoT devices to become updated, and cyber offenders wishing to hack and get into the devices. The identity on the ledger should uniquely identify the machine, but still keep it safe and anonymous on the ledger – so you wouldn’t know how to communicate with that device just by looking at the blockchain, or be able to pinpoint it physically, so they have some level of anonymity. You won’t be able to use it like Shodan to hack IoT devices and machines.”

Q: In your lecture at InfoSec Europe you mentioned that within 5-10 years IoT connected devices and machines will be performing transactions on our behalf. Where else do you see this happening? In which industries? Where in the world?

Amitai: “I believe we will see it in the area of virtual assistants, so you’ll have a lot of machine to man transactions, and also machine to machine, such as ‘please book a hotel for me online’; ‘get me a taxi please’, and the taxi is an autonomous car, and so the virtual assistant communicating with the autonomous taxi would be machine to machine communications; tourism and booking trips; transportation; hospitality. Did you see the new Google virtual assistant launch? Well, in the future the conversations will be between machines. IoT household machines, for example – the fridge in your home orders items from the grocery store that will deliver everything, without humans being involved. And it will be interesting to see logistically how those deliveries take place, what types of physical infrastructure will have to be in place for that to happen. Predictive maintenance is where a machine will order components like a battery that will arrive there, in order for the machine to fix itself! In other words, machines will notice when their battery isn’t going to recharge anymore and take actions to order a new one. So machines will be able to fix themselves. Pizza delivery – if I have a lot of connective points with IoT cars and smart city traffic lights I know how fast the pizza will arrive – the more data points I have, the more I can predict how fast the deliveries will reach any point in the city. It is interesting to see what happens with big shipping like ZIM containers in the future. Companies are already working on autonomous ships. Typically, you have a whole crew of people manning supply ships. It’s a big operation and those ships and crews are in danger of being kidnapped… then ransom is demanded, and if ships are working autonomously, then sure, people could still try to steal them or goods from them, but then you don’t have to worry about human lives; you can hook up security cameras all over the ships, and if someone comes to steal anything you could deploy law enforcement, but at least human beings wouldn’t be in harm’s way. So potentially this type of piracy would disappear from the world. Think about parking lots. In the future, your car could drop you off at work, and then go find a parking space on its own. If the car has a good trust score it will be granted access without an issue. Then it could come back to pick you up at the end of your work day. In the end we want to have automation of processes and have less interaction as humans with machines, especially in supply chain and manufacturing, where there are areas of friction with humans. The less people are involved – the smoother it will be.”

We will continue our exciting conversation with Ofer Amitai in part 2, in which Ofer will discuss examples of machine to machine communications that are already in use today, policy setting, and the need to be prepared for the new security risks of tomorrow.
How to Protect Your Network When You Have a Large Remote Workforce
What It Means to Protect Your Network
Every enterprise has a different pain point when it comes to security, whether it employs a large remote workforce or the company operates at a global scale. According to a survey by Gallup, 37% of U.S. workers have worked from home, which is up from 9% in 1995. This trend toward an agile employee base allows companies to be competitive with one another when hiring talent, but it is leaving back doors open and heightening risks to your network. With the right technology, you can protect your network from risks of all kinds. Here are two use cases where NAC-as-a-Service can help protect your network security. You can read more in the NAC-as-a-Service eBook.

Enterprises with Remote Workforces
As companies adopt work-from-home policies, security concerns are rising for IT departments. Remote workers and co-working spaces aren’t just for startup entrepreneurs anymore. In fact, Fortune 500 companies like GM, GE, IBM and Microsoft all rent office spaces from WeWork. According to Gallup, the average U.S. employee works remotely at least two days a month. 9% of those polled work from a remote location for at least ten days a month, whether that is from their home office or a more public location. Remote employees often connect to wireless networks that are also being accessed by other individuals, whether the employee is at a coffee shop or traveling and using their hotel’s guest Wi-Fi. Many companies require remote employees to authenticate their devices via a virtual private network, but enforcing VPN policies can be difficult. Using these connections may leave back doors open for hackers into the enterprise’s network. With NAC-as-a-Service, IT departments gain visibility into their network endpoints from the cloud, giving network administrators the contextual knowledge to be confident their data and networks are secure. With strong authentication credentials, NAC-as-a-Service prevents unauthorized access.

Global Companies Looking to Minimize Risk
With the growth of BYOD, IoT and companies scaling their business globally, the need to control network endpoints and streamline security practices for the network is higher than ever. Managing global networks with multiple regional offices can be daunting. With global corporations like GE, IBM, and Microsoft encouraging co-working spaces, more IT departments are sitting down to minimize the potential risks to their network. If a vulnerable device is attempting to join the network at a regional office or a shared office space like WeWork, it may put the entire global network at risk. Many traditional NAC solutions are on-premise, and some regional offices may have differences in their security policies. Streamlining these policies is crucial; with a cloud NAC solution there is no requirement for any hardware or complex installation, so policies can be streamlined across a global network from the cloud. Whether you are managing regional offices or your IT department is authenticating your work-at-home employees, with NAC-as-a-Service small businesses and large enterprises can monitor their risks and protect their network with ease. Portnox CLEAR works to put IT departments’ minds at ease with NAC via the cloud, whether your company works at a global scale or you are retaining a large remote workforce. Interested in reading more about the next generation of NAC? Read our NAC-as-a-Service eBook.
NAC-as-a-Service: The Future of NAC Solutions
NAC solutions have been around since the early 2000s, serving the important purpose of authenticating and authorizing access to the corporate network. NAC solutions are historically reliable when it comes to authenticating and authorizing access based on device credentials, but with the onset of digital transformation, including Bring-Your-Own-Device (BYOD), the Internet of Things (IoT), and a growing mobile workforce, NAC solutions need to adapt to the modern enterprise landscape. Our new eBook introduces NAC-as-a-Service, offering traditional NAC capabilities including authentication, authorization, and endpoint security assessments from the cloud as-a-Service.

What’s new about NAC-as-a-Service?
Pricing: Traditional NAC solutions run on port-based pricing and one-time fees, whereas NAC-as-a-Service uses a subscription-based model.
Location: On-premise NAC offerings typically control only on-site devices, whereas NAC-as-a-Service monitors and controls all devices on a network regardless of location.
Easy 802.1x: A NAC-as-a-Service solution allows for simple deployment of 802.1x authentication, without compromising on security across the enterprise, and allows admins to embrace this trustworthy method of authenticating devices on the corporate network.
Automated control: Instead of manually tracking managed endpoints, NAC-as-a-Service offers automated controls based on a device’s risk level.
Customized policies: System admins can set up access policies that restrict devices based on qualifications, for example setting geographical control over where the corporate network can be accessed from, or restricting access from a certain operating system.

Why does your organization need NAC-as-a-Service?
If you’re looking to adopt digital transformation trends while keeping your network secure, NAC-as-a-Service is right for you. IT professionals often want to encourage their employees to use technology and reap the financial benefits that result, but are concerned about the digital risks they can expose the organization to. When adopting digital transformation trends like BYOD, IoT and the mobile workforce, visibility and access controls are more important than ever. NAC-as-a-Service offers network administrators visibility into all endpoints without the use of an agent, and automatically limits or restricts access if an endpoint appears to put the network at risk. With a cloud service, network access control is easier than ever.

The future of NAC solutions
Portnox CLEAR is a cloud-based solution that simplifies the management of emerging cyber risks in the organization, offering all the benefits of a SaaS solution paired with robust access control and network visibility capabilities. Find out more about how a NAC-as-a-Service solution addresses today’s security needs in our NAC-as-a-Service eBook.
Portnox Wins Two Cybersecurity Excellence Awards
We’re excited to share that Portnox won the Cybersecurity Excellence Award in two categories:
Silver Winner for Most Innovative Cybersecurity Company: Portnox
Bronze Winner for the Cloud Security category: Portnox CLEAR

“Congratulations to Portnox for being recognized as a winner in the Most Innovative Cybersecurity Company and Cloud Security categories of the 2018 Cybersecurity Excellence Awards,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the 400,000-member Information Security Community on LinkedIn that organizes the awards program. “With over 400 entries in more than 70 categories, the 2018 awards are highly competitive and all winners truly reflect the very best in today’s cybersecurity industry.”

The 2018 Cybersecurity Excellence Awards are an annual program that recognizes products, companies and individuals that exhibit innovation, excellence and noteworthy leadership in the information security space, based on the strength of their nomination and the popular vote from members of the Information Security Community. You can find Portnox listed among the winners here. Read more about Portnox CLEAR, the Cloud NAC solution, or simply Try it Now!
2018 Top Cybersecurity Events Not to Be Missed!
Do you want to stay ahead of the game? The following list of cybersecurity events will help … and they are fun too! Whether you are a security professional, software developer, security administrator, or in any other role in the IT security field, attending a conference is a great way to network with other professionals and learn about the hottest market trends, new developments, improvements, innovation and information. Plenty of great cybersecurity conferences are coming up in the months ahead, and the Portnox team will attend several of these. We’ve identified these top cybersecurity events that should be on your list. Check them out and update your calendar!

Cybertech Israel
January 29-31, 2018, Tel Aviv, Israel
The event is positioned as a global meeting place, featuring representatives from organizations of all sizes, from multinational corporations to emerging startups. There will be a special pavilion for startups, as well as a competition in which entrepreneurs will present their ideas to a panel of international judges. Topics under discussion during the conference include the Internet of Things (IoT), big data and Finsec. New in 2018 is a sister conference and exhibition, AutoTech, focusing on the future of smart mobility and the automotive industry.

Oracle CloudWorld
February 16, 2018, New York City, USA
Oracle CloudWorld brings together forward-looking professionals responsible for finance, operations, supply chain, human resources, sales, marketing, customer service and IT. Learn how leading companies are leveraging the cloud for competitive advantage. Experience what works, what doesn’t, and identify solutions and approaches to accelerate your innovation.

Gartner Identity & Access Management Summit
March 5-6, 2018, London, UK
The Gartner Identity and Access Management (IAM) Summit will focus on some of the hottest topics for the coming year, including the role of identity management in securing cloud and mobile apps, the IoT and the importance of privileged access management. For those preparing for the General Data Protection Regulation (GDPR), there is also a focus on the role of IAM as it applies to the privacy regulation.

InfoSec World 2018
March 19-21, 2018, Florida, USA
InfoSec World 2018 Conference & Expo is bringing together CISOs, CIOs, CTOs and other security practitioners who will share hands-on and practical advice on a wide range of security topics. From understanding your adversary to learning about the 0-day exploit market to bridging the gap between the technical and business aspects of security, InfoSec World 2018 will offer a chance for security professionals to learn something new and analyze ideas with peers.

Cloud Security Expo
March 21-22, 2018, London, UK
Cloud Security Expo is the fastest growing section of the Cloud Expo Europe event series, attracting a record-breaking 19,926 Enterprise IT & Security Buyers and Specialists in March this year! The Cloud Expo Europe Keynote Theatre hosts foremost international technology leaders, including internationally acclaimed and top-rated visionaries, senior industry speakers and executives driving a global transformative shift towards cloud computing and other disruptive technologies. Speakers will deliver their outlook on the future, plus leading CIOs and senior IT professionals will be sharing their roadmaps to digital transformation, where cloud lives in the heart of the engine room. Cloud Security Expo provides the tools, training and techniques to ensure companies are compliant and secure as they transition their business assets to the cloud. To register for the event, click here.

RSA
April 16-20, 2018, San Francisco, CA, USA
The largest cybersecurity event in the world today. The RSA Conference USA 2018 is dedicated to information security topics including data breaches, cyber threats, compliance, social engineering, cloud security, risk management, application security, mobile security, governance, data security, legislation and policy, law, cryptography and identity management. It brings together information security professionals from across the globe working in industries such as Computer Software Development, Finance, Banking, Healthcare, Government, Pharmaceuticals, and Manufacturing. Hear from world-class speakers on topics such as “The Most Dangerous New Attack Techniques, and What’s Coming Next”.

Interop ITX
April 30 – May 4, 2018, Las Vegas, NV, USA
Interop ITX combines a trusted conference program with a vendor-neutral Business Hall and lots of networking events. The event is entering its 32nd year serving the IT community, and it is an opportunity to learn about technologies and solutions. You may not realize how much the show has evolved during that time, growing from a plugfest ensuring network interoperability to an industry-oriented trade show to its current model: a week-long event centered around its conference program, including educational sessions, long-form tutorials, mainstage keynotes, sponsored content and a business hall showcasing technology. Our CEO is speaking! Sign up for his hands-on IoT workshop here.

Gartner Security & Risk Management Summit
June 4-7, 2018, National Harbor, MD, USA
The Gartner Security & Risk Management Summit 2018 will focus on practices and strategies that will provide cost-effective security and risk programs in order to support digital business and drive the success of your business or organization. Among the exhibiting companies are IBM, Thales, Cylance, Varonis, Symantec, HP Enterprise, Verizon, Sentinel and AT&T.

InfoSec Europe
June 5-7, 2018, London, UK
Infosecurity Europe (Infosec) is the region’s number one information security event, featuring Europe’s largest and most comprehensive conference programme and over 400 exhibitors showcasing the most relevant information security solutions and products to over 19,500 information security professionals. Each year this conference features many sessions on NAC. Watch this space!

Black Hat USA
August 4-9, 2018, Las Vegas, NV, USA
Black Hat is the most technical and relevant global information security event series in the world. For more than 18 years, Black Hat has provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.

Contact us to schedule private product demos (Portnox CORE for on-premise NAC and Portnox CLEAR for cloud-based NAC) at one of these shows. We look forward to seeing you there and beginning a conversation with you around network security!
How NAC Achieves CIS’s Top Security Controls
The value proposition of network access control (NAC) solutions has shifted in recent years due to the onset of wireless networks, coupled with technological advancements in mobile and Internet of Things devices. Together with growing demands for the implementation of compliance standards across a number of industries, companies are now required to openly communicate information about their security controls to external auditing authorities. NAC is well positioned to provide an answer to these concerns by directly addressing the Center for Internet Security’s Top 5 Security Controls, which are a prioritized set of actions to protect organizations and data from cyber threats. NAC security solutions address: collecting the inventory of authorized/unauthorized devices and software (including applications); ensuring secure configurations of hardware and software; carrying out continuous vulnerability assessments and remediation measures; and allowing for the controlled use of administrative privileges through role-based access. Find out how the best NAC solutions address these security controls in our infographic and “The Importance of a NAC Solution” White Paper!
Passwordless Authentication: A Paradigm Shift in Security

Passwordless authentication appears to be the new belle of the ball amongst tech experts. Of course, the reasons all stem from the general challenges experienced by security companies and businesses. The security and tech world continues to advance in scope and sphere, through ongoing efforts to improve existing structures. These changes are prompted by the ongoing surge in security breaches, from which no industry is spared. Security issues surrounding weak passwords serve as a driving factor for these breaches, and a nightmare for IT departments. As secure as some might believe them to be, passwords remain the weakest link in today’s workplace security network. Stolen credentials are costly to resolve and come with many negative impacts. As organizations rethink the future of the workspace, passwordless authentication seems to be a way out.

What is Passwordless Authentication?

Passwordless authentication is any method that eliminates the reliance on passwords to provide a smoother user experience, a stronger security posture, and reduced costs. Passwordless authentication uses methods of identity proof to replace the use of passwords, passphrases, and other shared secrets. OTPs are one alternative; authenticator apps, biometrics, and hardware and software tokens make up the other forms. Businesses encourage the adoption of passwordless authentication because it removes all vulnerabilities associated with secret-based passwords. But there’s a constraint: the market is not fully ready for its adoption. Business enterprises struggle to cover the various use cases with a single solution.

Challenges of Passwordless Authentication

Security Limitations: Passwordless authentication is not entirely foolproof, although it’s better than a password. Hackers can use malware to intercept one-time passwords. They also insert trojans into a browser to gain access.

Costs of Deployment: The implementation of passwordless authentication comes at a high cost: new software, hardware, trained employees, and more. Passwordless authentication also entails a change in management plans and projects. The deployment also comes with hardware installations and the purchase of gadgets. In addition, the choice of software comes with hidden costs in software administration, maintenance, and migration.

Passwordless Authentication Methods

Biometric Authentication: a method that uses biological characteristics such as facial features and fingerprints. This authentication method allows users to instantly log into their devices.

One-Time Passcodes (OTP)/PIN: the OTP method puts the responsibility of generating dynamic codes on the service provider. As a result, it eliminates having to remember passwords or download apps. Foremost in this category is the time-based one-time password (TOTP). The TOTP is a transient method and must be in sync with the time zone. It works with algorithms that generate passwords on the server and the client whenever there’s system authentication. A major drawback is that a user may mistakenly tap multiple times to generate a token. When this happens, they have to restart the process.

Push Notification Authentication: push notifications work with an app installed on the user’s phone. The user receives a notification on a registered device containing the login’s date, time, and location, which allows them to accept or deny access.

Magic Link Login Authentication: magic links require a user to enter an email address into the login box. An email is then sent with a link that must be clicked to log in. A user receives this magic link to ensure safety whenever there’s a login.

The Benefits of Passwordless Authentication

Reduced Costs: password management and storage require a lot of resources. Resetting passwords and frequently changing password storage laws are also costly. Passwordless authentication helps to remove long-term costs.

Stronger Cybersecurity Posture: passwords no longer provide a stalwart defense, as many people reuse them multiple times. Once a password gets breached, leaked, or stolen, it’s much easier for a hacker to gain access to your other applications. This allows malicious actors to then commit financial fraud or sell trade secrets to rival companies. Passwordless authentication takes care of these challenges by offering protection against the most prevalent cyberattacks.

Better User Experience and Greater Productivity: users often have to generate and memorize multiple passwords, and because of this they sometimes forget them, forcing the task of then resetting them. For this reason, users choose simple and uncomplicated passwords, often using the same ones for numerous applications with the addition of an extra character. The challenge here is that hackers find it easy to access these accounts. Passwordless authentication eliminates these challenges, as users do not have to create or memorize their passwords. Instead, they authenticate using emails, phones, or biometrics.

Scalability: passwordless solutions work with technology and factors that end users already possess. Therefore, it becomes easier for mobile devices and laptops to adopt the various methods. Some passwordless authentication methods that are easily integrated include biometrics and authenticator apps, Windows Hello, and fingerprints.

Top 10 Use Cases of Passwordless Authentication

Passwordless authentication can apply to a variety of use cases, including: customer payment authentication; remote logins; logins for financial services; call center authentication; personal logins; customer balance access; record access; mobile banking; wire transfers; push notifications.

Changing the Security Paradigm: The Big Step

Businesses that integrate passwordless authentication have a strong concern for security. Organizations now realize that many security breaches result from the use of passwords. For them, the one-time cost of implementing passwordless authentication is more rewarding. While it’s true that passwords are still quite common, the security risks are enough reason to make a switch. With the technology quickly gaining traction, there’s no better time to integrate passwordless authentication. Indeed, passwordless authentication is the next digital breakthrough that offers key advantages over the traditional password, including: it helps to lower costs while also increasing revenue; customers tend to gravitate towards products and services that provide trust and security; providing a smooth user experience is preferable to any customer; and the presence of the technology and its adoption is a vital element for trusted security. Nonetheless, passwordless authentication remains in its early stages. While many businesses have yet to adopt the technology, there’s a strong sentiment that its adoption will help change the face of security in the near term.
Filling the Access Security Gap With Certificate-Based Authentication

It should come as no surprise that passwords have fallen out of favor as a reliable method of authentication. This is because passwords are often weak (easily guessable), can be forgotten, and password stores become a weak point for security (if an intruder accesses the password store, they hit the mother lode). Luckily, there is a better way to reliably authenticate users: certificate-based authentication.

What Is Certificate-Based Authentication?

Certificate-based authentication is a cryptographic technique that uses a digital certificate to identify a user, device, or machine before granting access to specific resources. Certificate-based authentication isn’t new. It’s widely used by many internet security protocols, including SSL/TLS, a near-universal protocol that encrypts communications between a client and server, typically web browsers and websites or applications. However, certificate-based authentication works slightly differently for SSL/TLS than in other use cases. With SSL/TLS, the server confirms its identity to the client machine, but this happens in reverse for client certificate-based authentication. For example, let’s say a company wants to use certificate-based authentication to grant employees access to its email servers. In this scenario, the company will issue employees valid certificates to access the email servers, and only employees with these certificates will be granted access. In recent years, certificate-based authentication has risen in popularity as an alternative to password-based authentication, mainly as a way to address the security gaps with usernames and passwords. For example, username/password authentication uses only what the user knows (the password). In contrast, certificate-based authentication adds another layer of security by also using what the user has (the private cryptographic key). With that said, it’s important to note that certificate-based authentication is rarely used as a replacement for usernames and passwords but instead used in conjunction with them. By using both, companies essentially achieve two-factor authentication without requiring any extra effort from the end user (getting out their cell phone to receive a one-time password (OTP), for example).

How Does Certificate-Based Authentication Work?

Before answering this question, we first have to understand what a digital certificate is. A digital certificate is an electronic password or file that proves the authenticity of a user, server, or device through cryptography and the public key infrastructure (PKI). PKI refers to the tools leveraged to create and manage public keys for encryption. It’s built into all web browsers in use today, and organizations also use it to secure internal communications and connect devices securely. The digital certificate file contains identifiable information about the certificate holder and a copy of the certificate holder’s public key. This identifiable information can be a user’s name, company, and department, and the device’s IP address and serial number. When it comes to the public key, the key needs to be matched to a corresponding private key to verify it’s real. So, how does this work in practice? First, the end user digitally signs a piece of data using their private key. This data and the user’s certificate then travel across the network. The destination server then checks the signed data (produced with the private key) against the public key contained within the certificate. If the keys match, the server authenticates the user, and they’re free to access network resources.

Benefits of Certificate-Based Authentication

Digital certificates are widely used by organizations today, and for many reasons. Let’s dive into why.

Boosted Security: Public key cryptography, also known as asymmetric encryption, is considered very secure. This is because all data encrypted with the public key can only be decrypted with the matching private key. So, when two parties communicate, the sender encrypts (scrambles) the data before sending it, and the receiver decrypts (unscrambles) the data after receiving it. The unscrambling can only happen if the keys match. And while in transit, the data remains scrambled and will appear as gibberish to a hacker.

Ease of Deployment & Use: Certificate-based solutions are easy to deploy and manage. They typically come with a cloud-based management platform that allows administrators to issue certificates to new employees with ease. The same is true for renewing or revoking certificates. Moreover, many solutions integrate with Active Directory, which makes the certificate issuing process even more straightforward. They also don’t require any additional hardware, which isn’t the case for other authentication methods like biometrics or OTP tokens. Lastly, certificate-based solutions are very user-friendly and require minimal end-user involvement. Users don’t have to expend additional effort to get this boosted level of security. This is crucial because adding friction to any security measure tends to frustrate users and can often lead to worse outcomes. We see this happen with passwords, where users typically reuse passwords to ease the burden of remembering multiple highly secure phrases.

Natively Supported by Many Existing Enterprise Applications: Countless enterprise applications and networks natively support X.509 digital certificates, the typical format used for public key certificates. This means enterprises can get up and running with certificate-based authentication with just a few configuration tweaks.

Security Flaws of Certificate-Based Authentication

No solution is without its drawbacks, and the same is true for certificate-based authentication. First, it’s much harder to crack a key than a password, but once cracked, the results are the same. If a key is compromised, cybersecurity goes out the window. Essentially, IT can’t distinguish between a hacker and a legitimate employee if the keys match. And this is precisely why certificate-based authentication should be used in coordination with other authentication and cybersecurity measures wherever possible. Second, certificate-based authentication is only as strong as the digital certificate. In other words, the stronger the cryptographic algorithms used to create the certificates, the less likely an attacker can compromise them. For this reason, organizations must ensure that the certificate authority is reputable and trustworthy.

Final Thoughts on Certificate-Based Authentication

Certificate-based authentication can be an excellent addition to any organization’s cybersecurity stack. While it’s not without its drawbacks, the benefits outweigh the challenges. Certificate-based authentication allows only approved users and devices to access your network while keeping unauthorized users and rogue devices locked out.
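The exchange described above (the user signs a server challenge with the private key, the server chains the certificate to a trusted CA and verifies the signature with the certificate's public key), as an added example that is not from the original post. It uses Go's standard library only; the CA name "Example Corp Root CA", the user "alice" and the helper names are placeholders constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort the demo on setup errors
	if err != nil {
		panic(err)
	}
	return v
}

// certTemplate builds a CA template (isCA) or a leaf template whose Extended
// Key Usage restricts it to client authentication.
func certTemplate(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl (binding its name to pub) with signer; nil parent = self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signChallenge (client): sign the server's nonce with the private key, which never leaves the device.
func signChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// authenticate (server): chain the certificate to a trusted CA, which rejects expired,
// unrelated and non-client certificates, then verify the nonce signature with its public key.
func authenticate(trusted *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("holder does not control the certified key: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// runDemo: the corporate CA issues alice's certificate, the server challenges her, then two failure cases.
func runDemo() (identity string, untrustedRejected, wrongKeyRejected bool, err error) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	aliceKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	otherKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // an unrelated party
	caCert := must(issue(certTemplate("Example Corp Root CA", 1, true), nil, &caKey.PublicKey, caKey))
	aliceCert := must(issue(certTemplate("alice", 2, false), caCert, &aliceKey.PublicKey, caKey))
	selfCert := must(issue(certTemplate("alice", 3, false), nil, &otherKey.PublicKey, otherKey))
	trusted := x509.NewCertPool() // the server trusts only the corporate CA
	trusted.AddCert(caCert)
	nonce := make([]byte, 32) // fresh per login, so a captured signature cannot be replayed
	must(rand.Read(nonce))
	sig := must(signChallenge(aliceKey, nonce))
	otherSig := must(signChallenge(otherKey, nonce))
	if identity, err = authenticate(trusted, aliceCert, nonce, sig); err != nil {
		return
	}
	// Case 1: a self-signed certificate naming "alice" that no trusted CA issued.
	_, e := authenticate(trusted, selfCert, nonce, otherSig)
	untrustedRejected = e != nil
	// Case 2: alice's genuine certificate, but a signature made with another key.
	_, e = authenticate(trusted, aliceCert, nonce, otherSig)
	wrongKeyRejected = e != nil
	return
}

func main() {
	id, c1, c2, err := runDemo()
	fmt.Println("identity:", id, "forged cert rejected:", c1, "wrong key rejected:", c2, "err:", err)
}
```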
The Benefits of Moving Your RADIUS Server to the Cloud

Remote Authentication Dial-In User Service (RADIUS) authenticates and authorizes users trying to access a network by sending client access requests to a RADIUS server. The requests are formatted with data such as the client’s password, username, port, and IP address, which are then checked against the database for matches. Leveraging RADIUS in your organization can strengthen your network security through centralized authentication and enhanced access controls. RADIUS servers can be very useful in many contexts, and a cloud-hosted RADIUS server can be used with WiFi access points and VPNs. By shifting to the cloud, RADIUS becomes more centralized within an organization’s core infrastructure.

The Advantages of Shifting a RADIUS Server to the Cloud:

Added Security Benefits: A RADIUS server gives room for unique user credentials, which mitigates the threat of hackers infiltrating a network or WiFi, since there is no shared password among several people.

Reduces the Hassle of Password Management: With unique credentials, a shared password does not need routine changing, since every person manages their own. This saves time for IT administrators and eliminates the need for users to routinely update passwords.

Benefits Enterprise Networks with Multiple IT Admins: With a RADIUS server, it is extremely easy to control who and what has access, and when. Only authorized users have access to sensitive information within a large organization’s network. VLAN segmentation through RADIUS attributes is a critical characteristic of RADIUS-driven networks.

Centralizes User and System Authentication: IT admins have only one contact point for managing users’ password management, authentication, and authorization.

Easy Integrations with Existing Infrastructure: Modern RADIUS servers can easily integrate with any IT infrastructure currently in place. This flexibility means that you can use cloud RADIUS with other infrastructure that you have already set up, a benefit that also applies to the traditional setup.

Easy Activation and Deactivation: Cloud RADIUS servers are typically handled by a third-party provider, which reduces the workload for resource-light IT teams: admins simply point their network to the cloud RADIUS endpoints for authentication.

Secure VPN Authentication: Not only does RADIUS authentication securely connect users to WiFi networks, but it also works with VPNs. This ensures that only authorized users can access your network through your company VPN.

Enables 802.1X: 802.1X uses the Extensible Authentication Protocol (EAP) for shifting authentication packets between two parties. EAP is highly versatile, making it easy to add to an existing infrastructure.

Cloud-based RADIUS servers can serve as a great authentication solution that provides immense benefits without the hassles of managing and maintaining on-prem hardware.
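An added example, not from the original post, of the Access-Request described above: the NAS packs User-Name, User-Password, NAS-IP-Address and NAS-Port into an RFC 2865 packet, and the server parses it back with bounds checks before looking the credentials up. The shared secret and the helper names are assumptions for the demo; the Request Authenticator must be 16 fresh random bytes per request (crypto/rand), which the caller supplies.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"net"
)

// RADIUS code and attribute types used here (RFC 2865).
const (
	codeAccessRequest = 1
	attrUserName      = 1
	attrUserPassword  = 2
	attrNASIPAddress  = 4
	attrNASPort       = 5
)

// passwordMask is the RFC 2865 section 5.2 transform shared by both sides: each
// 16-byte block is XORed with MD5(secret || previous ciphertext block), the first
// block using the Request Authenticator. It is reversible masking, not encryption.
func passwordMask(secret, authenticator, in []byte, hiding bool) []byte {
	out := make([]byte, len(in))
	prev := authenticator
	for i := 0; i < len(in); i += 16 {
		b := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = in[i+j] ^ b[j]
		}
		prev = out[i : i+16] // hiding chains on the ciphertext just produced...
		if !hiding {
			prev = in[i : i+16] // ...revealing chains on the ciphertext received
		}
	}
	return out
}

// hidePassword zero-pads the password to a 16-byte multiple and masks it.
func hidePassword(secret, authenticator, password []byte) []byte {
	padded := make([]byte, (len(password)/16+1)*16)
	copy(padded, password)
	return passwordMask(secret, authenticator, padded, true)
}

// revealPassword is the server side: check the length, unmask, strip the padding.
func revealPassword(secret, authenticator, hidden []byte) ([]byte, error) {
	if len(hidden) == 0 || len(hidden)%16 != 0 || len(hidden) > 128 {
		return nil, errors.New("User-Password must be 16-128 bytes and a multiple of 16")
	}
	return bytes.TrimRight(passwordMask(secret, authenticator, hidden, false), "\x00"), nil
}

// buildAccessRequest is the NAS (client) side; auth is the caller's fresh random
// 16-byte Request Authenticator, which also keys the password mask.
func buildAccessRequest(secret []byte, id byte, auth [16]byte, user, password string, nasIP net.IP, nasPort uint32) ([]byte, error) {
	port := make([]byte, 4)
	binary.BigEndian.PutUint32(port, nasPort)
	pkt := append([]byte{codeAccessRequest, id, 0, 0}, auth[:]...)
	for _, a := range []struct {
		t byte
		v []byte
	}{
		{attrUserName, []byte(user)},
		{attrUserPassword, hidePassword(secret, auth[:], []byte(password))},
		{attrNASIPAddress, nasIP.To4()},
		{attrNASPort, port},
	} {
		if len(a.v) == 0 || len(a.v) > 253 {
			return nil, errors.New("attribute value must be 1-253 bytes")
		}
		pkt = append(append(pkt, a.t, byte(len(a.v)+2)), a.v...)
	}
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt))) // Length covers the whole packet
	return pkt, nil
}

// parseAccessRequest is the server side: validate the header, walk the TLVs with
// bounds checks, and recover the credentials to look up in the user database.
func parseAccessRequest(secret, pkt []byte) (user, password string, err error) {
	if len(pkt) < 20 || pkt[0] != codeAccessRequest || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return "", "", errors.New("not a well-formed Access-Request")
	}
	auth := pkt[4:20]
	for rest := pkt[20:]; len(rest) > 0; rest = rest[rest[1]:] {
		if len(rest) < 2 || rest[1] < 2 || int(rest[1]) > len(rest) {
			return "", "", errors.New("malformed attribute")
		}
		switch typ, val := rest[0], rest[2:rest[1]]; typ {
		case attrUserName:
			user = string(val)
		case attrUserPassword:
			pw, e := revealPassword(secret, auth, val)
			if e != nil {
				return "", "", e
			}
			password = string(pw)
		}
	}
	return user, password, nil
}
```

Because User-Password is only masked with MD5 and the shared secret, anyone holding the secret can recover every password from captured traffic; that is why the secret must be long and random and why EAP over 802.1X, or a protected transport, is preferred where the NAS supports it.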
Simple Certificate Enrollment Protocol (SCEP): What It Is & Why Network Engineers Should Care About It

There are several factors to consider when distributing certificates to managed devices, making it a massive undertaking. These include public key infrastructure (PKI), integration, gateway setup, configuration settings, certificate enrollment, device authentication, and more. Thanks to the Simple Certificate Enrollment Protocol (SCEP), administrators can quickly and easily enroll all managed devices for client certificates without any action from the end user. Here we will discuss what exactly the Simple Certificate Enrollment Protocol (SCEP) is and why network engineers should care about it.

What Is the Simple Certificate Enrollment Protocol (SCEP)?

Digital certificate issuance in big enterprises is simplified, secured, and made scalable with an open-source protocol called the Simple Certificate Enrollment Protocol (SCEP). SCEP servers utilize this protocol to give users a one-time password (OTP) through an asynchronous, out-of-band (OOB) mechanism. After creating a key pair, the user submits the OTP and a certificate signing request to the SCEP server for verification and signature. As soon as the certificate is ready, the user may request it from the SCEP server and then install it. Digital certificate issuing was labor-intensive until the advent of SCEP and related protocols like the Certificate Management Protocol and Certificate Management over CMS. SCEP is widely used in big organizations since it is supported by products from major vendors like Microsoft and Cisco. After its creators left SCEP inactive in 2010, the project was dormant until it was revitalized in 2015. Apart from that, it is presently a draft that anybody may see as part of the work of the open-source community, the Internet Engineering Task Force (IETF).

Why Should Network Engineers Care About SCEP?

The public key infrastructure provides the most secure and user-friendly authentication and symmetric encryption solution for digital identities. Yet, the ambiguity and scale of certificate deployment for most businesses can challenge their already overworked network engineers. Manually deploying and maintaining certificates is tedious and error-prone. Whether an organization delivers a single certificate for a Wi-Fi router or holds several certificates across all networked devices and user identities, the whole process may take up to several hours. It leaves companies vulnerable to breaches, Man-in-the-Middle (MITM) attacks, and other forms of network disruption. Certificates managed manually are more likely to be lost, overlooked, or to expire without being replaced, putting businesses at high risk. Therefore, enterprises need an automated and well-organized certificate enrollment standard, the Simple Certificate Enrollment Protocol (SCEP), because of the many risks associated with administering PKI certificates manually.

The significant benefits of the Simple Certificate Enrollment Protocol (SCEP) include: hassle-free certificate issuing; ensuring that certificates are correctly issued and configured across various devices; a fully automated procedure for the issuance of certificates, which involves very little to no human participation; and a protocol that saves time, lowers operating expenses, and boosts productivity by enabling network engineers to concentrate on other duties rather than doing those chores themselves.

SCEP is a flexible solution that can meet all your network management requirements, since it is compatible with most devices and server operating systems. These include Windows, Apple iOS, macOS, and Linux, as well as directory systems such as Active Directory.
Adding Windows Domain Authentication Method

The most common endpoint OS Portnox CORE encounters is Windows as part of a domain. Portnox can authenticate Windows in various ways, even if it is in a workgroup. In this video you will learn how to configure a Windows domain authentication method and how to configure an authentication policy. In the Portnox CORE support portal you will find more information about Windows authentication options, such as fine-grained permissions for the authenticated end user, troubleshooting WMI issues, and more.
New Fingerprint Authentication Method & Policy

One of the unique authentication methods employed by Portnox CORE is the OS (Operating System) Fingerprint, also known as the OSFP authentication method. The value of OSFP is that during deployment you can create the fingerprint for YOUR devices, thereby making sure that if someone were to plug in a device similar to the type that you use, CORE would recognize that it is not one of yours and would block it from accessing the network. The process entails three steps: fingerprint the endpoint; add an authentication method based on that fingerprint; add the authentication method to the enterprise policies. It is recommended to authenticate the following types of endpoints via OSFP: VoIP phones, printers, different types of appliances, and any IP-based device that cannot be authenticated via Domain, Workgroup, SSH, or SNMP. Watch this video to learn more.
Adding SSH Authentication Method & Policy

The SSH authentication method is used to authenticate and authorize Linux-based devices, macOS, network equipment, and more. Watch this video to learn more.
Setting Up Hives

A hive is a group of network entities and components such as switches and access points. Hives are used for the graphical, hierarchical, and geographical representation of an organization. A hive can be used for setting user permissions (for example, allowing the branch IT manager to see only his own branch network environment, without visibility of other branches) and for setting up policies per location. Watch this video to learn more about setting up hives and hive policies.
Giving a Voucher – Temporary Exception

Defining exceptions is a reality in the implementation of NAC. Portnox allows defining a temporary exception with a click. The Voucher authentication method gives Portnox CORE admins the option of giving certain endpoints temporary access to the enterprise network. This is a convenient option when contractors and guests are expected to onboard. Watch this video to see how this is done in just a few clicks.
Defining a Resident Device with White Listing

Portnox offers a secure method of whitelisting devices. Sometimes a device does not have an IP address. Sometimes it has an IP address but is not reachable by any remote query. To cope with those situations, Portnox CORE has a unique authentication method of locking a device to a certain switch port / VLAN / switch / hive (group of switches). In the following movie the concept is demonstrated and explained.
Defining an Authorized Hub

Portnox identifies unauthorized hubs and switches in your network. Sometimes, though, you will need to authorize the use of such devices. In the following movie the concept is demonstrated and explained.
Defining Reactions – Enforcement Actions

Defining response actions is a very important step in securing the company network. Here the security administrators determine which specific actions will be taken for each type of event. “Events” include different scenarios, such as a rogue device connecting to the network, non-compliant devices connecting, or an authenticated device connecting via an unusual access layer. The response actions can be set to blocking a device from connecting to the network, quarantining or segmenting it to a specified part of the network, or running a script on a suspicious device. Please watch the following video to learn how to set up automated response actions.
Defining Alerts

CORE includes two methods for sending alerts to the IT staff: email and syslog. Email alerts are used to notify the Helpdesk, IT administrators, or security administrators of any event, such as the blocking of a rogue device or a non-compliant device. Please watch the following video to see how alerts are configured on CORE.
©2023 Portnox. All Rights Reserved.
