Tips and Best Practices for Network Security in the Connected Enterprise

Despite the best collective efforts of the global IT community, cybercriminals are still making their way into what many believe are secure networks. Experts now predict cybercrime damages will reach $6 trillion by 2021. And a single breach these days can cost an average business as much as $4 million, not counting the immeasurable damage from losing the trust of their customers and partners.

The simple fact is that when it comes to IT security, our businesses, organizations and government agencies remain outmatched by hackers who are becoming bolder and more sophisticated. This challenge is enhanced as the WAN evolves to connect people, places and things everywhere.

Even while the network security industry introduces more effective detection and defense solutions, the traditional fixed perimeter-based approach to network security is quickly becoming obsolete. More people and things are living outside these walls, and the walls built around data centers and branch offices are often penetrated from within by employees using unsecure personal devices and shadow IT deployments, such as unsanctioned file-sharing clouds.

The New WAN Landscape

“Work” is no longer a place you go to. It’s something you can do from anywhere. IDC predicts by 2020, 75 percent of all people will work entirely or partly in a mobile environment. And as a result, our security models will no longer be able to secure just a fixed place. ​The very concept of fixed locations, such as a branch or storefront, is also changing as businesses implement more pop-up kiosks and other forms of mobile points of commerce for their business.

This new WAN landscape demands an elastic edge. Unlike the fixed edge that relies on physical security and static security infrastructure, the elastic edge encompasses endpoints of people, mobile and connected devices and even vehicles that are in the field, deployed within third-party environments, and on the move. This new elastic edge creates a new range of security risks and challenges.

A Flood of IoT Devices

IT departments familiar with desktops, laptops and traditional network devices are now forced to contend with billions of IoT devices being added to their networks. It’s estimated that more than 23 billion enterprise IoT devices are installed around the world. Often, IT is not even aware these devices are being added to their networks, whether it’s a badge reader on a front door, IP cameras in the lobby or medical devices on patients.

Because many IoT devices have been developed for the consumer market or by companies with limited security experience, they introduce a new set of vulnerabilities that defy traditional security solutions and practices.

And of course, cybercriminals are quick to exploit these new vulnerabilities as an intrusion point where they can introduce malware or initiate denial of service attacks. Gartner predicts that by 2020, more than 25 percent of cyber attacks will involve IoT.

Network Within a Network

When you walk into just about any big-box retailer or convenience store, you’ll often find several other companies that have deployed their small footprint “store within a store”—all sharing the same network. It’s not uncommon to find a bank, tax preparation service, rental car company or video rental kiosk all within the confines of the store. Sharing the store’s LAN and WAN infrastructure adds considerable configuration complexity when VLAN-based segmentation is used to keep the tenants apart, and it increases the likelihood that a breach of any one of these businesses’ IT systems can facilitate “east-west” movement by the intruder.

4G LTE Connects and Protects

It’s easy to understand how 4G LTE is becoming more pervasive within the connected enterprise as the volume and variety of endpoints connecting people, places and things steadily increases. However, the role that LTE can play in network security is less understood. First, LTE can be used in-building as a parallel network for connecting third-party kiosks and devices. It provides both physical and logical segmentation and is much easier to configure and deploy. Second, LTE has built-in private network capabilities, called access point names (APNs), that allow the deployment of end-to-end private networks with enhanced authentication and private IP address space. Additionally, for LTE-connected endpoints, such as IoT devices, software-defined perimeter (SDP) technology can be utilized to provide a “virtual APN” to segment and secure internet-bound traffic.

Best Practices and Recommendations

As our security efforts evolve from the fixed edge to the elastic edge, we can keep our networks safe with a combination of traditional and new measures, including:

  • Education–It never hurts to partner with HR to conduct training on network security as an ongoing development requirement. Beyond the continued reminders about not clicking unknown links or accepting LinkedIn invitations over email, administrators should hold regular discussions with employees whenever a major breach occurs somewhere. They can use this time to explain the latest techniques cybercriminals are using to gain access to networks and the damage they’re causing.
  • Automate configuration management and firmware updates–Automation mitigates the risk of platforms being left with configuration mistakes or open to known vulnerabilities.
  • Regular security assessments–As part of the education process, IT can create simulated events so employees can see first-hand how phishing attacks occur, and recruit their help to identify potential vulnerabilities.
  • Two-factor authentication–If someone is trying to access your resources from Ukraine and you don’t have people there, it’s reasonably safe to assume it’s an unauthorized request.
  • Parallel networks–4G LTE provides an easy and secure way to support store-within-a-store deployments. It provides inherent segmentation—both physically and logically—and eliminates the possibility of east-west attacks.
  • Physically lock down routers and access points–It’s not difficult for someone to physically access your network routers to install credit card skimmers. Remove that temptation with a lock and key.
  • Use out-of-band remote access controls–When administrators need entry points to make changes to something such as a remote IP camera, hackers can take advantage of an open firewall port to set up long-term, gradual incursions that are small enough and infrequent enough to avoid detection. Use out-of-band methods where possible for remote access rather than opening up your firewalls to inbound network attacks.
  • Blended on-premises and cloud-based security measures–Combining onsite with cloud-based solutions provides administrators the ability to be virtually anywhere and everywhere, which is extremely difficult if you’re managing support for hundreds of remote locations and thousands of kiosks. Cloud-based solutions facilitate large-scale configuration changes, managing remote routers and quickly rolling out firmware updates. They can also provide software-defined perimeters to create a separate network overlay that places IoT devices on different networks to prevent hackers from using them to access the primary network.
  • Adopt a Zero Trust culture: Authenticate first, connect second, segment everything–Traditionally, devices have first connected to a network before being authenticated. Now, with a huge volume of potentially vulnerable IoT devices, organizations are improving network security by authenticating devices before they connect to the network. Adding a software-defined perimeter (SDP) will hide connections from the publicly visible internet, significantly reducing the available attack surface. Each new device and user is then authenticated before being given access to the application layer. This approach is effective against most network attacks, including DDoS, man-in-the-middle, east-west traversal and advanced persistent threats.
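To make the “authenticate first, connect second, segment everything” rule and the store-within-a-store east-west problem concrete, here is a small policy check written for this article (it is an added example, not Cradlepoint code or any SDP product’s API). The tenant names, application names and enrolment keys are constructed; a real controller would provision keys during device onboarding.

```python
import hmac
import hashlib

# Constructed sample data: each third-party tenant sharing the store's network
# gets its own segment and its own enrolment key (fixed here for the example).
TENANT_KEYS = {
    "bank-kiosk": b"constructed-key-bank",
    "rental-car-desk": b"constructed-key-rental",
    "store-pos": b"constructed-key-store",
}
# Which tenant (segment) owns which application. Cross-tenant access is never allowed.
APP_SEGMENT = {
    "bank-core-api": "bank-kiosk",
    "reservations": "rental-car-desk",
    "pos-backend": "store-pos",
}

def issue_token(device_id: str, tenant: str) -> str:
    """Enrolment step: the controller signs (device, tenant) with that tenant's key."""
    msg = f"{device_id}|{tenant}".encode()
    mac = hmac.new(TENANT_KEYS[tenant], msg, hashlib.sha256).hexdigest()
    return f"{device_id}|{tenant}|{mac}"

def authenticate(token: str):
    """Return (device_id, tenant) for a valid token, else None.
    Nothing is routed until this succeeds: authenticate first, connect second."""
    try:
        device_id, tenant, mac = token.split("|")
    except ValueError:
        return None
    key = TENANT_KEYS.get(tenant)
    if key is None:
        return None
    expected = hmac.new(key, f"{device_id}|{tenant}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return device_id, tenant

def authorize(token: str, app: str, audit: list) -> bool:
    """Allow a connection only to an application inside the caller's own segment.
    Denied attempts are recorded so east-west probing shows up in the audit log."""
    identity = authenticate(token)
    if identity is None:
        audit.append(f"DENY unauthenticated -> {app}")
        return False
    device_id, tenant = identity
    if APP_SEGMENT.get(app) != tenant:
        audit.append(f"DENY east-west {device_id}@{tenant} -> {app}")
        return False
    audit.append(f"ALLOW {device_id}@{tenant} -> {app}")
    return True
```

A bank kiosk with a valid token reaches the bank API; the same kiosk asking for the store’s POS backend, or a device presenting a forged token, is refused and logged before any path is opened.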

As we move into the era of the connected enterprise and the need for more agile and pervasive networks, we need to recommit to tried and true security practices while adopting new approaches that leverage wireless, software-defined and cloud technologies.

Todd Kelly

Todd Kelly is the Chief Security Officer at Cradlepoint, where he works with customers, executive management, and cross-functional teams to optimize customer success. Todd is an experienced go-to market leader whose experience spans from startups through IPO and Fortune 500 companies.
