Moving employees to a work-from-home model means your security infrastructure has to change quickly. Some recent breaches highlight the importance of cybersecurity.
TechRepublic's Karen Roby spoke with Peter Martini, president and co-founder of iBoss, about data breaches and the importance of cybersecurity architecture. The following is an edited transcript of their conversation.
Karen Roby: One of the bigger breaches that we've been talking and reading about involves Instacart. Instacart said that reused passwords were the problem for account hacks, and whatever may have led to it, unfortunately, personal data can get out there and into the wrong hands. Let's talk a little bit about some of these breaches: What you are seeing in general and why people should be concerned.
SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)
Peter Martini: What we're seeing is actually a lot of it has to do with the overnight shift for a lot of organizations to move to remote employees and distanced working. Most organizations prior to COVID-19 were already moving to a cloud adoption, cloud security model, moving their data to the cloud, moving their security to the cloud. There were some companies that were a lot more progressive and further along that path than others. When COVID hit, what we've seen and heard from a lot of our customers, a lot of the organizations we work with, they had to, overnight, figure out how do they go from a traditional security design which is a perimeter-type security where the castle mote you secure the corporate headquarters and that becomes your security edge, to "My data and my employees now no longer live inside the castle they're outside the castle, they're accessing my data outside the perimeter. And how do I actually shift to that security so it secures those mobile users and remote workforces?"
During that gap, you can imagine, it's a free-for-all for hackers. You now have employees who traditionally had access to sensitive information and were within the windows or the walls of the corporate office. They're now outside using public networks, public Wi-Fi, homes that were never designed or likely not designed to have enterprise-grade security, firewalls, etc., now are out there accessing corporate information. So, effectively they're exposed. These employees were out there and issues like they access VPNs, the VPNs connect them back to the corporate office to then get to their corporate cloud data that's sitting inside of Azure or AWS. So, you can see where it's somewhat of a hacker's dream. You have them exposed, and they're out there on their own. That is a huge shift that a lot of organizations were scrambling to fill that gap, that void.
Karen Roby: When we talk about cloud data infrastructure and being vulnerable, what do companies do? We don't know how long many of them will have their workers at home. How do they continue to build things up so they aren't as vulnerable?
Peter Martini: What's happening, and again this is pre-COVID, the fact that their data that once resided within the corporate headquarters had begun to move to the cloud, third-party clouds like Azure and AWS the traditional perimeter as I mentioned, really shifted from the company headquarters to the individual user. Now you have users that are accessing data that no longer is in corporate headquarters. It's now in the cloud, those users are now your new perimeter. So, securing a user and the device, not the perimeter, becomes important.
SEE: Navigating data privacy (free PDF) (TechRepublic)
This was all happening before COVID and then you also have new architectures out there like ZTNAs--zero trust network access--as well as what some analysts refer to as SASE, Secure Access Service Edge. And the thesis being if they're connecting to the cloud, any user from anywhere, the security edge needs to become that cloud not back-hauling to a corporate office through a VPN and then to the internet. By doing that, we can now shift security so that it's not about who has passwords to get into a privileged access area, it's do you have the password but also how you are accessing the data, where are you accessing it from, and who's accessing it? So, you add multiple layers to protect those employees. Even in a circumstance where their password was hacked, that hacker would then need to still have the company computer and be accessing it from an approved location. You start putting these layers into a zero-trust model, and it's really almost becoming a standard requirement for a remote workforce world.
Karen Roby: For so many companies to ramp things up and to pivot on a dime and having to beef up their infrastructure, not a lot of budgets are just ready for that increase.
Peter Martini: You're right, and especially in certain verticals where they've been hit the hardest with COVID, such as hospitality, etc. The budgets there become very difficult. What you'll find is while securing the individual users provides more security, it's actually a lot more efficient. The majority of customers, I would say well over 80%, find significant savings by shifting to that design. You no longer have to spend all this capex dollars in buying equipment, stacking it up at your office, setting it all up. I mean, that costs real dollars.
You now just shift to SaaS (software as a service). I mean, it's the Microsoft Office model, where I can host it, I can run it, I can manage it, but is it just a lot cheaper to say each individual employee is going to cost me X dollars per month to secure? It's a lot more efficient design. And the security edge providers take the burden of all the backend, the updates, the patches, etc. So, it creates a lot more efficient model than you would think, and it's actually one of the catalysts of why organizations were moving that way pre-COVID, anyhow.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)