Secure access to computing resources has always been one of the core goals of computer security. And in modern cyber security, it remains one of the great challenges, especially as the traditional enterprise perimeter has dissolved into virtual and cloud infrastructure. Creating a proper level of secure access requires technologies such as strong authentication, authorization, encryption, and fine-grained access control. Adding to the challenge, these controls must be provided over any type of network in a variety of different settings. Implementing these controls can be difficult, but the results are worth the trouble: Reduced complexity, more granular controls, and higher levels of user satisfaction result from secure connectivity across networks with virtual borders. My friend Barry Field, CEO of Cryptzone, was kind enough to sit down with me recently, during my research for the 2017 TAG Cyber Security Annual (available for free download at https://www.tag-cyber.com/), to explain these concepts in more detail.
EA: Barry, you’ve referred in the past to secure access as requiring a ‘segment of one.’ What do you mean by this?
BF: Traditional network security tools typically allow end-users more access to the network than they actually need. In addition to allowing a user to see more than necessary, traditional access tools do not always limit users to what they can and cannot do. Secure access in today’s environments instead requires security platforms and tools that can check a user based on their context. This includes identity, device information, user location, network being used, and application sensitivity, driven by dynamic and easily configured policies. By limiting a user to the assets required to do his or her job, a so-called ‘segment of one’ is created. This ensures that businesses can control network access at a more fine-grained level, limiting users to only authorized resources, whether on-premises or in the cloud, and rendering everything else on the network invisible.
EA: Is there a way to check the integrity and security characteristics of an end-user device before it is permitted access to some resource?
BF: Yes, that is typically referred to as device context. Advanced authorization methods should include the ability to capture the posture and context of each session. For example, before allowing access, an enterprise may want to check whether the device has anti-virus software installed, what time of day it is, what the location of the device is, and other variables. These types of requirements are more and more often found in enterprise security policies.
EA: In your opinion, do you think enterprise CISO teams should be comfortable accessing public cloud assets for sensitive or critical business applications?
BF: We’ve seen tremendous uptake with organizations of all types and in all sectors moving applications to Amazon Web Services (AWS), Microsoft Azure, and other public cloud environments. The business value of using public cloud services is proven, and to not use it because of security concerns is a mistake. Using ‘segment of one’ granular access controls, such as from the Cryptzone team, businesses can use dynamic controls to secure their select IaaS environments.
EA: Enterprise CISOs today usually have to accept the existing architecture of their organization – and this is not always such a great set-up. If they want to construct a more secure virtual network on top of their existing network, what are the steps they must follow?
BF: CISOs need to consider using technologies that enable them to use the same access policies, whether they are trying to control third-party or employee access to a network-based application or one that’s in the AWS or other public cloud environment. These technologies should seamlessly control access on a per-user-session basis to significantly reduce the attack surface and enable secure. They should also ensure controlled access to privileged users and third-party organizations, regardless of whether those resources are located on-premises or in the cloud. These considerations should greatly assist the CISO team trying to construct a more secure virtual network.
EA: Most companies have come to accept stronger authentication as a requirement. Do you see one-time password use growing – and is the mobile device the preferred device?
BF: The continued widespread adoption of mobile devices will erode the use of on-premises PCs. And yes, we see one-time password use growing, as well as other multi-factor authentication choices, based on risk-driven policy decisions that you should be able to adjust on the fly. For instance, if an employee is trying to access a low-risk application hosted on-premises that they access at about the same time every day as a typical activity for their role, you may not want to invoke a multi-factor authentication sequence. If, however, that same employee appears to be accessing a more sensitive application at an abnormal time of day and from a different location, then by all means, the security teams should dynamically invoke one-time passwords or another multi-factor authentication method. Network security relies on dynamic controls to ensure secure access to the resources within your network. Utilizing solutions that provide this help will always reduce the potential damage that a determined cyber adversary may cause in the event of a breach.
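The context checks discussed above (role-scoped entitlements as a 'segment of one', device posture, location and time of day, application sensitivity, and risk-driven step-up to MFA) worked through as an added policy evaluator. This is illustrative code written for this page, not Cryptzone's product or anything from the interview; all users, applications, baselines and thresholds are constructed.

```python
from dataclasses import dataclass

# Role entitlements form each user's 'segment of one': an app absent from the
# role's map is unreachable, so it is invisible to that user (constructed data).
ENTITLEMENTS = {
    "engineer": {"wiki": "low", "git": "low", "prod-db": "high"},
    "contractor": {"wiki": "low"},
}

# Behavioural baseline per user: usual location and working hours (constructed).
BASELINE = {
    "alice": {"role": "engineer", "location": "US", "hours": range(8, 19)},
    "bob": {"role": "contractor", "location": "DE", "hours": range(9, 18)},
}


@dataclass
class Request:
    user: str
    app: str
    location: str
    hour: int             # local hour of the request, 0-23
    av_installed: bool    # device posture as reported by the endpoint agent
    device_managed: bool


def decide(req):
    """Return (decision, reasons); decision is 'deny', 'mfa' or 'allow'."""
    profile = BASELINE.get(req.user)
    if profile is None:
        return "deny", ["unknown user"]
    sensitivity = ENTITLEMENTS[profile["role"]].get(req.app)
    if sensitivity is None:
        return "deny", ["app outside the user's segment"]
    # Device context gate: fails closed no matter who the user is.
    if not (req.av_installed and req.device_managed):
        return "deny", ["device posture check failed"]
    anomalies = []
    if req.location != profile["location"]:
        anomalies.append("unusual location")
    if req.hour not in profile["hours"]:
        anomalies.append("unusual time of day")
    # Risk-driven step-up: a sensitive app tolerates no anomaly before MFA
    # is invoked; a low-risk app steps up only when several coincide.
    threshold = 1 if sensitivity == "high" else 2
    if len(anomalies) >= threshold:
        return "mfa", anomalies
    return "allow", anomalies
```

The deny branches fail closed in order (identity, entitlement, posture) before any risk scoring happens, so a user never learns about apps outside their segment by triggering an MFA prompt.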