Over the last nine months, we’ve seen unprecedented growth in the number of corporate employees working away from the office. Many rely on VPNs for connectivity; IT Security and Network Ops teams trust those Virtual Private Networks, together with the cadre of external and internal firewalls grouped around the concentrator, typically inside a conventional perimeter network.

VPNs have served us well until now. But VPNs represent a huge and popular attack surface, and they are complex and expensive to implement and manage in dynamic environments. Vulnerabilities in VPNs are exploited by hackers within hours of disclosure. Malware gets planted on concentrators as part of APT (advanced persistent threat) campaigns with the goal of stealing sensitive data. We’re not telling you anything you don’t already know.

Comcast Business, a prominent telecommunications company serving thousands of large and small businesses, launched a campaign promoting its emphasis on security. It sponsored an IDG report titled Shifting Cybersecurity to Support the Expanded Remote Workforce, explaining that the increase in remote workers is resulting in an increase in threats from outside the corporate network. Phishing attacks, using email, plant malware inside the network. Identities are stolen, and spoofing penetrates corporate networks with the goal of stealing data or money.

Business Email Compromise, or BEC, is a common method used to acquire the publicly available email accounts of executives. With the stolen credentials, fraudsters impersonate CEOs or other executives and initiate elaborate plans to exfiltrate data or perform fraudulent wire transfers, siphoning funds to private accounts.

Email platforms have new features to enlist users in detecting phishing. When a user reports phishing from their Outlook ribbon, for example, Security Operations is alerted and a workflow is kicked off to ring-fence the perpetrator. In the meantime, the VPN, with little knowledge of which users are authorized to access which services, is wide open to the attacker. With a little luck, Security might be able to ring-fence the phishing attack in several hours; more likely it will be days or weeks. Regardless, the business is disrupted and the expensive, time-consuming clean-up begins. Does it really have to be this way?

No. Security practitioners are beginning to understand that services, especially in the cloud, can be protected by selectively replacing VPNs with software defined perimeters (SDP). The deny-all, authenticate-first architecture of the SDP is like having a private application VPN – but without the vulnerabilities. Unauthorized users trying to access services or data are denied by a software gateway in front of the application or service. The SDP gateway denies access to imposters attempting access without a valid SPA (single packet authorization) packet, dynamically enforcing policy.

SDP – the Future

Zero Trust models and SDP (software defined perimeter) can hide applications and services from attackers. The Waverley SDP prevents access by attackers using stolen credentials with a powerful combination of SPA packets and the software gateway, orchestrated to automatically drop packets in real time. Waverley believes that SDP will make BEC more difficult by quickly denying access when credentials have been compromised.
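To make the deny-all, authenticate-first behaviour described above concrete, here is a small gateway model written for this post; it is an added example, not Waverley Labs' code or the OpenSDP implementation. It assumes a constructed shared-key store and policy table, an HMAC-SHA256 tag over a JSON body as the SPA packet format, and in-memory allow windows in place of the firewall rules a real gateway would program. The names `SdpGateway`, `build_spa_packet` and `demo`, the client `alice`, the attacker `mallory`, the service names and all IP addresses are constructed for the example. It shows what the paragraph claims in working code: a connection with no SPA is denied by default, forged, stale, replayed and relayed SPA packets are silently dropped, policy is enforced per identity and service, and revoking a compromised credential both refuses new knocks and closes the window it had already opened.

```python
import hashlib
import hmac
import json
import secrets
import time

SPA_TTL_SECONDS = 30        # a SPA packet older than this is ignored
ACCESS_WINDOW_SECONDS = 60  # an accepted SPA opens the service for this long


def build_spa_packet(client_id, key, src_ip, service, now=None, nonce=None):
    """Client side: HMAC-SHA256 over a small JSON body (who, from where, for what)."""
    body = {"client_id": client_id, "src_ip": src_ip, "service": service,
            "ts": int(now if now is not None else time.time()),
            "nonce": nonce or secrets.token_hex(8)}
    body_bytes = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body_bytes, hashlib.sha256).hexdigest().encode()
    return body_bytes + b"." + tag


class SdpGateway:
    """Gateway side: default deny; a service opens to a source only after a valid SPA."""

    def __init__(self, keys, policy):
        self.keys = keys        # client_id -> shared SPA key (constructed key store)
        self.policy = policy    # client_id -> set of services that identity may reach
        self.revoked = set()
        self.seen_nonces = {}   # nonce -> expiry, for replay detection
        self.allowed = {}       # (src_ip, service) -> (expiry, client_id)

    def revoke(self, client_id):
        """Credential reported compromised: refuse it and close any window it opened."""
        self.revoked.add(client_id)
        self.allowed = {k: v for k, v in self.allowed.items() if v[1] != client_id}

    def process_spa(self, packet, observed_src_ip, now):
        """Return 'accepted' or 'dropped:<reason>'; a drop sends nothing back."""
        try:
            body_bytes, tag = packet.rsplit(b".", 1)
            body = json.loads(body_bytes)
            client_id = body["client_id"]
        except (ValueError, KeyError, TypeError):
            return "dropped:malformed"
        key = self.keys.get(client_id)
        if key is None or client_id in self.revoked:
            return "dropped:unknown-or-revoked"
        expected = hmac.new(key, body_bytes, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return "dropped:bad-hmac"
        if abs(now - body["ts"]) > SPA_TTL_SECONDS:
            return "dropped:stale"
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        if body["nonce"] in self.seen_nonces:
            return "dropped:replay"
        self.seen_nonces[body["nonce"]] = body["ts"] + 2 * SPA_TTL_SECONDS
        if body["src_ip"] != observed_src_ip:        # captured packet sent from elsewhere
            return "dropped:src-mismatch"
        if body["service"] not in self.policy.get(client_id, set()):
            return "dropped:policy"
        self.allowed[(observed_src_ip, body["service"])] = (now + ACCESS_WINDOW_SECONDS, client_id)
        return "accepted"

    def is_connection_allowed(self, src_ip, service, now):
        """What the packet filter consults for each new connection to a protected service."""
        entry = self.allowed.get((src_ip, service))
        if entry is None or now > entry[0]:
            self.allowed.pop((src_ip, service), None)
            return False
        return True


def demo():
    """Constructed scenario: one authorized user plus an attacker who replays and forges."""
    key = b"constructed-shared-secret-for-alice"
    gw = SdpGateway(keys={"alice": key}, policy={"alice": {"erp-web"}})
    t0, alice, mallory = 1_700_000_000.0, "198.51.100.7", "203.0.113.9"

    def knock(src, svc, at, k=key):
        return build_spa_packet("alice", k, src, svc, now=at)

    r = {}
    r["no_spa"] = gw.is_connection_allowed(mallory, "erp-web", t0)           # default deny
    first = knock(alice, "erp-web", t0)
    r["valid"] = gw.process_spa(first, alice, t0)
    r["after_valid"] = gw.is_connection_allowed(alice, "erp-web", t0 + 5)
    r["replay"] = gw.process_spa(first, mallory, t0 + 6)                    # captured copy
    r["forged"] = gw.process_spa(knock(mallory, "erp-web", t0, b"guess"), mallory, t0)
    r["stale"] = gw.process_spa(knock(alice, "erp-web", t0 - 120), alice, t0)
    r["policy"] = gw.process_spa(knock(alice, "hr-db", t0), alice, t0)
    r["relayed"] = gw.process_spa(knock(alice, "erp-web", t0), mallory, t0)
    r["window_expired"] = gw.is_connection_allowed(alice, "erp-web", t0 + 61)
    r["reknock"] = gw.process_spa(knock(alice, "erp-web", t0 + 70), alice, t0 + 70)
    gw.revoke("alice")                                                      # credentials stolen
    r["after_revoke"] = gw.is_connection_allowed(alice, "erp-web", t0 + 71)
    r["revoked_knock"] = gw.process_spa(knock(alice, "erp-web", t0 + 72), alice, t0 + 72)
    return r
```

In a deployment the `allowed` table would instead be a short-lived accept rule in the host packet filter, the gateway would listen for SPA on a UDP port that never answers, and `revoke` would be wired to the same workflow that fires when a user reports phishing, so the window closes as soon as the credential is known to be compromised rather than days later.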

Another advantage of the Waverley Labs SDP is that it integrates into CI/CD, embedded in OpenShift for example, ensuring that access and authorization policies are built into the application or service and instantiated at run time. Did you know that an SDP with an efficient design scales, reduces or eliminates operational overhead, and automatically drops connections in real time if unauthorized users, compromised devices or rogue services are detected?

Let me know what you think. Leave me a comment or reach out to me via LinkedIn to connect and have a discussion.

Also, for more info, check out the white paper on Waverley Labs’ deployment of SDP to support a Zero Trust strategy, documented in new CSA research that I co-authored. Titled Software Defined Perimeter (SDP) and Zero Trust, the paper evaluates the use of SDP and illustrates how a Zero Trust implementation using SDP enables organizations to defend against new variations of old attack methods that are constantly surfacing in perimeter-centric networking models.
