In the ongoing Work from Home (WFH) evolution, the need to better secure employee endpoints has emerged as a main priority for CISOs. Many organizations have discovered what network and security professionals have long known: once the endpoint is outside the perimeter, its level of security is degraded.
This has become every organization's reality as employees’ home networks have become prime targets. Statistics show there are typically 10 or more unmanaged devices connecting to the average home Wi-Fi network, such as personal laptops, cellphones, gaming consoles, and home IoT devices.
A recent DarkReading survey asked infosec practitioners “which cybersecurity aspects of the COVID-19 crisis are most likely to increase risk?” Almost 40 percent of respondents ranked vulnerabilities in the remote access systems and processes that support remote workers as a top threat, another 38 percent said vulnerabilities in devices used by quarantined home workers to access enterprise data, and 24 percent cited vulnerabilities in service provider connections used by remote workers as major concerns.
Their concern is well justified, given both work-from-home imperatives and increasing regulatory and privacy pressures. Legacy services and methods have not effectively addressed network security and governance beyond the organization’s network perimeter, nor have they provided meaningful visibility and control over remote users and their connections.
The gap in today’s cybersecurity posture is a layer of isolation from the threats of remote and home “dirty” networks, and threat actors are increasingly exploiting that gap for targeted attacks. After gaining access through any device on a home Wi-Fi network, they seek to move laterally to and through their main target: the corporate devices and data.
Struggling to Secure
Lacking an effective, scalable way to monitor or enforce secure behavior, IT teams struggle with securing remote endpoints on networks they don’t own.
The Center for Internet Security (CIS) advises: “Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations’ security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying travelers are infected on a regular basis through remote exploitation while on public wireless networks found in airports and cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.”
CIS stresses a new approach: creating a separate wireless network for personal or untrusted devices. It notes that enterprise access from personal or untrusted devices and networks should be treated as untrusted, and filtered and audited accordingly.
The “Micro-Segment of One”
Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network. It enables network administrators to control the flow of traffic between subnets based on granular policies.
Endpoint micro-segmentation can be thought of as the most granular form of network segmentation: each endpoint sits on its own micro-segment of one, with a dedicated network security stack acting as a protected entry point to the enterprise endpoint and isolating it from other devices on the same network.
Take for example a branch office building's network of routers. The Network Admin manages perhaps 15 routers, one per floor. Each router connects a department or working group to the company’s network. If each router connects 10 desktops, laptops and cell phones, then 150 devices are connected via 15 network segments. But what happens when some of those 150 devices leave the office? Instead of connecting directly over untrusted Wi-Fi, endpoint micro-segmentation gives each device its own roaming security stack, travelling with the endpoint and protecting it regardless of where the employee connects from.
This means that each of those 150 endpoints in the wild is protected for the first time by an enterprise-class security stack (Wi-Fi security, eavesdropping/exploit protection, encrypted DNS, bidirectional firewall, IDS/IPS), all running locally. This architecture, pioneered by Byos, provides robust, advanced connectivity, manageability, and provable governance.
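To make the “micro-segment of one” concrete, here is an added illustrative model of the per-endpoint, bidirectional, stateful filter the paragraphs above describe. It is example code written for this page, not Byos code or any product’s actual rule set: the endpoint address, the home subnet, the corporate destination range and the six sample packets are all constructed values. The point it demonstrates is the isolation behaviour: traffic to and from peers on the same home Wi-Fi is refused, only policy-approved outbound destinations are reachable, inbound packets are accepted only as replies to flows the endpoint itself opened, and every refusal produces an alert record of the kind a central console could forward to a SIEM.

```python
"""Toy model of an endpoint 'micro-segment of one' (constructed example).

The endpoint carries its own stateful, bidirectional filter, so it is
isolated from other devices on the untrusted home LAN even though it
shares their subnet.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaves the endpoint, "in" = arrives at it
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class MicroSegment:
    """Per-endpoint policy: the endpoint's own roaming security stack."""
    endpoint_ip: str
    local_lan: str            # the untrusted home Wi-Fi subnet (assumed value)
    allowed_egress: list      # [(cidr, port)] destinations the endpoint may reach
    flows: set = field(default_factory=set)    # (remote_ip, remote_port) opened outbound
    alerts: list = field(default_factory=list) # denied events, for monitoring/alerting

    def _egress_permitted(self, dst: str, dport: int) -> bool:
        ip = ipaddress.ip_address(dst)
        return any(ip in ipaddress.ip_network(cidr) and dport == port
                   for cidr, port in self.allowed_egress)

    def evaluate(self, pkt: Packet) -> str:
        lan = ipaddress.ip_network(self.local_lan)
        if pkt.direction == "out":
            # Isolation from LAN peers: the endpoint never talks sideways.
            if ipaddress.ip_address(pkt.dst) in lan:
                self.alerts.append(f"lan-egress-blocked {pkt.dst}:{pkt.dport}")
                return "deny"
            if self._egress_permitted(pkt.dst, pkt.dport):
                self.flows.add((pkt.dst, pkt.dport))   # remember the flow for replies
                return "allow"
            self.alerts.append(f"egress-policy-violation {pkt.dst}:{pkt.dport}")
            return "deny"
        # Inbound: only replies to flows the endpoint opened are accepted.
        if (pkt.src, pkt.sport) in self.flows:
            return "allow"
        kind = "lan-probe" if ipaddress.ip_address(pkt.src) in lan else "unsolicited-inbound"
        self.alerts.append(f"{kind} {pkt.src}:{pkt.sport}->{pkt.dport}")
        return "deny"


def demo():
    """Run constructed sample traffic through one endpoint's segment."""
    seg = MicroSegment(
        endpoint_ip="192.168.1.50",
        local_lan="192.168.1.0/24",
        allowed_egress=[("203.0.113.0/24", 443)],  # assumed corporate gateway range
    )
    traffic = [
        Packet("out", "192.168.1.50", 51000, "203.0.113.10", 443),  # to corporate gateway
        Packet("in", "203.0.113.10", 443, "192.168.1.50", 51000),   # its reply
        Packet("in", "192.168.1.23", 40000, "192.168.1.50", 445),   # smart TV probing SMB
        Packet("out", "192.168.1.50", 51001, "192.168.1.23", 445),  # endpoint toward the TV
        Packet("out", "192.168.1.50", 51002, "198.51.100.7", 80),   # unapproved destination
        Packet("in", "198.51.100.7", 443, "192.168.1.50", 51003),   # unsolicited inbound
    ]
    decisions = [seg.evaluate(p) for p in traffic]
    return decisions, seg.alerts


if __name__ == "__main__":
    for line in zip(*demo()):
        print(line)
```

The flow table keyed on the remote address and port is what makes the filter bidirectional rather than a one-way egress list: the reply from the corporate gateway is admitted only because the endpoint initiated that connection, while an inbound packet from the same gateway on a port the endpoint never opened is refused like any other unsolicited traffic.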
Easing pain points
Because endpoint micro-segmentation is easily deployed thanks to the micro-gateway’s form factor, and the micro-gateways are easily and centrally provisioned and managed, the approach eases one of the big pain points of the great WFH migration. It brings Zero Trust security to the network’s actual perimeter: the individual’s edge device.
The employee’s device is physically isolated from their home Wi-Fi network and the potential threats that other devices on the home network might introduce. It provides:
Micro-Segmentation – zero trust access that cloaks the endpoint from other devices on their home Wi-Fi;
Plug & Play Implementation – supports both corporate and BYOD devices quickly and easily;
Zero Touch Deployment – deploys seamlessly without anything to install or configure on the network;
Secure Roaming – the µGateway stays with the mobile device, no matter where it goes or what network it connects from;
Direct Connections – no traffic backhauling or rerouting;
Cloud Managed – centralized policy enforcement, integration with SSO/IAM, SIEM resources, etc.
This approach affords IT full visibility and control over remote µGateway network connections, and dynamic policy pushing capabilities. It also supports granular network access control for users and devices, both privileged and non-privileged.
Most important, it allows for monitoring and real-time alerting of security incidents, enabling security-minded organizations to de-risk the Wi-Fi and untrusted-network-borne threats that have accompanied the shift to work-from-home and remote worker connectivity.
Stringent data and network security is fundamental to meeting new and evolving compliance requirements, and to protecting the organization’s overall security posture. Strong security starts at the architectural level, and the network-of-one approach addresses the foundational security needs that organizations now face.