Risky Business: Mitigating Secure Access Pitfalls that Threaten Your Company

By Haseeb Budhani, CEO and co-founder, Soha Systems

2015 was fraught with high profile security breaches and highlights that no industry or organization is immune from attack. We have seen significant breaches in government (Office of Personnel Management), healthcare (Anthem and UCLA health), retailers (CVS) and telecom organizations (T-Mobile). Not even toy vendors are safe. VTech revealed that 5 million customers accounts in three-dozen countries were hacked, exposing personal data, chat logs and photographs of children who use its Internet-connected toys. With many experts expecting more of the same in 2016, why are these hacks increasing in scope and severity and what should enterprise security teams do to minimize their exposure?

Today’s cloud-based, mobile-centric, global ecosystem world – in which organizations need to provide employees, contractors, vendors and other partners access to corporate applications regardless of where they’re physically located – could be partly to blame. With many organizations using antiquated security technologies and management approaches to combat today’s threats, here are three things your organization should be doing to minimize your risk profile:

1. Provide secure access to applications, not the whole network

Most people think virtual private networks (VPNs) provide a secure way for remote users to get to the applications they need. After all, VPNs have been an enterprise standard for over 20 years and it’s hard to find an organization that does not employ them. But guess what, VPNs are not as secure as you think. Their biggest problem is they usually give devices and users full, network-wide access. In most cases, employees need access to just a few applications. Third party users, e.g. contractors, usually just need access to a single application. Unless properly managed and configured, a VPN will give users access to the network, compute and application infrastructure far beyond what they need, putting the organization at greater risk. Why give users overly broad, network-wide access via VPNs, when they really only need application access?

2. For every firewall port you open, shut another one down

When experts talk about the porous, swiss-cheese nature of the enterprise perimeter, they are predominantly talking about the large number of ports opened (or holes punched) in the firewall. Since any firewall hole is a potential security risk, the fewer, the better. The norm, however, is that over time, more and more firewall ports are opened to accommodate users. But these holes don’t get closed at the same rate they are opened. Why? IT security team members come and go. Record keeping is sometimes sparse. Projects linger. And it’s just easier to leave things in place rather than change them because we aren’t certain what will happen if we shut down certain ports or whom it might impact. Clearly it’s too simplistic a concept to simply shut down a firewall port for every one that is opened, but it is clear that a different strategy and approach to managing inbound traffic is required.

3. Weak user credentials compromising application infrastructure

The days of presuming a unique username and password are sufficient for securely authenticating users are over. This is especially true for remote users, as they should all be treated as “untrusted users.” Multi-factor authentication (MFA) has proven to be a reliable, user-friendly way of providing a second layer of security to applications, and has proven to be a great solution for enforcing a stronger set of credentials. MFA decreases the risk of unauthorized users accessing applications by asking for a unique PIN code when a user attempts to access an application. The code may be received by the user through an SMS, an email, or other means. MFA is being adopted for corporate apps hosted in data centers and hybrid clouds, as forward looking vendors have made the MFA-to-Application integrations seamless.

4. Disruption need not be feared

The skyrocketing numbers of data breaches impacting enterprises of all sizes makes it imperative for organizations to take their network security to a higher level. To effectively minimize breaches, organizations must think and act differently, and adopt disruptive technologies. Enterprises must reexamine how they are protecting their perimeter, how they are enabling user application access and how to apply additional security layers. By doing so, organizations will find themselves better prepared to prevent malicious hackers and disgruntled employees from penetrating and compromising their application infrastructure.

Haseeb Budhani is CEO and co-founder Soha Systems, which delivers enterprise secure access as a service for data centers and hybrid cloud environments. An experienced software engineer and executive, Budhani previously served chief product officer for Infineta Systems. Earlier in his career, he held senior management roles with NET’s Broadband Technology Group, Personal IT, Citrix Systems, Orbital Data, IP Infusion and Oblix..