The COVID pandemic has highlighted the challenges of ensuring security across an expanding enterprise network forced to support more and more remote workers, an ever-increasing diversity of devices, and frequent mobility. Praveen Jain, founder and CEO of cloud networking startup WiteSand, spoke with eSecurity Planet about the challenges of maximizing security in today’s environment, the value of a zero trust model – and three key questions to address to make sure you’re on the right track.
There’s an inherent weakness in the way security too often relies on a trust-but-verify model in which endpoints are given access to the network and are only quarantined when they’re determined to be infected, Jain, a former Cisco SVP and founder of Insieme Networks, told eSecurity Planet.
The problem with that approach is that malware can remain dormant on a user device for a long time before threat actors move laterally through a network – and most current methods that count on perimeter security won’t notice that traffic flow.
Employing a zero trust model instead, Jain said, ensures that endpoints only get network access post-authentication – and recognizes that most traffic will likely be to the Internet or a private data center, limiting lateral movement within the network via default deny policies (with exceptions for printers, conferencing, etc.). “There really is no reason laptops need to be able to talk to each other,” he said.
Network Security Grows in Complexity
Networking and security are far more complex today than they were even a decade ago, when trust-but-verify was sufficient. “The rise of remote work gave rise to the ‘borderless enterprise,’ one which is characterized by workers moving fluidly between home and office, and by the proliferation of devices – mobiles, laptops, tablets – used to conduct business,” Jain said. “The pandemic added fuel to the fire by accelerating the irreversible trend.”
Now that it’s no longer sufficient to enforce security only at infrastructure entry and exit points, security needs to be pervasive and based on zero trust, Jain said. “As the pandemic subsides and employees get back to work, the potential threats from unpatched laptops and new mobile devices acquired during the pandemic require increased focus on securing the campus and branch networks from propagating any zero-day attacks,” he said.
The answer, Jain said, is to deploy a series of security tools at various layers, with no implicit trust given to any device. “Each user or device – local or remote, wired or wireless – needs to be authenticated and authorized before granting access,” he said. “As a preventive measure, the ideal would be to block all unwanted communications among users and devices in the enterprise network so that, in the case of a zero-day attack, its lateral movement is limited.”
The pandemic has vividly demonstrated the power of isolation for preventing viral contagion, and the same is true for protecting enterprise networks. “Many organizations worry about implementing so-called isolation or microsegmentation in the existing network, as they have limited or no knowledge of communication patterns among devices and users to determine what is valid versus what is not,” Jain said. “In the spirit of an already working network, they often tend to leave it unaddressed.”
New security tools that allow running in monitoring mode first, then selectively blocking unwanted communications, can be an excellent way to address that gap, Jain said.
Jain – who has held positions in three startups acquired by Cisco (and former Cisco CEO John Chambers is now running Pensando Systems, an edge computing startup co-founded by Jain) – is now at the helm of WiteSand, which emerged from stealth mode in June with $12.5 million in seed funding and bills itself as the first “zero trust network as a service.” He talked with eSecurity Planet about what he sees as three important network security tests.
Three Network Security Tests
Jain suggests using the following three baseline tests to evaluate the security of an enterprise network:
- Can you ping one of your peers’ laptops from your laptop in the office? “There is a good chance that you can,” he said. “It’s worth asking why this communication is allowed. Is there really ever a need to log into other employees’ laptops? Why are laptops not isolated from other laptops? The problem of this open communication is that if one of the employee laptops is infected by a zero-day exploit, it may laterally propagate into other laptops.”
- Are your IoT and other devices properly segmented? “If your IoT camera is supposed to talk to an on-prem DVR to store the recordings, are these fully segmented to only allow that communication? If not, any attack on an IoT camera or DVR may spread laterally to other parts of the network.”
- Are any of your offices still using a pre-shared password to connect to corporate Wi-Fi? “You may think, ‘No way!’ but you will likely be surprised with the reality, unless you have deployed a network access control solution or equivalent that can authenticate employees to a trusted company identity source such as Active Directory. If you haven’t, you should know that an ex-employee can hop onto the corporate Wi-Fi network from the company parking lot.”
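The first two tests above, and the "monitor first, then selectively block" approach described earlier, come down to one thing: knowing which intra-campus communication patterns are legitimate and denying everything else. The following is an added example, not code from the article or from WiteSand. It models a default-deny segmentation policy with explicit exceptions (printers, conferencing, a camera pinned to its own DVR), runs it over constructed flow records in monitoring mode to surface what would be blocked, and then in enforcement mode. The inventory, addresses, ports and flow lines are all constructed for illustration; the `ALLOW` and `PINNED` structures are this example's own, not any product's policy format.

```python
"""Added example (not from the article or WiteSand): default-deny
microsegmentation evaluated first in monitoring mode, then enforced.
The inventory, policy and flow records below are constructed."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed device inventory: address -> role
INVENTORY = {
    "10.1.10.11": "laptop",
    "10.1.10.12": "laptop",
    "10.1.10.13": "laptop",
    "10.1.20.5": "printer",
    "10.1.30.7": "iot-camera",
    "10.1.30.8": "dvr",
    "10.1.40.2": "conferencing",
    "10.1.50.9": "dvr",  # a second DVR that the camera is NOT supposed to use
}

# Default deny: only these (src_role, dst_role, dst_port) triples are allowed
# between campus devices. Internet / data-center traffic is left to the
# perimeter and is reported as "external" rather than judged here.
ALLOW = {
    ("laptop", "printer", 9100),      # printing
    ("laptop", "conferencing", 443),  # meeting-room gear
    ("iot-camera", "dvr", 554),       # camera streams recordings to a DVR
}
# Exceptions can be pinned to specific peers: this camera may use only its DVR.
PINNED = {"10.1.30.7": {"10.1.30.8"}}

CAMPUS = ipaddress.ip_network("10.1.0.0/16")

# Constructed flow log lines: "src dst dport proto"
FLOWS = """10.1.10.11 10.1.20.5 9100 tcp
10.1.10.11 10.1.10.12 445 tcp
10.1.10.12 10.1.10.13 22 tcp
10.1.30.7 10.1.30.8 554 tcp
10.1.30.7 10.1.50.9 554 tcp
10.1.10.13 10.1.40.2 443 tcp
10.1.10.11 8.8.8.8 53 udp
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the constructed flow-log format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def role(addr):
    return INVENTORY.get(addr, "unknown")


def verdict(flow):
    """Return 'allow', 'deny' or 'external' for one flow under default deny."""
    if ipaddress.ip_address(flow.dst) not in CAMPUS:
        return "external"
    if (role(flow.src), role(flow.dst), flow.dport) not in ALLOW:
        return "deny"
    pinned = PINNED.get(flow.src)
    if pinned is not None and flow.dst not in pinned:
        return "deny"
    return "allow"


def monitor(flows):
    """Monitoring mode: block nothing, count what WOULD be blocked per role
    pair. This is the communication-pattern knowledge an organisation needs
    before it can safely switch segmentation on."""
    would_block = Counter()
    for f in flows:
        if verdict(f) == "deny":
            would_block[(role(f.src), role(f.dst))] += 1
    return would_block


def enforce(flows):
    """Enforcement mode: return the flows the policy drops."""
    return [f for f in flows if verdict(f) == "deny"]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("monitor mode, would block:", dict(monitor(flows)))
    for f in enforce(flows):
        print("dropped:", f)
```

In monitoring mode the output shows the two laptop-to-laptop flows (the "can you ping a peer's laptop" test) and the camera talking to a DVR other than its own; nothing else intra-campus is affected, which is exactly the evidence needed to move from monitoring to blocking without breaking a working network.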
Another way to maximize security in the face of current threats is to deploy a “network DVR” to record all authentication processes for all devices, making it possible to look back and see who was affected, when and where they were affected, and if anyone else was affected. “With all activity recorded – all employees, BYOD, guests, and IoT devices – a complete forensic record exists,” Jain said.
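To show what the "look back" over a network DVR of authentication events actually involves, here is an added example that is not code from the article or from WiteSand. It stores constructed authentication records (user, guest and IoT identities, device id, location, accept or reject) and answers the three questions raised above for a suspect device: where and when it authenticated, which other devices authenticated at the same location within a time window, and which attempts were rejected. The record format, the two-hour window and every value in `RECORD` are this example's own assumptions.

```python
"""Added example (not from the article or WiteSand): a minimal "network DVR"
of authentication events plus the look-back queries described in the text.
The record format and all events below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    at: datetime
    identity: str   # employee, guest or IoT device identity
    device: str     # device id (here a constructed MAC-style string)
    location: str   # access point or switch port where it authenticated
    result: str     # "accept" or "reject"


# Constructed records: timestamp,identity,device,location,result
RECORD = """2024-03-04T08:02:00,alice,aa:bb:cc:00:00:01,branch-2/ap-1,accept
2024-03-04T08:05:00,guest-17,aa:bb:cc:00:00:09,branch-2/ap-1,accept
2024-03-04T08:40:00,bob,aa:bb:cc:00:00:02,branch-2/ap-1,accept
2024-03-04T09:10:00,cam-lobby,aa:bb:cc:00:00:30,branch-2/sw-1/g0/4,accept
2024-03-04T11:00:00,alice,aa:bb:cc:00:00:01,hq/ap-3,accept
2024-03-04T11:20:00,ex-employee,aa:bb:cc:00:00:77,branch-2/ap-1,reject
2024-03-04T13:30:00,carol,aa:bb:cc:00:00:03,hq/ap-3,accept
"""


def parse_record(text):
    """Parse the constructed CSV-style record into AuthEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, device, location, result = line.split(",")
        events.append(AuthEvent(datetime.fromisoformat(ts), identity,
                                device, location, result))
    return events


def sessions_of(events, device):
    """Where and when did this device authenticate successfully?"""
    return [e for e in events if e.device == device and e.result == "accept"]


def co_located(events, device, window=timedelta(hours=2)):
    """Which other devices authenticated at the same location within `window`
    of the suspect device's sessions? Answers "was anyone else affected".
    Returns sorted (identity, device, location) tuples, de-duplicated."""
    found = set()
    for s in sessions_of(events, device):
        for e in events:
            if e.device == device or e.result != "accept":
                continue
            if e.location == s.location and abs(e.at - s.at) <= window:
                found.add((e.identity, e.device, e.location))
    return sorted(found)


def rejected(events):
    """Failed attempts are part of the record too; a rejected ex-employee
    identity is what the pre-shared-password test is about."""
    return [e for e in events if e.result == "reject"]


if __name__ == "__main__":
    events = parse_record(RECORD)
    suspect = "aa:bb:cc:00:00:01"
    for s in sessions_of(events, suspect):
        print("session:", s.at.isoformat(), s.location)
    for who in co_located(events, suspect):
        print("co-located:", who)
    for r in rejected(events):
        print("rejected:", r.at.isoformat(), r.identity, r.location)
```

Run stand-alone it lists the suspect device's two sessions, flags the guest and the second employee who authenticated on the same branch access point within two hours of the first session (the HQ session has no neighbour inside the window), and shows the rejected attempt separately.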
Ultimately, Jain said, the goal should be to move away from manual configuration, working towards 360-degree visibility of the network to ensure consistent policies across all devices and locations.
Further reading: Zero Trust Can’t Protect Everything. Here’s What You Need to Watch.