The Future of Network Security: Identity, Segmentation & Securing the Edge

What it takes to properly secure corporate networks in the world of remote work, BYOD & IoT

The workplace has changed thanks to COVID-19. Many of us continue to spend most, if not all, of our workdays at home, juggling Zoom meetings, kids, pets, relationships, cooking, cleaning…you name it. Since at least February 2020, organizations around the world have altered the way they operate – encouraging their employees to stay home, stay safe, but stay available.

On top of the immediate operational challenges that companies faced when shifting to full or hybrid work environments, the rise of remote work in response to COVID-19 has pushed a number of network security shortcomings to the surface. In response, cybersecurity vendors and IT professionals have accelerated the development of and search for solutions to fill these network security gaps.

As we return to the office and arrive in a post-COVID-19 world, these areas will dominate the evolutionary direction of corporate network security…

The Role of Identity

As people, we represent the weakest link in the network security armor. While we may wish we were infallible, we’re really full of bad cybersecurity habits, like weak passwords, forgetting to back up data, or clicking on hyperlinks in emails from strangers. Our identities, however, can also be our strongest means of securing networks. The rise of multi-factor authentication (MFA) and identity and access management (IAM) tools is allowing organizations to verify employee identity and authenticate their access to the network in real time, no matter the employee’s location or whether they’re attempting to connect with a managed or personal (BYOD) device.

Network Segmentation

Segmenting the network is a cybersecurity best practice. Period. For many companies, this practice is even a regulatory requirement (e.g., under the Payment Card Industry Data Security Standard (PCI DSS)). Network segmentation is simply a means of dividing up a network into smaller parts, ensuring that people have access only to the parts of the network that are relevant to them. It is a measure that improves the effectiveness of an organization’s investments in other security tools, and can help to prevent significant damage to critical data across the network after a company has experienced a breach.

Securing the Edge

Gartner introduced secure access service edge (SASE) a few years ago. It represents a new enterprise networking technology category that converges the functions of network and security solutions into a single, unified cloud service. This marks an architectural transformation, as it allows IT teams to deliver a holistic and flexible service to their businesses. Critical to this budding area is network access control (NAC). Specifically, moving NAC to the cloud eliminates expensive on-site hardware and hidden maintenance costs. With cloud NAC, like Portnox CLEAR, all that’s needed to control network access across a geographically dispersed network is an internet connection.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Healthcare Provider Moves from Aruba ClearPass to Portnox CLEAR

AbsoluteCare is a fast-growing regional integrated healthcare provider headquartered in Baltimore, Maryland, with facilities up and down the East Coast, including Atlanta, Philadelphia, and Washington, DC. Since 2000, AbsoluteCare has provided medical assessment and treatment to tens of thousands of people through its “wrap-around” care model.

“Several years ago, as the company continued to grow, many of our customers, including companies like Anthem and BlueCross BlueShield said we needed to be HITRUST certified in order to work with them,” said Chris Becker, AbsoluteCare’s National IT Director. As part of that journey towards HITRUST certification, Becker and his team discovered that they would need to implement a network access control (NAC) solution.

“At that time, we looked at HP Aruba ClearPass and Cisco ISE, and decided to go with Aruba,” Becker continued. “We spent quite a bit of money to get it implemented – relying on outside consultants to get it up and running and conduct training – it’s a rather large application. We ultimately used it minimally because much of the functionality was overly complex.”

In general, the company utilizes managed corporate devices across its workforce, specifically Dell laptops running Windows X, as well as a number of iPads and iPhones. “We have a small population of BYOD, but we don’t encourage it – it’s just more work to manage the compliance of those devices with the limited internal IT resources we have,” Becker stated.

Migration Challenges

In the summer of 2020, AbsoluteCare found itself in a bind during a datacenter migration. “We decided to move our Aruba servers from one datacenter to another, and we found out – oh my gosh – this is going to cost us like $30,000 just to move it,” continued Becker. The hidden costs didn’t end with just the migration, however. Becker and his team realized they would have to incur more fees to upgrade ClearPass because the version was nearly three years old.

“We saw dollar signs. Lots of dollar signs. Not only that, but ClearPass really didn’t grow with us – you almost have to be an HP Aruba expert to really make the solution work for you the way you need it to,” Becker recalled.

Headed in a Different Direction

To avoid paying staggering professional services fees for the expertise needed to execute the ClearPass server transfer, Becker and his team opted to go out in search for a new NAC solution that would eliminate these hidden costs and provide a lightweight, flexible option for network access control.

“We definitely wanted cloud. We’re fans of cloud – both private and public,” Becker indicated. “Portnox CLEAR definitely fit the core requirement to act as our NAC solution, but it also offered other benefits through its optional agent that made it the clear winner for us.”

Out With the Old, In With the New

AbsoluteCare was able to swiftly roll out Portnox CLEAR with its AgentP add-on, allowing Becker and his team to leverage the platform’s on-or-off network endpoint risk posture assessment and automatic device remediation capabilities for users on its wired and wireless networks.

“This is one of the things I really liked about Portnox,” said Becker. “When we initially got access to the environment to conduct our proof of concept, we set up our account and then set a meeting for a week out to assess where we were and what we still needed to do. Well, my systems admin basically got everything configured in a few days all on his own.”

For AbsoluteCare, Portnox CLEAR’s ease of use was a major selling point. “I mean, coming off of something like ClearPass, where you basically need to be a systems engineer to figure it out – Portnox CLEAR was just a piece of cake,” Becker reveled…

Go hack yourself: How to thwart network hacks by cybercriminals, like Iran’s state-sponsored Pay2Key attacks

Whether motivated by geopolitical power, personal gain, or mere curiosity, cybercriminals are currently enjoying a renaissance. Like drifting bandits in the once-lawless American West, hackers are striking corporations and individuals with relative impunity. There’s no shortage of incidents to point to; the spate of Pay2Key ransomware attacks on Israeli companies at the end of 2020 by state-sanctioned Iranian hackers serves as a recent example of such activities.

What we know today is that social engineering, email phishing, unpatched firewalls, password stuffing, malware and ransomware make up the bulk of these attacks. And it goes without saying: leaked data can be costly. Today the average cost of a data breach is nearly $4 million. Larger corporations aren’t the only targets. Nearly half of all network breaches target small businesses that simply can’t afford to absorb these losses.

Unfortunately, you don’t need to hold a doctorate in Computer Science from MIT to learn how to identify and take advantage of network vulnerabilities and cause widespread damage to companies and individuals. Look at the Fortinet VPN hack, for example. With 50,000 hosts representing hundreds of thousands of compromised accounts belonging to some of the world’s largest banks, telecoms and government entities released into the Dark Web, even the weekend hacker has the intel and direction needed to cause destruction.

There’s much to be learned and applied from these hacks, however. So, while it’s unlikely we’ll be able to eliminate these incidents in their entirety, there are ways we can mitigate network breaches.

Preventing lateral movement

Lateral movement is a technique used by cybercriminals to dig deeper into a network in search of sensitive data and other valuable assets. Once they’ve gained access to a network, hackers will typically maintain ongoing access by moving through the network and obtaining increasingly elevated levels of privilege.

There are a variety of steps that, when used in conjunction with one another, can help to prevent lateral movement. Critical among these steps is implementing adaptive network access controls. “Adaptive” effectively means several things: (1) you can monitor the risk posture of connecting devices and block/allow access based on the perceived risk level; and (2) you can block/allow access to the network based on a user’s geolocation. These types of adaptive access controls, when paired with MFA — multifactor authentication — and strong password policies, can help to fortify your network.

Segmenting the network

Network segmentation is the practice of dividing up a network into smaller parts, in which only assigned people have access to different parts of the network depending on their role and responsibilities. Network segmentation effectively reduces a cybercriminal’s vantage point into your larger network.

Segmenting your network can be done broadly or granularly. In effect, you want to be able to ensure that application and resource servers do not trust one another, and that any attempt to cross between them requires MFA, adaptive access control and session monitoring. Implementing microsegmentation means looking at the context of the user or device – their role, location, application, etc. – and defining access privileges based on that holistic profile.
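The adaptive access and segmentation rules described in the two sections above, sketched as a policy function. This is an added example, not Portnox code or any vendor's API: the risk weights, thresholds, country list, roles and segment names are all constructed for illustration.

```python
from dataclasses import dataclass

# Every name, threshold, country code and segment label here is constructed
# for illustration; none of it is a Portnox setting or any vendor's API.
ALLOWED_COUNTRIES = {"US", "CA"}
RISK_DENY = 70          # posture score at or above this is refused outright
RISK_QUARANTINE = 40    # at or above this the device only reaches remediation
QUARANTINE = "remediation"
ROLE_SEGMENT = {"clinician": "ehr", "finance": "erp", "contractor": "guest"}
# Segment pairs that may talk at all; anything not listed is denied.
ALLOWED_FLOWS = {("ehr", "erp"), ("erp", "ehr")}


@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    av_running: bool
    days_since_patch: int


@dataclass(frozen=True)
class Request:
    role: str
    country: str
    mfa_passed: bool
    device: Device


def risk_score(d: Device) -> int:
    """Additive posture score: higher means riskier."""
    score = 0 if d.managed else 20
    score += 0 if d.disk_encrypted else 25
    score += 0 if d.av_running else 30
    score += min(d.days_since_patch // 30, 5) * 5  # 5 per month behind, max 25
    return score


def admit(req: Request) -> tuple[str, str]:
    """Return ("allow", segment) or ("deny", reason); the default is deny."""
    if req.country not in ALLOWED_COUNTRIES:
        return ("deny", "geolocation")
    if not req.mfa_passed:
        return ("deny", "mfa")
    segment = ROLE_SEGMENT.get(req.role)
    if segment is None:
        return ("deny", "unknown-role")
    score = risk_score(req.device)
    if score >= RISK_DENY:
        return ("deny", "risk")
    if score >= RISK_QUARANTINE:
        return ("allow", QUARANTINE)  # network access for remediation only
    return ("allow", segment)


def may_cross(src: str, dst: str, fresh_mfa: bool, score: int) -> bool:
    """Segments do not trust each other: a listed flow still needs a fresh
    MFA check and a posture score below the quarantine threshold."""
    if src == dst:
        return True
    return (src, dst) in ALLOWED_FLOWS and fresh_mfa and score < RISK_QUARANTINE


if __name__ == "__main__":
    healthy = Device(True, True, True, 10)
    stale_byod = Device(False, False, True, 45)
    for label, req in [
        ("managed laptop", Request("clinician", "US", True, healthy)),
        ("stale BYOD", Request("clinician", "US", True, stale_byod)),
        ("wrong country", Request("finance", "ZZ", True, healthy)),
    ]:
        print(label, admit(req))
```

Re-running `admit` whenever posture changes is what moves a device that falls out of compliance into the remediation segment mid-session.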

Where to go from here

There’s a lot to unpack here. At the end of the day, truly mitigating network breaches requires implementing a network access control (NAC) solution that can discover, authenticate and segment users across the network, while monitoring the risk of their connected devices and remediating those devices in real time should they fall out of compliance. By leveraging NAC, organizations can deter further exposure, potentially saving themselves millions of dollars in the process.

Portnox Aids Credit Unions in Meeting New NCUA ACET Compliance Standards for Cybersecurity

As the NCUA’s cybersecurity standards tighten, Portnox’s network access control solutions are enabling credit unions to remain compliant & operational

NEW YORK, NY – March 3, 2021 – Portnox, a leading provider of network access control (NAC) and network security solutions, today announced that it has begun working with a number of U.S.-based credit unions to enhance their cybersecurity programs and meet stricter controls standards laid out within the National Credit Union Administration’s (NCUA) new Automated Cybersecurity Examination Tool (ACET) framework.

According to the NCUA, the ACET mirrors the FFIEC’s Cybersecurity Assessment Tool developed for voluntary use by banks and credit unions. Just like the FFIEC’s Tool, the ACET consists of two parts: The Inherent Risk Profile and the Cybersecurity Maturity level. The Control Maturity portion measures a credit union’s level of cybersecurity controls. The levels range from “baseline” to “innovative,” with the 123 baseline statements representing the minimum regulatory expectations.

“In light of recent network hacks, and as the NCUA audits continue to expand, many credit unions struggle with finding an effective solution to meet Domain 3 controls within the ACET framework,” said Ofer Amitai, CEO at Portnox. “Fortunately, Portnox can provide the network access control, endpoint awareness, risk and real-time remediation capabilities that either directly meet or highly contribute to many of the most difficult ACET Domain 3 audit areas and requirements.”

Portnox CLEAR, the first and only cloud-delivered network access control solution on the market, is a natural fit for credit unions. With no on-site networking hardware required to operate, no patching or on-going maintenance, and low overall total cost of ownership, Portnox CLEAR caters to financial institutions with minimal in-house IT resources needing to meet regulatory and compliance standards.

“We spent years looking for a NAC solution for our clients that was affordable, and more importantly, something that wasn’t extremely difficult to install. We found that with Portnox CLEAR, and now our clients are benefiting from enhanced security and compliance by using CLEAR,” said Lee Bird, President at Btech, a managed security services provider and Portnox partner based in Pasadena, California that specializes in cybersecurity for credit unions.

Enterprise WiFi Authentication, Explained

Types of WiFi Authentication

There are several different methods for authenticating wireless clients. Some have fallen out of favor due to security weaknesses, ultimately being replaced with newer, more secure authentication methods. These include:

  • Open authentication to the access point
  • Shared key authentication to the access point
  • EAP authentication to the network
  • MAC address authentication to the network
  • Combining MAC-based, EAP, and open authentication
  • Using CCKM for authenticated clients
  • Using WPA key management

WiFi Authentication Challenges

From its outset, WiFi posed a unique challenge when it came to authenticating identities since users were no longer physically connecting to ethernet ports. Originally, there were several methods used to authenticate users across wireless networks:

  1. Separation: One approach was to separate the WiFi network and let it reach the Internet. If you needed to access on-prem applications or resources, you would VPN into the network just as if you were remote. In this case, WiFi authentication consisted of an SSID and a password shared among all users of that particular network. There wasn’t really a connection to the main network, even though the WiFi network was located alongside the internal network. It operated more as a separate network for a variety of reasons.
  2. SSID: Another path was to simply use an SSID and passphrase and let anybody who had them onto the network. The user could subsequently authenticate to the directory service, but even if they failed that authentication, they would still have access to the WiFi network.
  3. RADIUS Authentication: Yet another path was to use the RADIUS authentication protocol to authenticate access to the WiFi network, which would in turn authenticate access with Active Directory. The RADIUS server was the intermediary between the WiFi access point and the core identity provider. RADIUS was able to speak to the WiFi access points and then translate for the directory to authenticate user access. Of course, the downside of this approach was more servers, more integration, and more configuration on end-user devices.
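What the RADIUS server receives from an access point in the third method, as an added example that is not from the original article or from Portnox. It goes a step beyond the text by also verifying the Message-Authenticator attribute (RFC 3579) before trusting the request; the shared secret, user name, addresses and SSID are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, CALLED_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 4, 30, 80
HEADER_LEN = 20  # code, identifier, length, 16-byte request authenticator


def parse_attributes(packet: bytes) -> list[tuple[int, int, bytes]]:
    """Return (type, value_offset, value) per attribute; reject malformed TLVs."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """HMAC-MD5 over the packet with the attribute value zeroed (RFC 3579)."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    found = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False  # missing or malformed: treat the request as unauthenticated
    off, received = found[0]
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def summarize(packet: bytes) -> dict:
    """Pull out the fields a RADIUS server uses to pick a directory lookup."""
    out = {"code": packet[0], "identifier": packet[1]}
    for atype, _, value in parse_attributes(packet):
        if atype == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif atype == CALLED_STATION_ID:  # wireless convention: "AP-MAC:SSID"
            out["called_station"] = value.decode("ascii", "replace")
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            out["nas_ip"] = ".".join(str(b) for b in value)
    return out


def build_sample_request(secret: bytes) -> bytes:
    """Constructed Access-Request, standing in for what an access point sends."""
    def attr(atype: int, value: bytes) -> bytes:
        return bytes([atype, len(value) + 2]) + value

    body = (attr(USER_NAME, b"alice@example.com")
            + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))
            + attr(CALLED_STATION_ID, b"02-00-00-00-00-01:CorpWiFi")
            + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, HEADER_LEN + len(body))
    packet = header + bytes(range(16)) + body  # fixed authenticator for the sample
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute
```

A server that drops requests failing `verify_message_authenticator` rejects both packets from a device that does not hold the shared secret and packets altered in transit.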

WiFi Authentication with Portnox CLEAR

WiFi extends beyond your walls. Employees innocently share company WiFi passwords with guests, contractors and business neighbors without ever stopping to think about the network and information security risks this poses to their organization. It’s not just outsiders, however. Today, nearly 20% of SMBs experience a data breach by a former employee who still has WiFi access.

It’s never been easier to secure your WiFi. With Portnox’s WiFi Security-as-a-Service, complex integrations and RADIUS server setups that traditionally required skilled IT staff and extensive training have been eliminated. Now, you can set up user and device authentication that complies with security regulations in minutes.
