The adoption of hybrid working practices in companies is creating constraints for IT teams. Employees’ terminals are accessible from the outside world, and scattered across a variety of environments whose attack surface is poorly defined and therefore, by definition, complex to secure. So how do you address this security issue?
Exploitation of vulnerabilities, malware, compromised sessions... these are all cyber threats to which remote terminals are (increasingly) exposed, as they lack the protection of the company's security perimeter. As Julien Paffumi, Product Portfolio Manager at Stormshield, points out, protection flaws enable cyber criminals to sneak in and stay under the radar: “Malware that finds its way in via a compromised e-mail or USB key can evade antivirus detection if signatures are not kept up to date. The same applies to an attack that exploits an application or OS vulnerability for which a patch has not been applied. Data stored on these devices and access to SaaS services can also be compromised and exploited by attackers to exfiltrate data,” increasing the severity of the breach. Is the answer to reduce the number of employees outside the company? Could the “Zero Trust” model be the solution? Our experts offer a few possible answers.
The challenges of protecting remote terminals
With the rise of remote working and the widespread use of online tools, it is becoming increasingly complex to manage and secure remote terminals.
The fixed workstation on the company’s premises is no longer the only device that can access the organisation’s assets. The diverse range of equipment (laptops, smartphones, tablets and desktops) and applications, with different operating systems, business software with specific functions, variable security parameters, etc., means in practice that there are many more devices to monitor and secure. Julien Paffumi believes that the complexity of protecting devices lies in the physical management of the perimeter within which they operate. “When used in mobile situations, devices do not enjoy the benefits of physical control over their environment as they would when on the company’s own premises.” By definition, a mobile device does not have physical control over its own environment (as opposed to secure physical access to company premises). Nor does it automatically use secure Internet access (as opposed to corporate network access with security ensured by firewalls). This is because the terminal is not necessarily permanently connected to the VPN, and therefore does not necessarily receive all the configuration, software and signature updates, etc. There are therefore fewer guarantees that the device is being afforded the level of security defined by the company.
But many organisations do not require remote workers to use a VPN all the time, and monitoring endpoints outside the company perimeter is a complex task in practice. In this case, “asset management solutions could be used, with the ability to reach the device even without VPN,” Paffumi explains. “But this means a potential increase in the organisation’s attack surface, because the agents that need to be deployed on the workstations and asset management servers are publicly visible... So we’re back to VPN again for secure communications!” Increasingly sophisticated cyberattacks mean that companies need to take the issue of controlling the working environment seriously. For example, Google is experimenting with a drastic solution in the form of a pilot programme involving 2,500 of its employees, according to the CNBC news outlet. Using the same principle as “Just In Time” (JIT) access management, in which the lifetime of a right granted to a user equals the time strictly necessary to perform the task, CNBC reports that employees participating in the programme are disconnected from the internet if they do not absolutely need to use it. The aim of this strategy is to reduce the attack surface for employees, and thus prevent internal tools from being compromised and accessed by third parties.
The importance of rethinking perimeter security
As we adapt to different ways of working, perimeter and asset security need to be rethought. Traditional methods are no longer sufficient to prevent sophisticated threats. According to Paffumi, this does not mean that perimeter security is dead, “but the reality now is that the perimeter has expanded, with (a) a traditional physical perimeter and on-premise protection resources, and (b) a virtual perimeter that needs to be successfully recreated around mobile terminals; for example, with a VPN. But such devices require extra protection, particularly in cases where they are not initially included within this virtual perimeter. For example, when the VPN is not running, you need to restrict what the device can do, and what is accessible on that device.”
One approach to adhering to this paradigm is the “Zero Trust” strategy. Trust no user, no machine and no application - that's the philosophy of the Zero Trust security model. By adopting this default position, the company assumes any element to be malicious until proven otherwise: “The Zero Trust model is based on a philosophy according to which the network to which I am connected is already compromised, and is therefore listening in on communications or harbouring threats that are seeking to spread to other connected assets,” Paffumi explains. “Such a model also makes it possible to plan for the possibility that the machine and/or user login credentials could be stolen and misused. This means that any device or file, even from an apparently trusted source, is potentially harmful.” But trust is essential for working and interacting, “at least on a temporary basis and with an assumption of sufficient guarantees at any given moment. We therefore need to continually challenge and re-evaluate the level of trust to be assigned, using multiple criteria such as identification, location, time of day, update status, etc.”
To check the authentication, authorisation and security status of each piece of equipment before granting access to company resources, additional security measures need to be implemented, such as multi-factor authentication, network segmentation, continuous monitoring and behavioural analysis. And Mark Johnson, a pre-sales engineer at Stormshield, believes that the hardening of security solutions can go hand in hand with this protective approach: “Some cyberattacks target cybersecurity products themselves. The challenge is to open a security hole in the protection agent and increase its privileges on the infected machine. The security of such products thus needs to be increased over time, to ensure optimum protection against new cyberattacks.” This involves strengthening and “hardening” security products, an approach that consists of reducing the attack surface of the components of a system, software or product to make it even more secure. In this respect, civilian companies have much to learn from the military world. That's why Mark Johnson advises companies to give priority to “products certified by government organisations, for even greater trust.”
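As an added illustration (not Stormshield's code or any product's), the following Python sketches the continuous re-evaluation Paffumi describes: a trust score built from the criteria the article lists (identification via MFA, VPN state, update status, location, time of day) is mapped to an access tier and recomputed on every request, so a laptop that drops off the VPN mid-session loses access rather than keeping what it was granted at login. The posture schema, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Posture:
    """Signals gathered for one access request (constructed schema, not a product API)."""
    mfa_verified: bool             # identification
    vpn_connected: bool            # is the virtual perimeter in place?
    signature_age: timedelta       # time since last antivirus signature update
    critical_patches_missing: int  # update status
    location: str                  # "office", "home" or "unknown"
    request_time: datetime         # time of day

MAX_SIGNATURE_AGE = timedelta(days=3)   # assumed policy threshold
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59, assumed

def trust_score(p: Posture) -> int:
    """Score 0-100 from the article's criteria; failed identification is a hard stop."""
    if not p.mfa_verified:
        return 0
    score = 100
    if not p.vpn_connected:
        score -= 40   # no VPN: the device sits outside the virtual perimeter
    if p.signature_age > MAX_SIGNATURE_AGE:
        score -= 25   # stale signatures cannot catch recent malware
    score -= 15 * min(p.critical_patches_missing, 2)   # capped at -30
    if p.location == "unknown":
        score -= 20
    if p.request_time.hour not in BUSINESS_HOURS:
        score -= 10
    return max(score, 0)

def access_level(p: Posture) -> str:
    """Map the score to a tier: full, restricted (low-sensitivity resources only) or deny."""
    s = trust_score(p)
    return "full" if s >= 80 else "restricted" if s >= 50 else "deny"

def reevaluate_session(snapshots: list) -> list:
    """Recompute the tier on every request instead of trusting the level granted at login."""
    return [access_level(p) for p in snapshots]

# Constructed posture snapshots for one session of the same user and laptop.
T = datetime(2024, 3, 12, 10, 0)
ON_VPN = Posture(True, True, timedelta(days=1), 0, "home", T)
VPN_DROPPED = Posture(True, False, timedelta(days=1), 0, "home", T)
VPN_DROPPED_STALE = Posture(True, False, timedelta(days=5), 1, "home", T)
# reevaluate_session([ON_VPN, VPN_DROPPED, VPN_DROPPED_STALE]) → ['full', 'restricted', 'deny']
```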
The challenges of managing remote terminals and the risks of compromising unsecured terminals call for a security approach that is tailored to the new realities and uses in the IT world. Zero Trust model, hardened equipment, or both: the choice is yours.