Why Outsourcing Remote Access Management Isn’t the Answer for SMBs

“How do you keep your data secure when you’re a data anchovy in a sea of hacker sharks?” When the Wall Street Journal’s John Bussey posed this question in 2011, the corporate network security landscape was drastically different. Employees weren’t using company-managed smartphones at a rate of 64 percent. Nine out of every 10 employees weren’t keeping sensitive business information on devices they use for both work and personal matters. Yet, even then, SMB network administrators were concerned about their security, and feeling like vulnerable little fish with bigger, more aggressive fish circling. So concerned, in fact, that according to Bussey, many were reluctant to outsource network security services to a managed service provider (MSP), even though these companies would have both the expertise and resources required to keep their networks safe. At the time, many SMBs thought that the “hard disk under the receptionist’s desk” strategy was more effective than handing over control to a third party, even though these MSPs could provide data encryption, threat mitigation and other critical security services. SMBs thought to themselves: “Yes, but what if the host isn’t entirely well-protected? Or what if a peer company within the shared environment was attacked? Or what if hackers prioritized these target-rich environments?” These were real concerns then, and they still are now. So, should network administrators consider tapping into MSPs for network security in our current environment? The core issue is a common one in network security – convenience vs. security. The Debate The convenience vs. security debate comes to how SMBs go about securing communications. On one hand, SMBs could opt for convenience and...

The Cloud is Covered: VPNs Enhance Data Security in the Cloud

Cloud computing not only introduces a new level of flexibility for enterprise IT services, but it often improves data security, too. A cloud provider that has to adhere to stringent privacy and compliance regulations typically has more know-how and access to more resources than a small- or medium-size company. But it is just not possible to rely on a cloud provider for every aspect of data security. In the end, the company is responsible for its own data. Many aspects of data security are beyond the purview of the cloud provider, but at least it is responsible for checking all certificates and knowing which ones are relevant. However, all basic security measures are the responsibility of the company. Among them is the protection of the data-in-transit between the company’s LAN and the data center in the cloud. The easiest way to ensure this protection is to use a location-to-location VPN tunnel. If a VPN solution is already being used, the company has to make sure there aren’t any compatibility issues between its VPN gateway and the gateway at the cloud provider’s site. The VPN standards IPsec and SSL have been in use for many years and are tried and trusted, greatly reducing the potential for trouble. Usually the cloud data center provides a virtual machine on which the company installs another instance of its VPN gateway solution. Major solution providers like Microsoft Azure, Amazon Web Services and Google Compute Engine provide extensive how-to guides and online manuals explaining how to assure compatibility with a VPN. Most providers even relieve the customer of that process by offering a turnkey, managed...

A Closer Look at Cloud VPNs

Virtual Private Networks as a Service (VPNaaS), Managed Security Service Providers (MSSP) and Cloud Remote Access are different solutions addressing the same market requirement – the ability for remote employees to securely access corporate networks via the Internet with a managed solution.  Many enterprises have realized the benefits of using cloud services in other areas of their IT infrastructure. As a result, they no longer want to absorb the costs and management effort involved in hosting their own VPN gateways, especially ones with large numbers of remote endpoints. Striking a balance between giving remote employees the flexibility they desire while ensuring sensitive company data remains secure is admittedly a fine line to walk. Enterprises have faced that challenge for several years now as they’ve wrestled with the bring-your-own-device (BYOD) movement. Factoring the cloud into the equation only compounds the complexity of the situation. That’s why many companies today are outsourcing the operation of the VPN to a cloud solutions provider such as HOSTING. However, not all VPNs are created equal, and enterprises need to carefully examine what a provider is offering. What to look for Be sure the provider offers simple, yet efficient management of your cloud-based VPN. For example, centrally managed VPNs give administrators the ability to easily set up, add or dele te users as needed. With this approach, all configuration parameters are centrally stored. This approach makes it substantially easier for end users to establish connections while making it nearly impossible for employees to bypass or manipulate them. Will end users need to reestablish a secure network connection each time their connection channel changes? If the...

The Internet of Vulnerable Things: Why Remote Access Security is Critical

A new worm that targets embedded devices started to spread during the holiday season. The Zollard worm, which targets various devices running on Linux, has brought to light the numerous security vulnerabilities Internet of Things (IoT) endpoints pose for corporate networks. Researchers at Symantec discovered the worm just before Thanksgiving and said “it appears to be engineered to target the Internet of Things.” It works by leveraging a PHP vulnerability that was patched in May 2012, and attacks un-patched devices, such as Linux-based home routers, set-top boxes, security cameras and more. The worm generates IP addresses randomly, sends out HTTP POST requests and then spreads itself. As Joerg Hirschmann, CTO of NCP, mentioned in a recent InformationSecurityBuzz article, “with more devices requiring secure communications between not just end users, but other devices, enterprises need to start preparing for every device to become a potential attack vector.” The worm clearly presents a looming threat, especially considering it is built to attack IoT devices, such as those listed above, that are rarely, if ever, patched. Enterprises have a wide range of seemingly innocuous IoT devices connected to their corporate networks, including conference-room devices and printers, which can be single-purpose, but are built on a Linux platform with network connectivity that hackers can breach. Spencer McIntyre, security researcher for SecureState, said “They’re small enough that a lot of administrators forget they’re there and forget to patch them, change default passwords, and things like that. But they’re running software that is well-known enough to contain vulnerabilities that can be leveraged by attackers.” Enterprises can protect themselves by ensuring all of the devices accessing their...

Cloud computing without VPN is security risk, Part 2

By Bernd Reder Let’s revisit Tuesday’s post on cloud computing and VPNs, diving deeper into how organizations can ensure their employees are using the cloud securely. The answer is, via a VPN (Virtual Private Network). This applies to any cloud computing environment – be it public, private or the popular hybrid cloud models. The VPN solution should offer the greatest possible flexibility, including support for IPsec and SSL and the capability to enable seamless roaming between various communication media (such as LAN and Wi-Fi) . Furthermore, it is essential that the VPN solution enables an organization’s IT administrators to centrally manage all clients and components of the VPN infrastructure. Cloud VPNs instead of Do-it-yourself VPNs However, many organizations are not equipped to establish a company-wide VPN on their own and instead need a service provider to take on this task, either by providing a Virtual Private Network as a Service (VPNaaS) or remote access out of the cloud. Either of these solutions provides an alternative to the do-it-yourself VPN approach. Rather, cloud VPNs enable employees of a company to securely access all network resources in the cloud environment – applications, data and storage capacities – from anywhere. When considering cloud VPNs, organizations should consider a service that supports all end-devices that are used throughout the company – from desktops, notebooks, tablet PCs to smartphones. Ultimately, no matter which option a company takes to ensure secure cloud access, the organization reaps the benefits of the cloud and lowered IT costs.    ...

Cloud computing without VPN is a security risk

By Bernd Reder One of the key advantages of cloud computing is higher scalability, enabling organizations to adapt IT resources on demand, resulting in lower overall IT costs. The cloud has also afforded small and medium-sized businesses (SMB) easier access to technology that allows for seamless scaling, enabling organizations of all sizes to benefit from lower IT costs. The cloud, however, can also open an organization to new threats. Before diving into just what those are, let’s consider how the cloud operates within an enterprise. In many ways, cloud computing displaces some of the connections that typically run through a company’s LANs (Local Area Networks). For instance, this happens when an employee accesses company cloud services from a hotel or airport via mobile networks or Wi-Fi. This also occurs when the employee accesses Software as a Service (SaaS) platforms, computing power or storage capacities in the cloud (Infrastructure as a Service) from the office. As a result, some of these connections could be potentially unsecure. Security and the Cloud Ideally, when employees are using cloud services they take proper precautions to ensure that no unauthorized persons gain access to critical business information. Yet, organizations and employees cannot rely on cloud service providers to secure data communication. According to a study by the market research and consulting agency Ponemon Institute, 69 percent of all cloud service providers take the view that it is the users’ responsibility to secure remote access to cloud resources – not the providers’. So what’s the easiest and most practical way for organizations to ensure their employees are using the cloud securely? More on that next...