Written by Jason Garbis on April 24, 2019
Service Providers: Don’t Be the Weakest Security Link
The understanding that third parties come with their own security risks is crucial to creating a strategy that ensures service providers aren't susceptible to attacks that can turn their own defense systems against them.
In today’s threat environment, enterprises must take a holistic approach to understanding their security posture. This means organizations cannot just protect their own networks and users – they must also consider third-party security risks.
These risks, unfortunately, are not theoretical. Earlier this month, KrebsOnSecurity reported that India-based IT outsourcing and consulting firm Wipro’s IT systems were compromised and used to launch attacks against their customers. Wipro’s customers found malicious and suspicious network activity in their partner systems that communicate directly with Wipro's network. The very company assigned to manage and secure its customers’ systems was inadvertently infecting them with malicious software.
It appears the same hackers have targeted Infosys and Cognizant, so Wipro surely will not be the last such victim. Managed service providers should be on high alert. So what can be done to limit cybersecurity risks so institutions do not become the weakest link in their customers’ security posture? We recommend three core principles:
1. Limit Access, Enforce Controls
The traditional perimeter-based approach to network security is failing to adequately protect organizations. Security tools such as VPNs, firewalls, and Network Access Control (NAC) don’t properly manage access controls, meaning enterprises are using them to control access in an all-or-nothing fashion. The result is that authenticated users typically have overly-broad network access, increasing the attack surface area and allowing wide-reaching breaches like the one at Wipro.
As a service provider, restricting users’ access to customer networks should be done by implementing an identity-centric, Zero Trust approach like a Software-Defined Perimeter (SDP). An SDP is designed around the user and addresses the shortcomings of the traditional network security methods. It limits access by using a need-to-know model, in which device posture and identity are verified before access to a network or application is granted. This helps reduce the attack surface by creating a discrete, encrypted network segment of one, making everything else invisible and inaccessible. The key is to focus on identity, context, and multi-dimensional user profile verification, and to grant access privileges based on attributes that you control. With SDP, you can ensure that your users only have access to customer networks when they require it – for example, driven by a business process such as a Service Desk ticket. This ensures appropriate business processes are being followed and can prevent malware from spreading into customer networks.
2. Secure the IoT Wildcard
Limiting network access is a good start, but it means nothing if the actual devices are not secure. We live in an Internet of Things (IoT) world; the ease and simplicity with which IoT devices can be onboarded and connected makes them a massive security risk. Add the fact that once online, those devices are typically “always on”, and attackers now have 24/7 access to this attack surface. It’s the perfect storm for additional vulnerabilities: IoT devices are notorious for having security issues, maintaining default credentials, and for an inability to be patched or upgraded.
Organizations must secure unmanaged and undermanaged IoT devices with a 360-degree perimeter protection approach. A solution such as AppGate SDP IoT Connectorsecures these unmanaged IoT devices, restricts lateral movement, and reduces the network attack surface – allowing you to leverage the full power of smart devices without putting your networks (or your customer networks) at risk.
3. Hybrid Environment Security
Managed service providers often need to support a wide range of customer environments, including clouds, both public and private, and hybrid architectures. You not only need to be nimble and adaptable, but also secure. It is important to adopt a Zero Trust model that is provider-agnostic and compatible with hybrid environments that encompass cloud, hosted, and on-premise. Implementing a solution that allows for user access entitlements and policies to work across data centers and cloud environments prevents you from having to manage different security plans for each environment. AppGate SDP is a Zero Trust access solution with granular controls that is cloud-friendly. Its Live Entitlements are flexible, easy to build and define, and leverage cloud providers’ metadata to make access decisions.
Third-party risk is not new, but today we are entering new territory with this type of high-profile and successful attack on service providers.
Your customers know that a successful cybersecurity defense needs to look beyond the boundaries of their organization and include high standards for any third-party service providers with access to their networks. As a service provider, your customer relationships are built on trust – your customers trust you and your employees to access and manage their systems while keeping them secure.
In our world of heightened risk, increasing your organization’s defensive capabilities and maturity level is not just good security, it’s good for business. Using a modern SDP architecture can be a differentiator for your firm, and a foundation for stronger trust between you and your customers. That’s a winning proposition for all parties.