Cloud and IoT have driven the expansion of networks and inter-networks, with data now stored across them rather than in silos. As Cloud brings agility to all online transactions and transmissions of data, the chance of data leakage has become a serious security concern for users and enterprises for whom Cloud lies at the center of their networking philosophies. The evolution of technology thus requires secure network infrastructures. A significant number of businesses now use mobility and data-enabled smartphones as drivers of their enterprise, and app-to-cloud security has been identified as an aspect that needs to be considered.
We interacted with Mr. Rajesh Maurya, Regional Director, India & SAARC, Fortinet for insights on steps required for a secure and shielded Enterprise Cloud Network:
Q: Smart data is the new ground for competitive advantage. What are some unique ways in which, in your opinion, cyber criminals target these data centers (or silos)?
A: Traditional security devices and strategies are woefully inadequate for securing highly dynamic data center environments. Hackers easily gain entry to a corporate network by targeting its weakest points – including an unsecured employee mobile phone, or a workstation with limited access to corporate data – which typically reside in low-value segments of the network. After breaking in and getting a toehold, the hacker can often easily navigate to other more valuable parts of the network, which tend to be much more rigorously protected from external attackers.
This "lateral movement" modus operandi proves to be effective most of the time because many organizations do not isolate different segments of the network from one another. Moving from segment to segment is usually a breeze once hackers get into the network.
The trends which will make such attacks from within the organization more common in the coming years are:
- The increasing adoption of employee-owned mobile devices in enterprise environments. These are often poorly secured and provide a weak point of entry for hackers.
- The exponential growth of IoT devices. Early and even current versions of these devices are not designed with security in mind, and are very tedious if not impossible to secure properly.
- Advancement in hacking techniques.
Q: What are the technological challenges that a company faces while preparing for or recovering from major security breaches?
A: We are at a critical point in our transition towards a digital economy, and failure to rethink what security looks like in this new world will have far-reaching consequences. There are a few key areas every organization needs to implement as part of its security strategy to prevent a breach and also to help it handle one effectively:
- Control network access. The vast majority of these new IoT devices are headless, which means that you can’t patch them, update them, or add security clients to them. So you need to weed out high-risk, compromised, or unauthorized devices and traffic before you let them enter your network.
- Assume you will be breached. If you knew an attacker could get past your perimeter defences, what would you do differently? Most organizations spend the majority of their security dollars on building a better front door. Those resources need to be shifted to actively monitoring your network and identifying anomalous behaviour inside your perimeter.
- Intelligently segment your network. The attacks that do the most damage are the ones that can move freely inside your environment once perimeter security has been bypassed. Secure internal segmentation ensures that a breach is limited to a small area of your network and that attempts at unauthorized lateral movement can be detected. It also allows you to quickly identify infected devices for quarantine and remediation.
Q: What are some technologies (both backend and frontend) Fortinet puts to use that position themselves ahead of competitors, and more importantly cyber felons?
A: The response to increasingly complicated networked environments needs to be simplicity. Securing these evolving environments requires three things:
- Collaborative intelligence – Local and global threat intelligence needs to be shared between security devices, and a coordinated response between devices needs to be orchestrated centrally.
- Segmentation – Networks need to be intelligently segmented into functional security zones. End-to-end segmentation, from IoT to the cloud, and across physical and virtual environments, provides deep visibility into traffic, limits the spread of malware, and allows for the identification of infected devices.
- Universal policy – A centralized security policy engine that determines trust levels between network segments, collects real-time threat information, establishes a unified security policy, and distributes appropriately orchestrated policy enforcement.
Fortinet has, thus, introduced its new security fabric architecture, designed to integrate security technologies for the endpoint, access layer, network, applications, data center, content, and cloud into a single collaborative entity that can be orchestrated through a single management interface. The Fortinet Security Fabric is designed to provide the scalability, awareness, security, actionable intelligence, and open API strategy an organization needs to secure its evolving digital business. It enables the security, flexibility, performance, collaboration, adaptability, and manageability you demand across your physical, virtual, and cloud environments, from IoT to the cloud.
Q: 2016 saw a significant jump in the number of cyber attacks on mobile devices, predominantly smartphones. How well is the Cybersecurity industry prepared for it, in general? How well is Fortinet equipped to combat such challenges?
A: Mobile devices are ubiquitous on corporate networks and, by their very nature, come and go between highly vulnerable and relatively safe environments. More importantly, because these devices are at the mercy of carriers and vendors for their updates, administrators and users often aren't able to provide security patches in a timely manner.
Android has become a viable vector for a variety of attacks against both end users and organizational targets. But if neither users nor administrators can count on timely security updates in the way they can with desktop operating systems, what's the solution? Only use Nexus devices? Stick with iOS? Abandon BYOD? None of these are especially attractive options, but organizations need to give much more careful thought to mobile security as the threat landscape continues to evolve.
Fortinet has addressed these challenges with its Secure Access Architecture solutions which encompass the entire infrastructure across wired and wireless networks. These solutions are intelligently unified within Fortinet’s Security Fabric through FortiOS. This enables the individual components to act and respond as one – all managed through a single pane of glass and leveraging a single source of security updates. These advanced and intuitive capabilities arm IT with universal visibility and control over IoT devices and how they interact with critical enterprise networks.
- Secure Access Applications & Authentication/End Point – Integrated and comprehensive access application solutions that enable guest access, presence, application visibility, device onboarding, certificate management and more.
- Flexible Management Options for On-Premise and Cloud Solutions – Offering choice at the access layer with controller, controller-less, cloud, multi-channel, and single-channel deployment modes.
- Single Point Controllers across WLAN Access Points and LAN Switches – Fortinet’s powerful Infrastructure Controllers FortiWLC 50D, 200D, and 500D support 50, 200 and 500 access points and 802.11ac Wave 2 performance requirements, while supporting more devices.
- Enterprise-Class Secure Access and Datacenter Switches – A wide range of high-performance, cost-effective access and data center switches, including Fortinet’s FortiSwitch FS-224D-FPOE and FS-548D-FPOE, which offer 24- and 48-port PoE (Power over Ethernet) support, and a range of 10 Gigabit Ethernet data center switches with universal management through FortiGate appliances.
Q: What are your views on the security of IoT-enabled and Personal Area Networks (PANs) like smart homes?
A: There are now thousands of IoT vendors implementing thousands of unique combinations of software, and implementing dozens of technologies (WiFi, Bluetooth, NFC, ZigBee, RFID), on billions of new devices. And of course, the very price competitive nature of this market (the primary market being consumers and not corporations) means that developers will limit their investment of time and money in security.
For Enterprises, all of this means the security risks related to this new era of technology personalization are both significant and unplanned. The majority of these IoT devices will not be part of a corporate deployment; employees will simply bring them from home, sync them to their Smart Devices, connect to the corporate WiFi network, and then connect to the cloud-based services deployed across the corporate network.
The emergence of IoT, and its significant security implications may finally be the technology evolution that lifts security from being a network afterthought and bolt-on technology to an integral, persistent, omnipresent part of the network. We need secure, trustworthy networking as opposed to networking plus security. We need to create even smaller security domains to limit the scope and exposure of an exploited device. The response to complexity needs to be simplicity, not endlessly adding more single-purpose devices to our security racks.
On personal networks, home routers have become the new favourite target of cyber criminals in 2016. Because home users often do not have the skills or information needed to patch their devices, or even know that they are at risk, we also believe that home routers will continue to be an attractive target for cybercriminals for the foreseeable future. Given the possible ramifications, we also call on the manufacturers of home routers to improve their ability to track these devices and provide an automated update solution.