cyolo.io
Open in
urlscan Pro
34.72.197.182
Public Scan
Submitted URL: https://protect-de.mimecast.com/s/j4YVCk2YvBC2V0xfVIz3B?domain=tenderhearted-chela.herokuapp.com
Effective URL: https://cyolo.io/blog/why-you-shouldnt-put-all-your-trust-in-your-security-provider/
Submission: On April 06 via manual from MK — Scanned from DE
Effective URL: https://cyolo.io/blog/why-you-shouldnt-put-all-your-trust-in-your-security-provider/
Submission: On April 06 via manual from MK — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
We use cookies to improve your website experience and provide more personalized
services to you. To find out more about the cookies we use, see our Privacy
Policy.
Accept
* Home
* Product
* Product
* Solutions
* Zero Trust for OT
* Third Party Access
* Remote Access
* Developers Access
* Company
* About Us
* Partners
* Careers
* Resources
* Zero Trust
* Resources
* Blog
Menu
* Home
* Product
* Product
* Solutions
* Zero Trust for OT
* Third Party Access
* Remote Access
* Developers Access
* Company
* About Us
* Partners
* Careers
* Resources
* Zero Trust
* Resources
* Blog
* Home
* Product
* Product
* Solutions
* Zero Trust for OT
* Third Party Access
* Remote Access
* Developers Access
* Company
* About Us
* Partners
* Careers
* Resources
* Zero Trust
* Resources
* Blog
Menu
* Home
* Product
* Product
* Solutions
* Zero Trust for OT
* Third Party Access
* Remote Access
* Developers Access
* Company
* About Us
* Partners
* Careers
* Resources
* Zero Trust
* Resources
* Blog
* Home
* Product
* Product
* Solutions
* Zero Trust for OT
* Third Party Access
* Remote Access
* Developers Access
* Company
* About Us
* Partners
* Careers
* Resources
* Zero Trust
* Resources
* Blog
Menu
* Home
* Product
* Product
* Solutions
* Zero Trust for OT
* Third Party Access
* Remote Access
* Developers Access
* Company
* About Us
* Partners
* Careers
* Resources
* Zero Trust
* Resources
* Blog
Request a Demo
* Home
* Product
* Product
* Solutions
* Zero Trust for OT
* Third Party Access
* Remote Access
* Developers Access
* Company
* About Us
* Partners
* Careers
* Resources
* Zero Trust
* Resources
* Blog
Menu
* Home
* Product
* Product
* Solutions
* Zero Trust for OT
* Third Party Access
* Remote Access
* Developers Access
* Company
* About Us
* Partners
* Careers
* Resources
* Zero Trust
* Resources
* Blog
Request a Demo
* Blog, Phishing, Secure Access, VPN, Zero Trust
WHY YOU SHOULDN’T FULLY TRUST YOUR SECURITY PROVIDER
* Jan 28 2021
* • 5 min read
CYOLO TEAM
Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on pinterest
Organizations often trust their IT or security teams to be able to manage and
prevent cyber attacks. But many organizations’ current infrastructure can allow
adversaries to get piped into their networks, through VPNs and similar methods.
We need to completely rethink our security strategy and implement more secure
solutions like zero trust. Let’s see why and how.
This blog post is based on the webinar “Are you putting too much trust in your
security providers?”, which you can access here.
THE IMPORTANCE OF A SECURITY FAIL-SAFE
Organizations often put too much trust in their IT teams. They believe these
teams will be able to prevent cyberattacks and data breaches. But this is a
misconception. Not because the teams aren’t skilled or are lacking resources
(though this might be the case), but because our security strategy needs a
complete redo.
Multiple cyber attacks are occurring at any given time and many of them take
place in the same way. It starts with a software DLL, piping is set up for
continued access, the admin account is accessed on a Jump server, Jump boxes
inside the core VLANs are compromised, the attacker finds machine connections
and lateral movement progresses.
This is enabled because of our perimeter based approach. Our VPNs, remote
workers and third party providers are piping our adversaries into our networks.
We cannot change modern communication needs, so we need to change our security
methods.
It doesn’t matter how heavily you invest in security. Over the past years, we
can see more and more companies that are being heavily breached. SolarWinds is
the latest most notorious example, but it is not the only one. Security
companies like FireEye, PulseSecure, Fortinet, Portnox and Zyxel have all been
compromised, and even Microsoft had its share of attacks. These companies live
and breathe security, and they invest hundreds of millions of dollars in
securing their own assets. Yet, they are still vulnerable. If they are, so is
everyone else.
3 CYBERSECURITY MYTHS
There are three common myths revolving around cyber security that prevent
organizations from implementing a secure strategy and plan.
MYTH #1: UPGRADING LEGACY SYSTEMS WILL KEEP YOU SECURE
Many companies believe that upgrading their legacy systems will keep them
secure. But upgrading legacy systems is not enough. Turning a system into what
it was not originally designed for is sub-optimal and will not deliver what you
need, when you need it.
MYTH #2: CLOUD INFRASTRUCTURE IS SECURE
Companies think that the cloud is secure. But cloud infrastructure is only what
its name means: it is infrastructure that enables optimal access. Cloud
providers secure the cloud, not what’s in the cloud. Securing data in the cloud
is the responsibility of the company.
MYTH #3: SECURITY INSURANCE WILL KEEP YOU COVERED
Many organizations think their insurance will protect them. But getting
insurance is not a replacement for securing the network and crown jewels. The
legal, ethical and financial repercussions are far more severe and long-term
than what any insurance company will end up paying.
As you can see, common conceptions of security are misguided, and still require
rethinking our security methods. So the question is: what to do when everything
goes sideways? You need to find a fail-safe.
INTRODUCING ZERO TRUST: THE SECURITY FAIL-SAFE
Zero trust is a disruptive security model that turns network-based security
solutions on their head. Instead of securing the perimeter, zero trust assumes
no one is to be trusted. If we look back at the latest attacks, we can see why.
Companies can’t control everything: bugs, code vulnerabilities, user errors:
these things will happen, and they increase the attack surface.
So instead of piping and tunneling attackers into the network, zero trust blocks
access to everyone, except for devices and users that have been authenticated.
Authentication happens every single time a user attempts to access an asset or
system. Thus, modern security needs are answered by design, and not by add-on.
ZERO TRUST VS. VPN
VPNs were built for a different era. It’s no wonder then that many of the latest
publicly-known attacks occurred due to VPN vulnerabilities. A quick look on
Shodan will portray a hefty list of exploitable VPNs. Let’s see what a common
business use case would look like on VPNs compared to zero trust.
Company X is using a third party for its resource management and maintenance.
It’s 10pm on a Friday, and suddenly one of the main services goes down. Unless
it goes back, this will cause a massive loss of revenue. At 10:01pm the IT calls
the supplier to assist ASAP. At 10:02pm the supplier’s admin requests access to
the environment for troubleshooting. Now what?
SCENARIO 1: THE COMPANY HAS AN OPEN VPN POLICY.
In this case, the third party can connect to the server with full admin rights.
However, this can result in injected malware, rights getting stolen, lack of
auditing or monitoring and lack of visibility into what the user is doing. This
is a very risky approach.
SCENARIO 2: THE COMPANY HAS A STRICT VPN POLICY.
In this case, the third party asks for a one time password from the helpdesk,
server credentials are provided to establish connection to the server, and an
admin has to approve this.
This is more secure, but it still enables access to the network once the user is
in, and it is extremely time-consuming and counter-productive. This is a
somewhat risky and very inefficient approach.
SCENARIO 3: ZERO TRUST ACCESS
In this case, the third party attempts to connect to the server through the zero
trust provider. The supervisor is immediately notified and can give immediate
access. The user is automatically authenticated and logged in. If the user needs
more permissions, the supervisor can connect via mobile to insert credentials
with relevant permissions.
Throughout the entire sessions the supervisor can monitor activity from her
phone in real-time and revoke access is needed. All activity is automatically
logged, monitored and recorded.
No credentials are exposed to a third party, the time to react is low and so is
the cost.
As you can see, the zero trust security strategy is a new strategy that answers
modern security requirements, and also ends the trade-off between security and
productivity.
NEVER TRUST YOUR ZERO TRUST PROVIDER
But wait, you might ask, didn’t we start out with never trusting anyone? So why
should we trust our zero trust provider? This is an excellent question, and the
answer is: you shouldn’t.
When choosing a zero trust provider, ask the following questions:
1. Is the user data exposed?
2. Who controls and executes access policies?
3. Can the ZT provider create users on their customers’ behalf?
4. Where are the customer’s secrets (keys, tokens, passwords) kept?
5. How does the provider mitigate the risk of internal threats?
6. What is the coverage of the provider’s secure access? Does it cover users,
networks, apps?
Answering these questions will help you ensure your zero trust provider is not a
vulnerable supplier in your chain. Find a supplier that does not put you at
risk, if they are attacked.
ABOUT CYOLO
Cyolo is a zero trust solution with a unique architecture designed to keep your
assets and information secure, because we do not hold and control sensitive
company information like keys and passwords information.
By securely connecting all users from anywhere without requiring a VPN, and
authenticating devices, Cyolo enables employees to focus on their work and your
business to grow. Cyolo provides advanced user management features, real-time
recording abilities and an easy to use UI. Cyolo can also integrate with your
VPNs, if needed.
Cyolo takes minutes to implement and is compatible with any network topology and
identity infrastructure. In addition, Cyolo does not have access to the
organizational data. Not only does this ensure true privacy and security, it
also improves performance as a better user experience. Request a demo to learn
more: cyolo.io/demo-request
SUBSCRIBE TO OUR BLOG
Get the latest posts in your email
Sign Up
* events
WEBINAR: COMPLIANCE IS TOUGH. A ZERO TRUST APPROACH CAN MAKE IT EASIER
Sign up
* whitepapers
5 THINGS TO CONSIDER BEFORE ADOPTING A ZERO TRUST STRATEGY
Sign up
* webinars
CAN YOU TRUST YOUR ZERO TRUST PROVIDER?
Sign up
* webinars
SANS ZERO TRUST FORUM
Sign up
Follow Us
Facebook-f Twitter Youtube Linkedin
MORE ARTICLES
* Blog, Cyber, Zero Trust
SUPPLY CHAIN ATTACKS: WHAT THEY ARE AND HOW TO PREVENT THEM
* Apr 4 2022
* • 3 min read
A supply chain attack occurs when bad actors infiltrate an organization’s
privileged systems via one of its third-party partner. Learn how to prevent
them.
Read More
* Blog, Compliance
THE COMPLETE GUIDE TO PCI DSS COMPLIANCE
* Mar 17 2022
* • 4 min read
PCI-DSS is a compliance standard designed to reduce credit card fraud by
increasing controls around cardholder data. Learn about the PCI-DSS
requirements.
Read More
* Blog, OWASP Top 10
HOW TO TEST AND PREVENT NOSQL INJECTIONS
* Mar 15 2022
* • 7 min read
Injections are one of the most common web application vulnerabilities. In this
article, we examine how to identify, test, and prevent NoSQL injections in web
applications.
Read More
Load More ↓
SUBSCRIBE TO OUR BLOG
Sign Up
HOME
* How it Works
* Our Integrations
* Customer Quotes
Menu
* How it Works
* Our Integrations
* Customer Quotes
SOLUTIONS
* Product
* Zero Trust for OT
Menu
* Product
* Zero Trust for OT
RESOURCES
* Resources
* Blog
Menu
* Resources
* Blog
COMPANY
* About Us
* Careers
* Partners
Menu
* About Us
* Careers
* Partners
CONTACT
Request a Demo
+1-866-918-1143
Copyright © 2022 Cyolo LTD. All rights reserved. | Privacy Policy
Sumo