Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/24/2020
10:00 AM
Dor Knafo
Dor Knafo
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Rethinking Enterprise Access, Post-COVID-19

New approaches will allow businesses to reduce risk while meeting the needs of users, employees, and third parties. Here are three issues to consider when reimagining enterprise application access.

As we look to reopen the economy, a lot of muscle memory will have to be relearned. The old way of doing things isn't going to make it in the post-COVID-19 world. Too much is on the line, for both employees and customers. Everything is being reconsidered, from entry procedures to foot traffic and flow, to capacity, back-end and front-end processes, online customer service, social distancing, and cleaning.

COVID-19 is an unprecedented challenge for IT departments too. Facing lockdowns and quarantines, organizations are rethinking how they rushed thousands of new users, both insiders and third parties, onto enterprise networks to access critical private applications. In many cases, enterprises also are adding new applications to facilitate online transactions and drive-by service in an effort to deliver contactless customer service. During this crisis, speed and agility were what mattered, and now safety and security are driving the decision-making.

To connect a specific user with a specific set of apps, traditional approaches transport the user all the way to the doorstep of the app with a dedicated tunnel — a VPN. VPNs are permissive, difficult to configure, complicated to manage, and extremely fragile. One slight change in location, device, or operating system and the whole tunnel must be rebuilt from scratch. With a small number of users, devices, and private apps, this is somewhat manageable. But when COVID-19 hit and countless apps, users, devices, and locations needed instant access, it became absolute madness.

How can something so vital to business operations, accessing our own apps, still be so complicated?

Whenever the health crisis of COVID-19 subsides, IT organizations should take the time to rethink how they deliver enterprisewide application access. Crises tend to reveal underlying cracks in an organization. In the case of traditional application access solutions, the pandemic has revealed operational and security issues that are clearly not aligned with digital transformation, the user experience, or the future of work.

Ease of Use Matters
Operational challenges are one of the most persistent challenges that IT teams face. The complexity of multicloud network infrastructure and applications today has led to a tool for every problem. Traditional access solutions have proven to be difficult to deploy and operate. They require new licenses to scale and time-consuming network changes to onboard new users. Post-COVID, we won't have time for that.

What About Zero Trust?
Solutions like VPNs provide too much access, taking the opposite of a zero-trust approach. Users need to be tightly managed, monitored, and controlled. They should not be free to roam once they have gained access. But it is clear that we are largely flying blind, and need better visibility and control not only over user access but each individual request.

Remember Risk?
The security weaknesses of traditional approaches can no longer be ignored. Why are we bringing users on to the network at all? Why are we exposing users to insecure legacy apps?

Here are three considerations for enterprise IT teams to reopen and reimagine enterprise application access, transforming vulnerable apps and networks into zero-trust resources.

  1. Leverage the cloud to isolate the apps completely from the network, making frontal attacks virtually impossible.
  2. Enable continuously monitored, recorded, and controlled zero-trust user access. No more binary decisions at the beginning of the session and free range thereafter. Continuously evaluate user access according to threats and user behavior. No more implicit trust. Application access should be zero trust.
  3. Centralize the access policy and management control of all applications. Ease of use matters.

COVID-19 exposed a lot of weaknesses in the way we enable application access for employees, partners, and third parties. This pain was felt across the board, by executives who wondered about productivity and by users who worried about rationed access. This was felt by IT teams that had to deal with network changes, hardware licensing, and a host of other headaches. Applications remain the lifeblood of business, and employee and third-party access is an issue that is not going away in the new work-from-anywhere world.

Not every change to the way we do business after this crisis will be welcome or particularly helpful. That said, we have learned many lessons during this period of significant business disruption. Access to applications, the foundational tools of business, was put to the test. New approaches will allow businesses to reduce risk while meeting the needs of users, employees, and third parties. That's a change worth making.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
 

Dor Knafo is co-founder and CEO of Axis Security. Axis Security was founded to solve the problem of secure application access for employees, partners, and other stakeholders. Axis Security delivers a purpose-built zero-trust cloud native security and analytics platform for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29071
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...
CVE-2020-29072
PUBLISHED: 2020-11-25
A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js.
CVE-2020-26241
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) co...
CVE-2020-26242
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.
CVE-2020-26240
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on...