What exactly is zero trust, why should we care about it, and how does an organization implement it? The answer is simple. In today’s interconnected world, where companies store many of their assets outside of their organization, the traditional “castle and moat” security model no longer suffices.

Implementing a zero trust philosophy is essential for reducing the risk to the enterprise or organization. Additionally, federal agencies are now mandated to adopt zero trust, which will likely cascade into other industries and service contracts. This blog will explore the foundations of a successful zero trust architecture and how to approach implementation for the best results

What are the tenants of zero trust?

The National Institute of Standards and Technology devised a set of standards for adopting processes that will authenticate and authorize user network access across all federal agencies, and ensure users accept those mechanisms.

Zero trust is not a technology, nor can any single vendor implement it for your company. It’s helpful to think of it as a philosophy that must be adopted and implemented across the entire organization to give your clients, employees, and customers peace of mind over the information they give you to do business.

Trust no one

Zero trust is a philosophy that assumes you have, or very soon will experience a breach and thus relies on a security environment where no one inside or outside your network is trusted. Verification is required from everyone trying to access your network and assets. Hence, zero trust.

Verify everything and everyone

Every access request must be explicitly authorized, regardless of whether it’s a user, device, application, or data. The authorizations behind these requests must be dynamic and based on contextual information, such as the health of the end-user device, data sensitivity, location, and threat environment.

Limit access

If an enterprise finds itself under attack, access decisions are modified accordingly. Encryption is used both in transit and at rest, and networks are segmented and controlled to prevent lateral movement by adversaries.

Monitor closely

Finally, the integrity and security posture of all resources remain constantly monitored to inform access decisions.

Where to begin

First, consider your governance, which includes your policies and procedures within your organization and how they may apply to any of your zero-trust principles.

You also have a policy engine that handles your automation and orchestration within the organization as you mature your processes. To achieve a more mature model, you must continue to take processes and automate them, producing an increasingly stable foundation.

The third layer is analytics and threat detection, which is visibility into your environment. Seeing across all of these pillars is very important to feed data into the policy engine and governance areas.

Implementing a zero trust architecture

How do you implement a zero trust identity architecture based on the NIST reference architecture?

Users on their endpoint attempting to access a resource must go through a policy enforcement point such as a firewall, cloud access security broker (CASB), or secure access service edge (SASE) enforcement product. The resource can be Azure, Salesforce, or even the Internet if data loss protection needs to be enforced.

To establish identity, you can use Azure AD, Okta, One Identity, or pinging, among other identity management solutions. You should also interrogate the device to ensure it has the appropriate posture, patches, and endpoint protection solution using Manage Engine or Microsoft Intune and security analytics like CrowdStrike, Microsoft Defender, Microsoft Sentinel, or Splunk to aggregate the information into your SIM tool.

Various firewall vendors like Fortinet, Palo Alto Networks, Checkpoint, Cisco, Microsoft Defender, and Netskope can be used as policy enforcement points.

The result is continuous trust verification, threat monitoring, endpoint validation, risk assessment, and location and time-based verifications, making it a critical component of zero trust.

Zero trust philosophy in the Cloud

For simplicity, we will focus on AWS, but these philosophies can apply to various cloud platforms, such as Google, Azure, or AWS.

Understanding how to implement a zero trust architecture involves a traditional three-stage approach.

A user enters through the front-end web application firewall into the public subnet of the web tier. From there, they pass through load balancing to a private subnet for the application tier. And finally, they arrive at a database backend (in this case, Aurora, Amazon S3, and Glacier).

• Segmentation is crucial to reduce blast radius. In this case, apply segmentation at both the public and private subnet levels. Security groups also play a significant role in this architecture, acting as a dynamic firewall. Since static IP addresses aren’t always available, security groups ensure only the applicable web tier servers can reach the application tier servers.
• Authentication leverages mutual TLS running through every communication with the help of Amazon’s Certificate Manager. Congnito also plays a role in ensuring all users are authenticated. AWS Identity and Access Management controls roles and access to resources.
• Detection uses platforms such as Amazon CloudWatch monitoring logs and Guard Duty to acquire threat intelligence. Implementing these measures brings together all seven tenants from NIST in a single application deployment.

Establishing a solid security foundation

In implementing a zero trust architecture, it is crucial to establish a solid security foundation, shifting from a traditional perimeter-based security model to one that focuses on securing every user, device, and network resource, wherever they are.

The NIST and CISA zero trust models are great examples to use as an architectural blueprint. It is also essential to assess your current maturity across the various pillars to see what you already have in your toolkit that you can reuse and function within the environment.

Starting with identity is also a great way to establish authentication—achieved through tools like Azure ID, pinging, or Okta. Data classification is also critical in designing a zero-trust philosophy.

Prioritizing and controlling sensitive data through a data classification policy ensures you can label and identify where it needs to go and how you want to keep the reins on those things. Remember that this is a journey and not a product, so prioritizing and protecting the data is key.

Safeguard your personal use of IT at home

In an age where cybersecurity threats lurk around every virtual corner, it’s imperative to apply the principles of zero trust not only in corporate environments but also your personal use of IT at home.

So, what can you do at home to fortify your digital defenses and stay safe in this interconnected world?

• Start by adopting a skeptical mindset, assuming that no device or connection is inherently secure.  
• Regularly update your operating systems and software to patch vulnerabilities, and employ strong, unique passwords for every online account.
• Implement two-factor authentication wherever possible to add an extra layer of security.
• Be cautious when clicking on links or downloading attachments, even if they appear to be from trusted sources.
• Utilize a reputable antivirus program and keep it up to date.
• A more advanced step is to segment your home network to isolate smart devices from critical personal information, ensuring that potential breaches don’t compromise your sensitive data.

By embracing zero trust practices in your everyday digital life, you can create a resilient fortress for your personal IT security.

Learn more about CISA Secure Our World campaign for safeguarding your personal devices.

Deploy your zero trust architecture with CBTS

The product landscape has become inundated with zero trust platforms and applications. Partnering with an IT solutions provider to guide you in how to implement zero trust solutions successfully is more important than ever.

While no single vendor can perform all protection information, CBTS has many offerings designed

around zero trust, including assessments, roadmaps, architecture planning, implementation services, and managed services. Using an external group for 24/7 threat management is essential for most organizations.

The experts at CBTS are here to guide your organization as you develop, deploy, and maintain your zero trust architecture. Contact us today for more information about how zero trust can take your organization’s security posture to the next level.

Network security is a double-edged sword in application modernization (updating legacy apps to run smoothly in cloud environments). On the one hand, improved security is one of the core benefits of app modernization. On the other hand, it can be one of the most significant hurdles organizations must clear to securely modernize legacy applications successfully.

The forces driving the need for modernization—the disruptor economy, data compliance regulations, and the push for speedy and elastic cloud-native development—are also pushing cybersecurity to adapt. Development is no longer linear, DevSecOps requires a coordinated team approach. Therefore, security processes that once worked in a linear model need to adapt to the process of continuous deployment.

This post will explore the primary benefits of modernizing applications. Additionally, we will review some of the challenges of cloud security and how cybersecurity itself is changing to address these areas of friction.

Learn more: The methods and motivations behind cloud application modernization efforts

The challenges of cloud security

Identity and access management (IAM)

Before complex network structures became common, a single firewall was often effective in securing an organization’s data centers. However, as data centers migrate off-premises and into the Cloud, this approach is no longer effective. Each cloud environment, each application, and in fact, each user represents a potential security risk. While firewalls still very much have a place in cloud security, the overall emphasis of cybersecurity has necessarily shifted to become identity based.

Identity and access management (IAM) is complex, especially for larger organizations that may host thousands of cloud-based identities. Managing and monitoring so many users is a tall order for in-house IT departments who, understandably, have bigger fish to fry (like innovation and supporting mission-critical ops). Nonetheless, identity management is vital, as user identities and their permissions are common targets of hackers.

Learn more: Zero trust networks (ZTN): What are they and how do I implement one?

Tensions between IT security and DevOps

In a report from GitLab, 42% of respondents said that security tests come too late in the development cycle. DevOps’ focus (and arguably its purpose) is to speed up application development through continuous deployment, emphasizing speed and efficiency. In contrast, cybersecurity teams focus on control and risk mitigation.

These two objectives can appear to be at odds and can cause tension between Development and Security teams. Ultimately, each team aims to maximize its respective performance. The development of DevSecOps (development, security, operations) provides an approach that accounts for both operations’ approaches. DevSecOps integrates and automates these three key functions, where possible, making your application modernization journey successful.

Solutions to cloud security issues

Cloud identity management

Robust IAM control must be in place to increase the enterprise’s application security posture.

• Embrace a zero-trust approach that enforces ID authentication with MFA.
• Establish and enforce identity governance protocols across the digital estate, on-prem and in the Cloud using CASB (cloud access security broker).

Culture

For cloud security to be effective, every employee must become a firewall. Training and security leadership has never been more critical. Organizations should adopt the following practices:

• Deploy multifactor authentication (MFA) for passwords.
• Encrypt sensitive data at each state, at rest and in motion.
• Test and pinpoint vulnerabilities with regular penetration testing.
• Maintain data compliance and adopt a regular patching schedule.

Automation

Automated tools powered by AI offer a unique opportunity to implement security tools and testing sooner in development. Developers don’t have to run these tools themselves, with automated and integrated DevSecOps guidance from the security team as part of the process.

DevSecOps and shifting left

The development cycle itself has become a challenge to security and vice versa. When software development was more linear, following the waterfall method, the natural place for security was neatly at the end of the process. However, as DevOps becomes increasingly circular and embraces agile app development techniques, it no longer makes sense for security to be an afterthought. Security must be involved much earlier in the process and integrate with development itself.

This situation has led to the rise of DevSecOps methodology. This framework aims to implement security earlier into the application development process, or “shift security left” on the X axis of the development timeline. DevSecOps promises to merge speed and security and reduce friction between DevOps and security in the process.

Making sense of application security for your organization

App modernization is not optional for most companies—therefore, application security must become a priority. A failure to migrate operations to the Cloud may result in dire consequences in the form of a significant security breach, slowing infrastructure, or being outpaced by digitally mature competitors. Without question, modernized applications are far more secure than legacy apps. But, as we’ve discussed, the move to a cloud-native methodology poses specific challenges, causing IT leaders to rethink cybersecurity and move toward a DevSecOps framework.

What is abundantly clear is that organizations must embrace security partnerships to establish and maintain a strong security posture. CBTS security experts continuously train to stay apprised of developing cyber threats and vulnerabilities. Our portfolio of security solutions includes managed security, assessments and testing, cloud security, and zero trust setup and support. Speak to one of our experts to learn more about how modernizing your applications can boost your company’s overall security.

If you are looking to build stronger cybersecurity into your business network, where does enterprise data security rank on your to-do list? Zero trust can help with that. It is one of the most fundamental yet most crucial steps you can take to protect your enterprise.

When I think about cybersecurity, I try to keep it simple and focus on the key items that are crucial to a successful cybersecurity strategy. A key component of any strategy is to figure out where to focus your efforts. For cybersecurity, you start by focusing your efforts on what you are trying to secure. Do you need to secure a system, a person, a device, a process, or just the data?

As I talked about zero trust last year at conferences and CIO roundtables, it helped people understand how to get started when I had them focus on the basics—namely, keep access to your confidential data restricted and keep your data secure from modification or destruction.

Enterprise data security protects your most valuable asset

The biggest risk currently to your data are cybercriminals or malicious insiders who attempt to steal or encrypt your data. Zero trust data security emphasizes a shift from “trusted networks” to the least-privilege principle that no network or device may be implicitly considered secure and that all traffic on the network or device must be encrypted and authenticated at the earliest opportunity.

Those of us in the information security field—CISOs and BISOs—implement technologies to keep laptops, desktops, and servers free from viruses and malware, but we do that to protect the data on those devices or systems. We secure the device to make sure that only authorized individuals can access the data that device can view.

We secure the device but what we really care about is the data. We do not really care about the device because it is effectively disposable.

Where does zero trust fit into a data-directed security focus?

If you start with a data-directed security focus, you can leverage the power of zero trust solutions to reduce your risk of a data breach. The news is full of reports about companies and organizations that failed to put appropriate controls in place to mitigate the risk of a cybersecurity incident. I have listed four steps you can follow to simplify the problem of enterprise data security. These steps follow the NIST 800-207 Zero Trust Architecture model that the federal government is implementing with the assistance of CISA.

Read more about Cybersecurity and data privacy: the legislative landscape is changing.

First, you need to discover, classify, and label your sensitive or confidential data. You can’t secure your critical data if you don’t know where it is, how it is used, and who has access to it. By classifying and labeling your sensitive and confidential data you can see where it is, how it moves and then implement appropriate access controls using zero trust principles.

Second, now that you know where the data is, you want to implement data resiliency. For your data to be resilient you need to have it encrypted and have immutable copies of the data so that you can quickly recover from an attack. AES type encryption will preserve the confidentiality of that data, both at rest (like your backups) and in transit (from the application to end user). If the data is encrypted at rest, someone can steal it, but it doesn’t harm you or your customers. With the data encrypted appropriately and with a good 3-2-1 backup strategy, threat actors and criminals can’t exploit you by encrypting the data or extort your customers by disclosing the data.

Third, with the data identified, encrypted, and backed up, you want to grant access only to those individuals who are authorized to view the data. To do that you need appropriate access controls using the principle of least privilege, which is a key component of zero trust. Access will require at least two forms of authentication to protect against compromised credentials, so you will implement multifactor authentication (MFA). Zero trust emphasizes user-centric authentication, where MFA is essential. MFA adds an extra layer of protection by requiring users to provide multiple forms of verification before accessing systems or data. This could include something they know (password), something they have (smartphone token), and something they are (biometric scan).

The fourth and final item from the zero trust model is continuous authentication, where user activity and behavior are constantly monitored to detect anomalies. Many zero trust solutions on the market are leveraging machine learning algorithms that can identify suspicious activities such as unfamiliar login times or access from peculiar locations. These tools can be programmed to respond immediately, by either requesting further authentication or blocking access.

Protecting data can mitigate complex and dynamic attacks

Clearly, protecting your sensitive and confidential data is no longer just an option but a necessity for companies and organizations to survive and thrive in the face of relentless cyberattacks. A data-directed strategy—using zero trust solutions built on the principle of least privilege—offers a robust defense against the dynamic and complex nature of modern-day cyberattacks.

I highly recommend that you identify your sensitive and confidential data, implement strong AES encryption at rest and in transit, with a 3-2-1 backup strategy, and adopt user-centric authentication that is continuously monitored. These four keys will help you build a resilient security posture that continuously verifies users and devices while safeguarding your most valuable asset—your data.

If you need guidance for building zero trust into your enterprise data security, contact our security team.

Minimizing data security threats and keeping operations safe is a demanding task that every enterprise grapples with daily. The proliferation of employees working from home (WFH) increases information security risks. In addition to the risks of work-from-home computers, your on-premises network devices, phone systems, and other infrastructure elements must be updated regularly and scanned for potential vulnerabilities. Understanding and implementing patch management best practices will set your company on track for a strong security foundation.

Vulnerability management and patch management are two fundamental information security practices. Vulnerability management helps you identify potential cybersecurity risks while patching is good infrastructure hygiene. When functioning correctly, they work together to help companies find and fix vulnerabilities and help properly allocate IT resources for maximum effectiveness.

Successful vulnerability and patch management are not just one-time or occasional events. Instead, they must become full-fledged programs in your organization. Ideally, patching should be a monthly event, monitoring vulnerabilities as they are discovered. To cover all the angles of your operations, a thorough and ongoing process of assessment, preparation, deployment, and support is needed.

Best practices for a comprehensive patch management program include the following:

• Inventory applications and assets.
• Prioritize systems by risk level.
• Generate a patch management policy.
• Backup your data before deployment.
• Test and document deployed patches in non-production environments.
• Finalize patches in production.

Learn more: Zero day vulnerabilities and their patches: I just met a vuln named Follina

Taking the right steps

With the above components in mind, enterprises concerned about the effectiveness of their patch management strategies should be sure to carefully exercise best practices. Alternatively, organizations overwhelmed by these steps could seek an experienced patch management provider like CBTS to set up and maintain the program. CBTS can also provide guidance and support for each phase of the process.

Inventory applications and assets

An audit of an enterprise’s software environment, hardware, and assets provides a better understanding of risk, vulnerabilities, and aids in prioritizing patches. This inventory provides a topography of current systems and what areas need the most attention. Whenever new applications or infrastructure is added to your organization’s technology stack, your “patch map” must be updated to reflect the additions to the patching program. Special care should be taken to assess third-party application vendors and what vulnerabilities they are adding to your environment.

Prioritize systems by risk level

After your organization has an up-to-date picture of its entire software and hardware landscape, it can effectively assign relative risk levels to each program or system. The higher the risk level, the faster it should be addressed in your patch management strategy. Additionally, if multiple versions of redundant software have accumulated in your portfolio, these can be consolidated to mitigate the risk of exposure from outdated applications.

A managed service provider can aid in analyzing and prioritizing your inventory and deploy automation tools that reduce manual legwork.

Other factors that determine patch prioritization include:

• Data sensitivity.
• Operational importance.
• Vulnerability.
• Device group or operating system.
• Third-party vendors.

Learn more: Top five cybersecurity actions to take right now

Create a patch management policy

If your organization utilizes a third-party vendor for some of its software solutions, involving this vendor in your patch management approach is crucial. Third-party software should be kept up-to-date alongside your proprietary software to ensure that your network environment is up-to-date. Third-party applications need to be updated, just like your other systems and hardware, to plug vulnerabilities that arise.

Other factors to consider when setting up the policies of your patch management program include:

• Cadence. Mission-critical patches should be updated monthly. Third-party vendors and urgent security vulnerabilities should be patched at the same frequency.
• Review. How often will your team review patching procedures and issues? A quarterly review is recommended.
• Monitoring. How will your team monitor newly deployed patches? Were the patches applied successfully or was there an error when deployed? Test to make sure the patch was successful.
• Documentation. Best practices include documentation, such as a user testing log, backout procedures, or other checklist documentation.

Backup data before deployment

There are risks when applying new patches to a system, even when you do thorough testing. That’s why creating full system backups for the affected assets is vital before patching. This ensures that your team has a working version to revert to if there is a problem with the patch.

Test and document deployed patches in non-production environments

A vital best practice of patch management involves testing patches in a non-production environment for critical systems. This sandbox or test environment should match your actual system as much as possible—the same hardware, applications, and other assets—to ensure that any issues can be traced and fixed before rolling out to production.

Finalize patches in production

Caution is almost always preferable to speed when it comes to security. To that end, when implementing the tested patch, utilize a phased rollout where you patch your critical production servers after they clear the testing phase, then move to less critical systems. 

The patching timeline in practice

Experienced patch management as a service providers work on a 30-day timeline to ensure systems stay up-to-date. When possible, patching takes place after hours to avoid potential service disruptions. The major exception to this schedule is urgent security patches known as “out-of-band” releases. These patches are released as needed and sometimes must be implemented on an accelerated timeline.

Watch this episode of Inside the CISO’s Office where CISO John Bruggeman and Jon Lloyd discuss the unnecessary risk organizations take by missing patches, and how to patch smarter, not harder.

A managed, full-spectrum approach to cybersecurity

Establishing and systemizing the best practices for vulnerability and patch management is time-consuming. Choosing patch and vulnerability management services from CBTS gives your business more time and these additional benefits:

• In-depth vulnerability assessments.
• A 98% patch success rate.
• Inventory, analysis, and prioritization of your highest risk vectors.
• Expert guidance in creating your patch management policies.
• 24x7x365 support.

A managed vulnerability assessment and patch management program by CBTS covers every aspect of your network environment, from your endpoints to critical assets, equipment, and facilities. It also extends from the planning and deployment phases to an ongoing monitoring and auditing period, ensuring that your organization’s patch schedule is optimized for your specific needs. The security team at CBTS is home to some of the most knowledgeable cybersecurity experts in the industry. Their knowledge of cutting-edge tools and processes is ideally suited to guide your organization toward a robust cyber defense.

Contact CBTS for more information on vulnerability assessment and patch management services.

Legacy applications often lack the security safeguards of their cloud counterparts. Interestingly, in some fields, these potentially risky legacy systems are why some organizations struggle to upgrade. According to a joint report from Capita and Citrix, over 50% of CIOs believe legacy apps are holding up digital transformation efforts. In many industries like healthcare or manufacturing, dependencies on legacy applications and infrastructure create nightmares for security teams. In these fields, downtime to upgrade systems is untenable. Additionally, specialized equipment, such as MRI equipment, may rely on end-of-life (EOL) workstations that run on unsupported OS, leading to un-patchable backdoors in an organization’s network.

Despite these challenges, organizations that refuse to modernize face substantial risks. In 2022 alone, more than 25,000 common vulnerabilities and exposures (CVEs) were discovered, the highest yearly number of exploits discovered to date. In the first quarter of 2023, almost 7,500 vulnerabilities were found by users and white hat agencies—a number that could exceed the record from 2022.

Lack of visibility, actively exploited security vulnerabilities, and incompatibility with cloud-based security tools are some of the obstacles to securing legacy applications.

Also read: Focusing on security in digital transformation

Common problems with legacy systems

1. Incompatible with new security features

Over time, the number of known vulnerabilities in any application tends to grow. Cybercriminals often subscribe to the same security blogs and databases that cybersecurity professionals read. In other words, the older an application, the more its known vulnerabilities will circulate among hackers.

Compounding this issue is the fact that legacy applications and infrastructure are often non-interoperable with the latest security features designed to combat evolving threats. Security features such as multi-factor authentication, zero trust policies, role-based access, and the modern encryption algorithms will function minimally or not at all, depending on the age of the legacy system.

In comparison, cloud application security tools simplify the process of security management—

especially in a distributed workforce—by improving end-user access, visibility by the security team, control, and access to next-gen anti-malware solutions.

2. Dependent on outdated infrastructure

At some point, updates to legacy applications are discontinued, meaning they must run on outdated operating systems or aging hardware. Like legacy applications, obsolete infrastructure is subject to security gaps that were filled by updated operating systems or newer hardware. This issue is compounded when developers stop supporting legacy systems and end security patches.

Additionally, custom-made legacy software presents its own issues. These applications may be riddled with “spaghetti code,” i.e., code that is difficult to untangle, update, or secure. In this situation, organizations might be forced to re-write and modernize the application or migrate to a comparable system that also requires migrating to new infrastructure to support it. However, with these upgrades and these investments in the future you can see that the costs are well worth the peace of mind. By investing in modern and supported software and hardware, your company will save money in the long run.

3. Lack of visibility

Another common scenario is that a legacy application might be forgotten, or it stops being useful to employees. IT teams may not even be aware that the app is there. Regardless, the vulnerabilities of these apps are still accessible to hackers. And without next-gen monitoring tools, the security team may not be aware of a breach until it’s too late to mitigate damage.

4. Risk of exposure

Exploits for legacy applications tend to increase over time as attackers learn how to attack these old systems and legacy software. Additionally, business restructuring from mergers and acquisitions (M&A) can generate orphaned systems that no one monitors anymore. For example, when FedEx bought the company Bongo, it was unaware that Bongo had an unsecured legacy storage server. A white hat group discovered a vulnerability that could have exposed over 100,000 sensitive customer documents.

5. Risk of falling out of compliance

Data compliance guidelines grow stricter as dependency on cloud storage increases due to the increased attack surface. Moreover, privacy regulations like GDPR, CCPA, and HIPAA can impose heavy fines on organizations that fail to secure their customers data. A prominent example is how Equifax was fined $750 million for a data breach that exposed nearly 150 million users’ personally identifiable information (PII) .

Legacy applications often fail to maintain compliance because the applications can’t meet current regulatory controls.

6. Lack of support

As time passes, the number of IT professionals trained to manage a particular application or operating system diminishes. Eventually, even the developer ends support of a legacy application, OS, or system. This means no more security patches, firmware updates, or bug fixes from the developer. Prominent software companies like Microsoft occasionally provide extended end-of-life support for critical legacy OS or applications for a subscription fee. But even this service eventually ends.

7. Loss of competitive advantages

Speed and agility are two of the most essential factors in ensuring that a business remains competitive. Reliance on aging infrastructure is not conducive to either. Organizations focused on repairing and maintaining IT systems cannot focus on achieving business vision or innovation.

Securing legacy IT systems

According to the Cybersecurity and Infrastructure Security Agency (CISA), the number one bad security practice is “using unsupported software for critical infrastructure.” While there are piecemeal security solutions for organizations forced to rely on legacy applications, modernizing them is the only real way to secure legacy IT applications and infrastructure entirely.

The experts at CBTS can help you assess options and execute a modernization plan. Our team has guided hundreds of clients on their digital transformation journeys. Secure, modern applications and infrastructure are the springboards our clients use to become more efficient, streamlined, and profitable. Speak with one of our project managers to learn how your team can utilize cloud infrastructure to speed up and secure your critical applications.

Get in touch today!

The importance of security assessments and penetration testing is well established. And just when an information security department thinks they have a handle on the security of their company’s operations, try introducing merger or acquisition. What can be—and often is—a monkey wrench thrown in a company’s information security works, mergers and acquisitions (M&As) can introduce a foreign entity into the network and information infrastructure, usually with aggressive timelines.

The chaos and confusion of these events make it difficult to keep track of systems and data, as well as the added task of integrating new web applications—both internal and external-facing—into the organization’s infrastructure.

Given the additional complexities of an M&A event, performing security assessments both before and after a merger is crucial to understanding the new overall security footprint.

Also read: Essential security practices to protect your business

The importance of assessing your security posture during M&A

The critical nature of regular security assessments during M&A was on public display when, in 2016, Marriott International acquired Starwood Hotels. Unbeknownst to Marriott, attackers had exploited a flaw in Starwood’s reservation system two years earlier.

Over the next couple of years, they:

• Incrementally compromised over 500 million customer records (133 million of which were American customers).
• Were in immediate trouble with the UK Information Commissioner’s Office (ICO), and with new GDPR regulations in effect from 2018, were fined over £18.4 million ($24 million USD at the time of writing). 
• Marriott now faces an ongoing class action lawsuit from the customers whose data was compromised.

In 2017, Verizon’s acquisition of Yahoo! highlighted two very significant data breach nightmares—undisclosed to Verizon by Yahoo!—that also put on public display the critical nature of penetration testing during M&A events.  

In the first breach, an attacker stole the personal data of at least 500 million users, including some unencrypted passwords and answers to security questions. In the second breach, 1 billion accounts were compromised, and users’ personal information and login credentials were once again stolen.  

Yahoo! tried to defend itself from liability by saying the passwords were hashed with MD5 (a message-digest algorithm) but by 2017, MD5 had already been deemed obsolete since it is easily cracked to reveal passwords with off-the-shelf computer technology at the time. 

In the wake of the Verizon-Yahoo! M&A landmine, the Securities and Exchange Commission (SEC) was prompted to issue new guidelines for cybersecurity disclosures so neither shareholders, customers, nor acquiring companies are kept in the dark about a data breach.

The unfortunate part about these M&A disasters is that they were unforced errors that could have easily been prevented with security assessments and penetration testing. These two vital services would have revealed the critical vulnerabilities attackers were exploiting and created a high likelihood that a security consultant would have discovered evidence of the previous breaches and leakage of data before the M&A activity began.

Also read: Why continuous penetration testing is critical for security

First steps for an effective security assessment

A security assessment can evaluate either a security architecture or a security program. Or both.

Assessing a security architecture involves measuring an organization’s infrastructure and practices using well-established security best-practice standards, such as the CIS Critical Security Controls.

Security program assessments measure an organization’s security policy and risk using a well-established security framework, such as NIST Cybersecurity Framework. Both CIS and NIST are mainly interview-based, meaning the assessor interviews the organization’s information security team, and each of the controls in the framework is answered and discussed.

The result of these interviews is a findings report that the customer can use to understand how they compare to their peers in the same industry. In addition, the security architecture assessment has another component: a hands-on test of an assessor tool against the organization’s “gold” workstation and server deployment images.

The results of this assessor tool’s run are integrated into the final report. The report will identify areas where the company’s architecture is sound and where they have gaps with standing best practices.

Also read: How to focus on security in a digital transformation

The significance of penetration tests during a merger and beyond

Penetration testing can be time-boxed or continuous. Time-boxed penetration testing has a start and stop date, resulting in a report that signals the end of the activity. While time-boxed penetration testing offers significant value and could have easily prevented the aforementioned M&A disasters, they are no longer considered best practice given how quickly new vulnerabilities are exploited.

They are, in essence, a snapshot in time. Continuous penetration testing is, as the name implies, the process of continuous scanning and attempted exploitation of systems, resulting in periodic reports that can be compared to each other to show delta.  

Operate at the gold standard

Today, continuous penetration testing is considered best practice. The periodicity of the continuous testing will quickly reveal vulnerabilities that are inadvertently introduced during the M&A process, whether through the phased integration of the acquired party’s systems and applications, or through attempted remediation of vulnerabilities identified in a previous penetration test run. These efforts can be implemented either in-house or through a managed service.

If your company is about to embark on a merger or acquisition, it is crucial to conduct security assessments and penetration tests on both your infrastructure as well as the M&A target’s infrastructure.

It is the only way both entities will know what they are getting into and the work needed to shore up network infrastructure before the M&A happens.  CBTS is a trusted third party that has not only an industrial-strength information security practice, but also a dedicated penetration testing team that offers services ranging from security architecture and security program assessments to time-boxed penetration testing, and managed continuous penetration testing. If you have questions about how a security assessment can benefit you, contact us.

What exactly is SASE (pronounced “sassy”)? It’s a framework that unites security and networking in a cloud-based model, combining software-defined wide area networks (SD-WAN) with secure service edge (SSE) technologies. SASE benefits an organization by simplifying and strengthening its security fabric, boosting efficiency, and simplifying WAN deployment. It is evolving to include a portfolio of security tools, including VPN/ZTNA, EDR, CASB, DLP, and a host of new emerging AI tools.

Each SASE and SD-WAN vendor offers slightly different features, so it’s not uncommon for organizations to utilize multiple security and networking solutions to create a customized security strategy. However, managing several vendors quickly becomes overwhelming for overworked IT departments. A managed service provider (MSP) like CBTS can help your organization choose and implement as many solutions as necessary for your operations while maintaining a single point of contact.

Learn more: What is SASE?

What SASE means today

SASE increasingly relies on zero trust network access (ZTNA), a security philosophy that only gives users access to systems and applications as needed. ZTNA is a broad approach, but in essence, it involves the following:

• Identity management.
• Multi-factor authentication.
• Application and device management.

A vital tenet of ZTNA is the concept of “least privilege access,” which monitors user IDs, device IDs, and application IDs for anomalies. For example, if a user who logs into a Salesforce account at 9 a.m. in Chicago and then tries to log into the same account from Germany at 10 a.m., this activity is blocked as impossible and suspicious.

Additionally, as SASE evolves, it has grown to incorporate other security tools, including:

• VPN clients.
• Remote SWG clients.
• Multiple site east/west firewall.
• CASB/DLP.
• EDR/XDR.
• MDR/SOC.
• Malware/threat prevention (signature and IP reputation).
• New AI/machine learning technologies.

Learn more: 2023 Strategic Roadmap: The Future of SD-WAN

Single platform vs. best-of-breed

Leading technology vendors like VMware and Palo Alto offer various SD-WAN and SASE solutions. Some vendors consider SD-WAN and SASE to be the same thing. While there is a good amount of overlap between the two, there are enough differences to be meaningful. Choosing a single vendor for SASE and SD-WAN has the benefit of simplicity and lowering operational complexity.

But what if there are specific tools that your organization needs from rival vendors? Then your IT will need to manage several platforms and risk tool sprawl. But a managed service provider can deliver integrated solutions from multiple vendors in a customized best-of-breed approach. This approach offers the best of both worlds—simplified operations while accessing the highest quality tools.  

Top benefits of a managed SASE solution

1. Cost efficiency

Managed services eliminate the need for upfront technology spending and significantly reduce overhead. Managed SASE shifts the expense model from CapEx to OpEx. Additionally, managed SASE allows IT departments to realign from maintenance tasks to innovative, mission-critical projects.

2. Access to experts

Your IT department likely houses many skilled professionals. However, security requires up-to-the-minute knowledge of the increasingly sophisticated threat landscape. CBTS security experts constantly monitor and adapt to emerging threats. In addition, they can guide your company through the thorny issues revolving around data compliance.

3. Mitigate security risks

It’s not enough to simply access next-gen security tools. Your company needs the experienced hand of security professionals to implement those tools according to the highest priority threats based on ZTNA and data compliance frameworks. Managed SASE significantly improves security across all users.

4. Increase visibility and control across hybrid environments

Managed SASE provides greater visibility across the whole of your digital estate. Closely monitor applications, users, and data flow. What’s more, managed SASE lets you take control of user profiles or application traffic when needed.

5. Simplify security operations

Merging networking and security with a managed SASE solution simplifies IT operations for the enterprise. There’s no need to update hardware at each location; all that’s needed is an Internet connection.

6. Free up IT resources

Implementing, managing, and maintaining SASE tools require time and resources. Sustaining relationships with vendors takes even more time. MSPs remove these burdens and allow your IT team to refocus on more important tasks.

7. 24x7x365 support

A high-quality MSP supports your business through each phase, from consultation to deployment to support. CBTS managed service experts provide day-two assistance for their clients and 24x7x365 technical support, as well as response, remediation, and SOC (Security Operation Center) capabilities.

8. Custom solutions

Utilizing the CBTS best-of-breed approach, you gain access to the best tools your organization needs, regardless of the vendor. Our team can advise you on what services, bundles, and solutions make the most sense for your company and then implement and manage those solutions. While being vendor-agnostic, CBTS maintains relationships with industry-leading technology vendors that our experts can leverage to seek the best pricing possible. Additionally, you will avoid the tool sprawl associated with deploying multiple security and networking tools by leveraging CBTS as your single point of contact for your organization.

9. Flexibility

Managed SASE solutions are easily implemented at any location and for remote work environments. CBTS service managers continuously update, upgrade, and manage SASE platforms to ensure the highest quality of service. Security policies can be customized based on user groups, personas, or roles.

10. Security on a global scale

SASE is ideal for a hybrid world. Admins can set security policies from a central cloud-based platform for every branch globally. They can easily add new branches or implement multi-factor authentication. Build security standards that apply to your business, regardless of where the user works.

Managed SASE is a future-proof investment

Managed SASE benefits your organization in many ways, including a cost-effective increase in ROI, reduced operational complexity, and greater security regardless of where your staff is located. While taking a single vendor approach to SASE management has its benefits, in the end, the logical conclusion is to seek out a best-of-breed provider that can offer custom solutions while maintaining a single point of contact.

The MSP you select for SASE implementation must have security and networking experience. CBTS is deeply experienced in both areas, with extensive relationships with leading security vendors, including Check Point, VMware, and Palo Alto. By combining multiple, best-of-breed SD-WAN and SASE solutions, CBTS delivers complete cloud-based security while streamlining access and control for our clients.

CBTS experts work from the assessment phase to the implementation of your SASE capabilities to provide ongoing, full-spectrum support for your organization.

Contact us today to level up your approach to network security.

The security landscape of the digital workplace

As the paradigm of work has permanently shifted, hybrid and remote work are here to stay. Even companies that have returned to “normal” operations face enormous pressure to offer hybrid options. The need for cloud telephony and collaboration tools has exploded in this environment. Various Unified Communications as a Service (UCaaS) solutions have evolved to meet demand.

UCaaS platforms effectively unite collaboration tools such as Microsoft Teams Voice or Webex Calling by Cisco with cloud-based telephony. It’s safe to say that, eventually, every industry will run its communications through a unified solution that utilizes a cloud collaboration environment. This development seems to be the progression arc of modern communications technology, and it’s overwhelmingly popularity among employees in every industry.

But with the emergence of UCaaS as a primary form of corporate communications, the demand for advanced security measures has increased. The increased reliance on cybersecurity insurance, HIPAA, and other regulatory requirements demands data is protected, driving the push for enhanced security practices. Additionally, the trend to merge UCaaS with Contact Center as a Service (CCaaS) platforms means that security controls must be robust and flexible, as well as deployable across multiple environments and platforms.

This post will briefly examine the technologies driving the digital workplace and delve into the security threats to UCaaS and the security tools evolving to face them. 

Learn more: SD-WAN and NaaS from CBTS pays off for alternative financial services companies

Threats and challenges of UCaaS security

Security is one of the chief benefits of embracing a Unified Communications system. On-premises data centers require enormous upkeep—patching, firmware updates, upgrades, replacements, and firewall maintenance. UCaaS shifts the burden of security to the managed service provider who holds expertise in maintaining security.

The move to managed services isn’t found only in collaboration or telephony, but in all sorts of workloads and Software as a Service (SaaS) applications. Organizations want the same benefits of on-premises equipment without overloading their in-house IT team.

Even though cloud-based infrastructure and applications are more secure than their on-prem legacy counterparts, the move to the Cloud brings its own set of security challenges. The core threats to the digital workplace are the exploding complexity of hybrid networks and the increased sophistication of cybercriminals. Remote work multiplies the number of devices, connections, and applications interacting with your business network. Each user represents a potential security weakness.

Additionally, video conferencing and collaboration tools have their unique security concerns. Threats like “zoom bombing” and sophisticated eavesdropping techniques mean data, recordings, and connections should be encrypted end-to-end. 

Also read: Nine compelling benefits of a CBTS managed cloud environment

UCaaS security solutions

Next-gen security tools

The next generation of security tools, particularly SSE/SASE, is about delivering cloud firewall services, CASB, ZTNA, and cloud secure gateway services to any device. The shift in thinking is from building a “wall” around the organization to building one around each user. SASE is necessary in addition to Microsoft Security Protocols (native in MS Teams, MS Suite, etc.), SaaS, and custom-built apps.

Other emerging technologies include:

• EDR (Endpoint Detection and Response): Next-gen, AI-powered antivirus platforms that flag irregular user activity in location, action, or time.
• CASB (Cloud access security broker): Multi-cloud API flow monitoring and threat detection that merges with data loss prevention (DLP) tools.
• Device identification and management: Gives admins greater control and visibility into the devices connected to their network at any given time.
• Secure gateway: Restricts access to dangerous sites and malware.
• Patching as a Service and vulnerability scans: IT admins push out patches through the network. CBTS can refine the process and boost patching success rates through testing.

Additionally, CBTS deploys these tools by following emerging security concepts like zero trust networking access (ZTNA) which mitigates risk by limiting access to only what’s necessary for each user.

Seamless integration

Many organizations lack an appropriate number of solutions to defend digital processes properly. However, the inverse is equally true for many companies. As more security tools emerge, an IT department may suddenly find itself managing a portfolio of five, six, seven, or more platforms. Tool sprawl is a challenge for even the most seasoned IT professional. In response, industry-leading companies like Palo Alto and Cisco are pushing to condense and merge their security offerings.

Working with a managed services partner like CBTS eliminates this issue. CBTS will partner with your organization to help select the right solution for your business and manage that solution—all while serving as the primary contact.

Single-pane-of-glass controls

The need for simplified controls also accompanies the push for integration. Vendors are working to make this a reality for their companies by creating an easy-to-use dashboard that controls multiple tools or works across vendor platforms. CBTS can design custom dashboards to help you manage multiple tools and vendors.

AI and machine learning

Advances in AI are fueling faster threat monitoring, identification, and remediation. Machine learning tools navigate the growing complexity of UCaaS solutions and the rest of the digital workplace to root out developing malware threats in near real-time.

Compliance management

Compliance movements like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) stateside are forcing IT leaders to rethink compliance management. Working with a managed service provider like CBTS removes stress by putting the onus of keeping up with evolving legislation and cybersecurity standards on the service provider.

Also read: Data protection and managed backup for secure cloud organizations

Selecting a digital workplace security partner

As discussed in this post, it’s only a matter of time before most companies must design and deploy a UCaaS solution to manage their communications effectively and ensure an efficient digital workplace. IT leaders should select managed service providers with broad shoulders. Why not partner with a managed services provider that can implement workplace solutions while ensuring maximum security through next-gen tools and emerging security concepts such as ZTNA?

CBTS offers full-spectrum solutions that support each phase of your digital transformation journey. Get in touch today to learn how CBTS UCaaS solutions and security measures can help your company thrive.

Most organizations and enterprises rely on their IT systems and the Internet to develop, build, and sell their products and services. Moreover, they often use a complicated web of contractors and vendors that are integrated into those IT systems, creating a hyperconnected and complex ecosystem that exposes organizations to systemic risk.

In this blog, I consider how to effectively measure and communicate this type of risk. With quantified risk at hand, you can then make the financial case for cybersecurity measures to minimize that systemic risk.

Learn why you need to understand your risk to qualify for cyber insurance.

Why do you need to create a realistic picture of risk?

Against the backdrop of systemic risk, cyber and security professionals strive to develop and deploy protection measures to lower risk. The reality is there are just too many areas where an adversary could attack. At the same time, securing all of those would be prohibitively expensive and time consuming.

Given these realities, we need a way to decide what to address and what not to address. In essence, we need to find the measures that reduce the most risk for the least expense, or more plainly, give us “the biggest bang for the buck”, all while acknowledging there will always be residual risk.

What is the best way to communicate risk?

In addition to maximizing the risk reduction, we also need a communication mechanism for talking to the executive team and or board of directors to persuade them to provide support and funding. One mechanism for achieving this is to communicate actions in terms of business risk. Each entity’s risk appetite is very different from the next, so tailoring the conversation to the specific needs of your audience is extremely important.

For example, as compared to an established firm, a start-up will often accept larger risk. By nature, startups embrace product risk. A start-up that considers heavy spending on security knows that such spending would detract from product innovation and increase product time-to-market.

What is a good approach to assess and understand risk?

Identifying, managing, and communicating risk requires a cross-discipline team as no one individual knows everything. That’s right, even I don’t know everything! As with any team exercise it is important to ensure everyone is using the same language. I find that the Open Factor Analysis of Information Risk (FAIR) taxonomy is superb.

FAIR clearly defines the differences between risk, vulnerability, threat, probability, and more. Additionally, it offers a mechanism to quantify the risk and express it as an annualized and or one-time loss. While not all organizations will be ready or able to wait to implement that level of rigor, it can still be used to deliver a qualitative assessment that CEOs and CFOs will be able to understand.

Personally, I find that understanding an entity’s value chain and risk appetite allows risk practitioners to position risk reduction or mitigation measures more effectively and balance the desire to reduce risk with the need to grow and operate the business. If technical and security practitioners cannot articulate the risk reduction a particular product will deliver, it is highly likely that any decision made to mitigate perceived risk is a knee-jerk selection based on current trends or vendor marketing.

In conclusion

The reason you need to think about risk is simple: your business is complex. Wise business decisions balance numerous factors, such as change and stability, safety and risk, and both long and short-term outcomes. With risk factoring into every equation, it is essential to quantify and communicate risk in ways that everyone can understand.

Contact our security team today if you need assistance with assessing and mitigating your risk today.

More from David Leech

Key themes to the new cybersecurity law and legislation coming online in 2023

Cybersecurity and data privacy: the legislative landscape is changing

Ten years ago, implementing a single firewall per business location was considered an adequate security practice. However, a single firewall is not sufficient in this age of remote and hybrid access where criminals and threat actors actively target your company.

Why?

Because the points of presence (PoPs) for even simple business models have exploded in recent years. No longer is it enough to simply protect a company’s digital perimeter or edge, but managed network security services must now encompass employees, devices, and applications. An organization’s data must be secured, no matter where it lives or how it flows.

In other words, each device must be secured, every application monitored for vulnerabilities, and every employee must become a firewall. As hackers become increasingly sophisticated at targeting your employees and the potential points of attack continue to multiply, organizations must deploy both proactive and reactive managed network security services. Gone are the days when running an antivirus program occasionally was a satisfactory defense technique. Now, businesses must manage a portfolio of security applications and protocols to address the increased risks to your data.

This post will review the best practices of managed network security services through the lens of three security strategies:

• Devices
• Applications
• People

Securing devices

Brought on by the COVID-19 pandemic, the remote and hybrid revolution of the world’s workforces mean that it is no longer sufficient for an employee to work from anywhere; they also want to work from any device. While this is incredibly convenient for remote employees, it is a massive potential problem for security teams. Each device represents a potential vulnerability or weakness in the secure perimeter you need to establish to reduce risk.

Fortunately, managed network security services are evolving to secure mobile devices. Effective risk mitigating strategies include:

• SASE/SSE. Secure access service edge (SASE) and security service edge (SSE) are cloud security solutions that integrate with emerging cloud network tools (Firewall as a Service [FWaaS], SD-WAN, and zero trust networking access [ZTNA] to name a few) to secure access points and PoPs.
• EDR. Endpoint detection response (EDR) is a next-generation suite of antivirus and anti-malware applications that make your devices unattractive targets for criminals. EDR does not rely on user signatures but instead deploys machine learning to notice aberrations in user behaviors. EDR also utilizes more effective tools to contain and defend against malware.
• MDM. Mobile device management (MDM) is a way for organizations to control connected mobile devices. First, businesses enroll the device in the MDM tool and set rules and policies for the device. For example, MDM can turn off the camera function of a device during a sensitive meeting. MDM can also send an application to every MDM-enabled device within an organization. MDM is an emerging technology to allow businesses to secure their employees’ devices en masse.

Learn more: 2023 Strategic Roadmap: The Future of SD-WAN

Securing applications

In many ways, modern businesses are the sum of their data and value-add applications. For example, a Software as a Service (SaaS) company may market and sell applications to its end users. The same company also uses applications for business operations: finances, payroll, HR management, communications, security, etc. As each device represents a potential security breach, so does each application. Additionally, with digital and physical supply chains being more interconnected than ever, the potential for catastrophic damage across entire sectors is a genuine danger. Remember the Log4J vulnerability that was revealed in December of 2021 and the impact that had on virtually every organization.

Businesses can take proactive steps to secure their applications enterprise-wide using managed network security services such as:

• Patch applications. A vital and often overlooked piece of security hygiene is routinely checking for and installing the latest patches for each application. These patches plug security vulnerabilities as they are discovered. An organization should check for new patches at least once a month.
• Vulnerability scanning. This automated test seeks out potential vulnerabilities and creates an actionable report. As a rule, vulnerability scans should be scheduled to run once a month.
• Penetration testing. Often confused with vulnerability scans, a penetration test (pen test for short) is an in-depth, cohesive examination run by actual humans. The goal is to simulate a cyberattack. Unlike a vulnerability scan, pen testing is an investment, ranging anywhere from $15,000 to $70,000. Testing length varies from a couple of days to several weeks depending on the size and scope of the test.
• Security assessments. How do you know what security measures you need to implement to secure your applications? Security assessments advise businesses on what mosquitos to swat (patching and vulnerability scans) versus potentially catastrophic attacks they must prepare for (penetration testing). In addition, security assessments help companies comply with evolving government security and application management regulations. Security consultants like CBTS take a holistic view of the organization, factor in business goals, and deploy solutions with a phased approach.

Learn more: Cloud security controls that help mitigate risk

Securing people

Businesses hoping to attract and retain the best talent know they need to meet the demand for a hybrid workforce. However, it is unfortunate that a vast majority of security breaches come from users falling for a phishing attack rather than a brute-force cyberassault. People are distracted by hectic schedules and responsibilities, and social engineering schemes grow more sophisticated by the day. That’s why it is incredibly vital to generate a culture of security.

Each employee must become a firewall. But what does that actually mean?

Choosing a trusted partner in managed network security services

Choosing which security tools are appropriate for your company’s unique needs is challenging. How do you select not just adequate tools but the best-in-class anti-malware services? How do you deploy those tools effectively without overburdening your IT department while staying on budget?

CBTS uses a consultative approach to discover your company’s needs and to develop a phased plan for instituting the appropriate solutions. Our profoundly experienced team offers a comprehensive security assessment to identify potential vulnerabilities and proactive steps to prevent malware attacks. CBTS managed security services save your IT team time and money by offloading the burden of researching, managing, and updating security tools.

Get in touch with CBTS today to learn how to protect your devices, applications, and people.

Learn more: Watch our Tech Talk replay now