Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

My Take

 

FIRESIDE CHAT: The inevitable replacement of VPNs by ‘ZTNA’ — zero trust network access

By Byron V. Acohido

Virtual Private Networks – VPNs – remain widely used in enterprise settings. Don’t expect them to disappear anytime soon.

Related: Taking a risk assessment approach to vulnerability management.

This is so, despite the fact that the fundamental design of a VPN runs diametrically opposed to  zero trust security principles.

I had the chance to visit with David Holmes, network security analyst at Forrester, to learn more about how this dichotomy is playing out as companies accelerate their transition to cloud-centric networking.

Guest expert: David Holmes, Analyst for Zero Trust, Security and Risk, Forrester Research

 

VPNs encrypt data streams and protect endpoints from unauthorized access, essentially by requiring all network communications to flow over a secured pipe. VPNs verify once and that’s it.

Zero trust — and more specifically zero trust network access, or ZTNA — never trusts and always verifies. A user gets continually vetted, with only the necessary level of access granted, per device and per software application; and behaviors get continually analyzed to sniff out suspicious patterns.

Remote access is granted based on granular policies that take the least-privilege approach. For many reasons, and for most operating scenarios, ZTNA solutions makes more sense, going forward, than legacy VPN systems, Holmes told me. But that doesn’t mean VPN obsolescence is inevitable. To learn more, please give the accompanying Last Watchdog Fireside Chat podcast a listen.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

By Byron V. Acohido

Google, Microsoft and Apple are bitter arch-rivals who don’t often see eye-to-eye.

Related: Microsoft advocates regulation of facial recognition tools

Yet, the tech titans recently agreed to adopt a common set of standards supporting passwordless access to websites and apps.

This is one giant leap towards getting rid of passwords entirely. Perhaps not coincidently, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations.

Excising passwords as the security linchpin to digital services is long, long overdue. It may take a while longer to jettison them completely, but now there truly is a light at the end of the tunnel.

I recently sat down with Ismet Geri, CEO of Veridium, to discuss what the passwordless world we’re moving towards might be like. For a full drill down on our wide-ranging discussion, please give a listen to the accompanying podcast. Here are a few takeaways.

MY TAKE: ‘Digital trust’ has a huge role to play mitigating cybersecurity threats, going forward

By Byron V. Acohido

Modern digital systems simply could not exist without trusted operations, processes and connections. They require integrity, authentication, trusted identity and encryption.

Related: Leveraging PKI to advance electronic signatures

It used to be that trusting the connection between a workstation and a mainframe computer was the main concern. Then the Internet took off and trusting the connection between a user’s device and a web server became of paramount importance.

Today we’re in the throes of digital transformation. Software-defined-everything is the order of the day. Our smart buildings, smart transportation systems and smart online services are all network-connected at multiple levels. Digital services get delivered across a complex amalgam of public cloud, hybrid cloud and on-premises digital systems.

It is against this backdrop that digital trust has become paramount. We simply must attain —  and sustain — a high bar of confidence in the computing devices, software applications and data that make up he interconnected world we occupy.

NEW TECH: How ‘CAASM’ can help security teams embrace complexity – instead of trying to tame it

By Byron V. Acohido

The shift to software-defined everything and reliance on IT infrastructure scattered across the Internet has boosted corporate productivity rather spectacularly.

Related: Stopping attack surface expansion

And yet, the modern attack surface continues to expand exponentially, largely unchecked. This dichotomy cannot be tolerated over the long run.

Encouragingly, an emerging class of network visibility technology is gaining notable traction. These specialized tools are expressly designed to help companies get a much better grip on the sprawling array of digital assets they’ve come to depend on. Gartner refers to this nascent technology and emerging discipline as “cyber asset attack surface management,” or CAASM.

I sat down with Erkang Zheng, founder and CEO of JupiterOne, a Morrisville, NC-based CAASM platform provider, to discuss how security got left so far behind in digital transformation – and why getting attack surface management under control is an essential first step to catching up.

For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

MY TAKE: Log4j’s big lesson – legacy tools, new tech are both needed to secure modern networks

By Byron V. Acohido

Log4j is the latest, greatest vulnerability to demonstrate just how tenuous the security of modern networks has become.

Related: The exposures created by API profileration

Log4j, aka Log4Shell, blasted a surgical light on the multiplying tiers of attack vectors arising from enterprises’ deepening reliance on open-source software.

This is all part of corporations plunging into the near future: migration to cloud-based IT infrastructure is in high gear, complexity is mushrooming and fear of falling behind is keeping the competitive heat on. In this heady environment, open-source networking components like Log4j spell opportunity for threat actors. It’s notable that open-source software vulnerabilities comprise just one of several paths ripe for malicious manipulation.

By no means has the cybersecurity community been blind to the complex security challenges spinning out of digital transformation. A methodical drive has been underway for at least the past decade to affect a transition to a new network security paradigm – one less rooted in the past and better suited for what’s coming next.

Log4j bathes light on a couple of solidifying developments. It reinforces the notion that a new portfolio of cloud-centric security frameworks must take hold, the sooner the better. What’s more, it will likely take a blend of legacy security technologies – in advanced iterations – combined with a new class of smart security tools to cut through the complexities of defending contemporary business networks.

MY TAKE: What if Big Data and AI could be intensively focused on health and wellbeing?

By Byron V. Acohido

Might it be possible to direct cool digital services at holistically improving the wellbeing of each citizen of planet Earth?

Related: Pursuing a biological digital twin

A movement aspiring to do just that is underway — and it’s not being led by a covey of tech-savvy Tibetan monks. This push is coming from the corporate sector.

Last August, NTT, the Tokyo-based technology giant, unveiled its Health and Wellbeing initiative – an ambitious effort to guide corporate, political and community leaders onto a more enlightened path. NTT, in short, has set out to usher in a new era of human wellness.

Towards this end it has begun sharing videos, whitepapers and reports designed to rally decision makers from all quarters to a common cause. The blue-sky mission is to bring modern data mining and machine learning technologies to bear delivering personalized services that ameliorate not just physical ailments, but also mental and even emotional ones.

That’s a sizable fish to fry. I had a lively discussion with Craig Hinkley, CEO of NTT Application Security, about the thinking behind this crusade. I came away encouraged that some smart folks are striving to pull us in a well-considered direction. For a full drill down, please give the accompanying podcast a listen. Here are a few key takeaways:

A new starting point

Modern medicine has advanced leaps and bounds in my lifetime when it comes to diagnosing and treating severe illnesses. Even so, for a variety of reasons, healthcare sectors in the U.S. and other jurisdictions have abjectly failed over the past 20 years leveraging Big Data to innovate personalized healthcare services.

MY TAKE: Why companies had better start taking the security pitfalls of API proliferation seriously

By Byron V. Acohido

APIs are putting business networks at an acute, unprecedented level of risk – a dynamic that has yet to be fully acknowledged by businesses.

Related: ‘SASE’ framework extends security to the network edge

That said, APIs are certain to get a lot more attention by security teams — and board members concerned about cyber risk mitigation — in 2022. This is so because a confluence of developments in 2021 has put API security in the spotlight, where it needs to be.

APIs have emerged as a go-to tool used by threat actors in the early phases of sophisticated, multi-stage network attacks. Upon gaining a toehold on a targeted device or server, attackers now quickly turn their attention to locating and manipulating available APIs.

“Threat actors have become aware that APIs represent a ton of exposed opportunity,” says Mike Spanbauer, security evangelist at Juniper Networks, a Sunnyvale, Calif.-based supplier of networking technology.

Over the past year, I’ve had several deep conversations parsing how APIs have emerged as a two-edged sword: APIs accelerate digital transformation, but they also vastly expand the attack surface of modern business networks.