Supply Chain Attacks Start with your 3rd Party Providers

How well do you know your 3rd party service providers and their level of commitment to information security controls and procedures? What do you know about their service providers? For most companies, the answer is “not much”, yes virtually all organizations provide access to those “unknowns” into their network and applications to get the job done. Securing this supply chain has always been a headache for companies and several solutions are commonly used to balance between security and “getting things done”.

Technologies used to reduce 3rd party risks

One of the oldest and most commonly used solutions to enable 3rd parties is VPN:
A Virtual Private Network (VPN) creates a secure and encrypted connection over a less secure network, such as the internet. It allows users to securely access private networks and resources from anywhere in the world as if they were directly connected to the private network’s local area network (LAN).

When you connect to a VPN, your device encrypts all the data you send over the internet and sends it to the VPN server through a secure tunnel. The VPN server decrypts the data and forwards it to its intended destination, such as a website or a private network. Similarly, when data is sent back to your device, it is first encrypted by the VPN server before being sent over the internet. This encryption and decryption process ensures that your data remains secure and protected from unauthorized access while traversing the internet.

One would say that this approach is easy, and the data is transferred securely over the internet, but what about the endpoint itself? Do you trust it? Do you know what happens to your most sacred information once it leaves the premise? Do you even trust the user to do only things he is supposed to do while he has access to the entire network? 

Another technology emerged to answer these questions:

Virtual Desktop Infrastructure (VDI) allows users to access and use a virtualized desktop environment hosted on a remote server or data center. Instead of using a traditional physical desktop or laptop, users connect to the virtual desktop using a client application or a web browser. The virtual desktop includes an operating system, applications, and data, all of which are hosted and managed centrally.

VDI works by using a hypervisor to create and manage multiple virtual machines (VMs) on a server. Each VM represents a virtual desktop instance, which is then delivered to the user’s device over the network. The user interacts with the virtual desktop as if it were a local machine, but all the computing and storage resources are provided by the server. This allows users to access their desktop environment and applications from anywhere, using any device with an internet connection.

While VDI offers several benefits, such as centralized management, improved security, and flexibility for remote work, there are also some significant drawbacks.

More importantly let’s not forget the security risks of VDI.

It is a common misconception that virtual desktops are either invisible to hackers or immune to their attacks. However, neither of these assumptions is accurate. Virtual desktops are susceptible to the same types of attacks that pose threats to physical desktops. Even when attacks are detected, simply ending a session may not always prevent further damage. If there are no proper endpoint protections in place to defend the Virtual Desktop Infrastructure (VDI), hackers can cause significant damage by moving laterally from the virtual session into the server. From a security perspective, virtual desktops are fundamentally similar to their physical counterparts, despite what users may believe.

Despite costly and often clunky VPN and VDI deployments, substantial supply chain risk remains.

Zero-trust to the Rescue

To overcome all of the problems stated above a new concept emerged: “Zero-Trust”.

Zero Trust is a security concept based on the principle of “never trust, always verify.” In a Zero Trust model, organizations do not automatically trust any user or device, inside or outside their network perimeter. Instead, they verify the identity and security posture of every user and device attempting to access resources, regardless of whether they are inside or outside the network.

Key principles of a Zero Trust approach include:

Verify Every User: Instead of assuming that users inside the network are trustworthy, organizations verify the identity and permissions of every user attempting to access resources.

Verify Every Device: Devices, including laptops and mobile devices are also verified for security compliance and integrity before being granted access to resources.

Least Privilege Access: Users and devices are granted the minimum level of access necessary to perform their tasks, reducing the potential impact of a compromised account or device.

Micro-Segmentation: Networks are segmented into smaller, isolated zones to limit the lateral movement of threats in case of a breach.

Continuous Monitoring: Security controls continuously monitor and analyze user and device behavior to detect and respond to threats in real-time.

Assume Breach: Instead of relying solely on perimeter defenses, organizations assume that their network has already been breached and focus on protecting individual resources.

By implementing a Zero Trust approach, organizations can enhance their security posture by reducing the risk of data breaches, minimizing the impact of security incidents, and improving overall security visibility and control.

How Seraphic Security Implements Zero Trust

SaaS-based web applications, coupled with hybrid and remote work models, have made the browser the primary application of the enterprise. As such, it is increasingly under attack and a primary source of leaked sensitive data and credentials. This is due to VPN, VDI and other traditional defenses lacking the browser visibility and control required to protect them.

Seraphic makes it easy to protect any browser – Chrome, Safari, Edge Firefox, etc. – against phishing ransomware, sensitive data loss and high-risk policy infringements. Seraphic also enables secure access to SaaS and private web applications to employees and 3rd parties, from both managed and personal devices, without the complexity and cost of VDI & VPN. Seraphic is easily deployed and completely seamless to the user.

With all of the above zero trust principles in mind, Seraphic has created a “Seraphic Workspace” to enable organizations’ 3rd party contractors and remote workers to do their job efficiently and safely (to both user and the organization):

  • Users are authenticated through Seraphic.

  • Application access restrictions are based on device posture.

  • Users will be able to access only relevant applications while fine-grained policy will ensure that the user can do only permitted actions.

  • Browsing data and downloaded files encryption.

  • DLP controls.

For more information about Seraphic Security, contact us at info@solid8.co.za

Previous
Previous

5 CTEM Myths – Debunked!

Next
Next

Skybox Security delivers extensive automation enhancements with latest product release