Latest Posts

Sectona Recognized By KuppingerCole As A Maturing Challenger

PAM Market Overview KuppingerCole, a leading analyst organization headquartered in Europe, announced public availability of its Leadership Compass report for Privileged Access Management.  The report suggests that PAM has become one of the “fastest growing areas of cybersecurity and risk management solutions”. KuppingerCole estimates the PAM market is a $2.2bn market by revenue with a growth of up to $5.4bn expected by 2025. The reports states how credential vaulting, password rotation, controlled elevation and delegation of privileges, session establishment and activity monitoring are now almost standard features of any PAM solution. More advanced capabilities such as privileged user analytics, risk-based session monitoring, advanced threat protection, and the ability to embrace PAM scenarios in an enterprise governance program are becoming the new standard for PAM solutions to protect against today’s threat. Sectona Strongly Recognized as Challenger Sectona has impressively surpassed several competitors in this report to make its way as a strong Challenger to look forward to. Among a competitive space of 25 vendors recognized in this report, 80% of whom have been in the industry for over a decade, Sectona in a short span of just over 3 years has shown immense growth and earned an admirable spot as a strong Challenger in the Overall rating. The lead analyst Paul Fisher highlights “Given how the short time that has elapsed since the company was founded, it is maturing at an impressive rate”. Speaking about some key innovation and strengths, the report also rates Sectona a respectable Challenger in the Product and Innovation Rating sections. This has been a noteworthy feat for the company considering how it has quickly graduated from being a Follower in the previous report to a Challenger this year. Feature-rich, the KuppingerCole analyst also rates Sectona’s PAM solution Spectra as a ‘positive’ when it comes to Interoperability, Usability and Deployment. Sectona PAM Analysis in the Report Considering Sectona is a young company, analysis of its PAM product involves mostly hits especially for the key aspects with little misses. Hits - Easy to understand and use dashboard, PDK (Plugin Development Kit) does not need coding - Access from wide range of platforms without agents or plug-ins - Strong support for cloud-based services to onboard assets - A collaborative, cross-platform approach allows for integrations offering desired flexibility - Despite its relative youth, the company has done well to present some advanced ideas on PAM and application integration Fisher specifically calls out Spectra’s PSM (Privilege Session Management) strength stating that it “offers access to privileged sessions over any HTML5 supported browser from any platform without the need of agents or plugins to be installed”. This aligns with not just the core PSM capability but also covers needs of advanced requirements including secure remote access for users, especially in today’s digital environments. Misses - While undoubtedly innovative, Spectra needs to offer more capabilities to succeed in Europe and North America - May struggle to fund the marketing it deserves - Functionally limited to PSM with lack of proven AAPM (Application to Application Password Management), CPEDM (Controlled Privilege Elevation and Delegation Management) capability Primarily being a non-funded company, Sectona has grown its revenue 300% YoY. This is testament to the fast-growing business and financial stability of our company. Sectona has a strong foothold thus far in India, Middle East and East African countries and have aggressively begun adequate marketing initiatives to penetrate and sustain newer markets including Europe. From a technology standpoint, Sectona’s Spectra PAM solution has proven Application to Application Password Management capabilities. This is highlighted in the report by Fisher where he mentions “It’s up to speed with features such as application to application password management by using APIs and SSKs (Software Support Kits) for many platforms”. Spectra also has built-in Privilege Elevation and Task Automation capabilities. This is also rightly mentioned in the report stating Spectra “offers some degree of automation with Privileged Task Management”. Where We are Headed Our commitment to innovate and address more genuine and practical areas of concern around privileged access has never ceased. We continue to develop and enhance our PAM product capabilities to make it a more value-driven offering for organizations. Some of our innovative capabilities for the near future include: DevOps – Secrets Management Sectona is currently working towards making its DevOps secrets management module available by the 3rd quarter of this year. Sectona has always believed in a future vision and had started developing around DevOps secrets management last year. This thought process is also validated by KuppingerCole where they identify DevOps in organizations as one key contributor to the growth of the PAM market. To add to it, Paul Fisher highlights that Spectra “is well positioned to manage DevOps and containerization demands in the future”.  Privileged Account Governance While Spectra has taken care of the customizable reporting and dashboard part in its current version, roadmap includes a dedicated PAG (Privilege Account Governance) module providing privileged access certifications and valuable insights related to the state of privileged access. This again is in line with some of the advanced capabilities that PAM solutions will be expected to have, as stated in the report.
Vishal Thakkar May 10, 2020
Vishal Thakkar
May 10, 2020

Strengthening Core Security To Achieve Compliance With SAMA Cybersecurity Framework

Safeguarding the sensitive data of your digital society is one of the prime requirements for any nation. Online services are becoming strategically important for both public and private sector organizations, helping them grow a digital economy. And Kingdom of Saudi Arabia is not immune to this growing change. They proactively explore and implement a strong, immune, system which can safeguard sensitive data, transactions and most importantly confidence in the entire Saudi Finance Sector. The financial sector in Saudi recognized the rate at which technology is changing, and the cyber threats always loom large in any given situation along with evolving risks. Saudi Arabia Monetary Authority (SAMA) came up with cyber security framework in May 2017 to enable financial institutions to effectively identify and mitigate the cyber risks.  The main objective of this framework is to: To create a common approach for addressing cyber security within member organizations To achieve appropriate maturity level of cyber security controls within member organizations To ensure cyber security risk are properly managed throughout member organizations The requirements of this framework does not just encompass best practices suggested across various industry cyber security standards like PCI DSS , NIST, ISF, ISO, BASEL but also mandates adherence to some. The framework mandates and defines principles, and objectives for initiating, implementing, maintaining, monitoring and improving cyber security controls in member organizations. The SAMA Guidelines are very crisp and clear regarding cyber security principles and objectives. Those are broken down into four domains of cyber security: Leadership and Governance, Risk Management and Compliance, Operations and Technology and lastly Third-Party Security. [caption id="attachment_23026" align="aligncenter" width="503"] Figure 1: SAMA Cyber Security Framework Structure Source: Cyber Security Framework, Saudi Arabia Monetary Authority, Ver 1.0, May 2017[/caption] It is well known that regardless of the source of a cyber-attack, compromised credentials eventually lead to cathartic damages in any cyber-attack. Identifying the root cause for this spot on, SAMA suggests stringent measures around User Privileges, Identities & Access Management. They have laid down a comprehensive list of control consideration policies for member organizations around providing need-based and controlled access to critical IT systems, discovering & vaulting critical IT systems and privileged accounts, comprehensive monitoring and logging and multi-factor authentication enablement for all privileged users including internal staff and third-party vendors. Sectona PAM is Aligned with SAMA Best Practices Sectona, with its modern and next generation Privileged and Remote Access Management (PAM) Suite helps organizations achieve compliance with confidence. Business Requirements for Access Control The guidelines state that all the users’ access must be on need-to-have and need-to-know basis to avoid unauthorized access and (un)intended data leakage. With Sectona’s Spectra Privileged Access Management, access can be controlled, defined and managed on a need-to-know and need-to-have basis. Depending on the users’ roles, responsibilities and need to access critical IT systems, access policies on a granular scale can be defined and password-less transparent access to IT systems such as RDP, SSH and others can be enabled. This ensures that only designated users access with their authorized named user IDs and passwords of these privileged accounts are not shared among multiple users. Spectra PAM also empowers you to automate discovery across accounts & assets for easy on-boarding of accounts reducing significant manual efforts for IT operations team. Furthermore, provisioning of privileged accounts adds another security layer for on-boarding additional users who need privileged access. Spectra PAM Account and Asset discovery provides an automated way of discovering IT assets across your IT infrastructure. With schedulers and automated on-boarding rules, obtain relevant asset information and reduce time for securing privileged accounts. Start on-boarding VMware ESX/ESXi managed guest OS Automatically retrieve and list OS linked to Active Directory Run network-based discovery for assets across on-premise locations Gain complete visibility into the privilege accounts & IT assets whether on-premises or in the public or private cloud User Access Management With Automation The guidelines states managing users with changing role or job positions, any change in external staff or third parties should be approved by accountable party.Spectra Privileged Access Management Solution is tightly integrated with Active Directory and it can allow access to users present on AD. Various roles and user access policy creation is possible for the users. Spectra has maker-checker facility wherein any changes or modifications to user roles can be validated and approved by authorized personnel. With Spectra’s Attribute based grouping policies, access provisioning to users can be automated while following attributes such as role, IT asset group, user band etc. This reduces manual dependence to map one-on-one access for each user to each IT asset and account. Centralization of Identity and Access Functions The guidelines state that all the functions of identity and access management should be centralized. Spectra PAM has a centralized web console that can be accessed from any platform & any HTML5 supported browser. Since Spectra works on micro-services architecture, all components are embedded into one web console which can be configured & controlled via central management console. This also helps at the time of upgrade of Spectra to control centrally with a single installer. Privileged and Remote Access Management with MFA The guideline states that all the users taking privileged access should have restricted use, MFA should be used for all remote users, MFA should be used for all privileged users taking access on critical systems with risk assessment, all the accounts must go through a periodic review, there should be individual accountability. Spectra Privilege and Remote Access Management Solution allows creating separate policies for remote users wherein, they have MFA enabled access. While defining user access policies, MFA can be enabled for all privileged users taking access. With Spectra’s cross-platform and browser-based access capabilities, all users especially remote user and third-party users can be enabled access to IT systems without VPN over browser ensuring restricted use over data movement and copy of data. Learn more about securing remote privileged access without VPN here. Spectra PAM allows creation of user policies where multi-factor authentication-based access can be enabled for user profiles handling critical and sensitive data. Spectra PAM suite is built with robust MFA authentication capabilities with easy to implement MFA for multiple sets of users. Solution provides a range of authentication methods covering: Adaptive authentication for enforcing MFA based on risk scoring for user access that relies on parameters such as time-based access, device fingerprinting and access criteria based on Geographic location Integration with leading Cloud Based MFA authentication providers such as Okta, One Login and Duo helping reduce time to implement and integrate Sectona Mobile which provides MFA based on Mobile based Soft Tokens (without internet connectivity), SMS Tokens, and Email Tokens. Out-of-the-box integration with hardware token providers such as RSA SecureID and Vasco Monitoring, review & accountability The guideline states that monitoring and review of privileged and remote accounts must be done while ensuring accountability.Spectra PAM has a robust session recording and session logging module that captures comprehensive details around which user accessed what system at what time from where among other details. This helps associate individual accountability of privileged and remote user access.Furthermore, Spectra has an in-built Threat Analytics and Risk Assessment Engine, which calculates a risk score for each and every session based on user profiling and the activities carried out in each session. The use of non-personal privileged accounts For this requirement, guidelines state that there should be limitations and complete monitoring of the privileged sessions, all the passwords must be confidential and all the passwords must be changed periodically and also at the end of each session.Spectra PAM enables administrators for live monitoring of the sessions and termination as well with complete audit. All the passwords are stored in robust Spectra Password Vault which does the complete management of passwords i.e. rotation, verification and reconciliation. Users can define the frequency for password change along with the desired complexities. Conclusion It would be safe to say that SAMA has laid down an extensive list for Identity and Access Management requirements taking into consideration complete security of the nation. The detailed framework document is available.Going one step further, we have also published a list of high priority use-cases that companies must take note of and protect when it comes to securing privileged accounts. Refer to this document here. Also, for those starting out with their privileged access security programs, start by targeting and identifying all privileged accounts. Leverage this list here  to start your privileged access security program.
Shruti Kulkarni April 30, 2020
Shruti Kulkarni
April 30, 2020

Company Culture And Value System: Significant In Unstable Situations

“But in the midst of all that uncertainty and lack of clarity, there lies a wild beauty. A hope. Possibility. The promise of something bigger than us happening just beneath the surface that we can’t see.”  - Mandy Hale.  With this beautiful thought, we must learn to embrace each situation as it comes and persist through it by believing in our company’s value system. An organization aims to create a culture for employees to thrive, build a value system to function unanimously and a path that leads to company driven goals. Fundamentally, these are the pillars for a successful company to survive, grow and lead. However businesses are meant to be risky affairs, be it managing teams, tackling profits and losses and to add an element there are always a few unforeseeable situations that tend to disturb the normalcy. While in difficult situations naturally the competition to run businesses in an unaffected manner and constantly be at disposal of continuity pushes companies to focus on deliverables and expect employees to contribute to the best of their capabilities. During this process, seldom organizations waive out the importance of maintaining and managing culture for employees to be equally productive. There are various elements to this, naming a few would be: Need for Communication, Enhance Engagement Plans, Shaping and Adapting to changes in Culture, Importance of being Relevant and Curating Team Activities. Need for Communication Expectations, Functionality and Execution are bound to change during undetermined circumstances, how do we cope with this? Communication is the key! Managers, Team Leads, HR’s require to be vocal, clear and transparent about the situations, their effects on our organization and how we are planning to overcome this. Also, encouraging a two way communication is essential, hearing out employees, their problems, opinions and addressing them in a right manner boosts employee morale. Enhance Engagement Plans Seldom it has been observed, during unprecedented situations employee engagement process takes a backseat. It is beneficial to always keep employees involved and engaged irrespective of the ongoing state of affairs. Productivity is a result of highly engaged individuals and teams. Improving engagement plans is number-one step to help employees overcome any coercive situation stemmed out. It must be a collaborative effort within teams and their respective reporting managers to devise plans that works best for the team. Companies should revamp the engagement plans analyzing the need, requirement and abilities of their teammates as whole. Shaping and Adapting To Changes in Culture Company culture must top the hierarchy chart in any organization. Each company has its own unique way of setting up culture which caters to their teams and aligns with business values. There is no universally acclaimed rule to design culture, it is a collective endeavor between the leaders and teammates which define the organization in its truest sense. Every business venture starts with right set of values which is observed by individuals involved with a vision to create a harmonious culture and for teams to imbibe it. Undecided situations might hinder the regularity and ethnicity of culture, however as Leader/ Founder it is one’s obligation to mold the culture in a way that helps stimulate the business and employees to not lose out on the essence of being in a well-organized entity. Another perspective is that of considering steps to assist employees to accept and adapt to the changes made. Importance of Being Relevant All possible circumstances beholds unique challenges, identifying them makes it easier to subsist with the situations. Being vigilant of situations around, their effects across various sectors, curating some coping mechanism helps an organization to sail through. The need is to stay Relevant! For Example: Currently prevailing COVID-19, demands one to stay relevant and updated from a business standpoint. Recognizing the requirements which market commands, being technically sufficient will help companies to cater to those requirements. This arises a need for employees to be evenly relevant with regards to skills and Managers to guide them through this. Relevancy indeed becomes a crucial factor within productivity program. Curating Team Activities Following the above pointer, where relevancy is a necessity curating team activities that inculcate and involve employees to stay relevant seems favorable. Organizations should plan activities around informative topics and skills for mutual benefit of employees and company in common. One can always involve informal elements to it, to maintain a good balance of employee relationships. Team Sectona strides to hold up with present-day crisis through this astounding quote and sharing a link to exhibit how we do it!! “Challenges are what makes life interesting. Overcoming them is what makes life meaningful.”
Priyanka Joshi April 22, 2020
Priyanka Joshi
April 22, 2020

Why Running Isolated Privileged Sessions For Remote Users Is Important?

More than 40 percent of top executives from the CNBC Technology Executive Council confirm that data and cyber-attacks have surged since the majority of their workforce is working from home. While many organizations are moving to define a new norm for Work from Home, most use a hybrid environment, and many of their on-premises components aren’t going anywhere soon. As CIOs and CISOs navigate these turbulent times, keeping employees safe and running business operations is of supreme importance currently. As millions of workforce now work from home including IT teams, mistakes and human errors are bound to open door to cyber attackers. As people continue to remain a perimeter control in an organization, hackers continue to exploit vulnerabilities and focus their efforts on compromising user credentials. IT teams have now been forced to run privileged activities outside the conventional IT setup. Some of these processes of remote access have never been stress-tested or risk-evaluated in the past. Protecting access to these technologies is critical, as VPNs and Virtual Desktops become the new attack vectors for cyber attackers, and the gateway to your internal networks. Considering the rapid surge of this pandemic, IT Teams were not completely prepared for a massive spike in work from home environments. Privileged users, developers, application team users have been accustomed to working from hardened, monitored and controlled office machines. However, this wave has forced organizations to ship desktops to allow employees work from home and sustain business as usual. Some organizations have allowed access from personal devices to office environments with/without normal VPN setups. Needless to mention, in such scenarios, employee access is susceptible to unknown environmental attacks like on Wi-Fi network. Organizations at the same time must evaluate risk of increasing cases of insider threats, data leakages and unmonitored access. VPN based access or Direct Access to Cloud Servers In normal scenarios, many internal IT users require a specific environment to operate and often access their workstations. In case of external users, a specific access is provided to RDP or SSH sessions via VPN. VPNs normally provide security of encrypting the traffic with some providers adding features for basic device health check and source country check. In a privileged access scenario, this normally means a user with a potentially unknown & possibly vulnerable machine eventually has high privilege access to your environment. This also means that normal controls of data movements, identity checks, audit logging are limited. Learn more on the vulnerabilities of a VPN based remote access here. Public cloud environment is susceptible to attacks where direct server access is granted to IT teams. While this is common scenario for test environments, a poor network configuration or misconfiguration could expose your network to a major breach hotspot. Isolated Privileged Sessions Isolating privileged sessions from the outside world or your trusted users accessing from anywhere is an ideal scenario for planning your privileged access strategy for work from home users. Provisioning Bastion Hosts to secure your production environment (on-premise, public or private cloud) without boundaries is recommended to withstand attacks while allowing access to critical applications & assets. Often managing Bastion hosts like Windows Terminal Servers require skills for specialized hardening parameters, network re-configuration & additional licensing issues & additional user access management (if managed outside your trusted windows domain). Sanitize your Attack Surface with Sectona PAM’s True Session Isolation Sectona Privileged Access Management is a quick to deploy solution with option for software defined proxies for RDP, SSH & Web Sessions with pre-configuration setup for allowing access using Windows Terminal Services. It has an advanced technology that seamlessly allows RDP, SSH, Web sessions over TLS on port 443 enabling you to traverse corporate firewalls easily. With added control of restricted movement of data and isolating the user machine to connect to your environment significantly reduces your attack surface. Know more about Sectona Privileged Access Management here.
Siddhesh Shetye April 16, 2020
Siddhesh Shetye
April 16, 2020

De-Constructing Security Of VPN-Based Remote Access

In such unprecedented times, entire workforce globally has been forced to work from home. While safety first is the order of the day, it has also put tremendous pressure on CISOs & security teams within organizations to test the ‘safety’ of their respective organizations’ IT infrastructure and architecture. Needless to mention, VPN-based remote access is the way to go for most. For what it’s worth, for all the right reasons, the appeal for a VPN is justified, since it is cost effective, easy to use and most importantly gives the perception of secure remote access. However, what is interesting is this – I was just browsing through the primary use-cases of a VPN and the results for the same were amusing. The top 3 use-cases I saw were: -Bypass restrictions from ISPs & governments to browse websites of choice by hiding & masking your source IP address -Workaround to watch streaming media such as Netflix in places that restrict viewing of content on such platforms -Protect yourself from being logged while torrenting Well, I know the larger intent of a VPN and how it does work for organizations, especially in scenarios where a site-to-site VPN is in use. In some places, a remote VPN is used wherein there is a pre-requisite for end users’ devices to have the VPN client installed. Yet, when I read these results today, it is amusing as it does not come across as a compelling enough reason to opt for a VPN for securing access to critical IT systems and applications, should one not know about its use-case in IT scenarios. None of the above use-cases evidently speaks of the security aspects a VPN can provide to an organization or how it can secure a user’s access or protect critical data. It simply speaks of the anonymity a VPN can provide while browsing over the internet or public Wi-Fi under the pretext of safeguarding privacy and encrypting the traffic from user’s machine to the VPN as if the access came from the organization’s private network. Yet, are these reasons enough to make VPN the go-to solution for securing remote work from home amid this global pandemic, especially for organizations that store confidential data and allow critical access to users? Maybe not. De-Constructing VPN Vulnerabilities From an operational standpoint, VPN setup is architecturally more complex and more expensive to maintain. Furthermore, it causes inconvenience to users requiring manual and time-consuming steps to enter credentials and initiate a session. From a security standpoint, attack surface is much larger, let’s consider the below scenarios: Scenario 1: For organizations where remote workers use personal devices and are required to only access selective applications or systems, allowing access via VPN client may expose them to a larger attack surface. This is because of the VPN client that is installed on the personal devices, through which other hitherto unknown or malicious applications get exposure to sensitive organizational servers and systems. This is a highly risky and undesirable scenario. Scenario 2: Let’s say, to tackle above scenario, designated & hardened IT-managed desktops/laptops are provided to remote users for remote access. Notwithstanding the operational & cost burden to facilitate this arrangement, does it still offer foolproof security? A Research was conducted by academics a few months ago that identified a vulnerability or security flaw in specific operating systems (tracked as CVE-2019-14899) which could allow an attacker to tamper with VPN-tunnelled connections. Another Research by a group of United States & Spain academics have discovered a whopping 13 programming errors in 61 separate VPN systems tested. They also identified that 6 of 200 VPN services also scandalously monitored user traffic. This very concept is nothing but data leakage. Such vulnerabilities are enough for hackers to inject a malware onto the remote system, intercept and compromise credentials of high privilege accounts and take out sensitive information. All it takes is one compromised credential to bring an organization to its knees, not worth the risk. Scenario 3: With VPN based access enabled, remote users are given access to the entire network with restrictive control whatsoever as to which systems or applications can be accessed by the users. This exposes the entire infrastructure for access to all remote users which again calls for high risk since the concept of controlled privileges or need-based access is left unaddressed. Furthermore, there is no logging or tracking of activities or access being done pro-actively. This could make governance much harder considering lack of comprehensive accountability relying only on system logs at best. Scenario 4: VPN growth is accompanied by the need for more firewall and other gateway or router appliances. A couple of years ago, Cisco had released an alert stating a vulnerability that could allow an unauthenticated, remote attacker to cause a reload of the affected system and it could stop processing incoming VPN authentication requests due to a low memory condition. From the above scenarios, the baseline is clear – VPNs are good for allowing users who need access to non-critical information but for those who need access to sensitive information and systems, VPN simply isn’t enough to ensure privacy. Adopt a VPN-Less Approach A modern and easy-to-deploy approach for this is to activate a remote privileged access system. All it takes is for the organization to provide a dedicated virtual server residing with organization’s IT managed network. The IP for this server (or dedicated URL as defined by the IT team) should be published over the internet. Any remote user who wishes to access organization’s infrastructure, connects and authenticates through this SSL encrypted communication from user machine to server. Once in, password-less & role-based access can be defined for only designated applications or systems such as RDP, SSH or critical business applications. Moreover, such access can be allowed over any HTML5 supported browser. This means, the real RDP or SSH sessions open on the server residing in organization’s premise, only a virtualized rendering of this session is emulated over the browser for the remote user. As such, for any critical session accessed, user only sees an HTTPS based session and is hence secured and encrypted. Furthermore, since a browser-based session is allowed, activities including copy paste or extraction and download of data from session to end user’s machine is restricted imposing stronger control measures. Rest assured, all sessions initiated by remote users are completely logged and monitored with comprehensive audit trails suggesting who logged in to which system at what time and performed what. This helps with better governance and mitigates risks associated with uncontrolled access given to remote users, isolating user’s end machine from critical systems and network and restricting copy or movement of data outside the network. Integrate VPN with an Additional Layer of Security Framework With a VPN in place, to mitigate risks of VPN vulnerabilities, impose an additional layer of security with a privileged remote access security technology. Instead of allowing transparent access to users from the VPN to critical systems, enforce access to remote users and route traffic through this privileged access (PAM) server. Allow communication from VPN only towards PAM server. From PAM, access can be better controlled, encrypted and instead of allowing access to complete network, dedicated need-based access to RDP, SSH and other critical applications can be defined for users. Needless to mention, comprehensive logs and monitoring of user activities can be captured. How Sectona Can Help Secure Remote Access Sectona provides an easy-to-deploy Privileged & Remote Access Management solution capable of providing the advanced technology to allow VPN-less or VPN integrable secure access to remote work from home users. The solution seamlessly allows RDP, SSH, Web sessions over TLS on port 443 enabling you to traverse corporate firewalls easily. With added control of restricted movement of data and isolating the user machine to connect to your environment significantly reduces your attack surface. Know more about Sectona Privileged Access Management here.
Avatar April 15, 2020
April 15, 2020
1 2 3 5