Latest Posts

De-Constructing Security Of VPN-Based Remote Access

In such unprecedented times, the entire workforce globally has been forced to work from home. While safety first is the order of the day, it has also put tremendous pressure on CISOs and security teams within organizations to test the ‘safety’ of their respective organizations’ IT infrastructure and architecture. Needless to mention, VPN-based remote access is the way to go for most. For what it’s worth, the appeal of a VPN is justified for all the right reasons: it is cost effective, easy to use and, most importantly, gives the perception of secure remote access. However, what is interesting is this: I was just browsing through the primary use-cases of a VPN and the results were amusing. The top 3 use-cases I saw were:

- Bypass restrictions from ISPs and governments to browse websites of choice by hiding and masking your source IP address
- Workaround to watch streaming media such as Netflix in places that restrict viewing of content on such platforms
- Protect yourself from being logged while torrenting

Well, I know the larger intent of a VPN and how it works for organizations, especially in scenarios where a site-to-site VPN is in use. In some places, a remote-access VPN is used, with the pre-requisite that end users’ devices have the VPN client installed. Yet, reading these results today, it is amusing: should one not know about its use-case in IT scenarios, none of this comes across as a compelling enough reason to opt for a VPN for securing access to critical IT systems and applications. None of the above use-cases speaks of the security a VPN can provide to an organization, how it can secure a user’s access or how it can protect critical data. They simply speak of the anonymity a VPN provides while browsing over the internet or public Wi-Fi, under the pretext of safeguarding privacy, by encrypting the traffic from the user’s machine to the VPN so that the access appears to come from the organization’s private network.

Yet, are these reasons enough to make VPN the go-to solution for securing remote work from home amid this global pandemic, especially for organizations that store confidential data and allow critical access to users? Maybe not.

De-Constructing VPN Vulnerabilities

From an operational standpoint, a VPN setup is architecturally more complex and more expensive to maintain. Furthermore, it inconveniences users, requiring manual and time-consuming steps to enter credentials and initiate a session. From a security standpoint, the attack surface is much larger. Let’s consider the scenarios below.

Scenario 1: For organizations where remote workers use personal devices and are required to access only selected applications or systems, allowing access via a VPN client may expose them to a larger attack surface. The VPN client installed on the personal device gives other, hitherto unknown or malicious, applications on that device exposure to sensitive organizational servers and systems. This is a highly risky and undesirable scenario.

Scenario 2: Let’s say, to tackle the above scenario, designated and hardened IT-managed desktops/laptops are provided to remote users for remote access. Notwithstanding the operational and cost burden of facilitating this arrangement, does it still offer foolproof security? Research conducted by academics a few months ago identified a vulnerability in specific operating systems (tracked as CVE-2019-14899) which could allow an attacker to tamper with VPN-tunnelled connections. Another research effort by a group of United States and Spain academics discovered a whopping 13 programming errors in 61 separate VPN systems tested. They also identified that 6 of 200 VPN services scandalously monitored user traffic. This is nothing but data leakage. Such vulnerabilities are enough for hackers to inject malware onto the remote system, intercept and compromise credentials of high-privilege accounts and take out sensitive information. All it takes is one compromised credential to bring an organization to its knees; not worth the risk.

Scenario 3: With VPN-based access enabled, remote users are given access to the entire network, with no restrictive control whatsoever as to which systems or applications they can reach. This exposes the entire infrastructure to all remote users, which again is high risk since the concept of controlled privileges or need-based access is left unaddressed. Furthermore, there is no proactive logging or tracking of activities or access. This makes governance much harder: lacking comprehensive accountability, one relies on system logs at best.

Scenario 4: VPN growth is accompanied by the need for more firewall and other gateway or router appliances. A couple of years ago, Cisco released an alert about a vulnerability that could allow an unauthenticated, remote attacker to cause a reload of the affected system, which could then stop processing incoming VPN authentication requests due to a low memory condition.

From the above scenarios, the baseline is clear: VPNs are good for users who need access to non-critical information, but for those who need access to sensitive information and systems, a VPN simply isn’t enough to ensure privacy.

Adopt a VPN-Less Approach

A modern and easy-to-deploy alternative is to activate a remote privileged access system. All it takes is for the organization to provide a dedicated virtual server residing within the organization’s IT-managed network. The IP of this server (or a dedicated URL as defined by the IT team) is published over the internet. Any remote user who wishes to access the organization’s infrastructure connects and authenticates through this SSL-encrypted communication from the user machine to the server. Once in, password-less and role-based access can be defined for only designated applications or systems such as RDP, SSH or critical business applications. Moreover, such access can be allowed over any HTML5-supported browser. This means the real RDP or SSH session opens on the server residing on the organization’s premises; only a virtualized rendering of this session is emulated in the browser for the remote user. For any critical session accessed, the user only sees an HTTPS-based session, which is hence secured and encrypted. Furthermore, since the session is browser-based, activities such as copy-paste or extraction and download of data from the session to the end user’s machine are restricted, imposing stronger control measures. Rest assured, all sessions initiated by remote users are completely logged and monitored, with comprehensive audit trails of who logged in to which system, at what time, and performed what. This helps with better governance and mitigates the risks of uncontrolled access given to remote users by isolating the user’s end machine from critical systems and the network and restricting copy or movement of data outside the network.

Integrate VPN with an Additional Layer of Security Framework

With a VPN in place, to mitigate the risks of VPN vulnerabilities, impose an additional layer of security with a privileged remote access security technology. Instead of allowing transparent access from the VPN to critical systems, route remote users’ traffic through this privileged access management (PAM) server. Allow communication from the VPN only towards the PAM server. From the PAM server, access can be better controlled and encrypted, and instead of allowing access to the complete network, dedicated need-based access to RDP, SSH and other critical applications can be defined for users. Needless to mention, comprehensive logs and monitoring of user activities can be captured.

How Sectona Can Help Secure Remote Access

Sectona provides an easy-to-deploy Privileged & Remote Access Management solution capable of providing the advanced technology to allow VPN-less or VPN-integrable secure access for remote work-from-home users. The solution seamlessly allows RDP, SSH and web sessions over TLS on port 443, enabling you to traverse corporate firewalls easily. With the added control of restricted movement of data and isolation of the user machine connecting to your environment, it significantly reduces your attack surface. Know more about Sectona Privileged Access Management here.
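The two controls the post relies on when a VPN is fronted by a PAM server are (1) a perimeter rule that lets VPN clients reach only the PAM server over TLS and (2) need-based, per-role entitlements with an audit trail enforced on that server. The following is an added example, not code from the post or from Sectona's product, that models both tiers as a policy check. The VPN pool, PAM server address, hostnames, users and roles are all constructed for the example.

```python
"""Two-tier access check mirroring the VPN + PAM design in the post.

Tier 1 (perimeter): flows from the VPN client pool may reach only the PAM
server on TCP/443; any other destination is refused.
Tier 2 (PAM): a user may open only the RDP/SSH targets the role is entitled
to, and every decision (allow or deny) is appended to an audit trail.

All addresses, hostnames, users and roles are constructed for this example
and are not taken from any real deployment or from Sectona's product.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# --- Tier 1: perimeter rule between the VPN pool and the internal network ---
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")   # constructed VPN client pool
PAM_SERVER = ipaddress.ip_address("10.20.0.5")    # constructed PAM server address
PAM_PORT = 443                                    # TLS, as the post describes


def perimeter_allows(src: str, dst: str, dport: int) -> bool:
    """Permit a VPN-originated flow only if it targets PAM_SERVER:PAM_PORT.

    Flows that do not originate in the VPN pool are outside this rule's
    scope and are refused here as well (default deny).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in VPN_POOL:
        return False
    return dst_ip == PAM_SERVER and dport == PAM_PORT


# --- Tier 2: need-based entitlements enforced on the PAM server ---
@dataclass(frozen=True)
class Entitlement:
    protocol: str   # "rdp" or "ssh"
    target: str     # hostname reachable through PAM for this role


# Constructed role model: each role lists exactly the targets it needs.
ROLE_ENTITLEMENTS = {
    "dba": {Entitlement("ssh", "db01.corp.example"),
            Entitlement("rdp", "sqlmon.corp.example")},
    "helpdesk": {Entitlement("rdp", "jump01.corp.example")},
}


@dataclass(frozen=True)
class AuditRecord:
    when: str
    user: str
    role: str
    protocol: str
    target: str
    decision: str


AUDIT_TRAIL: list = []   # every PAM decision, allowed or denied, lands here


def pam_request(user: str, role: str, protocol: str, target: str) -> bool:
    """Return True if the role is entitled to protocol://target; log either way."""
    allowed = Entitlement(protocol, target) in ROLE_ENTITLEMENTS.get(role, set())
    AUDIT_TRAIL.append(AuditRecord(
        when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        user=user, role=role, protocol=protocol, target=target,
        decision="allow" if allowed else "deny",
    ))
    return allowed


def remote_access(user: str, role: str, src: str, dst: str, dport: int,
                  protocol: str, target: str) -> str:
    """End-to-end outcome for one remote-access attempt.

    A direct attempt at an internal host is stopped at the perimeter before
    PAM is ever consulted; only a connection to PAM:443 reaches the
    role-based check, which is what produces the audit record.
    """
    if not perimeter_allows(src, dst, dport):
        return "blocked-at-perimeter"
    if pam_request(user, role, protocol, target):
        return "session-opened"
    return "denied-by-pam"


if __name__ == "__main__":
    # Direct SSH from the VPN client to the database host: never reaches PAM.
    print(remote_access("alice", "dba", "10.8.0.15", "10.20.0.50", 22,
                        "ssh", "db01.corp.example"))
    # Same user via PAM over TLS: allowed by the dba role and audited.
    print(remote_access("alice", "dba", "10.8.0.15", "10.20.0.5", 443,
                        "ssh", "db01.corp.example"))
    # Helpdesk role asking for the database: reaches PAM, denied and audited.
    print(remote_access("bob", "helpdesk", "10.8.0.15", "10.20.0.5", 443,
                        "ssh", "db01.corp.example"))
    for rec in AUDIT_TRAIL:
        print(rec)
```

Note that the perimeter tier is deliberately dumb: it knows nothing about users or roles, only that VPN addresses may talk to one host on one port. Everything user-specific, and therefore everything worth auditing, is decided on the PAM side, which is why a denied request still produces an audit record while a flow blocked at the perimeter does not.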
April 15, 2020

Leverage Productivity and Skills while Working from Home

Sectona encourages Skill Development as a Productivity Program during the Coronavirus (COVID-19) outbreak

The COVID-19 pandemic has hit the world at a scale and speed we have not seen before. Something that started as the slightest humor now has far-reaching impacts on all sectors of the market and sections of society. Surrounded by these situations, it is commendable that the world has united to fight these odds; all sectors of society have been contributing in their own ways, and here we discuss more specifically the corporate-business sector and the measures it has taken to overcome this.

Direct Business Impact

COVID-19 has forced most countries into lockdown, which has pushed most internet companies to adopt remote working options, which is also the need of the hour. Though companies are able to utilize remote working options, they will need to prepare their employees to navigate the challenges involved in remote working. This would of course include a few factors, non-exhaustively: the physical environment, creating support networks to make a successful transition to this new work structure, helping employees with a clear objective about the productivity expected of them, building mutual trust, etc.

Leveraging Productivity

Employees can be bewildered while working from home about how they are required to contribute to the business while adhering to their work responsibilities, what the nature of the flexibility is, what expectations are set and how they work towards achieving them, and most importantly how they are expected to remain productive while not present in the physical office environment. Given the current situation, Immediate Reporting Managers have a crucial role to play in helping their teammates understand their role and the objectives to be fulfilled. A concrete plan to work collectively on leveraging productivity and assisting employees with a skill development program works in favor of everyone involved. Sectona has always encouraged employees to enroll in various trainings and keep themselves updated within the Training and Development program. With the outbreak of this pandemic and the reflexive decision to opt for “remote working”, it was not difficult for our Team Managers to curate Skill Development projects for their respective teams. As an organization, we take pride in being meticulously process oriented, and working from home would not hinder that. Our managers followed a mutual process to help individual teammates take up new projects considering their interests and capabilities.

Open & Transparent Communication: Sectona believes the first key to managing remotely is to maintain good lines of communication. As employees are not around, they may be unclear and uninformed about certain ongoing work aspects, and communication bridges the gap. It also helps managers set the right expectations with regard to working from home and the productivity required. Sectona has never believed in micromanagement. One way our managers keep in constant touch is a quick call at the start of the day to understand the agenda and one in the evening to assess progress. Keeping teammates engaged and informed, and being accessible to them, is essential for our managers.

Goal Setting: It is vital to understand the individual interests of employees and whether they are aligned with organizational goals when assigning a skill for teammates to develop. This is only possible with different layers of managers involved who are also well aware of the engagement and inclination of employees towards the topic in concern. Managers at Sectona had one-on-one interactions with their respective team members to set up a definite plan of skill development while working from home, keep employees driven with a set goal to achieve and help them stay motivated throughout the process.

Identifying Related Projects: Within an organization, each functional department has collaborative tasks to perform, whereas for individual productivity it is essential to curate projects that are in line with the defined goals. To share a precise example, Sectona’s Quality Assurance team has been collectively working with and assisting the Product Development team through manual testing; however, utilizing this remote working situation, the QA Team Manager identified a project that can be performed in an automated environment, and the team has continued working towards it while maintaining the manual testing patterns.

Resources

Resources become a necessity when deviating from the basics we have been doing towards experimenting with new skills and ideas. Sectona has set up online forums and training modules to help make employees’ skill development smoother. Beyond virtual platforms and recorded trainings, fellow teammates, seniors and managers contribute and share their experiences and strategies within the team to assist each other.

Time Management

During such tough times, the right balance between work and personal life is extremely crucial for our employees. A stress-free mind is more productive than otherwise. The core idea followed by our managers is to allow flexible hours yet maintain consistency. The concern here is to avoid over-burdening employees while keeping them equally productive and organized.

Two-way Process

“Individual commitment to a group effort – that is what makes a team work, a company work, a society work, a civilization work.” – Vince Lombardi.

Complying with managers’ guidelines and views, employees at Sectona have adapted well to remote working and equally contributed to the smooth functioning of all business aspects. Needless to mention, all cross-functional teams have been working in unison to keep work unaffected, while the Implementation and Product Support team has gone out of its way to help our customers experience an unrestrained remote working process through our PAM Solution product, matching the time zones of clients and customers across the globe, extending online remote support through video conferences and much more. Amidst these tough situations around the globe, Sectona is aiming to get the best out of the situation and support our clients. As we make remote working hassle-free for our clients through our PAM Solution, it has also given us an opportunity to leverage our product and experience it firsthand. We have exposed PAM to the internet from our office premises, which gives all the required cross-functional teams remote access to their systems. While doing so, we focus on Access Permissions and Risk Management, wherein access is restricted to certain servers and leaves no room for copying or leaking data. Additionally, PAM is able to track the time spent working on the server, which makes the remote working experience simpler. To keep it lighter and positive, we have been encouraging managers to conduct weekly video calls to engage with their teams, and we are conducting “Weekend Friday E-meetups” to ensure each other’s well-being, exchange ideas on general know-how, propose collaborations as a team and much more.
Priyanka Joshi, April 11, 2020

We Have Got You Covered

Like many of us, our team is constantly monitoring the evolving situation of Covid-19. While the current situation remains uncertain, we persistently continue to take assertive actions to help ensure that our employees and key partners remain healthy and strong. Here at Sectona, the safety and health of our customers, our employees and those we serve is paramount. I want to assure you that as an organization, we are doing everything we can to take the necessary precautions and ensure the safety of our employees. With that said, our operations have not been impacted or stopped, and you can continue to rely on us for technical support in these times. Our professional services and support teams are working round the clock, and you can reach us anytime by writing to your customer success lead or to [email protected] or through your dedicated support contact. Alternatively, if you already have a support ID created on the Sectona Support Portal, you may raise your concern or query there and our support team will connect with you for assistance. We understand that many users might be accessing your IT systems from home. Should you require any assistance to secure their access further, we are happy to help and advise. We hope for things to return to normal soon; until then, please follow health and safety measures for yourself and your loved ones, including personal hygiene, social distancing, work-from-home options and travel restrictions. Our hearts go out to all affected individuals and families around the world.
March 19, 2020

Achieve PCI DSS v3.2.1 Compliance with Spectra PAM

The Payment Card Industry Data Security Standard (PCI DSS), in order to protect cardholder data, mandates preventive measures to secure privileged account access and passwords. Organizations holding customer credit card details must be compliant with PCI DSS v3.2.1 (in effect since May 2018) around the clauses on privileged access highlighted below. Sectona, with its flagship Privileged Access Management product Spectra, helps organizations achieve compliance around privileged and administrative account access with confidence.

Clause 2 of the PCI DSS compliance framework speaks about changing vendor-supplied default credentials, using strong encryption methods for data privacy and a secure password management approach.

How does Spectra PAM help you adhere to this clause? Spectra PAM has a robust password vault which uses a 3-step approach to password management (rotation, verification, reconciliation) for all vendor-supplied default accounts. All passwords are stored in the vault in encrypted form. Going one step further, as a value add, Spectra leverages its strong discovery module, which automatically discovers all privileged accounts (including vendor default accounts) across OS and databases and vaults the credentials within its secure vault.

Tip: The Sectona Research Team has simplified this for organizations by identifying all the vendor-supplied accounts across a wide range of applications and systems. To read more, visit

Clause 7 of the PCI DSS compliance framework speaks about implementing strong access control measures to restrict access to cardholder data on a need-to-know basis. It states that access should be limited to only those personnel whose job requires access to cardholder data. Access to such critical databases should be provided only on prior approval and on a need-to-know basis.

How does Spectra PAM help you comply with this clause? Spectra Server Access and User Access Policies can be configured when granting users access to critical data. Policies can be defined on a ‘need-to-know, need-to-access’ basis and enforce restrictions on what can be accessed, by whom, when, for what and for how long, to ensure only necessary privileges are granted to users. With Spectra’s Workflow module, access can be granted to users only after approval from the authorized approver(s). Up to 15 levels of approval, with multiple approvers at each level, can be configured for better flexibility. As a value add, access for the growing remote and third-party user base can also be controlled with Spectra’s remote privileged access and privileged session collaboration capabilities.

Clause 8 of the compliance framework requires identification and authentication of each user taking access to system components. These users can be both internal and third-party vendor users. It calls for the use of multi-factor authentication when granting access to users, and for session management such as session lockout after a specific time duration, setting complex password policies, etc.

How can Spectra PAM help you achieve compliance with this clause? Spectra PAM has deep integrations with Active Directory for automated fetching of user access policies or policy-driven, attribute-based grouping for faster provisioning of access to internal and remote users. Privileged session management policies can be configured for third-party vendor access from within the network and remotely, by defining hybrid access mechanisms based on user role, mode of access and location of access. Spectra PAM has integrations for MFA, wherein a second level of authentication and verification can be configured for all users. Additionally, to isolate privileged sessions from third-party vendor access, Spectra PAM has unique Cross-Platform Hybrid Access capabilities that allow users to access systems via virtualized browser-based sessions or via a jump server.

Tip: One of our customers had similar requirements for an access control mechanism. Don’t forget to read how Spectra PAM was able to meet the needs of the customer, visit

Clause 10 of the compliance framework speaks about tracking and monitoring all access to network resources and cardholder data. It states that for each privileged session, logs should be generated, stored in a tamper-proof format and available for audit. The logs should capture all activities performed in the session by root or administrator users and by users having access to cardholder data.

With Spectra’s Session Recording module, logs are generated for all sessions accessed, in both text and video format. These logs are stored in encrypted form and are tamper proof, and they are accessible only to authorized personnel. Apart from log generation, Spectra has a built-in advanced risk scoring and threat analytics engine. Spectra has a library of high-risk events executed within a session, and based on user access and profiling, a composite risk score is generated. This aids in identifying and interpreting high-risk privileged sessions.

The Sectona Research Team has prepared a comprehensive document covering the above clauses, available for reading on the website here. If you wish to read the PCI DSS v3.2.1 compliance document, it can be downloaded here. To know more about a list of high-priority privileged use cases, refer to this document here.
Shruti Kulkarni, February 14, 2020

Clearing the air around false allegations on Sectona

Over the past few weeks, it has come to our attention via our prospective customer and partner network that fake claims are being spread by competitors and/or unidentified sources regarding Intellectual Property Rights (IPR) issues against Sectona. Please note this is a hoax and there is absolutely no truth to it. Misleading allegations like these from leading players in the kind of mature industry segment that we operate in are deplorable. Unambiguously setting our stand here, we would like to assure customers evaluating our products and partners working with us that there are no IPR issues ever recorded against us in any country. We are committed to building a long-lasting and innovation-centered company driven to securing enterprises against advanced attacks with our next-generation privileged access approach. Such propagandized tactics only further reinforce our belief in building a dignified and value-driven security company. Over the past two years, Sectona has achieved unprecedented growth and customer adoption across multiple geographies, becoming a fast-growing product company. Enterprises are witnessing a transformation wave in security adoption, and our innovation-driven approach is creating a new product experience that is being widely appreciated and embraced. Despite these rumors, we are thankful to all our customers and partners for standing by us and for showing faith in Sectona, as well as fostering our ethical journey focused on customer success. Before signing off, I would like to sincerely thank the rumor-spreading sources for the publicity; we do appreciate the attention. :-)
November 12, 2019