Professional Documents
Culture Documents
Mitigating Security Risks at The Network's Edge: Best Practices For Distributed Enterprises
Mitigating Security Risks at The Network's Edge: Best Practices For Distributed Enterprises
Mitigating Security Risks at The Network's Edge: Best Practices For Distributed Enterprises
45% INCORPORATED
MALWARE.2
HQ
ALL OF THESE
PERCENTAGES
INCREASED
SIGNIFICANTLY FROM
THE PRIOR YEAR.
As the enterprise’s gateway to the Internet, distributed
enterprises at the network’s edge are highly vulnerable
to security threats.
With multiple parties requiring Internet access and countless 30% OF DATA
risks for security breaches, enterprises must be ever vigilant BREACHES ARE
in developing, updating, and enforcing security policies on the
network’s edge. ACCESSED THROUGH
USER DEVICES.3
HQ
Security. For multiple remote locations, a VPN can Secure the hub-and-spoke architecture with
save the cost of a dedicated Internet connection. isolation and segmentation. In the past, many
The maintenance of establishing a LAN connection organizations used single- or dual-firewall
through an Internet VPN is very low compared architecture that divided networks into segments
to traditional dedicated line solutions. With the at Layers 3 and 4, limiting IP address ranges and
proper encryption and authentication, the VPN Transmission Control Protocol (TCP) and User
architecture is a cost-effective and highly scalable Diagram Protocol (UDP) ports that could traverse
solution for transmitting data securely. one segment or another. While this network
security architecture is still the most common,
Threat detection. Data can be analyzed as it more organizations are starting to control traffic
moves through the network and used to identify at higher layers and use emerging technologies
potential threats or breaches. Leveraging the that facilitate traffic capture, analysis and control.
same intrusion prevention infrastructure in For more information, refer to page 11, “Two
the core of the network for the branch offices Methods for Increasing Security.”
minimizes chances of misconfiguration at the
edge of the network.
THE CLOUD FOR SECURITY SERVICES
Governance. Enterprises charged with
transmitting or storing highly sensitive data can Many organizations want the cost savings and
be more confident that they are in control of efficiencies of the cloud, but don’t want to
implementation and maintenance of the security sacrifice traditional levels of control and security.
architecture. Traditional network security solutions require
expensive and over-featured hardware, archaic
command line interfaces, intensive multi-day
RISKS training courses, certification programs, and 400-
page manuals.
Planning and configuration mistakes. Deploying
a VPN requires a high level of planning and When security is made too complex, the
configuration, along with consistent updating chances of configuration errors and unintended
of router firmware and enforcement of security consequences increase. For distributed
policies. Networks must be properly configured enterprises with little to no onsite IT support,
and regularly maintained. Improperly configured cloud-based security provides visibility,
segments may create security holes within the configuration, and control of thousands of
core network, which hackers may exploit to devices, anywhere in the world. Distributed
access sensitive data. enterprises should ideally deploy security
solutions that combine the immediacy of on-
Physical security is also important to prevent premise management with the simplicity and
theft of the edge router/gateway, which can be centralized control of the cloud.
used to access corporate networks and sensitive
data.
Data isolation. Enterprises can isolate frequently In addition, the provider may be incapable of
targeted applications like email from sensitive completely deleting data from hardware, as
data like cardholder information. clients often share or reuse hardware used by
other clients.
RISKS
Security compromise from within. If user
permissions and roles are not set up carefully,
Loss of governance. In a cloud-based model, data
a user might have the ability to delete or
and information are stored with a third party. It
modify their data within the cloud solution. For
may be difficult to inspect the provider’s data
example, an employee new to the solution with
handling practices. And while rare, there is always
administrative access to the cloud solution could
a possibility that a rogue employee of the cloud
delete important data while they are trying to
provider could compromise data.
learn the new solution or a malicious employee
may compromise data intentionally.
Time to resolution. For companies with
appropriately staffed IT organizations, problems
HQ
Store
ENFORCE DEVICE VISIBILITY—THE KEY TO PCI Security Standards require that servers,
networking equipment, and other payment
ANY SECURITY STRATEGY
card system components be kept in a locked,
access-controlled room—preferably with video
With many new mobile devices joining the
surveillance.4 This mitigates the risk of an
enterprise WLAN network, visibility into mobile
unauthorized individual stealing a device with
applications is becoming critical. Network
access to the network. Physical security of
administrators need the ability to identify,
devices also prevents attackers from attaching
track, and categorize all devices accessing the
extraneous devices to the router that could
network. Device visibility provides IT with real-
monitor and steal data from the network.
time inventory and security intelligence for active
remediation while allowing users to seamlessly
connect to the network without disruptions or
changes in end-user experience. CONDUCT REGULAR SECURITY ASSESSMENTS
Best practices for enforcing device visibility: During a security assessment, a professional
assessor “attacks” the network to identify and
++ Use several criteria to identify devices in recommend controls around any weaknesses in
addition to MAC and IP addresses (which security architectures, including physical security,
can be spoofed) like device IDs and system device key strength, network configuration, and
identifiers that use specific naming client device vulnerabilities.
conventions
Regular network penetration tests, or security
++ Leverage compliance and auditing tools to assessments, are required for PCI Compliance.
provide additional insight into risks and The goal is to test access from low-security
vulnerabilities environments to high-security environments.
This practice evaluates whether cardholder data
++ Enable alerting and enforcement actions is isolated from other segments on the network
for devices attempting to plug into the and verifies that no connectivity exists between
network in-scope and out-of-scope networks (networks
++ Regularly audit and maintain up-to-date that hold cardholder data and networks that
and accurate network topologies (logical do not). Businesses with high numbers of
and physical) facilities or system components may assess only
a sample of the total number of components,
++ Use a common set of security controls for though the sample should be large enough to
policy management provide reasonable assurance that all business
facilities or components are configured per the
++ Institute governance, risk, and compliance standard process. The security assessor must
security best practices verify that the standardized, centralized controls
++ Collaborate and communicate across teams are implemented and working effectively.5
within the IT organization PCI Security Standards recommend annual
penetration testing, at a minimum.
++ Leverage a PKI infrastructure for stronger Each segment should have its own IP address
security. configuration, Routing Mode, Access Control, and
Interfaces (i.e. WiFi SSIDs, Ethernet Groups, and
++ Use 2-Factor Authentication to minimize VLANs). Currently, no tool exists to automatically
theft of user accounts being used by third monitor and search for vulnerabilities within a
parties. segmented network or between segments—such
++ Create and configure VLAN segments. oversight must be conducted manually. For this
A VLAN enables devices to be grouped reason, many enterprises will find that parallel
together. After creating a VLAN, select the networking is a better overall solution for
LAN port(s) or Ethernet groups to which keeping sensitive data secure.
the VLAN ID should correspond.
For example, the enterprise should consider hosting customer WiFi, employee devices,
and Point-of-Sale systems on their own respective networks. Enterprises with parallel
networks expect third parties such as vendors, partners and kiosks who require
Internet access to “Bring Your Own Network.” By expecting third-parties to provide
their own parallel networks, the company can retain governance over its own network
functions, while reducing the overall scope of work to maintain network security.
Parallel networks significantly reduce the amount of time and expertise needed to
segment networks based on application, and limit the scope of work for maintaining
PCI Compliance on the network used for transmitting cardholder data.
Equip.
Room HQ
Customer Area
Security
System
Employee WiFi
Customer Smart Phone
IT
Back
Office
Secure connectivity for always-on performance Fig. 5: Cradlepoint AER Series—Advanced Edge Routing