It’s easy to see why. Salesforce’s cloud-based tools save costs and time, simplify customer analysis, and integrate smoothly with other SaaS services. But is Salesforce a secure environment to run your business?

While Salesforce is generally safe to use, data security in Salesforce is still something users need to consider. Data breaches have exposed potential vulnerabilities. And users need to know how to use the Salesforce data security model when making their implementation more secure.

Data security in Salesforce

Data security is the protection of sensitive data handled by an organization. In the context of Salesforce, this refers to customer records, including financial information and private personal details such as names and contact details.

The consequences can be severe if an organization loses control of data privacy protection. According to IBM, the average cost of a data breach is approximately $4.35 million. Companies that lose large volumes of sensitive customer data can expect to pay hefty compensation.

Salesforce is no exception. In 2019, Salesforce client Hanna Andersson suffered a major data breach. A malware infection on the clothing retailer’s Salesforce platform exposed over 200,000 customer accounts. Neither Hanna Andersson nor Salesforce knew anything about it.

Three months after the Salesforce breach began, law enforcement officers discovered confidential data for sale on the Dark Web. Customers immediately sued under the California Consumer Privacy Act (CCPA).

Salesforce and Hanna Andersson eventually settled the claim in 2021. Both companies accepted shortcomings in protecting user data, detecting malware, and informing customers. And they had to pay as much as $5,000 to affected customers.

Related articles

In Depth

6 Network Access Control best practices

29 Dec 2022•13 min read

In Depth

SaaS Security 101: The Definitive Guide

10 May 2022•9 min read

The Hanna Andersson settlement shows that data security is a critical vulnerability and could happen to any Salesforce user. So let’s dig deeper into the Salesforce data security model to explain how secure the platform is and what companies can do to protect their data.

The Salesforce data security model

Since the 2019 Salesforce data breach, the platform has tightened up its native security features.

Data at rest on Salesforce is encrypted, concealing it from outsiders. Logging systems allow users to track weaknesses and handle alerts. MFA adds strength to authentication processes. And users can even create bespoke protection for data analysis with the Data Mask feature.

However, one set of controls in the data security field is all-important. Permission sets enable Salesforce users to manage data access. Users can use permission sets to ensure that only authorized users can access data. Everyone else is blocked by default – until they are granted necessary privileges.

There are four Salesforce permission sets. Each one plays a role in locking down confidential customer information:

• Organization level – At the organization level, users can manage access for all users in their enterprise. Multi-factor authentication factors make Salesforce portals more secure. Connection limits, location tracking, and IP range screening exclude malicious actors.
• Object level – Organizations can limit access to Salesforce databases and apps. Object level controls allow administrators to set aside portions of the Salesforce environment and create restricted zones with limited access.
• Record level – Security teams can create permission sets for specific records. Marketing teams may need access to information about customer purchases. But financial data can be locked away. Admins can set objects to read-only or allocate editing privileges for certain users.
• Field level – At the field level, users can restrict how users interact with database fields. This provides tight control over how data is used. Many employees may have object access to CRM data. Only a tiny number will have field level access to edit and export the most sensitive data.

Salesforce security issues

Applying access controls is critical, but users must also be aware of Salesforce security vulnerabilities. Be sure to factor in these issues when planning your security strategy.

1. Inadequate data classification

Before you can protect confidential data, you need to understand the data you hold. Companies need to classify every record according to its value and vulnerability. When you have that information, you can start creating field level controls and setting permissions.

Review your databases and assign risk levels to the information they contain. Use regulations as a framework. For instance, the CCPA mandates robust protection of customer financial records. HIPAA requires tight control of any patient data.

Classification matters because it isn’t always practical to secure all customer data. Unclassified data generates noise and confusion. Security teams are presented with false positives and waste time on securing low-value data.

2. Confusing data ownership

Who is responsible for securing your Salesforce CRM system? Many companies cannot answer this question and rely on multiple stakeholders to secure customer data.

Data ownership should be clear and communicated to all Salesforce users. Assign an individual or team to manage data security. They should ensure compliance with relevant regulations, apply native Salesforce controls, and integrate enterprise-wide security systems with the CRM system.

Take advantage of Salesforce’s training materials. The platform offers courses in identity and access management (IAM). With this information, your security manager can master Salesforce permission sets and protect critical databases.

3. Poor Salesforce security awareness

Knowledge about Salesforce security should extend beyond the data security lead. Every CRM user must know security policies and the importance of protecting against phishing attacks.

Remember the Hanna Andersson case. A single Salesforce cyber attack can compromise huge data sets. Poor training and a shallow security culture can have huge implications.

Extended awareness matters because Salesforce is highly customizable. Employees can easily misconfigure communities in the Experience Cloud. And teams can add Salesforce services without IT teams knowing.

Both actions expand the threat surface, potentially compromising a Salesforce environment. Avoid them by educating Salesforce users and creating policies that explain how to use the platform safely.

4. Not understanding how shared responsibility works

As with all cloud-based products, security responsibility is shared between Salesforce and service users. Unfortunately, this is something that users easily forget.

Users may assume that Salesforce protects data, but this is partially correct. Salesforce does encrypt data and guards against malware infection. Clients are responsible for ensuring secure access and object configurations.

Companies using Salesforce can over-provision employees, giving them too much access to sensitive data. They might allow wide third-party access to databases, even down to field level. Marketing teams could create vulnerabilities as they customize their Salesforce solution.

Be aware of your responsibilities under the shared responsibility model. If not, data breaches will probably be due to your own negligence.

Why do you need additional security in SalesForce?

Native security features provided by Salesforce are powerful but insufficient to achieve data security. Companies need to combine internal controls like Salesforce data encryption with external security solutions.

The 2019 data breach demonstrates why external security is so important. Salesforce and Hanna Andersson did not know about the malware infection. Security teams had no idea that gigabytes of user data had been stolen.

While the single data breach cost both companies plenty of money, the cost could have been higher without the actions of law enforcement professionals.

The initial malware infection involved a ‘magecart’ attack that skimmed customer data from the retailer’s payment portal. This agent probably arrived via a phishing attack on a Hanna Andersson employee. None of Salesforce’s internal controls could prevent it, but external security solutions could help.

SIEM tools to scan attachments and quarantine suspicious links can stop phishers in their tracks. IP allowlisting screens devices and permits access for approved IP addresses. VPNs encrypt company networks and conceal credentials from external observers.

Salesforce allows in-depth access management and security logging. But when fine-tuning their CRM security, companies should supplement native features with additional measures.

How can NordLayer help with Salesforce security?

Salesforce makes CRM simple, allowing eCommerce businesses to thrive. But recent data breaches have shown that the cloud-based platform has some critical cybersecurity vulnerabilities.

NordLayer’s tools supplement native Salesforce security and make it easier to achieve regulatory compliance.

Our cloud security solutions include access management tools and Single Sign On that bridge company networks and cloud portals. 

IP allowlisting is another core NordLayer feature. Allowlisting lets you set approved IP addresses and block everything else. This makes it safer to admit remote workers to your Salesforce environment. It also means that credential theft does not automatically provide access to your data. Attackers without approved IP addresses will still remain outside the perimeter, unable to steal customer information. 

Discover how to create a rock-solid Salesforce security posture. Get in touch with our team and discuss your options today.

Cloud platforms host customer databases, powering worldwide eCommerce empires. They allow workers in different countries to communicate, share files, and collaborate on complex projects. And they reduce hardware overheads, driving down costs.

Whatever role they play, cloud services need robust protection. This blog will look at how to secure assets on GCP. While Google’s tools offer some protection, there are plenty of things companies can do to supplement those tools. Let’s look in more detail and offer some best practices to boost your Google Cloud security.

What is GCP?

Google Cloud Platform is a collection of cloud-based services based on the powerful Google Compute Engine. GCP allows users to host apps, store data, implement machine learning processes, and manage app development. It also integrates with other Google services, including Gmail and Docs.

GCP can host a few SaaS apps or scale up to IaaS and PaaS implementations. It is a go-to platform for hosting Kubernetes cubes and cloud storage containers, with a strong record for resource availability. However, clients must implement their own security controls to protect resources hosted by GCP.

GCP security seeks to protect assets hosted on the Google Cloud Platform. The scope of security policies varies depending on each user’s cloud architecture. For example, if you use a single SaaS service, security mainly relates to access control to that individual app. But if you use a PaaS solution, security must apply across the infrastructure stack.

What challenges does Google Cloud Platform face?

GCP users face a range of security challenges. Here are some critical issues you will likely face when following GCP security best practices.

1. Ensuring visibility

The flexibility of GCP makes it popular with cloud architects. But flexibility comes with a price: confused and complex visibility. Cloud assets can come online and disappear within hours. Security teams may not know when app configurations change. Keeping track of cloud-based assets can become extremely difficult.

Tracking threats and applying security controls is impossible without strong visibility. You cannot secure apps that change constantly. Environments with poorly controlled user privileges can spiral out of control, creating huge surfaces for data thieves to exploit.

2. Managing privileges

Over-provisioned users pose a critical threat to cloud environments. If attackers gain the credentials of over-provisioned users, they can access confidential data, change app settings, and compromise cloud performance. Watertight access control is essential.

Security teams must create logical privileges for roles and individuals. Every GCP-hosted app requires a separate privileges policy. And admins must classify data, keeping sensitive information locked away from most users.

3. Application sprawl

Without clear policies on provisioning apps, GCP environments easily fall victim to application sprawl. It is extremely easy to spin up virtual machines or add new apps on the Google platform. The resource hierarchy can change in an instant.

Balancing flexibility and security is a central challenge. Companies need clear hierarchies that reflect their organizational needs. But users need the freedom to reshape cloud environments to fit different circumstances.

4. Identity management at the cloud edge

Managing access to on-premises networks is simple. Authentication occurs at a well-defined edge. But this isn’t the case with GCP. Users can access a cloud resource anywhere. They can use multiple devices and log on via insecure public networks. This makes robust IAM essential.

Security teams require ways to authenticate every connection request. This is particularly difficult in multi-cloud settings. As a result, companies often implement Single Sign On (SSO) to bring all cloud assets together.

5. Cloud misconfigurations

Poorly configured GCP apps present an open door for attackers. For instance, researchers have expressed concerns about attacks originating from misconfigured virtual machines.

Users can also misconfigure the internal IAM tools that Google provides. Administrators may fail to apply domain restricted sharing to GCP containers. Or they might fail to engage logging services to detect threats and weaknesses.

Another common issue is misconfigured VPC firewalls. These firewalls surround cloud data with additional protection. But admins can set overly broad IP address ranges, permitting too much access to sensitive data.

6. Uncontrolled outbound access

Users must secure access to networks. But they also need to manage data flows from cloud assets. Data Loss Prevention (DLP) tools can track files and data and block unauthorized exfiltration. But restrictions on outbound access are not always applied properly.

7. Unpatched GCP assets

Unpatched VMs present a constant security risk. Attackers can exploit privileged access to connected resources or launch horizontal attacks if cloud environments are improperly segmented.

GCP users are responsible for patch management. However, they are not always aware of their duties under the shared responsibility model. Legacy threat scanning tools can also miss unpatched cloud assets. Cloud-native, automated update management tools can fill the gap if security teams choose to use them.

Why is GCP security Important?

There are three core reasons to follow GCP security best practices:

• The GCP hosts vast amounts of confidential information. Data encryption, robust authorization and authentication processes are critical to prevent malicious access to this data.
• Assets on GCP are available 24/7 for companies to access. This maximizes uptime and availability. But it broadens the threat surface, requiring robust security counter-measures.
• Data security regulations apply to critical assets. Users of GCP must protect information covered by GDPR, HIPAA, or PCI-DSS.

These three issues demand a comprehensive security response. Companies must classify and secure data. They must manage access and apply encryption. And they need to apply regulatory frameworks through auditing and security planning.

Cloud-based security features in GCP

Google has included a wide range of security features in GCP. Best practices include leveraging these features where possible while supplementing them with external tools. Important internal security features include:

• Virtual Private Cloud (VPC) – Allows users to create segmented VMs or VM groups, with stateful firewalls and network security controls.
• Data encryption – All data in transit through the GCP is encrypted. Data at rest is also encrypted and unreadable to outsiders.
• Cloud Key Management – Centralized customer-managed keys tools allow administrators to distribute and change keys. This can integrate with hardware keys for secure remote access.
• Logging – Google provides access to continuous activity logs. Users can visualize security easily with real-time data.
• Data Loss Prevention (DLP) – Targets sensitive data and prevents outward transmission to unauthorized actors.
• Binary Authorization – Secures Kubernetes clusters by creating trusted workloads.
• Web App and API Protection (WAAP) – Monitors API activity for common cyberattacks. Allows users to assess integrations with GCP environments, making new app implementations safer.
• Identity and Access Management (IAM) – Enable users to control access to GCP environments. Provides a way to authorize actions within apps and groups. Unifies GCP workloads into one pane of glass.
• Cloud Asset Inventory – Allows admins to quickly inventory connected apps and track any changes as they occur.

External security systems work alongside these internal tools. For example, network penetration testing by third-party software can verify the effectiveness of GCP security. SSO and external IAM cover hybrid networks with multiple cloud deployments. VPNs encrypt data outside GCP, guarding user credentials.

Google Cloud Platform (GCP) security best practices

Companies need to create and implement a data security strategy for their GCP deployments.

This strategy should leverage the internal tools listed above while taking into account specific business needs. Best practices for GCP security include:

1. Implement Google Cloud IAM

Identity is the new battleground in cloud security. Attackers constantly seek high-value user credentials and access to confidential customer or corporate data. That’s why implementing Google’s native IAM systems should be a core priority.

Google IAM allows you to:

• Set privileges for GCP resources – The most important role of IAM. Admins can set permissions for roles or individuals and determine which apps or workloads are available to each cloud identity. Privileges can be extremely detailed to protect sensitive data. Or they can be more general for low-value assets.
• Enforce safe email policies. Only allow access to cloud platform services from corporate email accounts. Prevent access by personal accounts.
• Strengthen admin accounts with security key enforcement. Security keys are even more robust than MFA factors. They apply to high-privilege users such as senior developers or administrators.
• Prevent user access to service accounts used by VMs and automated processes. Reduce the number of user-managed service account keys to an absolute minimum.

A strong IAM system locks down user and service accounts. Insecure connections will be denied or limited. Access to resources will only be possible to authorized users based on need.

However, don’t stop with Google’s internal IAM. Some critical IAM cloud functions require outside assistance.

For example, when you use the GCP, you can allowlist IP addresses to block dangerous devices or networks. There is no realistic native way on Google Cloud to allowlist IP addresses. But you can use external allowlisting solutions like NordLayer to harden your overall cloud security setup.

2. Visualize your cloud environment

Google allows companies a lot of control over how they segment cloud environments. But to create a secure architecture, assets and data must be visible and well-understood.

Use GCP’s internal tools to discover connected apps and create a map of the assets you need to protect. Try to trace the connections between resources. If you understand data flows and user requirements, you can create efficient groups to apply security controls.

Connect roles to cloud assets and target privileges to guard resources. For example, accountants or sales teams may require access to cloud SQL instances, but other employees do not. Always map roles to assets to avoid over-privileging users.

3. Protect assets via Virtual Private Clouds (VPCs)

VPCs are guarded by internal firewalls but can communicate securely via VPC peering. IAM tools enable precise controls over VPC access, and you can create private clouds for projects or departments.

This segments the cloud environment, preventing horizontal movement for malicious actors. For instance, you can set robust barriers around cloud storage containers handling financial information – a valuable aspect of compliance strategies.

4. Use Customer Supplied Encryption Keys (CSEK)

Google Cloud Platform users can rely on keys supplied by Google. But they can also provide their own encryption keys. This is potentially a more secure option.

With CSEK, keys are only known to your employees. Nobody within Google can access them. You have total responsibility to manage and change them when needed.

By default, data handled by the Compute Engine is protected by 256-bit AES encryption. Customer-supplied keys supplement this protection. They also give you more control over assigning keys and managing access.

5. Enable MFA for Google Cloud resources

Multi-factor authentication adds an extra layer of identity protection when logging onto cloud assets.

MFA is not a default setting, so admins will need to remember to engage it via the IAM console. Google Cloud users can add third-party identity providers if required. This allows users to connect via external apps, making remote access more secure.

MFA options on GCP include various cloud identity factors. This includes one-time passwords, email codes, or secure links sent to user devices. You can use separate authentication hardware for high-security connections or rely on less secure SMS-based authentication for a smoother but less secure access process.

6. Centralize logging processes

Google Cloud’s best practices include achieving total awareness of user activity and app configurations. Google provides a suite of logging tools that collect and present information for security teams to monitor.

Users can implement Cloud Logging to collect data from Google Cloud projects. Each project has its own log bucket to contain data, and users can analyze this information via the Logs Explorer tool. You can also enable flow logs to gather information from Kubernetes clusters or VM groups.

If possible, integrate Cloud Logging with your enterprise-wide SIEM systems. Google lets you export log data to many popular SIEM solutions. This makes it easier to track network security via a single pane of glass. Specialist SIEM solutions also tend to provide more functionality than Google’s internal monitoring tools.

7. Use security foundations blueprints

Security managers do not need to work in the dark when implementing GCP best practices. Securing novel cloud settings such as GCP can be challenging without prior experience. That’s why Google offers a series of security foundation blueprints.

Blueprints provide guidance and recommended security practices. Subjects covered include critical tasks like key management, network segmentation, logging, and authentication. The information is presented in a general format but includes plenty of suggestions that will apply to most GCP implementations.

8. Automate security to boost efficiency

Administrators can automate many security functions on Google Cloud. Automation reduces the risk of human error and liberates time to spend on critical security tasks.

The Security Command Center collects threat intelligence and can automatically transfer alerts to third-party SIEM systems. Users can also create automated compliance policies to check that GCP assets are properly configured.

Admins can automate password security, demanding regular resets and enforcing strong passwords. And automated app updates help stay on top of virtual machine patches. Most tasks on Google Cloud have automation settings. Leverage them where possible as part of Cloud Security Posture Management (CSPM).

How NordLayer secures access to Google Cloud

Google Cloud Platform is an easy-to-use, flexible, and feature-rich cloud hosting platform. And many companies use Google Cloud as a location to store or exchange confidential data. This is efficient and cost-effective, but relying on GCP comes with security risks.

Following the GCP security best practices outlined above will help achieve data security. Users can encrypt information, set internal IAM policies for apps and containers, and create firewalls around virtual machines.

However, a robust GCP security posture requires a mix of Google’s internal security functions and external solutions. NordLayer provides the ideal solution when securing Google cloud deployments.

NordLayer allows admins to integrate GCP security into their general IAM setup. Users can ensure secure access to apps via MFA and use Single Sign On to access all cloud assets quickly. They can strengthen access control with IP address allowlisting, which admits authenticated users and blocks unknown or insecure IP addresses. NordLayer applies network segmentation to separate GCP assets and encrypts data in transit to hide it from outsiders.

Add another layer to your GCP security posture with NordLayer. Our tools allow you to combine external and internal security controls. The result will be a GCP security setup that covers every vulnerability. Contact the NordLayer team today to find out more.

Every company infrastructure setup is unique. Therefore, it may require a different approach to solving the same challenges — like how users can access office-based data, applications, or devices while not being present on that particular site.

The most common solution is to choose VPN for security purposes and enablement of distributed teams. However, the VPN selection depends on its type and existing company network arrangement.

If your target is to enable employees to securely connect to different offices and branches of the organization despite being elsewhere, Site-to-Site VPN is the option to explore.

Site-to-Site solution using NordLayer 

Site-to-Site allows users to reach office-bind resources on HQ, your assigned office, or another company branch while not actually being on-site. It is a type of VPN that establishes an encrypted connection to a requested resource on the company network.

NordLayer’s cloud-based feature elevates typical industry Site-to-Site capabilities by connecting not just different corporate sites and resources but by enabling both on-site present and remote users to connect to any company resource on the network.

Click to tweet

Therefore, connection to a single physical location via a virtual private gateway using VPN translates into user connection to all devices and resources assigned to a company router or firewall.

How does NordLayer’s Site-to-Site feature work?

The cloud-based feature can be enabled by connecting NordLayer’s virtual private gateway to the company’s router or firewall.

Moreover, cloud-based Site-to-Site makes it possible to configure a dedicated VPN server to connect to cloud service providers like Amazon AWS, Google Cloud, or Azure.

Users with VPN access – whether present in the branch office, HQ, or remote – can connect to the company network and access the added internal resources and the on-site devices connected to the router/firewall, even though they don’t support a VPN connection.

• Remote user connection:

• Connection from a company branch:
  

• Connection from HQ:
  

NordLayer’s Site-to-Site feature requires virtual private gateways and physical location configuration. Once it’s ready, a VPN connects users to the local company network and allows them to access company resources like applications, data, computers, or printers.

The same logic applies to users accessing the company’s cloud service provider resources. VPN established connection and router/firewall configuration to support IKEv2 Site-to-Site functionality with a static public IP address can provide access to resources for employees despite their location.

Shortly, suppose an employee for a job needs to access your organization’s customer information stored in a database located in HQ, the email server that stands in an office branch on another continent and needs to print it out while working from home. In that case, it’s all available via NordLayer’s Site-to-Site VPN functionality.

How NordLayer’s Site-to-Site is different?

Traditional WAN companies have an architecture based on an all-to-one setup when business units – remote locations and resources of the corporate – are connected to one main point.

Such organizations exploit extensive legacy Site-to-Site architectures that employees use to connect to the network’s main point, allowing them to access company-enclosed resources from different locations. This type of network architecture delivers interconnectivity yet lacks remote flexibility and has downsides affecting network performance, efficiency, and scalability.

As a solution to legacy Site-to-Site, NordLayer is developed to provide flexible and simple problem-solving to the general downsides of using legacy networking. When focusing on the feature functionality, the distinction between legacy setup and cloud-based remote network access solution comes from overcoming the limitations of traditional Site-to-Site solutions.

Cloud-based NordLayer solution handles legacy infrastructure challenges of increasing remote connections with quick integration to the existing architecture. It reverts performance–efficiency–scalability limitations to company advantage:

• Decreased deployment time and expenses. NordLayer solution is fully hardware-free and compatible with hardware-based or hybrid existing infrastructures. Functionalities can be deployed within minutes and don’t require complex costs and long delivery times, focusing on time-to-value for the organization.
• Maintained security and productivity levels. NordLayer Site-to-Site distributes encrypted user traffic to company resources based on the request nature without affecting connection quality instead of bulk processing all users to a primary point of connection and allocating to requested resources afterward. 
• User traffic distribution. The feature decreases the heavy traffic load directing users to the internet resources, internal data centers, servers, or applications in a more streamlined manner. Therefore, the increased remote user traffic peaks don’t impact performance quality as with a traditional Site-to-Site setup. 
• Efficiency and scalability. Naturally, user traffic distribution significantly reduces on-site equipment use managing the ad-hoc demand to upgrade. On the contrary, cloud-based Site-to-Site functionality enables the company to scale on demand without resource-intensive planning.  

The feature brings another level to team performance in business operations using Site-to-Site. NordLayer’s cloud-based feature ‘helps cut hardware-ing and distance corners’, bringing efficiency to secure data sharing and authorized access of on-site devices within the organizations, even if physically impossible.

Benefits of Site-to-Site VPN 

Primarily, Site-to-Site VPN allows for establishing non-office-only based connections. The VPN enables secure data transfers and trusted user activity between the on-premise network and the public network established over the internet.

Implementing NordLayer on top of your existing infrastructure, Site-to-Site unlocks effective and robust cybersecurity measures for various organizational aspects.

Increased network security

Sensitive data and confidential information is the target of most cyber attacks. Thus, encrypted data transfers between organization members utilizing Site-to-Site, whether in the office or remote, help safeguard against data breaches.

Streamlined business operations

Team performance is heavily related to the availability and capacity of the company network. Therefore, Site-to-Site feature maintains a good speed and stable data traffic flow to provide users with quality connectivity and constant access to resources that influence business continuity.

Flexible and scalable protection

Hardware-free Site-to-Site configuration is a beneficial add-on to the existing company network, even the largely hardware-based ones. Thus, the reaction-to-action time to solve ad-hoc challenges is multiple times shorter and easier. It requires minimal resources and provides a solution based on business needs within minutes. 

Entering NordLayer’s Site-to-Site

NordLayer solution provides a modern approach-based Site-to-Site VPN. The feature allows present and remote employees to access data and devices in multiple corporate environments.

Using our remote network access solution to enable Site-to-Site VPN for the organization, IT admins have to follow simple actions to configure the feature. First, they need to create VPN gateways via the Control Panel as entry points into the network and assign teams or role-based employees to access the gateway so they can enter the company network. Site-to-Site has to be configured for every company unit for the seamless cooperation of teams.

With fewer systems to manage, unlimited scalability, flexibility, and easy setup, companies can ensure smooth and productive connections for their users and maintain high-security levels of the business.

The pandemic became a massive sandbox that proved people don’t necessarily need to be nurtured by the office culture to be productive.

Workers argue that flexibility is their right whether they prefer to work in the best countries for remote work, like Germany, Denmark, the US, or any other location of their choice if the job is completed as requested. Management counters with the importance of organizational environment and team bond effectiveness created only by the presence in the office.

Both sides have their points, so what’s next — will we return to an on-site-only setup or transition to fully remote? Will more companies compromise on hybrid work after all? Let’s see where the remote work projections are guiding us.

How new is the ‘new normal’ of remote work?

It would be incorrect to say that remote work didn’t exist before 2020. Freelancers were the pioneers of working online — an adventurous and free-spirited career path. Before the pandemic, 2,9% of ‘teleworkers’ globally were exclusively working remotely. For instance, in the US market, only 6% had never worked in any kind of remote work setup.

The scope of work from home mainly spiked because of a safety measure to prevent virus spread. Even though the alertness settled and life started returning to normal, in 2022, at least occasional remote workers reached 62% globally.

According to Gallup research results, only 2 out of 10 people returned to the old routine — entirely on-site jobs. Meanwhile, the rest of 8 out of 10 employees are split between remote and hybrid work arrangements in the US.

The discussion mainly circles whether employees want to work exclusively remotely (49%) or want to share their time between home and the office (46%). Yet the same research reveals that only 6% of employees see the ideal work environment exclusively on-site.

Remote work tendency: to increase or decrease?

The swing in the longevity of time spent at home before and after the pandemic compares drastically. Let’s fact-check.

According to Statista, remote work in the US before the 2020s was a relatively rare yet existing event, occurring 1-2 times per week. However, 3-4 and 5+ days of work from home per week in the post-pandemic period replaced the then-popular 1-2 days/week work from home.

Talking numbers, the remote workforce reached 53%, and the pool of employees that never worked from home decreased by 13% after COVID-19.

The data of the US-based respondents reflects the increasing trend of staying at home rather than working from the office.

2020 was the rush-hour year, so comparing the difference jump from 2019 to 2021, the number remains increasing as the amount of remote workers has tripled. If we take data from 2018-2021, the fully remote workforce grew four times bigger.

How has remote work escalated in Europe? The growing tendency of remote work in European countries is also significant.

Eurostat data from 2019-2021 illustrates the increasing number of employed people spending more and more time working from home. The average of EU Member States climbed from

• 14,6% WFH sometimes or usually* in 2019, 
• 20,9% WFH sometimes or usually in 2020 to
• 24,4% WFH sometimes or usually in 2021. 

In 2021, the usually only working individuals made just a little less than sometimes or usually in 2019 — 13% in contrast to 14,6%. Note that ’usually’ refers to at least half of the work days spent working from home in a reference period of 4 weeks.

The shift is evident in both the US and Europe — remotes were quick to adapt to the circumstances and increasingly function between the office and home, identifying as remote workers.

Let’s not forget that the covid-era introduced a new work-life cultural concept, ‘workation,’ that combines working and vacationing simultaneously. Therefore, it’s challenging to believe that trend swing will take the working world back to the close-to-none remote setup.

Remote work perspective

It’s worth defining the happy medium for understanding remote work. There are different opinions — for some, it’s home-only; for others — home-never. A hybrid work setup seems acceptable for most organizations and employees that can apply non-site work arrangements.

The perspective of hybrid model growth should double from 42% in 2021 to 81% in 2024, according to AT&T findings. The forecast predicts almost one in four Americans will work remotely by 2025.

The prediction is supported by the forecast of conferencing software (like Teams, Zoom, or Google Meet) market growth — in 2021, it reached $14.6 billion worth, and in 2026 is expected to reach as high as $27.3 billion worth. The growing demand shows the need to communicate remotely in the future.

Hybrid work influencing factors

What are the influencing factors for hybrid work escalations — is it just the peer pressure of employees? 83% of professionals say they would decline a job offer without offering flexible work options, according to International Working Group.

Expectations are high as almost everyone (97%) expects organizations to be flexible regarding the work environment. FlexJob indicates that more than half (57%) of organization members would change jobs if they weren’t allowed to work hybrid. After all, 77% of employees see flexibility as the second most important factor after salary in their employment.

The reasoning behind it can be based on preference to save time on commuting, make Mondays less anxious without knowing you must show up in the office at 8 AM, or work from a different city or country.  

Productivity and engagement in remote work

Hybrid or remote work help achieve a better work-life balance that resolves into a positive chain reaction. Employees and organizations notice that staff is exposed to less stress, leading to workers being more present and engaged despite online environments.

It proves that hybrid work isn’t entirely a one-way road. At first, being unavailable to observe employees’ activity on-site might have needed convincing the management of the hybrid work benefits.

According to Zippia’s Remote Work Statistics report, 32.2% of managers agree that productivity has increased after the 2020 remote work shift. Generally, 68% of organizations say there’s been an improvement in employee productivity since the remote work arrangements. 

Return or not to return?

The determination to work remotely is clear for most of the employees. Besides the long list of benefits the workers learned by heart, 20% of the workforce who vouch for flexibility would agree to give up vacation time over office-defined work.

The worth of remote work can be calculated more precisely — a typical organization saves an average of $11,000 per employee yearly if the employee spends half of the working time outside the office.

Saving funds and time open more personal, team, and company opportunities. Organizations have a better chance to scale globally. It brings us to a solution to a raging issue of limited talent pool companies struggle with significantly.

Talent and remote work

Knowledge workers are in high demand to cover the growing need for professionals in all industries. According to Uplers’ research, 69% of companies face a shortage of skilled talent, and geographic limitations are one of the leading factors reserving the reach of the potential talent pool.

According to the Upwork study, companies with remote or hybrid work policies appear to be less negatively impacted by talent shortage — only every third of such organizations see a limited talent pool as a challenge. Half of the knowledge workers who provide computer programing, IT, marketing, and business consulting services to companies are freelancers.

Regarding company size, large companies tend to have a higher demand for talent that turns over with more noticeable talent shortages compared to small or medium-sized companies.

According to Manpower data, 64% of small companies (10-49 employees) struggle to find the right profile workers, while 72% of medium-sized companies (50-249 employees) and 74% of large enterprises (250+ employees) are impacted by a deficiency of skilled professionals.

Remote work by industry

Technological advancements and flexibility allow companies of various industries to adopt hybrid work for its benefit. It’s noticeable that consulting-type services are quicker to move to telecommute. The trend can be justified by the opportunities to unlock markets worldwide, streamline the workload, and better prepare for modern technological setups.

Taking hybrid work through the industry axis, IT is the leading industry to adopt remote work. Finance, customer service, healthcare, marketing, education, and sales industries are primary areas to explore and utilize the benefits of the remote workforce.

Remote work and security

The massive migration to remote work during the pandemic was kick-started for safety reasons. However, home offices opened gaps for cybersecurity vulnerabilities that many companies weren’t exposed to before.

According to Statista, cyberattacks are one of the major risks concerning organizations. Cyber threats increased exponentially with the growing number of unprotected home networks and distributed teams.

The other top risks on the list include human error, cloud computing vulnerabilities, mobile device security, and loss of corporate data and information, as the concerns of organizations in Europe and the US.

Securing hybrid environments

Many organizations proved flexible in times of change — growing cyberattacks and risks were repulsed with security and hybrid work-adapted business solutions. Transitioning to cloud environments allow companies not only to enable remote workers but implement hybrid infrastructure models to support new ways of working.

Circumstances determined businesses’ push to improve network security even though upgrading existing legacy architectures wasn’t in the strategy.

During the later years, evolved Zero Trust security models now define modern remote access and cybersecurity standard. A combination of cloud application security, endpoint protection, and identity management solutions helps protect company assets and users effectively from potential vulnerabilities imposed by remote and hybrid work.

To support business projects and a large customer base, Hostinger has several departments to maintain all the projects and services up and running. Therefore, originally based in Kaunas, Lithuania, the company now has an extensive team of over 1000 employees in 51 countries across the globe. Yet a large team brings its challenges in times of change. Egidijus Navardauskas, Head of Cybersecurity at Hostinger, gives his insider experience on their journey of implementing remote work in extreme situations.

The Challenge

Rapid organization onboarding to remote work during lockdown

Hostinger as most of the companies in the pre-pandemic time, lived a daily office-based life. However, it changed during Covid as all teams started working remotely and adjusting to the new way of living.

“Before the pandemic, we used to work from the office full time —  there was no need for most of the teams to use an internal VPN solution except for a part of the IT staff.”

Click to tweet

Once the lockdown period came into effect and workforce borders started expanding, the existing VPN solution limitations were revealed. It wasn’t initially built to scale sufficiently and provide a reliable VPN connection to handle the fast growth of remote employees in different countries.

The employee distribution and work from personal networks required the company to grant them a swift connection to internal resources. However, operational continuity was at high risk, and the current setup lacked role-based network access controls for maintaining security levels. 

The Solution

Replace the existing VPN with a more agile solution

The employees used to work from the office all the time, and only a part of the IT staff was using an internal VPN solution as there was no need for most of the teams to access internal resources after working hours. 

“As Hostinger had to move to a remote working model due to the pandemic and fast growth of remote employees in different counties, the existing VPN solution was not scalable enough to handle many users.”

Click to tweet

Transitioning from an on-site environment to remote work quickly can be challenging for any business. Especially in the case of Hostinger, which experienced a sudden necessity to change its work and infrastructure approach.

Ad-hoc tasks are difficult to squeeze into tight schedules even in extreme circumstances, so time management and efficient distribution of resources are crucial — choosing the right solution from the first shoot is critical.

“Time shortage and lack of human resources, as all IT teams were very busy with their quarterly goals, were the additional factors that impacted the remote work situation.”

Click to tweet

Therefore, the journey from identifying the issue, selecting a solution, and making the delivery had to be well-organized and smooth.

Why choose NordLayer?

NordLayer provided an optimal solution to change the existing company VPN and seamlessly integrate it into the current infrastructure.

Even though the requirements for a new VPN were extended to establish remote connections of the worldwide-distributed high number of employees to organizational resources and provide secure identity management measures to the IT administrators. 

“NordLayer topped the shortlisted solutions by Hostinger by being the most cost-effective and easiest-to-manage option — this is how we chose the solution.”

Click to tweet

When selecting a cybersecurity solution, Hostinger usually uses a risk-driven approach, and of course, the solution has to fulfill requirements that are suitable for our company’s needs. Following the practice ensures the organization’s main security goals, which are confidentiality, integrity, and availability of resources and data. 

5 steps to onboard a global remote team overnight: decision-making process and proceeding with NordLayer

Clear steps and objectives helped Hostinger to optimize and streamline its process of problem-solving from understanding the current solution limitations — cannot scale with a growing team,  what are the desired results — provide network access controls, meet compliance and security requirements, and provide backup servers, to overviewing the plan and implementing to the whole organization.

The Outcome

Fast adaptation to a crisis with extended security outcome

The company achieved a remote work setup on time, so business and team productivity weren’t affected. It all happened while facing a global lockdown with time and human resources limitations.

Today, all Hostinger employees use the solution daily as the team works in a hybrid model. We utilize ten private virtual gateways for our company needs — all this just having NordLayer and a 5-people cybersecurity team.

Most importantly, Hostinger employees can connect securely to internal resources no matter where they are. Moreover, the IT staff can focus more on other projects rather than maintaining internal VPN infrastructure — the service provider is responsible for the maintenance of the servers, so it saves a lot of valuable time. 

Pro cybersecurity tips 

The pandemic may start feeling like old news at some point the more time passes by, yet it was an unusual situation that had effects on businesses that reflect up to this day and will stay relevant in the future, like teaching to react to extreme situations to keep businesses running. Even though not everything can be foreseen, thus it’s beneficial to have a strategy and a sound plan in place to be well-prepared.

It’s good to start even from small things — Head of Cybersecurity of Hostinger Egidijus Navardauskas shares his tips for business security:

Have you considered how your organization would hold if stress-tested? What would be the main impediments to securing business continuity? Even expected challenges can bring to light lacking security and adoption of implemented infrastructure. Therefore, it’s always worth exploring the possibilities and performing crisis drills even on paper — be ready to ensure teams and organization perforation despite the work setup, and reach out to learn more about a remote access network solution for modern companies.

Securing data and protecting assets is critically important when using Office 365. This blog will discuss the major threats faced by users and we will suggest some security best practices. Office 365 is a safe place to run business operations. But you need awareness and policies to make that safety a reality.

How secure is Office 365?

Office 365 is a suite of cloud-based business tools. Like all cloud applications and platforms, Office is vulnerable to external attackers. Cyber-attackers can breach user defenses. They can access sensitive data, disrupt operations, and cause plenty of damage before they are stopped.

Security concerns are real. Up to 85% of organizations using Office 365 suffered an email data loss in 2021. 15% of organizations using the platform suffered more than 500 breaches in the same year. Just 4% of organizations not using Office 365 reported the same data breach frequency.

Microsoft has toughened Office security features in the past few years. However, Office 365 users still need to control their security posture. If you can find a secure configuration that meets your needs, you can use the platform safely. The first step in doing so is mastering the security features supplied by Microsoft.

Security features in Office 365

Users can access most Office 365 security features via the Security and Compliance Center on Microsoft Accounts. This cloud-based portal allows users to choose several critical security functions. These functions include:

1. Identity and Access Management (IAM)

Microsoft’s IAM solution lets you set up digital identities for all Office users.

Every user has a digital identity containing their authentication details and authorization information. This lets administrators add adaptive multi-factor authentication for all log-ins. Admins can manage passwords efficiently, onboard and remove users as needed.

IAM also allows you to manage authorization options for all users. Admins can set privileges based on roles or individual requirements. This limits app access to users with appropriate permissions. Unauthorized outsiders won’t be able to intrude.

2. Information security

With Microsoft Information Protection (MIP), users can manage data as it travels across Office cloud resources and even on remote work devices.

Users can classify data to ensure it only reaches authorized devices. Set different sensitivity levels to make data available or defend it as required.

Classification works alongside Data Loss Prevention (DLP) and Microsoft Information Governance (MIG) tools. Create robust security controls for confidential data, and set lifecycle controls to delete data when it is not needed.

3. Threat defenses

Microsoft offers Office-native Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) features. Together, they neutralize cyber threats and track traffic to assess security weaknesses.

Azure Sentinel is a SIEM system that uses Artificial Intelligence to monitor the Office environment. Sentinel can track every active Office application and device. Security teams benefit from real-time visibility across the threat surface.

Azure Defender and Office 365 Defender are XDR tools. They extend threat detection to all endpoints, including email accounts and cloud applications.

4. Risk management

Office 365 includes a suite of tools to manage risks and ensure compliance. These tools identify and classify risks, focusing on data protection across an Office 365 environment.

Risk management tools allow security teams to assess insider threats, manage the risk of insecure communications, and fine-tune privileges for admin accounts. Audit tools let you drill down into compliance issues until every data security weakness is covered.

What are the most important Office 365 security concerns?

The security tools above are comprehensive and flexible. But they are generally voluntary. Users need to create their own security setup and choose measures that fit their Office implementation.

Office 365 leaves plenty of room for misconfigurations. And these gaps are the ideal space for attackers to work. Here are some critical threats for security managers to assess:

1. Credential theft and unauthorized access

Cyber attackers may gain access to your entire Office 365 environment if they steal user credentials. Users can leak credentials in many ways. For instance, employees could:

• Share information insecurely via Office collaboration apps
• Click on attachments that extract personal data
• Follow unsafe links in social engineering email messages
• Install malware onto a connected device

Credential theft is a constant security concern for Office 365 managers. Office does include multi-factor authentication, but MFA is not enabled as a default. Many companies forget to apply extra authentication and suffer as a result.

2. Unsafe privileges

According to Zero Trust principles, Office 365 users should have access to the resources they need and nothing more. Limiting access to sensitive data makes data extraction and loss less likely. Hackers cannot freely access data. Employees won’t be able to leak data during their tasks accidentally.

However, privileges creep can lead to too many people having access to too much data. By default, every Global Administrator Account has extensive privileges. Security teams need to restrict admin accounts manually. This potentially leaves scope to abuse access and steal data.

3. Data loss

Data breaches are a nightmare scenario for Office 365 managers, but they are possible without adequate security controls.

The major problem here is sharing. Office is built to enable information exchange. Workers share documents, conversations, databases, and much more. This is great at an operational level. But the flow of data is a security problem.

Data can leak via many storage locations or sharing tools. Employees may not know about data sharing risks or how to store data securely. And data can pass to unauthorized third parties without the knowledge of security teams.

4. Complacency

Many companies move from on-premises Office implementations to cloud-based 365 environments. While the applications are familiar, the security context of these two setups is very different.

Security managers may lack visibility of all cloud endpoints and in-use applications. They may lose sight of data containers or fail to turn on necessary security features. Sharing tools like SharePoint present new risks, such as allowing access for third-party guests. But these new risks aren’t always detected during cloud transitions.

Office 365 security best practices for business

What can businesses do about the security threats listed above? The answer lies in applying Office 365 security best practices. By following these security practices, you can enjoy the benefits of information sharing and keeping data safe.

1. Enable IAM

Access management is the top priority when securing Office 365 environments. Companies must create a secure perimeter and restrict access for unauthenticated users. Users should have the privileges they need to carry out work, but no more access than they require.

Office 365 has built-in IAM tools to control authentication and authorization centrally. Set conditional access policies for every role and back up password access with MFA technologies. Bring all Office 365 apps together via Single Sign On (SSO). This makes it easier for employees to manage passwords. It also simplifies access management for security professionals.

It is advisable to create separate user accounts for admins with elevated privileges. Every admin account requires maximum protection. Users should only use administrative accounts for specialist tasks, and rely on other accounts for everyday work.

2. Educate users to understand Office 365 security

Employees must know how to avoid phishing attacks. Build anti-phishing training into all onboarding processes and refresh this knowledge regularly. Workers should always be aware of dangerous email attachments and how to spot malicious links.

Users also require training in how to share information securely. Educate staff on how to use SharePoint and Teams without compromising security.

3. Collaborate securely

Education combines with robust collaboration app security to protect data in-transit. Install DLP systems to track sensitive files and ensure they stay within the network perimeter. DLP will alert managers if employees share critical data, and block any illegitimate transfers.

Set up Message Encryption on Teams and other communication tools. This protects the content of messages. Only authorized users will be able to read messages or open files.

Use Safe Attachments to scan all email attachments and shared files. Extend attachment protection to Teams, SharePoint and OneDrive so that all potential endpoints enjoy security coverage.

4. Put in place anti-phishing protections

Office 365 includes specialist tools to handle phishing attacks. These advanced threat protection tools go beyond trusting employees not to open malicious links. They actively inspect emails to detect malicious content.

For example, users can sandbox attachments automatically with Application Guard. This creates a protected environment to open pdfs or spreadsheets. Application Guard scans files to detect unsafe sources. This matters because Office files are common attack vectors. Sandboxing makes it much less likely that an innocent document will spark a security alert.

Safe Links is another useful anti-phishing tool that scans URLs to detect security concerns. And you can set “external” email tagging for inbound messages. This alerts users to be careful when opening external communications.

These measures do not remove all phishing risks. Zero-day threats are still an issue. But together, Application Guard, email tagging and Safe Links provide plenty of defense against social engineering attacks.

5. Use anti-malware solutions

When anti-phishing measures fail, malware protection tools enter the picture. Office 365 users should take advantage of Microsoft’s anti-malware tools wherever possible.

Implement SIEM protection via Azure Sentinel, and use XDR to scan all endpoints. These two tools work together to detect malware infections and quarantine affected files. This should neutralize ransomware attacks before they take down network infrastructure.

6. Strengthen your password policies

User access is the major Office 365 security weak point. And credential theft is the most common attack vector. Make it harder to mount credential stuffing attacks by enforcing strong password policies across all users.

Make sure Office users avoid real names and familiar words. Include multiple symbols and numbers, in combinations that are impossible to anticipate. Use password manager tools to store and update passwords. This reduces the risk of human error.

Generally, make sure users do not reuse passwords from other network assets. Every Office 365 user requires unique credentials, with no exceptions.

7. Strengthen data security controls

Employ MIP to lock down sensitive information and allow access to less important data. Office 365 lets you label sensitive information such as personally identifiable information (PII) and financial records. These labels enforce tools to keep sensitive data secure, such as encryption or watermarking.

DLP also allows you to track data movements and prevent data leaving organizational boundaries. This makes it easier to work remotely without creating additional data loss risks.

8. Check compliance and security scores

Data security measures aim to meet strict compliance goals. For instance, you may need to protect financial records to comply with PCI-DSS, or meet HIPAA rules when handling patient details. Microsoft has created tools to make the compliance task easier, so use them when available.

The Office 365 compliance portal provides guidance for meeting important regulations. It also includes a compliance score that charts your progress. Updated in real-time, the compliance score suggests required actions. It provides a useful road map to compliance across all Office 365 services.

Office also provides an overall Secure Score. This can be found in the Security Center, which records a percentage based on an organization’s security posture. Adding extra security measures boosts the score, and the system delivers recommendations based on your Office 365 setup.

9. Optimize mobile device security

Employees may use mobile devices to access Microsoft’s SaaS applications. This particularly applies to companies with large communities of remote workers or BYOD setups. In any case, it is advisable to implement Mobile Device Management (MDM) security solutions,

Office 365’s MDM tools encrypt confidential data on mobile devices. They can wipe data from devices in the event of theft. And they prevent network access for stolen or compromised devices.

10. Put in place rock-solid Office auditing

Be sure to enable the Unified Audit Log via the Office 365 Security Center. The UAL lets you track user activity across all accounts. You can see who is sharing information and how that information spreads across your cloud environment.

By default, audit logs provide 90 days of historical information, which isn’t that much. However, you can extend the scope of audit logging to as long as ten years if desired. Longer periods provide a better evidence base for compliance management, but you will need measures to efficiently store and search audit data.

Ensure secure access to Office 365 with NordLayer

Collaborate, strategize, and store data safely with our office 365 security best practices. On-board security tools and solid staff education let you use Microsoft’s business environment without creating unnecessary risks.

However, just relying on Office 365 controls is a risky move. That’s especially true for companies with hybrid cloud environments who manage multiple platforms and require secure access to SaaS apps. In those cases, it makes sense to apply enterprise-wide security solutions like NordLayer.

NordLayer’s IP allowlisting tools supplement Office 365 security controls. Admins can define a list of authorized addresses. These IP addresses are then permitted access to Office resources. Unlisted devices are excluded or require additional verification.

NordLayer encrypts traffic passing between employee devices and Office 365, countering man-in-the-middle style attacks. Threatblock also blocks malicious websites, reducing the risks posed by phishing attacks. Use Microsoft’s internal features to secure Office 365. But go further, integrating Office into your wider cybersecurity setup. To find out more, contact the NordLayer team today.

Unsecured apps are vulnerable to external attacks, data loss, and infrastructure damage. One unprotected app can cause an enterprise-wide data breach. Fortunately, there are many ways to strengthen cloud security and make application usage safe.

This blog will explore cloud app security and the threats users face. You should find everything you need to know when securing critical cloud assets.

What Is cloud application security?

Cloud application security is a set of tools, policies, and procedures that protect information passing across a cloud environment. The aim is to:

• Create a secure environment and protect data on all cloud apps
• Manage cyber threats
• Prevent unauthorized access to cloud resources
• Ensure the availability of critical assets

Cloud application security covers popular platforms like Amazon AWS, Google, and Microsoft Azure. It also extends to individual SaaS apps hosted on cloud platforms. Collaboration tools like Slack or Zoom require specific security solutions. The same applies to cloud-hosted business tools like Salesforce or data storage services.

Do you need cloud application security?

Yes. Legacy network security tools cannot properly protect cloud assets. VPNs and firewalls can protect locally-hosted data and applications. But cloud apps are hosted by third parties. Users can access them from virtually anywhere via a huge range of devices.

Attack surfaces have become more complex as cloud apps have proliferated. Cloud endpoints cannot be secured by locally-managed hardware or encrypted network connections. Older tech plays a role, but new application security approaches are essential.

Cloud application security threats

The first step in securing a cloud environment is understanding critical security threats. Here are some of the most important cloud application security risks to factor into security planning.

• Misconfigured cloud apps – Gartner reports that as many as 99% of cloud security issues are due to client error. Cloud deployments are complex, and teams must manage a range of application configurations. Every SaaS app requires access controls and processes to guard against shadow IT. Getting app configurations right is essential.
• Account hijacking – Malicious attackers can hijack user accounts and infiltrate cloud-hosted apps. Account hijacking tends to result from poor password hygiene and credential exposure. Security teams must enforce strong password policies. Password managers make life easier for workers. Encryption keeps credentials private and secure.
• Phishing – Phishers persuade employees to provide access credentials. They may also entice users to click links that harvest private data. Security teams must train all staff and enforce responsible behavior.
• Automated attacks – Attackers may find vulnerabilities via scanning agents. Botnets target poorly secured cloud apps, taking down cloud resources via denial-of-service attacks.
• Buggy APIs – APIs connect cloud applications and users. They need to be secure at all times. The problem with APIs is that they are both feature and data-rich. One compromised feature could expose data inside the app for outsiders to harvest.
• Physical security – Cloud applications rest on physical hardware somewhere in the world. Cloud providers must protect hardware against theft and take measures to handle fire, extreme weather, and other sources of damage.
• Inadvertent data loss – Staff can accidentally delete data, change it irreversibly, or lose encryption keys. This places intact data out of reach. A comprehensive data backup strategy is essential.

Cloud application security best practices

Failure to deal with cloud security vulnerabilities can have serious consequences. Let’s explore some app security best practices to lock down critical assets.

1. Understand the threat surface

Robust cloud application security rests upon strong visibility. Total awareness of cloud workloads and device connections puts you in a good position to apply controls.

Create and maintain inventories of connected cloud apps. This inventory will form the basis for security measures later on. Trim the inventory regularly to remove any unneeded cloud apps. Try to keep the threat surface as small as possible.

2. Deploy identity and access management (IAM)

Every cloud application is vulnerable to credential theft. Enterprises must establish complete control over who accesses cloud apps. They must also define and manage user privileges.

Cloud-native IAM tools manage access by authenticating log-in requests. They compare login credentials with secure directories and ensure that only authentic users gain access. Multi-Factor Authentication (MFA) adds another set of time-limited and unique credentials.

After admitting users, IAM systems authorize their privileges. Privileges allow users to carry out core workloads and restrict access to other applications.

Developers can access the tools they need. Sales teams can access CRM databases and marketing assets. Every role is limited, but workers are free to carry out their duties.

Additionally, IAM applies Single Sign On. SSO creates a single point of entry to cloud resources. One cloud-based application provides access to all apps. There is no need to secure multiple cloud endpoints.

More advanced IAM tools actively check for unsafe credential storage. They alert security teams if staff store credentials digitally or share information insecurely. All these features enhance the safety of cloud applications.

3. Create a cloud application security strategy

Companies need cloud application security. This strategy should specify how to access cloud apps safely and how user identities are verified. Users should know what they need to do and what threat mitigation controls are in place.

Looking beyond security policies, security teams should have a clear plan to secure data on all cloud applications. This can be visualized on three levels to cover vulnerabilities:

• Platforms. Cloud infrastructure underlying can include exposed data files. If companies develop cloud infrastructure in-house, security staff must focus on correctly configuring platforms. Encrypting all data is advisable.
• Databases. Secure cloud databases with appropriate encryption and access controls. Assess the right authorization levels for every role. Workers should only have access to relevant data. All other information should be out of reach.
• Applications. Secure the attack surface by extending IAM to all applications. Check API configurations, and use any threat detection systems provided by app developers. Set up automated notifications about unusual access requests or network traffic patterns.

4. Use automated security testing

Testing is a critical aspect of cloud app security. It may be too late to detect and mitigate vulnerabilities when cloud apps go live. Instead, companies should switch from standard DevOps to DevSecOps (Development Security Operations).

DevSecOps includes automated testing systems that assess code during the development phase. Testing during the CI/CD process uncovers weaknesses before hackers have a chance to exploit them.

Testing should extend to open-source code libraries used to build cloud applications. It should also cover data containers and user-provisioned cloud deployments. Every part of the cloud environment is vulnerable.

Testing does not end after app provisioning. Enterprises must continuously test IAM systems to ensure the integrity of IAM processes. They should also test encryption tools. Keys may be exposed or out of date, creating inherent weaknesses.

Automation is vital. You can automate development and post-deployment testing to reduce security workloads and ensure regular results.

5. Focus on password hygiene

Companies need to drive home the importance of password hygiene. Access controls and encryption mean little if employees expose passwords to outsiders.

Stolen or hacked credentials are a major security weakness. Staff must use strong passwords and change them regularly.

SSO helps make this task more manageable as workers handle fewer credentials. Cloud-native password managers also automate password strengthening and password replacement.

6. Employ comprehensive encryption strategies

Exposed data is an easy target for hackers inside cloud perimeters. That’s why encryption is a critical component of cloud app security.

Encryption scrambles data, making it unreadable to anyone without specific encryption keys. There are three main ways to encrypt data on the cloud:

• Encrypting data at rest secures information stored by enterprises. This could include HR information or financial records. Companies can encrypt files, databases, and even cloud platforms. With more layers covered, hackers will struggle to access confidential data.
• Encrypting data in transit makes collaboration safer. Data constantly moves throughout cloud environments. Information passes from on-premises networks and remote devices to the cloud. Encrypting data as it moves protects against interception attacks.
• Encrypting data in use makes using applications safer. Employees may retain workloads in an open state for long periods. This leaves data vulnerable to interception and extraction. The use of encryption and tools like DRM makes in-use data less accessible.

7. Active threat detection

Monitor cloud applications in real-time to detect threats and protect data. User behavior patterns can provide clues about ongoing attacks. Access requests for sensitive files can generate automated alerts.

Security teams can use activity monitoring data to fine-tune privileges management. Monitoring data is also a valuable compliance tool, providing evidence of continuous security management.

8. Regularly patch software and apply system updates

Cloud applications require timely and frequent updates to keep pace with evolving threats. Codebase changes and new services constantly present new vulnerabilities and exploits for hackers to target. Automated scheduled updates neutralize weak spots as they emerge.

9. Proactive privacy and compliance policies

Data privacy is a central part of compliance strategies. Enterprises operating in the cloud face major regulatory challenges, including GDPR, PCI-DSS, or HIPAA compliance. Secure cloud apps to meet relevant compliance standards.

Security teams should build app security audits into their schedule. Check that apps and security controls meet regulatory guidelines. Include the development environment used to provision cloud applications and open-source libraries used by DevOps teams.

Use regulatory requirements as a framework to build effective controls. For instance, PCI-DSS compliance demands data encryption for financial records. HIPAA demands tight identity management and encryption of sensitive information.

Compliance strategies aren’t static. Enterprises should take a proactive approach when securing sensitive data, using regulatory frameworks as guides.

How businesses could secure their cloud applications

Legacy tools like VPNs have security limitations when guarding the cloud. Instead, using security tools that function alongside cloud application APIs is advisable.

IAM and SSO systems are essential components of cloud security strategies alongside data encryption and threat monitoring. Fortunately, you can source solutions that bring together core app security functions.

The two major options here are proxy or API-integrated Cloud Access Security Brokers (CASBs):

• Proxy CASBs route traffic through a separate proxy between user devices and cloud apps. Proxies usually employ HTTP and can intervene with traffic passing through cloud endpoints. The CASB applies encryption and tracks anomalies such as suspicious login requests.
• API-based CASBs do not require an extra layer of routing. These CASBs are built into cloud apps instead. This has many potential benefits, as well as some drawbacks.

Benefits of API-based CASBs include:

• Improved speed – There is no need to route traffic via a proxy. This boosts speeds and improves the user experience. Routing large amounts of traffic through a proxy may lead to performance issues as demands grow.
• Firewall interaction – API CASBs supplement existing network firewalls. They add cloud security features that protect data and monitor activity. Proxy CASBs damage performance by adding another security barrier alongside firewalls.
• Easy upgrades – Users must update CASBs as applications evolve. App developers often add or exchange protocols and authentication systems. But developers do not routinely alert CASB developers about needed upgrades. API-based tools are easier to patch as apps change. Over time, cloud apps will leave proxy CASBs behind.
• Better security – Proxy-based CASBs break TLS sessions to access the HTTP stream. They then reconstruct TLS protection to complete cloud access. Users trust their CASB to restore TLS sessions safely and reliably. This weak point can compromise the security of cloud deployments.

Major cloud computing providers like Google and Amazon recommend API-embedded CASBs where possible. This makes perfect sense in a fast-changing cloud application environment.

However, API-based CASBs may not work with all SaaS deployments. CASBs are often compatible with most but not all APIs. This can add complexity to cloud security architecture. Proxy CASBs can operate across different APIs, resulting in simple solutions.

Enterprises also need to be aware of problems surrounding CASBs. For instance, cloud infrastructure providers rarely inform CASB developers about platform alterations that cause security issues. Cloud platforms can change quickly. CASB vendors need to keep up with changes and plug any security holes.

This issue affects proxy CASBs more than API-based versions. API-based brokers integrate closely with apps. App developers tend to flag any API changes for CASB developers. As a result, patches appear in a more timely manner. Users can expect stronger security.

The shared security responsibility model

Before implementing cloud application security best practices, bring the shared responsibility model into the picture.

In cloud environments, cloud providers and users share responsibility for security. Responsibility levels depend upon your cloud computing setup and your choice of a cloud service provider.

Generally speaking, cloud providers like AWS or Microsoft Azure assume responsibility for protecting:

• The infrastructure stack (including hosts and data centers)
• Software required to host cloud applications and data
• Networking infrastructure connecting cloud apps

Clients must handle everything else. Responsibilities vary according to whether you choose IaaaS, PaaS, or SaaS deployments.

• IaaS – Infrastructure-as-a-service users have the widest responsibilities. Users must protect apps and data, as well as infrastructure. This includes middleware and can include the cloud operating system.
• PaaS – Platform-as-a-service users must protect any infrastructure they maintain, including apps and data hosted by their service provider. Any proprietary apps hosted by third parties remain your responsibility.
• SaaS – Software-as-a-service users are responsible for data stored or processed by cloud applications. The main security risks relating to SaaS applications are access management and encrypting sensitive data.

Shared responsibility model in practice

Getting the balance right when applying the shared responsibility model is all-important. A good starting point is assessing every cloud application.

It is critical to define the responsibilities of users and providers for each application. Be clear about internal security controls and what your provider offers. Write a clear description of who is responsible for securing each asset and how to ensure data security.

Regardless of the cloud model in use, users are always responsible for:

• Securing on-premises and remote access endpoints
• Protecting data flowing through cloud resources
• Managing access to cloud applications.

Bring operations and security teams together. Developers need to provision cloud services flexibly and quickly. Security teams must advise about how to calibrate those services safely.

However, cloud users aren’t alone. Cloud service providers realize the complexity involved in managing cloud application security threats.

Providers usually offer user controls within APIs to secure their apps. They may also offer monitoring and threat management functions. Always investigate and use available cloud-native security tools.

Enterprises can also request audit information from providers. This should include details about their security strategy. Compare the material provided with your service terms to ensure providers meet their obligations.

Cloud application security assessment checklist

Before we finish, here is a quick checklist of critical cloud application security measures:

1. Create robust security policies covering all cloud apps. Take into account private, public and multi-cloud environments. Consider how to secure remote workers. Include processes to onboard and off-board employees. And put plans in place to detect and mitigate data breaches.

2. Implement IAM for the cloud. Ensure users have the correct privileges. Keep in mind Zero Trust concepts and the principle of least privilege. Combine cloud apps with SSO and add an extra protective screen with MFA.

3. Train staff in cloud security awareness. Make sure staff is aware of data storage and password policies. Train workers in secure cloud application usage and ways to share data safely. Focus on the threat posed by phishing attacks.

4. Deploy cloud security controls. Protect endpoints with encryption and CASBs. For instance, cloud-specific controls like disabling SSH and SQL Server access guard against brute force attacks.

5. Check application configurations. Poorly configured cloud apps are a critical security threat. Enforce API protection policies to configure apps properly. Focus on potential malware injection sites to neutralize common external attacks.

6. Put backups in place. Store sensitive data and workloads on separate cloud servers. Backup server files to ensure smooth disaster recovery. Carry out regular restoration tests to make sure data is recoverable.

7. Update software when needed. Use automated patch management to update cloud applications and deliver patches to all worker devices. Test updates when possible before deployment.

8. Track threats and log incidents. Use automated threat scanning and activity logging. Cloud logging tools can organize and analyze complex data. Use this data to improve your security posture and provide evidence of compliance.

9. Apply data security policies. Put in place policies to encrypt data at rest, in transit, and in use. Check encryption keys are used safely, preventing exposure to external attackers.

How can NordLayer help?

Follow our cloud application security checklist and best practices to secure cloud environments. With the correct controls, enterprises can take advantage of cloud computing. Sound app security measures reduce costs and cut data loss risks.

NordLayer offers cloud security solutions for all digital businesses. Install IAM, MFA, and SSO to control cloud access and reduce the attack surface. Create encrypted connections between remote workers and cloud portals. And integrate client-side security controls with tools provided by CSPs.

Find a route to ironclad cloud security. Get in touch and discuss your security options today.

There are several routes that a business can take to transition to SASE: doing everything themselves or going to a vendor are just some of the options. For this reason, Managed Service Providers (MSPs) can be incredibly useful when making the leap more streamlined and convenient.

How do MSPs help enterprises migrate to SASE?

MSPs can reach out a helping hand to businesses that don’t want or can’t implement SASE by themselves. Enterprise as a client just picks what they need from MSPs, and everything is done for them. Though, it’s not unheard of to have a MSP provider choose the needed components for the organization. This converged approach is more effective and saves client organizations time.

The external experts help businesses that may not have on-site specialists that could help them navigate various specific challenges associated with SASE. Choosing a SASE vendor is one of the most important IT decisions a business can make, so it’s very helpful to have someone to deal with product analysis, narrowing down the needed technologies, and planning network security schemes. It’s one of the most hassle-free methods to ensure optimal user experience when the transition to SASE is completed.

MSP benefits for SASE implementation

Here is the list of principal benefits that MSPs bring to businesses moving to the SASE framework.

1. Experience

As MSPs provide their security and networking services in a very niche field, they have amassed considerable expertise in helping clients overcome various challenges associated with SASE. Dealing with various vendor platforms is something that MSPs deal with daily, so they already have all the necessary knowledge for in-depth consultations.

2. Scalability

One of the most important benefits that MSPs can provide is scale. Simultaneously they can support thousands of clients as their multi-tenant architectures are equipped to do just that. Most MSPs also invest resources to have multiple points of presence across the globe to provide service without interruptions for globally distributed workforces. A broad reach is paramount in ensuring stable connectivity when setting up SD-WAN elements of SASE infrastructure.

3. Time-saving

MSPs are often regarded as the quickest route to implement SASE. Going from the drawing board to operating infrastructure takes little time. As MSP has all bases covered, this means very rapid implementation of SASE services. In turn, this also cuts the time and creates a quick route to instant value.

4. Prioritization

As SASE is a complex service with many critical components, it can be difficult to wrap your head around what should be done first. MSPs can guide organizations through this minefield by clearly defining priorities that should be achieved. Not to mention that some SASE service components can be implemented only after completing some prerequisites. MSPs, therefore, streamline the whole rollout procedure by keeping it on track.

5. Execution

A typical business could be stuck at the proof of concept level when planning its SASE service approach, which can be costly and time-consuming. MSPs have an in-depth understanding of their client’s pain points, which makes them more equipped to tackle various practical issues. This saves the trouble of going the trial-and-error route when implementing SASE without external help.

How to choose the right MSP for SASE implementation

While MSPs help you to create SASE that works for you, you still need to pick an MSP provider that would be the right fit for you.

1. Know which MSP type is right for you 

The first decision you’ll have to make is to pick one of the main MSP types.

Build and operate — this type handles full SASE deployment, including software and hardware configurations, monitoring performance, and integrated response to incidents. This involves not only the setup but ongoing maintenance.

Build and transfer — MSP designs, configures, and deploys all needed equipment and transfers it to the client. From the handover, the customer is responsible for its maintenance.  

Takeover — after the organization creates and deploys its SASE solution, MSP makes strategic decisions for operations outsourcing.

Note that there still can be varieties and hybrids of these models. The agreements could be time-based, as the provider will maintain everything for a set duration, after which the organization agrees to take over.

2. Do background research on MSP capabilities

The second part of the equation is that MSP should match the organization’s requirements:

• Can MSP match the enterprise’s scale?
• Are necessary network security services provided?
• Does MSP have the required expertise within the customer’s industry?
• Are connectivity services provided along with security?
• Is MSP providing an integrated product or combining different tools from separate providers?

A good match should align across the board with your setup requirements.

3. Check the price/value ratio

It’s essential to calculate whether relying on MSP makes sense financially. The return on investment can vary greatly depending on the used services, company size, and other agreements. This is a helpful exercise to rethink priorities and get the best solution that makes sense not only securely but money-wise.

4. Look into the SLA agreement

Finally, there is a question about legally binding contracts. MSPs heavily rely on Service Level Agreements to establish expectations with their clients. The document outlines the services that will be provided, the objectives, and any other relevant prerequisites. SLA metrics can vary greatly from one MSP to another, and it’s a client’s responsibility to ensure that their needs are addressed.

How can NordLayer help?

SASE and its network security component, Secure Service Edge, is an essential cornerstone of most enterprises’ digital transition. SSE combines cybersecurity technologies and concepts like ZTNA to deliver internet access security and network access management. This allows the development of a future-focused approach to an organization’s cybersecurity for growing modern businesses.

NordLayer helps to reduce risks associated with hybrid work or globally distributed workforces. As a complimentary addition to your IT infrastructure, it enhances network access control by segmenting the user base through Virtual Private Gateways and filtering out malicious websites from the employees’ browsing.

Get in touch with our experts today, and learn how NordLayer could improve your network security with a click of a button.

The aim of MFA is to verify user identities and strengthen network protection beyond the level provided by traditional passwords. But how should you achieve this goal?

This blog will explain some core MFA best practices. It will also lead you through a step-by-step guide to implementing multi-factor authentication. The result should be an MFA system that ensures rock-solid network protection where it matters most.

MFA best practices

Multi-factor authentication is an essential addition to cybersecurity setups. Properly configured, MFA allows workers to relocate to their homes, connect remotely as they travel, and use cloud resources anywhere.

These MFA best practices will help you create an authentication system that meets your needs.

1. Plan the right MFA solution for your business

Multi-factor authentication is not a one-size-fits-all technology. Choose the right authentication system for your business needs. For instance, types of MFA to think about include:

• Biometric scanning, such as retinal scans and fingerprints.
• One-time passwords (OTP) delivered by tokens, email, or SMS.
• Hardware devices such as security badges, cards and tokens.
• Contextual factors such as keyboard behavior, location data, and the network are used to make a connection.

Workers could benefit from biometric scanning if your business relies on mobile devices. Quick, user-friendly biometrics can provide secure access away from the office. Smartphones are well-suited to techniques like fingerprint scans.

Workforces where remote working is routine, might prefer hardware tokens or tags. These small devices are easy to carry between work and home. The tokens will still be required to access network resources if devices are lost or stolen. So they are a good extra defense measure.

Whatever solution you choose, it must comply with network infrastructure. Find an MFA system that is compatible with critical apps and employee devices.

2. Create an enterprise-wide MFA solution

Multi-factor authentication solutions must cover all access points to network resources.

Carry out a device audit before sourcing any technologies. This will help you understand which types of MFA tech to choose and how to train employees to use authentication systems.

Cloud assets and on-premises resources should all be included. Protect all cloud endpoints with more than one authentication factor, with additional protections for high-value assets.

3. Manage change to bring users on board

The biggest problem with multi-factor authentication is ensuring employees use authentication tools consistently and safely. Workers may lapse into unsafe behavior if MFA is too time-consuming or complex. That’s why change management is all-important.

Plan a staged introduction that makes every user feel part of the process. Extra authentication methods will disrupt working practices, at least for a while. But if you approach employees as participants in the process, they will respond positively.

Inform users about upcoming changes at the start of the project. Explain how MFA will benefit workers and how user identification works. Answer any questions as the project unfolds. Workers need to know exactly what is required and how to comply with security policies.

Change managers can isolate areas of potential resistance. Focus on chokepoints like using third-party devices, managing biometrics, and password management. Provide training and refresh user knowledge after MFA comes online.

4. Create user-friendly MFA systems

When mainstreaming MFA, companies need to craft user-friendly solutions. Systems should minimize friction and maximize speed while remaining secure.

Explore ways to reduce the work of users. Adaptive authentication can remove the need for passwords and use device or location information alongside biometrics. Single sign-on portals can bring services together and make logging on easier.

Where possible, provide multiple options for users. Some workers will embrace retina or fingerprint scanning. For others, it could be impractical or intrusive. They might prefer hardware tokens.

When people choose their own solutions, they are more likely to feel in control. When they “own” their authentication choices, workers will be less likely to back-slide and abandon MFA.

5. Combine MFA with single sign-on (SSO)

As hinted above, one common solution for MFA is single sign-on (SSO). SSO creates a single identity security portal. This gateway allows users to access core resources according to their individual privileges.

SSO fits neatly with MFA. You can combine standard password portals with biometrics and one-time passwords. Using a single portal and extra identity verification factors balances user experience and network security.

• SSO reduces employee workloads, providing instant system access to all relevant resources. That’s particularly useful when connecting remote workers to cloud assets.
• MFA supplements password security. This solves some problems associated with SSO, including the repeated use of passwords or the reliance on weak passwords that are easy to hack.

6. Make use of contextual factors

Multi-factor authentication systems use more than biometric scanners and hardware tokens. MFA can also leverage contextual information about individual users and their devices.

Contextual information is passive. Users do not need to provide information consciously. Instead, agents detect data about the user’s device or location. Agents on user laptops can tell whether the computer is in the owner’s home or connected to insecure public wifi. Blacklisting screens out unknown devices or those accessing from unsafe locations.

Users move. They won’t always be located at home. And if employees request access from elsewhere, MFA systems ask them for additional information. That complicates matters for laptop or smartphone thieves with access to worker devices.

More advanced authentication factors are also available for extremely high-security situations. Techniques like liveness testing and biometric keyboard verification provide maximum information about user identities. These contextual factors represent an extremely strong barrier against data thieves when used with physical tokens.

7. Think about passwordless solutions

In some cases, MFA allows companies to remove traditional password access from their network perimeter. Passwords are clumsy to use. Few employees use strong passwords or store them safely. Going passwordless can make a lot of sense from a security perspective.

MFA can use contextual information about mobile devices, user locations, or even user behavior. These factors may be sufficient to allow access when combined with biometric data. This saves time while providing a degree of security. However, strong passwords should be retained to access sensitive data and critical workloads.

8. Implement the least privilege to secure network assets

MFA can apply uniformly to all users, but it’s also better to implement role-based MFA to enforce the principle of least privilege. Part of Zero Trust Network Access (ZTNA), this principle states that users should only have access to essential data and applications. All non-essential resources should be off-limits.

Identity and Access Management and network segmentation are core ZTNA technologies, but MFA also plays a role.

MFA systems can ask for additional information when users try to exercise administrative functions. MFA can also apply conditional access to high-security databases and request additional user credentials at regular intervals.

9. Use provisioning protocols for cloud compatibility

Companies can combine MFA systems and critical cloud assets by using provisioning protocols. For instance, Microsoft Azure Active Directory supports protocols like RADIUS and Oauth 2.0.

Standard protocols like RADIUS make it easier to combine legacy network tools and cloud applications. MFA systems must operate across all network devices and resources. Adopting an approach based on standard protocols makes this possible.

10. See MFA as an ongoing process

Deploying MFA doesn’t end when users start to apply biometrics or hardware tokens. Companies must see authentication as an ongoing challenge requiring constant attention and regular audits.

The threat landscape does not stand still. New phishing techniques emerge monthly. Novel malware threats can compromise previously secure endpoints. Network managers must be aware of these developments. Security teams must update MFA systems to reflect real-world cybersecurity risks.

Regularly assess MFA systems to ensure they are delivering effective security. Are workers using them properly? Do you need to use more or different authentication factors? Are any gaps not covered by authentication processes?

Companies also need to be persistent and determined when deploying MFA. Most MFA solutions experience problems. Users regularly report difficulties, which can cause IT teams to roll back authentication projects. Resist this urge.

Provide support to any departments or individuals experiencing issues. Drill down into the concerns reported by users. They may detect technical issues that were not apparent to security professionals.

Above all, don’t expect overnight success. MFA eventually becomes embedded in everyday work, but this won’t happen immediately.

Step-by-step MFA implementation strategy

When implementing MFA, here are the steps to follow:

1. Train users in how MFA works

Employee education is critical when implementing MFA. Every process must be centered around upskilling and reassuring users.

Poorly informed workers may resist authentication techniques or back-slide to unsafe practices. Here are some things to bear in mind when training staff:

• Regularly communicate via email from the start of the project. Timely emails will ensure staff are aware of timescales and security policies. They can include contact details for project leaders.
• Create ways for staff to engage with project managers. Messaging apps like Slack are a good option here. Make staff available to field any queries and provide updates if requested.
• Stress the positive aspect of MFA. Always focus on why you are introducing MFA and how it will help individuals.

2. Design an MFA system to suit your needs

Choosing the right form of multi-factor authentication is critically important. Some companies find that biometric scanners like facial recognition are appropriate. This works well when end users have access to smartphones with reliable cameras and fingerprint scanners.

Other companies prefer to distribute hardware tokens to remote workers. Tokens provide one-time passwords and can be tracked remotely by security managers.

Questions to ask when choosing an MFA solution:

• What kind of devices will use your MFA system?
• Is there a mixture of work-from-home and on-premises end users?
• Is ease of use more important than pure identity security?
• Do you need sophisticated solutions with fine-grained MFA controls?
• Is cost an overriding factor, or can you afford to spend more?
• What apps and services will your MFA solution interact with? Compatibility is essential to avoid friction and improve the user experience.

3. Apply privileges to roles and individuals

Create privilege levels for different access requests. This allows individuals to access core resources while keeping sensitive data off-limits to those who do not need it.

You might want to request extra identity data when accessing customer records or executing admin commands on cloud platforms. MFA requests every few hours may also be needed when accessing financial records.

Some resources may not need MFA at all. Contextual controls and passwords could be sufficient to protect low-sensitivity resources. However, risk assesses each asset to avoid leaving confidential data exposed.

4. Make sure your MFA implementation is compliant

Authentication is a core aspect of major data security regulations, including HIPAA, GDPR, and PCI-DSS. Sectors like health care or financial processing have specific requirements absent from other business areas. Knowing which regulations affect your business is absolutely vital.

For example, PCI-DSS requires:

• Strong encryption of all customer data
• Three-factor MFA for any servers handling customer data
• Identity management to ensure customer records can only be accessed by authorized individuals

Third-party authentication providers should possess the accreditation. Look for an Attestation of Compliance (AOC) with PCI-DSS or HIPAA. This means the provider has been independently assessed as meeting compliance standards.

5. Create a streamlined way to request backup factors

Sometimes employees lose authentication hardware or business laptops. In these cases, they will probably also lose MFA data. Security best practice involves resetting the user’s account with a backup factor and creating a new set of authentication information.

One option is to enable multiple devices on a single account. If users have more than one authorized device, they can use it to request backup factors and reset their accounts.

Security teams should also be prepared to remove authentication factors from user accounts when thefts occur. There should be a clear process for quarantining compromised factors, making it tough for thieves to use stolen identity credentials.

6. Plan to on-board new remote workers

All work-from-home equipment must be audited and authorized with MFA software installed. But setting up MFA with remote workers can be time-consuming. It may leave security vulnerabilities if staff is left to their own devices.

Many companies provide work laptops for new hires. If you take this route, take time to lead staff through the MFA onboarding process. If necessary, schedule video meetings to explain the process. That way, you can verify that staff properly follow every step.

7. Configure adaptive MFA controls

Before MFA goes live, explore additional security controls your provider offers. This should include adaptive systems to detect anomalies and meet threats proactively.

At this stage, you can blacklist certain access locations. For instance, you may blacklist all public wifi hotspots. But you could even limit access from entire continents.

8. Plan to audit your MFA solution

Plan to reassess your authentication setup regularly. Every MFA implementation experiences some problems. They are generally not deal-breakers and tend to involve easing users into the authentication process.

Check that users are following MFA practices. And make sure privileges match up with risk assessments. Do multiple factors protect confidential data, or can general users access databases?

As new threats emerge, authentication systems can become outdated. Be prepared to update software or add new factors if the situation changes.

How can NordLayer help with MFA implementation?

NordLayer offers a suite of security tools allowing companies to create secure SSE architecture at the network edge. Guard cloud assets, on-premises data centers, and remote work laptops. And make life easy for workers to carry out their tasks.

Our products include 2FA or MFA for authentication to increase security levels while connecting to company networks. NordLayer caters to apps like Google Authenticator or Authy and USB devices to deliver security keys.

Adding MFA is quick and easy, especially when you combine authentication and SSO. The result is all-around security for critical business assets. To find out more, get in touch with the NordLayer team today.

Zero Trust is one of those most critical terms that already live rent-free in IT managers’ heads. It’s way past the emerging buzzword stage — now, Zero Trust is a security model that dictates organizational cybersecurity strategies and general security approaches. 

But how influential is the Zero Trust model? What’s its role in the near future and its place in a broader picture of cybersecurity? Let’s take a look at what trends to expect in the Zero Trust department.

Password is dead; long live Zero Trust?!

The new cybersecurity era will likely be marked by another iconic moment in the digital age. Rumor has it that we will be done with the passwords in 2023. Hard to say if it’s true, but passwords as single-factor authentication are outdated in the context of the current cybersecurity landscape.

Lost or stolen credentials surge black markets imposing risk to data security. A glance at the high numbers of the latest data breaches of 2022:

• Slash Next reports 255 million phishing-related attacks in 6 months — a 61% increase compared to 2021.
• According to Verizon, weak or stolen passwords contributed to 81% of hacking-related data breaches. 82% of breaches were triggered by human error (including social engineering attacks).
• Nvidia suffered an attack and lost the credentials (email addresses and Windows password hashes) of 71,000 employees.

Keeping in mind that 73% of employees recycle the same personal passwords for work-related accounts – NordLayer’s research about bad cybersecurity habits concluded weak passwords as one of the top vulnerabilities of organization security – the number of leaked personal credentials is a huge red flag for organizations.

Despite education and targeted reminders of password hygiene, more than half (59%) of workers tend to reuse passwords while being familiar with existing risks.

The remaining high data breach statistics only confirm the insufficiency of current actions regarding securing credentials and company data accordingly.

The Zero Trust mindset to ‘trust none; verify all’ is a straightforward change for companies to dismiss careless passwords from their systems and elevate security levels effectively. 

A quick recap: ZT, ZTA, and ZTNA

Zero Trust (ZT) is a trust algorithm that ensures resources within specific networks can be accessed only by verified endpoints — devices or users. Yet when discussing cybersecurity, additional concepts of Zero Trust Architecture (ZTA) and Zero Trust Network Access (ZTNA) emerge — what’s the difference?

An easy way to differentiate Zero Trust, Zero Trust Architecture, and ZTNA is to define Zero Trust as the driving idea, model, or mindset that puts the theoretical foundation for the application of the method.

The Zero Trust principle turns attention to the main focus points:

• Make sure to check and verify every endpoint connection request to the network.
• Solely job-mandatory access rights must be granted to perform role objectives. 
• Plan for the maximum constraint of user movement in the network in case of a breach.

Zero Trust Architecture is a practical application of the Zero Trust approach when building security policies and IT infrastructure as if there was no traditional perimeter. ZTA combines and implements solutions for:

• Endpoint verification
• Network supervision. 

ZTNA is a segment of Zero Trust Architecture that provides a solution to trusted-only application access. ZTNA is integral to the SASE and SSE frameworks for establishing security in remote cloud environments.

What changes does Zero Trust employ: ZTNA’s focus

Instead of discussing Zero Trust at theoretical levels, it’s beneficial to investigate ZTNA to understand what changes it suggests and how companies apply them.

According to Statista, the most common solution organizations used to enable Zero Trust segmentation in 2021 was ZTNA. Identity, Credential, and Access Management followed it.

The popularity of ZTNA comes from its adoption as a more efficient identity- and context-supported solution for controlling increasing attack surfaces in hybrid environments.

As ZK Research indicates, VPN was a go-to solution to manage and protect companies’ IT perimeters. However, VPN performance and security fallbacks brought by backhauling network traffic and open network access make it refer to VPN as a remote work solution only as a temporary one.

Therefore, to secure and connect remote workers while managing distributed endpoint, user, and application networks under the organization’s scope, companies turned to secure network access (SaaS, cloud, and edge) solutions, including ZTNA.

Shrinking the attack surface – limiting the threat actor’s activity in the network by requesting additional authentication or assigned permits to access internal applications – is the key feature of the ZTNA solution.

Prospects of Zero Trust in cybersecurity

Cyberattacks continuously challenge everyone, from consumers to federal agencies, hitting the weakest link — passwords. Attacks are disrupting business operations from intelligence businesses to manufacturers — any company with internet-connected systems and networks is vulnerable.

The Zero Trust approach can mitigate hardly controllable external and internal factors that might lead to a breach. ZTNA enables IT administrators to monitor, manage and interact with connections between endpoints and ultimately conclude whether the connection should be approved or denied.

Driving factors of ZTNA adoption

The peak of ZTNA matched with hybrid and remote work developments globally introduced by the COVID-19 pandemic. Although opinions tend to clash, remote work is here to stay, and ZTNA maintains its importance to business network security.

To securely return to old ways of working – the static office-contained perimeter, which is the least challenging to maintain and control – all of the workforce should come back to their corporate desks.

Migration to the cloud is gaining momentum as it offers more flexibility and reduces the complexity of traditional IT perimeter.

The password more often causes security issues than prevents it and needs to be reconsidered and redesigned to move to more sustainable solutions.

Evolved understanding of a workplace with WFA (Work From Anywhere) quickly showed the comforts of working from home or cafe, answering work emails from a personal phone, or watching TV series on a corporate laptop after working hours. Yet these blurred lines stretch the reach of unapproved applications and devices blending into the company network.

Although the digital landscape and new modern habits might be alarming, going backward seems unrealistic. Thus ZTNA helps manage current cybersecurity challenges in this technological evolution.

State of remote work 

There’s no denying that companies will have to accept the turned tables — employees now consider not how many days they will decide to work from home but how often they are willing to show up in the office.

If the workforce is not to return to the office full-time, ZTNA naturally cannot be discarded from the company’s cybersecurity strategy.

According to ZK Research 2022 Work-from-Anywhere Study, just one – or even less – out of 10 employees consider 100% work on-site, leaving most of the workforce a risk factor to data and application security.

How do companies adopt Zero Trust? 

Zero Trust is dominant in creating security strategies. Statista survey revealed that one-third of polled companies, as of January 2022, already had a formal strategy actively embracing a Zero Trust policy. Only 20 percent of respondents had no Zero Trust strategy as of 2022.

Statista also concluded that almost one-fifth of respondent organizations completely discard the Zero Trust model as a cloud security strategy while the vast majority (81%) fully or partially embrace Zero Trust model guidelines for building internal security policies.

It’s safe to say that Zero Trust has been assigned an important and influential role in shaping the security infrastructure face. The mindset combines Zero Trust backed practices of accountability, consistency, dependability, and transparency to activities and processes within the organization network.

How to transition to Zero Trust?

Benefits for businesses that adopt ZTNA to enhance the security of their network. Deploying Zero Trust-based features establishes secure cloud access and allows network segmentation for least privileged access to resources.

The model reduces insider threat by protecting internal applications and lowering the potential of account breach risk. Overall, ZTNA adoption supports the company’s journey to achieving compliance requirements.

Zero Trust Network Access is a predominant framework of any setup that deals with hybrid work as an alternative to VPN. NordLayer solution makes implementation of ZTNA easy and integrable despite the existing infrastructure in your company. Reach out to learn more about securing your business network with ZTNA within minutes.