Archive for August, 2018

Johnson Controls announces Net-Ctrl winner of CEM Systems Business Partner of the Year Awards 2018

Thursday, August 23rd, 2018

Johnson Controls has announced the winners of the CEM Systems Business Partner of the Year Awards, EMEA, 2018. Winners were honoured at CEM Systems’ annual security conference, held 23—24 May at the Galgorm Resort & Spa, Northern Ireland. Net-Ctrl received the Business Partner of the Year Award for the UK and Ireland South region.

“Johnson Controls is very fortunate to be involved in many exciting and often iconic access control projects around the world, and 2018 is no exception,” said Philip Verner, regional sales director, Building Technologies & Solutions, Johnson Controls. “Through customer endorsements and the support of our committed Approved Reseller channel, we have successfully opened up CEM Systems innovative access solutions to many new sectors and territories throughout Europe, Middle East and Africa (EMEA). The 2018 Business Partner of the Year Awards are not only given to our top EMEA business partners for high levels of sales, but are given in recognition for their ongoing commitment to accredited CEM Systems training, joint marketing initiatives and their tireless endeavour to go above and beyond when delivering successful customer projects within their respective regions.”

For the UK & Ireland, South region, Net-Ctrl received the Business Partner of the Year award in recognition of their success within the education sector. As a relatively new channel partner, Net-Ctrl has promoted CEM Systems products at various education events this year and has successfully won a number of prominent UK school security projects including Bradfield College.

Unleashing Wi-Fi for SMBs

Thursday, August 23rd, 2018

With over 30 billion connected “things” expected by 2020, it has become quite clear that consumer-grade Wi-Fi routers are simply no longer capable of meeting the needs of small and medium businesses (SMBs). These days, even smaller businesses are demanding fast, reliable, always-on connectivity for dozens or hundreds of connected devices. However, small and medium businesses often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments.

This is precisely why we are making Wi-Fi easy for SMBs with Ruckus Unleashed. Our controller-less, high-performance and affordable portfolio of access points (APs) can be up and running in five minutes or less. In addition, Unleashed enables anyone to manage their network from an intuitive Unleashed mobile app or website browser. Let’s take a closer look at the Ruckus Unleashed solution below, starting with our access points.

Ruckus Unleashed Access Points (APs)

Our Unleashed access points leverage a range of advanced Ruckus technologies to deliver higher speeds, optimized coverage and more reliable connections for SMBs. Examples include BeamFlex+, which helps APs provide optimal performance for every device – every time – by adaptively re-configuring antenna patterns.

In addition, ChannelFly utilizes advanced machine learning to select the least congested channels, while SmartMesh wireless meshing technology dynamically creates self-forming and self-healing mesh networks. In addition, Unleashed APs are packed with a range of enterprise-class features that are simple for just about anyone to manage. These include WPA encryption and DPSK security, guest connectivity services via a self-service portal or through social media, in-depth monitoring of network usage patterns (deep packet inspection), application-specific access rules and network resiliency.

As we discussed above, Ruckus Unleashed access points are designed for small and midsize businesses, such as law firms, health clinics and insurance agencies. They can be deployed in small and midsize retail outlets, including stores, restaurants and coffee shops. Ruckus Unleashed APs are also the perfect choice for multi-dwelling units (MDUs) like large homes, small apartments and housing structures that require uninterrupted, pervasive coverage. In addition, Ruckus Unleashed APs can benefit smaller primary school classrooms that require higher-bandwidth and uninterrupted Wi-Fi coverage for digital learning. Ruckus Unleashed access points support single or multiple location installation options, with up to 25 APs and/or 512 concurrently connected clients per deployment.

The Ruckus Unleashed Mobile App

A Ruckus Unleashed network can be installed in under five minutes by simply configuring a single Ruckus master access point. The master AP settings are automatically replicated and subsequently pushed to all network APs via our Unleashed Zero-Touch Mesh feature. Put simply, we make installation, configuration and basic network management easy for even non-technical users with the Ruckus Unleashed mobile app for iOS and Android.

Indeed, SMBs can use the Ruckus Unleashed mobile app to monitor and manage their networks from anywhere in the world. More specifically, the mobile app enables SMBs to see how many clients and APs are connected, monitor ongoing network traffic, observe which applications are using the most data on the network, view important alerts at a glance and create rules to deny access to any website.

In addition, SMBs can quickly create a new wireless LAN or edit an existing network, run SpeedFlex to test Wi-Fi speeds, conduct basic troubleshooting using ping test or trace route, reboot APs and block misbehaving clients. The Ruckus Unleashed Mobile App, which is built around an intuitive user interface (UI), also features detailed dashboards, graphs and charts. These allow SMBs to drill down and view in-depth data, such as how much (uplink/downlink) traffic has been flowing through specific APs, for example.

Ruckus Unleashed Multi-Site Manager

The Ruckus Unleashed Multi-Site Manager (UMM) – which supports up to 1,000 Unleashed networks or 10,000 APs – offers SMBs more advanced options for managing multiple Unleashed networks deployed across various geographic locations. Designed to provide a ‘single pane of glass’ view with intuitive and customizable dashboards, the Ruckus Unleashed Multi-Site Manager displays near real-time insights about connected access points (APs) and clients, along with map views of networks and recent activity.

In addition, the Ruckus Unleashed Multi-Site Manager enables SMBs to create customized reports and alerts, as well as easily perform key administrative tasks such as the creation of role-based access and management of SSL certificates with a click of the mouse. SMBs can also use the Multi-Site Manager to build a database backup file with relevant site configuration data, replicate the network at a different site with the ‘cookie-cutter’ backup file and quickly restore a site in case of disruption.

Conclusion

The proliferation of connected devices has made it almost impossible for consumer-grade Wi-Fi routers to continue meeting the needs of small and medium businesses. However, SMBs often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments. That is why we are making Wi-Fi easy with Ruckus Unleashed.

Our controller-less, high-performance and affordable portfolio of access points (APs) can be up and running in just five minutes using the Ruckus Unleashed mobile app for Android or Apple iOS.

Interested in learning more about Ruckus Unleashed for SMBs? Visit the Unleashed product page or download the Unleashed data sheet.

View the original post by Ruckus Networks.

Are All Your Critical Network Management Processes Automated?

Monday, August 20th, 2018

There are several network management processes that should be performed on a regular basis to ensure the network is running optimally with minimum downtime. However, these tasks are often tedious and repetitive to perform manually, so they are commonly delayed or not completed, leaving the network potentially vulnerable and in a less than optimal state.

For example:

Compliance Processes: Do all switch and access point configurations comply with the organisation’s policies? The security settings of the routers, switches and access points, and the network management settings, need to be checked on a regular basis against network policies. Are all network devices configured to send syslog to the correct repository?

Network Utilisation: Are there unused switch ports, and could connections be consolidated and perhaps some switches be re-deployed to other network locations? Or is the network getting close to full capacity and should new switches and access points be deployed to handle more traffic and users?

Network Resiliency: Does the network offer sufficient L2 and L3 redundancy? For example, are first hop redundancy protocols (like VRRP) configured and operating correctly?

Backing up configuration files: Are all the configuration files saved to non-volatile storage on the device and to backup storage?

Many network management platforms (NMS) offer tools to enable network administrators to perform these tasks interactively but having IT personnel run these tasks manually is time-consuming, error-prone and expensive. These tasks should be automated to ensure that the network is running optimally.

Many NMS are designed without automation in mind, so traditional network automation approaches bypass the NMS to monitor and control network devices directly through SNMP, SSH, or other standard or proprietary protocols.

Limitations of the traditional approach:

The device discovery and registration process and the intelligence provided by the NMS cannot be accessed programmatically. The same applies to historical data aggregation and correlation. Data polling is inefficient and resource intensive. Compliance can suffer because company-specific compliance processes are too hard to automate.

SmartZoneOS 5 offers a comprehensive library of well-documented REST APIs that enables any application to programmatically invoke just about any network management function offered by the SmartZoneOS graphical user interface (GUI) or command line interface (CLI).

IT managers and third-party applications can automate network processes by accessing the SmartZoneOS functions from within their own management and automation platforms and issue direct commands without creating error-prone proprietary scripts. Ruckus itself makes use of these APIs within its own products.

A full set of near real-time MQTT/protocol buffer data streams enables third-party applications to ingest all network data, statistics and alarms (from clients, APs, switches, WLANs, controllers and clusters) with little delay, no fidelity loss and no need to create a firewall pinhole. These data streams enable the recreation of SmartZone dashboard elements or custom dashboards for internal and external consumption. Ruckus itself makes use of this capability to enable its own network analytics and reporting software.

Each SmartZone network controller supports access to a complete set of network machine-level metrics, enabling it to plug directly into existing automated backend systems and provide a ‘headless’ interface for the network infrastructure.

View the original post by Ruckus Networks.

What Is Secure Onboarding, and Why Is It Such a Challenge?

Monday, August 20th, 2018

At Ruckus Networks, we have a lot of discussions with customers and prospective customers about secure onboarding. We’ve come to realise that it’s a term that is not universally understood. The thing it describes is real, but people don’t always use that term for it. We need to do some work to familiarise the IT world with the term in a networking context. So what exactly do we mean when we say “secure onboarding”?

Let’s Start by Defining “Onboarding”

You have probably heard the term onboarding used to refer to a human resources process that’s about getting new employees integrated into an organisation. When someone starts a new job, they fill out some paperwork (or these days, online forms), go through an orientation, get a tour of their new office building and so on. That’s not the kind of onboarding we’re talking about in the context of network infrastructure and connectivity, which might be a source of confusion.

Actually, though, it’s tangentially related, because when new employees arrive, one of their first questions is likely to be “How do I connect to the Wi-Fi with my tablet?” (or their phone, or their personal laptop). The same thing happens on move-in day at college campuses, where the range of devices that need to connect is often much broader. It also occurs in primary and secondary schools where students are allowed to connect with personal devices.

Precision matters here, and what we are really talking about is network onboarding. Simply stated, in a networking context, onboarding means the process by which a BYOD or guest user gains access to the network for the first time with a device (or an IT-owned device connects to the network, for that matter). Every environment is different, but users in a variety of organisations often struggle with this process. This can lead to user frustration and excess trouble tickets for the IT team.

User Expectations Are Set by Experiences with the Carrier Network and Home Wi-Fi

What creates this frustration with network onboarding? Why do organisations find this process such a challenge? It originates in the gap between user expectations and user experience. When someone activates a new mobile phone, the service desk at the carrier retail outlet plugs in a SIM and you’re good to go. It’s a set-it-and-forget-it experience.

Users’ experience with their home Wi-Fi network is also simple. They look for the name of their Wi-Fi source and enter the password, or pre-shared key (PSK). They don’t roam between different sources of connectivity within the home; they always connect to the same home router. The device always seems to connect without problems when they return after going out. Users control their own Wi-Fi password: when it changes, and whether it changes at all. Or their roommate or spouse can easily give them a heads-up when that person changes the PSK, so it’s no big deal. Between their experience with the carrier network and home Wi-Fi, users are conditioned to expect easy connectivity without having to think much about it.

Things get much more complicated in an enterprise office environment, and in schools and colleges. But those expectations for a set-it-and-forget-it experience remain. We’ve blogged before about the user experience issues with default methods of network onboarding and authentication. Historically, organisations have often relied on default methods of network onboarding, but more and more they are adopting systems to streamline this process.

Secure Network Onboarding Plugs Wireless Security Holes

There’s one aspect of the secure onboarding challenge that we haven’t addressed yet, and that’s the security piece. Secure network access is an often-overlooked area within the IT security domain. It’s a challenge because too many IT organisations rely on the default methods for network onboarding and authentication that are built into their networking infrastructure.

The risks inherent in unsecured Wi-Fi don’t get as much attention as some other threats, but they are very real. Prying eyes can spy on unencrypted data traffic, and undifferentiated access can leave sensitive data exposed to unauthorised users. The latter is an issue even over a wired connection. Insecure devices can bring malware, ransomware and other bad things into your environment. For more detail on these and other potential security holes related to network access, please refer to our previous blog on this topic.

Network onboarding alone isn’t enough; secure network onboarding is essential to plug these security holes. Adding to our previous definition, secure network onboarding means the process by which a BYOD or guest user securely gains access to the network for the first time with a device. And those security holes must stay plugged on subsequent connections, too.

Often there are trade-offs between user experience and security. We’d all be a lot safer if we just unplugged our computers from the internet—but no one could get any work done that way. Or users and devices would be safer if IT locked down every computer so that no new software could be installed. That’s at best impractical (for IT-owned devices) and at worst impossible (for unmanaged BYOD devices).

Secure network onboarding is that rare product category where the usual trade-offs between user experience and security do not apply. You can have your cake and eat it too—better user experience and increased security for users, devices, data and the network. If this sounds intriguing, now is a great time to consider Cloudpath Enrollment System, the Ruckus Networks offering in this corner of the security taxonomy. Our new product overview video encapsulates the value it provides in less than two and a half minutes.

View the original post by Ruckus Networks.

Gemalto Boosts Cloud Security with a Scalable Virtual Key Management Solution

Tuesday, August 14th, 2018

Gemalto announced a next-generation key management solution, SafeNet Virtual KeySecure, for simpler and stronger cloud security. Companies can extend their data protection policies to private and public clouds and centralize encryption and key management operations across multiple cloud environments.

SafeNet Virtual KeySecure integrates with leading cloud service providers and virtual platforms such as AWS, Microsoft Azure, Google Cloud Platform, IBM Cloud, VMware, Microsoft Hyper-V and OpenStack, to provide companies with a single key management solution spanning multiple private or public cloud environments.

As a result of the ongoing digital transformation within many organizations, data now resides across a growing number of cloud environments and web applications. Security teams are finding it ever more challenging to manage data protection policies, and solutions are often time-consuming and manual. Data protection operations can be simplified by using SafeNet Virtual KeySecure to uniformly view, control, and administer cryptographic policies and keys for sensitive data.

Companies can improve key security and simplify the audit preparation process by retaining ownership and control of encryption keys.

“Businesses need options when it comes to cloud security and shouldn’t be limited to working in just one environment. With SafeNet Virtual KeySecure, organizations are able to move more workloads to the cloud and easily monitor the access and movement of their encrypted data,” said Todd Moore, senior vice president of Encryption Products at Gemalto. “We are seeing a lot of customers who are interested in taking advantage of the business continuity offered by cloud environments, without compromising the security of their most critical asset, data. Current KeySecure customers would also be able to benefit from this new platform and we will be sharing details of a clear migration path with them in the near future.”

SafeNet Virtual KeySecure offers customers:

  • Centralized Key Management: Centralized, efficient auditing of key management offers simplified compliance for cloud environments and consolidates key security policies across multiple, disparate encryption systems, protecting current investments
  • Flexibility: Customers can easily deploy flexible, high-availability configurations which are built on the latest industry standards, including containers and microservices, across geographically dispersed data centers or cloud service providers.
  • Compatibility: Compatibility with the OASIS Key Management Interoperability Protocol (KMIP) standard provides support for a large, growing partner ecosystem, including the SafeNet Data Protection portfolio, which gives customers a broad spectrum of supported use cases. SafeNet Virtual KeySecure also supports key storage in on-premises hardware security modules (HSMs).

According to Sudesh Kumar, Founder and CEO of Kapalya, a California-based start-up: “As businesses connect to more devices and cloud platforms, they need solutions that offer security without limiting their potential for innovation. With SafeNet Virtual KeySecure, we’re now able to offer the ability to protect data in a seamless and cost-effective way across endpoints, public clouds and private clouds. Businesses should no longer be held back in making full use of the cloud while retaining control of some of their most important assets.”


Reddit Breach Takeaways: MFA and Access Management

Tuesday, August 14th, 2018

For years corporations and security professionals have been urged to implement multi-factor authentication (MFA) as the solution for cybersecurity concerns. While MFA isn’t a silver bullet that solves all your cybersecurity concerns, it is a key component in elevating the security of an organization and adding a very important layer of protection. Industry trends are taking MFA to new levels by incorporating it into Access Management Solutions. This shift is being driven by concerns around an evolving IT perimeter where traditional solutions are being exploited and organizations are falling victim to cyber-attacks.

The recent news about a breach from Reddit validates the momentum in the cybersecurity world towards access management solutions. The social media platform, considered the 5th top rated website in the U.S., shared that a few of their employees’ administrative accounts were hacked. While they did in fact have their sensitive resources protected with two-factor authentication (2FA), they were surprised to learn that SMS-based authentication was not as secure as they had hoped.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” – Reddit


The weakness of SMS tokens was discussed in 2016: the draft guideline of the U.S. National Institute of Standards and Technology (NIST) stated that SMS-based two-factor authentication is risky. We also wrote about this in August 2016 in our blog, encouraging the use of software tokens which leverage push authentication, like the SafeNet MobilePASS+ token.

SAML-based Access Management mitigates risks

Since the issues with SMS have been exposed, why didn’t Reddit implement strong multi-factor authentication using software- or hardware-based tokens? It turns out they in fact do, as a general practice. In a separate thread, Reddit CTO Chris Slowe said that the company, as a rule, had required staff with data access to use a two-factor authentication solution that included a time-based one-time password (TOTP). However, he added, “there are situations where we couldn’t fully enforce this on some of our providers since there are additional “SMS reset” channels that we can’t opt out of via account policy.” Had they protected their resources with a SAML-based Access Management Solution, this option would have been overridden, immediately mitigating the risk involved with it. The fact remains that through SMS-based authentication they were exposed, but how did that happen?

Chris Slowe claimed that he knew that the target’s phone wasn’t hacked. However, it is important to understand that hacking the phone is only one of the avenues by which SMS authentication can be hijacked. We’ve seen examples in movies where a phone is cloned, or where enterprising hackers call the mobile carrier to request that the SIM be redirected to a new phone (i.e. call forwarding).

The intrinsic problem with SMS tokens is that they rely on SS7, or Signaling System No. 7. SS7 is a telephony signaling protocol used by more than 800 telecommunication operators worldwide for information exchange, cross-carrier billing and enabling roaming, to name a few. A number of tools are available that can intercept SS7 traffic.

How then did Reddit find themselves exposed? The fact is given enough money and determination, cyber criminals can find ways around many of the safeguards that are put in place today. The most likely scenario is that the hacked users fell victim to phishing or various other social engineering attacks.

Taking Identity and Access Management Solutions to New Levels

These forms of attack are ultimately what is prompting many security professionals to take their digital security practices to new levels, combining technologies to implement zero-trust networks. The importance of implementing a strong authentication solution provided by a trusted vendor cannot be overstated; organizations simply cannot rely on static passwords any longer.

While Reddit laments after the fact that SMS-based authentication wasn’t as strong as they thought, this is not the only lesson that can be learned from their exposure. What they were truly lacking was a complete solution which not only enforced multi-factor authentication but also enabled access management controls to be implemented.

Effective Identity Management Integration

Consider for a moment that Reddit had implemented an access management solution alongside their use of 2FA (even with the SMS tokens). A strong access management solution would enable them to create policies around their applications and groups of users, which would have enabled them to continue using their chosen 2FA method, but would have added an additional layer of security in the form of context-based authentication, which could have prevented this breach from occurring.

Some examples of beneficial policies for an access management solution: given that Reddit’s primary offices are located in the US and Ireland, they could have set up an access policy that denies access from any country outside those locations. Or they could have set a policy for the group of administrative users who found the multi-factor token cumbersome, letting them leverage their Kerberos ticket when in the office and prompting for an OTP only when working remotely, thus balancing user experience and security and protecting their environment from outsider attacks.

[Figures from the original post: “Forbidden Workers Access Policy” and “Access Policy with Integrated Windows Authentication (Kerberos)”]

By integrating their systems with an access management solution that supports multiple different authentication methods they could still use the preferred SMS authentication option, but add an access policy which requires them to provide a new unique OTP any time a resource is accessed, or requires the user to input both an OTP as well as their password for an extra layer of authentication security.

Identity Access Management solutions: Access controls add protection

With a strong access management solution, they would also have access to logs and reporting. This would enable them to isolate and track exactly which users were accessing applications at a given time. If the users were leveraging a software token like MobilePASS+, they would have received a notification when an access attempt was being made by their userID and subsequently had the opportunity to deny the attempt or report it immediately to their security desk.
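The policies described above (geo-restriction, Kerberos in the office with OTP step-up when remote, a fresh OTP per resource access) and the audit trail this section mentions, as an added example that is not Gemalto's, SafeNet Trusted Access's or Reddit's code; the allowed countries, office address range, group names and request values are constructed assumptions.

```python
# Added example: a minimal context-aware access policy engine with an audit trail.
# All constants and sample requests below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

ALLOWED_COUNTRIES = {"US", "IE"}                           # assumed office countries
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed in-office range
SECOND_FACTORS = {"totp", "sms_otp"}                       # OTP types the policy accepts


@dataclass(frozen=True)
class AccessRequest:
    user: str
    group: str                 # e.g. "admins" or "staff"
    resource: str              # application being accessed
    source_ip: str
    country: str               # result of an upstream GeoIP lookup (assumed)
    has_kerberos_ticket: bool  # Integrated Windows Authentication succeeded
    factors: FrozenSet[str]    # factors presented: "password", "totp", "sms_otp"
    otp_fresh: bool            # OTP was issued for this request, not reused


@dataclass(frozen=True)
class Decision:
    action: str                # "allow", "deny" or "step_up"
    reason: str
    required: FrozenSet[str] = frozenset()   # factors still needed on step_up


AUDIT_LOG: List[Dict[str, str]] = []


def _in_office(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def decide(req: AccessRequest) -> Decision:
    # Policy 1 (geo): deny any attempt from outside the countries where staff work.
    if req.country not in ALLOWED_COUNTRIES:
        return Decision("deny", f"source country {req.country} not permitted")
    # Policy 2 (IWA): admins on the office network with a Kerberos ticket skip the OTP.
    if req.group == "admins" and _in_office(req.source_ip) and req.has_kerberos_ticket:
        return Decision("allow", "office network with Kerberos ticket")
    # Policy 3 (step-up): everyone else presents password plus a fresh OTP per access.
    missing = set()
    if "password" not in req.factors:
        missing.add("password")
    if not (req.factors & SECOND_FACTORS):
        missing.add("otp")
    if missing:
        return Decision("step_up", "additional factors required", frozenset(missing))
    if not req.otp_fresh:
        return Decision("step_up", "new OTP required for each resource access",
                        frozenset({"otp"}))
    return Decision("allow", "password and fresh OTP presented")


def evaluate(req: AccessRequest) -> Decision:
    """Apply the policy and record the attempt so reporting can show who accessed what."""
    d = decide(req)
    AUDIT_LOG.append({"user": req.user, "resource": req.resource, "ip": req.source_ip,
                      "country": req.country, "action": d.action, "reason": d.reason})
    return d


def attempts_for(user: str) -> List[Dict[str, str]]:
    """Every recorded attempt by one user, in order, for incident reconstruction."""
    return [e for e in AUDIT_LOG if e["user"] == user]


if __name__ == "__main__":
    # Constructed sample: an admin abroad with a (possibly intercepted) SMS code is denied.
    abroad = AccessRequest("alice", "admins", "source-control", "203.0.113.9", "RU",
                           False, frozenset({"password", "sms_otp"}), True)
    print(evaluate(abroad))
    for entry in attempts_for("alice"):
        print(entry)
```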

The problem in this case wasn’t that they were using a weak authentication method, though that certainly didn’t help. The real issue was that the organization lacked the appropriate access controls. With effective Cloud Access Management, including multi-factor authentication, organizations can sufficiently protect their employees’ user identities and their applications containing sensitive data, and prevent customers’ data from being exposed.

Want to prevent breaches and strengthen your Access Management strategy? Read about SafeNet Trusted Access or join a Gemalto 30-minute live demo webinar.

View the original Press Release at Gemalto.com.