Archive for December, 2018

2018 Annual Digest of Identity and Access Management

Thursday, December 20th, 2018

Identity and Access Management continues to be a key component in building an enterprise’s cyber security strategy. Today we are presenting our observations of Identity and Access Management in 2018. What happened this year? What can enterprises learn from events in the media in terms of Cyber Security in general, and Identity and Access Management specifically?

Here is a brief timeline of significant regulations, data breaches and world events that were marked by the media, including Gemalto sources, and what each of these events signified for the Identity and Access Management arena:


Q1

February 1
PCI DSS 3.2 takes effect

What happened
This payment card regulation affects individuals who access systems which hold credit card data. From February 1, 2018, they are required to authenticate themselves with multi-factor authentication. The Payment Card Industry Data Security Standard was developed to encourage and enhance cardholder data security and facilitate broad adoption of consistent data security measures globally. The ultimate aim is to reduce credit card fraud.

Lessons learned
Companies should already be far along the road to PCI DSS 3.2 compliance by now. They should be prioritizing compliance by working with partners on encryption, key management and authentication.

Q2

May 19
The Royal Wedding

What happened
When Prince Harry married Meghan Markle, thousands of reporters were present, and yet the details of Meghan’s dress, its manufacturer and its designer remained secret. While the inner workings of the dress designer, Givenchy and the Royal Family network will remain privileged, it seems that part of the reason the secret held was that the work was confined to locations which were secured physically.
Lessons learned

Physical seclusion is not always possible for fashion industries and other global enterprises today. They often collaborate on Computer Aided Design (CAD) software alongside cloud-based applications, and some require reports that provide visibility into login attempts into their ecosystem. An identity and access management solution as a service (IDaaS) can help fashion enterprises or governmental institutions ensure that only the right person receives the right information at the right time, without endangering the enterprise or its end customers.

May 25
General Data Protection Regulation (GDPR) begins

What happened

General Data Protection Regulation (GDPR), requires companies to be more accountable to their EU-based users on how their data is controlled and used. It also requires companies to notify their local data protection authority regarding suspected data breaches.

Lessons learned

Although GDPR can fine organizations for data breaches, these fines may be reduced if the organizations can prove that they have deployed security controls to minimize damage. To help your organization handle GDPR, identity and access management provides a first line of defense for the sensitive user data harbored in your company’s cloud and web apps. With scenario-based policies and convenient access management, you can help your enterprise avoid costly GDPR fines or sanctions.

Q3

August 1
Reddit’s Company Cloud Attacked

What happened
Reddit, the social media platform, considered to be the 5th top rated website in the U.S., shared that a few of their employees’ administrative accounts were hacked. An attacker gained access to data through Reddit’s company cloud after compromising some accounts.

Lessons learned
While they did in fact have their sensitive resources protected with two-factor authentication (2FA), Reddit encouraged users to move to token-based 2FA. For years corporations and security professionals have been urged to implement multi-factor authentication (MFA) as the solution for cybersecurity concerns. While MFA isn’t a silver bullet that solves all your cybersecurity concerns, it is a key component in elevating the security of an organization and adding a very important layer of protection.

September 25
Facebook Mega Breach

What happened

The September 2018 Facebook breach was not only a ‘mega’ breach in terms of the 50 million users affected, but also a severe breach due to the popularity of the social media giant. Cyber criminals got ahold of users’ FB login credentials. The breach was compounded by the fact that many users utilize their Facebook credentials to log into other social media sites, which means that the hackers were able to access not only a user’s Facebook account, but also all other accounts that use Facebook login credentials.

Lessons learned
The risks that consumers were exposed to as a result of buffet-style sign on in the Facebook case, also apply to the enterprise. Fortunately, there is a solution: To maintain the convenience of single sign on without compromising on security, enterprises can use Smart Single Sign-On.

Q4

November 30
Quora and Marriott Hotels announce massive breaches of user data

What happened
The Q&A site Quora suffered a massive breach of user data, including the compromise of 100 million users’ credentials. On the same day, the Marriott International hotel chain suffered a serious breach, allegedly undetected for 4 years!

Lessons learned
In the Quora case, similar to Facebook, accounts are linked to other social media sites such as games and quizzes, so that access to one account opens the doors to related data. The Marriott Hotel incident shows that it’s not enough to protect your data. It also deals with access issues involved with mergers and acquisitions – in this case merging the Starwood Reservation system with Marriott. You need to see who is accessing your networks and see if there is any unusual activity, right from the start. Monitoring and reporting capabilities in an access management solution can help organizations gain insights into unauthorized access attempts.

Identity and Access Management as a Strategy, 2019-style:
In 2019, it is inevitable that there will be more cyber security violations, including corporate identity theft. And it’s likely that more regulations will be put in place to force enterprises to be proactive, not just reactive.

The question is what organizations will do to brace for these breaches. For more information on how your enterprise can prevent breaches, enable the continuous business transformation of its resources securely and simplify compliance, learn more about Gemalto’s SafeNet Identity and Access Management, request a 30 minute demo of SafeNet Trusted Access or watch our video, “How Access Management Enables Cloud Compliance.”

View the original post at Gemalto.com.

Simplifying Network Management with Ruckus SmartZone

Wednesday, December 19th, 2018

First introduced in 2015, SmartZone-powered controllers combine scalability, tiered multi-tenancy, architectural flexibility, and extensive APIs into a single centrally-managed element. These capabilities enable managed service providers to implement complex, multi-tier and as-a-service business models using their own management applications. They also allow operators to manage subscriber data traffic on a massive scale while integrating traffic flows and network data into existing network architecture.

Ruckus SmartZone products have been deployed in thousands of enterprises and in more than 200 service provider networks across five continents.

Unifying Network Management

IT departments seeking to manage both wired and wireless networks via a single console have traditionally needed to purchase a stand-alone network management element for on-premises management scenarios. Fortunately, Ruckus SmartZoneOS 5 has transformed the industry’s most scalable WLAN controllers into a comprehensive single network element to control and manage both Ruckus access points (APs) and switches. This simplifies network management by:

  • Eliminating provisioning errors through the use of an automated discovery process for access points (APs) and switches.
  • Reducing configuration and deployment duration when compared to a multi-console approach.
  • Reducing network software and hypervisor license fees, server expense, utility expense, and training costs.
  • Enabling a single network controller cluster to scale to 450,000 clients.
  • Enabling networking-as-a-service.

It should be noted that Ruckus SmartZone also includes open, well-documented RESTful application programming interfaces (APIs) that allow IT departments to easily invoke SmartZone functions and configurations to enable error-free automation. In addition, streaming APIs enable IT to monitor in near real-time the full array of Ruckus network data, statistics, and alarms. This means IT departments can more easily create customized, information-dense dashboards and reports.

Ruckus SmartZone Lineup: SZ300 & SZ100

Let’s take a closer look at Ruckus’ SmartZone lineup below, beginning with the Ruckus SmartZone 300 (SZ300) which is targeted at operators, MSPs, and large enterprises. Key features and benefits include:

  • A single SZ300 appliance can manage 10K APs and 500 switches, while 3+1 active clustering increases capacity to 30K APs, 1,500 switches, and 450K clients.

  • 6x 1GbE ports, 4x 10GbE ports.
  • The SZ300 protects itself from catastrophic failures with intra-cluster and inter-cluster failover. Geo-redundancy with active/active clusters delivers higher availability versus traditional hot-standby. Hot-swappable power supplies, 3x fan sets, and redundant disk drives further improve uptime.
  • Multi-tenancy, domain segmentation, and containerization enable secure delivery of managed network services in complex, multi-tier business models across multiple geographies, including MVNO models.
  • Visual Connection Diagnostics speeds and simplifies troubleshooting and client problem resolution while unique “super-KPIs” enable IT to more quickly detect and react to potential user experience degradation.
  • Optional Ruckus Cloudpath integration lets IT create rich location-, device- and user-based policy rules, enabling network segmentation based on real security and policy needs rather than on a one-size-fits-all approach.
  • The SmartZone OS advanced feature set includes rogue AP detection and mitigation, adaptive band balancing, load balancing, airtime fairness, hotspot, and guest services, capacity-based admission control, and more.

Meanwhile, the Ruckus SmartZone 100 (SZ100) is a scalable network controller for mid-sized enterprises. Key features and benefits include:

  • A single SZ100 appliance can manage up to 1,000 APs, while 3+1 active clustering increases capacity to 3,000 APs and 30K clients.
  • 4x 1GbE ports, 2x 10GbE ports.
  • Active/active clustering delivers higher availability and resiliency than traditional N+1 standby. 3x fans further improve uptime.
  • Visual Connection Diagnostics speeds and simplifies troubleshooting and client problem resolution while unique “super-KPIs” enable IT to more quickly detect and react to potential user experience degradation.
  • Optional Ruckus Cloudpath integration lets IT create rich location-, device- and user-based policy rules, enabling network segmentation based on real security and policy needs rather than on a one-size-fits-all approach.
  • The SZ100 can store up to 30 days of network configuration and client data on internal storage drives even with reboots.
  • Automated AP and switch provisioning; L3 and L2 auto-discovery of APs and switches reduce manual administration.
  • The SmartZone OS advanced feature set includes rogue AP detection, interference detection and mitigation, band steering, airtime fairness, hotspot, guest networking services, and more.

Ruckus SmartZone Lineup: vSZ-H and vSZ-E

The Ruckus Virtual SmartZone – High-Scale (vSZ-H) enables operators and managed service providers (MSPs) to easily, flexibly, and securely deliver Networking-as-a-Service (NaaS). Key features and benefits include:

  • A single cluster scales to 450K clients, 30K APs, and 1,500 switches.
  • A single low-cost license and a commodity x86 server with any popular hypervisor are all that’s needed for a vSZ-H instance.
  • Active/Active 3+1 clustering eliminates idle controller capacity and data loss during redundant failover while minimizing configuration time when nodes are added.
  • The vSZ-H centralizes LAN and WLAN management and flexibly integrates with the Virtual SmartZone – Data Plane (vSZ-D) or external WLAN gateways to accommodate complex data plane routing topologies.
  • Sophisticated zone and domain segmentation give service providers the flexibility to supply non-hosting partners with their own domains, to run different SmartZone OS versions in different zones, and countless other options.
  • An independent, containerized tenant architecture minimizes the risk of degraded end-user experience and enhances data privacy between tenants.

Meanwhile, Virtual SmartZone – Essentials (vSZ-E) offers mid-sized enterprises flexibility, lower deployment costs, and the ability to scale a network up to 60,000 clients. Key features and benefits include:

  • A single cluster scales to 60K clients, 3,000 APs, and 50 switches.
  • A single low-cost license and a commodity x86 server with any popular hypervisor is all that’s needed for a vSZ-E instance.
  • Active/Active 3+1 clustering eliminates idle controller capacity and data loss during redundant failover while minimizing configuration time when nodes are added.
  • The vSZ-E centralizes LAN and WLAN management and flexibly integrates with the Virtual SmartZone – Data Plane (vSZ-D) or external WLAN gateways to accommodate complex data plane routing topologies.
  • IT can offload WLAN and connectivity services such as DHCP/NAT to the AP or vSZ-D to reduce expenses for separate routers and servers.

SmartZone: Ruckus APs and Switches

Ruckus SmartZone controllers are designed to manage Ruckus’ extensive lineup of indoor and outdoor access points. Our AP family offers a solution for every deployment scenario including small businesses, wireless LANs, and mission-critical high-density carrier grade installations. Ruckus outdoor access points are suitable for a range of environments and offer a choice of mounting and antenna options, with outdoor point-to-point bridges providing connectivity between remote sites.

As a comprehensive single network element, SmartZone also manages the Ruckus ICX switch family, which can be deployed standalone, stacked or installed within a campus fabric. Switch management features offered by SmartZone include discovery and inventory, SNMP monitoring, link discovery, firmware upgrades, as well as backup and restore functions. By using SmartZone, organizations can proactively monitor their network, perform network-wide troubleshooting, generate traffic reports and gain visibility into the network activity from the wireless edge to the core.

Are you interested in learning more about the Ruckus SmartZone platform?

Submit a contact form or email sales@net-ctrl.com and we can set up a demo for you.

View the original publication at The Ruckus Room.

Getting Wired for Wireless: Power

Thursday, December 13th, 2018

Continuing our Wired for Wireless series where our most recent installment talked about performance, this blog will discuss Power over Ethernet and its importance when deploying access points.

Power over Ethernet (PoE) is typically provided for access points (APs), as well as other devices such as voice over IP (VoIP) phones, IP TVs, and video cameras. Although there are many devices that draw power directly from the switch, PoE is particularly important for APs. As such, a primary concern for customers planning an AP refresh is ensuring that sufficient power will be delivered at the switch.

Previous generations of access points could operate on a PoE budget of 15 watts of power at the switch. However, AP radios have evolved considerably and now demand more power. Today, most APs up to and including Wi-Fi 5 (802.11ac) draw 30 watts of PoE. However, while the latest Wi-Fi 5 APs can theoretically operate on 30 watts of power, they need just a little bit more to achieve top performance, drive all the radios, and provide power to the USB port. Next generation Wi-Fi 6 (802.11ax) APs demand even more power. While they operate on PoE+ power, they will require more to drive their 8×8 radios for peak performance.

This is precisely why the IEEE recently defined IEEE 802.3bt. The standard outlines two additional power types to bolster PoE: up to 55 W (Type 3) and up to 90-100 W (Type 4). IEEE 802.3bt also stipulates that each twisted pair must support a current of up to 600 mA (Type 3) or 960 mA (Type 4). In addition, IEEE 802.3bt includes support for 2.5GBASE-T, 5GBASE-T, and 10GBASE-T.

Several vendors already have switches that support 60 watts, although only Ruckus supports 90 watts of power per port. Although there are relatively few devices that require more than 30 watts, more and more power-hungry devices are hitting the market with an ever-expanding appetite for more power. Such devices include LED lighting, high-end video displays, and pan tilt zoom cameras that can consume up to 75 watts and beyond.

This is precisely why we have designed our switches to deliver the power needed for dense Wi-Fi deployments, as well as for other powered devices. Ruckus switches can support Power over Ethernet (PoE) on all 24 or 48 ports with a single power supply – and PoE+ on all ports. As noted above, with dual power supplies, we are the only vendor that currently supports up to 90 watts power per port. Put simply, Ruckus delivers power to spare.
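The budgeting exercise the post describes (does every powered device fit the PoE type of its port, and does the total fit the power supplies?) as an added example; this is not code from the Ruckus post. The per-port PoE limits are the figures quoted above; the switch profiles, device draws and the 50 V nominal PSE voltage are constructed assumptions.

```python
"""PoE budget check for an access-point refresh.

Added example, not code from the Ruckus post. The PoE type thresholds are the
per-port figures the post quotes (15 W PoE, 30 W PoE+, 55 W 802.3bt Type 3,
90 W 802.3bt Type 4); the switch capacities and device draws below are
constructed sample values, not any vendor's published specification.
"""
from dataclasses import dataclass

# (label, maximum watts delivered at the port), ordered smallest to largest.
POE_TYPES = [
    ("PoE (802.3af)", 15.0),
    ("PoE+ (802.3at)", 30.0),
    ("802.3bt Type 3", 55.0),
    ("802.3bt Type 4", 90.0),
]


def poe_type_for(watts):
    """Return the smallest PoE type whose per-port limit covers `watts`, or None."""
    for label, limit in POE_TYPES:
        if watts <= limit:
            return label
    return None


def loop_power_w(pair_current_ma, pse_volts=50):
    """Upper bound on the power a 4-pair 802.3bt port can deliver.

    Current leaves the PSE on two pairs and returns on the other two, so the
    loop current is twice the per-pair limit the post quotes (600 mA Type 3,
    960 mA Type 4). 50 V is an assumed nominal PSE output voltage.
    """
    return pair_current_ma * 2 * pse_volts / 1000


@dataclass
class Switch:
    name: str
    ports: int
    per_port_max_w: float  # highest PoE type a single port can deliver
    budget_w: float        # total PoE budget of the installed power supplies


def check_budget(switch, devices):
    """Check a list of (device_name, watts) against a switch's PoE limits.

    Returns the total draw, the headroom left in the supply budget, the
    devices that need more than any single port can give, how many devices
    have no port at all, and an overall verdict.
    """
    over_port = [name for name, w in devices if w > switch.per_port_max_w]
    total = sum(w for _, w in devices)
    unassigned = max(0, len(devices) - switch.ports)
    return {
        "switch": switch.name,
        "total_draw_w": total,
        "headroom_w": switch.budget_w - total,
        "over_port_limit": over_port,
        "unassigned_devices": unassigned,
        "ok": not over_port and total <= switch.budget_w and unassigned == 0,
    }


# Constructed refresh plan: twelve Wi-Fi 5 APs that want a little more than
# PoE+ for full performance, plus two pan-tilt-zoom cameras drawing 75 W each.
DEVICES = [(f"ap-{i:02d}", 32.0) for i in range(1, 13)] + [
    ("ptz-cam-1", 75.0),
    ("ptz-cam-2", 75.0),
]

# Constructed switch profiles: one power supply with PoE+ on every port,
# versus dual supplies and 90 W ports.
SINGLE_PSU = Switch("24-port, single PSU", 24, 30.0, 370.0)
DUAL_PSU = Switch("24-port, dual PSU", 24, 90.0, 740.0)

if __name__ == "__main__":
    for sw in (SINGLE_PSU, DUAL_PSU):
        print(check_budget(sw, DEVICES))
    # Ties the per-pair current limits to the Type 3 / Type 4 power figures.
    print(loop_power_w(600), loop_power_w(960))
```

Against the single-PSU profile every AP and camera is flagged and the total exceeds the budget; the dual-PSU profile absorbs the same device list with headroom to spare.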

View the original post by Rick Freedman at the Ruckus Room.

Data Protection on Demand Helps Orgs with Cloud HSM, Encryption & Key Management, Finds Test

Thursday, December 13th, 2018

Data protection is more challenging now than it ever has been. The emergence of virtualization and cloud services, for instance, has made it difficult for organizations to uniformly safeguard their information across their IT environments. At the same time, companies must contend with advanced threats that continue to grow in number and sophistication.

Acknowledging these challenges, perhaps the best way that organizations can keep their information safe is for them to adopt a data-centric approach. This type of strategy involves companies using encryption that’s capable of providing persistent protection of sensitive data at all critical points in its lifecycle. Such protection is incomplete if organizations can’t use key management to create, distribute, store, rotate and revoke/destroy cryptographic keys as needed.

Digital security company Gemalto understands these benefits of encryption and key management. It also realizes that companies don’t always have the necessary budget or know how to buy, deploy and maintain hardware in pursuit of these security controls, and sometimes, even when they do, they choose not to because it’s not their core competency. Hence its decision to create SafeNet Data Protection On Demand, a cloud-based platform through which companies can click and deploy cloud-based HSM, key management and encryption services without the need for additional hardware, or expertise.

Gemalto has maintained from the beginning that SafeNet Data Protection On Demand can save customers time and money with its many features, which include the ability to set up a certified cloud-based HSM service and to digitally sign software and firmware packages or electronic documents. To prove this point, the security company decided to subject its solution to a rigorous review by IAIT Test Laboratory. Dr. Götz Güttich, a well-respected senior IT consultant and editor, led a team of German IT specialists in their analysis of SafeNet Data Protection On Demand.

For the review, Gemalto made available to the researchers a test account through which they could explore the solution’s functionality. Dr. Güttich and his colleagues used that account, in turn, to create several test users and activate various services to secure their test data. In particular, they directed their efforts towards evaluating the management and configuration of the solution’s six key services: “HSM On Demand for Digital Signing,” “HSM On Demand for Hyperledger,” “Key Vault/HSM On Demand,” “HSM On Demand for Oracle TDE Database,” “Key Broker On Demand for Salesforce” and “HSM On Demand for PKI Private Key Protection.”

In the course of their analysis, Dr. Güttich and his team did come across an issue in configuring the Certificate Authority under the “PKI Private Key Protection” service. The issue specifically involved selecting a Cryptographic Service Provider (CSP) from Gemalto from a corresponding drop­down menu. Gemalto worked with the researchers to provide support so that Dr. Güttich and his colleagues could proceed with their investigation. The security firm also revised its configuration tools in the meantime to permanently resolve the issue.

But that one bug didn’t detract from the research team’s overall impressions of SafeNet Data Protection on Demand. As it explained in its summary report:

With SafeNet Data Protection on Demand, Gemalto offers an exceedingly interesting service which has the potential to also make code signing, encryption and key management available to companies for which the necessary efforts and the associated costs had previously been too much. Users of this service do not need to purchase and administrate any special hardware, and all clients pay only for the services they actually use. SafeNet Data Protection on Demand can also be a big help toward achieving GDPR conformity (in the context of the “right to be forgotten”) because stored data and keys can simply be erased whenever desired.

The researchers went on to say that the solution was “comparatively quick to set up and relatively simple to use,” with Gemalto’s technical support “convincingly good.” This finding explains what Gemalto has known all along: SafeNet Data Protection on Demand provides companies with an easy-to-use and affordable option for fulfilling their encryption and key management needs.

Want more insight from Dr. Güttich and his team? You can read their findings in full in English.

View the original article at Gemalto.com.

Enhanced Network Security with Pulse Policy Secure and Palo Alto Networks Firewall

Thursday, December 13th, 2018


In today’s IT world, Internet and networking technologies have evolved to offer unprecedented services to end users. Billions of Internet of Things devices are being deployed across all industries, and this also means allowing access to important and confidential data and resources, which brings significant security risks to business IT systems.

Organizations need to implement solutions to address these challenges from a security standpoint, and the best way to eliminate every possible risk associated with technology is to bring the ecosystem together and interoperate. One such solution is our award-winning Pulse Policy Secure (NAC) integrated with the Palo Alto Networks Firewall.

Pulse Policy Secure provides a Network Access Control solution at an endpoint/user level and provides intelligent Identity-based access by quickly learning contextual data (endpoint IP address, User ID and User role) and shares this with Palo Alto Networks firewall to take appropriate actions to allow or deny access.

Pulse Policy Secure also provides enhanced network security to protect against vulnerable devices through alert-based integration with the PAN Firewall. Through this joint solution, organizations, users, and customers are protected from cyber threats.

In addition to the above integration, Pulse Secure offers a seamless secure access solution using session federation via the IF-MAP framework. Within an enterprise network, this is achieved by sharing session information across Pulse Policy Secure and Pulse Connect Secure using the IF-MAP protocol through an IF-MAP server. Once an end user connects remotely or locally to the corporate network and is authenticated by Pulse Connect Secure or Pulse Policy Secure, the federation, which requires Dynamic AUTH table provisioning on the PAN firewall, allows secure access to the protected resource based on the resource access policies configured on PPS.

Additional information on how to deploy and implement this joint solution is available at https://www.pulsesecure.net/techpubs/pulse-policy-secure/pps.

Check out these resources on our latest NAC release, Pulse Policy Secure 9.0r3:

Zero Trust Secure Access for The Smart Factory Floor Infographic

Pulse Secure Access for the Industrial Internet of Things (IIoT)

Pulse Secure Expands Zero Trust Security for IoT


View the original post by Pulse Secure.

Is Wi-Fi learning how to fix itself?

Tuesday, December 11th, 2018

It is hard to argue that Wi-Fi has not had a profound impact on human behaviour. As we consume more data, the humble Wi-Fi access point needs to evolve, not only through the evolution of Wi-Fi standards but also to self-optimize: to learn from its environment and make intelligent, informed decisions. It needs to intelligently select how best to use its many advanced feature sets in order to be more spectrally efficient and deliver the optimum performance for any given use case or application. Technical standards describe ‘what’ the AP can do, but it is up to vendors to be innovative about ‘how’ they build their solutions. The industry is now looking to Artificial Intelligence (AI) and Machine Learning techniques to gain an advantage.

One thing that is undeniable is the fact that Wi-Fi has become the de-facto technology that we cannot live without. Whether in the home or in the enterprise, a significant part of our daily experiences and productivity are delivered via Wi-Fi connectivity. People no longer ask, “do you have internet?” but “how do I connect to the Wi-Fi?”; its presence is assumed.

Wi-Fi Growth

With this growth in Wi-Fi usage comes an increase in wireless access points and devices that share a finite amount of radio spectrum. This, in turn, limits the ability of these networks to deliver the desired performance.

For IT teams, vendors have provided WLAN controllers, either physical or cloud-based, that provide ease of management and deliver basic fault-finding tools. However, configurations have been static, requiring IT teams to be proactive in finding and fixing problems that arise within the network. Furthermore, the complexity of Wi-Fi technology has led IT teams to require a high level of specifically skilled staff or rely on a trial and error approach to fixing wireless issues or optimize the network to the desired level. For the IT team, AI promises to reduce the reliance on human capacities and speed up the process of taking the right course of action.

Wi-Fi and Machine Learning

The Wi-Fi industry is embracing Machine Learning, or more specifically Deep Learning AI techniques. These take large datasets (Big Data) and use neural networks to simulate the human brain in order to classify data.

Luckily, Smart Wi-Fi networks can provide enormous amounts of data about their environment: everything from the type and capabilities of the devices connecting to the network, to the applications being consumed, to radio-specific statistics such as airtime utilization, signal-to-noise ratio, and latency. All of this can be harvested for Deep Learning. Data can be baselined for a specific network, anomalies analyzed, and resolutions either proactively given to the IT team or automatically applied by the network.

Wi-Fi and Crowdsourcing

Crowdsourcing anonymized data sets also allows a target network to benefit from problems and solutions that have been discovered in other systems. This allows vendor solutions to become more than the sum of their parts, effectively always learning from their customer base, who in return realize the benefit of a more effective network.

Conclusion

The evolution of Wi-Fi networks has enhanced self-organizing networks (SON), using AI techniques to learn about their individual environments, self-diagnose, self-heal and self-optimize their performance, ultimately requiring minimal intervention from the IT team.

View the original post by Kevin Francis, Solution Architect.

6 in 10 Consumers Feel Social Media Poses the Greatest Risk to Their Personal Data Security, Finds Survey

Tuesday, December 11th, 2018


Customer loyalty is more important than ever in the age of digital security. On the one hand, failure to disclose a data breach can adversely affect customers’ loyalty to an organization and send consumers running to its competitors. On the other hand, a transparent privacy policy, open communication channels and an accountable business culture can help companies boost their customers’ loyalty and retain more consumers in the event of a personal data security incident.

Organizations should use this dichotomy to evaluate the relationship between their digital security focus and their customers’ loyalty. But they also need to take into account larger industry insights. Knowing how consumers view digital security across different organizations and industries, for example, can help them build up their customers’ loyalty while avoiding costly reputational losses.

Businesses can gain this level of understanding from our “2018 Data Breaches & Customer Loyalty” report. We surveyed 10,500 consumers globally about their thoughts on customer loyalty with respect to businesses’ data security practices. Their responses revealed that organizations have ample room to improve their IT security practices and processes in accordance with their customers’ wishes.

Ranking the Security Risks

Our survey uncovered that respondents feel certain online activities are riskier than others. For instance, four in 10 consumers said that banking exposes them to the greatest amount of risk. Even more than that (52 percent) admitted a lack of complete confidence in the safety of online/mobile banking. By contrast, just 31 percent of survey participants asserted that online retail websites are the riskiest.

Overall, consumers felt that social media platforms constitute the greatest risk to personal data security at 61 percent. They maintained this viewpoint despite their decision to not take advantage of security measures offered by many social networking sites. As an example, Facebook, Twitter and similar portals offer their users the option of enabling two-factor authentication (2FA), but just a quarter of respondents told us that they had enabled the feature for their accounts.

First-Hand Experience with Data Breaches

Consumers didn’t arrive at the above viewpoints on their own. Many did so as a result of their first-hand experience with data breaches. More than a third (38 percent) of respondents said they had reason to believe that they had been victims of fraud involving their personal information. Slightly less than that said the same about their financial information and identity theft at 35 percent and 30 percent, respectively.

Given these experiences, many consumers aren’t optimistic about their data security going forward. Respondents interviewed in 2018 were more likely (38 percent) to believe they would fall victim to a data breach at any time. That’s more than the figures for 2017 (37 percent), 2016 (35 percent) and 2015 (27 percent).

A Call for Improved Online Security

Nearly all (93 percent) of the survey respondents also made clear that they would take or consider taking legal action against a company in the event they became victims of a data breach. This viewpoint highlights most consumers’ belief that organizations need to do a better job protecting their customers’ personal information. For example, seven in 10 respondents said that the responsibility for protecting and securing customer data falls onto the company, while 77 percent of participants told Gemalto that they’d like organizations to increase their online security.

Businesses have no choice but to improve their security if they want to address frustrated consumers who don’t believe the onus is on them to change their security habits. Social media sites in particular have a battle on their hands to restore faith in their security and show consumers they’re listening – failing to do so will spell disaster for the most flagrant offenders, as consumers take their business elsewhere.

Companies can respond by investing in security basics. These measures include encrypting customers’ personal information and implementing robust key management that can help protect those encryption keys against misuse. Also, companies should implement access controls to limit who can access customers’ data, thereby minimizing the risk of a data breach.

For additional insights into the relationship between customer loyalty and digital security, you can download the report or view the infographic.

View the original post by Gemalto.com.

Getting Wired for Wireless: Performance

Tuesday, December 11th, 2018

As we emphasized in our introductory blog about Switches and Robust Wi-Fi Deployments, an up-to-date switching underlay is a prerequisite for high-performance wireless access points (APs). Put simply, wired infrastructure needs to provide adequate speed at every connection to the switch: from the access points, across the uplinks to aggregation and core switches, and on to the cloud (or data center). This is because performance is only as fast as the weakest link. While fast access points are important, the full value of APs simply can’t be realized without an adequate underlying network. In an ideal network, all components – including the internet pipe – are well-matched to handle network traffic. A bottleneck at any point in the connection between a user and the cloud (or data center) will slow application performance and negatively affect the user experience.

Let’s take a closer look at the data flow. Beginning with user devices, the first wired hop is the connection from access points to switches. Over the past 5-10 years, most enterprise-class switches had 1-gigabit access ports to support access points up to and including Wi-Fi 4 (802.11n). The total throughput possible for a Wi-Fi 4 access point is below one gigabit per second, so connecting the AP to a 1-gigabit switch port was adequate. Anything faster wouldn’t have made any difference to performance, as the AP remained the limiting factor.

Wi-Fi 5 (802.11ac) Performance

Wi-Fi 5 (802.11ac) APs offer potential throughput of more than a gigabit per second. According to a recent Dell’Oro report (August 2018), almost all enterprise APs sold as of 2017 were Wi-Fi 5 models. This means a 1-gigabit access port is on the cusp of becoming the bottleneck for top performance. Indeed, the more recent Wi-Fi 5 Wave 2 APs are capable of achieving up to 2.3 gigabits per second, though the practical limit is a little lower. Ruckus lab tests confirmed Wi-Fi 5 Wave 2 throughput of one and a half gigabits per second, so a 2.5-gigabit port was sufficient to prevent the access port from being a bottleneck, at least for Wi-Fi 5 APs.

Wi-Fi 6 (802.11ax) Performance

However, next-generation Wi-Fi 6 APs (802.11ax) have already begun shipping, with IDC forecasting Wi-Fi 6 (802.11ax) deployment ramping significantly in 2019 and becoming the dominant enterprise Wi-Fi standard by 2021. This is because many organizations still find themselves limited by the previous Wi-Fi 5 (802.11ac) standard, especially in high-density venues such as stadiums, convention centers, transportation hubs, and auditoriums.

Wi-Fi 6 (802.11ax) access points (APs) deployed in dense device environments such as those mentioned above support higher service-level agreements (SLAs) for more concurrently connected users and devices – with more diverse usage profiles. This is made possible by a range of technologies that optimize spectral efficiency, increase throughput and reduce power consumption. These include 1024-QAM (Quadrature Amplitude Modulation), Target Wake Time (TWT), Orthogonal Frequency-Division Multiple Access (OFDMA), BSS Coloring and MU-MIMO. With the new Wi-Fi 6 (802.11ax) standard offering up to a four-fold capacity increase over its Wi-Fi 5 (802.11ac) predecessor, it is important to proactively eliminate potential bottlenecks at the switch by considering multi-gigabit ports.

Multi-Gigabit Switches for Wi-Fi 6

It should be emphasized that the transition to multi-gigabit switches to accommodate Wi-Fi 6 APs does not necessarily require a wholesale infrastructure upgrade. It can happen gradually by adding a few switches as needed. Furthermore, most multi-gigabit switches today include a mix of multi-gigabit and gigabit ports. Only those ports connected to 802.11ax (Wi-Fi 6) APs require multi-gigabit speeds, while the other gigabit ports are adequate for computers, printers, VoIP phones, cameras, and additional Ethernet devices.

Conclusion

To take full advantage of the speed performance offered by 802.11ax (Wi-Fi 6) APs (up to 5 gigabits per second), our customers have already begun installing multi-gigabit switches to either replace or supplement older infrastructure. This is because system administrators cannot ensure a quality user experience by simply upgrading one part (access points) of a network. Reaping the benefits of 802.11ax (Wi-Fi 6) requires upgrades on the switch side as well. From our perspective, the transition to multi-gigabit switches should start now. With the average life for a switch being 5-7 years (and up to 10 years for many educational institutions), the need for multi-gigabit connections will almost certainly be upon us within this timeframe.
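The weakest-link argument above, as an added example that is not part of the Ruckus post: it models the hops the post walks through (AP radio, switch access port, uplink), reports which one caps throughput, and goes one step beyond the post by aggregating several APs against a shared uplink. The Wi-Fi 5 Wave 2 and Wi-Fi 6 figures are the ones the post quotes; the Wi-Fi 4 value, AP counts and uplink size are constructed for illustration.

```python
"""Weakest-link check for the wired path behind Wi-Fi access points."""
from dataclasses import dataclass

# Practical per-AP throughput in Gbps. The Wi-Fi 5 Wave 2 (1.5, Ruckus lab
# result) and Wi-Fi 6 (5.0, upper bound) figures are the ones the post
# quotes; the Wi-Fi 4 value is a constructed placeholder that only has to
# sit below 1 Gbps, as the post states.
AP_THROUGHPUT_GBPS = {"wifi4": 0.9, "wifi5_wave2": 1.5, "wifi6": 5.0}


@dataclass(frozen=True)
class Link:
    name: str
    gbps: float


def bottleneck(path):
    """The slowest hop caps end-to-end throughput; ties go to the earliest hop."""
    return min(path, key=lambda link: link.gbps)


def ap_path(ap_gen, access_port_gbps, uplink_gbps=None):
    """Model the hops the post walks through: AP radio -> access port -> uplink."""
    path = [Link(f"{ap_gen} radio", AP_THROUGHPUT_GBPS[ap_gen]),
            Link("access port", access_port_gbps)]
    if uplink_gbps is not None:
        path.append(Link("uplink", uplink_gbps))
    return path


def access_port_is_bottleneck(ap_gen, access_port_gbps):
    """True when the switch port, not the AP radio, is the limiting factor."""
    return bottleneck(ap_path(ap_gen, access_port_gbps)).name == "access port"


def uplink_oversubscription(ap_gen, ap_count, access_port_gbps, uplink_gbps):
    """Aggregate AP-side load divided by uplink capacity for one switch.

    Each AP can push at most the lesser of its radio and its access port;
    with every AP busy, the uplink is the bottleneck once the ratio exceeds 1.0.
    """
    per_ap = min(AP_THROUGHPUT_GBPS[ap_gen], access_port_gbps)
    return ap_count * per_ap / uplink_gbps


if __name__ == "__main__":
    for gen in AP_THROUGHPUT_GBPS:
        for port in (1.0, 2.5, 5.0):
            flag = "PORT LIMITED" if access_port_is_bottleneck(gen, port) else "ok"
            print(f"{gen:12} on {port}G port: {flag}")
    # Constructed switch: 24 Wi-Fi 6 APs on 5G ports behind a 40G uplink.
    print("uplink oversubscription:", uplink_oversubscription("wifi6", 24, 5.0, 40.0))
```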

View the original post at the Ruckus Room.

Wi-Fi security issues – a 5 step guide on the Common Threats and how to manage them

Tuesday, December 11th, 2018

Today’s Wi-Fi networks are now often more secure than the typical wired network in the same building. That may seem like a bold opening statement, but it is frequently the case.

It is true that WLANs got off to a chequered start 20 years ago, with attackers finding ways around the early security procedures and protocols. In response, the industry devoted a great deal of effort and innovation towards making WLANs much more secure – and it succeeded. There are, however, still challenges in securing any network.

As we know, wireless “leaks out” into the surrounding environment, which means passers-by can see and attempt to connect to any network they choose, so we need to put steps in place to mitigate this threat. For wired networks, the traditional means of defense are physical: locks on the doors and containment of the cabling within the building. However, if a person with malicious intent gains physical access, perhaps through social engineering or tail-gating, a device can be connected and network access gained, which gives an attack the opportunity to commence.

So how have WLANs been addressing security concerns? What has the result of all that investment and innovation been?

Wi-Fi Security Methods

The Gold standard is the use of digital certificates. This method is preferable because, unlike user-created passwords, certificates are virtually impossible to replicate. However, it is also the most complex to deploy for the network administrator. Unless a user-friendly self-service enrolment system is used to automate the authorization, creation and distribution of certificates, secure WLAN setup for users can become a time-consuming task.

The Silver standard is username and password-based authentication, often linked to a user database such as Microsoft Active Directory. This works well, but network administrators need to implement it with care, making sure that proper server certificates are deployed so that users connect to a legitimate server, and that user passwords are suitably complex. Interestingly, both password complexity and frequency of change need not be as onerous as imagined and are well explained here.

We must accept that there will be a need to support some devices that cannot use the gold or silver methods. Such equipment often comprises devices that have crossed over from the home market to the workplace as digital transformation has taken hold: smart speakers, video streamers and casters, as well as other IoT devices. These are limited to Pre-Shared Key authentication; in the commercial world, the use of a unique static key per device, called Dynamic Pre-Shared Key (DPSK), provides enhanced security and limits the impact of a breach if one key is discovered.

2019 will see the introduction of a further security enhancement called WPA3. This new Wi-Fi security standard will replace WPA2, and improve the encryption strength and ease of setup of the methods discussed above.

Role Based Access – with a suitable WLAN infrastructure, the above access methods can map to user roles. Define what is allowed for a user type and apply rules accordingly. Roles provide a plethora of controls, from VLAN allocation, through to simple port and protocol-based firewall rules up to application-based recognition and control, including URL filtering.
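The tiered access methods and role mapping described in this post, as an added example that is not Neil Goddard’s code: a client’s authentication tier (certificate, credentials or DPSK) selects a role carrying a VLAN and default-deny port/protocol rules, and the simplified DPSK store shows the containment property of one key per device, where revoking a discovered key leaves every other device’s key valid. Role names, VLAN numbers, rules, MAC addresses and passphrases are constructed for illustration.

```python
"""Role-based WLAN access keyed on how the client authenticated."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    vlan: int
    allowed: frozenset  # (protocol, port) pairs the role firewall permits


# Constructed role mapping: the stronger the authentication tier, the
# broader the access. Names, VLANs and rules are illustrative only.
ROLES = {
    "certificate": Role("staff", 10, frozenset({("tcp", 443), ("tcp", 22), ("udp", 53)})),
    "credentials": Role("contractor", 20, frozenset({("tcp", 443), ("udp", 53)})),
    "dpsk": Role("iot", 30, frozenset({("tcp", 443), ("udp", 123)})),
}


class DpskStore:
    """Simplified DPSK model: one static key per device MAC.

    Real DPSK binds the per-device key into the WPA2 handshake; the point
    modelled here is containment: revoking one discovered key leaves every
    other device's key valid.
    """

    def __init__(self):
        self._keys = {}  # device MAC -> passphrase (constructed sample data)

    def enrol(self, mac, passphrase):
        self._keys[mac] = passphrase

    def revoke(self, mac):
        self._keys.pop(mac, None)

    def authenticate(self, mac, passphrase):
        expected = self._keys.get(mac)
        return expected is not None and hmac.compare_digest(expected, passphrase)


def assign_role(method: str, authenticated: bool) -> Optional[Role]:
    """Map a successful authentication tier to its role; failures get no role."""
    return ROLES.get(method) if authenticated else None


def permit(role: Optional[Role], proto: str, port: int) -> bool:
    """Role firewall: default deny, allow only the listed protocol/port pairs."""
    return role is not None and (proto, port) in role.allowed
```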

View the original post by Neil Goddard.

Gemalto unveils industry’s first cloud access management and single sign on solution enhanced for smart card users

Tuesday, December 11th, 2018

Gemalto has announced the launch of an industry-first solution that will enable organizations which have invested in Public Key Infrastructure (PKI) security applications to leverage their investment without compromise on security or user experience when moving to the cloud. Through SafeNet Trusted Access, security-sensitive organizations whose employees log into enterprise resources with smart cards can use those same credentials to access cloud and web-based apps and benefit from single sign on (SSO).

Up until now, PKI hardware’s limitations meant companies could not adopt cloud and mobility projects without having to completely ‘rip and replace’ their current security framework. As a result, companies have been using smart cards and tokens to allow their employees to authenticate themselves while accessing corporate resources, but this was limited to activity within the enterprise perimeter. In addition, companies that use PKI credentials for email encryption and digital signing have also been limited to on-premises environments.

This new offer from Gemalto enables employees and organizations to benefit from SSO and high assurance PKI-based authentication, making it easier and more secure to access cloud and web-based apps and resources from wherever and on any device. Employees will no longer have to re-authenticate each time they access a resource with their smart card, while enterprises maintain high assurance security when needed. In addition, Gemalto will help users access PKI applications from new environments, including mobile devices and virtualized desktop environments (VDI), and use PKI credentials for security applications including digital signing and email encryption.

“As much as cloud computing is recognized for its many benefits, the reality for most firms is that they will be operating in a hybrid environment for years to come,” said Garrett Bekker, Principal Security Analyst at 451 Research. “By enabling firms to extend their existing PKI investments to cloud and web-based resources, SafeNet Trusted Access can help firms build on their existing security frameworks to accelerate their digital and cloud transformation.”

Gemalto is offering different ways to build on current PKI investments, so that companies can embrace digital transformation without compromising on security.

  • Enabling cloud transformation: Organizations can extend PKI credentials to access policies, allowing CISOs to maintain security in the cloud by triggering the use of step up PKI-based authentication to cloud and web-based apps when needed
  • Facilitating mobility: Employees can access enterprise applications within virtual environments with their PKI credentials. This means that employees and consultants will be able to perform all the same actions they would normally perform with a smart card, with a virtual smart card.

“With the rapid development and adoption of cloud services, many organizations are struggling to balance their digital transformation projects with the need to keep themselves secure,” said Francois Lasnier, senior vice president of Identity and Access Management at Gemalto. “For organizations that are using high assurance PKI deployments for an added layer of security, our SafeNet Trusted Access solution makes it easier for them to expand into the cloud, virtual desktop infrastructures and mobile devices easily and securely, without putting themselves at risk. Our solution enables companies to allow their employees to operate as normal, while introducing them to the benefits of cloud, mobility and SSO.”


View the original article at Gemalto.com.