By Matias Katz, CEO, Byos
A great deal of emphasis has been placed on the use of VPNs to help provide safe, secure connectivity during this historic COVID-19 crisis and the massive move to working from home that has resulted.
However, VPNs are not a definitive answer for secure connectivity; the major problem lies with the nature of home Wi-Fi, and with threat vectors that VPNs can’t address. VPNs encrypt data in transit, but they don’t isolate the device from the network. This means that corporate devices are still exposed to threats, even when using a VPN.
The Risks of Home Wi-Fi Networks
Wi-Fi networks, whether in public or private, are by their very nature dirty, and home Wi-Fi networks are no different.
There are often 10 or more unmanaged devices connecting to the average home Wi-Fi network, such as personal laptops, cellphones, gaming consoles, and home IoT devices. Home internet usage compounds the risk because family members often unwittingly helping bad actors: gamers may download malicious executables, teens are known to visit risky sites, and many family members don’t understand the risks of spam, unable to spot the difference between real and fake apps and emails.
Each of these devices represents an entry point for attackers, and threat actors know this. They understand that WFH employees are unprotected by centralized enterprise security stacks. Once a bad actor has gained access to an edge device on the home network, they can go undetected, moving laterally across the network to the end goal: the company’s corporate devices and data.
With the millions of additional points of remote access now in use, threat actors will be scanning more often, leading to more brute force attacks and more lateral movement. Security teams quickly need to find an alternative method for securing WFH Wi-Fi connections.
Shoring Up Home Defenses:
Work from Home (WFH) is a viable alternative for many companies, but unfortunately, IT teams weren’t ready for the inherent risks and implications that home Wi-Fi networks pose.
Organizations have no visibility or control over these home Wi-Fi networks and therefore cannot trust them.
Home Wi-Fi hygiene can be improved by regularly changing passwords for Wi-Fi networks, changing the default router password, creating a guest network, and keeping router’s firmware up to date. However, even with those steps, risks persist for organizations with WFH employees because enforcement is impossible, meaning the organization will never achieve full compliance. These steps also don’t solve the gap in protection left by VPNs
Organizations need to find an easier, enforceable way for securing WFH employees.
Extending Zero Trust Access to Any Remote Wi-Fi Connection
The assumption that all networks are dirty is fundamental to any effective remote work security strategy such as Zero Trust. The best way to ensure that a home worker doesn’t corrupt the corporate network or otherwise expose key assets is to isolate their devices from their untrusted home Wi-Fi networks. In essence, this means micro-segmenting the remote device and creating a network of one. This step extends Zero Trust access to any remote Wi-Fi network connection.
The Center for Internet Security’s Wireless Access Controls recommends users “Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.”
That’s what endpoint micro-segmentation achieves: the employee’s device is physically isolated from the rest of the home Wi-Fi network, with plug and play USB hardware that delivers a “micro-segment of one.” This approach protects the individual’s device and the organization’s network from the various home Wi-Fi borne threats that security software doesn’t address.
Compliance Assurance: Endpoint micro-segmentation gives security administrators real-time security policy enforcement capabilities and proof of compliance over devices connected to uncontrollable Wi-Fi networks.
This new approach is easy to deploy, provision and manage security in WFH environments. The only other fully secure current alternative – installing network security gateways and cloud controllers on every remote employee’s home Wi-Fi network for traditional network segmentation – is impractical and unrealistic.
Now more than ever before, organizations must make working from home frictionless and secure. Endpoint micro-segmentation is a practical, painless, plug and play way to home Wi-Fi security gaps.
About the author
Matias Katz is the founder and CEO of Byos. Matias has 15+ years of experience in Information Security. He founded his first company (Mkit) in 2008, which provided defensive and offensive security solutions. Matias is an official CISSP instructor. He has presented his research at Cybersecurity conferences around the world and has a TEDx talk. He is a published author – “Redes y Seguridad” (Networking and Security) and founded an international Hacking conference, Andsec, hosting 1500 attendees during its final edition in 2017.
Madison Alexander PR