By Pieter du Plooy, Manager of ICT Infrastructure at Sol Plaatje University
In the modern enterprise or organisation we need to connect our users securely to the resources they depend on. To accomplish this, we first need to look at the challenges we face when connecting people to things.
In today's world it has become commonplace for users to reach organisational resources from their own devices. These devices include laptops and mobile phones, but also IP cameras, printers and more.
The organisation faces a twofold challenge: letting the end user connect securely, and making sure the data they reach is itself protected. BYOD (Bring Your Own Device) is here to stay, and to ensure that users can bring their own devices without weakening security, we need to look at a number of things.
1. Connecting securely to a network
Organisations can use IEEE 802.1X, port-based network access control, to let users connect their devices securely. The device (the supplicant) must authenticate, normally via EAP to a RADIUS server, before the switch or access point forwards any of its traffic, so only authenticated users and devices are actually allowed onto the corporate network. Once the identity of the user or device is known, the configured policy (for example a VLAN returned by the RADIUS server) places it in the appropriate network.
Users who work remotely can connect to an organisation's resources over a VPN. Even when working from home, users are encouraged to use VPN software on untrusted or public networks so that their traffic is encrypted in transit and cannot be read on the local network.
Organisations and end users should use a firewall to protect their internet access. Firewalls protect organisations and users from attackers who wish to reach corporate or personal endpoints: they drop unsolicited inbound connections and can restrict what is allowed to leave. The firewall is your corporate network's, or your home computer's, defensive perimeter.
A VPN and a firewall alone are not always enough to secure a user's access to a network. So how do we ensure that authentication over any network is done securely? Authentication involves a user sending their credentials, typically a username and password, across a public or private transport medium to the destination network, where they are verified. Those credentials must travel inside an encrypted channel (TLS, or the EAP tunnel used by 802.1X); otherwise anyone able to observe that medium can capture them.
2. Secure Authentication
When users connect to an organisation's network or to a public network, there is a risk that their credentials become compromised. Users therefore need strong passwords: at least 8 characters (the minimum in NIST SP 800-63B; longer is better), mixing letters, digits and symbols, and not a password that has already appeared in a published breach. Even a strong password does not by itself make authentication fully secure: it can still be phished, guessed, or captured on a compromised device.
So what happens when a strong password is not enough? The answer is Multi-Factor Authentication (MFA), of which Two-Factor Authentication (2FA) is the most common form. The user enters a password and then completes a second, independent step: a code from an authenticator app on their mobile device, a biometric scan, or a physical security token. An attacker who holds only the password is still locked out.
Whether you are a corporate user or using your devices for personal purposes, MFA can secure access to your applications. On your mobile device you can, for example, install an authenticator app and use it as an additional layer of security when accessing data. But what about the security of the device itself? How do we know that the device we are using is actually safe to use?
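As an added example, not code from the original article: a small password policy check that applies the length and composition rules above and, additionally, rejects passwords already seen in a breach. The breach lookup is done the way the Pwned Passwords range API is queried, by the first five hex characters of the password's SHA-1, so the password itself never leaves the client; the breach table below is a constructed stand-in for that service, built here from a handful of well-known leaked passwords.

```python
import hashlib
import string
from typing import Dict, List, Set

MIN_LENGTH = 8  # the article's floor; also the NIST SP 800-63B minimum


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus (assumption for this example).
# Keyed like the Pwned Passwords range API: the first five hex characters of
# the SHA-1 map to the set of matching hash suffixes, so a client can check a
# password without sending the password, or even its full hash, anywhere.
BREACHED_RANGES: Dict[str, Set[str]] = {}
for _leaked in ("password", "Password1!", "qwerty123", "letmein"):
    _digest = sha1_hex(_leaked)
    BREACHED_RANGES.setdefault(_digest[:5], set()).add(_digest[5:])


def lookup_range(prefix: str) -> Set[str]:
    """Stand-in for the network call: suffixes known for a 5-char prefix."""
    return BREACHED_RANGES.get(prefix, set())


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in lookup_range(digest[:5])


def check_password(password: str) -> List[str]:
    """Return the reasons a password is rejected (empty list = acceptable)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_symbol):
        problems.append("needs a mix of letters, digits and symbols")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "short1!", "Tr0ub4dor&3", "Password1!"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that "Password1!" satisfies every composition rule and is still rejected, because it is in the breach table: a leaked password is weak no matter how it looks. The composition rule is the article's; current NIST guidance puts more weight on length and breach checking than on character classes, and a long lowercase passphrase would fail this check as written.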
3. Securing your devices
Even though users can connect securely using 802.1X, VPNs, MFA and so on, there is still the risk that the device itself is compromised. Every day people use the Internet to access various resources and copy files from one device to another, often with little regard for how safely these actions are performed. An unsuspecting user could click on a malicious link on a website and suddenly find that their device is infected with malware.
Endpoint devices must be secured with an endpoint security product. In an organisation these endpoints are usually centrally managed, so administrators can identify vulnerable or infected endpoints and take action. A capable endpoint protection suite should prevent the exploitation, infection or tampering of connected devices; keeping the operating system and applications patched closes the vulnerabilities that such attacks rely on. Once we have secured our devices, how do we protect the confidentiality of our data?
4. Securing your data
When storing sensitive data on an endpoint, it is vital to store it securely and protect its confidentiality. Data encryption serves this purpose: if a laptop or drive is lost or stolen, encrypted data stays unreadable without the key. Several products on the market specialise in encryption, and most operating systems ship with built-in full-disk encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux). External storage devices, which are carried from place to place and easily lost, should be encrypted as well.
We have seen how users can protect their endpoints in many different ways, whether this is taken care of by an organisation’s administrator or by the user on their personal devices at home.
In summary, endpoints can be protected in a number of ways and these methods should be used together to increase security:
- Secure connections: 802.1X on the corporate network, a VPN when off-site, and an active firewall on the device.
- Secure authentication with strong passwords and Multi Factor Authentication.
- Secure devices using endpoint protection suites for anti-virus and anti-malware.
- Securing data on devices using data encryption software.
About the author
Pieter du Plooy
My name is Pieter du Plooy. I was born in Krugersdorp and raised in Kimberley. I have approximately 20 years of experience in the I.T. field. After graduating, my first job was a non-I.T. related position as a logistical consultant for Accenture. I was subsequently employed as a full-time facilitator and Head of I.T. at my alma mater until 2008. Since 2008, I have held several positions as network engineer and network administrator, and I am currently Manager of ICT Infrastructure at Sol Plaatje University.
Also this year, GÉANT joins the European Cyber Security Month with the 'Cyber Hero @ Home' campaign. Read articles from cyber security experts within our community and download resources from our awareness package at https://dev.connect.geant.org/csm2021