Chieh Chin Lin

September 11, 2017

How to Plan the Configuration of Cybersecurity Products

With the rapid development of cloud services and mobile devices, industries of every kind, including those unrelated to information technology, have become inseparably dependent on information systems and networks. Many enterprises have transferred part or all of their services to the cloud, for the convenience of remote workers and mobile devices.

The cybersecurity threats faced by enterprises are greater than ever before. Any information security incident can cause huge operational losses. Facing these challenges, enterprise IT teams should plan their solutions as soon as possible.

IT administrators go up against these threats by deploying the appropriate solutions. However, the catch comes during configuration, where one careless mistake could open a loophole in an otherwise airtight protection mechanism.

Luckily, the solution isn’t rocket science. Let’s think about it in terms of “device”, “identity” and “service”.

For example, how should we plan the settings when an enterprise uses Pulse Connect Secure to provide its staff with remote access to the data center?

Device:

First, devices are inspected by host checker. Those that fail to meet the security requirements are not allowed to log on to the VPN. Examples of remedies are installing the newest critical and security patches, and anti-virus software with the latest virus-scanning engine and virus definitions.

Identity:

Identities are usually verified through account names and passwords, yet a password can become known to someone else and be used to log in. Two-factor authentication such as Time-based OTP can therefore be added, or users can be identified and logged in with certificates.

Service:

Employees are divided into their appropriate subgroups, and each subgroup can be set to access the appropriate resources based on its role. For instance, when the staff of the operations department log in, only the systems of the operations department are accessible to them.

Once we’ve considered all three aspects of device, identity and service, we can figure out the internal usage scenarios of the enterprise. The same method can be applied to other products, or the usage scenario can be worked out first, before committing to an appropriate solution. This way, we can maximize the effectiveness of security products and have a more comprehensive defense, thus reducing cybersecurity threats and preventing attacks against our enterprises.
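The three checks can be modelled as one default-deny access decision. The sketch below is an added example, not Pulse Connect Secure configuration or code from the original post; the `Device` fields, the role-to-resource table and the three-day anti-virus threshold are assumptions made for illustration, and the OTP step follows RFC 6238.

```python
import base64, hashlib, hmac, struct
from dataclasses import dataclass

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 time-based OTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Device:
    patches_current: bool        # newest critical and security patches installed
    av_installed: bool
    av_definitions_age_days: int

# Constructed policy values (assumptions), not taken from any product.
MAX_AV_AGE_DAYS = 3
ROLE_RESOURCES = {"operations": {"ops-portal", "ops-db"}, "finance": {"ledger"}}

def device_ok(dev):
    return (dev.patches_current and dev.av_installed
            and dev.av_definitions_age_days <= MAX_AV_AGE_DAYS)

def identity_ok(password_ok, secret_b32, otp, now):
    # Accept the current and previous 30 s window to tolerate clock drift.
    otp_ok = any(hmac.compare_digest(totp(secret_b32, now - 30 * k), otp)
                 for k in (0, 1))
    return password_ok and otp_ok

def decide(dev, password_ok, secret_b32, otp, role, resource, now):
    """Return (allowed, reason); every check must pass, unknown roles get nothing."""
    if not device_ok(dev):
        return False, "device"
    if not identity_ok(password_ok, secret_b32, otp, now):
        return False, "identity"
    if resource not in ROLE_RESOURCES.get(role, set()):
        return False, "service"
    return True, "allow"

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test key, base32
    laptop = Device(True, True, 1)
    print(decide(laptop, True, secret, totp(secret, 59), "operations", "ops-db", 59))
    print(decide(laptop, True, secret, totp(secret, 59), "operations", "ledger", 59))
```

The returned reason names the first dimension that failed, which is the value worth logging when reviewing why a remote session was refused.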


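With the rapid development of cloud services and mobile devices, every industry, including those unrelated to information technology, has become inseparably dependent on information systems and networks. Many enterprises have already moved part or all of their services to the public cloud and have begun to take advantage of the convenience of mobile devices, so that much business can now be done on a phone. This also means that enterprises face more numerous and more wide-ranging security threats than before, and with the slightest carelessness a security incident can even cause operational losses. Facing these challenges, enterprise IT needs to think early about how to address them.

When facing such challenges, most IT teams deploy solutions to fend off the threats. During deployment, however, they often run into one problem: they do not know how to plan the settings, and fear that a single oversight will give attackers an opening and turn the security appliance itself into a vulnerability. Below, we use a simple approach to show you how to solve this.

Think in terms of “device”, “identity” and “service”

Taking an enterprise that uses Pulse Connect Secure to give employees remote access to the data center as an example, how should the settings be planned?

Device:

First, devices that do not meet the security requirements are barred from logging in to the VPN. This can be checked with host checker, for example by requiring that the latest critical and security patches are installed, and that anti-virus software is installed with both the scanning engine and the virus definitions at the latest version.

Identity:

Identity is normally verified by entering an account name and password, but a password may become known to someone else and be used to log in. A second authentication factor such as Time-based OTP can be added, or certificates can be used for identification and login.

Service:

Each employee belongs to a different unit and uses different systems. Each system can be configured as a separate resource profile, so that when business department employees log in, they are allowed to use only the business department's systems.

By thinking along these three dimensions of device, identity and service, the usage scenarios inside the enterprise can be identified. In the example above, for instance, replacing employees with partners or guests produces a different scenario, and the settings can be planned accordingly. The same method can be applied to other products, or used to first identify the usage scenarios and then choose a suitable solution. In this way, security products can deliver their maximum effect, providing a more comprehensive defense, reducing security threats and keeping attacks outside the enterprise's door.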
