By Scott Gordon

We’re living in a complicated time right now in terms of enabling a mobile workforce, securing endpoint devices and protecting access to sensitive corporate and consumer information. On one side of the equation, organizations are moving data into the cloud – public, private and Software as a Service (SaaS). On the other side, we’ve got the consumerization of IT with a big shift in the mobile endpoints and Internet-connected devices users are employing to access that data. The challenge becomes “How do we consistently enforce secure access policy, without negatively affecting usability and end user productivity?”

To put it another way, how can we protect the connection while adding fidelity to make informed decisions and have audit records showing that we’re following policy? This is one of the problems Pulse Secure is solving. Our role is to have the IT organization focus on how they can fortify new business initiatives and a mobile workforce, while extending protected and authenticated access from the endpoint of the user to the resource, in a way that preserves usability and enforces compliance.

This is a big issue if you’re a regulated business that wants to provide access to certain applications and information but doesn’t physically own the endpoint or wants to ensure specific use of corporate-provided devices. Could that device be misconfigured, introduce ransomware, inadvertently offer an unsanctioned app, or be susceptible to unauthorized access and data loss? How do you ensure that the right person gets access to the right information, that the communication session is protected and that user’s device is secure?

How do you ensure that the right person gets access to the right information, that the communication session is protected and that user’s device is secure?

If a company provides access to personal customer information through a critical application that resides with a cloud service provider, you may require that user identity and device security state be verified and that a Secure Sockets Layer virtual private network (SSL VPN) connection needs to be enforced whenever that application is used. At the same time, you want the mobile user to be redirected seamlessly to specific resources, but have the policy centralized, tracked and applied, regardless of user’s device of choice.

Our Pulse Connect Secure product can ensure an always-on virtual private network (VPN) connection or application-specific protected connection. In addition, our host checking functionality verifies that the endpoint is running certain applications and has up-to-date defenses, from antivirus to a personal firewall. We can check that corporate-owned devices have endpoint management software that is installed and active. We can even invoke remediation, such as triggering Microsoft SCCM, to remediate that endpoint. We let you define an endpoint compliance policy down to that level – the user identity, the group, the required device security state and response – depending on the scenario of what type of resources are to be accessed.

Pulse Secure ultimately provides organizations extensive visibility into users and devices to allow IT to make informed decisions and mitigate risk. Once you have this intelligence, you can align business requirements to security requirements, allowing you to preempt the impact on users. You can define the extent of user authentication, device inspection, endpoint compliance requirements and action that would be taken depending on the role and endpoint security state – whether the resource being requested is on the corporate network, in a private cloud or being served by a third-party SaaS application. They can be set up relative to the role of user and the information they want to access. These policies can be phased-in and matured as needed.

A Secure Access policy is typically based on who you are, what group you belong to, what kind of device you have, potentially your location, what resource you’re attempting to go to, the security state of your endpoint and the operational control over the endpoint. All those things can make up a compliance policy that can be triggered as soon as someone attempts to access a resource, whether they are remote or on a corporate network. The policy can also impose different access security conditions if the application or information is in a corporate data center or cloud-based. They key is to enable policy management that can consistently delivered across different user types, computing devices, applications and network resources.

A Secure Access policy is typically based on who you are, what group you belong to, what kind of device you have, potentially your location, what resource you’re attempting to go to, the security state of your endpoint and the operational control over the endpoint.

Pulse Secure achieves this for our customers by using open standards and proprietary methods that facilitate interoperability with a broad array of network, security and cloud-based operating environments. Imagine a remote user requires going to certain corporate applications and a few web applications hosted in a public cloud, the user would only need to authenticate once through our Pulse Secure client for all their access needs. We can use Security Assertion Markup Language (SAML) protocol to federate and facilitate the authentication of that user to that cloud application. Our systems also work with commercial and government issued two-factor authentication systems to enable stronger, identity assurance.

Using standards, we can also ensure that non-employees attempting to access network resources, say through wireless controller, will also be managed. You can have visitors and contractors under specific guest policies where they have restricted access, if that’s the policy you define. For instance, a contractor could have restrictions on specific resource access that they need, set up in advance by an authorized employee sponsor. At the same time, general visitors can request access through a captive portal, where they will be put into a guest virtual LAN (VLAN), to segregate the employee network. This automated process to identify, classify and segregate guest users and their endpoints according to policy is also applied to unknown, internet-connected devices as a means of Internet-of-Things (IoT) security.

Secure access capabilities can also be applied to state and federal government to meet their requirements. We’re used by some of the largest cities, where public servants may need to access resources to look up sensitive information or take tactical activities. Our systems are protecting access and securing the transmission. Another use case applies to discretionary access provision. A visiting federal service agent might require temporary, restricted access to a state or local municipality network resource during a local emergency. These are examples of enabling civic-ready secure access. It’s the ability to have multiple layers of policy from least to most restrictive and be able to activate and enforce that policy as needed.

In a military context, there is even more stringent security, resiliency and integration requirements. The policies are similar, however, in cases where you have multiple entities that are working as coalitions to carry out missions, which is where visibility, availability and response is crucial and interoperability comes to bear. This requires workflow management and secure access orchestration that combines strong authentication, endpoint security assurance, access enforcement, granular policy management, dynamic control application, operational visibility and automated response capabilities. In these situations, usability is about a lot more than just end user experience. Usability might mean the difference between life and death if participants can or cannot easily access the data they need to do their jobs.

IT organizations need operational visibility and the means to assure appropriate and protected resource and data access. Enforcing a security policy without negatively affecting user productivity requires a careful balancing act of process and technology. We provide the platform to allow organizations to gain and leverage secure access capability, while preserving user experience.

Scott Gordon is the Chief Marketing Officer at Pulse Secure

By Scott Totzke, CEO & Co-Founder, ISARA Corporation

The dawn of the quantum computing era promises to fundamentally change the way we approach big problems – from researching cures for cancer to alleviating traffic in urban centers. But – and this is a very significant but –  large-scale quantum computing also has the potential to create catastrophic problems if we don’t take steps now to ensure that data such as financial transactions, medical histories and government records are protected with quantum-safe encryption.

One of the great accomplishments of the modern computing era is the ubiquity – and relative invisibility – of data security. Most of us communicate, transact business and share vital information without fear that the information will be compromised. Data security and encryption are seamlessly built into nearly every technological device at our disposal and we don’t even have to think about when encryption is happening.

A large-scale, general purpose quantum computer is expected to break today’s encryption with ease.

Although it’s estimated that large-scale quantum computers are seven to 10 years away from being powerful enough to break through current encryption standards, companies and governments are running out of time to prepare their networks and data from the quantum threat. This poses challenges for network administrators, executives and corporate boards – not to mention medical providers, military strategists and world leaders.

The reason is simple: Complexity. Today’s global networks are so interconnected that ensuring the security of data against a quantum threat requires a holistic approach that involves software vendors, hardware makers, customers and partners at virtually every level of the computing stack.

Ask a Chief Technology Officer or Chief Information Officer how long he or she needs to successfully implement even a relatively modest system upgrade and it’s almost always months or years rather than days or weeks. Taken on their own, the systems that manage identity and security for everything from online purchases to connected cars are complex, but when we see them becoming increasingly connected to each other the complexity gets even more significant.  This level of connectivity and interdependency underscores just how much of a security threat advances in quantum computing will pose to our existing infrastructure. Collectively, the technology industry has never faced an upgrade cycle this complex. Quantum is exponentially more complex than anything we’ve undertaken and the stakes are infinitely more significant.

For example, the quantum threat will almost exclusively be executed at the level of a hostile nation-state simply because large-scale quantum computers are bulky, expensive and, outside of North America, largely funded by foreign governments. We’ve all seen the damage smart, but loosely organized hacker groups can cause today by accessing Social Security numbers or other customer data. And with the last US presidential election, we caught hints of what organized cyberattacks by nation-states can look like even without piercing encrypted secrets.

These adversaries don’t mind playing the long game. We’re already witnessing instances of nation-states maliciously harvesting encrypted data that they plan to decrypt later with a quantum computer – essentially putting data confidentiality at risk within a decade. Top secret military and government files have at least 20-year privacy requirements.

Similarly, auto manufacturers that increasingly incorporate software in their vehicles are today putting in showrooms cars that will receive over the air software updates. Those cars still will be on the road when large-scale quantum computers arrive and those computers will be capable of compromising software updates.

The question security and risk management leaders need to ask themselves is how long it will realistically take to migrate to a quantum-safe environment. Getting to that answer and helping corporate or organizational leadership embrace it requires understanding a few key factors:

• Where does encryption reside in your stack? Cryptography has become so ubiquitous that many security leaders don’t even know the distinct points at which they might be vulnerable. RSA, the current standard, has been around for decades – in many cases as long as an IT manager has held the position – and few technology leaders have even had to contemplate an entirely new approach to encryption. Only recently did the National Institute of Standards and Technology recommend moving to crypto-agility, the ability to quickly switch out cryptographic algorithms. Migrating a system to a quantum-safe state can’t be started until you understand exactly where it’s vulnerable.
• Which partners and vendors do you rely on for systems or parts? After understanding the vulnerability points, many organizations will have to work with their vendors and partners to ensure the entire chain is quantum-safe. For example, a smartphone manufacturer installing a quantum-safe chip into new devices would need a chipset vendor that could produce a chip with quantum-safe cryptography embedded. That could take the chipset vendor three to five years to develop. Then it could take another two to three years to incorporate it into new products and manufacture them.
• How adept is your organization at dealing with even routine changes? Every organization has its strengths and weaknesses. But few excel under haste. As the points above illustrate, preparing for a quantum threat requires a level of detail and planning many managers will find unprecedented. Understanding how an organization handles routine tasks such as updating things like access key cards tells you a lot of about your readiness for the task ahead.

No matter how prepared we think we are for the quantum era, it’s safe to assume it will be upon us before we currently estimate. Such is the history of technology. Two decades ago, the very notion of quantum computing seemed like a dream. Five years ago, it was viewed as utterly impractical. Today, separate teams around the world are on the cusp of achieving quantum supremacy – representing the first time a quantum computer will solve a problem that current supercomputers can’t.

That’s a major milestone. It should also be a wake-up call.

Global preparation to mitigate the threats posed by large-scale quantum computers will be extensive. And while we may not be able to pinpoint a specific date, we can say that the need to address this problem is an absolute certainty. Will we be ready? The time to start preparing is now.

Scott Totzke is Chief Executive Officer of ISARA Corporation, a Waterloo, Ontario-based security solutions company that offers companies and government agencies quantum-safe products and implementation tools.

Would You Buy a Car with No Brakes? Me, neither. Yet, if we take a hard look at the many types and layers of digital technology that affect our lives, we might see how out of control we truly are. Take your average smart phone. It’s likely to be manufactured in a country the US considers a global strategic adversary. Its circuitry and software contain hidden code, installed at the behest of their intelligence service, that spies on us. In a cyberattack, this code can render the device useless. When it works, the phone connects to networks that are built using equipment made in this same adversarial country. They’re easily hacked. The phone can access corporate and government systems that, as most security managers know, have already been infiltrated by malicious actors.

This is just one example. Our lives are so dependent on digital technology we have stopped even thinking about it. Perhaps we never thought about. We should. Digital technology either runs or has decisive influence over our electrical power supply, food supply, healthcare, financial systems, government, businesses, transportation systems, law enforcement agencies, military and intelligence services. Digital software and hardware are embedded in cars, medical equipment, tools, planes and on and on.

It’s all very slick. It makes our lives easier. It’s also extremely vulnerable to disruption. Our entire reality can easily be thrown into unimaginable, fatal chaos. The risks are far more serious than a simple data breach or loss of service. It may sound hyperbolic, but the survival of our entire society and way of life is at stake. Who’s in control? No one. The current, well-intentioned practices known as “Information Security” or “Cyber defense” are inadequate to mitigate the systemic risk we face.

The increasing tempo and severity of cyberattacks reveal the deficiency of current cyber defenses. These deficiencies exist despite the investment of money and expertise by some of our greatest minds. At the same time, newly exposed cyber vulnerabilities, such as the potential for the power grid to be destroyed by hacking, suggest that we have barely begun to confront what are truly existential threats.

To prevent cyber-borne disaster, the time has come to develop a higher level, more holistic set of rules—a Cyber Policy—that unifies the security and use of digital technology by business, consumers, government, military, media and beyond. We need a high-level, holistic set of rules to govern the pervasive computing systems that run virtually every aspect of modern life.

Getting to such a Cyber Policy would be a Herculean task, but one that must be attempted nonetheless. The underlying challenge will be to get key stakeholders to recognize that organizations, leadership and rules are equally, if not more important that technologies in addressing cyber risks. If agreement on this principle can be reached, then the truly hard work begins.

At a high level, forming Cyber Policy requires conversations among thought leaders from across the technology spectrum regarding what Cyber Policy should embody and how it should be developed. There is a need for a governing body to coordinate policy setting, with commitments to operationalize policies across corporate, legislative and public-sector entities. This body must address the technological aspects of cyber policy implementation – how tooling, standards and frameworks can come together to define and enforce Cyber Policy. It must also deal with organizational and Legislative aspects of Cyber Policy. There have to be “teeth” in Cyber Policy. Voluntary frameworks are, by definition, ineffective in the modern world. Cyber Policy must be real and enforceable.

Cyber Policy presents a leadership challenge. Is the United States up to the job? Can it afford not to be?