Strengthen endpoint data protection for your remote workforce
It is clear that remote workforces are here to stay. The pandemic has succeeded in upending several deep-rooted assumptions about work, productivity, and collaboration. While some businesses have allowed employees to work from home indefinitely, several are also allowing employees the flexibility to work from home if or when they wish to. It is a changed world.
The switch to remote working has not been without its challenges. Traditional security models revolved around what is called “perimeter security”. The idea is to strengthen your perimeter or boundary – the implicit assumption being anything outside the boundary is untrusted, but what’s inside is automatically trusted. A lot of network security tools such as firewalls and proxies have always operated to support this security model.
The sudden shift to remote work has knocked these assumptions over and opened up several security challenges. Business users and their endpoint devices (desktops, laptops, MacBooks etc.) used to be considered low risk from a security standpoint because they spent most of their time inside the “safe” perimeter. Now they don’t, and that has heightened concern in security teams about employees and their devices. Business users and their endpoints are suddenly working in unsupervised environments with no security perimeter around them. This has not gone unnoticed by malicious actors: ransomware and wiper attacks have increased dramatically in frequency over this period.
Protecting endpoint data has become one of the top five concerns for Chief Information Security Officers (CISOs), and a modern endpoint data backup solution may be just what the doctor ordered.
Modern backup solutions are geared to deliver automated, reliable and predictable results and to reduce manual touch points, which are usually the source of errors. Hosted in secure and reliable Tier-4 data centers with a global presence, solutions like these are usually referred to as BaaS (Backup as a Service). Think of them as a minimum-touch backup service where you don’t have to stand up any infrastructure on your premises. In the case of Parablu’s BluVault, for instance, you add your licensed users to the BluVault console and deploy the endpoint agent using a mass deployment tool such as SCCM, Intune or an AD GPO, and the rest is automatic.
How does BaaS ensure security?
It is somewhat non-intuitive to trust that a cloud-based solution, functioning far away from your business offices can somehow secure your data and keep it safe – perhaps even safer than your data was inside your previous perimeter-based security model. Read on, and I’ll explain how. Please note that for purposes of illustration, I will often use the example of BluVault, Parablu’s own BaaS offering.
1. Zero Trust
As the limitations of the perimeter security model get exposed in the new reality, businesses are increasingly turning to Zero Trust models. Zero Trust Security isn’t new – but it is steadily gaining currency in today’s work environments. The principles of Zero Trust are quite simple:
- Verify explicitly – Identity is the foundation of Zero Trust. Every request is authenticated and authorized on the signals available (who the user is, what device they are on, where they are coming from), and against a single centralized source of truth that everybody trusts rather than a collection of disparate authentication mechanisms. Azure Active Directory perhaps, or Okta.
- Principle of Least Privilege – Grant access only when needed, only for as long as needed, and only for the specific task and role at hand.
- Assume breach – Design as though an attacker is already inside. Treat every request as potentially hostile and validate it regardless of who is asking or how small the stakes appear, and keep the blast radius of any one compromised account or device small. Multi-factor authentication is a key ingredient of Zero Trust.
All of Parablu’s solutions are designed for Zero Trust. BluVault integrates with Azure Active Directory (Azure AD) as well as Okta and can use either as the identity management authority for authentication, including Single Sign-On (SSO). Azure AD security groups can even be used for license management, provisioning and de-provisioning users automatically.
BluVault’s authentication mechanisms use OAuth 2.0 and are based on security tokens. A token is used only for the operation that requires it, only for the period of time needed, and is then discarded. Built-in roles also clearly determine the scope of privileges a user has: Administrator, Delegated Administrator, or end user.
Integration with Azure AD or Okta for authentication means that BluVault users also get the benefit of multi-factor authentication. Where neither Azure AD nor Okta is in use and the customer chooses Parablu’s native user namespace instead, Parablu provides its own built-in multi-factor authentication mechanism. Businesses can also turn on reCAPTCHA-based protection against brute-force password guessing.
2. API Gap – your defense against Ransomware
Backups are possibly the best defense against ransomware. Having a secure copy of their data lets businesses keep their leverage: they don’t have to negotiate with the attacker or pay the ransom. But recent ransomware variants have begun to specifically target backup copies and destroy them before detonating, so it is important to pick a backup solution that can adequately defend itself from potential attackers.
BluVault writes backups to storage targets that ransomware has no practical path to. These vaults are typically object storage targets that are not exposed as a drive letter or network share; every operation against them is an authenticated REST API call. Ransomware that spreads by encrypting or deleting whatever filesystem it can enumerate will readily destroy a local backup copy or a repository it finds on a LAN share, but it cannot reach an object store that way. The corollary is that the credentials authorizing those API calls become what must be protected, and they deserve the same Zero Trust treatment as every other secret.
3. Industrial-grade encryption
BluVault keeps data encrypted at all times, both in transit and at rest once it reaches the backup destination. All data transfers use HTTPS and data is encrypted in flight with TLS 1.2 and strong cipher suites. Data at rest is protected with AES-256 encryption and the business always controls the encryption keys. This is called Zero Knowledge Privacy: BluVault protects the data without needing any knowledge of the data, its contents, or the encryption keys used. Businesses can have the encryption keys regenerated for all their users as often as they wish. BluVault never persists encryption keys anywhere; they are regenerated on demand for each user when required, held in memory only for the duration of the encryption or decryption operation, and then immediately destroyed.
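As an added illustration of the at-rest model described above (this is example code written for this post, not Parablu’s implementation, whose key derivation is not described here), the following Go program encrypts a backup object with AES-256-GCM under a key that exists only in memory, binds the object name into the ciphertext so blobs cannot be swapped between users, detects any tampering on decryption, and re-encrypts an object under a regenerated key. The object name and plaintext are constructed sample input; a fresh random key stands in for the business-controlled per-user key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// UserKey is a 256-bit AES key. It is held only in memory and wiped when done.
type UserKey [32]byte

// NewUserKey draws a fresh random key. This stands in for the per-user key
// the business controls; how BluVault derives its keys is not described on
// the page, so this is an assumption of the example.
func NewUserKey() (UserKey, error) {
	var k UserKey
	if _, err := rand.Read(k[:]); err != nil {
		return UserKey{}, err
	}
	return k, nil
}

// Zero overwrites the key material once it is no longer needed.
func (k *UserKey) Zero() {
	for i := range k {
		k[i] = 0
	}
}

// Seal encrypts one backup object with AES-256-GCM. objectName is bound in
// as associated data, so a ciphertext cannot be re-labelled as a different
// object or moved to another user's namespace without detection.
// Output layout: nonce || ciphertext || GCM tag.
func Seal(key UserKey, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. Any modification of the blob, or a mismatched
// objectName, fails GCM's tag check, so corrupted or swapped objects are
// rejected rather than restored.
func Open(key UserKey, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// Rekey implements key regeneration for a stored object: decrypt under the
// retiring key and re-encrypt under the new one. Afterwards the old key no
// longer opens the object.
func Rekey(old, next UserKey, objectName string, blob []byte) ([]byte, error) {
	pt, err := Open(old, objectName, blob)
	if err != nil {
		return nil, err
	}
	return Seal(next, objectName, pt)
}

func main() {
	key, _ := NewUserKey()
	name := "alice/Documents/report.docx" // constructed sample object name
	blob, _ := Seal(key, name, []byte("quarterly numbers"))
	pt, err := Open(key, name, blob)
	fmt.Printf("restored %q, err=%v\n", pt, err)
	blob[len(blob)-1] ^= 1 // flip one bit of the tag
	_, err = Open(key, name, blob)
	fmt.Println("tampered object rejected:", err != nil)
	key.Zero()
}
```

Note that the stored blob carries the nonce and tag but never the key, which is what lets the storage provider hold the data without being able to read it; the one thing the design cannot do is recover data if the business loses the material its keys are regenerated from.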
4. Preventing Data Leaks
One of the big concerns businesses have with the work-from-home arrangement is how to keep enterprise data safe from the employees themselves. Business laptops are usually equipped with DLP (Data Leak Prevention) software that blocks sensitive data from being transmitted off the device. But what if an end user signs in to the cloud backup from a personal device and restores a copy of the data there?
BluVault has a prevention mechanism for this type of threat that businesses can easily enable. Through its integration with Azure AD Conditional Access policies, BluVault can perform device-based authentication: when a user attempts to sign in to BluVault with their Azure AD credentials, the sign-in can also be checked for whether it is coming from an Azure AD-joined device. If it is not, the authentication attempt can be denied. You can learn more about device-based authentication here.
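The Conditional Access rule described above is configured in Azure AD, not in the backup product. As an added example (not Parablu’s code or documentation), the Go program below builds such a policy in the shape of the Microsoft Graph conditionalAccessPolicy resource, requiring MFA and a hybrid Azure AD joined device for every sign-in to one application, checks whether a given policy actually enforces a device requirement, and shows the Graph POST that would create it. The application ID and break-glass group ID are placeholders, the policy starts in report-only mode, and the network call needs a real token with Policy.ReadWrite.ConditionalAccess, so it is not made in the offline demo.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
)

// These types mirror the fields of the Microsoft Graph conditionalAccessPolicy
// resource that this example needs; the full resource has many more.
type Users struct {
	IncludeUsers  []string `json:"includeUsers"`
	ExcludeGroups []string `json:"excludeGroups,omitempty"`
}

type Applications struct {
	IncludeApplications []string `json:"includeApplications"`
}

type Conditions struct {
	Users          Users        `json:"users"`
	Applications   Applications `json:"applications"`
	ClientAppTypes []string     `json:"clientAppTypes"`
}

type GrantControls struct {
	Operator        string   `json:"operator"`        // "AND" or "OR"
	BuiltInControls []string `json:"builtInControls"` // e.g. mfa, domainJoinedDevice, compliantDevice
}

type ConditionalAccessPolicy struct {
	DisplayName   string        `json:"displayName"`
	State         string        `json:"state"` // enabled | disabled | enabledForReportingButNotEnforced
	Conditions    Conditions    `json:"conditions"`
	GrantControls GrantControls `json:"grantControls"`
}

// DeviceBoundPolicy requires MFA and a hybrid Azure AD joined device for
// every sign-in to appID (the enterprise application the backup console is
// registered as). breakGlassGroup is excluded so a device-join outage cannot
// lock every administrator out. The policy is created in report-only mode.
func DeviceBoundPolicy(appID, breakGlassGroup string) ConditionalAccessPolicy {
	return ConditionalAccessPolicy{
		DisplayName: "Backup console: require joined device and MFA",
		State:       "enabledForReportingButNotEnforced",
		Conditions: Conditions{
			Users:          Users{IncludeUsers: []string{"All"}, ExcludeGroups: []string{breakGlassGroup}},
			Applications:   Applications{IncludeApplications: []string{appID}},
			ClientAppTypes: []string{"all"},
		},
		GrantControls: GrantControls{
			Operator:        "AND",
			BuiltInControls: []string{"mfa", "domainJoinedDevice"},
		},
	}
}

// RequiresDevice reports whether a policy actually blocks sign-in from
// unmanaged devices. A report-only policy enforces nothing, and a device
// control combined with other controls under OR can be satisfied by MFA
// alone, which is an easy misconfiguration to make in the portal.
func RequiresDevice(p ConditionalAccessPolicy) bool {
	if p.State != "enabled" {
		return false
	}
	hasDevice := false
	for _, c := range p.GrantControls.BuiltInControls {
		if c == "domainJoinedDevice" || c == "compliantDevice" {
			hasDevice = true
		}
	}
	if !hasDevice {
		return false
	}
	return p.GrantControls.Operator == "AND" || len(p.GrantControls.BuiltInControls) == 1
}

// CreatePolicy posts the policy to Graph; not invoked in the offline demo.
func CreatePolicy(ctx context.Context, token string, p ConditionalAccessPolicy) error {
	body, err := json.Marshal(p)
	if err != nil {
		return err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		"https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies", bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return fmt.Errorf("graph returned %s", resp.Status)
	}
	return nil
}

func main() {
	// Placeholder IDs; substitute the backup console's app ID and your break-glass group.
	p := DeviceBoundPolicy("00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111")
	out, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(out))
	fmt.Println("enforces device requirement:", RequiresDevice(p))
}
```

Use "compliantDevice" instead of "domainJoinedDevice" when endpoints are managed by Intune rather than hybrid-joined to an on-premises domain; the RequiresDevice check accepts either.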
BluVault has numerous other security features geared towards keeping data secure and enterprises safe. For instance, delegated administrative permissions give certain users administrative rights over a limited set of users and devices, for example a branch office or a specific department. The business can also decide whether administrators are allowed to view and restore user data from end-user backups. Administrator rights can be curtailed for certain high-value users, with clear audit logs recording if those rights are ever reinstated. Users can also share data with collaborators, both inside and outside the company, and secure sharing policies can require that shared files are always protected with a complex password and 2-factor authentication, that downloads are disallowed, and that a self-destruct timer is set on the shared file.
BluVault is also designed to make it easy to back up user data wherever employees are: at home, at an airport, in a hotel. The data payload is compressed and de-duplicated at all times to keep it as small as possible. This saves storage space in the backup repository, but more importantly it saves network bandwidth. And since slow connections may make it impractical to back up everything on every endpoint, BluVault’s policy-based controls let administrators fine-tune exactly what to protect on end-user devices: specific folders and file types to include or exclude. Policies can also cap how much CPU and network bandwidth BluVault consumes on end-user systems.
And no matter how widespread the user base, all management is central. Administrators manage everything – users, devices, policies – and get their reports, audit logs and so on through a single pane of glass.
It is true that the remote work model has given businesses and employees opportunities to be more creative and even more productive. But the exposure of important enterprise data sitting in an unprotected environment is too real to ignore. Adopting a SaaS-based backup solution (BaaS) can go a long way towards reducing that exposure and safeguarding business data. But pick the right solution. Hopefully this blog post has been instructive in describing what you should be looking for.
Parablu’s BluVault is designed to enable robust data backup from user endpoints, SaaS workloads (Microsoft 365) and edge servers. Our patented integration with Microsoft 365 and OneDrive for Business also means that you can deploy BluVault without spending a penny for backup storage. Sound interesting? Reach out to us and learn more.
Learn about its advanced data protection capabilities with our experts by requesting a demo here.