Working remotely or from home has pushed companies to adopt new-generation technologies, which in turn bring information security risks. In the last 2 years, we have seen that even companies that had never experienced this working method before adapted to it quickly. New requirements emerged with this change, and the security risks increased as well. When it comes to the information security of institutions in production, services, government and almost every other industry you can think of, the concern is not only protecting the services they provide to end users, but also preventing both interruptions to the continuity of remote work and security weaknesses introduced by employees, especially through individual errors.
In this article, instead of covering security products such as WAF and firewall, which are known by almost everyone in the industry, we will talk about the new threats we foresee for the future and how we can prevent them.
Prioritization is a necessity when protecting the infrastructure. Even the strongest companies do not have limitless human and material resources. Therefore, risk analysis is essential before investing in information security. Risk analysis clarifies both the areas to invest in and how to prioritize them.
First, let’s talk about internal threats: the danger that may be caused, consciously or unconsciously, by company employees, former employees, contracted personnel or employees of third-party companies.
According to research from 2020, employee-related attacks have increased by nearly 50%. It has been determined that 60% of the companies have been attacked by 30 or more employees within 1 year. A detailed analysis of the reports shows that the bill for the attacks companies are exposed to is much higher than the cost of the security investments that would need to be made.
Companies have started to move their services and even their infrastructure to cloud systems for reasons such as system redundancy, incident response, ease of management and security. By the end of this transformation, companies are expected to move the majority of their infrastructure investment pie to cloud environments. Particularly in our country, where we have not yet been able to break the prejudices, we think that hosting services in cloud systems is going to become obligatory. For this reason, even companies that have not yet been integrated into this environment need to make their plans.
The term Software as a Service (SaaS), which we hear constantly, has the support of almost all manufacturers today. Office365 is the best-known example of SaaS. SaaS can include many solutions such as applications, databases, operating systems and firewalls. Most SaaS solutions can be used under a pay-as-you-go model. While SaaS can be delivered from the public cloud, solutions that only employees can access, or that handle communication between applications, can be built on the private cloud model.
Even though server maintenance and basic security arrangements are the responsibility of the company we get the service from, not understanding SaaS and its solutions will bring security risks. To give an example from Google Cloud Platform (GCP), not knowing the platform's data encryption, IAM (Identity and Access Management) and even data redundancy options can bring risks. In reality, the options we are talking about are similar to the security and redundancy solutions that already have to be implemented in data centers. On the other hand, operating without consulting Google Cloud Platform may bring huge, unpredictable risks to cloud systems, especially for services that are open to the internet and where data privacy is important.
Secure Access Service Edge (SASE) is a term that was created by Gartner. It is thought to be the security standard of the future in cloud systems. Gartner has predicted that 40% of large-scale organizations will have adopted SASE by 2024. In 2018, this figure was 1%.
SASE’s goal is to make wide area network and security solutions for mobile access easier, as well as to provide easy and secure access to applications and data on the cloud.
The headline themes of SASE include reducing complexity, universal access, price advantages, performance, security and ease of use. SD-WAN, NGFW (Next Generation Firewall), Firewall as a Service (FWaaS) and Network as a Service (NaaS), whose names we have been hearing constantly for the last few years and which manufacturers try to introduce to us at various events, are the solutions that support SASE. It is said that manufacturers such as Palo Alto have shifted their investments to these areas in recent years. Even though these solutions still have problems of their own, we need to be ready for this transformation, which will apparently happen within a few years.