LastPass recently disclosed that its massive data breach last year happened because a hacker was able to install malware on an engineer’s home computer.
The engineer had access to the company’s cloud storage on his personal machine, which also ran an unpatched movie server. For me, the breach was the final destination happenstance of ridiculous events that allowed something major to occur: The LastPass engineer didn’t segment personal and work technology. And the company didn’t ensure that high-security corporate information couldn’t be accessed by somebody’s personal machine.
The cautionary tale as companies focus more on remote and hybrid work is that we need to do extra diligence to make sure remote workers can’t contaminate work environments. We have to think twice about what we enable and to whom, and come up with a plan to ensure the hygiene of devices we enable access to. Just because information is on the cloud, it shouldn’t be accessible to just anyone who has credentials.
AAA – authentication, authorization and accounting – is a framework for controlling access to computer resources and tracking user activities. As we’ve gotten into the cloud space, we’ve forgotten about the framework. And the rise of products that offer simplistic access to the cloud environment, from any device, has fostered the technology sprawl that allows a systemic failure like the one that affected LastPass.
Practitioners need to think about the cloud technology they have in place and how they’ve secured and managed their borders to ensure that only authorized devices can access the tech. And more broadly, they have to start thinking beyond authentication in today’s remote-work friendly world, where we blend home and corporate technology. It took LastPass almost a year to trace this latest discovery. Had they audited the system properly, they would have detected the intrusion long before.
When it comes to solutions around this, I think the best option is VDI. It remains a niche technology, but I think providing virtual desktops to remote workers is the way to ensure the absolute safety of corporate work environments.
Exploits and issues exist on networks, not just operating solutions, so issuing work laptops doesn’t solve the problem because that laptop is on the home worker’s network. Even if you provide a secure device, it might not be installed correctly. VDI is really the only way to take care of this. You have inherent browser isolation, but more important, there’s a technological separation between church and state. It’s virtually impossible to pass information between the corporate VDI system and anything else that’s going on a machine if the technology is set up correctly.
Exfiltration risk is the big one, but infiltration is also a major risk. VDI gives you isolation from these things because it is a static compute resource that cannot be contacted by the host computer, so malware and malicious code can’t enter the corporate environment from the home machine.
If that LastPass engineer had only had access to a VDI solution, that unpatched movie Plex server on his personal desktop wouldn’t have mattered. And LastPass wouldn’t have had this breach that cost them a customer base and the trust of their customers. Every technologist I’ve talked to has said they’ve moved on from LastPass because there’s not trust anymore.
VDI also offers other benefits, because it’s like gaining access to a compute resource. And if you do it correctly, you can make those compute resources dynamic. When the user logs off the session, the machine is torn down, and anything that was done there would not persist. VDI gives you an opportunity to minimize your support costs because literally, the restart or reboot gives you a fresh device every time. It reduces backend technology costs because you don’t have to ship laptops or deal with repairs.
As we venture more into remote work paradigms, we have to secure our cloud environments from being able to be reached from the outside world. Crazy as it seems, though cloud is supposed to give you anywhere access, it should be anywhere access from an authorized device.
###
(Originally posted on Security Current)
Streamlining Security in a Product Shop
The ’53-Man’ Roster for Security (Part 3 of 3)
The ’53-Man’ Roster for Security (Part 2 of 3)
The ’53-Man’ Roster for Security (Part 1 of 3)
Dear Congress, We need a privacy law.
