The evolution of data traffic models towards cloud services, the explosion of mobile devices, the development of connected objects: these are all factors that are imposing structural changes on companies’ communication networks.

Finally, there are many factors that can lead to breakdowns, and therefore to partial or total interruption of activity: cutting of submarine cables, natural disasters, geomagnetic disturbances, theft of copper sections, wars and other geopolitical events, radio jamming, etc. However, certain industries, notably banking, have needs, and even requirements, for uninterrupted connectivity, whatever the situation.

What are the solutions to mitigate these risks? How to maintain an optimal quality of service in all situations?

An essential and complex network

In the connected enterprise, the network is the keystone. It is a critical infrastructure, just like all the other operational units that make up the entire enterprise.
Whatever the sector, the network is essential to the business, linking head offices, production sites and subsidiaries, employees and customers; carrying critical data, hosting business applications.

Over the years, IT networks have seen their complexity grow constantly. They have to adapt and take into account new uses, such as teleworking, new transmission media, such as LTE and 5G, new devices, such as mobile devices and the development of BYOD (Bring Your Own Device). These networks also face increasing threats of malicious attacks.

The needs are therefore growing, and so is the complexity of the networks supporting all these usecases and devices. The use of multiple vendors, each with their own hardware and software layers, and the use of various transmission media do not always allow for an overview of the entire network. Configuration and monitoring become complicated and spread over many “black boxes”.

A basic approach to connectivity is no longer sufficient. The need for infrastructure flexibility, resilience and scalability is greater than ever to better manage, control and evolve enterprise networks.

What is at stake?

The stakes are high here, since the company lives through its ability to communicate not only with the outside world, but also between its different branches. A functioning network is the assurance of a functioning company.

It is no longer unusual for companies to have multiple network access points. For example, it is conceivable that a bank with many branches might prefer to use satellite connectivity (VSAT), which is well known for its reliability and uptime. But VSAT bandwidth is expensive; depending on the needs, terrestrial MPLS, especially fibre optics, could be preferred. This type of link offers higher bandwidth at a lower cost, but at the cost of sometimes less reliable connectivity, or even, in the case of fibre, no coverage.

Connectivity via LTE/5G can also be added to this. But these means are constrained by local congestion at the transmitting tower, and it is difficult to guarantee a level of bandwidth via this medium.

Modern network uses, which involve the global management of complex flows, are incompatible with the low bandwidth of VSAT, or with degraded terrestrial links, or with a sudden drop in bandwidth on a locally overloaded 5G link.

The issue, then, is quality of service. Some applications are more or less sensitive to network outages, latency or bandwidth; for the company to continue to do its business, these applications must be functional. Dedicating a specific link to an application, according to its use, would be ideal, but during a service interruption, its operation would be completely stopped, which is not optimal, or even unacceptable, depending on the business.

It should also be noted that many companies now use SaaS cloud solutions such as Microsoft 365 or business applications. These applications are then hosted in one or more datacenters, at a distance from the company itself. This further reinforces the need for stable and reliable connectivity.

A functioning network is the assurance of a functioning company.

What solutions?

It is then a question of implementing solutions to optimise the company’s network, take into account changing needs, take advantage of new technologies available to safeguard business activity and improve the user experience.

By employing hybrid network technologies, the undesirable effects of a service interruption or change in network conditions can be mitigated. By routing traffic over one or more links depending on the application, continuous operation is ensured, while protecting against service interruption caused by a particular link.

By coupling this network hybridisation with SD-WAN solutions, it is possible to control an entire IT network, and direct data flows over the right channel, taking into account its type, usefulness and criticality.

By consolidating all network links to the outside world into a global infrastructure, it is possible to optimise routing, offer specific SLAs depending on the application, control the entire network and minimise service interruptions. By centralising its management, it also becomes easy to control its security: via new generation firewalls (NGFW), protection against threats, regardless of their origin, is ensured on all links at once.

It also provides complete visibility of all flows on the network, their characteristics, volumes, and performance. This makes it easier to spot potential problems before a failure occurs. Selective routing can also be offered according to the applications accessed, an important feature when cloud usage is becoming more and more important.

What results?

By migrating the network to hybrid solutions based on SD-WAN services, it is possible to multiply the advantages of each transmission medium and divide their disadvantages.

By directing the flows to the optimal medium for its use, one ensures increased user comfort and, above all, almost permanent connectivity, since it is possible to redirect the flows via other channels if these are degraded.

A high uptime, via a hybridisation of its means of communication, guarantees the company continuous operation. Finally, permanent monitoring makes it possible to guarantee the resilience of the network, serving the performance of applications and the user experience.

A one-stop-shop approach, combining an interconnected network, relevant IT expertise and fine-tuned management of all infrastructure components, can therefore meet the needs of companies and guarantee an optimal quality of service.

For over 30 years, Sonema has been offering its customers VSAT, hybrid network and SD-WAN connectivity solutions, while supporting our customers in their hosting and security projects.

For more information, please contact us.

A new model means a new threat model: whether you are running a private cloud or using outsourced hosting, security is more than ever a key issue in today’s IT systems.

New developments in the financial sector, with the rapid growing of Fintechs and applications around the new European framework called PSD2, as well as other initiatives around the world such as Open Banking, are pushing the entire banking sector towards cloud solutions, or a mix of traditional hosting and cloud (called hybrid cloud). But what are the security implications of such a model?

Why the cloud for the banking industry?

In recent years, the banking sector has seen the arrival of many new players on the market. As society moves towards an increasingly digital world, new banks, or neo-banks, have arrived on the market in order to meet the demands of these users who are keen on new technologies; a complete digital management of accounts is at the heart of all neo-banks’ service offer.

Following the success of these neo-banks, many large traditional players have started developing 100% digital offers, without local branches or offices, offering contactless payments, mobile payments, online account management, and advisors who can be reached via chat, at virtually any time of day. Through dedicated brands (such as B For Bank for BNP Paribas, Boursorama Banque for Société Générale, and many others in France and other countries), banks can experiment with the services of the future, aimed at today’s customer.

All these new offers require, however, a radical change in the banks’ IT infrastructure: previously, only a few parts of the banking information system were exposed. These include SWIFT access, access to online banking, or payments via SMS.
Today, there is a swath of applications requiring complete access to customers’ data, directly through machine-to-machine application interfaces (APIs).

All these new applications have a development cost, but above all a hosting cost: this is where hybrid cloud solutions can come into play.
By enabling the rapid development and deployment of new applications, and with unparalleled agility and availability, the cloud is enabling the rapid expansion of digital services offered by banks to meet the tough competition from neo-banks and fintechs.

What model of threats?

A new paradigm means new threats: with an ever-increasing attack surface exposed, an increase in attacks on information systems, and a hosting model that has different security requirements, the impact of poor security could be catastrophic, especially for an industry such as banking, which is subject to strict regulations from institutions.

DDoS attacks, ID theft, data theft, unauthorised access: traditionally hosted, on-premises information systems are already the target of many attacks; the same attacks can target the cloud, but the lack of visibility could further increase the impact of such attacks.

Operational security is, in general, guaranteed by cloud providers; thanks to replication of facilities, multiple redundancies and backups, as well as numerous certifications, it can typically be assumed that the providers’ infrastructures are rather well monitored. To date, there are virtually no examples of data theft directly attributed to the providers of these services.

While providers are assumed secure, the cloud puts the onus of data security on its customers: access configuration, real-time access auditing, performance monitoring, web filtering, credential theft prevention… Data theft in the cloud is most often caused by configuration errors, or lack of monitoring. It is therefore essential that a 360° security solution is also implemented within the cloud.

What cloud security solutions exist?

There are new solutions that also take into account cloud hosting, that are offered by some security vendors. The most modern concept, which meets ever-increasing customer expectations, is SASE, for Secure Access Secure Edge.

One of the primary goals of SASE is to bring together all the innovations in remote application access, CASB, SD-WAN, ZTNA (Zero Trust Network Access), FWaaS (FireWall as a Service), application gateways, threat prevention, Internet of Things and data leakage prevention, and converge them into a single coherent solution, allowing administrators to know who is connecting to what, and when, in a completely holistic fashion, so allow or deny access to resources based on policies, all administered directly from the cloud.

Beyond the threats to the hosting of new applications, the challenges of the hybrid workplace, full remote workstations and access to more and more cloud applications, or even SaaS, are covered by such a solution.

p>Using a SASE solution promises an overview of the entire data stream, from any device, to any destination, created by any user.

What are the benefits of SASE?

The convergence provided by SASE solutions offers many advantages to companies in the management of its networks and users. By centralising access management, SASE makes network security policies consistent in a way never before possible.

The benefits of such consistency are numerous, and mainly due to a perfect visibility of all network flows – their origin, their destination and the authentication of each of them – the IT teams have a complete and detailed view of everything that happens on the network.
These solutions allow for increased efficiency of IT services, reduced security risks, and simplified access management.

For users, centralising access management and authentication at all points on the network provides increased security, while simplifying their daily lives; by using a central authentication authority, user identity checks are made easier. By simplifying and strengthening security, without making it burdensome, productivity and user satisfaction are increased.

For the company in general, a unified security policy through SASE solutions allows a reduction in operational costs, a better scaling of IT policies, and an increased and consistent security. These advantages also bring external benefits, such as a reduction in the risk of data leakage, and therefore a preservation of the brand image.

Such a convergence therefore allows for a consistent, simplified and more agile security policy. In a world where the cloud will represent an increasingly important part of the hosting of services, it is essential to have a solution that allows access control to data.

Among the suppliers of such a solution, Gartner lists Fortinet and NetSkope as references in the SASE market.

Conclusion

Cloud solutions are here to stay, and all industries will, at their own pace, move towards one type of cloud solution or another that best suits their needs. These new solutions are responding to new challenges of rapid growth, and cannot be ignored. However, especially in the financial industry, security requirements dictate that all incoming and outgoing data flows must be carefully managed, especially with the expanded attack surface that these new solutions imply.

The SASE security concept is emerging in the market as the convergence of all cloud and security innovations in the market to provide a unified solution to attacks and misconfigurations. It provides a view of the entire network to secure all exchanges, both between the Internet and internal systems, and within the local network.

For over 30 years, Sonema has been offering its customers unified telecommunications solutions, as well as hosting solutions, network and system security solutions, cloud solutions, and support from its network experts.

For more information, please contact us.

The preservation of a company’s information systems is essential to its smooth operation, and its continuity is a major stake, especially in the event of problems or natural disasters. Business interruption caused by IT failure can be fatal to companies, no matter their size.

One of the main defences against these hazards consists in implementing disaster recovery and/or business continuity plans (DRP-BCP). But what do they consist of? How to implement them? And what are the challenges of these plans?

What is at stake?

Beyond the mandatory compliance, imposed by regulators, implementing business continuity and recovery plans for banking institutions attempts to answer 5 major questions:

• How to return to a normal level of activity in a short time, without major data loss;
• How to communicate with various stakeholders in the event of a crisis;
• How to limit the consequences in terms of financial costs and damage to the brand image;
• How to ensure operational resilience;
• How to monitor the emergence of new threats.

It should be noted that most African monetary zones makes having a DRP-BCP mandatory, to varying degrees of thoroughness. The ECCAS includes this obligation in the COBAC R – 2008/01 regulations. Contingency and business continuity plans are the subject of Chapter 3 of WAEMU Circular 04-2017/CB/C on risk management in credit institutions and financial companies in the union.

Definitions

Disaster Recovery Plan (DRP)

A Disaster Recovery Plan (DRP) is an internal procedure for the recovery of a company’s activity in the event of the failure of its information system, among other things. DRP can plan for partial or full business activity recovery.

The objective of this plan is to anticipate and mitigate the effects of a disaster, such as a flood, a fire, or other natural disasters, but also of attacks on your company’s IT infrastructure. The plan has to be assessed beforehand, listing all the sensitive business data and applications to be duplicated and backed up, but also has to account for the training of people within your company who will be responsible for putting this DRP into action in the event of a crisis.

Being preventive, it should of course be defined and put in place before a disaster. Depending on the size of your infrastructure, developing an effective DRP can take up to a year to properly map the critical parts of your systems.

A DRP does not generally aim to back up and protect everything: that is generally untenable in terms of resources. Their main objective is to identify what is critical to the operation of the business, even at reduced capacity, in order to restore activity as quickly as possible in the event of problems.

Business Continuity Plan (BCP)

A BCP (Business Continuity Plan) has a broader scope: the aim here is to maintain the activity of a company in the event of a major failure, while it is happening.

The COVID-19 global pandemic crisis is an example of the major disruptions that BCP are designed to prepare for. Several scenarios need to be planned for in a BCP, generally divided into 4 distinct natures:

• IT systems failure;
• impracticality of the premises;
• extreme worsening of conditions or interruption of market operations;
• the massive unavailability of skills.

This article deals here in particular with the IT infrastructure, which is nowadays critical to the functioning of companies. In this context, a business continuity plan makes it possible to maintain high availability and to continue working, even in the event of an incident..

What is the difference between DRP and BCP?

 
To better explain the difference between the two type of plans, let’s take a different example, on another scale: your computer’s power supply. A BCP, here, could be a UPS connected to your computer. In the event of power loss, a battery system takes over automatically and transparently. There is no loss of power, and your computer continues to function in the same way as it would when connected to the mains. A signal is emitted, telling you that you are on the backup system; but you can continue working without losing your work, as long as the backup power remains, until the power grid returns to function.

A DRP would be more like an external hard drive, where you regularly back up your work. In the event of a power failure, you would simply recover your backup, for example on a battery-powered laptop, and resume your activity, albeit from a slightly older point in time: the time of your last backup.

On the scale of a complete information system, the same situation applies: a DRP is an effective backup of your data and applications to be recovered in the event of a crisis; a BCP is a duplicated system in real time, which can take over in the event of problems.

The difference between the two is, ultimately, in the acceptable amount time for the company to recover from a production or activity shutdown: a BCP guarantees business continuity, a DRP a rapid recovery.

What are the objectives of DRP-BCP?

DRPs-BCPs cannot be effective unless they include all the critical elements that make up your information system. If the scope is too narrow, there is a risk that your activity will be degraded too much, or even be impossible to resume, in the event of problems. Too broad, and the recovery plan becomes a runaway cost.

One of the primary goals in establishing a good DRP-BCP is therefore to define the exact scope of what is needed to keep the business running. This may be a list of physical servers, databases, software, an e-mail system, etc. Each company is unique in its operations and will therefore have different requirements.

This is why it is important to call on trusted experts when mapping what is to be protected: it is easy to see that backing up the company’s internal chat logs is perhaps less important than backing up or maintaining the billing and accounting system. Again, it is through careful assessment that a list of the information system’s critical points can be established.

Two important values must then be defined: the RTO (Recovery Time Objective) and the RPO (Recovery Point Objective). The first is the maximum downtime of your critical systems; the second is the maximum time it is acceptable to lose data.

This is where DRPs and BCPs differ greatly: the DRP will always have an RTO greater than zero and an RPO greater than or equal to zero. A BCP, on the other hand, will always have both RTO and RPO equal to zero.

In the case of the banking industry, a DRP might typically have an RTO of one or two hours, depending on the services covered; the RPO must be zero, as it is essential not to lose any transactions to avoid loss of funds. In France, the Comité de la Réglementation Bancaire et Financère (CRBF) imposes that businesses in the financial sector must have a contingency plan for business continuity. In the United States, and more generally worldwide, PCI-DSS imposes strict data backup rules. Similar legislation and regulations exist in most countries, to ensure the continuity of operations expected of the banking world.

How to implement a DRP-BCP?

Once the critical infrastructures have been identified and the recovery times decided, it is then a matter of putting in place an effective backup strategy within the framework of a DRP, or the duplication of systems within the framework of a BCP.
 
 

 

A detailed backup policy should be defined and followed. A basic rule, known in the IT industry, is the 3-2-1 rule: three backups, on two different types of media, with one of the copies offsite (i.e. away from your premises; the further the better). The aim here is to maximise the chances of data recovery, in the event of a natural disaster, or technical failure: by using two types of media (e.g. magnetic storage, and tape storage), and by having one copy far away geographically, it becomes easier to make sure a working copy exists.

It is also essential and mandatory to regularly test backups and the backup system to ensure that they can be restored in the event of damage. A tragically famous example would be MySpace, a social network from the turn of the century; all the content posted by its users from the site’s inception until 2015 was lost during a datacentre move. The backups had been silently corrupted for years, and could not be recovered. Although this data cannot really be considered critical, the losses destroyed the remaining reputation that the platform enjoyed.

BCPs go even further: we are now duplicating your critical infrastructure on your premises, but more ideally in a geographically remote location, or in a private cloud. These installations must be duplicated in real time or very regularly. This way, an “emergency” information system is always available and up to date, ready to be deployed in case of problems.

In a situation where there are bandwidth constraints and the RTO may be longer than one hour, it may be possible to use the connection you already have outside business hours to back up critical data during this period. This lessens the impact on connectivity during the business day, but adds the risk of losing the day’s worth of data in the event of a disaster. A BCP almost doubles the bandwidth requirements (at least on exchanges between critical systems), but ensures virtually no business interruption.

In any case, it is absolutely critical to clearly document all these procedures, to train the disaster response teams, and to continually test all crisis scenarii; countless examples in 2020 showed the importance of a business continuity plan during the early stages of the pandemic, and the institutions that were able to come out on top were those that were prepared to respond in the event of a disaster, in an organised and planned manner.

What are the benefits of DRP-BCP?

 
Companies are increasingly resorting to DRPs and BCPs; a major concern for the company being having its data backed up. In an increasingly digitised world, information systems play an important role in the functioning of a company. The loss of data can have a big impact on a business, or even shut it down completely; some companies will not recover from such an event.

Implementing a disaster recovery or business continuity plan allows to continue to provide service to customers and to restore information systems within a reasonable timeframe. In the case of natural or man-made disasters, a BCP can even be a competitive edge, if your competitors also suffer from the same disaster.

This is the IT implementation of the popular adage, “prevention is better than cure”.
The opportunity to establish a BCP also allows you to map in detail what is critical to the functioning of your business. A better understanding of what is critical can also help to focus attention on certain systems in a cyber security policy, which is a key focus today, especially with the advent of new financial tools, the development of cryptocurrency and an ever-increasing demand for digitisation of all financial and government services. The stakes are growing exponentially, and data security will be the keystone of the banking world’s durability and resilience.

Finally, it is also a very useful part of a crisis management plan; having made decisions in advance, it becomes easier to bounce back from problems.

For more information, please contact us.

What Exactly Is PCI-DSS?

• The merchant: any company or individual that accepts card payments. It is to the merchant that the customer gives his information as a cardholder, and represents the first link in the electronic payment chain;  
• The Service Provider, or hosting provider: any company that stores, processes, or transmits payment card information on behalf of another company. These service providers can be thought of as intermediaries that provide various payment services to merchants. Some companies are considered to be both merchants and service providers: a telecommunications company, for example, receives card information from a customer for payment, and at the same time enables its transmission. They are therefore considered both a merchant and a service provider.

The Challenges of PCI-DSS

PCI-DSS Requirements

Compliance Assessment

The Self-Assessment Questionnaire (SAQ)

Vulnerability Scan

Certificate of Compliance (AoC)

Report of Compliance (RoC)

The Importance of PCI-DSS

What Is a Pentest?

A penetration test, or pentest, is an “acceptable” form of hacking, in the sense that these attacks are controlled, desired, and aim to evaluate the security of a computer system. A penetration test is not to be confused with a vulnerability assessment, which is purely theoretical: a penetration test is, in a nutshell, an attempt to hack into your systems, by actors authorised to do so.

Pentests fall into two broad categories: traditional — or manual — tests, and automated tests.

Are There Different Types of Manual Penetration Tests?

Black Box Testing

Black box testing involves attacking a system or network without any prior knowledge of its composition. It is therefore the type of test that will most closely resemble a real attack by a malicious actor. These tests can identify exposed vulnerabilities, configuration errors, and even human weaknesses that can lead to the successful exploitation of a network, through social engineering. Although these tests are the closest to real world conditions, they have many disadvantages: since they are based on research and hypothesis-building, it is difficult to identify all the flaws that may be lurking in a network. They are also, by their exploratory nature, tests that can last several months, thus increasing their cost. Finally, the thoroughness of this type of penetration test depends even more on the expertise of the pentester, since the testing is done “blind”.

White Box Testing

Grey Box Testing

Which Manual Test to Choose?

Automated Testing

What Is the Purpose of Penetration Testing?

To meet these new standards whilst addressing our customers’ issues and helping them implement Microsoft solutions, Sonema has teamed up with Crayon, a leading distributor of Microsoft365 and Azure products:

Microsoft 365

An all-in-one bundle which includes all of Microsoft’s desktop software in a single subscription. The bundle includes M365 Apps for enterprise: Office 365, Teams, Exchange and Windows10 as well as the EMS (Enterprise Mobility + Security) modules. It is a global solution designed to meet all the challenges facing businesses today in terms of employee productivity, team mobility management and corporate data security.

Azure

Azure is a bundle of over 300 cloud computing services for businesses and developers. The range of services includes IaaS resources, Platform as a Service (PaaS) and Software as a Service (SaaS) options, allowing companies to access cloud services without the need to manage servers: Azure SQL Database, Visual Studio, DataMarket, Windows Azure Media Services, Azure CDN.

Support

We provide additional support for training, migration services and licence optimisation plus advice for development proposals.

These new offers will be developed using Sonema and Crayon’s local presence in Africa and will use Microsoft’s data centres in Europe and South Africa allowing businesses to access their data at any time.
To optimise connectivity to Microsoft services, Sonema also offers an ExpressRoute connectivity service, which is particularly well suited for use with Microsoft Cloud services.

« Crayon was one of the first partners to receive Azure Expert MSP status globally in 2018. This status has enabled us to develop a comprehensive managed services portfolio and strengthen our technical expertise. We are delighted to be able to work with Sonema’s teams and to support them in providing this offer to their customers, » says Gwenaël PASQUET, Managing Director of Crayon France.

For Catherine DELOM, Managing Director of SONEMA: « Currently we offer our customers scalable, high-performance and resilient connectivity and security services. This partnership with Crayon, who are one of the Top 10 Microsoft LSPs, allows us to increase our value proposition and to meet our customers’ requirements for Microsoft Cloud services, which are essential to business development, whether it be through collaborative work, messaging or data protection tools. »

ABOUT CRAYON

Crayon helps clients build a business and technical foundation for successful digital transformation through a reliable service framework enabling our clients to scale and optimise their IT assets to unlock the untapped potential in IT and innovation.

Headquartered in Oslo, Norway, Crayon has more than 3,000 employees in over 50 locations worldwide.

More information : www.crayon.com – Press contact : MabcdefelaNO-SPAMnie.CoffNOSPAMee@craNOSPANyon.coNOSPAMm – +47 46 74 8648

ABOUT SONEMA

Sonema has been supporting its customers for more than 20 years in their projects on the African continent. With a committed mindset based on a strong understanding of the issues, Sonema want to be a proactive partner by allowing them to focus on their core business and business innovations.

Through its one-stop-shop approach and network of local partners, Sonema provides tailor-made and scalable solutions for highly resilient satellite, terrestrial and hybrid networks as well as security and hosting services.

Remaining faithful to its values of respect, transparency and responsibility, Sonema place trust at the heart of its customer relationships.

• 66 members of staff committed to its customers, every day;
• 767 customer installations across 45 countries in Africa;
• 37 certified local partners all over the African continent.

As an essential component in the digital transformation of companies, Wide-Area Networks (WAN) must evolve to become resilient, scalable and secure architectures, and thus respond to the necessary changes in networks. Growing digital needs, a democratization of cloud usages: the last few years have seen the emergence of new connectivity technologies, offering ever more controlled quality of service and increasingly minimized service interruptions.

Today, let’s take a look at SD-WAN, a recent evolution in connectivity technologies.

What is SD-WAN?

SD-WAN (Software-Defined Wide-Area Network) is a software-based approach to managing a WAN. It virtualizes a network link through the aggregation of multiple connectivity solutions. It has been touted in recent years as the next big thing in telecommunications.

SD-WAN allows for greater flexibility by separating the physical part of the network from its control and management planes. This approach has several key benefits:

• Increased resiliency, through the multiplication and diversification of link types, and intelligent routing;
• A pragmatic operational cost structure, as bandwidth can be increased via less expensive connectivity options such as Internet access or 3G/4G;
• Link security via next generation firewall (NGFW) equipment;
• A global visibility of the network and an increased agility on evolutions.

Initially, the technology was presented as a way to save bandwidth, thanks in particular to the intelligent routing of different types of traffic on a network. Today, the main benefit put forward by users and manufacturers is the optimization of the availability and latency perception of applications, allowing a better user experience.

How does it work?

This technological approach therefore promises many improvements in service quality. But how does the technology work in practice?

Good planning is the key to good operations

First of all, the customer’s needs must be accurately defined. Depending on the network topology, the connectivity options available on site and the specificities of the applications used, the approaches will be different.

The first step is to accurately assess the customer’s business case; the returns on investment will not necessarily be the same depending on the use.

Mapping network traffic

Once this business case has been established, the careful planning phase can start, by communicating with the client and carrying out a site survey to identify the various sources of network traffic. It becomes then possible to classify the criticality of each network flow, in order to prioritize them.

The equipment

Specific equipment is required at both interconnection points: typically, an appliance (physical or virtual) will be installed at the receiving end, at the customer’s site, and another one, which will manage the other end of the connection, is installed in a datacenter, in the case of a centralized architecture of the customer, or on all or part of the client’s network sites.

Many vendors provide many different features; for example, Fortinet offers solutions integrated with a whole ecosystem oriented towards security, or Aruba (formerly Silverpeak) is more oriented towards flow optimization.

Connectivity

It is now necessary to connect these two endpoints together. All types of connections are compatible here, and this is what makes this technology special: the flows will be routed on the link offering the necessary characteristics for a specific stream. One of the important steps will be to set up the SD-WAN appliances by defining the desired SLAs for intelligent traffic routing. For example, real-time applications, where latency and/or jitter are critical and should ideally be kept to a minimum, will be routed over the link offering the right characteristics. In the case of a critical application, it is even possible to transmit the data twice, on two separate links, to ensure that if one of the two links were to be degraded, the data would still reach its destination.

What result?

Through careful and well-prepared deployment, increased quality of service and connection stability is achieved while minimizing service interruptions. This quality is also achieved without the need for costly bandwidth increases to the primary link.

These technologies act in a completely transparent way for the end user: sudden degradation or disconnection on a network link will have no impact on the data stream. Dynamic routing or load balancing, which balance the network load on several links, would fail altogether if one of the links suddenly disconnect.

What are the benefits of using SD-WAN?

The potential benefits of SD-WAN are numerous, and by extension so are its business cases.

Availability of critical applications

If your business depends on a remote application, whether it is a business application or a cloud application, SD-WAN can improve its availability, by allowing automatic switching between various links depending on their characteristics. If your application is sensitive to latency, jitter, or even just available bandwidth, SD-WAN can ensure that it is always prioritized, even if one of your links goes down, to improve the user experience.

Optimizing access to Microsoft Cloud Services

Some SD-WAN solutions can improve access to cloud services like Microsoft 365 or Azure. They detect Microsoft points of presence to route traffic to the edge points closest to the user, thereby reducing latency and/or jitter to ensure the best application performance.

Bandwidth optimization

If your application sometimes requires occasional bursts of extra bandwidth, SD-WAN can, for example, “overflow” your traffic onto a secondary link to keep your application connected. This allows you to benefit from very high availability VSAT connectivity, as well as an MPLS, fiber or terrestrial ADSL link for occasional bandwidth needs, in addition to VSAT.

Secure connectivity

The use of applications, especially in the cloud, requires a high level of security. SD-WAN meets this need through permanent security and encryption, by implementing anti-virus and anti-spam solutions, intrusion prevention and detection (IDS/IPS), application filtering and through complete control of the authentication process.

When not to use SD-WAN?

The use of SD-WAN is evaluated on a case-by-case basis: depending on the characteristics of the links available between the points to be connected and your needs, SD-WAN can improve the quality of service for your network applications. However, SD-WAN is not suited for all networks; there are several factors to consider in determining whether or not SD-WAN will benefit you.

One of the key factors in choosing SD-WAN is the variety of link types available between your two networks to be connected: the greater the variety, the more SD-WAN makes sense. Coupling Internet bandwidth to an MPLS or VSAT link, to minimize service interruptions and match bandwidth capacity requirements, will always be more economical. SD-WAN will allow you to intelligently route all your traffic in an optimal, secure and more cost effective way than by purchasing more bandwidth on your main link.

A large swath of new solutions are becoming available, such as low earth orbit (LEO) satellite fleets, 5G in large cities, or the deployment of new submarine cables. SD-WAN will allow you to use these new technologies alongside your existing links, in order to increase their bandwidth and availability, in a transparent way, but also to completely change their architecture: a network, today in MPLS, can be turned into a 100% Internet network.

The increase in the use of cloud solutions is also a critical factor: the more your applications are hosted in the cloud, the more important it is to be connected to them at all times. The resiliency of SD-WAN means that you can always be connected, no matter what happens, as multiple channels are used to connect your applications to your network.

Finally, there is a cost factor to consider: an increase in bandwidth may be sufficient for your needs, although diversifying links will always bring a benefit in terms of resilience to outages.

It is therefore necessary to carefully prepare an audit of your existing network, define your needs and carry out an expert evaluation by network engineers who will be able to precisely direct your connectivity needs and set up an evolution path.

Encrypting data at rest, regularly auditing access, on-site security and monitoring for data leakage are just a few of the measures you can take to protect your corporate data. But all these measures quickly fall apart if users knowingly or unknowingly reveal their passwords. How to protect your data against password theft? An overview of the challenges of privileged access management.

Credential theft is commonplace

The security level of an networked information system is generally dependent on its weakest link. Often, this is the user: it is difficult to find the perfect balance between minimal inconvenience and maximum security.

Phishing, ransomware, social engineering, or sometimes even physical data theft, the opportunities to have one’s credentials stolen are numerous, and it is often noticed too late to mitigate the impact. Regularly, huge lists of logins and passwords appear on the Internet. Sometimes, it is the system administrators who are at fault, due to a bad server configuration, an accidental upload of a test database, or simply because the application used by your company does not apply certain necessary security measures. By exploiting these vulnerabilities, some individuals manage to gather large swaths of user credentials, most often valid.

To date, the largest list of accounts is called “Collection #1”; in 2019, a 2.7 billion rows database, containing 773 million unique email addresses, as well as passwords associated with each of those rows was leaked.

This list does not mention which websites those databases were stolen from; it would be tempting to think that such a list is unusable. Unfortunately, most users reuse their passwords, making these thefts quite viable, even if the credentials have not been stolen from your systems: by using a technique called credential stuffing, which involves testing stolen username and password pairs on a target from one of these stolen account sources, an attacker can hope that a user has reused their password.

Akamai, a leading Internet service provider, estimated in 2017 that credential stuffing could cost companies up to $5 million per attack, primarily in application downtime, lost customers and time invested by IT teams. Additionally, there is an estimated monetary loss of $500,000 to $54 million, assuming that 1% to 100% of your users’ accounts are compromised, respectively.

The same vendor indicated that the number of credential stuffing attacks on financial services providers is steadily increasing, with a 45% increase between 2019 and 2020. 3.4 billion attacks specifically using this modus operandi were conducted on online services of banks worldwide in 2020 alone.

Stolen credentials are not only a matter of corporate data

In addition to the loss of time and money that credential stuffing causes, if such a data breach impacts your business, your legal responsibility may also be engaged: the GDPR (General Data Protection Regulation), explicitly classifies logins and passwords as PII (Personally Identifiable Information). Thus, any leak of such identifiers or data, whether or not due to negligence, must be notified to all users as soon as it is detected, and no later than 72 hours after the discovery; any failure to comply with this obligation may cause your company to pay a fine of up to 2% of its turnover as compensation for the breach.

How to mitigate such losses?

While not inevitable, the theft or loss of credentials can be mitigated:

Employee awareness

The first line of defense lies with the users of these credentials. Offer specific training to identify phishing, encourage users to report any breach they notice, or any loss of credentials they experience, without repercussions.

The sooner the loss of credentials is discovered, the faster it can be dealt with; in the case of a dissemination of part or all of your customer base, you can also protect yourself more quickly from the consequences of a data leak if you spot it early enough.

Strengthen security by adapting security protocols

Historically, it was recommended to change your password on a regular basis. Specifically, NIST, the American technology standards institute, recommended changing your password frequently, usually every 42 days, at most. However, it was found that such a policy causes users to use a much weaker password, knowing that they will have to change it in the near future.

It was also found that a long password is more secure than a complex one; NIST guidance calls for a minimum of 8 characters.

But a secure password is no longer enough; authentication techniques called “multi-factor” must be used:

Implement multi-factor authentication (2FA, MFA)

Multi-factor authentication, by verifying a user’s login attempt through something they have (a temporary password generator), in addition to something they know (their traditional password) adds a layer of security in the case of data leakage attacks.

The user proves that he is the instigator of the connection through his smartphone, through a dedicated generating device, through a physical security key (FIDO type) or through a one-time code book. If the system is well implemented (and does not allow resetting these additional factors via email, or allows overriding it in case of unavailability), the security level is greatly increased.

However, beware of authentication SMS, as SIM cards can be hijacked directly from cell phone operators.

Set up access audit and privileged access management systems

In the context of access to company resources, it may be appropriate to add to these policies a continuous access audit system and privileged access management system. By using a jump-box system with secure access, it is easy to limit and control access to resources by forcing users through a well-surveilled “bottleneck”. This will allow the capture of exchanges, the granular recording of accesses, and will also make it possible not to reveal the connection credentials to certain systems, in favor of the user’s identification, via a “bank safe” system.

These systems also make it possible to quickly revoke access to all privileged resources, without having to reset sometimes inaccessible passwords.

I have experienced a credential leak, or my login information has been stolen: what should I do?

In the first case, the absolute emergency is to disable access to all privileged resources. Once this is done, a mechanism for invalidating all user accounts must be triggered, so that they can reset their passwords.

All users affected by such an information leak must also be notified within 72 hours according to the GDPR.

If your credentials have been stolen, it is important to do a personal “mini-audit”: if you use the password that has been stolen on several services, all accounts on these services are considered as compromised, and the passwords will have to be reset immediately, individually, on each service.

Our advice

Within your organization, it is important to focus on continuous auditing of privileged access, and a sound password policy, to minimize the impact that data leaks could have. While not absolutely inevitable, accidents do happen and can be very costly to a company’s operations.

The importance of multi-factor authentication and privileged access control is a powerful bulwark against credential leaks.

Sonema has been helping its customers for over 30 years with their growing connectivity needs, and also offers solutions for privileged access control (PAM), multi-factor authentication and security auditing. For more information, contact us.