Solutions for the Distributed Enterprise
The First Six Steps to Securing Remote Locations
Table of Contents

What is a Distributed Enterprise
Market Drivers
What Problems
Step 1: Centralized Security Policy
Step 2: Secure Communications Between Locations
Step 3: Secure the POS
Step 4: Attain regulatory compliance
Step 5: Secure guest Wi-Fi hotspots
Step 6: Gain greater visibility
How WatchGuard enables Distributed Enterprises

What Is a Distributed Enterprise?

A Distributed Enterprise is a type of company that generally has both a corporate headquarters and remote sites, and that employs a highly centralized system for controls and management. In addition to managing and securing a traditional corporate headquarters and remote employee sites, Distributed Enterprises must also support multiple locations that operate like a typical small business.

This relationship between a centralized entity and many independent business locations is especially common in the retail, hospitality, medical, and financial industries, and it creates unique network security challenges.

In this ebook, we'll explain the most common security challenges faced by Distributed Enterprises and, more importantly, what you can do about them.
Market drivers

Consumer and regulatory pressures are forcing Distributed Enterprises across the world to adjust both the technologies they purchase and the policies they enforce.

Evolving regulatory standards are forcing organizations in many industries to upgrade security systems. Retail, hospitality, and healthcare organizations face significant losses if they fail to comply with the Payment Card Industry Data Security Standard (PCI DSS) and/or the Health Insurance Portability and Accountability Act (HIPAA).

Organizations of all sizes have begun to take notice of the dramatic increase in the volume of data breaches. Cyber crime is becoming increasingly popular due to the increased profits, and sophisticated malware is more readily available than ever before.

Data privacy and protection laws are in place in over 80 countries worldwide.

A month doesn't pass without another high-profile corporation falling victim to a data breach, and the negative publicity is inescapable. Businesses ranging from Target, to Sony Pictures, to Ashley Madison have all been plastered across the headlines following major breaches of customer data, and their reputations may never fully recover.

Consumers no longer view Wi-Fi hotspots as a pleasant convenience. Now, fast and reliable wireless internet access is expected. Customers, guests, patients, and vendors all have one thing in common: the overwhelming desire for Wi-Fi.

The need for advanced networking technology has become increasingly common. Basic networking equipment doesn't offer the flexibility that Distributed Enterprises need to meet modern technology requirements, including the adoption of cloud services, network segmentation, VLANs, and dynamic routing.

New threats rise 48% each year.

Gartner reported that 4.9 Billion Things connected to the internet in 2015.
"XTM devices have tremendous horsepower to let us do what we need to do, while protecting our networks with application filtering, IPS, web-blocking, spam-blocking, https, and more... Seeing the performance and level of protection we get we are very happy with the investment we made in our WatchGuard deployment."
~ Daniel Mullikin, Network Administrator, Shari's

What Problems

Distributed Enterprises are subject to several unique security challenges, in addition to the significant challenges faced by traditional enterprises.

For this modern, far-reaching organization, centralized security policy is critical, as is the ease of deploying the security solution at the remote business location. Once security is deployed, the ability to maintain visibility across the entire network for compliance reporting, health monitoring, and business intelligence purposes is equally important.

Unlike traditional enterprise organizations, these remote business sites are generally filled with consumers, all looking for Wi-Fi access. Business owners have to figure out how to offer, secure, and even benefit from this demand.

Finally, all businesses must achieve compliance with the growing number of security compliance standards, like PCI DSS and HIPAA, which require constant management and auditability of vulnerable systems and data.
Step 1: Centralized Security Policy

How can I define security policy for my network and ensure that policy is implemented and active at every location?

60% of breaches are due to human errors - Verizon Data Breach Report 2015

"The NCR Network and Security Services (NSS) team is excited about using WatchGuard's rapid deployment technology as part of our Site Shield service. Installing and configuring firewall devices in this manner will strengthen our ability to deploy NSS quickly and cost-effectively."
~ Lenny Zeltser, Director of Product Management at NCR

For any Distributed Enterprise, the ability to define centralized security policy is a must-have. Centrally defined rules regarding acceptable network usage, data storage and transfer, and handling of sensitive customer and payment information must be easily deployed and managed. Also, since technical expertise at the remote locations is generally very rare, this centrally defined policy must be very easy to deploy and manage at each location.

Organizations need to standardize on a configuration template which can be deployed centrally. Given the scarcity of IT resources in a Distributed Environment, deployments must occur in a quick and cost-effective manner. Acceptable policies need to be centrally managed to ensure consistent rules and timely software upgrades.
Step 2: Secure Communications Between Locations

How do I secure communication between HQ and all of my remote business locations?

"Deploying WatchGuard was a simple installation process at GlobalHunt. Setting up VPN was like child play as WatchGuard Drag and Drop feature took only a few seconds,"
~ Jagdish Chandra, Manager IT at GlobalHunt India Pvt Ltd.

Although remote locations often operate as independent small businesses, there is a constant requirement for sensitive information such as corporate resources, customer records, and payment data to be shared between the corporate headquarters and each site. Sending sensitive communications over the open web presents significant security risks.

Distributed enterprise organizations need a way to secure all communications between their corporate HQ and remote employee and business locations. Establishing an encrypted network connection, known as a Virtual Private Network (VPN), between the HQ and the remote location, or between two remote locations, will ensure that all communications are secure.
Step 3: Secure the POS

How can I segment our POS network from the other traffic at each location and get that payment information back to HQ in a safe and compliant way?

56 million customer records stolen from Home Depot using POS malware. - Verizon Data Breach Report 2015

"Put simply, strong security, properly done!"
~ Andy Evers, IT Manager, Red Carnation Hotels

Credit cards have been a convenience to businesses and consumers alike for over 50 years. These small pieces of plastic make transacting easy, but securing those transactions in our connected world is a different story entirely. Purpose-built malware is popping up every day, designed specifically to compromise point of sale (POS) systems.

For the Distributed Enterprise, cash-only is simply not an option. Organizations must accept and transmit customer payment information, which creates a unique set of security challenges for both the remote site and the corporate HQ.

Remote locations that process credit card transactions must utilize best-in-class network security technologies not only to protect and monitor their payment systems, but also to separate the network used for payment transactions from the rest of their network and all other information systems. Also, as the target of many dedicated attacks, organizations must employ solutions for protecting their POS systems from advanced and zero-day malware threats. Sophisticated UTM appliances can offer Distributed Enterprises all of the advanced network protection they need from one easy-to-deploy offering.
Step 4: Attain regulatory compliance

How can I achieve and report on regulatory compliance?

$5,000 to $500,000 fines for not being PCI compliant. - focusonpci.com

"WatchGuard's centralized logging and reporting capabilities really help us stay on top of the network, and we also use the PCI reports they generate."
~ Daniel Mullikin, Network Administrator, Shari's Restaurants

In recent years, regulatory bodies have been tasked with establishing data security standards and requirements, which are designed to protect both businesses and consumers from theft, fraud, and other damages. Although these compliance standards are valuable, they can generate serious challenges for IT professionals. Security systems need regular updates to correspond with the ever-evolving compliance standards. In addition, data storage and transmission systems need to be constantly monitored for unauthorized usage and access.

Organizations that fail to comply with PCI DSS, HIPAA, and other global standards are subject to enforcement actions and fines. Businesses within the retail, healthcare, and hospitality markets are especially sensitive to regulatory compliance.

Related aspects of PCI DSS, HIPAA, and other major regulatory compliance standards can be achieved by leveraging UTM security appliances, as they enable segmentation of network traffic and secure transfer of sensitive information between sites. Modern network visibility tools offer the ability to set alerts and automated reports on security events that are relevant to the compliance standard, including data leakage, malware, and unauthorized user access. Maintaining clear visibility for auditing purposes is also a requirement for maintaining compliance.
Step 5: Secure guest Wi-Fi hotspots

How can I offer guest Wi-Fi services without compromising the security of my overall network?

"Being able to create a good wireless network with access points in every third room has been very cost effective for us, which is an important consideration."
~ James Priory, Headmaster, Portsmouth Grammar School

Wireless internet access is becoming an increasingly common service offered to customers, guests, and patients. Distributed Enterprises that choose to offer guest Wi-Fi must be aware of the associated liability. Users can often jump from the guest network to the corporate network, giving them access to sensitive employee and customer data. Businesses also assume liability for any copyright infringement that results from guests illegally downloading content such as media.

Organizations must balance the need for tight security with the need to provide a fast and seamless Wi-Fi experience for their customers, especially as the number of connected devices continues to grow.

Organizations that choose to offer Wi-Fi hotspots must implement technologies and processes that adhere to data security standards, including PCI DSS and HIPAA. Wi-Fi performance is a large influencer of customer satisfaction, so all security technologies must offer line speed performance during times of peak usage. Both firewall and wireless access point technologies must allow for network segmentation, which separates guests from sensitive corporate data. Full UTM, Data Loss Prevention and Advanced Malware protection are essential in protecting the wireless network from targeted and evolving threats.
Step 6: Gain greater visibility

How can I monitor all network traffic and network connected devices from one single management console?

of businesses actively monitor and analyze security intelligence. - pwc.com

"I look at the central dashboard every day. It is up on my screen and it gives me real-time visibility or near-time visibility to the bandwidth usage at each one of our 43 sites."
~ Daniel Mullikin, Network Administrator, Shari's Restaurants

Data breaches are taking longer to catch each year. This isn't due to a lack of security, but rather a lack of visibility. Small technology environments often struggle to pinpoint every threat that enters the network, and that lack of visibility compounds as environments become larger and more distributed. Capturing log data is a step in the right direction, but that data is useless without the tools to distil out relevant security events.

Organizations need the ability to monitor traffic flowing throughout the network, both at corporate headquarters and remote locations. Complete network visibility is required for both real-time and historical traffic.

Traffic flowing through the network, at all locations, must be made plainly visible to the IT department. Distributed Enterprise organizations need visibility tools which translate oceans of data into actionable threat intelligence that can be utilized at the remote site and by headquarters alike. Alerts are required to notify admins of any event they deem significant. Dashboards are needed to easily identify trends and security threats. In addition to dashboards and alerts, historical reports must be maintained in order to establish baselines, which are critical in identifying abnormal network activity.
WatchGuard enables Distributed Enterprises to secure the network of every remote location through consistent, simple, and rapid deployment of enterprise-grade security, threat intelligence, and wireless technologies.

Leveraging WatchGuard's portfolio of Firebox Unified Threat Management (UTM) appliances and Wireless Access Points, Distributed Enterprises can easily configure, deploy, and manage consistent, enterprise-grade network security and secure wireless across all remote locations without the need for technical expertise at each location.

In addition to providing best-in-class, easy-to-deploy security, the company's actionable threat intelligence platform, Dimension, delivers centralized visibility across an organization's entire network. This visibility is critical for tracking and managing network health, reporting on compliance requirements, identifying and combating possible network threats, and assisting with proactive business decision-making.

www.watchguard.com/distributedenterprise

© 2015 WatchGuard Technologies, Inc. All rights reserved. WGCE66881_111915