The Key to Better Security

Many of us have replaced keyed door locks with electronic locks that use codes to unlock doors. They emulate the PIN technology we use to unlock our computers. Our computer technology, however, is going the other way. Physical keys – with PIN codes – are proving safer and more convenient in office environments.

In many offices, an administrative assistant or another employee may need to access the email or a website of an employee who is out of the office. Two-factor authentication (2FA) – which should be installed – usually requires access to a second device, such as a cell phone or an email address. If the account owner is not available, 2FA won’t work, unless the system is set up to work with another person’s devices. That gets really complicated, and it can be compromised.

A security key is a much more secure passwordless form of 2FA. The term “security key” should not be used interchangeably with “passkey,” which is another form of passwordless security. Security keys are physical devices that typically work through a USB-C port, but they are not limited to USB-C. They can also use USB-A ports and Apple’s Lightning ports.

When you or an authorized user logs in, that person enters your password and then uses the security key, which generates a unique code or signature to confirm your identity. That makes it difficult for unauthorized users to access your account even if they have your password.

Security keys utilize public-key cryptography, making them resistant to phishing and credential theft. They can be used with cell phones, and to be honest, not enough of our clients are setting them up on their phones. They can be more secure in public places.
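
The login step described above, as an added example that is not part of the original article: a simplified Go model of a security key's challenge-response, showing why a look-alike site or a captured signature is not enough to log in. The type and function names, origins and challenges are constructed for illustration; real keys follow the FIDO2/WebAuthn standards, which this sketch only approximates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SecurityKey is a simplified model of a hardware key: one key pair per site.
type SecurityKey struct{ keys map[string]ed25519.PrivateKey }

// Register makes a key pair for origin; only the public half leaves the device.
func (k *SecurityKey) Register(origin string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the system RNG does
	k.keys[origin] = priv
	return pub
}

// Sign answers a login challenge for the origin the browser is actually on.
func (k *SecurityKey) Sign(origin string, challenge []byte) []byte {
	if priv, ok := k.keys[origin]; ok {
		return ed25519.Sign(priv, bind(origin, challenge))
	}
	return nil // no credential for this origin, so nothing is signed
}

// bind ties the challenge to the origin so a signature is good for one site only.
func bind(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Verify is the site's check against the public key it stored at registration.
func Verify(pub ed25519.PublicKey, origin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, bind(origin, challenge), sig)
}

// RunDemo walks three logins using constructed origins and challenges.
func RunDemo() (legit, refused, replayRejected bool) {
	key := &SecurityKey{keys: map[string]ed25519.PrivateKey{}}
	site := "https://mail.example.com"
	pub := key.Register(site)
	sig := key.Sign(site, []byte("challenge-1"))
	legit = Verify(pub, site, []byte("challenge-1"), sig)
	refused = key.Sign("https://mail.examp1e.com", []byte("challenge-2")) == nil // look-alike origin
	replayRejected = !Verify(pub, site, []byte("challenge-3"), sig)              // old signature, new challenge
	return
}
func main() { fmt.Println(RunDemo()) }
```

The site stores only the public key, so a breach of its database yields nothing that can sign a login.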

Security keys work with virtually all password managers, but they need to be supported by website hosts and the cloud providers they use, such as AWS. That support is getting stronger as many services now recognize their importance for enhancing online security. Security keys are compatible with various platforms and applications, providing reliable authentication without the risks associated with cloud storage.

Security keys are relatively inexpensive to purchase, but they do require specific setup and customization. We can help you with a comprehensive purchase and deployment program. Call us – 973-433-6676 – or email us to discuss your needs and develop a program.

Is ‘Zero Trust’ in Your Future?

The words “zero trust” in Zero Trust Network Access (ZTNA) are probably appropriate in a time when it seems like we don’t trust anybody about anything. ZTNA is being touted as a replacement for VPNs (Virtual Private Networks), especially for remote business needs. It could be more effective, but small businesses will need to jump through hoops.

ZTNA is a technology designed to limit who can access a network and where in the network they can go. The limits are important. For example, anyone who can access a Microsoft 365 network as a global administrator can effectively play God; they can do ANYTHING.

The goal of a ZTNA is to keep out false gods. Its proponents tout the following benefits:

  • Invisible infrastructure: ZTNA allows users to access applications without connecting them to the corporate network, thereby eliminating risk to the network.
  • More control and visibility: Managing ZTNA solutions is easy with a centralized admin portal with granular controls. Managers can see everything and create access policies for user groups or individual users.
  • Simpler app segmentation: Because ZTNA isn’t tied to the network, organizations can segment access down to individual applications instead of complex network segmentation.

Proponents further contend that ZTNA is faster and more convenient than VPNs, offers better security, and is easier to manage. Gartner, a technology and research consultancy for large corporations and government, predicts its client base will largely phase out VPNs for ZTNA.

If you’re a small business or nonprofit organization that deals with large companies and government agencies, you may need to learn how to live in the world of ZTNA at the very least. If you want to adopt it for your own use, you’ll need to answer some risk/reward questions:

  • Do you need a Ft. Knox type of defense system?
  • Are you willing to build new access systems to maintain your current business process?
  • Are you willing to take on the learning-curve risks of implementing a new security system?

There are no cookie-cutter solutions to changing your security measures. Call us – 973-433-6676 – or email us to discuss the specifics of ZTNA, especially if you need to use it to comply with another organization’s directive. We can help you design and implement a plan that minimizes your risk as much as possible.