Digging deep into Vietnam’s enterprise security landscape

This article is sponsored by Cloudflare.

Two years of the pandemic have taught enterprises a lesson or two about reinforcing their network security. As most companies transitioned to remote and/or hybrid work, the technology required to support the paradigm shift had to catch up. As such, many quick decisions had to be made in the CISO’s office, and some of them may have to be unmade now.

But what exactly does the enterprise security landscape in Southeast Asia look like in 2022, in the face of pandemic recovery and economic restart? This was among the points of discussion during the Vietnam leg of the “Navigating Enterprise Security: From Legacy to Cloud” roundtable, organised by Jicara Media and hosted by Cloudflare.

Fernando Serto, Chief Technologist & Evangelist, APJC at Cloudflare, observed that the advent of COVID-19 has truly redefined the concept of enterprise security.

“COVID-19, from an end user’s perspective, has shown us that the (security) perimeter really has dissolved, but you know, even from modernising applications, from migration to cloud, all of these different environments that everyone has now, they all have to be talking to each other— organisations talking to third parties, opening up APIs. So, all of that has already shown us that the perimeter has long been gone,” he said.

The rise of zero trust 

Among the security trends gaining popularity with enterprises is the zero-trust model, which has proved especially helpful for remote work. As employees access company systems and data remotely, companies can rest easy that they are protected from network breaches.

“The basis of zero trust has been (to) get rid of the network. The network should not be the means of control for a user to access an application. If users and applications are never on the same network, you have already reduced the chance of lateral movement, you have already reduced the chance of exploitation of a particular vulnerability in the application server,” Serto said.

“But then there’s the concept of being able to be very granular with authentication authorisation. The way we’ve been accessing environments and applications and so on today has been really, ‘Do I have network connectivity?’ If so, it’s up to the application to say yes or no, rather, the way we’ve been building zero-trust solutions now. What the framework is about is really, ‘Why don’t we do that verification, very early on in the phase?’ Tying the identity of the user, the role of the user with access, is really changing the way you apply these controls, and being a lot more effective, because those sessions are not even established if the user is not authorised to see the application,” he added.

According to Serto, the elimination of single sign-on, as well as the application of multi-factor authentication, ensures that the user is who they say they are, and that they have access to the particular application they are trying to log onto.

“If you think of onboarding new users not having to rely on VPN access, not having to rely on network connectivity, especially now that everyone’s working from home— you just ship a laptop to a user, and they already have their multi-factor authentication tokens and things like that. All of the access that the user needs cannot be done over the internet. You don’t really need that private network anymore. You’re actually a lot more secure by doing so,” he explained.

In addition, most zero-trust solutions out in the market only require an outbound connection from within the network to a cloud zero trust network access provider, Serto noted. 

“You can run a firewall with every single board, every inbound bow port in deny mode. It’s a much better posture, rather than what we always had. And then there’s the availability, and you don’t need to worry about clustering, you don’t need to worry about multiple service provider links, you don’t need to worry about diverse data centres, or anything like that— because the cloud provider will take care of all of that. All of that load balancing and everything else is on our infrastructure, and we just deliver the clean application to the authorised user.”

Addressing security issues

In Vietnam, as in its neighbouring countries, ransomware is a pressing issue, especially with the accelerated digital transformation across industries during the pandemic.

Aside from beefing up the IT infrastructure, Serto stressed that enterprises should invest in educating their stakeholders.

“From an IT systems perspective, I think a lot of the ransomware attacks that we’ve seen, they all start with phishing. So education on phishing, and having a very effective phishing mitigation strategy is key,” he said.

“We do application security when it comes to bots and things like that, where there’s vulnerabilities with credential stuffing— for example, users that don’t have a really good password hygiene. There’s a lot of account takeovers still happening today. These are the sort of things that we’ve been helping customers with, but the things that we can’t help with is the education of users,” he added.

In terms of end-to-end security, enterprises are also having a hard time finding one solution to all of their security woes. Although no single company can cater to all the requirements of an enterprise, Serto places his faith in vendors that have partnerships with one another, for reasons of accountability and interoperability, among others.

“If you do your homework, and if you’re talking to guys like us, or CrowdStrike, for example, we always recommend all the vendors that we have partnerships with, so the ecosystem talks to each other— because that’s the biggest complexity that you have, (with) the number of vendors that you have that don’t talk to each other. (That results in) a lot of blind spots. The earlier you can collaborate and have detection in place, the earlier you’re going to be able to respond to an incident,” he emphasised.

Covering all bases

For Cloudflare, Serto said that a lot of investments were made to ensure that their IT infrastructure is secure, and that no one can compromise their code repositories and such. 

Aside from this, Cloudflare has ensured ease of access for their customers, among other features.

“With all the other products that we build, we’re trying to simplify (and) reduce the friction of deployment of the services. We want (our) users, from day one that they deploy our solutions, to be able to control traffic and control user access, and go into deny mode right away,” Serto said.

“We’re trying to streamline how people use our security products. We’re targeting organisations (where it) doesn’t matter if you have a large security team, or no security people at all, because at the end of the day, a lot of the stuff that we’re talking about here is an IT problem. The IT (team) is responsible for providing access to applications. If you can do that in a secure way, you don’t necessarily need to have a security team to be able to investigate things, (especially) if you know that the products that you’re deploying (are) already secure and are making your environment more secure, and protecting the end users as well,” he added.

Furthermore, many of their users are using their platform to maximise the benefits of edge computing and IoT, Serto said.

“We’ve already seen customers playing with new internet services, running on Cloudflare. It’s a very interesting shift to see that, edge for most people is all public, right? But we are allowing customers to do both public and private apps within that same platform as well.”

In the end, creating a robust security culture within an organisation will go a long way in ensuring the IT infrastructure is covered on all fronts, because the technology is only as good as the people using it, and security really is a shared responsibility among all members of an organisation.

“There’s training every quarter, and it’s mandatory for everyone. There are quizzes that everyone has to go through. Sometimes you do live training, so everyone has to be on a Zoom call as well. It’s not just, you pretend you did it, and you tick the boxes, and say, ‘Yeah, I’m done.’ It’s a cultural change, and if security is not the scary thing that everyone avoids at all costs, it becomes fun. And you’re part of that cultural change as well,” Serto concluded.