Today, we announced two exciting innovations to Barracuda’s Zero Trust offering. Barracuda CloudGen Access now includes web security to protect users from malicious web content and keep employees safe and productive no matter where they work. In addition, we have also added Zero Trust Access to our email protection suite. The new capabilities allow customers to control and manage access to email systems and Microsoft 365 applications on a need-to-know basis, providing an additional layer of security for their businesses.
To give you an inside look at what’s new and how it can help you, we sat down to talk with Sinan Eren, VP, Zero Trust Security at Barracuda, to get his insights on the recent innovations.
Q&A with VP Sinan Eren
How does the addition of the web at the addition of web security to CloudGen Access help customers?
The need for this type of solution became much pronounced during the pandemic as everyone rushed to enable work from home for their employees. Customers needed to enable access but quickly figured out they also need to protect users’ devices wherever they are, especially a home network where the company has no controls and can’t enforce security policies.
So, web security enables and enhances the whole remote access story by making sure that the endpoints are secure, no matter which network they’re connected to, whether it’s your home network, a hotel, or a Starbucks. The web security controls that we built inside CloudGen Access roams along with the device.
This is something our customers and partners were looking for because many companies were using an inefficient approach for their remote users. They were backhauling all their traffic to an appliance, or somewhere in the cloud, and then trying to provide web security, which creates a very diminished experience, even if your home as a great internet pipe. We solve that by pushing web security into CloudGen Access, which roams along with the endpoint and doesn’t add any additional latency.
What’s most important about this enhancement?
What’s most important about this enhancement is the fact that the web security controls are basically pushed to where the users are. The controls are roaming with you to whichever network you’re connected to. You might be on a telco network with a 5G connection or whatever you’re using, and we still provide the same security. That is a significant differentiator because we do it without backhauling your traffic to an internet chokepoint and ruining your experience and productivity.
In other words, we secure what we enable. We enable remote access, with enablement you get the work done wherever you are. But once we enable you, we protect what we enable through the web security controls that we push to the endpoint itself.
Zero Trust Access is also being added Barracuda’s email protection suite. Why are these technologies a good together? How will the combination help customers?
There have been a bunch of recent, high-profile breaches that have successfully used a new technique called MFA fatigue. Cybercriminals are taking advantage of people being overwhelmed by multifactor authentication alerts, and paired with other threats like credential theft, account takeover, and phishing, attackers now have an effective way to break into collaboration platforms, such as Microsoft 365. Both the Cisco and Twilio breaches are examples of this new technique.
Email is still a very important target because once attackers get access to an inbox and applications like SharePoint and Teams, they can exploit the trust chain to get access to the network. For example, in the case of Cisco, the attackers were able to get access to the VPN client and reset passwords.
We can protect the email platform in itself through Zero Trust Access. Every device and every user that accesses the email infrastructure should be trusted, authenticated, and authorized. If that pair doesn’t match, then you’re not granted access.
The beauty is that this eliminates the risk of credential theft. Even if an attacker compromises your username and password, even if they overwhelm you with MFA alerts and you accept their request, they still don’t have the right device with the right identity, so they’re not going to be able to log into your inbox. That’s how we enhance customers’ security posture.
Why do you think MFA fatigue has become such a problem?
It comes down to complacency. Everyone is getting so many MFA alerts that they are becoming complacent. They’re numb to what it means and why it’s important. They just want the alerts to go away. People are tired, and they’re hitting approve on alerts without thinking about what may have triggered it. The problem is real, and that’s why I think MFA is dead. It doesn’t do the job anymore.
What other types of emerging threats does Zero Trust Access help protect against?
Email is not the only vector. Now attackers are phishing over SMS and through messaging services like WhatsApp, or Slack, or Teams. Now, even if one of those messages are successful, guess what those credentials mean? Nothing. With this solution in place, having password is not going to cut it. It’s not going to be enough for attackers to access any of the protected systems. So even if a user’s credentials are compromised, we’re still there to protect them.