@Robert Ficcaglia .... hmm, maybe not a silver bullet - you wrote:
If the recent high-visibility ransomware attacks have proven anything, it's that the notion that a headquarters office network is somehow more secure than remote is dubious at best, arguably naively laughable.
NEA: if you stick to defend-the-castle thinking, you're correct. If you go perimeterless and your HQ users use the same access methods as the ones outside, you will have a range of advantages: resistance to DDoS, immunity to MitM, brute-force attacks, code injection attacks, port scanning, infrastructure vulnerabilities and lateral movement.
Assume your HQ office is insecure, then work your policy from there. So the remote case is the same as the office desktop - secure your endpoints. If BYOD is the case, then you may have to offer budgets to upgrade hardware to minimal baseline.
NEA: Correct ... using, for instance, ZafePass on the BYOD device has the same effect as in my first answer and still supports full mobility.
that said, finding a good cross platform endpoint solution is challenging. I have reviewed over a dozen of the leaders and a dozen newcomers, and all have issues. No silver bullet sadly.
NEA: ... hmm, check us out ... you might like what you see. What are the issues you refer to? I'm keen to know, as we have spent a few years taking out all the ones we know of ... so we, for instance, have NO dependencies on any 3rd-party point security, i.e. no VPN, no PKI (X.509), no IPsec, no TLS, no PIM/PAM, no CASB, no DLP ... we can discuss IAM if you need it as a larger organisation. The rest is baked in and secure end-to-end. If you think you can breach it, we will gladly give you a go at it. Many have tried, but that doesn't mean we are flawless; help us find what we don't know, and we'll fix it.
------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
+4593631300
------------------------------
Original Message:
Sent: Jun 02, 2021 01:00:29 AM
From: Michael Nolte
Subject: Remote access to PCI DSS cloud environment
Hi everyone who is interested in a discussion about the topic above. The use cases for remote access are maintenance of the infrastructure (the service is built on AWS VPC, IAM) and application management via Linux on EC2. Does somebody know a reference implementation? There are possibly multiple options to control access, e.g. VPN gateway, federated authentication, bastion host, etc. How to achieve an environment which allows the operators and application admins to securely work from home instead of from behind an on-prem firewall? PCI requires that endpoints connected to the environment be hardened and controlled.
------------------------------
Michael Nolte
CISO
AEVI International GmbH
------------------------------