Certain cloud security providers who sell “Security Service Edge” solutions are failing to ensure their products are secure by default against malware attacks, according to nonprofit cyber assessment firm CyberRatings.org.
Ensuring products offer security in their default configurations is a key goal of the Cybersecurity and Infrastructure Security Agency in its secure by design initiative.
“The security level of SSE products in their default configuration varies significantly. While many enterprise customers expect these products to reduce operational complexity by being plug-and-play, the reality is that the default security achieved with such a deployment may not be sufficient to meet their specific needs,” CyberRatings says in an Oct. 3 report.
The report explains, “SSE solutions are a subset of Secure Access Service Edge (SASE) that focus primarily on security services delivered through the cloud. SSE encompasses critical security functions such as Secure Web Gateways (SWG), Cloud Access Security Brokers (CASB), and Zero Trust Network Access (ZTNA), which work together to protect users, devices, and applications across distributed networks.”
SSE solutions are intended to provide “flexibility and scalability” and enable security policy enforcement “regardless of user location or device,” making them particularly useful for organizations that use remote or hybrid work models, according to CyberRatings.
A press release says, “Tests showed four SSE products blocked between 89.90% to 96.74% of malware downloads, but three failed to block any malware at all (i.e. 0%).”
While SSE solutions from Cloudflare, Fortinet, Skyhigh and Zscaler each demonstrated high rates of success in blocking malware downloads, products offered by Check Point, Cisco and Versa Networks failed to block any malware in their default configurations, according to the test results.
CyberRatings CEO Vikram Phatak highlighted in the press release how it is still possible to prevent malware downloads with the three services that did not provide security by default.
Phatak said, “For products whose default configurations offered 0% protection, we made minor configuration changes to determine how much the protection could improve. With those changes, we were able to achieve over 90% block rate on average.”
The report argues the test results highlight a need for end-users to “verify the security level their organizations require and assess whether the vendor’s default configuration meets their needs.”
The nonprofit says, “If it does not, it is advisable to implement the vendor’s recommended best practices and configurations for an optimized solution. It should not be assumed that any vendor solution will be secure by default.”
An October paper from CISA says, “Secure by default is a form of secure by design.”
CISA explains, “‘Secure by default’ means products are resilient against prevalent exploitation techniques out of the box without added charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them.”
Companies should make a secure configuration “the default baseline” for all products and avoid charging extra for “implementing added security configurations,” according to CISA.
The cyber agency is currently engaging with software companies to garner commitments to secure product development practices through a pledge campaign launched in May.
A running list of pledge signers shows over 220 companies have promised to achieve seven product security goals, including enabling multifactor authentication and automatic security patching by default, within a year. -- Jacob Livesay (jlivesay@iwpnews.com)