Viszen Security - InsightsViszen Security - Insightshttps://www.viszensecurity.com/blogsFri, 19 Dec 2025 10:12:13 -0800http://zoho.com/sites/<![CDATA[NEW Zero Trust Guidance for OT/ICS]]>https://www.viszensecurity.com/blogs/post/new-zero-trust-guidance-for-ot-icsWe co-authored a guide with CSA explaining how to operationalize zero trust in OT/ICS environments, including mapping to existing guidance and frameworks like ISA 62443.]]>

Free resource from Cloud Security Alliance

I'm proud to share the release of a guide we co-authored with the Cloud Security Alliance on applying zero trust to OT/ICS and critical infrastructure.

Zero Trust Guidance for Critical Infrastructure

Applying Zero Trust to Operational Technology (OT) and Industrial Control Systems (ICS) Environments
🔗 https://cloudsecurityalliance.org/artifacts/zero-trust-guidance-for-critical-infrastructure

You can download this resource (free) from CSA.

This was definitely a labor of love by all involved. When CSA proposed this, I had one condition: I wanted to make it real and actionable—no fluff. No page after page of confusing abstract buzzwords.

This document provides engineers and architects with a clear, adaptable 5-step process for applying zero trust in OT, aligning IT skills with OT demands.


Visit the link above at CSA's Zero Trust portal and create a free account to download the full document or it's accompanying (shorter) presentation deck. 

 


If you're a CISO or CIO responsible for security OT/ICS environments, you'll love this resource. 

And, if your organization is interested in learning more about integrating OT/ICS into your security program,contact us for advisory services and/or corporate training for your team. 

Get Started Now
]]>Tue, 05 Nov 2024 10:56:58 -0500<![CDATA[NEW Training and Certification Mini-Event]]>https://www.viszensecurity.com/blogs/post/new-training-and-certification-mini-eventNew training for Wi-Fi, network, and security engineers for Wi-Fi 6E, Wi-Fi 7, WPA3, and new security.]]>

The first Wireless Tech Summit

This month (November 2024), Peter Mackenzie and I are co-hosting the first Wireless Tech Summit, a Wi-Fi training and certification mini-event. The best part? It will be in-person here in North Carolina!

Okay, maybe that’s not actually the best part. The best part is probably the concept overall. We wanted to give people access to training and peer connections they may not otherwise have, and do it at a critical time in Wi-Fi history.

The FCC has opened new spectrum so we’re managing 2.4Ghz, 5GHz, and now 6GHz with Wi-Fi 6E and Wi-Fi 7, and that has huge implications for both the design and security of our networks. Plus, Wi-Fi 6E and Wi-Fi 7 require WPA3 security and unfortunately, there’s no easy button for migrating from WPA2 to WPA3.

So, we thought we could get together, co-host a mini-event, and give people four days of training and certification coupled with peer networking and social events. Plus, some special joint labs, testing, and guest speakers to round it out!

It’s bigger than a training, and smaller than a conference. A way to maximize time and precious training budget without having to give up a weekend.

The November 2024 event offers a choice from two training classes:

All three of us are practitioners. Meaning, we teach only part time and the rest of our time is focused on doing the work related to our class content. The content is not only fresh and timely but also real-world and hyper applicable to the daily roles of engineers and architects.

      

Peter is arguably one of the best and most popular Wi-Fi instructors in the the world. He’s not only teaching the course, he developed it (and many others). You can find his full offering at MQ Training Services, based out of the UK, including a suite of the CWNP courses such as CWNA, CWDP, and CWAP.

Jonathan Davis (JD) is also a CWNP-certified instructor and CWNE (Certified Wireless Network Expert) and brings deep Wi-Fi knowledge to our security architecture class, where I of course dive into the depths of security from technology to compliance.

As for me, well I’ve been doing network security for over 20 years and layer that with 15+ years deeply focused on more holistic security architecture addressing all aspects of security. The class is based on those 20 years of experience working with and in hundreds of client environments across all industries. It's also based in large part on my recent book, "Wireless Security Architecture" published with Wiley.

Check out more class details on the event site, including videos. We’d love to have you join us at this or another upcoming event!

Also- be sure to follow me on LinkedIn for more regular updates.

Interested in future dates and/or corporate training for your team? Contact us!

Wireless Tech Summit
Training and Certification Mini-Event
November 12-15, 2024
Raleigh, NC, USA

Get Started Now
]]>Fri, 01 Nov 2024 07:30:00 -0400<![CDATA["Wireless Security Architecture" Now Shipping Worldwide]]>https://www.viszensecurity.com/blogs/post/wireless-security-architecture-now-shipping-worldwideMy new book published with Wiley, "Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise" is now shipping ]]>

My new book published with Wiley, "Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise" is now shipping worldwide. Available as e-book and in print from Wiley, Amazon, and book retailers near you!

Find on Amazon
]]>Tue, 12 Apr 2022 10:14:52 -0400<![CDATA[Showdown: Zero Trust vs. NAC]]>https://www.viszensecurity.com/blogs/post/the-difference-between-zero-trust-and-nacIn the world of zero trust networking, organizations are asking how a zero trust approach fits in with their network access control (NAC) strategy. Here are some thoughts on what you should be considering as you navigate zero trust and NAC.]]>

In the world of zero trust networking, organizations are asking how a zero trust approach fits in with their network access control (NAC) strategy. Here are some thoughts on what you should be considering as you navigate zero trust and NAC.

      

Concepts vs. products

The first major difference in zero trust and NAC is that zero trust is a concept or trust model for information security, versus NAC which is a specific product category. Although there are different types of NAC products today, the market has settled down considerably and all operate within a relatively narrow scope of enforcement and features compared to ten years ago.

      

The many flavors of zero trust architectures

Before we continue, let's untangle the co-mingling of zero trust as it relates to network and application access versus access between virtualized hosts. Although conceptually the same - the goal of zero trust being to move from an implicit to more granular explicit authorization - the execution, products, and vendors are very different for network-based technologies than for virtualized environments (whether they be on-prem, in cloud, or hybrid).

      

For today's discussion, we're focused on the former - the technology that would/could replace (or enhance) traditional network-based NAC products for identification and authorization of users and endpoint devices in your environment. We'll leave the other topic for another day.

      

Implicit vs explicit authorization

The model of a zero trust architecture is to "verify then trust" versus the more common approach of NAC with the "trust but verify" sequence. While - yes - some NAC implementations do offer a "verify then trust" model, the next step after trust is typically an implicit authorization to a network or networks, which is exactly what zero trust security tries to avoid.

      

Network-based vs. application-based enforcement

Strictly speaking in a perfect world, a zero trust approach will include a trust model that offers a user (or device) only the specific access to the resources needed per-task. That's a tall order with the current technologies we have, and traditional NAC vendors will all fall short here, even with the holy grail that is microsegmentation. At best with NAC, we're doing identification and authentication of a device and/or user, and then giving them some level of access at network layers 2 or 3. Contrast this with the approach of a zero trust solution performing the same (or more extensive) identification and authentication, but with the added ability to control resource access up through the application layer.

      

One of the reasons secure access service edge (SASE) solutions fit so well with zero trust strategies is because of the ability to make very granular authorizations to a user or device, based on myriad contextual elements (who, what, when, where, how).

      

Managing users on-prem vs. remote

The next bugaboo with NAC is the limitations in controlling resource access on remote users and devices. Our current network-based NAC products are designed to control access at the point of (managed) network connection - that could be at a wired port in the facility, a corporate wireless SSID, or a remote access VPN in to the organization. But then, that's it. Traditional NAC products weren't designed to manage and control connections from endpoints floating out and about on the internet as people travel or work from home.

      

The conversation could again turn towards SASE and the features that swirl around it - SD-WAN, CASB, and SWG specifically. However, certainly not all organizations have moved to a 100% remote workforce, meaning there's still a need to secure access to internal resources when a user is in the office. This reality makes traditional NAC a still-attractive offering, and is an area SASE will need to continue developing. 

      

Can NAC products play a role in a zero trust strategy?

Yes, absolutely - but with some caveats. If your NAC-based zero trust strategy relies on microsegmentation, know that it's not really the holy grail it's touted to be, and among other limitations it's not the easiest architecture to implement. As we just mentioned, there's still a place in the world for traditional NAC for organizations with a primary focus on on-prem security. Plus, in recent years most NAC vendors have bolstered their endpoint agents and are heading towards the type of granular control organizations will want in a zero trust network.




Get more insights!
]]>Wed, 30 Jun 2021 16:30:00 -0400<![CDATA[The CIO's Guide to Secure Access Service Edge (SASE) Architecture]]>https://www.viszensecurity.com/blogs/post/secure-access-service-edge-sase-architecture-a-primer-for-cxosHere's a quick down and dirty primer comparing the new Secure Access Service Edge (SASE) architecture to our traditional perimeter security methods.]]>

If you're tired of hearing about the "new normal" post-pandemic, hold on to your knickers because some of the outcomes from COVID's business impact are here to stay. Really, it's not a bad thing and we're long overdue for an overhaul of how we identify, authenticate, connect, and authorize access for users and devices.

 

Here's a quick down and dirty primer comparing the new Secure Access Service Edge (SASE) architecture to our traditional perimeter security methods.

 

Executive View of SASE Architecture

From the 10,000-foot view, the three most pertinent points are:

  1. SASE is one solution offering that's part of a larger (or longer) zero trust security strategy. As you'll see in the graphic below, SASE enforces the underlying principle of a zero trust network by not extending implicit access to resources. Meaning, what a user or a device can do or access is explicitly defined in the SASE fabric.

  2. SASE is more of a service set than a single product; it's cloud-based and 'follows' endpoints and users wherever they go, or in the case of work from home -- wherever they don't go. SASE vendors do this with a global cloud PoP network so endpoints connect to the cloud to access resources, vs. connecting to a traditional on-prem datacenter and then egressing.

  3. SASE is likely to deliver on promises of increased simplicity and security with decreased cost, but there will be a certain amount of vendor lock-in as well as overlap with other products related to zero trust and endpoint security that the C-suite should prepare for.

 

Technical View of SASE Architecture

Since this is a C-level primer, I'm not going to dive too deeply in to the nuts and bolts, but I know the CISOs and CIOs I work with, and most of you love a little technical meat.

  1. From an implementation standpoint, how SASE is implemented and what it can (or can't) do is dependent in large part on the vendor. Some SASE vendors came from cloud access server broker (CASB) and secure web gateway (SWG) pedigree; others from firewall and network security. Mileage and roadmaps will vary. How they handle guest (or un-managed devices) as well as users that happen to be on-prem may also vary.

  2. SASE has myriad features (vendor-dependent), with support for zero trust networking being just one. Replacing legacy VPNs terminating to on-prem datacenters is a great way to enter the SASE world, and then continue adding features as you go.

 

Graphic: SASE Architecture vs Traditional Perimeter

For those of you who haven't worked with me yet, I love to draw and doodle. I don't know about you, but I'm very visual and find a picture really is worth more than a thousand words. And who has time to read a thousand words? Here are just a few highlights of the SASE graphic.

  1. On left you see a traditional network security perimeter where we may (at best) have LAN-based connections (wired or wireless) with authentication and perhaps dynamic segmentation with VLANs or downloadable ACLs. For remote access, we see a traditional VPN model with similar features to the LAN connections.

  2. On the right you see a typical SASE architecture with enforcement and decision layers plus SASE elements shown in yellow. One of the benefits of this SASE architecture is to abstract from physically-defined connections (those we control at layers 1-3) and instead apply granular context-based enforcement at layer 7 for both on-prem and in-cloud resources.

 

 

 

 

Get more insights
]]>Mon, 28 Jun 2021 19:15:00 -0400<![CDATA[Wireless Security Trends (CISO Network Security Cheat Sheet)]]>https://www.viszensecurity.com/blogs/post/wireless-security-trends-ciso-network-security-cheat-sheetA quick overview of 3 top trends in wireless security for CISOs and CIOs with a look at new WPA3 security, WiFi 6E, and CBRS/Private LTE/Private 5G with 1-3 key take-aways for each technology trend.]]>

Excerpt from Jen's presentation at ISSA Cyber Executive Forum

Last month, I delivered a whirlwind of a presentation hitting on today's and tomorrow's top network security trends CISOs should know about. The full content covered security trends in 3 areas: 1) Wireless, 2) Secure Edge, and 3) Operations. Today we're looking at the high level wireless security topics, and I'm just going to cover three so this doesn't turn in to a novel. 

 

1. WiFi WPA3

WiFi Protected Access (WPA) 3 is the latest evolution of security for 802.11 wireless LANs (the normal wireless standard we use daily). It's the first major security enhancement in over a decade, which is stunningly embarrassing in an industry where vulnerabilities and new attacks emerge daily. With the updates, we'll see enhanced cryptography protocols (including the addition of elliptic curve), much better downgrade attack protection, support for unauthenticated encryption (meaning encrypting guest portals and such), as well as an upgrade to the operation of what's currently known as pre-shared key (PSK), via a new protocol called simultaneous authentication of equals (SAE).

Take-aways:

  • There's a lot to know when planning a WPA3-enabled network so we'll dive in to this more at a later date. For now, know that this is out, it's available, it's supported in your enterprise WiFi infrastructure, and your organization should be ensuring new endpoints (especially headless/IoT devices) support this.

  • For the network and WiFi architects, we'll be providing additional guidance on how to properly architect with these new features for the greatest security benefit and to meet compliance requirements.

 

2. WiFi 6E

Usually referred to as WiFi 6 "extended" or "enhanced" (not a real name, just a pet name we gave it), WiFi 6E is WiFi 6th generation (802.11ax technology) over the newly-opened 6GHz spectrum. We can barely keep up with all the WiFi terms, so I'm not going to assume any knowledge here. To put it in perspective, for decades, we've been using WiFi over 2.4GHz and 5GHz spectrum. The road to opening additional spectrum (in this case 6GHz) for unlicensed use has been a multi-year escapade for the WiFi industry and the FCC. Radio frequency changes in our WiFi infrastructure and endpoints are hardware (not software) changes. The benefit will be more security (through force), support for higher density of devices, and ultimately the ability to increase throughput.

 

Take-aways:

  • Even though WiFi 6E is an 'extension' of WiFi 6, there will be mandatory security features and removal of support for many deprecated features commonly used today in WiFi 6 (802.11ax) networks.

  • Because it's a hardware upgrade, organizations interested in this technology should be sure to procure WiFi infrastructure and endpoints with radios that support 6GHz. If you're not sure if WiFi 6E is something you should be looking at, drop us a note and we can help.

  • Our tools for monitoring and securing WiFi over the air will also need an upgrade, so set aside budget for re-tooling and training for your teams. 

  • And to further complicate things, use of the new spectrum and additional radios will also mean organizations should be investing in edge switching products that support the latest power over Ethernet standards (these puppies will need the juice) as well as multi-gig Ethernet ports (the higher data throughput supported will oversubscribe 1Gbps edge ports).

 

3. CBRS and Private LTE/Private 5G

This is a pretty cool one, because of the myriad use cases that can help organizations of all sizes and industries. Private LTE/5G is simply the use of cellular RF technology for private use. So, it would be like having a cellular network that's used and managed just like your regular WiFi - except with added security. Your data doesn't traverse a carrier (unless that's your chosen egress) and you own and manage the hardware, typically through a coordinated cloud platform.

 

CBRS is probably exactly what you think it is - Citizen Broadband Radio Service. It's just that in the Private LTE world here in the U.S. that's the radio spectrum we chose to use. We refer to it as band 48, and it's in the 3+GHz range between our traditional WiFi of 2.4 and 5GHz. Private LTE technology gives users a WiFi-like user experience with the benefits of cellular-- specifically enhanced security through SIM/eSIM, coverage over much longer distances, support for higher density, and a much greater resiliency of signal (virtually no interference as we have with WiFi).

 

Take-aways:

  • CBRS/Private LTE/5G should be on every CIO's/CISO's radar because of the volume of use cases and problems it can solve in today's digital transformation projects and the enhanced security it can provide for IoT.

  • This technology has several real-world case studies from connectivity for critical devices in hospitals, to sensitive OT devices, public venues, municipal wireless in rural communities (by towns and schools), and the list goes on.

  • A lot of devices come with Private LTE support. In addition to mobile phones and tablets, many handheld scanners, OT and IoT devices and sensors and even laptops support Private LTE. And that list is growing.

 

Those were the 3 key wireless security trends I wanted to hit on today. We'll keep diving more in to these, and I'll share more content from this and other presentations and workshops as we go.

Get more insights
]]>Wed, 23 Jun 2021 20:05:00 -0400<![CDATA[Hello, world.]]>https://www.viszensecurity.com/blogs/post/hello-world.Stay tuned! ]]>

More content is coming your way.

Stay tuned!

]]>Wed, 16 Jun 2021 21:08:00 -0400