Chapter 13: Network Due Diligence
Verifying that data in transit is protected involves a number of controls, tools, and risks, each of which calls for its own due diligence effort. This work is not limited to determining whether the data is encrypted in transit; it also covers systems such as Intrusion Detection/Prevention System (IPS/IDS), Secure Web Gateway (SWG), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB), and Security Information and Event Management (SIEM) tools used to detect and prevent data exposure. Network attack surfaces have evolved in the last few years as virtual private network (VPN) use has expanded. However, the number of these surfaces exploded after the pandemic sent nearly 30 percent of the American workforce home in a matter of days (according to Pew Research: www.pewresearch.org/social-trends/2020/12/09/how-the-coronavirus-outbreak-has-and-hasnt-changed-the-way-americans-work). VPNs are an extension of corporate networks, and another entry point that multiplied by the hundreds or thousands during the pandemic.
While earlier chapters have covered some of this security effort, more examination of how vendors connect to customer networks, and of the heightened risk this entails, is necessary. Nearly 100 percent of these connections are made over hardware supplied and managed by a vendor, leaving the customer with no direct access to understand vulnerable software operating systems (OSs) or configurations. The risks such devices present as unmanaged and unmonitored ...