By Peter Newton, Senior Director of Products and Solutions – IoT and OT at Fortinet
The most secure network is one that has no connections. Of course, that idea is not only impractical, it defeats the purpose of a network. The reality is that no network is an island, and as businesses become more digital, networks inevitably become more complicated and dispersed. Today's networks now have many “edges,” so it's much harder than it used to be to create a single defensible boundary. In the face of these changes, the traditional network perimeter is dissolving, and it's far more difficult to tell who and what can be trusted.
To respond to increasing threats, best practices now stipulate a "trust no one, trust nothing" attitude toward network access. Protecting the network with this zero-trust access (ZTA) approach means that all users, all devices, and all web applications from the cloud must be trusted, authenticated, and have the correct amount of access privilege (and no more.)
With perimeter-based security, anything that can bypass edge security checkpoints is given free access. But with ZTA, the assumption is that every device on your network is potentially infected, and any user is capable of compromising critical resources.
The zero-trust access model is not a new concept, and CISOs who are planning to implement it can choose from a wide array of technologies that are designed to meet the requirements of the National Institute of Standards and Technology (NIST) Zero Trust Architecture. But getting all these often-isolated technologies to work together to prevent security lapses can be challenging.
Focusing on three key areas of zero trust access
With ZTA, the entire concept of trusted and untrusted zones no longer applies; location needs to be taken out of the equation entirely. The most effective strategy is a holistic approach that delivers visibility and control by focusing on three key areas: who is on the network, what is on the network, and what happens to managed devices when they leave the network.
1. Who is on the network
Every digital enterprise has a variety of users. Traditional employees access the network, but often contractors, supply chain partners, and even customers may need access to data and applications located either on-premises or in the cloud.
For an effective ZTA strategy, it's critical to determine who every user is and what role they play within an organisation. The zero-trust model focuses on a “least access policy” that only grants a user access to the resources that are necessary for their role or job. After a user is identified, access to any other resources is only provided on a case-by-case basis.
This strategy starts with CISOs mandating breach-resistant identification and authentication. User identities can be compromised either through the brute force breaking of weak passwords or by using social engineering tactics such as email phishing. To improve security, many enterprises are adding multi-factor authentication (MFA) to their login processes. MFA includes something the user knows, such as a username and password along with something the user has, such as a token device that generates a single-use code or a software-based token generator.
Once the identity of a user is authenticated through user log-in, multi-factor input, or certificates, it's then tied to a role-based access control (RBAC) system that matches an authenticated user to specific access rights and services.
CISOs need to make sure that security processes avoid being so complicated or onerous that they hamper productivity or user experiences. ZTA solutions that are fast and support single sign-on (SSO) can help improve compliance and adoption.
2. What is on the network
Because of the massive increase in applications and devices, the network perimeter is expanding and potentially billions of edges must now be managed and protected. For an effective ZTA strategy, CISOs need to manage the explosion of devices resulting from the Internet-of-Things (IoT) and bring-your-own-devices (BYOD) strategies. These devices might be anything from end-user phones and laptops to servers, printers, and IoT devices such as HVAC controllers or security badge readers.
To understand what devices are on the network at any given point in time, CISOs also need to implement network access control (NAC) tools that can automatically identify and profile every device as it requests network access, in addition to scanning it for vulnerabilities. To minimize the risk of device compromise, NAC processes need to be completed in seconds and provide consistent operations across both wired and wireless networks. Any NAC solution also should be easy to deploy from a central location, so it won’t require sensors at every device location.
Although it's important to enforce access control for all devices, IoT devices are particularly challenging because they are typically low-power, small form factor devices without memory or CPU to support security processes. And they also often aren't compatible with endpoint security tools. Because access control can't be performed in the devices, the network itself needs to provide security.
As they consider ZTA solutions, CISOs need to make IoT control a priority. Access control through the network involves microsegmenting the network with next-generation firewalls (NGFWs) and grouping similar IoT devices together to harden the network. This approach breaks up the lateral (east-west) path through the network, so it's more difficult for hackers and worms to gain access to connected devices. It also reduces the risk that a hacker can use an infected device as a vector to attack the rest of the network.
3. What happens to managed devices when they leave the network
Because people use BYOD devices both for personal and business needs, the third key to an effective ZTA strategy is understanding what happens when devices leave the network. When they aren't logged into the network, users may browse the internet, interact with others on social media, and receive personal emails. After being online, once they rejoin the network these users can inadvertently expose their devices and company resources to threats they may have picked up, such as viruses and malware.
Controlling managed devices when they go off the network is challenging. Thanks to cloud services, people can disconnect their device from the network at one location and reconnect it at another. Or they might start working on one device and continue on another.
To contend with these challenges, endpoint security must be part of any ZTA solution. It should provide off-network hygiene control, including vulnerability scanning, web filtering, and patching policies. It should also provide secure and flexible options for virtual private network (VPN) connectivity.
Like identity management tools, endpoint security should support SSO. When an endpoint is connected to the network, the solution should relay device status information to other network and security components to determine risk and assign appropriate access level.
Trust no one and leverage an effective zero trust access strategy
The more people and devices that connect to a network, the less secure a traditional perimeter-based approach becomes. Every time a device or user is automatically trusted, it places the organisation's data, applications, and intellectual property at risk. CISOs need to shift the fundamental paradigm of an open network built around inherent trust to a zero-trust model with rigorous network access controls that span the distributed network.
By selecting integrated and automated tools, CISOs can help overcome the key challenges of zero trust access: knowing who and what is on the network, controlling their resource access, and mitigating the risks of that access.