Zero trust works on the principle that threats exist constantly both outside and inside the network, and that every attempt to access the network or an application must be treated as a potential threat. It is a network security philosophy which states that no one inside or outside the network should be trusted until their identity has been carefully verified. These assumptions shape the strategy of network administrators, forcing them to design stringent security measures that rely less on implicit trust.
There is an all too common notion that implementing a zero trust architecture requires a complete overhaul of your network. There will certainly be a lot of work to do, but a successful implementation is about having the right framework in place, paired with the right tools to execute it. Zero trust should be applied consistently across every environment. It is a cultural change, which is often a bigger change than the technological one: a mindset and a commitment to change the way access is granted and how security is maintained throughout the organization.
The right access and the right needs
The first step in designing a zero trust architecture is deciding who is allowed to do what, and that is probably the biggest challenge. You have to determine who has access to which resources, depending on the nature of those resources, so that each individual can do their job. Then you have to make sure that the devices people are using are properly secured.
Implementing Zero Trust Access (ZTA) involves ubiquitous application access controls, robust network access control technology and strong authentication capabilities. The aspect of Zero Trust Access that focuses on controlling application access is Zero Trust Network Access (ZTNA). ZTNA extends the ZTA principles by verifying users and devices before each application session to confirm that they comply with the organization's policy for accessing that application. ZTNA supports multi-factor authentication to maintain the highest degree of verification.
Using the zero trust model for application access, or ZTNA, allows organizations to depend less on traditional virtual private network (VPN) tunnels to secure remotely accessible assets. A VPN often grants broad access to the network, which allows compromised users or malware to move laterally across the network in search of resources to exploit. ZTNA, by contrast, enforces policies in the same way whether or not users are connected to the corporate network, so an organization benefits from the same protections no matter where a user logs in from.
Any effective ZTA security policy must include secure authentication. Many breaches start with compromised user accounts and passwords, so multi-factor authentication is essential. Requiring users to present two or more authentication factors to access an application or other network asset adds a layer of security against such threats.
It is also essential to ensure that users do not have inappropriate or excessive access. Adopting ZTA's practice of enforcing least-access privileges as part of access management means that if a user account is compromised, adversaries can reach only a small subset of the company's assets. It is similar to network segmentation, but on a per-person basis: users should only be allowed to access the assets they need for their specific function.
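The per-session decision that ZTNA makes, combining the three controls discussed above (multi-factor authentication, device posture, and least-access role mapping), can be sketched as a small policy engine. The following is an added illustration written for this article, not Fortinet's product logic; the role names, application names, posture thresholds, factor classification and sample requests are all assumed for the example. The one property worth noticing is that the request's network location is carried but never consulted, so a user on the campus LAN gets exactly the verdict they would get from a coffee shop.

```python
"""Per-session ZTNA-style access decision (added illustration, not vendor code).

Roles, apps, thresholds and factor types below are assumptions for the example.
"""
from dataclasses import dataclass, field

# Least-access map: each role sees only the apps its function needs (assumed).
ROLE_APPS = {
    "finance": {"erp", "payroll"},
    "developer": {"git", "ci"},
    "helpdesk": {"ticketing"},
}

MAX_PATCH_AGE_DAYS = 30  # assumed device posture threshold

# Factor name -> factor type. MFA means two *different* types, so
# password + TOTP counts but TOTP + FIDO2 (both possession) does not.
FACTOR_TYPES = {
    "password": "knowledge",
    "totp": "possession",
    "fido2": "possession",
    "fingerprint": "inherence",
}


@dataclass
class Device:
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool
    patch_age_days: int    # days since the last OS security update


@dataclass
class Request:
    user: str
    roles: set
    auth_factors: set      # factors presented in this session, e.g. {"password", "totp"}
    device: Device
    app: str
    source: str            # "corporate-lan" or "internet"; deliberately ignored by evaluate()


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def mfa_satisfied(factors):
    """True when at least two distinct factor types were presented."""
    types = {FACTOR_TYPES.get(f) for f in factors}
    types.discard(None)  # unknown factor names earn no credit
    return len(types) >= 2


def device_compliant(d):
    """Posture gate: managed, encrypted, and patched within the threshold."""
    return d.managed and d.disk_encrypted and d.patch_age_days <= MAX_PATCH_AGE_DAYS


def evaluate(req):
    """Decide one application session. All checks run so the reasons list is complete."""
    reasons = []
    if not mfa_satisfied(req.auth_factors):
        reasons.append("mfa: need two distinct factor types")
    if not device_compliant(req.device):
        reasons.append("device: not managed, unencrypted or unpatched")
    allowed_apps = set().union(*(ROLE_APPS.get(r, set()) for r in req.roles))
    if req.app not in allowed_apps:
        reasons.append(f"least-access: role(s) {sorted(req.roles)} do not include {req.app}")
    # req.source is never consulted: the verdict is the same on- and off-network.
    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    healthy = Device(managed=True, disk_encrypted=True, patch_age_days=5)
    print(evaluate(Request("alice", {"finance"}, {"password", "totp"}, healthy, "erp", "internet")))
    print(evaluate(Request("alice", {"finance"}, {"password", "totp"}, healthy, "git", "corporate-lan")))
```

Run stand-alone it prints an allow for the finance user reaching the ERP system from the internet and a deny, with the least-access reason, for the same user trying to reach the source repository from the corporate LAN. A real enforcement point would also re-evaluate posture during a long session and bind the verdict to the device certificate rather than to self-reported fields.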
Ensuring Device Security with Zero Trust
Device security also plays a central role in implementing an effective zero-trust security policy. Making sure the devices people use have been properly secured is paramount. This is especially important as IoT devices proliferate and become more important targets for cyber attackers.
Many IoT devices cannot run additional software and have no built-in security features; they are essentially 'headless'. As technology has advanced, so have the interconnections between IoT ecosystems, the corporate network and the wider Internet.
This connectivity, and the expansion of IP-enabled devices, means IoT devices have become a prime target for cybercriminals. The majority of IoT devices are not designed with security in mind, and many lack a traditional operating system or even the processing power and memory needed to build in security features.
One of the benefits of ZTA is that it can authenticate endpoints and IoT devices to establish and maintain management control and visibility of every component connected to the network. For headless IoT devices, which cannot run an agent or authenticate themselves, Network Access Control (NAC) solutions can perform discovery and access control. Using NAC policies, organizations can apply the zero trust principle of least access to IoT devices, granting only enough network access for each device to fulfil its role.
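The NAC least-access pattern for headless devices can be shown concretely: the device is classified at join time from signals it emits without any agent, the classification maps to a role, and the role maps to the only destinations that role needs, with everything else denied. What follows is an added example written for this article, not any vendor's NAC implementation; the fingerprint table, device roles, subnets, ports and sample flows are constructed for the illustration.

```python
"""NAC-style least-access enforcement for headless IoT devices (added illustration).

Fingerprints, roles, subnets, ports and flows are assumed values for the example.
"""
import ipaddress
from dataclasses import dataclass

# Passive fingerprint -> role. Real NAC uses many signals (OUI, DHCP options,
# LLDP, traffic profile); only the MAC OUI and DHCP vendor class are modelled here.
FINGERPRINTS = {
    ("00:11:22", "axis-camera"): "camera",
    ("aa:bb:cc", "hvac-ctl"): "hvac",
}

# Role -> explicit list of (destination network, port) the role needs and nothing more.
ROLE_POLICY = {
    "camera": [("10.20.0.0/24", 554), ("10.20.0.0/24", 443)],  # video server: RTSP, HTTPS
    "hvac": [("10.30.5.10/32", 502)],                           # building management host: Modbus
    "quarantine": [],                                            # unrecognised device: no access
}


@dataclass
class Flow:
    src_mac: str
    dst_ip: str
    dst_port: int


def classify(mac, dhcp_vendor_class):
    """Assign a role from the OUI and DHCP vendor class; unknown devices are quarantined."""
    oui = mac.lower()[:8]
    return FINGERPRINTS.get((oui, dhcp_vendor_class), "quarantine")


def permitted(role, dst_ip, dst_port):
    """Default deny: a flow is allowed only if the role's list names its destination and port."""
    ip = ipaddress.ip_address(dst_ip)
    for net, port in ROLE_POLICY.get(role, []):
        if port == dst_port and ip in ipaddress.ip_network(net):
            return True
    return False


def enforce(flows, inventory):
    """Evaluate flows against the roles of their source devices.

    inventory maps MAC -> DHCP vendor class observed when the device joined.
    Returns (allowed, denied), each a list of (mac, role, dst_ip, dst_port).
    """
    allowed, denied = [], []
    for f in flows:
        role = classify(f.src_mac, inventory.get(f.src_mac, ""))
        record = (f.src_mac, role, f.dst_ip, f.dst_port)
        (allowed if permitted(role, f.dst_ip, f.dst_port) else denied).append(record)
    return allowed, denied


if __name__ == "__main__":
    # Constructed sample: one HVAC controller, one camera, one device nobody recognises.
    inventory = {
        "aa:bb:cc:01:02:03": "hvac-ctl",
        "00:11:22:aa:bb:cc": "axis-camera",
        "de:ad:be:ef:00:01": "unknown-thing",
    }
    flows = [
        Flow("aa:bb:cc:01:02:03", "10.30.5.10", 502),  # HVAC talking Modbus to the BMS: fine
        Flow("aa:bb:cc:01:02:03", "10.20.0.7", 554),   # HVAC reaching the video server: denied
        Flow("00:11:22:aa:bb:cc", "10.20.0.7", 554),   # camera streaming to video server: fine
        Flow("00:11:22:aa:bb:cc", "10.30.5.10", 502),  # camera probing the BMS: denied
        Flow("de:ad:be:ef:00:01", "10.20.0.7", 443),   # unknown device: quarantined, denied
    ]
    for verdict, records in zip(("ALLOW", "DENY"), enforce(flows, inventory)):
        for r in records:
            print(verdict, *r)
```

Two practical points follow from the code. The fingerprint is what a device claims to be, and MAC addresses and DHCP fields are trivially spoofed, so the security comes from the narrowness of the per-role allow list rather than from the classification; an attacker who impersonates a camera still only gets RTSP and HTTPS to the video subnet. Where a device class supports 802.1X with a certificate, that should replace the passive fingerprint as the basis for the role.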
Develop a strong Zero Trust security policy
When it comes to zero trust security, you must develop and execute a plan that ensures consistent protocols and policies are implemented across the entire network. No matter who or what is requesting access, or from where, the rules need to be consistent. This means, for example, that you need zero trust tools that are not cloud-only: if you run a hybrid network, you need the same zero trust on your physical campus as for your remote workers and assets. Few companies use the cloud exclusively; most have taken a hybrid approach, yet many zero trust solution providers offer cloud-only products.
Over the past year, businesses have started to rely more on hybrid and multi-cloud environments to meet their ongoing digital transformation needs. According to a recent Fortinet report, 76% of organizations surveyed said they use at least two cloud providers.
An important aspect to consider is the difference between the cloud platforms. Each has its own built-in security tools and functions, with different capabilities, command structures, syntax and logic. The data center is yet another environment, and organizations also migrate to and from clouds. Each cloud offers unique advantages, and being able to use the ones that meet its business needs is critical for an organization; cybersecurity should not get in the way. Yet with each cloud provider offering different security services, using different tools and approaches, each of your clouds becomes an independent silo in a fragmented network security infrastructure, which is far from ideal.
If, however, you have a common security layer across all of those data centers and clouds, you gain an abstraction layer on top of the individual tools that gives you visibility into the clouds, control over them, and the ability to establish a common security posture regardless of where an application resides or where it may move.
Today, applications can reside anywhere from the campus to the branch office to the data center and the cloud. This is why it is so important to ensure that your zero trust approach delivers the same protections no matter where a worker is physically located or how they are accessing company resources.
Implement a Zero Trust architecture for enhanced security
As the network perimeter continues to dissolve, in part due to advances in computing and the global shift to remote working, organizations must take advantage of every security benefit available to them. This includes knowing how to implement a zero trust security strategy. Because there are so many threats from both outside and inside, it is appropriate to treat every person and thing trying to access the network and its applications as a potential threat. Security measures that rely less on implicit trust do not require a complete network overhaul, but they do result in a stronger defence. By doing the initial hard work of establishing Zero Trust Access and its derivative, Zero Trust Network Access, you will relieve your IT security team of extra work and dramatically improve your security posture.
(The author is Regional Vice President, India and SAARC, Fortinet and the views expressed in the article are his own)