Zero trust operates on the premise that there are constant threats both outside and inside the network. Zero trust also assumes that every attempt to access the network or an application is a threat. It’s a network security philosophy that states no one inside or outside the network should be trusted until their identity has been thoroughly verified. These assumptions underlying the strategy of network administrators, obliging them to design stringent, trust less security measures.
There’s an all-too-common notion that implementing a zero trust architecture requires a complete overhaul of your network. There will certainly be some heavy lifting required, but successful implementation is about having the right framework in place paired with the right tools to execute. Every environment needs to have consistent zero trust. It’s a cultural shift, which is often a bigger change than the technology shift. It involves a mindset and a commitment to changing how access is granted and how security is maintained across the organization.
Right Access and the Right Needs
The first step in designing a zero trust architecture is to decide who is allowed to do what – and that’s probably the heaviest lift. You need to determine who gets access to which resources, and that is based on what the resources are so each individual can do their job. And then you need to make sure the devices that people are using are properly secured.
Establishing Zero Trust Access (ZTA) involves pervasive application access controls, powerful network access control technologies and strong authentication capabilities. One aspect of Zero Trust Access that focuses on controlling access to applications is Zero Trust Network Access (ZTNA). ZTNA extends the principles of ZTA to verify users and devices before every application session to confirm that they conform to the organization’s policy to access that application. ZTNA supports multi-factor authentication to maintain the highest degree of verification.
Using the zero trust model for application access or ZTNA makes it possible for organizations to rely less on traditional virtual private network (VPN) tunnels to secure assets being accessed remotely. A VPN often provides unrestricted access to the network, which can allow compromised users or malware to move laterally across the network seeking resources to exploit. However, ZTNA applies the policies equally, whether users are on or off the network. So, an organization has the same protections, no matter where a user is connecting from.
The implementation of an effective ZTA security policy must include secure authentication. Many breaches come from compromised user accounts and passwords, so the use of multifactor authentication is key. Requiring users to provide two or more authentication factors to access an application or other network assets adds an extra later of security to combat cybersecurity threats.
It’s also essential to ensure users don’t have inappropriate or excessive levels of access. Adopting the ZTA practice of applying “least access” privileges as part of access management means that if a user account is compromised, cyber adversaries only have access to a restricted subset of corporate assets. It’s similar to network segmentation but on a per-person basis. Users should only be allowed to access those assets that they need for their specific job role.
Ensuring device security with Zero Trust
Security of devices also plays a pivotal role in the implementation of an effective zero trust security policy. It is paramount to ensure that the devices people are using have been properly secured. This is particularly important as IoT devices proliferate and become bigger targets for cyber attackers.
Because IoT devices lack the ability to install software and don’t have onboard security features, they are essentially “headless.” As technology has advanced, so has the interconnections of IoT ecosystems with the enterprise network and the entirety of the internet.
This new connectivity and the expansion of IP-enabled devices mean IoT devices have become a prime target for cyber criminals. The majority of IoT devices are not designed with security in mind, and many do not have traditional operating systems or even enough processing power or memory to incorporate security features.
A benefit of ZTA is that it can authenticate endpoint and IoT devices to establish and maintain all-inclusive management control and ensure the visibility of every component attached to the network. For headless IoT devices, network access control (NAC) solutions can perform discovery and access control. Using NAC policies, organizations can apply the zero-trust principles of least access to IoT devices, granting only sufficient network access to perform their role.
Developing a Strong Zero Trust Security Policy
When it comes to zero trust security, you need to develop and execute a plan that ensures consistent protocols and policies that are implemented across the entire network. No matter who, where, or what they want to access, the rules must be consistent. That means you need to find zero trust security tools that aren’t cloud-only, for example, because if you run a hybrid network, you need the same zero trust on your physical campus as for your remote workers/assets. Comparatively, few companies are running cloud-only; most have taken a hybrid approach, and yet many zero trust solution providers are developing cloud-only solutions.
Over the past year, organizations have begun to depend more on hybrid and multi-cloud environments to help support their ongoing digital transformation requirements. According to a recent report from Fortinet, 76% of responding organizations reported using at least two cloud providers.
An important aspect to consider is the difference in each of the cloud platforms. Each has different built-in security tools and functions with different capabilities, command structures, syntax and logic. The data center is still another environment. In addition, organizations may be migrating into and out of clouds. Each cloud offers unique advantages, and it’s essential for the organization to be able to use whichever ones support their business needs; cybersecurity must not hinder that. Yet, with each cloud provider offering different security services using different tooling and approaches, each of your clouds becomes an independent silo in a fragmented network security infrastructure – not an ideal set-up.
But, if you have a common security overlay across all of these data centers and clouds, you provide an abstraction layer above the individual tools that gives you visibility across the clouds, control of them, and the ability to establish a common security posture irrespective of where an application may be, or where it may move to.
Consequently, applications can reside anywhere – from on-campus to branch to data center to cloud. This is why it’s so important to make sure your zero-trust approach can provide the same protocols, no matter where the worker is physically located and how they’re accessing company resources.
Implementing a Zero Trust Architecture for Stronger Security
As the network perimeter continues to dissolve, due in part to edge computing technologies and the global shift to remote work, organizations must make use of every security advantage that exists. That includes knowing how to implement a zero trust security strategy. Because there’s so many threats from without and within, it’s appropriate to treat every person and thing trying to gain access to the network and its applications as a threat. Trust less security measures don’t require a total network overhaul but do result in a stronger network shield. By doing the initial hard work of establishing Zero Trust Access and its offshoot, Zero Trust Network Access, you’ll be relieving your IT security team of additional work and significantly upping your security quotient.
(The author is Regional Vice President, India and SAARC, Fortinet and the views expressed in the article are his own)