The concept of “Zero Trust” was coined back in 2010, on the basis that traditional perimeter security models failed to provide adequate protection because the idea of a trusted internal network and untrusted external network is inherently flawed. The solution is to change the trust model, so that no user is automatically trusted.
Today, Zero Trust Access (ZTA) has become something of a buzzword in the industry, with many vendors offering their ZTA solutions. Even the latest executive order on cybersecurity from President Joe Biden includes mandates for Zero Trust. Although the term is seemingly everywhere, implementation continues to lag. A big part of the reason for the slow adoption is that there is still a lot of confusion and many unknowns about ZTA: what it actually means, and how you get started.
In this eWEEK Data Points article, Jonathan Nguyen-Duy of Fortinet discusses the five facts organizations need to know to effectively implement ZTA for their networks.
Data Point No. 1: ZTA discards implicit trust
ZTA is about knowing and controlling who and what is on your network. CISOs can reduce the risk posed by employees and more efficiently manage an organization’s network by moving away from a system that operates on implicit trust.
By limiting network access for users, as well as adopting extensive identity authentication, zero trust access eliminates points of vulnerability so that only legitimate users have access to the data and systems that are relevant to their position – essentially ubiquitous need-to-know access.
Data Point No. 2: ZTA is not the same as ZTNA
ZTA considers not only who is on the network but also what is on the network. The ever-growing profusion of network-connected devices may include IoT devices ranging from printers to heating and ventilation equipment and door access systems. These “headless” devices have no username and password with which to identify themselves and their role. For these devices, network access control (NAC) solutions can be used to discover them and control their access. Using NAC policies, the zero trust principle of least access can be applied to these IoT devices, granting sufficient network access to perform their role and nothing more.
Zero Trust Network Access (ZTNA) is an element of ZTA that controls access to applications regardless of where the user or the application resides. The user may be on a corporate network, working from home, or someplace else. The application may reside in a corporate data center, in a private cloud, or on the public internet. ZTNA extends the Zero Trust model beyond the network and reduces the attack surface by hiding applications from the internet.
Data Point No. 3: NAC is the starting point for ZTA
To get started with ZTA, you need to take stock of all devices on the network. A NAC solution accurately discovers and identifies every device on or seeking access to the network, scans it to ensure that it hasn’t already been compromised, and profiles it to establish its role and function.
The NAC inventories everything from end-user phones and laptops to network servers, printers, and headless IoT devices like HVAC controllers or security badge readers.
Data Point No. 4: Micro-segmentation is key
Once you know what’s on the network, you can use the NAC’s dynamic network micro-segmentation to assign each device to an appropriate network zone. Determining the correct zone is based on a number of factors, including device type, function and purpose within the network.
The NAC can also support intent-based segmentation, provided by a next-generation firewall platform, to segment devices intelligently. The segmentation can be based on specific business objectives, such as compliance requirements like GDPR privacy laws or PCI-DSS transaction protection. With intent-based segmentation in place, assets are tagged with compliance restrictions that are enforced regardless of their location in the network, which helps reduce the time and cost of compliance implementation.
Data Point No. 5: ZTA needs endpoint software
To overcome the issue of off-network devices accessing client- and cloud-based solutions, you need software that runs on an endpoint. It must provide continuous protection and behavioral-based detection at the endpoint to prevent device compromise, whether the user is on or off the network.
This type of software also enables secure remote access to networked resources through VPN connections, traffic scanning, URL filtering, and sandboxing. Sharing endpoint security status is part of the authentication and authorization process: endpoint telemetry such as the device operating system and applications, known vulnerabilities and patch levels, and current security status is used to refine the access rules applied to the device.
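As an added illustration (not code from the article or from any Fortinet product), here is a minimal deny-by-default access decision that combines the three inputs described in Data Points 3 to 5: the NAC device profile for micro-segmentation zone assignment, intent-based compliance tags on the resource being reached, and endpoint posture telemetry. The zone names, tag names and telemetry fields are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed micro-segmentation zone per NAC device profile; unknown -> quarantine.
ZONE_BY_TYPE = {
    "laptop": "user", "phone": "user",
    "printer": "iot-print",
    "hvac": "iot-facilities", "badge-reader": "iot-facilities",
    "server": "datacenter",
}
# Intent-based segmentation: zones allowed to reach resources carrying each tag,
# enforced wherever the device sits (assumed tag names).
TAG_ALLOWED_ZONES = {
    "pci": {"datacenter"},
    "gdpr": {"user", "datacenter"},
}

@dataclass
class Device:
    name: str
    kind: str                # role/function profiled by NAC discovery
    headless: bool = False   # IoT device with no user credentials
    os_patched: bool = True  # endpoint telemetry (assumed fields)
    av_running: bool = True
    on_network: bool = True  # deliberately never consulted: location confers no trust

def assign_zone(dev):
    """Micro-segmentation: place the device by its NAC profile."""
    return ZONE_BY_TYPE.get(dev.kind, "quarantine")

def posture_ok(dev):
    """Managed endpoints must report healthy telemetry; headless IoT has none
    to report and is governed by its NAC profile and narrow zone instead."""
    return dev.headless or (dev.os_patched and dev.av_running)

def decide(dev, resource_tags):
    """Deny by default: zone, posture and every compliance tag must pass."""
    zone = assign_zone(dev)
    if zone == "quarantine":
        return False, "unprofiled device quarantined"
    if not posture_ok(dev):
        return False, "endpoint posture failed"
    for tag in sorted(resource_tags):
        if zone not in TAG_ALLOWED_ZONES.get(tag, set()):
            return False, f"zone {zone} not permitted for {tag} resources"
    return True, f"allowed from zone {zone}"
```

Note that `on_network` never influences the result: a laptop working from home is judged by the same profile, tags and posture as one on the corporate LAN.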
More Than a Buzzword: ZTA is Crucial
In this time of remote work and multiple employee devices, ZTA has become a crucial aspect of cybersecurity. Organizations have the opportunity to switch to a Zero Trust Access framework that identifies, segments, and continuously monitors all devices. ZTA helps ensure that internal resources remain secure, and that data, applications, and intellectual property stay safe.
In addition to simplifying overall network and security management, taking a Zero Trust approach also increases visibility and control across the organization, including devices that are off the network. ZTA should be a foundational pillar of any effective security strategy. Implemented correctly, it enables only the right person or entity to have immediate access to the resources they need to do their job, while eliminating the risks and downtime that can result from unauthorized access.
ABOUT THE AUTHOR:
Jonathan Nguyen-Duy, Vice President, Global Field CISO Team, Fortinet