
Know “Who” and “What” with Zero-trust Network Access

By Peter Newton | February 18, 2020

Identify and Secure Users and Devices, On and Off Network

When security is focused primarily on the perimeter, the attackers, malware, and infected devices that manage to bypass edge security checkpoints often have free access to the flat network or network segment inside. They can take their time to establish a beachhead, escalate privileges, spread laterally across the network, and identify and exploit the data and resources they want to steal, hijack, or destroy. Perimeter-focused security, combined with flat and open network environments, is the reason why the average mean time to identify a threat is 197 days, with another 69 days required to contain a breach, usually because it has spread so far and deep into the network.

The common issue is one of trust. When you automatically extend trust to any device or user in your network, you put your organization at risk when either becomes compromised, whether intentionally or unintentionally. Fortinet’s Zero-trust Network Access framework specifically addresses this challenge by shifting the fundamental paradigm from open networks built around inherent trust to a zero-trust framework, through the adoption of rigorous network access controls.

The core assumption is that every device on your network is potentially infected, and any user is capable of compromising critical resources. With that new paradigm in place, organizations need to know exactly who and what is on their network at any given moment. Next, they need to ensure that those users and devices are only provided with the minimum level of network rights necessary for them to do their job. And finally, any resources they need should only be accessed on a “need to know” basis, regardless of their location or function.

Fortinet’s unique Zero-trust Network Access framework leverages a tightly integrated collection of security solutions to enable organizations to identify and classify all users and devices seeking network access, assess their state of compliance with internal security policies, automatically assign them to zones of control, and then continuously monitor them both on and off the network. Achieving this starts with three essential functions:

Knowing WHAT is on Your Network

The first objective of a Zero-trust Network Access strategy is to establish a running inventory of all devices on the network. FortiNAC accurately discovers and identifies every device on or seeking access to the network, scans it to ensure that it hasn’t already been compromised, and profiles it to establish its role and function – whether an end user’s phone or laptop, a network server, a printer, or a headless IoT device such as an HVAC controller or security badge reader.

FortiNAC then uses dynamic network micro-segmentation to assign each device to an appropriate network zone based on a number of factors, including device type, function, and purpose within the network. It can also support Intent-Based Segmentation provided by a FortiGate NGFW platform to intelligently segment devices based on specific business objectives, such as compliance requirements like GDPR privacy laws or PCI-DSS transaction protection. With Intent-Based Segmentation in place, assets are tagged with compliance restrictions that are enforced regardless of their location in the network, helping to reduce the time and cost of compliance implementation.

And finally, FortiNAC provides continuous monitoring and response for these devices. Those devices that begin to behave abnormally can be quickly identified, allowing FortiNAC to take a variety of countermeasures, such as reassigning them to a quarantine zone so they cannot achieve their objectives or infect other devices.

Knowing WHO is on Your Network

User identity is the other cornerstone of an effective Zero-trust Network Access strategy. The objective of Zero-trust Network Access is to determine who every user is and what role they play within an organization, and then to establish a “least access policy” that only grants access to those resources necessary for their role or job, with access to additional resources only provided on a case-by-case basis.

Tools like FortiToken, for two-factor authentication, and FortiAuthenticator for AAA services, access management, and single sign-on (SSO) are used to identify and apply appropriate access policies to users based on their role within the organization. They also support SAML implementations to exchange authentication and authorization data between parties, enabling users to securely access SaaS solutions such as Salesforce, ADP, or Office365.

User identity can be further authenticated through such things as user log-in, multi-factor input, or certificates, and then tied to role-based access control (RBAC) to match an authenticated user to specific access rights and services.

Protecting Assets ON and OFF the Network

Monitoring assets that remain on the network is pretty straightforward. The challenge is that many of them are mobile, including BYOD devices owned by employees. They serve multiple purposes for their users, bridging their personal and business lives. They are used to browse the internet, interact on social media sites, and receive personal and business email when not logged into the network – which means they are often exposed to threats that can be dragged back into the network, exposing other devices and resources to risk.

According to one Ponemon Institute report, 63% of companies are unable to monitor off-network endpoints, and over half can’t determine the compliance status of endpoint devices. When you combine that with Gartner’s warning that 30% of breaches involve insiders (whether or not they are malicious), it is imperative that endpoint devices that have access to critical network resources are also protected when they are off-network.

Zero-trust Network Access addresses the challenge of off-network devices with client- and cloud-based solutions. FortiClient, including the Fabric Agent, combined with cloud-based FortiGuard Cloud, provides continuous endpoint protection to prevent device compromise whether on or off network. It also enables secure remote access to networked resources via VPN connectivity, scanning of traffic, URL filtering, and sandboxing, as well as sharing endpoint security status as part of the authentication and authorization process. This includes endpoint telemetry such as device OS and applications, known vulnerabilities, and patches, as well as security status, to refine the access rules applied to the device.
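The three ideas above (zoning devices by profile and quarantining them on bad posture or abnormal behaviour, least-access RBAC for authenticated users, and endpoint telemetry feeding the access decision) can be combined into a single access decision. The following is an added illustration written for this article, not Fortinet’s code and not how FortiNAC or FortiAuthenticator implement it; the policy tables, device fields, thresholds and names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy tables (assumptions, not a vendor data model).
ROLE_ACCESS = {                      # role -> resources the role may reach
    "finance": {"erp", "mail"},
    "engineering": {"git", "mail"},
    "guest": set(),
}
ZONE_FOR_TYPE = {"laptop": "user", "phone": "user", "printer": "print",
                 "hvac": "iot", "badge-reader": "iot"}

@dataclass
class Device:
    device_id: str
    device_type: str        # result of profiling the device
    os_patched: bool        # endpoint telemetry shared by the agent
    known_vulns: int
    av_healthy: bool
    anomaly_count: int = 0  # abnormal-behaviour events from continuous monitoring

@dataclass
class User:
    name: str
    role: str
    mfa_ok: bool            # multi-factor step completed

def assign_zone(dev: Device) -> str:
    """Zone by device type; quarantine when posture or behaviour fails."""
    if (not dev.os_patched or dev.known_vulns > 0
            or not dev.av_healthy or dev.anomaly_count >= 3):
        return "quarantine"
    # Unprofiled device types are never trusted by default.
    return ZONE_FOR_TYPE.get(dev.device_type, "quarantine")

def evaluate_access(user: User, dev: Device, resource: str) -> dict:
    """Zero-trust decision: healthy device AND authenticated user AND role allows resource."""
    zone = assign_zone(dev)
    if zone == "quarantine":
        return {"allow": False, "zone": zone, "reason": "device quarantined"}
    if zone == "iot":
        return {"allow": False, "zone": zone, "reason": "headless device cannot act for a user"}
    if not user.mfa_ok:
        return {"allow": False, "zone": zone, "reason": "multi-factor authentication not completed"}
    if resource not in ROLE_ACCESS.get(user.role, set()):
        return {"allow": False, "zone": zone, "reason": f"role {user.role} has no right to {resource}"}
    return {"allow": True, "zone": zone, "reason": "least-access policy satisfied"}

if __name__ == "__main__":
    alice = User("alice", "finance", mfa_ok=True)
    laptop = Device("lap-01", "laptop", os_patched=True, known_vulns=0, av_healthy=True)
    print(evaluate_access(alice, laptop, "erp"))   # allowed
    print(evaluate_access(alice, laptop, "git"))   # denied: not in role
    laptop.known_vulns = 2
    print(evaluate_access(alice, laptop, "erp"))   # denied: device quarantined
```

Every deny path returns the reason, so the same decision record can feed both the enforcement point and the monitoring pipeline.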

The Advantages of a Zero-trust Network Access Strategy

By transitioning to a zero-trust network access framework that identifies, segments, and continuously monitors all devices, organizations can replace their high-risk, flat networks and ensure that internal resources remain secured, and that data, applications, and intellectual property remain protected. This strategy not only reduces many of the risks an organization faces due to a perimeter-centric security strategy, but also expands visibility and control across the organization – including off-network devices – while simplifying overall network and security management.
