Interest in using zero-trust concepts to enhance security has increased as more organizations support "work from anywhere" initiatives. Security needs to be the same everywhere and solutions need to be able to adapt to different work models. It needs to be seamless so organizations don't have one option that works well for remote workers and one for in-office workers. Solutions need to be flexible enough to securely address all workforce scenarios with consistent policy, protection and management for remote users, branches, cloud, and data centers.
The zero-trust model of network security reduces the attack surface while providing secure access to applications and dynamic access control. And the most effective strategy is a holistic approach that delivers visibility and control of all users and devices both on and off the network.
Here are three tips for enhancing security with zero trust.
With the zero-trust security model, you need to know who and what is on the network at all times. So the first step is to use network access control (NAC) to discover and identify each device that is on or seeking access to the network and ensure that it hasn’t already been compromised.
The devices accessing networks may include end-user desktop and mobile devices, networked office equipment, retail point of sale systems, operational technologies, and numerous distributed sensors and other devices collectively known as the Internet of Things (IoT). The challenge in managing all of these devices lies in their wide dispersion, the varying levels of device supervision, and the lack of support for standard communication protocols in legacy devices.
During the discovery process, the NAC solution should detect MAC Authentication Bypass (MAB) attack attempts and log these incidents. It should also share the information it collects in real time with other network devices and security infrastructure components.
The NAC processes should be completed in seconds to minimize the risk of device compromise. Ideally, a NAC solution should be easy to deploy from a central location and offer consistent operation across both wired and wireless networks. With the central location, the NAC solution won’t require the sensors at every device location, which can drive up deployment and management costs.
Microsegmentation is another key component of zero-trust. With network micro-segmentation, each device is assigned to an appropriate network zone based on a number of factors, including device type, function, and purpose within the network. And intent-based segmentation can intelligently segment devices based on specific business objectives, such as compliance requirements like GDPR privacy laws or PCI-DSS transaction protection.
Microsegmentation hardens the network in two ways. First, it breaks up the lateral (east-west) path through the network, which makes it more difficult for hackers and worms to gain access to the devices. Second, it reduces the risk of a hacker using an infected device as a vector to attack the rest of the network.
The next generation firewalls (NGFWs) used for microsegmentation should be designed so they can process all intersegment traffic with minimal latency. Avoiding latency issues helps ensure that adding security doesn't hinder productivity throughout the organization.
Even better, a firewall that can handle both Zero-trust Network Access and SD-WAN at the same time.
User identity is another cornerstone of zero trust. Like devices, every user needs to be identified along with the role they play within an organization. The zero-trust model focuses on a “least access policy” that only grants a user access to the resources that are necessary for their role or job. And access to additional resources is only provided on a case-by-case basis.
Authentication and authorization solutions should be integrated with the enterprise’s network security infrastructure and to a policy-based Active Directory database to enable automated enforcement and easy management of least-privilege access policies.
At this point, every organization should be using multifactor authentication, so if you're not, this is a key area to improve. Authentication, authorization, and account (AAA) services, access management, and single sign-on (SSO) are used to identify and apply appropriate access policies to users based on their role within the organization. User identity can be further authenticated through user log-in, multi-factor input (password or password-less authentication), or certificates, and then tied to role-based access control (RBAC) to match an authenticated user to specific access rights and services. Security shouldn't hamper productivity, so solutions should perform with minimal latency to facilitate compliance and minimize user fatigue.
Many organizations that take a piecemeal approach to zero trust get bogged down in the technology and wallow in complexity. When you have products coming from multiple vendors, you can easily end up with multiple dashboards and challenging integrations that may or may not work with the systems you already have. But there’s always more you can be doing to enhance your security posture through zero-trust concepts
Instead of taking piecemeal approach to zero trust that can leave security gaps and can be expensive and cumbersome to manage, it's easier to deploy, configure, and maintain solutions that are integrated by design.
The key to successfully integrating zero-trust concepts is to take it one step at a time. Many organizations have incorporated some elements of zero trust already. They may have solutions in place that restrict application access or have multi-factor authentication. A great way to get started it to improve what you have and then add more zero-trust capabilities over time.