To accelerate business and remain competitive, organisations are rapidly adopting digital innovation (DI) initiatives. This means business applications and data are now dispersed far and wide, away from the corporate premises, giving workers access to more corporate assets from many locations. For this reason, the traditional perimeter is dissolving, which opens the internal network to a growing attack surface – a top concern for CISOs.
In response to these threats, organisations need to take a “trust no one, trust nothing” approach to security. Specifically, CISOs need to protect the network with a Zero-Trust Network Access policy, making sure all users, all devices, and all web applications from the cloud are trusted, authenticated, and have the right amount of access. Zero-Trust is critical to securing digital innovation, no matter what the nature of the individual project.
According to Fortinet Field CISO Peter Newton:
“There is a major emphasis on the concept of Zero-Trust Network Access because companies are recognising that, number one, they have all these VPN Tunnels that need to understand and confirm who the users are and two, they have users on all different types of devices that now have access to the corporate network. This is where the ability to understand and see everything on that network has become key and that is why our Teleworker Solutions has gotten a lot of attention and activity in the months since COVID-19 first hit. Now customers are finally able to take a step back now and evaluate whether they put every security measure in place that they needed to so that their teleworker solutions are effective long-term. As a result, many of them are shoring up their Zero-Trust capabilities so they know exactly who and what is on their network well into the future as employees continue to work remotely.”
For security leaders, it is impossible to keep up with the growing number of attacks using a traditional approach to network access. That is why there is a shift happening, from trusting everything on the network to not trusting things. With a well-functioning zero-trust access model, CISOs organize their approach using specific vulnerable areas of the network edge that can be considered untrustworthy: users, devices, and assets both on and off the network.
Fortinet Field CISO Alain Sanchez adds:
“Zero-Trust Network Access is a very strong concept, and a necessary approach as more and more business-critical and life-critical processes are becoming fully digital. However, for people not versed in cybersecurity, the word might carry negative connotations. Wrongly interpreted, it might resonate as if the network, the PC, the applications, or in fact the entire digital ecosystem will stop recognizing its users. It can be seen as a barrier to productivity.
“Zero-Trust Network Access is a foundational pillar of any effective security strategy. It actually enables the right person to have immediate access to the resources they need to do their job, while also eliminating the risks and downtime that can result from unauthorized access. However, to advocate for the adoption of necessary security solutions such as this, especially as the cyber threat landscape continues to evolve, CISOs need to do more and more communication and education. They will find themselves not only needing to explain what needs to change and why, but more importantly, how these changes will benefit the organisation. This is particularly important to those teams that have, until now, been managing user network access based on a legacy notion of implicit trust.”
How does Zero-Trust Network Access work?
A Zero-Trust Network Access strategy focuses on network connectivity and has three essential functions.
The ‘what’: Know every device that’s on the networkThe proliferation of applications and devices is expanding the perimeter, creating billions of edges that must be managed and protected. Overwhelmed IT staff struggle to manage the flood of devices, whether those are coming from Internet-of-Things (IoT) initiatives, bring-your-own-device (BYOD) policies, or any other area of the corporate environment. The first step of adopting a Zero-Trust Network Access strategy is to discover and identify all devices on the network – whether that’s an end-user’s phone or laptop, a network server, a printer, or a headless IoT device such as an HVAC controller or security badge reader. With this visibility, security teams then can know every device type, function, and purpose it has within the network. From there, teams can set up proper controls of the access those devices have. Then, once proper control is in place, a Zero-Trust Network Access approach also includes continuous monitoring and response of devices, which helps to identify and remediate problematic devices so they cannot infect other devices or systems on the network.
The ‘who’: Know every user that accesses your networkUser identity is critical in developing an effective Zero-Trust Network Access policy. Organisations need to know every user that is attempting to access the network. Are they an employee? A contractor? A guest? A vendor? Establishing user identity requires log-in and multi-factor authentication; passwords are weak and frequently stolen. Certificates should then be used to enforce identity and can be tied to role-based access control (RBAC) to match an authenticated user to specific access rights and services. Once identity is established, access policies are determined by a user’s role in the organisation. A “least access policy” can be used to grant access to those resources necessary for a role or job, with access to additional resources provided only on an as needed basis. As the zero-trust model is more widely adopted, security leaders can begin to implement the right controls that grant users the right access to the network from anywhere. The ability to onboard all users with role-based access to the network provides a robust network security that benefits the entire organisation and the entities (partners, suppliers, contractors) it works with.
The ‘how’: Know how to protect assets on and off the networkMany organisations are unable to monitor off-network endpoints, and over half can’t determine the compliance status of endpoint devices. One of the primary culprits for this challenge is enhanced workplace mobility, coupled with an increased emphasis on remote work. With a Zero-Trust Network Access strategy, organisations can address the challenge of protecting off-network devices by improving endpoint visibility. Vulnerability scanning, robust patching policies, and web filtering are all critical elements of a zero-trust strategy. In addition, a zero-trust approach can enable secure remote access to networked resources via virtual private network (VPN) connectivity. This allows security teams to see, control, and protect every asset whether it is on or off the network.
No longer optional
One of the main reasons for the growing attack surface is due to the proliferation of IoT and smart devices that are coming onto the network. Security leaders often lack full visibility into the flood of devices accessing the network—and CISOs have learned hard lessons regarding what they can’t see that will hurt them. To fully secure all of these endpoint devices, enterprises need a zero-trust access policy across the entire network that provides visibility into where each device is, what it does, and how it connects to other devices across the network, as well as continuous monitoring to detect any behavioural anomalies that could indicate a threat.
As security leaders navigate a workforce that is working from a variety of locations and using both personal and business devices to access the network, they need a way to protect all endpoints at the network edge. With a zero-trust access approach, organisations can improve visibility of all devices on and off the network, enable advanced protection, and implement dynamic access control, all while reducing the attack surface.
Integrated security from SCC
COVID-19 is changing the technology culture and infrastructure of every medium-sized and large organisation faster than any known event or phenomenon. This means changes will continue coming – and hackers will continue to target our growing dependence on digital tools. Businesses that focus on a return to “near-normal” will be investing time, effort and money in a battle long lost.
SCC’s security solutions provide an integrated security suite that delivers the right technologies to enhance existing practices. We deploy solutions to help customers secure cloud, data, networks and systems to mitigate risks that may stem from insider and external attacks. We build solutions that can help you to control, govern and manage user identities and access to services and data across your infrastructure.
SCC is a Fortinet Expert Integrator partner, which is the highest level achievable. We have many years of experience securing customer networks, as demonstrated by our Fortinet Platinum Partner of the Year award in 2018 for our expertise in designing and delivering the Fortinet security fabric.
Our depth of capabilities for the solutions we provide assures customers that we can execute with greater agility.
We have extensive experience, qualifications and certifications in a wide range of partner technologies that underpin our solutions. You benefit from thought leadership, key knowledge and vital experience, shared across our global partner network.