How to Implement a Zero-Trust Security Strategy
By Peter Newton | August 25, 2021
Zero-trust operates on the premise that there are constant threats both outside and inside the network. It also assumes that every attempt to access the network or an application is a threat. In other words, zero-trust is a network security philosophy that states no one inside or outside the network should be trusted until their identity has been thoroughly verified. These assumptions underlie the strategy of network administrators, obliging them to design stringent, trustless security measures.
How Do You Implement the Zero-Trust Security Model?
There’s an all-too-common notion that implementing a zero-trust architecture requires a complete overhaul of your network. There will certainly be some heavy lifting required, but successful implementation is about having the right framework in place paired with the right tools to execute. Every environment needs to have consistent zero-trust. It’s a cultural shift, which is often a bigger change than the technology shift. It involves a mindset and a commitment to changing how access is granted and how security is maintained across the organization.
Step 1. Determine the Right Access and the Right Needs
The first step in designing a zero-trust architecture is to decide who is allowed to do what – and that’s probably the heaviest lift. You need to determine who gets access to which resources, based on what each individual needs in order to do their job. Then, you will need to make sure the devices that people are using are properly secured.
Establishing Zero-Trust Access (ZTA) involves pervasive application access controls, powerful network access control technologies, and strong authentication capabilities. One aspect of ZTA that focuses on controlling access to applications is Zero-Trust Network Access (ZTNA). ZTNA extends the principles of ZTA to verify users and devices before every application session to confirm that they conform to the organization’s policy to access that application. ZTNA supports multi-factor authentication to maintain the highest degree of verification.
Using the zero-trust model for application access or ZTNA makes it possible for organizations to rely less on traditional virtual private network (VPN) tunnels to secure assets being accessed remotely. A VPN often provides unrestricted access to the network, which can allow compromised users or malware to move laterally across the network seeking resources to exploit. However, ZTNA applies the policies equally, whether users are on or off the network. So, an organization has the same protections, no matter where a user is connecting from.
The implementation of an effective ZTA security policy must include secure authentication. Many breaches come from compromised user accounts and passwords, so the use of multifactor authentication is key. Requiring users to provide two or more authentication factors to access an application or other network assets adds an extra layer of security to combat cybersecurity threats.
It’s also essential to ensure users don’t have inappropriate or excessive levels of access. Adopting the ZTA practice of applying “least access” privileges as part of access management means that if a user account is compromised, cyber adversaries only have access to a restricted subset of corporate assets. It’s similar to network segmentation but on a per-person basis. Users should only be allowed to access the assets that they need for their specific job roles.
Step 2. Make Sure All Devices are Secured with Zero-Trust
Security of devices also plays a pivotal role in the implementation of an effective zero-trust security policy. It is paramount to ensure that the devices people are using have been properly secured. This is particularly important as IoT devices proliferate and become bigger targets for cyberattackers.
Because IoT devices cannot install software and don’t have onboard security features, they are essentially “headless.” As technology has advanced, so has the interconnectedness of IoT ecosystems with the enterprise network and the entirety of the internet.
This new connectivity and the expansion of IP-enabled devices mean IoT devices have become a prime target for cybercriminals. The majority of IoT devices are not designed with security in mind, and many do not have traditional operating systems or even enough processing power or memory to incorporate security features.
A benefit of ZTA is that it can authenticate endpoint and IoT devices to establish and maintain all-inclusive management control and ensure the visibility of every component attached to the network. For headless IoT devices, network access control (NAC) solutions can perform discovery and access control. Using NAC policies, organizations can apply the zero-trust principles of least access to IoT devices, granting only sufficient network access to perform their role.
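As an added illustration of Steps 1 and 2 (example code, not from the original article or from Fortinet), the following Python sketch evaluates one session request the way a ZTNA/NAC policy point would: users are scoped by a least-access role table and must pass MFA and a device posture check, headless IoT devices are limited to the role NAC assigned them, and the request’s network location is deliberately ignored so on- and off-network users get identical decisions. The role table, device classes and requests are constructed sample data.

```python
from dataclasses import dataclass

# Least-access policy: each role (or headless-device class) maps to the
# resources it needs for its job and nothing else (constructed sample data).
ROLE_ACCESS = {
    "finance": {"erp", "payroll"},
    "engineer": {"git", "ci"},
    "ip-camera": {"video-recorder"},   # headless IoT: role assigned by NAC discovery
}
HEADLESS_CLASSES = {"ip-camera"}       # cannot run an agent or present MFA


@dataclass
class AccessRequest:
    subject: str                     # user account or device identity
    role: str
    resource: str
    mfa_passed: bool = False
    device_compliant: bool = False   # endpoint posture check result
    location: str = "on-network"     # on-network / remote / branch: must not matter


def decide(req: AccessRequest) -> tuple[str, str]:
    """Evaluate a single application session. Returns (verdict, reason).

    Every request starts untrusted; the decision never reads req.location,
    so a user on the campus LAN and one on a coffee-shop Wi-Fi are treated alike.
    """
    allowed = ROLE_ACCESS.get(req.role, set())
    if req.resource not in allowed:
        # Least access: even a fully verified identity gets only its job's resources
        return "deny", f"{req.role} has no need for {req.resource}"
    if req.role in HEADLESS_CLASSES:
        # NAC identified the device; its role scope is the whole control
        return "allow", "headless device limited to NAC-assigned role"
    if not req.mfa_passed:
        return "deny", "multi-factor authentication required"
    if not req.device_compliant:
        return "deny", "device failed posture check"
    return "allow", "identity, MFA and device verified for this session"


def demo() -> list[tuple[str, str, str]]:
    """Run a few constructed requests and return (subject, resource, verdict)."""
    requests = [
        AccessRequest("alice", "finance", "erp", mfa_passed=True, device_compliant=True),
        AccessRequest("alice", "finance", "erp", mfa_passed=False, device_compliant=True),
        AccessRequest("alice", "finance", "git", mfa_passed=True, device_compliant=True),
        AccessRequest("cam-07", "ip-camera", "video-recorder"),
        AccessRequest("cam-07", "ip-camera", "erp"),
    ]
    return [(r.subject, r.resource, decide(r)[0]) for r in requests]
```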
Step 3. Develop a Strong Zero-Trust Security Policy
When it comes to zero-trust security, you must develop and execute a plan that ensures consistent protocols and policies are implemented across the entire network. No matter who, where, or what they want to access, the rules must be consistent – that means you need to find zero-trust security tools that aren’t cloud-only. For example, if you run a hybrid network, you will need to use the same zero-trust security tools with your remote workers that you use on your physical campus. Few companies are actually running cloud-only; most have taken a hybrid approach, and yet many zero-trust solution providers are developing cloud-only solutions.
Over the past year, organizations have begun to depend more on hybrid and multi-cloud environments to help support their ongoing digital transformation requirements. According to a recent report from Fortinet, 76% of responding organizations reported using at least two cloud providers.
The differences between cloud platforms are an important aspect to consider when deciding which service is best for your organization. Each platform has various built-in security tools and functions with different capabilities, command structures, syntax, and logic. The data center is yet another environment. In addition, organizations may be migrating into and out of clouds. Each cloud offers unique advantages, and it’s essential that the organization be able to use whichever ones support its business needs; cybersecurity must not hinder that. Yet, with each cloud provider offering different security services using different tools and approaches, each of your clouds becomes an independent silo in a fragmented network security infrastructure – not an ideal set-up.
In order to combat this issue, you must have a common security overlay across all of these data centers and clouds, which will provide an abstraction layer above the individual tools that gives you visibility across the clouds, control of them, and the ability to establish a common security posture irrespective of where an application may be, or where it may move to.
Consequently, applications can reside anywhere – from on-campus to branch to data center to cloud. This is why it’s so important to make sure your zero-trust approach can provide the same protocols, no matter where the worker is physically located and how they’re accessing company resources.
Implementing a Zero-Trust Architecture for Stronger Security
As the network perimeter continues to dissolve, due in part to edge computing technologies and the global shift to remote work, organizations must make use of every security advantage that exists, and that includes knowing how to implement a zero-trust security strategy. Because there are so many threats from without and within, it’s appropriate to treat every person and thing trying to gain access to the network and its applications as a threat. Trustless security measures don’t require a total network overhaul but do result in a stronger network shield. By doing the initial hard work of establishing Zero-Trust Access and its offshoot, Zero-Trust Network Access, you’ll be relieving your IT security team of additional work and significantly upping your security quotient.
Fortinet is the keynote sponsor of Camp Secure Sense! Rafi Wanounou, Director of Systems Engineering, will be presenting Adversaries: Core Pillars to Defend Against Strategic Attackers on Day 1 at 12:30pm in Grand Room A. Register now to attend Fortinet’s keynote presentation while enjoying a delicious lunch!
The modern adversary is cunning and resilient. Recent attacks have demonstrated that the current security model is broken and ineffective against the next generation of adversaries. We propose that four security pillars in an automation framework are the path forward to secure the modern enterprise.
Those Pillars are ZTNA, Hardened Endpoint, Secure Networking, and Advanced Security Operations. We will review how these four pillars as part of an automation framework create a network that is sufficiently resilient and malleable to defend against today’s adversaries.
Camp Secure Sense is the leading IT Security Networking Event in Canada for the information technology leaders of some of North America’s largest corporations. Register now to join decision makers and the Secure Sense team this year on September 28th & 29th.