Three key areas for zero-trust access

Issue 1 2021 Editor's Choice, Access Control & Identity Management, Information Security

The most secure network is one that has no connections. Of course, that idea is not only impractical, it defeats the purpose of a network. The reality is that no network is an island, and as businesses become more digital, networks inevitably become more complicated and dispersed. Today's networks now have many ‘edges’, so it's much harder than it used to be to create a single defensible boundary. In the face of these changes, the traditional network perimeter is dissolving, and it's far more difficult to tell who and what can be trusted.

Peter Newton.

To respond to increasing threats, best practices now stipulate a ‘trust no one, trust nothing’ attitude toward network access. Protecting the network with this zero-trust access (ZTA) approach means that all users, all devices and all web applications from the cloud must be trusted, authenticated, and have the correct amount of access privilege (and no more).

With perimeter-based security, anything that can bypass edge security checkpoints is given free access. But with ZTA, the assumption is that every device on your network is potentially infected, and any user is capable of compromising critical resources.

The zero-trust access model is not a new concept and CISOs (chief information security officers) who are planning to implement it can choose from a wide array of technologies that are designed to meet the requirements of the National Institute of Standards and Technology (NIST) Zero Trust Architecture. However, getting all these often-isolated technologies to work together to prevent security lapses can be challenging.

Focusing on three key areas of zero-trust access

With ZTA, the entire concept of trusted and untrusted zones no longer applies; location needs to be taken out of the equation entirely. The most effective strategy is a holistic approach that delivers visibility and control by focusing on three key areas: who is on the network, what is on the network and what happens to managed devices when they leave the network.

1. Who is on the network

Every digital enterprise has a variety of users. Traditional employees access the network, but often contractors, supply chain partners and even customers may need access to data and applications located either on-premises or in the cloud.

For an effective ZTA strategy, it's critical to determine who every user is and what role they play within an organisation. The zero-trust model focuses on a ‘least access policy’ that only grants a user access to the resources that are necessary for their role or job. After a user is identified, access to any other resources is only provided on a case-by-case basis.

This strategy starts with CISOs mandating breach-resistant identification and authentication. User identities can be compromised either through the brute force breaking of weak passwords or by using social engineering tactics such as email phishing. To improve security, many enterprises are adding multi-factor authentication (MFA) to their login processes. MFA includes something the user knows, such as a username and password, along with something the user has, such as a token device that generates a single-use code or a software-based token generator.

Once the identity of a user is authenticated through user login, multi-factor input, or certificates, it's then tied to a role-based access control (RBAC) system that matches an authenticated user to specific access rights and services.

CISOs need to make sure that security processes avoid being so complicated or onerous that they hamper productivity or user experiences. ZTA solutions that are fast and support single sign-on (SSO) can help improve compliance and adoption.

2. What is on the network

Because of the massive increase in applications and devices, the network perimeter is expanding and potentially billions of edges must now be managed and protected. For an effective ZTA strategy, CISOs need to manage the explosion of devices resulting from the Internet-of-Things (IoT) and bring-your-own-devices (BYOD) strategies. These devices might be anything from end-user phones and laptops to servers, printers, and IoT devices such as HVAC controllers or security access control readers.

To understand what devices are on the network at any given point in time, CISOs also need to implement network access control (NAC) tools that can automatically identify and profile every device as it requests network access, in addition to scanning it for vulnerabilities. To minimise the risk of device compromise, NAC processes need to be completed in seconds and provide consistent operations across both wired and wireless networks. Any NAC solution should also be easy to deploy from a central location, so it won’t require sensors at every device location.

Although it's important to enforce access control for all devices, IoT devices are particularly challenging because they are typically low-power, small form factor devices without memory or a CPU to support security processes, and they also often aren't compatible with endpoint security tools. Because access control can't be performed in the devices, the network itself needs to provide security.

As they consider ZTA solutions, CISOs need to make IoT control a priority. Access control through the network involves micro-segmenting the network with next-generation firewalls (NGFW) and grouping similar IoT devices together to harden the network. This approach breaks up the lateral (east-west) path through the network, so it's more difficult for hackers and worms to gain access to connected devices. It also reduces the risk that a hacker can use an infected device as a vector to attack the rest of the network.

3. What happens to managed devices when they leave the network

Because people use BYOD devices both for personal and business needs, the third key to an effective ZTA strategy is understanding what happens when devices leave the network. When they aren't logged into the network, users may browse the Internet, interact with others on social media, and receive personal emails. After being online, once they rejoin the network these users can inadvertently expose their devices and company resources to threats they may have picked up, such as viruses and malware.

Controlling managed devices when they go off the network is challenging. Thanks to cloud services, people can disconnect their device from the network at one location and reconnect it at another, or they might start working on one device and continue on another.

To contend with these challenges, endpoint security must be part of any ZTA solution. It should provide off-network hygiene control, including vulnerability scanning, web filtering, and patching policies. It should also provide secure and flexible options for virtual private network (VPN) connectivity.

Like identity management tools, endpoint security should support SSO. When an endpoint is connected to the network, the solution should relay device status information to other network and security components to determine risk and assign an appropriate access level.

Trust no one and leverage an effective zero-trust access strategy

The more people and devices that connect to a network, the less secure a traditional perimeter-based approach becomes. Every time a device or user is automatically trusted, it places the organisation's data, applications, and intellectual property at risk. CISOs need to shift the fundamental paradigm of an open network built around inherent trust to a zero-trust model with rigorous network access controls that span the distributed network.

By selecting integrated and automated tools, CISOs can help overcome the key challenges of zero-trust access: knowing who and what is on the network, controlling their resource access, and mitigating the risks of that access.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Enhance control rooms with surveillance and intelligence
Leaderware Editor's Choice Surveillance Mining (Industry)
Dr Craig Donald advocates the use of intelligence and smart surveillance to assist control rooms in dealing with the challenges of the size and dispersed nature common in all mining environments.

A long career in mining security
Technews Publishing Editor's Choice Security Services & Risk Management Mining (Industry)
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

A constant armed struggle
Technews Publishing XtraVision Editor's Choice Integrated Solutions Mining (Industry) IoT & Automation
SMART Security Solutions asked a few people involved in servicing mines to join us for a virtual round table and give us their insights into mine security today. A podcast of the discussion will be released shortly-stay tuned.

Risk management: There's an app for that
Editor's Choice News & Events Security Services & Risk Management
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Integrated information platform for risk management
Editor's Choice News & Events Security Services & Risk Management
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Unlocking Africa's AI potential
Editor's Choice News & Events AI & Data Analytics
Africa's AI market is set to grow exponentially; by investing in AI education, training, and ethical practices, African nations can harness the power of AI to transform the continent and create a brighter future for its people.

The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Security Services & Risk Management
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.