Three key areas for zero-trust access

Issue 1 2021 Editor's Choice, Access Control & Identity Management, Cyber Security

The most secure network is one that has no connections. Of course, that idea is not only impractical, it defeats the purpose of a network. The reality is that no network is an island, and as businesses become more digital, networks inevitably become more complicated and dispersed. Today's networks now have many ‘edges’, so it's much harder than it used to be to create a single defensible boundary. In the face of these changes, the traditional network perimeter is dissolving, and it's far more difficult to tell who and what can be trusted.

Peter Newton.

To respond to increasing threats, best practices now stipulate a ‘trust no one, trust nothing’ attitude toward network access. Protecting the network with this zero-trust access (ZTA) approach means that all users, all devices and all web applications from the cloud must be trusted, authenticated, and have the correct amount of access privilege (and no more).

With perimeter-based security, anything that can bypass edge security checkpoints is given free access. But with ZTA, the assumption is that every device on your network is potentially infected, and any user is capable of compromising critical resources.

The zero-trust access model is not a new concept and CISOs (chief information security officers) who are planning to implement it can choose from a wide array of technologies that are designed to meet the requirements of the National Institute of Standards and Technology (NIST) Zero Trust Architecture. However, getting all these often-isolated technologies to work together to prevent security lapses can be challenging.

Focusing on three key areas of zero-trust access

With ZTA, the entire concept of trusted and untrusted zones no longer applies; location needs to be taken out of the equation entirely. The most effective strategy is a holistic approach that delivers visibility and control by focusing on three key areas: who is on the network, what is on the network and what happens to managed devices when they leave the network.

1. Who is on the network

Every digital enterprise has a variety of users. Traditional employees access the network, but often contractors, supply chain partners and even customers may need access to data and applications located either on-premises or in the cloud.

For an effective ZTA strategy, it's critical to determine who every user is and what role they play within an organisation. The zero-trust model focuses on a ‘least access policy’ that only grants a user access to the resources that are necessary for their role or job. After a user is identified, access to any other resources is only provided on a case-by-case basis.

This strategy starts with CISOs mandating breach-resistant identification and authentication. User identities can be compromised either through the brute force breaking of weak passwords or by using social engineering tactics such as email phishing. To improve security, many enterprises are adding multi-factor authentication (MFA) to their login processes. MFA includes something the user knows, such as a username and password, along with something the user has, such as a token device that generates a single-use code or a software-based token generator.

Once the identity of a user is authenticated through user login, multi-factor input, or certificates, it's then tied to a role-based access control (RBAC) system that matches an authenticated user to specific access rights and services.

CISOs need to make sure that security processes avoid being so complicated or onerous that they hamper productivity or user experiences. ZTA solutions that are fast and support single sign-on (SSO) can help improve compliance and adoption.

2. What is on the network

Because of the massive increase in applications and devices, the network perimeter is expanding and potentially billions of edges must now be managed and protected. For an effective ZTA strategy, CISOs need to manage the explosion of devices resulting from the Internet-of-Things (IoT) and bring-your-own-devices (BYOD) strategies. These devices might be anything from end-user phones and laptops to servers, printers, and IoT devices such as HVAC controllers or security access control readers.

To understand what devices are on the network at any given point in time, CISOs also need to implement network access control (NAC) tools that can automatically identify and profile every device as it requests network access, in addition to scanning it for vulnerabilities. To minimise the risk of device compromise, NAC processes need to be completed in seconds and provide consistent operations across both wired and wireless networks. Any NAC solution should also be easy to deploy from a central location, so it won’t require sensors at every device location.

Although it's important to enforce access control for all devices, IoT devices are particularly challenging because they are typically low-power, small form factor devices without memory or a CPU to support security processes, and they also often aren't compatible with endpoint security tools. Because access control can't be performed in the devices, the network itself needs to provide security.

As they consider ZTA solutions, CISOs need to make IoT control a priority. Access control through the network involves micro-segmenting the network with next-generation firewalls (NGFW) and grouping similar IoT devices together to harden the network. This approach breaks up the lateral (east-west) path through the network, so it's more difficult for hackers and worms to gain access to connected devices. It also reduces the risk that a hacker can use an infected device as a vector to attack the rest of the network.

3. What happens to managed devices when they leave the network

Because people use BYOD devices both for personal and business needs, the third key to an effective ZTA strategy is understanding what happens when devices leave the network. When they aren't logged into the network, users may browse the Internet, interact with others on social media, and receive personal emails. After being online, once they rejoin the network these users can inadvertently expose their devices and company resources to threats they may have picked up, such as viruses and malware.

Controlling managed devices when they go off the network is challenging. Thanks to cloud services, people can disconnect their device from the network at one location and reconnect it at another, or they might start working on one device and continue on another.

To contend with these challenges, endpoint security must be part of any ZTA solution. It should provide off-network hygiene control, including vulnerability scanning, web filtering, and patching policies. It should also provide secure and flexible options for virtual private network (VPN) connectivity.

Like identity management tools, endpoint security should support SSO. When an endpoint is connected to the network, the solution should relay device status information to other network and security components to determine risk and assign an appropriate access level.

Trust no one and leverage an effective zero-trust access strategy

The more people and devices that connect to a network, the less secure a traditional perimeter-based approach becomes. Every time a device or user is automatically trusted, it places the organisation's data, applications, and intellectual property at risk. CISOs need to shift the fundamental paradigm of an open network built around inherent trust to a zero-trust model with rigorous network access controls that span the distributed network.

By selecting integrated and automated tools, CISOs can help overcome the key challenges of zero-trust access: knowing who and what is on the network, controlling their resource access, and mitigating the risks of that access.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

FortiGuard labs reports disruptive shift of cyber threats
Issue 1 2021 , Editor's Choice
Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks.

The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Retail solutions beyond security
Issue 8 2020, Axis Communications SA, Technews Publishing, Hikvision South Africa , Editor's Choice, CCTV, Surveillance & Remote Monitoring
The need for security technology to deliver more than videos of people falling or stealing from retail stores is greater than ever.

Suprema ranks first in survey
Issue 2 2021, Suprema, neaMetrics , News, Access Control & Identity Management
In a recent survey conducted in Korea, Suprema was chosen as the top brand for access control management software and mobile access solutions.

Smart healthcare
Issue 2 2021 , Editor's Choice
In the past year, hospitals, elder care and other healthcare facilities have found themselves overwhelmed with new patients, COVID-19 regulations and other side effects of the pandemic. As efforts focused ...

Platform-based access management solution
Issue 2 2021, ASSA ABLOY South Africa , Editor's Choice
Available in South Africa and throughout sub-Saharan Africa, new Incedo Business connects all your security software and hardware within one platform. You can easily scale it up or down, based on your needs, to keep your people moving and your business growing.

FS Systems celebrates 50 years
Issue 2 2021 , Editor's Choice
This year, FS Systems celebrates 50 years in the fire detection and enterprise security market, successfully executing projects in over nine countries in Africa and LATAM.

Formative AI and distributed cloud among four megatrends revealed at MIPS 2021
Issue 2 2021, Milestone Systems , Editor's Choice
Almost 4000 participants representing end customers, technology partners and media from across the globe attended the first virtual MIPS conference, held over two days in March 2021.

Kiss passwords G00dby3
Issue 2 2021 , Editor's Choice
Cisco Secure has unveiled infrastructure agnostic, passwordless authentication by Duo which enables enterprise users to skip the password and securely log into cloud applications via security keys or biometrics built into modern laptops and smartphones.

200 000 daily access transactions
Issue 2 2021, Impro Technologies , Editor's Choice
The University of KwaZulu-Natal’s legacy access control system was suffering from increasingly limited support, both in terms of hardware and software, with maintenance becoming a pressing concern as it on-boards approximately 9000 new students each year across five campuses.