How to implement a Zero Trust security strategy
Fortinet
Zero Trust is based on the assumption that there are constant threats both outside and inside the network. Zero Trust also assumes that any attempt to access the network or an application is a threat. It is a network security philosophy that states that no one should be trusted inside or outside the network until their identity has been thoroughly verified. These assumptions underlie the strategy of network administrators and force them to develop strict, trustless security measures.
There is an all-too-common notion that implementing a zero-trust architecture requires a complete overhaul of the network. Certainly, some heavy lifting is required, but having the right framework and tools in place to execute is what makes an implementation succeed. Every environment needs a consistent zero-trust architecture. It is a cultural change, and often a bigger one than the technological change. It is about a mindset and a commitment to change how access is granted and how security is delivered across the organisation.
A "Zero Trust" security strategy determines the right access and requirements
The first step in developing a zero trust architecture is to decide who can do what - and this is probably the hardest task. You have to determine which resources each individual needs in order to do their job, and grant access to those resources only. And then you have to make sure that the devices those people use are properly secured.
Setting up Zero Trust Access (ZTA) involves end-to-end access controls for applications, powerful network access control technologies and strong authentication capabilities. One aspect of Zero Trust Access that focuses on controlling access to applications is Zero Trust Network Access (ZTNA). ZTNA extends the principles of ZTA to verify users and devices before each application session to confirm that they comply with the organisation's policy for accessing that application. ZTNA supports multi-factor authentication to ensure the highest level of verification.
Using the zero-trust model for application access, or ZTNA, allows organisations to rely less on traditional virtual private network (VPN) tunnels to secure assets that are accessed remotely. A VPN often provides unrestricted access to the network, which can allow compromised users or malware to move laterally on the network and exploit resources. However, ZTNA applies policies equally whether users are on or off the network. So an organisation has the same protection regardless of where a user connects from.
Implementing an effective ZTA security policy must include secure authentication. Many security breaches stem from compromised user accounts and passwords, so the use of multi-factor authentication is critical. Requiring users to provide two or more authentication factors to access an application or other network resources adds an extra layer of security to combat cybersecurity threats.
It is also important to ensure that users do not have inappropriate or excessive access rights. Applying the ZTA practice of "least privilege" as part of access management means that if a user account is compromised, cyber attackers will only have access to a limited subset of the company's resources. This is similar to network segmentation, but on a per-person basis. Users should only be allowed to access the resources they need for their particular task.
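The access model described above (identity, second factor, device posture, per-application least privilege, and the same decision on or off the corporate network) can be expressed as one policy-evaluation function. The code below is an added illustration, not Fortinet's code; the roles, applications and posture flag are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed example of a ZTNA-style access decision: every application session
# is checked against identity, device posture and per-app entitlements, and the
# decision never depends on whether the user is on the corporate network.

@dataclass(frozen=True)
class SessionRequest:
    user: str
    roles: frozenset
    mfa_verified: bool
    device_compliant: bool      # hypothetical posture check result (patched, agent running)
    on_corporate_network: bool  # collected for logging, must not influence the decision
    app: str

# Hypothetical least-privilege policy: which roles may reach which application
# and whether a second factor is mandatory for it. Anything not listed is denied.
APP_POLICY = {
    "payroll": {"roles": frozenset({"finance"}), "require_mfa": True},
    "wiki":    {"roles": frozenset({"finance", "engineering"}), "require_mfa": False},
}

def evaluate(req: SessionRequest) -> tuple:
    """Return (allowed, reason) for one application session; default deny."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application: default deny"
    if not req.device_compliant:
        return False, "device failed posture check"
    if policy["require_mfa"] and not req.mfa_verified:
        return False, "multi-factor authentication required"
    if not (req.roles & policy["roles"]):
        return False, "role not entitled to this application (least privilege)"
    return True, "granted for this session only; re-verified on the next one"

def location_independent(req: SessionRequest) -> bool:
    """True when the decision is identical on and off the corporate network."""
    on_net = replace(req, on_corporate_network=True)
    off_net = replace(req, on_corporate_network=False)
    return evaluate(on_net) == evaluate(off_net)

if __name__ == "__main__":
    alice = SessionRequest("alice", frozenset({"finance"}), True, True, False, "payroll")
    bob = SessionRequest("bob", frozenset({"engineering"}), True, True, True, "payroll")
    for r in (alice, bob):
        print(r.user, r.app, evaluate(r), "location-independent:", location_independent(r))
```

Contrast this with the VPN model in the next paragraph: a VPN decision is made once, at the network edge, and grants reach to the whole segment, whereas here each application name is evaluated separately and a compromised account still cannot reach applications its role is not entitled to.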
Ensure that all devices are secured with Zero Trust
Device security also plays a key role in implementing an effective Zero Trust security policy. It is essential to ensure that the devices people use are properly secured. This is especially important as IoT devices become more widespread and larger targets for cyber attackers.
Because IoT devices typically cannot run installed security software and lack built-in security features, they are essentially "headless". As technology has advanced, so has the interconnectivity of IoT ecosystems with the corporate network and the wider internet.
This new connectivity and the expansion of IP-enabled devices means that IoT devices have become a prime target for cybercriminals. Most IoT devices are not designed with security in mind, and many have neither traditional operating systems nor sufficient computing power or memory to incorporate security features.
One advantage of ZTA is that it can authenticate endpoints and IoT devices to establish and maintain comprehensive management control and ensure visibility of every component connected to the network. For headless IoT devices, network access control (NAC) solutions can provide discovery and access control. Using NAC policies, organisations can apply the zero-trust principle of least access to IoT devices and grant only as much network access as is necessary for them to perform their tasks.
Develop a strong Zero Trust security policy
When it comes to zero-trust security, you need to develop and execute a plan that ensures consistent protocols and policies are implemented throughout the network. Regardless of who or what is requesting access, and from where, the rules must be consistent. This means finding zero-trust security tools that aren't just for the cloud, because if you're running a hybrid network, you need to apply the same zero-trust rules to your physical campus as you do to your remote employees and assets. In practice, few organisations are cloud-only; most have adopted a hybrid approach, and yet many zero-trust solution providers are developing cloud-only solutions.
Over the past year, organisations have begun to rely more heavily on hybrid and multi-cloud environments to support their ongoing digital transformation needs. According to a recent report by Fortinet, 76% of companies surveyed reported using at least two cloud providers.
An important aspect to consider is the differences between cloud platforms. Each has different built-in security tools and features with different capabilities, command structures, syntax and logic. The data centre is yet another distinct environment. Furthermore, companies migrate workloads into and out of clouds. Each cloud offers unique benefits, and it is important that the organisation is able to use the clouds that meet its business needs; cybersecurity should not hinder this. However, as each cloud provider offers different security services with different tools and approaches, each of your clouds becomes an independent silo in a fragmented network security infrastructure - not an ideal arrangement.
However, if you have a common security overlay across all of these data centres and clouds, you provide a layer of abstraction on top of each tool that gives you visibility across clouds, control over them, and the ability to establish a common security posture regardless of where an application resides or where it moves.
In short, applications can be anywhere - on campus, in a branch office, in the data centre or in the cloud. That's why it's so important to ensure that your zero-trust approach can deliver the same protocols regardless of where employees are physically located and how they access corporate resources.
Implement a Zero Trust architecture for stronger security
As network boundaries continue to dissolve, due in part to edge computing technologies and the global shift to remote work, organisations need to take advantage of every security benefit available. This includes knowing how to implement a zero-trust security strategy. Because there are so many threats, both external and internal, it is appropriate to treat every person and thing that attempts to gain access to the network and its applications as a potential threat. Trustless security measures do not require a complete overhaul of the network, but they will result in stronger network protection. By making the effort to implement Zero Trust Access and its offshoot, Zero Trust Network Access, you relieve your IT security team of extra work and significantly increase your security quotient.