Michael Xie, Founder, President, and Chief Technology Officer (CTO)
Even in the best of times, maintaining network visibility, orchestrating security policies, and consistently enforcing controls across a corporate network can be challenging. This process has been especially difficult over the last few years as organizations have embarked on almost constant digital innovation. These initiatives have pushed many security teams to the limit. Evolving business strategies and the need to remain competitive in today’s digital marketplace have fractured network perimeters and expanded the potential attack surface, rendering traditional security models and solutions obsolete. These challenges became more severe when organizations raced to support the rapid transition to working from home. From a network and security perspective, every employee’s home suddenly became an individual branch office.
Adding to the complexity, remote employees often had to connect to critical corporate resources, whether in the datacenter or in the cloud. And they had to collaborate with other remote workers using both work and personal devices from their largely unsecured home networks. Organizations were no longer able to rely on the advanced, enterprise-grade security solutions they had deployed in the core network to protect them from determined cybercriminals. Instead, they had to use VPN connection technology. Now, months later with 5G available, these challenges are going to be magnified.
Relying heavily on VPN technology to protect your network has a number of drawbacks. Setting up, maintaining, and troubleshooting VPN connections is not always easy, and a VPN tunnel is essentially a hardened conduit back to the resources users need to do their jobs. And a VPN provides little to no inspection into the traffic passing through it, which means it is only as secure as the device or home network from which it connects.
In addition, many networks are built around an implicit model of trust, which essentially means, “if you have managed to get past the network perimeter, you can go anywhere you want.” As a result, VPN tunnels take users past the firewall right into the middle of the production network. Cybercriminals seeking ways into the corporate network look for opportunities like this, so they can then move freely around the network looking for critical resources to steal, corrupt, or hold hostage. It’s part of the reason why FortiGuard Labs saw a seven-fold increase in ransomware attacks during the second half of 2020.
Securing the Network Begins with Zero Trust
The first step to securing highly distributed networks is to stop trusting everyone and everything. It’s particularly important for networks filled with remote workers, dynamically adapting environments, and multitudes of new users and IoT devices. A better approach is to assume the opposite: nothing and no one can be trusted. The idea of zero-trust assumes that any user or device that seeks network access has already been compromised.
Zero trust is exactly what it sounds like. Rather than allowing devices to freely connect to corporate resources, organizations reset their security to a deny-by-default status. Any user or device that wants access needs to provide validated credentials to the network before being granted that access. And then, they are only given permission to use those resources that are specifically required to do their job. Because all unvalidated traffic is denied by default, malicious users and compromised devices can’t even ping the network to see what other resources might be out there. As far as they are concerned, the rest of the network doesn’t even exist.
Implementing a true zero-trust strategy involves adopting two critical components: zero trust access (ZTA) and zero trust network access (ZTNA).
Zero Trust Access
ZTA extends and expands on the usual perimeter access controls organizations already have in place, such as firewalls, authentication, authorization, and accounting (AAA) services, and single sign-on (SSO). It adds additional levels of verification, such as tying access to the role of the user, their physical geolocation, and even the time or day that access is requested. Devices undergo the same level of scrutiny, including the type of device, whether it is a corporate or non-corporate asset, the software it is running, whether it has the latest patches, and whether the required security solutions are installed and enabled.
Of course, networks also have many devices that don’t involve an end user, such as printers, secured entryways, security cameras, HVAC systems, and other IoT solutions. Any ZTA solution also should include network access control (NAC) technology to discover, authenticate, and control such “headless” devices so they operate with the same zero trust principle of least access. Like users, headless devices are only granted sufficient permission to perform their role and nothing more.
With ZTA, because every device and user is authenticated, IT teams always have up-to-date visibility about everything on their network so they can provide consistent controls. They also can easily identify anything on their network that shouldn’t be there and take appropriate countermeasures.
Zero Trust Network Access
ZTNA is a new addition to the zero-trust model. It is designed for businesses and users who rely on applications, and can be used in conjunction with a VPN. ZTNA provides dynamic, secure access to business applications that can be deployed in data centers or in private or public clouds. It goes beyond the protections provided by VPN because it’s not perimeter-based. Users and devices are authenticated, access is granted based on policy, traffic is inspected, and security is applied so that any user, in any location, and on any device, receives the same level of protection whether or not they are working from inside the corporate network.
Once a user has been authenticated, they are granted access on a per-transaction basis. In other words, if a user wants to access an HR application, they are given permission to use only that resource and nothing else. And this authentication all happens dynamically and seamlessly. The process is transparent to the user, unless they are denied access to something they do not have permission to use.
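The access checks described for ZTA above (user role, geolocation, time of day, device posture, and headless devices) together with the per-resource grants described here, as an added Python example that is not Fortinet’s code or the post’s own; the policy table, field names, and sample devices are constructed assumptions chosen to illustrate deny-by-default and least-privilege evaluation.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, Tuple

# Constructed illustration of a zero-trust policy decision: every field name,
# role and resource below is an assumption, not a real product API.

@dataclass
class Device:
    device_id: str
    corporate_asset: bool   # corporate vs. non-corporate (BYOD) asset
    patched: bool           # latest patches applied
    agent_enabled: bool     # required security solution installed and running
    headless: bool = False  # printer, camera, HVAC controller (NAC-discovered)

@dataclass
class Request:
    user: str
    role: str
    country: str            # physical geolocation of the requester
    at: time                # time of day the access is requested
    device: Device
    resource: str

# Least-privilege grants: a role may reach only the resources listed under it,
# and only under the listed conditions. Anything not listed is denied by default.
POLICY: Dict[str, Dict[str, dict]] = {
    "hr-analyst": {"hr-app": {"countries": {"US", "CA"}, "window": (time(7), time(19))}},
    "badge-reader": {"door-controller": {"countries": {"US"}, "window": (time(0), time(23, 59))}},
}

def authorize(req: Request) -> Tuple[bool, str]:
    """Zero-trust decision: the request is denied unless every check passes."""
    # Device posture is re-verified on each request, not once at the perimeter.
    if not req.device.corporate_asset:
        return False, "non-corporate device"
    if not req.device.patched:
        return False, "device missing patches"
    if not req.device.headless and not req.device.agent_enabled:
        return False, "security agent not enabled"
    rule = POLICY.get(req.role, {}).get(req.resource)
    if rule is None:
        # No grant means the resource is effectively invisible to this identity.
        return False, f"{req.role} has no grant for {req.resource}"
    if req.country not in rule["countries"]:
        return False, "geolocation not permitted"
    start, end = rule["window"]
    if not (start <= req.at <= end):
        return False, "outside permitted time window"
    # Per-transaction grant: access to this one resource and nothing else.
    return True, f"access to {req.resource} only"
```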
Embracing Zero Trust Matters
Even before the pandemic, work-from-home was becoming a reality for many organizations. And IT teams and leaders were looking for ways to maintain control and visibility as their network continued to diversify and expand. But after the changes in 2020 caused by the pandemic, the need for consistent network visibility and access control quickly became critical. This trend isn’t likely to change because remote work is still a reality even if offices open up more around the world. Also, networks will only get more complex. Because users and devices may be located anywhere, IT and security teams need to implement zero-trust protections and controls to govern who and what is accessing the network and its resources.
Find out more about Fortinet’s simple, automatic secure remote access that verifies who and what is on your network and secures application access no matter where users are located.