With an ever-expanding digital infrastructure, an increasingly sophisticated cyber threat landscape, and a growing cybersecurity skills gap, IT and OT leaders are facing pressure daily to establish and maintain trust in their networks. Furthermore, the situation has become even more challenging in recent months with the need to secure remote work around the world. Zero trust Access (ZTA) addresses these concerns by providing full visibility and dynamic control over devices on the network.
To find out more about the challenges of securing network access, we met digitally with two of Fortinet’s Field CISOs: Alain Sanchez and Courtney Radke. We discussed the need for implementing Zero-trust Access in today’s evolving networks and expanding cyber threat landscape.
Q: Can you share some perspective on why Zero Trust Access is more critical than ever?
Alain – The sophistication of the cyber threat landscape has extended to new classes of attacks that aim to inflict damage while remaining silent. They are targeting IT and OT devices, and the industrial systems that manage production in segments such as manufacturing, energy, and pharmaceuticals. And the COVID-19 pandemic accelerated the need for full automation of production.
As production relies more and more on sophisticated regulation, no sensor, application, or user should by default be allowed to influence the running of any critical infrastructure or process. Due to the precision and speed of production required, any malicious order or fake value sent into the process can have devastating effects.
Network access can be compared to the physical access to a controlled building. The default state of all entry doors needs to be set to “closed,” and not “open.” Access rules need to be dynamically refreshed with real-time authentication systems. An individual’s credentials should not just be established at the exterior door, but throughout the building. And the overall behavior of that individual while inside the building should be monitored against a machine-learning baseline profile so that if an individual begins behaving badly, actions can be taken.
This holistic vision of a trust that is continuously earned rather than granted once for all access requires a full integration of the entire security ecosystem. The moment you have a subcomponent that can’t be pinged and dynamically compared to a model of how it is supposed to behave, you’re in danger of breaking the security chain. As CISOs discover these types of weak links within their controlled systems, they have to make hard decisions about who is allowed to do what. The best solution is to opt for a scalable security system that can establish and monitor a zero-trust access model.
Q: The growth of devices is key to the need for Zero Trust Access. Can you share some best practices for managing this exponential growth in terms of security?
Alain – Act quickly, never hastily. ZTA is about knowing and controlling who and what is on your network. Exponential growth should not be a reason for trading security for speed. Of course, the CISO must be the guardian of this principle. Even if enterprises have to catch up on months of production and backorders, security must remain a priority.
The second ally of the security team is automation. Automation is an outgrowth of proper planning and can save precious time in detecting and responding to cyber threats. Once a zero-trust model has been designed and adapted to the level of risk that your business is comfortable with, the deployment then needs to be orchestrated to reach the level of scalability required in large infrastructures.
Q: What are the areas or technologies that provide the most “bang for your buck” with regards to securing organizations’ network access using the zero trust model?
Courtney – Maintaining a strong perimeter is a key to success, although most would have you believe the perimeter no longer matters or is too undefinable to control. Has it expanded and grown more complicated? Absolutely. But it is by no means uncontrollable, nor should it be ignored. Aligning to the zero-trust model means implementing a least access policy that grants the user the minimum level of network access required for their role and removing any ability to access or see other parts of the network. The sharing of information and the building of context and baselines of your users, devices, and networks becomes pivotal to the success of a zero-trust model. It also allows for easier implementation of multifactor authentication (MFA), which is another key technology. MFA is the basis for Network Behavior Analytics (NBA) and User and Environment Behavior Analytics (UEBA) technologies, both of which are designed to protect a network from harm and allow for quicker identification and remediation once harm has been done.
Let me give a retail example. Retail is something we all understand since we all experience retail on a daily basis. As a tangible example, given the nature of retail today where omnichannel is the norm, implementing a zero-trust model is more challenging than ever.
For those unfamiliar with the term, omnichannel is a cross-channel content strategy that organizations use to improve user experience and drive better relationships with their customers across multiple points of contact. The purpose of providing omnichannel experiences is to unlock doors to the consumers and remove barriers wherever possible. It enables retailers to expand to new demographics and open up new revenue streams through technology, which is now required to remain competitive in today’s market. Unfortunately, however, every door you open to better enable customer engagement also provides new opportunities and new attack vectors for threat actors to compromise your business. Protecting these solutions requires carefully controlling who and what has access to internal systems, data, and devices.
Q: Is there anything about Zero trust Access that some CISOs may not have considered?
Alain – The zero-trust model is a strong concept that moves cybersecurity away from implied trust that is based on network location.. It’s a necessary approach as more and more business-critical and life-critical processes become fully digital. However, for people not versed in cybersecurity, the word might carry negative connotations. Wrongly interpreted, it might resonate as if the network, the PC, the applications, or in fact the entire digital ecosystem will stop recognizing its users. It can be seen as a barrier to productivity.
But nothing could be further from the truth. ZTA is a foundational pillar of any effective security strategy. It actually enables the right person to have immediate access to the resources they need to do their job, while also eliminating the risks and downtime that can result from unauthorized access. However, to advocate for the adoption of necessary security solutions such as this, especially as the cyber threat landscape continues to evolve, CISOs need to do more communication and education. They will find themselves not only needing to explain what needs to change and why, but more importantly, how these changes will benefit the organization. This communication is particularly important to those teams that have until now been managing user network access based on a legacy notion of implicit trust.
Q: How does Zero trust Access relate to VPNs and the increase in remote work?
Alain – The rise in remote working has put a spotlight on the limitations of VPNs that take a perimeter-based approach to security. Users connect through the VPN client, but once they’re inside the perimeter they often have broad access to the network, which exposes it to threats.
Unlike a traditional VPN-based approach, which assumes that anyone or anything that passes network security perimeter controls can be trusted, the zero-trust model takes the opposite approach: no user or device can be trusted to access anything until proven otherwise. A zero-trust network access (ZTNA) solution allows organizations to extend the zero-trust model beyond the network. The terms zero trust access (ZTA) and zero trust network access (ZTNA) are often used interchangeably, however, there is a difference. Whereas ZTA focuses on role-based access control to the network, ZTNA relates to brokered access for users to applications.
Unlike a traditional VPN tunnel that provides unrestricted access to the network and applications, ZTNA connections are granted to individual applications per-session. Access is granted only after both the device and user have been verified. Because location is no longer a reliable indicator for access as it is with a VPN, ZTNA policy is applied whether users are on or off the network.