Zero Trust Access (ZTA) solutions exist for nearly every part of the network. However, a piecemeal approach to ZTA control leaves security gaps and is costly and cumbersome to manage.
The Fortinet Zero Trust Access (ZTA) framework leverages a tightly integrated collection of security solutions that enable organizations to identify and classify all users and devices seeking network access, assess their state of compliance with internal security policies, automatically assign them to zones of control, and continuously monitor them, both on and off the network.
“Zero trust” has become a buzzword in recent years, adopted by many different technology vendors. ZTA is an important pillar of an overall platform strategy that combines ZTA with security-driven networking, dynamic cloud security, and artificial intelligence (AI)-driven security operations. When organizations permit access under ZTA constraints, they confine users to the resources that are necessary for their role only. ZTA also stipulates the identification, monitoring, and control of networked devices, which are often more numerous than users.
With decades of experience in helping enterprises maintain security coverage for their rapidly expanding networks, Fortinet offers a highly effective ZTA framework that delivers visibility and control in three key areas: users on the network, devices on the network, and those users’ and devices’ offline activities.
Effective and Practical Identity and Access Management
Both legitimate network users and bad actors command the CISO’s attention, whether they are driving business success or jeopardizing it. For this reason, user identity management is a cornerstone of the Fortinet Security Fabric. Organizations can achieve complete user visibility and effective access policy enforcement with the Identity and Access Management (IAM) portion of the ZTA framework:
FortiAuthenticator serves as the hub of authentication, authorization, and accounting (AAA); access management; single sign-on (SSO); and guest management services. It establishes user identity through logins, certificates, and/or multi-factor inputs. FortiAuthenticator shares these inputs with role-based access control (RBAC) services to match an authenticated user to specific access rights and services. FortiAuthenticator also supports Security Assertion Markup Language (SAML) implementations, enabling users to securely access Software-as-a-Service (SaaS) solutions such as Salesforce, ADP, or Microsoft 365.
FortiToken provides two-factor authentication services to FortiAuthenticator, either through a hardware token or as a mobile solution. The mobile solution is an open authorization (OAuth)-compliant one-time password (OTP) generator application for Android and iOS devices that supports both time-based and event-based tokens. The zero-footprint solution makes it easy to scale multi-factor authentication implementations across the enterprise.
Whether the organization has a Fortinet Security Fabric in place or another security infrastructure, Fortinet ZTA solutions for user identity and access management provide robust security for the Fortinet Security Fabric.
Components of the Fortinet Zero-Trust Access Control Framework
Security for All the Things
The second objective of the Fortinet Zero-Trust Access solution is to maintain continuous visibility and access control of all devices on the network. This has been a considerable pain point for organizations. The growth in network device footprints is far outpacing the growth in network users—and certainly that of security teams. To help relieve those teams, Fortinet ZTA solutions provide integrated and automated discovery, classification, segmentation, and incident response.
Automated discovery and classification
The FortiNAC network access control solution accurately discovers and identifies every device on, or seeking access to, the network; scans it to ensure that it is not already compromised; and classifies it by role and function. FortiNAC can leverage existing agents to retrieve device information, but many organizations may not want to have to install agents at every location, in which case FortiNAC can communicate with the network initially, and then later identify devices.
FortiNAC can deliver dynamic network microsegmentation in a mixed vendor environment, supporting more than 170 different vendors and 2,400 different devices and interacting with the network to keep devices in the proper network segment.
FortiNAC also integrates with FortiGate NGFWs to enable intent-based segmentation. This is an approach to segmentation based on business objectives, such as compliance with data privacy laws such as the General Data Protection Regulation (GDPR) or Payment Card Industry Data Security Standard (PCI DSS) transaction protection. With intent-based segmentation in place, security teams can tag assets with compliance restrictions, which FortiGate enforces, regardless of where the assets move in the network, helping to reduce the time and cost of compliance implementation. Organizations may also use intent-based segmentation to maintain internal access policies when they restructure the business, without having to reconfigure the network itself.
Zero trust security model assumes that trust is transient; a device may be certified as trusted and then subsequently infected. Also, the applications it runs may become compromised. To maintain up-to-date trust statuses for all devices on the network, FortiNAC provides ongoing monitoring, with real-time incident response. Once it detects abnormal device behavior, FortiNAC can take a variety of countermeasures, such as reassigning the device to a quarantine zone so that compromised devices cannot serve as a staging ground for threat infiltration or data exfiltration, or put devices in a remediation network segment for the user to address whatever issue has been detected.
Protecting Assets on and off the Network
For end-user devices, such as laptops and mobile phones, Fortinet extends ZTA control to both on- and off-network operation through FortiClient.
Secure remote access
To enable secure remote access, FortiClient provides flexible options for VPN connectivity. It supports both secure sockets layer (SSL) and Internet Protocol security (IPsec) VPNs. A split tunneling feature enables remote users on SSL VPNs to access the internet without their traffic having to pass through the corporate VPN headend, as in a typical SSL tunnel. This reduces latency, which improves user experience. At the same time, FortiClient includes protections to ensure that internet-based transactions cannot backflow into the VPN connection and jeopardize the corporate network.
When end-user devices reconnect with the enterprise network, the FortiClient Fabric Agent shares endpoint security telemetry data—device operating system (OS) and applications, known vulnerabilities, patches, and security status—with FortiGate NGFWs and the rest of the Fortinet Security Fabric. This data helps the Fortinet ZTA tools refine the access rules for the devices.
The key to successfully implementing ZTA is to balance security and accessibility, since locking down the network is rarely an option. Fortinet ZTA solutions make it easier to accurately discover all the devices and users accessing the network and manage the associated security risks of each. This puts CISOs in a better position to support digital innovation (DI) initiatives that expand network access and leverage new network-connected technologies. Zero trust security needs to be more than a buzzword or a talking point. With the right solution, it delivers true business value.
Zero trust has become extremely popular these days. It’s crucial to understand what it is and what it’s not.
A zero trust security model is a methodical initiative that can help prevent data breaches by getting rid of the concept of trust from the network architecture of an organization. Based on the principle to trust no one and to always verify first, zero trust security is made to offer protection to modern digital settings by using network segmentation, stopping lateral movement, offers a layer 7 type of threat prevention, as well as the simplification of granular user access control.
Zero trust is made by John Kindervarg when he was still the principal analyst and vice president for Forrester Research, according to the realization that conventional security models work on the old assumption that all that’s within the network must be trusted. With this broken trust model, it’s assumed that the identity of the user isn’t compromised and that all users will act responsibility and could be trusted.
The zero trust security model considers trust as a vulnerability. When the network, as well as the users such as the malicious insiders and threat actors, can move freely laterally and then exfiltrate all the data that they’re not limited to. Keep in mind that the infiltration point of the attack isn’t the target location, in most cases.
You determine a security surface when it comes to a zero trust. It is comprised of the most valuable and critical assets, data, services, as well as applications in the network. The surfaces that are unique to every organization are protected. Since it only has what’s most important to the operations of a company, the protect surface much smaller than an attack surface, and it’s always recognizable.
Once the protect surface has been identified, you can now determine how the traffic moves within the organization according to the protect surface. Understanding who are the users, what applications are being used, and how they’re connecting is the only method to identify and enforce the policy that makes sure that the access to your data is secure.
Controls will be set in place as near to the protect surface as you can, which lead to the creation of a microperimeter, which moves the protect surface, anywhere it goes. Deploy a segmentation gateway to make a microperimeter. This is also known as a next generation firewall so that that only known and permitted traffic or legit applications can access the protect surface.
Achieving zero trust is considered by many as a complex and costly process. But, zero trust will be set up according to your company’s existing architecture and doesn’t require to you get rid of or replace the technology that you currently have. You will find no zero trust products. But you’ll find products that work cohesively with zero trust environments. There are also those that don’t. Zero trust isn’t difficult to deploy, execute, and maintain. You can do this using a five step approach.
Think about the regular network architecture of any organization. It’s typically a disorderly array of network connections going in every direction between different infrastructure devices on a legacy flat network. Each time the infrastructure needs a change, you should breathe deeply and open the network diagram, hoping that you could wedge the new requirements into this complicated environment. The cost and time to manage this network infrastructure appears to increase yearly. To deal with this dilemma, IT leaders turn to zero trust security and software defined technology. They are eager to make the most out of the simplicity as well as the cost savings but careful about the security implications.
Understanding Zero Trust Security
This new method of offering security for the company is built on the model of zero trust. The National Institute of Standards and Technology (NIST) said that a zero trust model will allow IT support experts to cease trusting packets like they were individuals and get rid of the concept of a trusted network as well as an untrusted network. When it comes to a zero trust network, all the network traffic will be untrusted.
That means, this new method involves authenticating first and providing access to the network next. It will be hard to carry out this method at scale for many different reasons.
The best place to begin on this zero trust security journey will be the wide area network or the WAN. According to the IDC, worldwide revenues will go up over the years. As you can see, the shift to the SD-WAN has created a lot of excitement. But, many IT support professionals are still not sure how to secure this kind of network. Let us begin with a few of the most common problem points and discuss how IT expert can deal with them by executing a secure SD-WAN.
Network Connectivity and Security
Among the most pressing and obvious benefits of SD-WAN is enhanced network security.
An SD-WAN could also help enterprises lower the cost of network connectivity by routing the company network traffic securely over public internet, getting rid of the need to pay for the costly private multiprotocol label switching (MPLS) circuits.
SD-WAN can help optimize your application and network performance by doing the following: