Zero trust is the future
According to the latest global threat landscape report from Fortinet’s FortiGuard Labs, advanced persistent threats (APTs) continue to pose a significant risk to organisations. These attacks can be launched via social engineering and spear phishing as well as malware and other approaches. Ransomware also continues to be a significant issue, with a sevenfold increase in activity in December compared to July 2020, and this trend seems set to continue.
It has become a truism that the question for most organisations isn’t whether they’ll be attacked but when. For many businesses, the need to improve their cybersecurity posture has become urgent without them even realising it.
As the business world becomes more digitalised, the potential attack vectors available to threat actors continue to increase. The perimeter is blurring, making it harder to defend, and the proliferation of endpoints makes it difficult for organisations to gain the full visibility and control needed to protect the network. Users no longer work solely from a desktop PC and a landline phone. Instead, they have laptops, tablets, smartphones, smart watches, and any number of other devices, all connected to the internet. They’re working from offices, their homes, branch locations, and public places. As 5G takes off, the speed at which attackers will be able to launch their attacks will increase exponentially. This will turn corporate cybersecurity into a virtual game of whack-a-mole for unprepared cybersecurity teams.
As organisations scrambled to respond to the challenges posed by lockdowns due to the coronavirus pandemic, they sacrificed centralised visibility and control for the ability to provision teams to work from anywhere. This trade-off was considered necessary at the time. However, now that organisations have settled into the new landscape, it’s essential to re-examine network protections and ensure the right measures are in place.
This is where zero trust can help. As the name suggests, zero trust network security assumes that no one inside or outside the network should be trusted until their identity has been thoroughly verified. Instead of the traditional approach, in which users who have already gained access to the network are assumed to be trustworthy, zero trust requires strict identity verification for every individual or device that accesses any application within the network.
The benefits of zero trust
Before exploring how zero trust works, it’s valuable to consider the benefits of a zero trust model. These include:
How zero trust works
Zero trust helps simplify the complexity by refocusing attention away from the attack surface, which is amorphous and expanding. Instead, it focuses attention on data, applications, assets, and services. These aspects are easier for security teams to get their arms around and create a natural focus point for protective measures.
Once the key data, applications, assets, and services are identified, the organisation can segment them, creating a virtual fence around them. Any user attempting to enter the fenced-off area must identify themselves satisfactorily via a segmentation gateway.
A zero trust network depends on five key factors for success:
1. Multifactor authentication
Traditional password-based security created weaknesses because a malicious actor merely had to obtain the user’s username and password. This gave them the figurative keys to the kingdom. Multifactor authentication (MFA) requires more than just a username and password; it also requires the user to present an additional factor. This could be a biometric identifier such as a fingerprint or retina scan. More commonly, MFA is managed by sending a code to the user’s smartphone, which they then need to enter before gaining access to the system. MFA can also require users to hold a hardware token, such as a dongle or USB security key.
2. Endpoint verification
Endpoints are the devices that are connected to the network. If a user’s laptop is stolen, for example, it could potentially be used to access the network. Therefore, it’s important to ensure that endpoints are being controlled by the right person. In a zero trust approach, the endpoint has its own layer of authentication, which usually requires the user to respond on the device to confirm its validity.
3. Microsegmentation
Zero trust approaches are only as powerful as their microsegmentation. Microsegmentation refers to the virtual fences that are erected around parts of the network. These fences restrict users to the areas they’re authorised to operate within. If a user wants to move into a different fenced area, the microsegmentation approach requires further authentication. This effectively stops threats from proliferating throughout the network, containing them to a single fenced-off area.
4. Least-privilege access
In many organisations, users are granted access to the business’s systems in their entirety. This means that every user is a potential entry point for hackers into the organisation’s most sensitive areas. This can be overcome by invoking least-privilege access, which is where users are only granted access to the resources they need to do their daily jobs. Any attempt by this user to access off-limits systems, data, or applications would generate a red flag. This restricts the number of entry points and reduces the volume of MFA credentials that need to be managed.
5. Zero trust network access
Organisations can take zero trust a step further by requiring authentication before users access any applications. This is crucial when organisations are managing remote workforces because it removes any location-specific privileges; every user is treated the same whether they’re in the network or not. This approach can replace the traditional virtual private network (VPN) tunnels previously used to improve security.
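The five factors above can be read as a single policy decision made at the segmentation gateway for every request: is the second factor verified, is the endpoint a known and attested device, does the user's role grant access to the segment the application sits in, and is the network location ignored rather than trusted. The following is an added example, not code from Spark or Fortinet; the role table, segment map, device list and field names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed least-privilege role table: each role lists only the segments
# it may reach. No role is granted network-wide access.
ROLE_SEGMENTS = {
    "finance": {"erp", "payroll"},
    "engineer": {"source-repo", "ci"},
    "helpdesk": {"ticketing"},
}

# Constructed microsegmentation map: which virtual fence each application sits behind.
APP_SEGMENT = {
    "ledger": "erp",
    "payslips": "payroll",
    "gitlab": "source-repo",
    "jenkins": "ci",
    "servicedesk": "ticketing",
}

# Constructed inventory of managed endpoints known to the organisation.
MANAGED_DEVICES = {"lt-001", "lt-002"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool        # factor 1: an additional factor was presented and validated
    device_id: str
    device_attested: bool     # factor 2: the endpoint confirmed on-device that it is in the right hands
    application: str
    network_location: str     # "corporate" or "internet"; recorded for logging, never trusted


def evaluate(req, managed_devices=MANAGED_DEVICES):
    """Return (allowed, reason) for one request.

    Every request is checked the same way regardless of req.network_location,
    which is what makes the gateway a zero trust network access point (factor 5)
    rather than a perimeter that trusts whoever is already inside.
    """
    if not req.mfa_verified:
        return False, "mfa-required"
    if req.device_id not in managed_devices or not req.device_attested:
        return False, "unverified-endpoint"
    segment = APP_SEGMENT.get(req.application)
    if segment is None:
        return False, "unknown-application"
    # Microsegmentation (factor 3) plus least privilege (factor 4): the role must
    # explicitly include the segment; crossing into another fence is denied here
    # and surfaces as a red flag in the gateway's decision log.
    if segment not in ROLE_SEGMENTS.get(req.role, set()):
        return False, f"segment-denied:{segment}"
    return True, "allow"


def audit(requests, managed_devices=MANAGED_DEVICES):
    """Return the denial reasons for a batch of requests, in order; these are the
    events a security team would want forwarded to monitoring."""
    return [reason for req in requests
            for allowed, reason in [evaluate(req, managed_devices)] if not allowed]


if __name__ == "__main__":
    sample = [
        AccessRequest("alice", "finance", True, "lt-001", True, "ledger", "internet"),
        AccessRequest("alice", "finance", False, "lt-001", True, "ledger", "corporate"),
        AccessRequest("alice", "finance", True, "lt-001", True, "gitlab", "corporate"),
    ]
    for req in sample:
        print(req.user, req.application, req.network_location, evaluate(req))
```

Note that the second request is denied even though it originates from the corporate network, while the first is allowed from the internet: location carries no privilege, which is the property that lets this model stand in for a VPN.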
How to implement a zero trust network
As organisations move to the cloud, zero trust is essential. The cloud environment has different security requirements from on-premises, legacy networks. Cloud environments can also present different control challenges, making it difficult to implement a consistent and reliable security approach that covers both the organisation’s cloud and on-premises architecture. Therefore, organisations must implement zero trust in the cloud as well.
There are three basic steps to create a zero trust approach to security:
1. Define what needs to be protected
It’s essential to start by understanding what needs to be protected. This may include data and information, applications and systems, and network equipment.
2. Limit access
Managing user permissions based on their role will help limit user access to only those systems and data repositories that are absolutely necessary. This reduces the impact of human error and weak passwords, limiting an attacker’s ability to reach the more sensitive areas of a network.
3. Provide visibility
Security depends on visibility, so it’s essential to use visibility tools like reports, analytics, real-time monitoring, and logs to understand normal patterns of behaviour and identify anomalous activity that could signify an attack in progress. This also helps remediate systems following an attack.
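Step 3 and the "red flag" mentioned under least-privilege access come together in the gateway's decision log: a baseline of normal behaviour is learned from past allowed requests, and later events are compared against it. The following is an added example, not code from Spark or Fortinet; the JSON log format, field names, sample records and thresholds are all constructed for illustration, and it assumes the gateway logs one decision per line.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of access-decision log lines, one JSON record per line,
# as a segmentation gateway might emit them. Not real data.
SAMPLE_LOG = """
{"ts":"2021-03-01T09:00:00","user":"alice","device":"lt-001","app":"ledger","result":"allow"}
{"ts":"2021-03-01T09:05:00","user":"alice","device":"lt-001","app":"payslips","result":"allow"}
{"ts":"2021-03-02T09:01:00","user":"alice","device":"lt-001","app":"ledger","result":"allow"}
{"ts":"2021-03-02T10:00:00","user":"bob","device":"lt-002","app":"gitlab","result":"allow"}
{"ts":"2021-03-03T02:14:00","user":"alice","device":"lt-099","app":"ledger","result":"allow"}
{"ts":"2021-03-03T02:15:00","user":"alice","device":"lt-099","app":"gitlab","result":"deny","reason":"segment-denied"}
{"ts":"2021-03-03T02:15:30","user":"alice","device":"lt-099","app":"jenkins","result":"deny","reason":"segment-denied"}
{"ts":"2021-03-03T02:16:00","user":"alice","device":"lt-099","app":"servicedesk","result":"deny","reason":"segment-denied"}
"""

# Everything before this point is treated as the learning period (constructed).
DEMO_CUTOFF = datetime(2021, 3, 3)


def parse_log(text):
    """Parse JSON-per-line decision records and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Learn each user's normal devices and applications from allowed events before cutoff."""
    baseline = defaultdict(lambda: {"devices": set(), "apps": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "allow":
            baseline[e["user"]]["devices"].add(e["device"])
            baseline[e["user"]]["apps"].add(e["app"])
    return baseline


def detect(events, baseline, cutoff, window=timedelta(minutes=5), burst=3):
    """Return (kind, user, detail) alerts for events at or after cutoff.

    kinds: "new-device"    a user appears on a device not in their baseline
           "denied-access" any attempt to cross into an off-limits segment
           "denial-burst"  `burst` or more denials for one user within `window`
    """
    alerts = []
    reported_devices = set()
    denial_times = defaultdict(list)
    for e in events:
        if e["ts"] < cutoff:
            continue
        user = e["user"]
        known = baseline.get(user, {"devices": set(), "apps": set()})
        if e["device"] not in known["devices"] and (user, e["device"]) not in reported_devices:
            reported_devices.add((user, e["device"]))
            alerts.append(("new-device", user, e["device"]))
        if e["result"] == "deny":
            alerts.append(("denied-access", user, e["app"]))
            denial_times[user].append(e["ts"])
    # Sliding window over each user's denial timestamps; one burst alert per user.
    for user, stamps in denial_times.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= burst:
                alerts.append(("denial-burst", user, f"{j - i} denials within {window}"))
                break
    return alerts


def summarise(alerts):
    """Count alerts by kind, the figure a daily report would show."""
    return dict(Counter(kind for kind, _, _ in alerts))


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect(evts, build_baseline(evts, DEMO_CUTOFF), DEMO_CUTOFF)
    for alert in found:
        print(alert)
    print(summarise(found))
```

In the constructed sample the learning period shows alice only ever on lt-001 and only reaching finance applications, so the early-morning session from lt-099 that then probes three other segments produces a new-device alert, three denied-access records and one denial-burst alert; the denials themselves are the least-privilege fences holding, and the burst is what turns them into an incident worth investigating.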
How Spark can help
Today’s successful and nimble organisations are using the cloud to stay connected and move fast. Securing the cloud environment is non-negotiable and urgent. Solutions like the Spark Cloud Managed Network are underpinned by modern security tools that deliver the visibility and control needed to keep your business safe in the cloud. Contact us now and one of our experts will be in touch.
Presented with Spark partner, Fortinet.
Want to learn more? Find out what Cloud Managed Network can do for your business.