Traditional perimeter-based security designs—gateway firewalls, client VPNs, and password-only application authentication—are inadequate for today’s increasingly dispersed systems. Enterprise boundaries have disappeared due to business demands such as the ability to accommodate remote workers, the use of hybrid and multi-cloud workloads, and the widespread adoption of SaaS apps.
In addition, it is necessary to implement zero-trust access (ZTA) security to prevent incursions due to the intelligence and aggression of today’s hackers and attack methodologies. A zero-trust implementation plan for each agency must be in place by July 2021, according to an executive order that the US President issued in May 2021.
Although the zero-trust security model has been around for more than ten years, few businesses have adopted it because of the lack of readily accessible software, the difficulty of deployment, and an exaggerated perception of the effectiveness of current security methods. NIST recommendations (NIST Special Publication 800-207) outline five principles that ZTA adheres to solve the flaws in conventional security designs:
i. Resources that must safeguard include all data sources and computer services.
ii. The least privileges necessary to execute the task are used to authenticate users and briefly allow access to resources for a specific session. Using a verified and authorized IAM system, and ideally, multifactor authentication, and authorization are dynamic and reviewed for each access attempt (MFA).
iii. Policies that determine resource access take into account the identity of the client making the request, the identity and provenance of the device making the request, the requested application or data, and behavioral factors like usage anomalies, device telemetry, client location, time, and the presence of ongoing attacks.
iv. Every kind of communication is encrypted and authenticated.
v. All corporate resources’ activity, security, and integrity are constantly tracked and analyzed to spot unusual behavior, possible security threats, and holes in current security measures.
To paraphrase the original Forrester report that introduced the concept, zero trust necessitates creating security from the inside out by concentrating on an organization’s IT resources and adding layers of security to and around them. ZTA mandates the following businesses:
– Understand every device and user on a business network.
– Document every resource, including its access permissions, data, apps, services, and other assets.
– Grant temporary access for the duration of a session based on using cryptographically strong user and device authentication to authenticate every access to an IT resource (network, file sharing, database, or application).
– Define access privileges with the smallest possible scope required to execute a certain task.
Zero trust in practice entails treating every user and device with the same level of mistrust and operating as though nefarious attackers have compromised every organizational network. Therefore, all resources must prevent access by default, keep an eye on all activity, check and log it, and confirm each attempt to access the resources.
CONCEPTUALIZATION AND APPLICATION
Several fundamental subsystems are needed to create a zero-trust environment, including:
a) Policy engine with policy administrators.
b) Policy enforcement points (typically access proxies) to supplement traditional forms of access control such as firewalls (NGFW, WAF), IDS/IPS, and content scanning and DLP systems.
c) Identity and access management (IAM) system with single sign-on (SSO) capability (either natively or through integrations)
d) Certificate management system through an enterprise public key infrastructure (PKI) implementation and/or third-party CAs.
e) System and network monitoring system via a formal SIEM (security information and event management) product or data management and analysis systems like the ELK stack or commercial equivalents.
Fortinet’s Zero Trust Strategy
Any area of IT security can be approached using the basic idea and method known as “zero trust.” Some limit it to just network security (zero-trust network access or ZTNA) or cloud services. No matter where they are located—in an on-premises data center, a branch office, a cloud environment, or on an employee’s home computer—Fortinet believes that all corporate resources should operate under the principle of zero trust.
The zero-trust access (ZTA) framework from Fortinet contains products in the following categories:
i. Endpoint access control using the Forticlient agent-based software, which offers lightweight client software, virus prevention, policy compliance, and secure access (VPN, zero-trust encrypted sessions).
ii. Identity access management (IAM) using FortiAuthenticator, an authentication, authorization, and accounting (AAA) system providing access management and control, single sign-on (SSO), and guest management services. FortiToken offers two-factor authentication (2FA) as an optional service through a hardware token or mobile application. The Android or iOS applications are one-time password (OTP) generators that are Open Authorization (OAuth) compliant and can handle both time-based and event-based tokens.
iii. Network access control (NAC) using FortiNAC, which gives visibility to every user and device on a network, performs a dynamic risk assessment of every endpoint, enables the identification, profiling, and vulnerability scanning of devices, and enforces security regulations.
iv. The FortiGate NGFW includes application access control with the FortiGuard application control service, which can restrict or allow access to external and internal applications, use pre-defined or customized policies, and enforce bandwidth usage restrictions or prioritizations based on the applications.
Organizations may extend safe access restrictions to apps for any user with the help of Fortinet’s Zero Trust Network Access (ZTNA) technology. Whether users and their devices are on or off the network, applications are on-premises or in the cloud, all users and devices requesting network and application access are uniquely identified and categorized by Fortinet’s ZTNA solutions.
Advantages, Drawbacks, and Recommendations
Unlike a client or edge VPN, which often applies internal security controls to an uncontrolled environment, zero trust is more secure. Indeed, the current Colonial Pipeline ransomware assault and the 2013 Target stores hack—where a contractor caused the initial breach—involved compromised VPNs.
In contrast, ZTA uses session-based access tokens and least privilege permissions to restrict an attack’s blast radius. Furthermore, ZTA is more convenient for users since it creates encrypted sessions automatically.
The main drawbacks of ZTA are implementation planning, deployment complexity, and workforce training, as it necessitates an inventory of all IT assets and applications and minor adjustments to specific operations.
According to a recent study, half of “government IT decision-makers” tasked with carrying out the new Executive Order requiring ZTA think it will take more than two years to modify their cloud systems to operate with ZTA. Similarly, 60% believe it will take three years or more to implement ZTA.
Given the importance of implementing ZTA, Fortinet suggests taking a staged approach by initially focusing on business units, personnel groups, and geographic areas that are either at high risk or have access to critical information. After completing these target deployments, businesses may progressively roll out ZTA throughout the organization. Start by creating a thorough inventory of IT resources, including hardware, software, and data sources, and a clear and up-to-date business directory to develop access controls for IT resources.
About Author
