Initiative #1.
Virtual private networks (VPNs) are part of a traditional, outward-looking approach to security that assumes everything behind the firewall is safe. However, this model is less effective in today’s hybrid workforce environment where large percentages of employees work from home, corporate assets reside in multi-cloud environments, and attackers routinely evade defenses without being detected.
The lines between internal “trusted” entities and external “untrusted” entities have blurred, and do not align with the idea of a single, defensible boundary between internal assets and the outside world. A modern network access strategy that incorporates Zero Trust enables you to implement a more agile, granular framework for authenticating users and devices.
Trust is dynamically assessed each time a user or device requests access to a resource, and access decisions are made based on contextual attributes such as user identity, time of day, location, device type and more.
*Source: GlobalDots
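The per-request, attribute-based trust assessment described above, as an added example that is not GlobalDots' code or any product's API: a small policy decision function that checks identity, time of day, location and device posture afresh on every request and denies by default. The attribute names, the "managed-compliant" posture label and the payroll policy are constructed for illustration.

```python
# Added example, not GlobalDots' code: a minimal policy decision point that re-evaluates
# trust on every request from the attributes the text names (identity, time, location, device).
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset      # memberships asserted by the identity provider
    mfa_verified: bool     # strong authentication completed for this session
    device: str            # posture from device management, e.g. "managed-compliant", "byod"
    country: str           # location derived from the connecting network
    hour: int              # local hour of day, 0-23

@dataclass(frozen=True)
class ResourcePolicy:
    resource: str
    allowed_groups: frozenset
    allowed_countries: frozenset
    business_hours: tuple = (0, 24)   # half-open interval [start, end)
    managed_only: bool = True
    require_mfa: bool = True

def decide(req: AccessRequest, policy: ResourcePolicy) -> tuple[str, list[str]]:
    """Return ('allow' | 'step-up' | 'deny', reasons); every attribute is re-checked on every call."""
    reasons = []
    if not req.groups & policy.allowed_groups:
        reasons.append("identity not entitled to resource")
    if req.country not in policy.allowed_countries:
        reasons.append(f"location {req.country} not permitted")
    if not policy.business_hours[0] <= req.hour < policy.business_hours[1]:
        reasons.append(f"hour {req.hour} outside business hours")
    if policy.managed_only and req.device != "managed-compliant":
        reasons.append(f"device posture {req.device!r} not acceptable")
    if reasons:                      # any failed attribute denies; deny is the default outcome
        return "deny", reasons
    if policy.require_mfa and not req.mfa_verified:
        return "step-up", ["MFA required before access is granted"]
    return "allow", []

PAYROLL = ResourcePolicy("payroll-db", frozenset({"finance"}), frozenset({"US"}), (8, 18))  # constructed sample

def demo() -> dict[str, str]:
    """The same entitled user seen in three contexts; only the context changes the verdict."""
    base = dict(user="alice", groups=frozenset({"finance"}))
    cases = {
        "office_hours_managed": AccessRequest(**base, mfa_verified=True, device="managed-compliant", country="US", hour=10),
        "managed_without_mfa": AccessRequest(**base, mfa_verified=False, device="managed-compliant", country="US", hour=10),
        "byod_abroad_at_night": AccessRequest(**base, mfa_verified=True, device="byod", country="BR", hour=2),
    }
    return {name: decide(req, PAYROLL)[0] for name, req in cases.items()}
```

The returned reasons list is what a real decision point would log for the traffic inspection and analytics steps described later on this page.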
There is no single silver bullet when it comes to Zero Trust, but there are several tools that can help you along the path.
It is important to evaluate solutions based on your organization's strategy. A thorough understanding of desired outcomes, of your most critical assets, and of how traffic moves across the organization is an integral part of the decision-making process.
MICROSEGMENTATION: Allows you to create network segments or “micro-perimeters” based on data sensitivity, and control traffic within and between the segments to restrict malicious lateral movement.
IDENTITY & ACCESS MANAGEMENT (IAM): Single sign-on, multi-factor authentication (MFA) and privileged access management (PAM) controls provide strong authentication across cloud platforms and internal systems and protect against the abuse of privileged credentials.
SECURE ACCESS SERVICE EDGE (SASE): Brings together wide area networking (WAN) and network security services such as cloud access security broker (CASB) and firewall as a service (FWaaS) in a single, cloud-delivered service model. Enables Zero Trust by providing complete session protection, regardless of whether a user is on or off the corporate network.
DATA CLASSIFICATION: Enables you to associate security levels with specific types of data, regardless of where that data resides. Classification sets the foundation for Zero Trust access control.
DATA LOSS PREVENTION (DLP): Reduces data loss at your greatest point of risk – the endpoint. Solutions monitor and manage the flow of cloud-based and on-premises sensitive data, and provide control points for implementing Zero Trust policies.
ZERO TRUST NETWORK ACCESS (ZTNA)/SOFTWARE-DEFINED PERIMETER (SDP): Grants access on a “need-to-know” basis defined by granular policies. Connects users to private applications without ever placing them on the network or exposing apps to the internet.
Zero Trust is prone to misconceptions, and many organizations are perplexed about how to formalize initiatives. While there is no one-size-fits-all approach, here are five key tips to help get you started:
1. Understand why you want to move towards Zero Trust: What are the goals of the business? Do you want to target a specific portion of your network, or the entire enterprise?
2. Determine what data you want to protect, where it is, where it goes, and who or what is handling it. Complete a risk assessment of sensitive data, and develop a formalized classification policy that is not too granular.
3. Map the flows of your data, and segment based on data sensitivity. Create small segments of network elements (micro-perimeters) that you can bind together to create a larger Zero Trust network.
4. Develop and enforce data security and access policies across hosting models, locations, users and devices. Carefully define rules and policies within key security controls.
5. Log and inspect all traffic for malicious activity and areas of improvement. Leverage analytics and benchmark activity against performance metrics to illustrate ROI and determine whether more resources are required to maintain a continuous Zero Trust state.