Trust Nothing Until Proven Trustworthy
The Case for Zero Trust Infrastructure
By Michael O’Connell, Security Solutions Architect at Aspire Technology Partners
Zero trust is a concept that has been around for some time, but it is gaining momentum as more organizations start to take the approach seriously. It addresses the challenges of today’s business, including securing remote workers and hybrid cloud environments. The philosophy necessitates a mindset shift for network and security teams and requires them to systematically evaluate their operational capabilities and technology. The framework revolves around the model of requiring users – whether inside or outside the organization’s network – to be authenticated, authorized, and continuously validated for security configuration and posture before access is granted.
Zero trust operates from one fundamental principle: Trust nothing until it’s proven trustworthy. Think of it as the opposite of the U.S. legal system. Treat every user, device, application/workload, and data flow as untrusted. Never trust, always verify.
Implementing zero trust principles can be a considerable effort, but it is possible, even for midsize organizations. So instead of implementing zero trust principles at a company-wide level all at once, apply the principle one piece at a time.
Here are three recommendations to get you started along the path to Zero Trust:
Implement Multi-Factor Authentication (MFA)
Multi-factor Authentication (MFA) is an authentication method that requires users to provide two or more verification factors to gain access to corporate resources such as applications or VPN. MFA comes in different forms. It could be as simple as a code sent via email to the registered user. It could be a code sent via text message to a registered device/mobile phone. Or you could use an authentication app that resides on the authorized user’s mobile device.
The main benefit of MFA is that it enhances your organization’s security by requiring your users to identify themselves by more than a username and password. While important, usernames and passwords are vulnerable to brute force attacks and can be stolen by third parties. Enforcing the use of MFA increases confidence that your organization will stay safe from cyber criminals. Many financial institutions and online shopping sites offer some form of multi-factor authentication to protect your accounts and their networks.
Limited yet appropriate access
Controlling access to your network can be challenging when you have a combination of wired, wireless, and VPN connections. Securing your organization requires that you understand the devices attached to your network. It is important to have the capability to check the identity and integrity of devices without respect to location and provide access to applications and services based on the confidence of device identity and device health in combination with user authentication.
With several methods available, it’s best to implement one that offers a dynamic, automated approach to policy enforcement based on device posture assessment and user role. This process enables your organization to enforce compliance, enhance infrastructure security, and streamline your operations.
There are additional benefits as well. You gain visibility into what is happening on your networks, such as who is connected, which applications are installed and running, and much more. These platforms can also share vital contextual data, such as user and device identities, threats, and vulnerabilities, with your managed security service provider to help identify, contain, and remediate threats faster.
Access to network resources is governed by a set of flexible access rules that can keep pace with ever-changing business requirements. Users and endpoints are allowed access based on role and policy. Users with similar roles are grouped together into security groups, which enables your organization to set up access controls based on business rules and user roles, not IP addresses or network topology.
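The access decision described in this section, as an added example that is not part of the original post: a default-deny policy check that requires a verified second factor, a known and healthy device, and membership in a security group permitted for the resource, with no reference to IP address or network location. The `POLICY` table, the posture fields and the sample users and devices are constructed for illustration.

```python
"""Default-deny access decision: user MFA + device identity/posture + role.

Added example; the policy table, posture checks and sample data below are
constructed for illustration, not taken from any product.
"""
from dataclasses import dataclass

# Security groups permitted per resource. Access is granted to roles,
# never to IP addresses or network segments. Anything not listed is denied.
POLICY: dict[str, frozenset[str]] = {
    "finance-app": frozenset({"finance", "admin"}),
    "hr-portal": frozenset({"hr", "admin"}),
    "wiki": frozenset({"finance", "hr", "engineering", "admin"}),
}

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset[str]      # security groups derived from business role
    mfa_verified: bool          # second factor completed for this session

@dataclass(frozen=True)
class Device:
    device_id: str
    identity_verified: bool     # device identity confirmed (e.g. certificate)
    os_patched: bool            # posture: current patches applied
    disk_encrypted: bool        # posture: full-disk encryption enabled
    edr_running: bool           # posture: endpoint agent present and healthy

def posture_ok(device: Device) -> bool:
    """A device counts as healthy only if every posture check passes."""
    return device.os_patched and device.disk_encrypted and device.edr_running

def decide(user: User, device: Device, resource: str) -> tuple[bool, str]:
    """Return (allowed, reason). Each check must pass; unknown resources are denied.

    Call this on every request, not once per login, so a device that drifts out
    of compliance mid-session loses access on its next request (continuous validation).
    """
    if not user.mfa_verified:
        return False, "mfa-required"
    if not device.identity_verified:
        return False, "unknown-device"
    if not posture_ok(device):
        return False, "device-non-compliant"
    allowed_groups = POLICY.get(resource)
    if allowed_groups is None:
        return False, "unknown-resource"        # default deny
    if user.groups.isdisjoint(allowed_groups):
        return False, "role-not-permitted"
    return True, "allowed"
```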
Review and update your infrastructure
Check that all legacy security products are kept up to date. Out-of-date products provide a potential attack vector that can and will be used against your network given an opportunity. Evaluate new products to add zero trust solutions that integrate with, or possibly replace, multiple pieces of your current infrastructure behind a single pane of glass.
Zero Trust starts with knowing the resources on your network and who is using them. An Identity Services Engine (ISE) connects trusted users and endpoints with corporate resources. Authenticating users via Multi-Factor Authentication confirms that users are who they say they are and are permitted to access your network.
As your entire user community gets more comfortable with the Zero Trust concept, it will become more manageable to introduce these principles to other parts of your environment. This allows you to develop a roadmap to reach a complete Zero Trust concept in your organization.
Visit our blog regularly for the next post in this series, or listen to our Digital Aspirations in Business podcast for more information.
If you’re interested in how Aspire can help you, please contact us at CyberSecurity@AspireTransforms.com
Aspire Technology Partners is a four-time Cisco master partner, and we can build you a custom proof-of-concept environment with a full demo.
Aspire Technology Partners is a Cisco Gold Certified Partner ingrained in solution pillars that set us apart as a true Cisco solutions provider. We are committed to the continuous improvement of expertise and skillsets around Cisco initiatives that enable us to help and guide customers in the adoption and management of technology architectures designed to transform their organization. We hold Cisco Master Specializations in Collaboration, Security, Cloud & Managed Services and are one of only 25 partners in the US to receive the Cisco Advanced Customer Experience Specialization.