Implementing Zero Trust For A Borderless World

Sponsored Blog Posts

This guest post is by Kurt Marko on behalf of Fortinet. We thank Fortinet for being a sponsor.

Traditional perimeter-based security designs—gateway firewalls, client VPNs, and password-only application authentication—are insufficient for today’s highly distributed environments. Business requirements such as support for remote employees, the deployment of hybrid- and multi-cloud workloads, and the wide adoption of SaaS applications, have dissolved enterprise borders.

In addition, the sophistication and aggressiveness of today’s hackers and attack techniques have created urgency around adopting zero-trust access (ZTA) security to counter intrusions. Indeed, the US President issued an executive order in May 2021 requiring each agency to have a zero-trust implementation plan by July 2021.

Although the zero-trust security model goes back more than a decade, few enterprises embraced it due to the scarcity of available software, implementation complexity, and an inflated view of the efficacy of existing security measures. ZTA addresses the shortcomings of traditional security designs using five principles as detailed by NIST guidelines (NIST Special Publication 800-207):

  1. All data sources and computing services are resources to be secured.
  2. Access to resources is authenticated and temporarily granted for a particular session using the least privileges required to complete the task. Authentication and authorization are dynamic and evaluated for every access attempt using a vetted and authorized IAM system and preferably with multifactor authentication (MFA).
  3. Resource access is determined by policies that consider the requesting client identity, the requesting device identity and provenance, the requested application or data, and behavioral attributes like usage anomalies, device telemetry, client location, time, and the presence of ongoing attacks.
  4. All communication is authenticated and encrypted.
  5. The integrity, security, and activity of all enterprise resources are continually monitored and analyzed to provide insight into anomalous behavior, potential attacks, and weaknesses in existing security policies.

Paraphrasing the initial Forrester paper (referenced above) outlining the concept, zero trust requires building security from the inside out by focusing on an enterprise’s IT resources and building layers of protection into and around them. ZTA requires that organizations:

  • Know every device and user on an enterprise network
  • Document all resources — data, applications, services, other assets — and their access rights
  • Authenticate every access to an IT resource (network, file share, database or application)
  • Grant temporary access for the length of a session based on
  • Use cryptographically strong user and device authentication with
  • Define access rights limited to the narrowest scope necessary to complete a particular task

In practice, zero trust means treating every device and user with equal suspicion and acting as if every enterprise network is already breached by malicious intruders. Thus, all resources must deny access by default; monitor, inspect, and log all activity; and verify each attempt to access resources.
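The decision logic those principles describe, as an added illustration that is not part of the original post or any Fortinet product: a small policy decision point that denies by default, checks identity, MFA, device posture, location and an ongoing-attack signal for every request, logs each attempt, and on success grants only the requested action on the requested resource for the length of one session. All class and field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass(frozen=True)
class AccessRequest:                 # everything the policy engine weighs for one access attempt
    user: str
    groups: frozenset                # group membership from the IAM system
    mfa_verified: bool               # did this session complete MFA?
    device_trusted: bool             # device provenance and telemetry: enrolled and posture-compliant
    resource: str                    # requested application or data source
    action: str                      # e.g. "read", "write"
    country: str                     # client location
    active_attack: bool = False      # SOC signal: attack in progress

@dataclass(frozen=True)
class Policy:
    allowed_groups: frozenset
    actions: frozenset
    require_mfa: bool = True
    allowed_countries: frozenset = frozenset()   # empty means any location
    session_minutes: int = 60

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires: "datetime | None" = None
    scope: frozenset = frozenset()               # (resource, action) pairs actually granted

AUDIT_LOG: list = []                             # every attempt is recorded, allow or deny
def evaluate(req: AccessRequest, policies: dict, now: datetime) -> Decision:
    policy = policies.get(req.resource)          # deny by default: no policy, no access
    if policy is None:
        return _log(req, Decision(False, "no policy for resource"))
    checks = [
        (req.groups.isdisjoint(policy.allowed_groups), "user not authorized for resource"),
        (req.action not in policy.actions, "action not permitted"),
        (policy.require_mfa and not req.mfa_verified, "MFA required"),
        (not req.device_trusted, "device not trusted"),
        (bool(policy.allowed_countries) and req.country not in policy.allowed_countries, "location not allowed"),
        (req.active_attack, "ongoing attack"),
    ]
    for failed, reason in checks:
        if failed:
            return _log(req, Decision(False, reason))
    return _log(req, Decision(True, "all checks passed", now + timedelta(minutes=policy.session_minutes),
                              frozenset({(req.resource, req.action)})))

def _log(req: AccessRequest, d: Decision) -> Decision:
    AUDIT_LOG.append(f"{req.user} {req.action} {req.resource}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    return d
```

The successful branch is the least-privilege grant: a token scoped to one (resource, action) pair that expires with the session rather than standing access.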

Source: Zero Trust Architecture; NIST Special Publication 800-207

From Theory To Implementation

Building a zero-trust environment requires several primary subsystems, including:

  • Policy engine with policy administrators
  • Policy enforcement points (typically access proxies) to supplement traditional forms of access control such as firewalls (NGFW, WAF), IDS/IPS and content scanning and DLP systems.
  • Identity and access management (IAM) system with single sign-on (SSO) capability (either natively or through integrations)
  • Certificate management system through an enterprise public key infrastructure (PKI) implementation and/or third-party CAs.
  • System and network monitoring system, whether via a formal SIEM (security information and event management) product or data management and analysis systems like the ELK stack or commercial equivalents.

Fortinet’s Approach To Zero Trust

Zero trust is a general philosophy and approach that can be applied to any aspect of IT security. However, some confine it only to securing the network (zero-trust network access or ZTNA) or cloud services. Fortinet believes that zero trust should be applied to all enterprise resources, regardless of where they are located, whether an on-premises data center, branch office, cloud environment, or employee’s home equipment.

Fortinet’s zero-trust access (ZTA) framework includes products in several areas:

  1. Endpoint access control via the FortiClient agent-based software providing policy compliance, malware protection, and secure access (VPN, zero-trust encrypted sessions) in a lightweight client.
  2. Identity and access management (IAM) using FortiAuthenticator, an authentication, authorization, and accounting (AAA) system providing access management and control, single sign-on (SSO), and guest management services. Optionally, FortiToken provides two-factor authentication (2FA) through a hardware token or mobile app. The Android and iOS apps are an OATH-compliant (Initiative for Open Authentication) one-time password (OTP) generator that supports both time-based and event-based tokens.
  3. Network access control (NAC) via FortiNAC, which provides visibility to every user and device on a network; a dynamic risk assessment of each endpoint; the ability to identify, profile, and scan devices for vulnerabilities; and enforce security policies.
  4. Application access control is part of the FortiGate NGFW with the FortiGuard application control service, which can limit or deny access to both commercial and internal applications, use default or custom policies, and enforce application-specific limits or prioritizations on bandwidth usage.

Zero Trust Network Access (ZTNA) from Fortinet enables organizations to extend secure access controls to applications for any user. Fortinet’s ZTNA solutions uniquely identify and classify all users and devices seeking network and application access, regardless of whether users and their devices are on or off the network, or whether applications are on premises or in the cloud.

Source: Fortinet

The following chart depicts how Fortinet provides a full ZTA stack across all elements of the ZTA matrix.

Source: Kurt Marko

Benefits, Challenges, And Cautions

Zero trust is more secure than client or edge VPNs, which typically extend internal security policies to a less-controlled environment. Indeed, VPNs were compromised during the 2013 Target stores breach (where the initial breach came through a contractor) and the recent Colonial Pipeline ransomware attack.

By contrast, ZTA limits the blast radius of an attack due to least privilege permissions and session-based access tokens. Furthermore, because ZTA automatically establishes encrypted sessions, it is more convenient for users.

Implementation planning, deployment complexity, and workforce training are the primary downsides of ZTA, as it requires an inventory of all IT assets and applications and modest changes to some workflows.

A recent survey of “government IT decision makers” charged with implementing the new Executive Order mandating ZTA found that half say it will take more than two years to adapt their cloud environments to work with ZTA. Likewise, 60 percent expect it to take 3 years or longer to fully implement ZTA.

Understanding the significance of adopting ZTA, Fortinet recommends a phased approach by first targeting business units, employee groups, and geographies at high risk or that have access to valuable information. Once these target deployments are in place, organizations can gradually introduce ZTA to the rest of the enterprise. Start by building a comprehensive catalog of IT assets, applications, and data sources, along with a clean and continually updated enterprise directory that together can be used to create access policies for IT resources.