The Best Trust is No Trust at All

Trust has always been a critical consideration for security. Firewalls were invented because people outside the network were inherently less trustworthy than those inside the network, especially when it came to things like accessing data and resources. And zones of trust have always existed inside networks: the DMZ is usually considered less secure than the production network. OT networks have traditionally been completely isolated from IT. And not everyone inside the network has access to things like IP and R&D data. For the most part, trust is an issue that most organizations feel they have locked down.

However, a few things have recently changed to cause many organizations to rethink their strategy and shift to a Zero Trust model.

OT networks, for example, have generally relied on an inherent trust model because access to the network was so restricted. In many OT environments, anyone on any device connected to the OT infrastructure could access just about any system. But the convergence of IT and OT has given pause to that idea, especially as things like control systems monitoring and managing sensitive, and sometimes potentially dangerous machinery, are connected to the network.

Many of the same issues also exist within the IT network. Within zones of trust, users can move freely between systems and resources. And workflows and applications often move between zones of trust, even between different ecosystems, like between the data center and the cloud, to access critical data. This is a highly exploitable condition once a cybercriminal manages to breach perimeter defenses. Hiding under the radar, sophisticated malware can use the inherent trust in the network to move laterally across the network, even escalating privilege to move from one area to another.

But perhaps the most significant issue has been the rapid transition to a work from home model. The vast majority of office workers now have to access critical network resources from outside the network just to do their job. And most of them are protected with little more than a VPN connection. Cybercriminals have responded to this shift by shifting their efforts away from targeting traditional network devices to exploit vulnerable home network systems, looking to ride the VPN connection back into the network. And this has been a very successful strategy, marked, for example, by a seven-fold increase in ransomware attacks during the second half of 2020.

Zero Trust

Like the rapid expansion of the attack surface and the introduction of new network edges, these and similar challenges have been a primary motivation behind the growing interest in Zero Trust as a networking strategy. Zero trust is based on the premise that any user or device could potentially have already been compromised, and you, therefore, need to limit risk through controlled access and monitoring.

Rather than basing trust on the network location of a user or device and granting full access to a segment of the network, the zero trust model determines trust on a per-transaction basis. That starts by setting a default deny posture for everyone and everything. That way, whenever a user or device requests access to a resource, they must be verified before access is granted.

Such verification is based on the identity of the user (role or assigned privileges) and the device (type of device, personal or corporate asset, etc.) It also includes other attributes and context, such as the time and date, location, and even aspects of device security posture, like whether the latest patches have been installed or if specific security tools are enabled. And even after the device and user are verified, only the appropriate trust required is granted, based on the principle of least privilege. For example, if a user requests access to an HR application and is verified, they are only given access to that application and nothing else. The idea is, users and devices receive access to the resources they need to do their jobs based on policy and nothing else.

There are two additional aspects of Zero Trust that every organization should be aware of. They are Zero Trust Access (ZTA) and Zero Trust Network Access (ZTNA). While they may sound similar, they are pretty different. And the distinction is important.

Zero Trust Access

The first step in any zero trust strategy is knowing and controlling who and what is on your network. That starts with role-based access control (RBAC), so authenticated users can be granted an appropriate level of access. Most organizations already do this to some degree. But by aligning RBAC to the zero-trust model, those users receive a least access policy that restricts the user to the minimum level of network access required for their role and removes any ability to access—or even see—other parts of the network.

But ZTA also includes managing what is on the network. Naturally, this includes whatever device a user may be connecting to the network with, whether it’s a laptop, tablet, or smart device. But we now live in a world where the number of non-user IoT devices connecting to the network also continues to explode—whether printers, heating and ventilation systems, and secure doorways, or inventory control systems, Point of Sale (POS) devices, or Industrial IoT. Many of these devices do not have a username and password to identify themselves. These “headless” devices require a network access control (NAC) solution designed to discover, authenticate, and control their access to network resources. NAC policies can apply the zero trust principle of least access to devices, only granting sufficient network access to perform their role and nothing more.

Zero Trust Network Access

Up until now, we have been discussing managing and controlling access to the network and networked resources. But today’s businesses increasingly run on applications, and ZTNA is all about providing brokered access to applications. ZTNA is a way of controlling access to applications regardless of where the user or the application resides. The user may be on a corporate network, working from home, or someplace else, and the application may live in a corporate data center, in a private cloud, or on the public internet.

ZTNA offers better security, more granular control, and a better user experience than a traditional—especially in light of the complexity and dynamic nature of today’s networks, making it a smarter choice for securely connecting a remote workforce. For the most part, a VPN is a dumb tunnel that can be exploited by compromising the endpoint device. The assumption is that anyone or anything that has access to the VPN connection can be trusted. And many times, that extends to the part of the network it is connecting to. This explains why cybercriminals have been so keen to redirect their efforts to exploiting the vulnerable home networks of remote workers.

ZTNA takes a much different approach: no user or device can be trusted to access anything until proven trustworthy. In this way, ZTNA can extend the zero-trust model beyond the network while reducing the attack surface by hiding applications from the internet.

Trust begins by not trusting anyone

The security measures most organizations have in place today were designed for a traditional network. But as network edges expand, IoT devices become more ubiquitous, environments converge, and users become more mobile, trust can no longer be granted based on location. Zero trust enables organizations to implement consistent security across distributed and dynamic environments because every user and every device must be verified before limited access is granted. ZTA and ZTNA focus on understanding who and what is accessing the network and applications, regardless of where those users, devices, data, or applications are located. And in this way, by not trusting anyone or anything, you can go back to trusting your network.

Learn more about Zero Trust solutions from Fortinet that enable organizations to see and control all devices, users, and applications across the entire network.