Leveraging Partner Expertise to Build a Zero-Trust Strategy
Keep building partner trust, but apply the principle of least privilege to networks for security.
Jon Bove
Trust has always been a central concept in cybersecurity. Firewalls were invented around it: they were built on the assumption that people outside the enterprise network were less trustworthy than those inside it. Zones of trust within networks separate what is treated as secure from what is not, and most organizations further restrict who can reach critical data and resources.
Strategies such as these have led many organizations to believe they are fully secure. It falls to partners to show that this is not the case, and to help build a new strategy around a zero-trust framework.
The Problem with Trust
Increasingly, organizations are moving toward a zero-trust model as they rethink their security strategies. Take operational technology (OT) environments, for example, which have long relied on inherent trust models because access to their networks was tightly restricted. In many of these environments, any device that connected to the OT infrastructure could reach any system on it. The convergence of IT and OT is changing this, especially as more devices, many of which control potentially dangerous machinery, connect to the network.
Similar issues exist within traditional IT networks. Under traditional zones of trust, users can move freely between systems and resources. Workflows and applications also cross these zones, and may even cross ecosystems (for example, between data centers and the cloud) to reach critical data. Once cybercriminals breach the perimeter, that same freedom of movement becomes a highly exploitable condition: the network's inherent trust lets them move laterally and escalate privileges from one area to the next, and the malware they use need not be especially sophisticated to slip under the radar, because nothing inside the zone is checking.
In the past year, one issue has risen above the rest for many partners and their customers: remote work security. With the majority of office workers now reaching critical network resources from outside the network, virtual private network (VPN) connections do not provide the level of protection this traffic needs. A VPN secures the tunnel, but it extends network-level trust to whatever endpoint sits at the other end. Cybercriminals responded to this shift by targeting vulnerable home network systems instead of traditional network devices, looking to ride the VPN connection back into the corporate network. The sevenfold increase in ransomware attacks during the second half of 2020 indicates how successful this strategy was.
Partner Opportunity Around Zero Trust
Considering the ever-expanding nature of enterprise networks, partners must help their customers evolve their strategies to stay ahead of cybercriminals who are doing the same. Deploying a zero-trust model is one way to achieve this.
Zero trust is based on the premise that any user or device may already be compromised, so each must continuously authenticate to the network and validate its identity and access. The strategy responds to the rapid expansion of the attack surface and the introduction of new network edges. It determines trust on a per-transaction basis rather than granting full access to a network segment based on where a user or device happens to sit. It starts from a default deny-all posture for everyone and everything, and requires verification of the user or device before any access request is granted.
Verification starts with the user's identity (role or assigned privileges) and the device (personal or corporate). It then incorporates additional attributes and context: time, date, geographic location, patch level, and whether required security tools (such as endpoint protection) are present and running. Even after verification, only the necessary level of trust is granted, following the principle of least privilege: users and devices receive access only to the resources needed for their job function, no more and no less. For example, a verified user who requests access to an HR application is given access to that application and nothing else.
As organizations move toward zero trust, partners become important resources for their customers. Because partners have documented customer network architectures, worked with asset inventories and helped with risk assessments, they have the knowledge and resources necessary to help their clients build out both zero trust access (ZTA) and zero trust network access (ZTNA) policies.
Establishing the Foundation of Zero Trust
The foundation of any zero trust strategy is knowing and controlling who and what is on the network. This starts with role-based access control (RBAC), granting authenticated users an appropriate level of access, which many organizations already practice to some degree. Aligning RBAC with a zero trust model requires a least-access policy that restricts users to the minimum network access their role requires, removing any ability to reach, or even see, other parts of the network.
Beyond this, ZTA also involves managing the devices used to connect to the network, such as laptops, tablets and smart devices. Organizations are also adding nonuser Internet of Things (IoT) devices to their networks: printers, heating and ventilation systems, access-controlled doors, inventory control systems, point of sale (POS) devices and industrial IoT (IIoT). Unlike traditional endpoints, many of these devices have no interactive user and therefore no username and password to present. These "headless" devices require a network access control (NAC) solution that discovers them, identifies and authenticates them by other means (for example, a device certificate or a device profile built from the hardware address, manufacturer and traffic behavior), and controls their access to network resources. NAC policies can then apply the zero-trust principle of least access to devices, ensuring each has only the network access it needs to perform its role and nothing more.
Partners engaged in mapping their clients' networks are well placed to help establish ZTA. They often have the best knowledge of the network, its users and its devices, and as the client's most trusted adviser they are the natural choice to supply the solution.
Zero Trust Network Access: Securing the Applications
Today's businesses increasingly run on applications, which is where ZTNA comes in: it controls application access no matter where the user or the application resides. The user may be on the corporate network, in a home office or somewhere else, and the application may live in a corporate data center, a private cloud or on the public internet.
Given the dynamic nature of today's networks, ZTNA offers the security, granular control and user experience needed to securely connect a remote workforce. Cybercriminals can exploit VPNs by compromising the endpoint device, because the underlying assumption is that a VPN connection comes with trust, and that trust extends to the part of the network the tunnel lands in. This is why threat actors redirected their efforts toward vulnerable home networks.
ZTNA takes the position that no user or device can be trusted to reach anything, including applications, until proven trustworthy, and it re-checks that proof on each connection rather than once per login. This extends the zero trust model beyond access to the network itself. It also reduces the attack surface by hiding applications from the public internet: the application accepts connections only from the ZTNA broker, so it has no inbound listener exposed for attackers to scan or probe.
For partners, ZTNA poses an opportunity. Having been deeply involved in their customers' network mapping and policy, they already know the application access points. By building a punch list of new projects, they can use their position as a trusted adviser to help deliver a zero-trust security approach.
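The verification described in the previous sections (default deny; identity plus device plus context; RBAC least privilege scoped to one application; NAC-style identification of headless devices; re-checking on every connection as a ZTNA broker would) can be put together in one policy decision function. The following Python is an added illustration, not code from the article or from Fortinet. The device inventory, roles, thresholds, and the `decide` function are all constructed for the example; a real deployment would pull these from the asset inventory, identity provider and posture agent.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).

Every request is denied unless the device, its posture, the request context
and a per-application entitlement all check out, and an allow covers exactly
one application. Headless devices carry no user credential and are identified
by a NAC-style device profile instead. All data here is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed asset inventory, the kind a partner would have documented.
# patch_level is YYYYMM of the last applied patch baseline.
DEVICES = {
    "LT-1042":   {"owner": "alice", "managed": True,  "patch_level": 202406,
                  "edr_running": True},
    "BYOD-77":   {"owner": "bob",   "managed": False, "patch_level": 202311,
                  "edr_running": False},
    "PRN-3F-01": {"owner": None,    "managed": True,  "patch_level": 202404,
                  "edr_running": False, "profile": "printer"},
}

# Constructed RBAC table: role -> the only applications that role may reach.
ROLE_ENTITLEMENTS = {"hr-analyst": {"hr-app"}, "engineer": {"git", "ci"}}
USER_ROLES = {"alice": {"hr-analyst"}, "bob": {"engineer"}}

# NAC-style entitlements keyed by device profile, for devices with no user.
PROFILE_ENTITLEMENTS = {"printer": {"print-spooler"}}

MIN_PATCH_LEVEL = 202403          # hypothetical posture threshold
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 local time
ALLOWED_COUNTRIES = {"US", "CA"}


@dataclass
class Request:
    device_id: str
    app: str
    when: datetime
    country: str
    user: Optional[str] = None    # None means a headless device
    mfa_passed: bool = False


def entitlements_for_user(user: str) -> set:
    """Union of the applications granted by every role the user holds."""
    apps = set()
    for role in USER_ROLES.get(user, set()):
        apps |= ROLE_ENTITLEMENTS.get(role, set())
    return apps


def decide(req: Request, devices: dict = DEVICES) -> tuple:
    """Default deny. Returns (allowed, reason); an allow is for req.app only.

    Called once per connection, so a session whose device posture degrades
    (e.g. endpoint protection stops) is refused on its next transaction.
    """
    device = devices.get(req.device_id)
    if device is None:
        return False, "unknown device"
    if not device["managed"]:
        return False, "unmanaged device"
    if device["patch_level"] < MIN_PATCH_LEVEL:
        return False, "device below minimum patch level"
    if req.when.hour not in BUSINESS_HOURS:
        return False, "outside permitted hours"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "geography not permitted"

    if req.user is None:
        # Headless: identity is the NAC device profile, not a login.
        entitled = PROFILE_ENTITLEMENTS.get(device.get("profile"), set())
    else:
        if device["owner"] != req.user:
            return False, "device not assigned to this user"
        if not req.mfa_passed:
            return False, "MFA required"
        if not device["edr_running"]:
            return False, "endpoint protection not running"
        entitled = entitlements_for_user(req.user)

    if req.app not in entitled:
        return False, "no entitlement for " + req.app
    return True, "access to " + req.app + " only"


# Constructed sample requests (a Monday at noon and one late at night).
NOON = datetime(2024, 6, 3, 12, 0)
NIGHT = datetime(2024, 6, 3, 23, 0)
ALICE_HR = Request("LT-1042", "hr-app", NOON, "US", user="alice", mfa_passed=True)
ALICE_GIT = Request("LT-1042", "git", NOON, "US", user="alice", mfa_passed=True)
ALICE_LATE = Request("LT-1042", "hr-app", NIGHT, "US", user="alice", mfa_passed=True)
BOB_CI = Request("BYOD-77", "ci", NOON, "US", user="bob", mfa_passed=True)
PRINTER_SPOOL = Request("PRN-3F-01", "print-spooler", NOON, "US")
PRINTER_HR = Request("PRN-3F-01", "hr-app", NOON, "US")

if __name__ == "__main__":
    for r in (ALICE_HR, ALICE_GIT, ALICE_LATE, BOB_CI, PRINTER_SPOOL, PRINTER_HR):
        print(r.device_id, r.app, decide(r))
```

Note that `decide` never returns a network segment; the only thing an allow names is the single application that was requested, which is the least-privilege scope the text describes. Passing a modified copy of the inventory (for instance with `edr_running` flipped to `False`) shows how the same session that was allowed a moment ago is refused on its next transaction.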
Trust No One When Building a Security Framework
Most of the security measures organizations have in place were designed for traditional networks. Expanding network edges, ubiquitous IoT devices, converged environments and mobile users change what trust means. Zero trust lets organizations apply security consistently across distributed and dynamic environments because it verifies every user and device before granting limited access. ZTA and ZTNA focus on understanding who and what accesses networks and applications, regardless of where the users, devices, data and applications are located.
At the end of the day, the one trust relationship that remains is the one between partners and their clients. Partners' deep knowledge of client networks and policies makes them uniquely positioned to establish ZTA and ZTNA for enhanced security.
Jon Bove is the vice president of channel sales at Fortinet. He and his team are responsible for strategizing, promoting and driving the channel sales strategy for partners in the United States. A 17-year veteran of the technology industry, Bove has held progressively responsible sales, sales leadership and channel leadership positions. Follow @Fortinet on Twitter or Bove on LinkedIn.