The pandemic has changed lifestyles dramatically and redefined the way we work completely. At the same time, most organizations are grappling with enhancing their network security to support new business requirements. Nearly 80% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks, despite increased IT security investments made in 2020 to deal with distributed IT and work-from-home challenges, according to new IDG Research. The challenges are pervasive, from small and medium-sized to larger enterprises across a wide array of heterogeneous network environments.
To face these challenges, the traditional, perimeter-based network defense approach is no longer effective and is shifting to a zero trust paradigm to protect workforces and valuable IT assets everywhere. Choosing the right security solution and optimizing it for your needs in our new era of digital trust has become particularly critical and also complex.
Digital Trust Begins with Getting Digital Identity Attributes
One of the primary principles of Zero Trust Security is “Never trust, always verify” – but never trust what? Obviously, if you can’t see what is connecting to your network, you cannot trust or even control it. Until now, most typical network monitoring tools have only provided general information about connected devices, such as generic names, IP/MAC addresses, port numbers, logging time, and so on. Speaking of generic names, this becomes a major challenge for zero trust security. Receiving only a general platform name, such as “Android phone,” is clearly insufficient to identify the specific device at hand, as we know there are many different brands and versions of Android devices. We need to know whether this is a “Samsung Galaxy S6 mobile phone” or a “Google Nexus 5x mobile phone.” Beyond that, we need to correlate the device name with technical and business contexts, and in real time. Digital trust must be derived from a mix of dynamically changing identity attributes. The critical attributes are as follows:
- An accurate actual image of the specific device platform
- A list of device fingerprinting sources
- Network connection type (wired, wireless)
- The device platforms’ end of life (EOL) and end of support (EOS) data
- The device platforms’ manufacturer and its business status and location (Country)
- Common Vulnerabilities and Exposures (CVE)
Most importantly, this information all needs to be retrieved without disturbing existing, ongoing IT operations.
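To make the attribute list concrete, here is an added Python example (not Genians code, and not how any particular NAC product evaluates devices) that holds the attributes above in a record and derives a network segment from them. The point it illustrates is that missing or generic data never earns trust: a bare “Android phone” name, a platform claim backed by only one fingerprint source, an EOL/EOS platform, or known CVEs each push the device away from production access. The platform catalogue, dates and CVE identifiers are constructed placeholders, and the segment names and thresholds are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Hypothetical set of generic platform names that identify a family, not a specific device.
GENERIC_PLATFORMS = {"android phone", "ios device", "linux device", "unknown"}


@dataclass
class DeviceIdentity:
    """Identity attributes collected for one connected device (fields mirror the list above)."""
    platform: str                        # specific model name, or a generic name if fingerprinting failed
    fingerprint_sources: List[str]       # e.g. ["dhcp", "http-user-agent", "agent"]
    connection: str                      # "wired" or "wireless"
    eol: Optional[date]                  # end-of-life date, None if not announced/unknown
    eos: Optional[date]                  # end-of-support date, None if not announced/unknown
    manufacturer: Optional[str]
    manufacturer_country: Optional[str]
    cve_ids: List[str]                   # CVEs known to affect this platform


@dataclass
class Decision:
    segment: str          # "production", "restricted" or "quarantine" (assumed segment names)
    reasons: List[str]    # human-readable justification, suitable for an audit record


def evaluate(dev: DeviceIdentity, today: date) -> Decision:
    """Derive a network segment from the identity attributes; unknown data never earns trust."""
    reasons: List[str] = []

    # A generic name ("Android phone") cannot be verified against EOL or CVE data: restrict it.
    if dev.platform.strip().lower() in GENERIC_PLATFORMS:
        return Decision("restricted", ["platform name is generic; specific model not identified"])

    # A single fingerprint source can be wrong or spoofed; demand corroboration (assumed threshold).
    if len(set(dev.fingerprint_sources)) < 2:
        reasons.append("platform claim backed by fewer than two fingerprint sources")

    eol_reached = dev.eol is not None and dev.eol <= today
    eos_reached = dev.eos is not None and dev.eos <= today
    if eol_reached:
        reasons.append(f"platform reached end of life on {dev.eol.isoformat()}")
    elif eos_reached:
        reasons.append(f"platform reached end of support on {dev.eos.isoformat()}")

    if dev.cve_ids:
        reasons.append(f"{len(dev.cve_ids)} known CVE(s): {', '.join(dev.cve_ids)}")

    if dev.manufacturer is None:
        reasons.append("manufacturer unknown")

    # Out of support and known-vulnerable means no patch is coming: isolate rather than restrict.
    if (eol_reached or eos_reached) and dev.cve_ids:
        return Decision("quarantine", reasons)
    if reasons:
        return Decision("restricted", reasons)
    return Decision("production", ["all identity attributes verified"])


# Constructed sample inventory; dates and CVE ids are placeholders, not real product data.
TODAY = date(2021, 6, 1)
SAMPLE_DEVICES = {
    "generic": DeviceIdentity("Android phone", ["dhcp"], "wireless", None, None, None, None, []),
    "legacy": DeviceIdentity("Samsung Galaxy S6 mobile phone", ["dhcp", "http-user-agent"], "wireless",
                             date(2019, 1, 1), date(2019, 1, 1), "Samsung", "KR", ["CVE-0000-0001"]),
    "single": DeviceIdentity("Hypothetical Model X laptop", ["dhcp"], "wired",
                             None, None, "Example Corp", "US", []),
    "current": DeviceIdentity("Hypothetical Model X laptop", ["dhcp", "agent", "tls-fingerprint"], "wired",
                              None, None, "Example Corp", "US", []),
}


def evaluate_all(today: date = TODAY) -> dict:
    """Evaluate every sample device and return {name: Decision}."""
    return {name: evaluate(dev, today) for name, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:8} -> {decision.segment:11} {'; '.join(decision.reasons)}")
```

The `reasons` list is kept alongside the segment so that every access decision can be written to an audit trail with the attribute that drove it, which is what makes the decision reviewable later when the attributes change.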
Digital Security Onboarding
Once you acquire the necessary digital attributes, you should be able to map device information with users based on their access privileges. The digital security onboarding process can leverage various IT solutions and security technology, but simply put, you should be able to authenticate, authorize, and audit access activities across various network connections such as VPN, xDSL, and 5G. The following features must be considered:
- Network segmentation using digital identity attributes
- Network traffic analysis
- Least-privilege access
- Multifactor authentication (MFA)
- Multi-layered access control using 802.1x, DHCP, ARP enforcement over VXLAN, SGT-based enforcement, TCP reset, Inline enforcement, and integrated agent actions (NAC/VPN, Windows Firewall)
- Endpoint Detection and Response (EDR)
- Endpoint Behavior Analysis
- Network Detection and Response (NDR)
- Cloud network visibility and policy enforcement
- IT Security Automation via Open API
All in all, this may appear to be a daunting list. Indeed, it represents a comprehensive amount of information and certainly, it is not easy to implement it all at once. We at Genians met similar challenges when the first generation of NAC was being developed in the early 2000s, but we simplified the complexity of the technology and revamped the way to deliver next-gen NAC via the cloud with affordable pricing options. Based on our proven technology and experience, we can now present our Zero Trust Network Access Control (ZT-NAC) solution, which comprehensively accommodates all the features listed above and thereby enhances any enterprise’s Secure Access Service Edge (SASE) architecture.
Now, let’s find out how ZT-NAC works.