Zero Trust is seen as an essential security model to secure enterprise networks. However, security vendors envision the model in different ways. Fortinet determined that secure network access should be the goal. We discussed the topic with Robert Tom, Systems Engineer at Fortinet.
The idea behind Zero Trust is “never trust, always verify”. Essentially, no one is trusted, regardless of whether a user is inside or outside the corporate network. While that distrust may sound strange, it’s meant to allow infrastructure administrators and security professionals to set up more secure environments. That way, users, data, applications, services and corporate assets are optimally secured.
Fortinet has extensive experience in securing infrastructure, so it naturally has its own view of how Zero Trust should operate. In Fortinet's view, the foundation is the verification of users and devices. In an ideal world, there is enough assurance that an employee accessing a network is actually the right person. Traditionally, we use a username and password, possibly with two-factor authentication. In reality, login credentials are frequently stolen and far from reliable. If a company network relies solely on login credentials, hackers are free to cause immense damage.
In Fortinet's view, more verification factors should be included, and these checks need to be performed continuously. “With every session and every application used, various checks need to be in place to find out if the employee is who he says he is and whether the connection can be set up safely. You can set up a lot of conditions to grant access. Strong two-factor authentication can help, as well as a review of the country a user is logging in from. What operating system is being used? And what traffic does a user generate when logging into the network? You could even go as far as checking whether an endpoint has updated antivirus software and whether an endpoint has any vulnerabilities”, Tom explains.
According to Tom, far-reaching authentication allows a company to consistently verify whether the right person is trying to access the network. This is especially useful given the distributed nature of organizations. After all, employees connect from varying locations: branch offices, on the road to customers or working from home. Each situation calls for its own verification factors and built-in security mechanisms, which differ from case to case. As soon as the verification steps deviate from what is normal, the user should be kept outside of the network.
Although intensive authentication creates a more secure environment, it can never be 100 per cent foolproof. This is why Fortinet sees the least privilege principle as an equally necessary component of the Zero Trust framework. Companies that design their infrastructure based on this principle allow users, endpoints and processes to access only the resources they need. For example, a salesperson only needs to access sales tools and other systems to facilitate sales. That’s what the environment must be set up for — nothing more.
In a least privilege architecture, the number of access points to data, infrastructure and applications decreases. If a hacker does manage to get in via stolen credentials, he can potentially access a limited amount of data and applications. It is much more difficult to gain access to other parts of the company network when the rights within the entire organization are precisely assigned by function level. The attack surface decreases drastically.
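The two principles described above, continuous verification of the session and least-privilege entitlement by job function, can be shown as one policy decision. The following is an added example written for this article, not Fortinet code or the behaviour of any Fortinet product; the roles, resources, allowed countries, operating systems and thresholds are constructed assumptions.

```python
"""
Added example (not Fortinet's code): a minimal Zero Trust policy decision
point. Every request is checked against identity, device posture and
context signals, and only then against a least-privilege role table.
All roles, resources, signal names and thresholds below are assumptions.
"""
from dataclasses import dataclass, field

# Least privilege: each job function maps to the resources it needs and
# nothing more. Constructed role table (assumption).
ROLE_RESOURCES = {
    "sales": {"crm", "quote-tool"},
    "finance": {"erp", "payroll"},
    "it-admin": {"crm", "erp", "idp-console"},
}

# Countries and platforms this constructed organisation expects (assumption).
ALLOWED_COUNTRIES = {"NL", "BE", "DE"}
SUPPORTED_OS = {"windows-11", "macos-14", "ubuntu-22.04"}


@dataclass
class Session:
    user: str
    role: str
    mfa_passed: bool
    country: str
    os_version: str
    av_signatures_age_days: int   # days since endpoint AV definitions were updated
    open_critical_vulns: int      # critical findings on the endpoint
    bytes_sent_last_minute: int   # traffic generated by the session


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def verify_session(s: Session) -> list:
    """Return the list of failed verification checks (empty means all passed).
    Meant to be called on every request, not only at login, so a session
    whose posture degrades is caught (continuous verification)."""
    failed = []
    if not s.mfa_passed:
        failed.append("mfa")
    if s.country not in ALLOWED_COUNTRIES:
        failed.append("country")
    if s.os_version not in SUPPORTED_OS:
        failed.append("os")
    if s.av_signatures_age_days > 3:          # constructed threshold
        failed.append("av-outdated")
    if s.open_critical_vulns > 0:
        failed.append("critical-vulns")
    if s.bytes_sent_last_minute > 50_000_000:  # constructed threshold
        failed.append("abnormal-traffic")
    return failed


def authorize(s: Session, resource: str) -> Decision:
    """Zero Trust decision: verify the session first, then check that the
    user's role is entitled to the requested resource (least privilege)."""
    failed = verify_session(s)
    if failed:
        # Any deviation from the expected posture keeps the user outside.
        return Decision(False, failed)
    if resource not in ROLE_RESOURCES.get(s.role, set()):
        return Decision(False, ["not-entitled"])
    return Decision(True, [])


if __name__ == "__main__":
    healthy = Session("alice", "sales", True, "NL", "windows-11", 1, 0, 2_000_000)
    print(authorize(healthy, "crm"))        # allowed
    print(authorize(healthy, "payroll"))    # denied: not-entitled
    stale = Session("alice", "sales", True, "NL", "windows-11", 10, 2, 2_000_000)
    print(authorize(stale, "crm"))          # denied: av-outdated, critical-vulns
```

The order of the two checks matters: posture is evaluated before entitlement, so a compromised or out-of-policy endpoint is refused even for resources its owner would normally be allowed to reach, and a healthy endpoint still cannot reach resources outside its role.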
Setup requires investment
Although the theory behind verification and least privilege is clear, the question of what it means in practice remains. On paper, Zero Trust requires complete insight into the entire company network and the activities within it. At any point in the infrastructure, access must be stoppable if necessary. That is a seemingly impossible task for networks with thousands of applications, employees and network actions.
Therefore, Zero Trust is best seen as something that companies work towards. Zero Trust is not something to implement overnight. Nevertheless, components to partially enforce Zero Trust are usually already in place. Tom encounters companies with Identity and Access Management (IAM), VPN and network access systems and some form of privilege policy. With such measures, Zero Trust only requires a closer look at the network, further tightening it up in certain areas and performing continuous inspection. This is how you approach Zero Trust. Often, you don’t have to start from scratch.
Model to meet new needs
Tom indicates that many companies get excited after hearing about the components of Zero Trust, especially once they realize that the framework is ideal for remote workers. Many companies seek ways to boost security for this group. Remote workers operate outside the traditional perimeter, which weakens the measures already in place. With Zero Trust as envisioned by Fortinet, location no longer matters. Users are only granted access if the policy and authentication process allow it. Every user goes through the same process.
Additionally, even before working from home gained traction, sole reliance on the network perimeter had already lost popularity. Instead of preventing, detecting and addressing threats within the network, the perimeter model focused almost exclusively on keeping threats out. If attackers got inside the perimeter in those days, they had complete freedom to do whatever they wanted. Cybercriminals were aware of that and capitalized accordingly.
Assume you’ve been breached
According to Fortinet, this is why it is best to make Zero Trust a part of modernization projects. In this respect, assuming your company has been breached also works, Tom says. The hypothesis changes companies’ mindsets and ways of working. “If you assume that you have been breached, what could you do to prevent a disaster of tens of millions of ransoms and associated damage? And what steps can you take to reduce a disaster to a minor incident?”
Of course, a company’s exact needs vary by business situation. Tom points to the role of Fortinet’s Security Fabric, the platform that converges solutions. In this view, Zero Trust is a matter of convergence: the principle is addressed with a combination of solutions — FortiGate and FortiClient, in the case of Fortinet. The FortiGate Next-Generation Firewall’s capabilities include keeping advanced malware out of the network, detecting network threats, granting remote access and verifying the applications in use. Furthermore, FortiClient includes agents that securely and conditionally connect endpoints to the Security Fabric and the corporate network. By combining these products, Fortinet lets companies easily deploy Zero Trust capabilities. On top of that, companies can purchase identity management and network access solutions such as FortiAuthenticator and FortiNAC for accurate profiling and authentication of users and devices. The Security Fabric covers everything required by Fortinet’s Zero Trust framework.
Tom also points out a necessary step for companies to take when they assume they have been breached. With so-called segmentation, companies create zones in the network environment and then house assets in these zones. This allows them to apply security measures per segment. The advantage of the zones is that it is more difficult for hackers to move laterally and thus reach assets in other parts of the network. Fortinet offers additional products on top of this to quickly detect and prevent threats within the segments.
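To make the segmentation idea concrete, here is an added example, not Fortinet code and not the policy language of any Fortinet product: a default-deny zone-to-zone policy evaluated against a few constructed flow records. The zones, subnets, permitted paths and the flow-line format are all assumptions; the point is that a flow between two zones is only allowed when an explicit path exists, so a workstation trying to reach the database tier directly is denied and surfaces as something to investigate.

```python
"""
Added example (not Fortinet's code): a default-deny segmentation policy
between network zones, evaluated over constructed flow records.
Zones, subnets, allowed paths and the log format are assumptions.
"""
import ipaddress

# Constructed zones: each zone houses assets of one kind (assumption).
ZONES = {
    "user-lan": ipaddress.ip_network("10.10.0.0/16"),
    "web-tier": ipaddress.ip_network("10.20.0.0/24"),
    "db-tier":  ipaddress.ip_network("10.30.0.0/24"),
    "mgmt":     ipaddress.ip_network("10.99.0.0/24"),
}

# Explicitly permitted zone-to-zone paths as (source, destination, dst port).
# Anything not listed is denied (assumption: intra-zone traffic is permitted).
ALLOWED_PATHS = {
    ("user-lan", "web-tier", 443),
    ("web-tier", "db-tier", 5432),
    ("mgmt", "web-tier", 22),
    ("mgmt", "db-tier", 22),
}


def zone_of(ip: str):
    """Map an address to its zone, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src_ip: str, dst_ip: str, dst_port: int):
    """Return (verdict, reason) for one flow. The default is deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return ("deny", "unknown-zone")
    if src == dst:
        return ("allow", "intra-zone")
    if (src, dst, dst_port) in ALLOWED_PATHS:
        return ("allow", f"{src}->{dst}:{dst_port}")
    return ("deny", f"no-path {src}->{dst}:{dst_port}")


# Constructed flow records ("src dst dst_port"), not real firewall output.
SAMPLE_FLOWS = [
    "10.10.5.23 10.20.0.10 443",    # workstation to web app: expected
    "10.20.0.10 10.30.0.5 5432",    # web tier to database: expected
    "10.10.5.23 10.30.0.5 5432",    # workstation straight to database: lateral move
    "10.10.5.23 10.99.0.2 22",      # workstation to management network: not allowed
    "192.168.1.9 10.30.0.5 5432",   # address outside any defined zone
]


def evaluate_flows(lines):
    """Evaluate each flow line; returns a list of (line, verdict, reason)."""
    results = []
    for line in lines:
        src, dst, port = line.split()
        verdict, reason = evaluate_flow(src, dst, int(port))
        results.append((line, verdict, reason))
    return results


def denied_flows(lines):
    """The denied subset: what a detection rule inside the segments would raise."""
    return [r for r in evaluate_flows(lines) if r[1] == "deny"]


if __name__ == "__main__":
    for line, verdict, reason in evaluate_flows(SAMPLE_FLOWS):
        print(f"{verdict:5} {reason:32} {line}")
```

Two design choices are worth noting. Addresses that fall in no zone are denied rather than assumed benign, because an unclassified asset is exactly the kind of gap an attacker would use to sidestep the zone boundaries. And the denied set is returned as data rather than only logged, so the same evaluation can feed both the enforcement point and the detection logic that watches for attempted lateral movement between segments.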
Road to Zero Trust
All in all, Zero Trust is increasingly falling into place. In itself, it is anything but a new idea. However, security providers’ take on the concept is evolving. Fortinet sees verification, least privilege and the assumption of being breached as starting points. When these principles are followed, the infrastructure is set up according to modern security standards. A necessary time investment for safe networks and keeping hackers out, Fortinet believes.