ZTNA: A World Where You Won’t Be Afraid to Grant Permissions Access

The word trust is a common theme in cybersecurity when it comes to network breaches, yet the idea of lack of trust is what’s highlighted in these breaches. A company’s feeling of safety and security can disappear in a nanosecond once their network has been infiltrated, and all control of networks and applications is lost. For all tech-forward organizations, the feeling of lost control becomes more universal with every new breach to hit the headlines.

While in some industries this scary feeling may be up and coming, in the network security landscape it is not a new phenomenon. Whether from malware, ransomware, or your classic unauthorized access network breach like we saw with Capital One, zero optimism is entertained concerning the safety of companies and individuals from hackers. Awareness of one’s level of vulnerability is a prerequisite to safety and enables one to take pragmatic steps to secure their data.

Rethink the Approach for Network Security 

Until recently, the organization’s IT and security teams primarily focused all their security efforts on fighting off different attacks on the perimeter. While this was the right approach when everyone worked in the same office, times have changed. Due to COVID-19 accelerating the “work from anywhere” approach, we need to rethink network security strategies and pivot them around the user instead of where the network is based. 

With more employees working outside the physical office, there is a quickly growing number of endpoints for hackers to attack. In most organizations, the typical employee uses multiple devices to do their daily job. Is each device secure? The answer is probably yes – but you can’t be certain. With every unsecured device, organizations’ networks are taking an unnecessary risk. When networks are breached, the process of understanding where and how access was gained is not instant, and by the time you have your answers, it is too late.

IT and security teams need to change their approach, and instead of solely emphasizing perimeter security, transform their employees’ permissions and access policies. One of the most common mistakes organizations make is trusting their users when it comes to authorized access. When you provide unrestricted access to any user or device in your network, you simply open the gates for your organization’s network to be breached. 

Once a user or organization is compromised, their credentials can easily be used to infiltrate the network, especially with different attacks. This presents the idea that organizations need to have better visibility when it comes to authorized user access to their network. So how can organizations trust their employees once again?

Zero Trust Helping Us Trust Again 

Can we trust our employees once again, and reduce their responsibility and impact as guards of the organization’s network against hackers? I believe we can, as humans are meant to be trusted even though in many instances human error puts that trust in doubt. People aren’t perfect, we all make mistakes, but we must account for them proactively.

A common approach to secure network access that has gained popularity over the past decade is implementing the Zero Trust model. Zero Trust was originally proposed by Forrester in 2010, with the motto “never trust, always verify”. This is the idea that until users can verify themselves via authentication, they will not receive access to the network. Zero Trust is not a specific product or architecture; instead, adopting it means taking a more modern approach of setting up organization-wide guidelines inside the company’s resources.

By implementing the ZTNA model for secure network access, IT teams will have full control over who is granted access and who enters and leaves the network at all times. For each network, resource or application, there should be a set of rules and policies in place enforced by the key elements of the Zero Trust model: multi-factor authentication, proper device management, limited privileged access and network segmentation using software-defined architecture.

ZTNA The Approach Not the Model 

Organizations that take the right approach with ZTNA can erase the concept of trusting in their employees and won’t be afraid to grant access. To achieve secure network access inside your organization you will need to have the proper principles implemented and distributed throughout the company. Treat Zero Trust Network Access as a manual for how organizations should strategize and “trust” their employees with the keys to the kingdom.

SASE and Zero Trust Are a Perfect Match

As more and more organizations are shifting their resources and applications to the cloud, we are seeing how edge computing is changing networks. These organizations must enforce policies on their employees for access to the networks and resources which are now in the cloud or on-premises. Additionally, employees are working remotely more than ever and their employers are seeing more applications and cloud services being consumed outside the traditional workplace. 

With the move to a remote workforce, the outdated hardware we once depended on is creating more issues by the day. The traditional network security architectures and solutions that pinned data to the headquarters of most organizations are a thing of the past. The challenge is that these organizations now need to provide their data and services no matter where their employees are located. 

Today, companies are adopting a more user-centric approach, which will provide a flexible network model for the remote workforce and cloud resources and services which must be accessible for employees around the world. This new model is forcing organizations to implement edge networks, connecting users to networks closer to their location and thus providing a more agile and secure access model to their organizations’ networks.   

To protect these networks, organizations typically shop around in the cybersecurity and network security solutions space, which is highly segmented and offers an endless number of different solutions from many vendors. Instead of simplifying the consumption of cybersecurity, these services are complicating what should be a smooth transition for integrating solutions in an organization’s network environment. The entire security space needs to join forces and offer a holistic approach to cybersecurity, and this is where the idea of Secure Access Service Edge or SASE comes in.

New Kid on the Block

Secure Access Service Edge (SASE), pronounced “sassy,” is a new cloud-based network security model that was coined by research firm Gartner. It combines the different functions of network and security solutions into a unified cloud platform to be delivered as a service with little or no hardware and appliances required. The key solutions in a SASE platform are ZTNA, SD-WAN, CASB, FWaaS and others. This unified platform will help organizations by simplifying secure access to critical resources and networks. The more streamlined model allows IT security teams to easily connect and secure all of their organization’s networks and users in an agile, cost-effective and scalable way.

Gartner also suggests that SASE offerings will offer policy-based “software-defined” secure access with a more agile and flexible networking where security and IT professionals of organizations will be able to customize the level of security, performance, reliability, and cost of every network session based on the identity of each user and prioritization of access needed. 

SASE enables the consumption of integrated network security services, which promotes the adoption of digital transformation, edge computing, mobile workforces and identity and access management. Further to more advanced security and networking, key benefits include IT productivity, cost reduction, efficiency and flexibility to adopt new business services. Additionally, SASE enables organizations to update their security solutions against new threats and establish policies more quickly for the agile adoption of new security capabilities. For organizations looking to adopt the SASE model for their network security, it’s important to implement a solution that hinges on the Zero Trust approach.

Zero Trust is a Process, Not a Product

Zero Trust (ZT) is a decade-old security approach that is based on the idea that organizations can’t automatically trust anything inside or outside their perimeters, but instead should verify anything and everything before granting access. They must also keep an eye on users within their borders at all times, and be able to get a warning when (and where) exposure is imminent. This Zero Trust model to secure network access services allows for the delivery of high-security, enterprise-wide network services virtually, and on a subscription basis for small and mid-market to large enterprises.

“Companies cannot afford to trust internal network traffic as legitimate, nor can they trust employees and partners to always be well-meaning and careful with systems and data. To manage the complexities of their environment without constraining their digital transformation ambitions, many companies are moving toward a Zero Trust (ZT) security model — a more identity- and data-centric approach based on network segmentation, data obfuscation, security analytics, and automation that never assumes trust,” states analyst firm Forrester Research. 

When implementing a Zero Trust security architecture, IT managers must isolate resources within their IT infrastructure using micro-segmentation. By dividing network resources at a granular level, organizations tune security settings to different types of traffic and create policies that limit network and application flows to only those that are explicitly permitted. This network micro-segmentation approach allows security teams the flexibility to apply the right level of protection to a given workload based on sensitivity and value to the business.
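The default-deny flow policy described above can be sketched as follows. This is an added example, not code from the original article or any vendor product; the segment names, address ranges, ports and sensitivity labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str
    sensitivity: str        # "low" or "high", assigned by the business owner


@dataclass(frozen=True)
class Rule:
    src: str                # source segment name
    dst: str                # destination segment name
    proto: str
    port: Optional[int]     # None means "any port"


# Constructed sample data (assumptions, not taken from the article).
SEGMENTS = [
    Segment("remote-users", "10.8.0.0/16", "low"),
    Segment("web", "10.20.1.0/24", "low"),
    Segment("app", "10.20.2.0/24", "low"),
    Segment("db", "10.20.3.0/24", "high"),
]
RULES = [
    Rule("remote-users", "web", "tcp", 443),
    Rule("web", "app", "tcp", 8443),
    Rule("app", "db", "tcp", 5432),
]


def segment_of(ip, segments=SEGMENTS):
    """Return the most specific segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [s for s in segments if addr in ipaddress.ip_network(s.cidr)]
    return max(hits, key=lambda s: ipaddress.ip_network(s.cidr).prefixlen,
               default=None)


def decide(src_ip, dst_ip, proto, port, rules=RULES, segments=SEGMENTS):
    """Permit a flow only if an explicit rule covers it; everything else,
    including traffic between hosts in the same segment, is denied."""
    src, dst = segment_of(src_ip, segments), segment_of(dst_ip, segments)
    if src is None or dst is None:
        return False, "deny: address outside every defined segment"
    for r in rules:
        if ((r.src, r.dst, r.proto) == (src.name, dst.name, proto)
                and r.port in (None, port)):
            return True, f"allow: {r.src} -> {r.dst} {proto}/{port}"
    return False, (f"deny: no explicit rule for "
                   f"{src.name} -> {dst.name} {proto}/{port}")


def overbroad_rules(rules, segments=SEGMENTS):
    """Flag any-port rules that reach a high-sensitivity segment, so the
    protection level stays matched to the workload's value."""
    high = {s.name for s in segments if s.sensitivity == "high"}
    return [r for r in rules if r.dst in high and r.port is None]


if __name__ == "__main__":
    print(decide("10.20.2.15", "10.20.3.9", "tcp", 5432))  # app -> db
    print(decide("10.20.1.5", "10.20.3.9", "tcp", 5432))   # web -> db
    print(decide("10.20.1.5", "10.20.1.6", "tcp", 22))     # web -> web
```

Running `overbroad_rules` over a proposed rule set before it is deployed catches any-port access to sensitive segments during review rather than after an incident.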

Today’s digital businesses need security technology partners that offer a range of capabilities that are easy to use and integrate, improve their network visibility and support the ZT model. The modern enterprise places a high value on partner solutions which can apply security controls across environments uniformly and quickly, with features that allow them to modify security policies and access as business needs change. This is where the SASE comes into play with a Zero Trust mindset. 

Zero Trust in a SASE World

Given that the Zero Trust network access model is geared around data access controls and visibility to organizations’ corporate resources, it’s easy to understand why Zero Trust and the SASE model are a perfect match. The two core elements of every SASE platform are its CASB (Cloud Access Security Broker) and the ZTNA (Zero Trust Network Access) solutions. 

By implementing both CASB and Zero Trust, organizations can control their users’ activity and access based on preassigned rules created by the IT team.

This will allow them to fully monitor their employees’ access to the different resources inside their network. But restricting user access to specific cloud resources based on each user or team of users isn’t the only feature that makes Zero Trust so attractive for organizations looking to implement the SASE model. The importance of complete network visibility is also a deciding factor.

As organizations implement SASE platforms with a Zero Trust model that has CASB, ZTNA and Layer 7 (the application layer) integrated, IT managers have full control and visibility of users’ access throughout their organization’s networks and applications. Additionally, any organization’s Zero Trust solution should be able to integrate easily with their current IAM – for example Azure AD, Okta and MFA.

With SASE-compliant solutions such as Zero Trust Network Access, the number of agents required on a device will be reduced to a single agent or device with streamlined access policies that do not require user interaction, while at the same time providing a consistent access experience regardless of the location or resource requested. By providing Zero Trust protection of user sessions seamlessly and consistently on and off the enterprise network, SASE solutions will offer end-to-end encryption as well as web application and API protection (WAAP) services. Using Zero Trust Network Access, SASE platforms will also extend protection to endpoint devices for public Wi-Fi network protection to protect remote workers. This dual-sided approach is crucial as endpoints pile up and expand their reach into organizational networks from afar.

There is No SASE Without Zero Trust 

As we are seeing a massive shift for organizations of all sizes moving to a more modern user-centric model, where the cloud and mobile are the center of attention, we need to adopt an approach that helps them enable better and more flexible security. The model we’ve been waiting for is here and it now has a name: SASE.

This new approach will allow organizations to easily control their security and connectivity all under one platform. However, we must not forget that the Zero Trust model is a cornerstone of SASE and in a way, is a reason it can be defined as “unified”. Implementing Zero Trust alone is a strategy that gets companies most of the way there, in terms of security, but as this approach is delivered as a service alongside other functions, SASE begins to materialize. In the future, instead of thinking that Zero Trust and SASE are each a stand-alone offer, they will both reinforce each other to provide a revolutionary offering.  

Can Zero Trust Redeem Fintech?

Though the ripples are gentler than they once were, the wake of the 2008 financial crisis is still felt today. Financial regulators around the world have since adopted laws that increase transparency and scrutiny alike, making it difficult for traditional banks to operate as opaquely as they once did. This has opened the market wide for tech-assisted financial services that people like to refer to as fintech.

It’s a mistake to assume that fintech innovations come from independent programmers or garage development shops, though fintech has lowered the barriers to entry for providing financial services. Almost all of the world’s biggest banks and institutions invest heavily in fintech for their own products in order to stay competitive, and accordingly the market is enormous, estimated to claim upwards of $4.7 trillion of the sector’s total revenue.

However, opening a market may also mean exposing something within it, and alongside a rash of serious breaches in the last decade, fintech’s pace of innovation is now threatened by its inability to be a trustworthy custodian of customer data.

Technology Both a Catalyst and a Cure

The fintech sector is responsible for many new ideas, some of them the same types of products and investment instruments we already have, like loans, but improved. Others, like crowdfunding, robo-advisors, and mobile payments are new and could have only existed with the addition of technology. An online lender that uses an algorithm to match someone’s credit profile with applicable lenders, do a credit check, and approve the loan within 24 hours is a good example.

Despite convenience, a series of serious data breaches in the sector have customers thinking more about how complex fintech services like this handle their data, and regulators’ ears have perked up as well. Credit and identification details must be entered into an online database, trade hands, and be processed and sometimes stored and shared externally. It may result in an approval a hundred times faster than going into the bank, meeting with a loan agent and filling out forms, but it comes with risks that customers shouldn’t be forced to consider.

Even after GDPR laws went into effect, cyber attacks on EU companies increased to a rate of one attack every five minutes, and these days the bigger the company the harder they fall, with damage that’s both hurtful to their brand and to the bottom line. For organizations in the sector, innovation and the intricacy of data structures has resulted in growth, even if customer trust lags behind. Regulations like GDPR and MiFID II are pushing against this notion, just in time for technology like Zero Trust security to provide an answer: remove trust from the equation altogether.

Zero Trust: Few Can Step Into the Vault

What’s so safe about a brick and mortar bank? Cameras are there to watch all entrants and occupants at all times. The money is tucked away behind layers of security and many walls and floors. Only a few employees have access to the vault – where the customers’ most sensitive possessions are – and there are alarms everywhere. How can online financial services providers redeem this level of security?

At a time when hackers are more clever than ever and regulations are boosting enforcement, Zero Trust security solutions represent a redemption. In terms of product, Zero Trust is a platform integrated across financial service providers’ networks to enable a superior level of protection for all the data their employees even get close to touching. It accomplishes this by giving IT control over which employees have access to certain parts of the network, and oversight over who enters it and what they do.

Using Zero Trust solutions, finance companies and banks can regain the confidence of the market, move faster towards growth and tech initiatives, and take a zero-tolerance approach to compliance, ending an era where data breaches are the new normal. There are three ways it can do so:

With segmented policy access: Don’t give every employee the key to the bank vault. This makes each employee as big a risk as the last, no matter their personal security hygiene. For a platform that helps someone do their taxes and submit the correct forms, an accelerated personal lender, or even a regular online bank, Zero Trust creates specific user access policies at the individual application and even file level, rather than providing full data access to any employee with a password. 

Employees of financial institutions only have access to the least amount of sensitive resources required to do their jobs, and no more. This significantly reduces the number of relevant targets for hackers, and lessens the impact of employees with poor security habits. Access is often synonymous with speed, however, and so banks with staff who wear multiple hats – a necessity in this era of customer convenience – can rely on other aspects of Zero Trust.

By monitoring the network: The equivalent of cameras to watch and record all corners of the bank, activity monitoring features are a central aspect of Zero Trust and run constantly when users are connected to the network. Suspicious activity is more visible to IT, which can then prioritize the threat and close the gap if necessary. Zero Trust also means zero tolerance, after all, so having proof of what occurred on the network in black and white is necessary for ideas that are crucial for financial services companies, such as compliance reporting. A central management dashboard reduces the manpower requirements of monitoring and also can funnel data to other processing tools that look for deeper insights. 

By securing network access: Though resources like files and applications can be segmented with the least-privilege principles of Zero Trust, it still benefits security to install multiple layers of identification and protection at the edge of the network. Encrypted IPsec tunnels, provided by a standard enterprise VPN, business VPN, or IPsec VPN, stretch across the network and cloud and require employees to first connect through an application before being allowed inside. This also offers the chance to integrate other network-wide features such as automatic Wi-Fi protection (which cuts the internet off should the VPN connection fail), multi-factor authentication for extra device-based security, and web filtering tools that limit what network-connected devices can access on the internet.
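The three mechanisms above (application- and file-level grants, recording every decision, and tunnel plus multi-factor checks at the edge) can be combined in one authorization step. The sketch below is an added example, not code from the original article or a product; the roles, application name, paths and request fields are constructed assumptions.

```python
import fnmatch
import posixpath
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    role: str
    app: str
    path_glob: str       # fnmatch pattern; note that "*" also matches "/"
    actions: frozenset


# Constructed least-privilege policy for a hypothetical lending application.
GRANTS = [
    Grant("loan-officer", "loan-portal", "/applications/*",
          frozenset({"read", "update"})),
    Grant("support", "loan-portal", "/applications/*/status",
          frozenset({"read"})),
]


def authorize(req, grants, audit_log):
    """Decide one request with default deny and record the outcome.
    Allowed and denied requests are both logged for compliance reporting."""
    # Collapse "../" segments so a traversal cannot slip past the glob match.
    path = posixpath.normpath(req["path"])
    if not req.get("via_tunnel"):
        decision, reason = "deny", "not connected through the encrypted tunnel"
    elif not req.get("mfa_verified"):
        decision, reason = "deny", "multi-factor authentication not completed"
    elif any(g.role == req["role"] and g.app == req["app"]
             and req["action"] in g.actions
             and fnmatch.fnmatchcase(path, g.path_glob) for g in grants):
        decision, reason = "allow", "matched an explicit grant"
    else:
        decision, reason = "deny", "no grant for this role, resource and action"
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req["user"], "role": req["role"], "app": req["app"],
        "path": path, "action": req["action"],
        "decision": decision, "reason": reason,
    })
    return decision


def denials_by_user(audit_log):
    """Count denied requests per user, a simple signal for IT to prioritize."""
    return Counter(e["user"] for e in audit_log if e["decision"] == "deny")


def sample_request(user, role, path, action="read", mfa=True, tunnel=True):
    """Build a constructed request record for the demonstration."""
    return {"user": user, "role": role, "app": "loan-portal", "path": path,
            "action": action, "mfa_verified": mfa, "via_tunnel": tunnel}


if __name__ == "__main__":
    log = []
    for r in [
        sample_request("dana", "loan-officer", "/applications/42/credit-report"),
        sample_request("eli", "support", "/applications/42/credit-report"),
        sample_request("eli", "support", "/applications/42/status"),
        sample_request("dana", "loan-officer", "/applications/../vault/keys"),
    ]:
        print(r["user"], r["path"], "->", authorize(r, GRANTS, log))
    print(dict(denials_by_user(log)))
```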

Trust is an Achilles Heel

With these tools, IT teams at banks and fintech companies can safely abandon the defenses they used to post at the network perimeter. Zero Trust lets them build a more agile, aggressive security apparatus which refocuses on users and employees instead. That’s an important milestone when the reality of financial breaches is that it’s often sloppiness or negligence that exposes customer data, not an intrepid hacker genius. For Equifax and JP Morgan, failure to patch and install 2-factor authentication on crucial servers, respectively, caused irreparable breaches of customer data and industry damage. 

Hackers search endlessly in repetitive fashion across employees, devices, and systems for these kinds of human errors, and so an idea like Zero Trust not only makes gaps less common, but also reduces their impact and improves accountability. It’s the type of safety net that helps organizations like healthcare providers and financial service providers meet compliance expectations confidently, and meet the pace of innovation they’ve so far set for themselves without looking back.

Zero Trust a Frontline Defense Against Healthcare Attacks

To optimize their nefarious efforts, hackers often employ the admittedly logical strategy of targeting only the most lucrative sources of personal information. With this in mind, medical records bring a particularly greedy gleam to their eyes. The value of a stolen healthcare file is quite literally ten times that of standard identity theft, with hackers able to squeeze about $2,000 out of a hijacked identity, on average, while the amount and type of information contained in one’s medical records often means profits of up to $20,000.

For hackers, Personal Health Information (PHI) is a veritable treasure trove of rubies, sapphires, and other precious gems in the form of birthdates, family names (useful for cracking passwords), social security and tax identification numbers, and other data tied to receiving medical care. The value of this information is hard to overstate, but multiple other factors have compounded to make PHI more vulnerable than it should be. Healthcare providers struggling with the security of their patients’ data are now beginning to realize the solution is right in front of them: don’t trust a soul.

PHI and Hospitals: A Perfect Storm

A volatile mixture of factors has created the biggest ever hoard of hackable personal data – and it’s in the hands of the industry least prepared to cope. Complete medical files contain identifying data that is nearly impossible to change on the fly, such as one’s SIN. Once this information is exposed, the lengthy time to a resolution offers hackers days or weeks to defraud patients before the tap runs dry. Moreover, the haphazard implementation of IoT devices and other machines used in patient care gives hackers a way to affect patients’ health, and not only their wallets.

 Image from Comparitech, 2020

In attending to those under their care, hospital staff are overworked and simply don’t have time to consider the implications of their substandard security hygiene. Their priority is to utilize the complex and precariously stacked array of applications, network resources, and internet-connected devices that help them do their jobs. Any downtime is a health risk, and so resistance to multi-factor authentication and other best practices is the norm. In networks with multiple attack vectors, highly valuable data, and negligent (if well-meaning) workers, it’s clear a low-touch security strategy is necessary to raise the lowest-hanging fruit out of hackers’ reach.

Zero-Trust is the Exclusive Answer

One of the most glaring trends to illustrate this idea is that it took until 2017 for the majority of breaches to originate from hackers, rather than from individual security mistakes within healthcare organizations. Though healthcare had been a ripe target for hackers long before then, that sheer insider negligence outpaced intentional breaches for so long is a scary thought – especially for providers who put a premium on HIPAA compliance. In one particularly cringe-worthy example, it took a whopping 14 years before a PHI breach was discovered and closed.

Providers in the healthcare industry are now forced to confront the fact that their highly-educated workforce simply doesn’t have the security education to be trusted. Many are therefore adopting Zero Trust as a network access model, which takes a different approach to security. In traditional network security solutions, once a doctor had the authorization to enter the network, he or she was trusted within every corner of it, full stop. Accordingly, at a time when one in five healthcare workers are willing to sell PHI for as little as $500, Zero Trust is key.

Why Trust is Obsolete

Zero Trust is aptly named because it enables IT managers to implement a security model where absolutely no one is trusted, and all who enter the network are both allowed only into the places they’re supposed to be and monitored at all times. If you don’t need to see certain parts of the network, you can’t, nor can you do anything compromising inside it without setting off alarm bells in the IT room. For regulatory compliance such as HIPAA, this level of vigilance isn’t frivolous, it’s necessary.

In hybrid-cloud environments like the ones commonly implemented by healthcare providers, Zero Trust is much safer than perimeter-centric security models simply because the perimeter is no longer there. It’s constantly moving, and constantly being accessed by a range of devices and people with varying degrees of protection. As Zero Trust segments users only into the areas they absolutely need to be in, the number of accidental insider breaches and those coming from the outside are decimated. 

The idea behind Zero Trust is one thing, but arriving there is another. Healthcare providers should look to network security solutions that implement a Software Defined Perimeter (SDP) as their foundational step towards winning the ongoing cyber war. Supplementing this SDP solution with security awareness education is also important. Healthcare workers need to recognize that they face daily threats regarding data security, and to learn what their role is in securing the network. This dual-edged strategy is robust, but it will never stave off hackers entirely; PHI is just too lucrative. What it will do, however, is make hacks expensive and difficult enough to dissuade bad actors, shooing them away to the next most vulnerable industry. Better there than here.
