Taking Zero Trust to the Edge

zero trust security model secured network picture id1313494602

No one can deny that networks have changed. With the rise in remote working and multi-cloud adoption, the traditional idea of the enterprise perimeter has changed. The move to cloud and hybrid networks made traditional leased line networks used for routing traffic back to data centers less relevant. Now networks are distributed and complex with more edges. Instead of a data center as a hub of the network, now software-defined wide area networks (SD-WAN) are characterized by application-aware dynamic routing and security.

To save bandwidth and reduce latency, computation and data storage is being moved to the enterprise edge so it is as close to users as possible. But creating these additional network edges results in increased levels of complexity. Today's networks have edges from IoT edges, home edges, branch office edges, headquarters edges, enterprise data center edges, and a multitude of cloud edges.

This evolution of perimeter defenses to the advent of cloud-based security services requires a new level of visibility, control, and correlation. Traditional perimeter-based security is based on location. Anything able to pass by an edge security device gains access to the network. But in today's work-from-anywhere world, this model no longer makes sense. To address edge security, organizations are looking to the zero-trust security model, which takes the opposite approach: no user or device can be trusted to access anything until proven otherwise.

Zero trust principles

The basic concept behind zero trust is that no device or user can be granted inherent trust because of their location on the network. This fundamental concept that anything could be compromised means everything must be inspected before access is granted.

The zero trust model uses the principle of least privilege, which means after a device and user is verified, only the appropriate trust required is granted and nothing more. But now many users and devices connect to the corporate network from public wireless networks.

Implementing a zero trust–based approach and properly segmenting edge compute is a powerful strategy for ensuring least-privileged access and control. Building a zero-trust model using a unified security platform approach that spans your cloud computing ecosystem helps consolidate security across all edges. It simplifies the protection of the expanding attack surface regardless of where users or devices are located. It also enables a single-pane-of-glass management model that makes security visibility and policy orchestration less complex and more flexible, and enables automation to span the entire distributed network.

Evolution of VPN tunnels

Zero Trust Network Access (ZTNA) brings zero trust principles to remote access. It is the natural evolution of VPN technology because it offers better security, more granular control, and a better user experience.

Although VPNs have been around for years, the problem is that they take a perimeter-based approach to security. The assumption is that anyone or anything that passes the network perimeter controls using an encrypted connection can be trusted. But that's a reckless assumption, and cybercriminals have noticed. The rise in remote work has turned many more vulnerable home networks into new edges of distributed corporate networks. Bad actors are increasingly targeting unsecured or undersecured IoT devices to gain access to home networks and using VPN connections to get into the corporate network.

ZTNA can help keep out the people and devices that shouldn’t be accessing the network. And it provides visibility and control of those entities once they are connected. Like the market shift from IPsec VPN and WAN edge to SD-WAN, it’s time to shift SSL VPN and user-edge to ZTNA.

Scaling ZTNA

To scale ZTNA across the entire enterprise requires going beyond just cloud-based SASE-only options, particularly if organizations still need access to the data center and private clouds. A better approach integrates network and security configuration, management, analysis, and policy control into a single platform.

Converging networking and security in this way provides the visibility and control required by a NOC, SOC, or hybrid operations center. Running firewalls that have security processors with ZTNA built in with parallel security and networking stacks offers certain advantages in scaling because of the underlying secure connectivity. And in today's work from anywhere world, it's important to be able to extend security to wherever users may be, whether on premises, at home, or on the road.

Discover how Fortinet’s Zero-Trust Access framework allows organizations to identify, authenticate, and monitor users and devices on and off the network.


Copyright © 2021 IDG Communications, Inc.