3 tests to guarantee zero trust network security
The COVID pandemic has highlighted the challenges of securing an expanding corporate network that must support more and more remote workers, an ever-increasing diversity of devices and frequent mobility. Praveen Jain, founder and CEO of cloud networking startup WiteSand, spoke with eSecurity Planet about the challenges of maximizing security in today's environment, the value of a zero trust model, and three key questions to ask to make sure you're on the right track.
There is an inherent weakness in how security too often relies on a trust-but-verify model, in which endpoints are given access to the network and are only quarantined once they are determined to be infected, Jain, a former senior vice president at Cisco and founder of Insieme Networks, told eSecurity Planet.
The problem with this approach is that malware can sit idle on a user device for a long time before threat actors move laterally across the network, and most of today's methods rely on perimeter security that will not notice this traffic flow.
Using a zero trust model instead, Jain said, ensures that endpoints only get access to the network after authentication, and recognizes that most traffic will likely go to the Internet or a private data center, limiting lateral movement within the network via default-deny policies (with exceptions for printers, conferencing, etc.). "There really is no reason for laptops to talk to each other," he said.
Network security becomes more complex
Networking and security are much more complex today than they were just a decade ago, when trust-but-verify was enough. "The rise of remote working gave birth to the 'enterprise without borders', characterized by the fluid movement of workers between home and office, and by the proliferation of devices – mobiles, laptops, tablets – used to do business," Jain said. "The pandemic has added fuel to the fire by accelerating the irreversible trend."
Now that it is no longer enough to apply security only at the entry and exit points of the infrastructure, security must be ubiquitous and based on zero trust, Jain said. "As the pandemic abates and employees return to work, the potential threats from unpatched laptops and new mobile devices acquired during the pandemic require increased attention to securing campus and branch office networks from the spread of zero-day attacks," he said.
The answer, Jain said, is to deploy a series of security tools at different layers, without any implicit trust placed in a device. “Every user or device – local or remote, wired or wireless – must be authenticated and authorized before granting access,” he said. “As a preventative measure, the ideal would be to block all unwanted communications between users and devices on the corporate network so that, in the event of a zero-day attack, its lateral movement is limited.”
The pandemic has clearly demonstrated the power of isolation to prevent viral contagion, and the same holds for protecting corporate networks. "Many organizations are concerned about implementing so-called isolation or microsegmentation in the existing network because they have little or no knowledge of the communication patterns between devices and users to determine what is valid versus what isn't," Jain said. "Given an already functioning network, they often tend to leave the question unanswered."
New security tools that let you operate in monitor-only mode first and then selectively block unwanted communications can be a good way to fill this gap, Jain said.
Jain, who held positions at three startups acquired by Cisco (former Cisco CEO John Chambers now heads Pensando Systems, a cutting-edge IT startup co-founded by Jain), now heads WiteSand, which emerged from stealth mode in June with $12.5 million in seed funding and is billing itself as the first "zero trust network as a service." He spoke with eSecurity Planet about what he considers three important network security tests.
Three network security tests
Jain suggests using the following three basic tests to assess the security of a corporate network:
- Can you ping your peers' laptops from your laptop in the office? "There's a good chance you can," he said. "It is worth asking why this communication is allowed. Is it really necessary to connect to other employees' laptops? Why aren't laptops isolated from other laptops? The problem with this open communication is that if one of the employee laptops is infected with a zero-day exploit, it can spread sideways to other laptops."
- Are your IoT and other devices properly segmented? "If your IoT camera is supposed to talk to an on-site DVR to store the recordings, are they fully segmented to only allow that communication? Otherwise, any attack on an IoT camera or DVR can spread laterally to other parts of the network."
- Do any of your offices still use a pre-shared password to connect to corporate Wi-Fi? "You may think, 'No way!' But you'll probably be surprised at the reality, unless you've deployed a network access control solution or equivalent capable of authenticating employees against a trusted corporate identity source such as Active Directory. If this is not the case, be aware that a former employee can access the company's Wi-Fi network from the company's parking lot."
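The "monitor first, then selectively block" approach and the first two tests above can be checked against captured flow records. The following is an added example, not code from the article or from WiteSand; the campus range, device inventory, allow-list and flow records are all constructed sample data.

```python
"""Audit flows captured in monitor-only mode against a default-deny policy."""
import ipaddress
from collections import Counter

CAMPUS = ipaddress.ip_network("10.1.0.0/16")  # constructed campus range
# Constructed inventory: address -> device role (hypothetical sample data).
INVENTORY = {
    "10.1.10.11": "laptop", "10.1.10.12": "laptop", "10.1.20.5": "printer",
    "10.1.30.7": "camera", "10.1.30.100": "dvr",
}
# Explicit exceptions (src_role, dst_role, dst_port); all other campus-to-campus flows are denied.
ALLOW = {
    ("laptop", "printer", 9100),  # raw printing
    ("laptop", "printer", 631),   # IPP
    ("camera", "dvr", 554),       # RTSP from camera to the on-site recorder
}

def parse_flow(line):
    """Parse one constructed record: 'src dst proto dport' (dport 0 for ICMP)."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}

def classify(flow):
    """Return 'north-south', 'allow', 'deny' or 'unknown-device' for one flow."""
    if ipaddress.ip_address(flow["dst"]) not in CAMPUS:
        return "north-south"  # Internet or data-center bound; out of scope here
    src_role, dst_role = INVENTORY.get(flow["src"]), INVENTORY.get(flow["dst"])
    if src_role is None or dst_role is None:
        return "unknown-device"  # unidentified device: onboard it, don't add an exception
    return "allow" if (src_role, dst_role, flow["dport"]) in ALLOW else "deny"

def audit(lines):
    """Tally verdicts; return (Counter, list of flows a default-deny policy would block)."""
    verdicts, to_block = Counter(), []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        verdicts[verdict] += 1
        if verdict == "deny":
            to_block.append((flow["src"], flow["dst"], flow["proto"], flow["dport"]))
    return verdicts, to_block

SAMPLE = [  # constructed records from a monitor-only phase
    "10.1.10.11 10.1.10.12 icmp 0",     # laptop pings a peer laptop (test 1)
    "10.1.10.11 10.1.20.5 tcp 9100",    # laptop prints: listed exception
    "10.1.30.7 10.1.30.100 tcp 554",    # camera streams to its DVR (test 2)
    "10.1.30.7 10.1.10.12 tcp 445",     # camera reaches a laptop: lateral movement path
    "10.1.10.12 203.0.113.10 tcp 443",  # laptop to the Internet
    "10.1.10.11 10.1.40.9 tcp 22",      # destination not in inventory
]
```

Running `audit(SAMPLE)` flags the laptop-to-laptop ping and the camera-to-laptop flow as the two records a default-deny policy would block, while the unidentified 10.1.40.9 device is reported separately so it is onboarded rather than silently allowed.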
Another way to maximize security against today's threats is to deploy a "network DVR" that records all authentication events for all devices, allowing you to look back and see who was affected, when and where they were affected, and whether anyone else was affected. "With all of the activity recorded – all employees, BYOD, guests, and IoT devices – a complete forensic record exists," Jain said.
Ultimately, Jain said, the goal should be to move away from manual configuration, working towards 360-degree visibility of the network to ensure consistent policies across all devices and locations.
Further Reading: Zero Trust Cannot Protect Everything. Here is what you need to watch.