With ransomware skyrocketing and credential phishing established as a primary attack vector during COVID, the pandemic has accelerated the need to reinvent remote access. Zero Trust Access is the answer. Geert Busse, NGS Business Lead, EMEA, tells how, alongside our Next Generation Solutions (NGS) vendors, we presented the four essential requirements for modern Zero Trust Access to our partners last month.
The global pandemic has had profound effects on the enterprise, with remote working rolled out on an unprecedented scale, increased adoption of cloud resources and applications, and the transition to greater workplace flexibility. These changes bring security challenges, and organisations that implement Zero Trust Access will be much more resilient to threats and crises both in the pandemic and beyond.
Zero Trust Access can be defined as ‘never trust, always verify’ access to the internet, data and applications, with verification applied to people, devices, traffic and interfaces before access is granted. Let’s look at the four requirements underpinning this approach.
1. Look at where your data resides
First you need to understand where your data resides, which means performing data identification and classification. This data can be personally identifiable information (PII), payment card information (PCI), intellectual property (IP) or other sensitive data.
We should know when the data was created, by whom, where it is stored, and how and with whom it can be shared. This data identification and classification should be integrated with day-to-day workflows to provide critical context around all your data. It’s this data context that connects every part of the Zero Trust ecosystem.
Persistent metadata achieved by classification applied to documents and emails can be leveraged by your entire downstream security stack.
2. Define your users
Zero Trust requires all access to be authenticated to ensure security. To achieve this, an authentication authority is needed that validates and provides user identity, device and context data across a broad range of resources. This can be based on open standards, as is often the case for cloud resources, or on proprietary adaptors for on-premises or legacy applications.
The critical risk factors can be verified at each point of access, starting with user attributes such as roles, group memberships, time and country of access. Also important are device attributes. Are these unmanaged or managed devices? Is their operating system up to date? Is in-session behaviour baselined against normal usage patterns? Zero Trust means that all these attributes must be verified at every point of access before an access decision is made.
3. Define what your users can access
Unified access to data and applications should be based on least privilege: the minimum the user needs to perform a certain task. Then ask if this is sufficient. Today applications, APIs, data stores and devices are all gateways to sensitive data.
So to achieve a better level of security, we need to augment least privilege with the enforcement of even more precise access controls that are based on real-time evaluation of risk. This can be implemented through a diverse set of micro-perimeters and access proxies.
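The checks from requirements 2 and 3, as an added example (not code from Westcon or its vendors): a small policy decision function that applies least privilege first and then a real-time risk score built from the user and device attributes listed above, compared against the data classification from requirement 1. Role names, resources, countries, weights, thresholds and the "step-up" (re-authenticate) outcome are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical policy table: role -> resources it needs (least privilege).
ROLE_GRANTS = {"finance": {"ledger-api"}, "engineer": {"git", "ci"}}
# Hypothetical classification labels and the risk score each tolerates.
MAX_RISK = {"public": 80, "internal": 50, "pii": 20}
ALLOWED_COUNTRIES = {"BE", "NL", "GB"}  # constructed sample values
WORK_HOURS = range(7, 20)  # 07:00-19:59 local time


@dataclass
class Request:
    roles: set
    country: str
    hour: int
    managed_device: bool
    os_up_to_date: bool
    behaviour_anomaly: bool  # in-session behaviour deviates from baseline
    resource: str
    classification: str


def risk_score(r: Request) -> int:
    """Sum constructed weights for each risk factor the article lists."""
    score = 0
    score += 0 if r.country in ALLOWED_COUNTRIES else 40
    score += 0 if r.hour in WORK_HOURS else 15
    score += 0 if r.managed_device else 25
    score += 0 if r.os_up_to_date else 20
    score += 30 if r.behaviour_anomaly else 0
    return score


def decide(r: Request) -> str:
    """Return 'allow', 'step-up' or 'deny' for a single access request."""
    # Least privilege first: no role grants this resource -> deny outright.
    if not any(r.resource in ROLE_GRANTS.get(role, ()) for role in r.roles):
        return "deny"
    score = risk_score(r)
    limit = MAX_RISK.get(r.classification, 0)  # unknown label: strictest
    if score <= limit:
        return "allow"
    # Slightly over the limit: require re-authentication instead of blocking.
    return "step-up" if score <= limit + 20 else "deny"
```

Because the decision is recomputed per request, the same user can be allowed from a managed laptop and challenged or denied from an unmanaged one a minute later.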
4. Assume all traffic is untrusted
In the case of internet access, it’s very important to isolate web traffic from the endpoint devices as compromised web sites are still one of the most important attack vectors. Regardless of whether the web content is good, bad, categorised or uncategorised, all web traffic should be rerouted through a cloud-based remote browser that delivers complete internet isolation.
This technology is called remote browser isolation (RBI), and it is becoming a crucial component of any web security offering.
Start your Zero Trust Access journey with Westcon
These are the four concepts that underpin any journey to Zero Trust Access. Westcon NGS provides partners with the expertise, experience and technology to assist them in providing Zero Trust Access solutions to their customer base, allowing them to benefit from the growing recurring revenues that this market is bringing.
If you want to know more about the Zero Trust Access business opportunity, join our reseller enablement session in partnership with Ping Identity and Pulse Secure on Wednesday 2 December, or contact your local Westcon account manager. If you want to understand how our NGS vendors address these Zero Trust Access concepts, reach out to our pre-sales teams for a demo.