Identity Access Management: Zero Trust Networks

7 Nov 2019

As more and more traditional business infrastructure migrates to the cloud, conventional enterprise security and common corporate security practices are no longer enough to keep networks safe. As far back as the 2014 Sony Pictures Entertainment breach, perimeter-focused security proved ineffective against attacks that originate both inside and outside the network: once the attackers were through the perimeter firewall, they had the run of a flat internal network and moved east-west across it at scale. In 2015, large enterprises such as Google began moving their corporate applications to the cloud under a model in which corporate data can be accessed from anywhere, provided the device and the user credentials check out. Facing the reality of a global network of networks, the strategy of building a single security wall around an internal network is giving way to one that treats every access point as a perimeter of its own. This Zero Trust strategy emphasizes protecting each of those access points from threats both inside and outside the network.

What is a Zero Trust Network?

Zero Trust is a “never trust, always verify” strategy that relies on network segmentation and per-endpoint authorization rather than on a single, unified, external firewall. It assumes that no entity is trustworthy by default, whether it sits inside or outside the network, and uses application segmentation and “micro-perimeters” within a network to protect critical applications and data and to prevent lateral movement.

A Zero Trust network strategy addresses many common security concerns, including access management, authentication and connectivity, and endpoint and data security. Every access to a network resource must be authenticated, including network management activity and application traffic. Authentication means supporting industry-standard authentication protocols and user directories at every access point to the network: applications, endpoints, and network connections alike. Once authenticated, a user or system no longer gets unlimited lateral access on the strength of a single verification at the network edge. Zero Trust relies on continuous verification of users, applications, and data flows, both within and between networks and the micro-perimeters drawn around data, assets, applications, and services.

Controlling access to network management applications is a key component of a Zero Trust strategy. Network administrators need enough access to manage the network, but Zero Trust means granting only what is needed, possibly only for a limited time, with the ability to cut off that access as soon as a threat is recognized. Different organizations have different processes, use cases, and critical elements when it comes to network management.

Traditionally, a network device has a single set of administrative credentials that is used not only to log in to network management applications but also inside automation scripts. The threat is that these “keys to the kingdom” credentials end up dispersed across many network administrators, and possibly in scripts and source repositories. A password change makes matters worse, because every copy has to be found and updated, and any copy that is missed breaks whatever depends on it. Authenticating against an official directory with an industry-standard identity protocol such as LDAP lets users be managed centrally and avoids the risk of maintaining a duplicate user management system.

How to Build a Zero-Trust Network with Cohesive VNS3

New approaches and innovations continue to push us towards a Zero Trust strategy that provides the necessary access management for users and applications without opening security holes. Network managers first have to understand the use cases for accessing network management applications and scripts, and then work with vendors to provide access management solutions that fit them. If a network administrator needs to give a key vendor temporary access to support their technology, the typical approach is to create a temporary user account. But that means provisioning an account with appropriate password policies, supporting forgotten passwords, eventually removing the account, and every other step a secure identity management environment requires. A better option may be a different access mechanism: one that is secure, grants the necessary access for a limited time, expires automatically, and can be terminated by an administrator if a threat is recognized. The key point is to build a toolbox of secure options and use whichever fits the use case.


Cohesive Networks works with customers to build that toolbox of secure network access management options, supporting a Zero Trust policy for every access point in the infrastructure. The VNS3 API lets you programmatically provision expiring access credentials as well as build your network segments and perimeter policies, so an encrypted network can be defined entirely declaratively in code. In the coming weeks we will publish more in-depth discussions of how VNS3 helps you build a Zero Trust network, including how we approach access URLs, API tokens, and LDAP integration.
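The temporary-vendor-access scenario above, and the expiring access credentials mentioned in connection with the API, come down to one mechanism: a credential that carries its own expiry, is bound to a limited scope, and can still be revoked by an administrator before it expires. The following is an added example of that mechanism, written for this page; it is not VNS3 code and does not reflect the VNS3 API or token format. The token layout (base64url JSON claims, a dot, an HMAC-SHA256 tag), the claim names, the scope strings, and the `AccessTokenIssuer` class are all assumptions made for illustration.

```python
"""Expiring, revocable access tokens (added example, hypothetical design)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> bytes:
    """URL-safe base64 without padding, the encoding used in the token wire format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    """Inverse of _b64; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


class AccessTokenIssuer:
    """Issues HMAC-SHA256-signed tokens that expire on their own and can be revoked
    early by an administrator. Wire format (an assumption for this example):
    base64url(json claims) "." base64url(hmac-sha256(key, claims))."""

    def __init__(self, key: bytes):
        self._key = key
        # jti -> exp for revoked tokens; entries are dropped once they would have expired anyway
        self._revoked: dict[str, int] = {}

    def _sign(self, body: bytes) -> bytes:
        return _b64(hmac.new(self._key, body, hashlib.sha256).digest())

    def issue(self, subject: str, scope: set[str], ttl_seconds: int, now: float | None = None) -> str:
        """Mint a token for `subject` limited to `scope` that is valid for `ttl_seconds`."""
        now = int(time.time() if now is None else now)
        claims = {
            "jti": secrets.token_hex(8),  # unique id so this one token can be revoked
            "sub": subject,
            "scope": sorted(scope),
            "iat": now,
            "exp": now + ttl_seconds,     # expiry is baked in: no account to clean up later
        }
        body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        return (body + b"." + self._sign(body)).decode()

    def _claims(self, token: str) -> dict | None:
        """Return the claims only if the token is well-formed and the signature matches."""
        try:
            body, sig = token.encode().split(b".")
        except ValueError:
            return None
        # constant-time compare of the encoded tags; checked before the body is parsed
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        try:
            claims = json.loads(_unb64(body))
        except ValueError:
            return None
        return claims if isinstance(claims, dict) else None

    def revoke(self, token: str) -> bool:
        """Administrator action: terminate a token before its expiry. Returns False for garbage."""
        claims = self._claims(token)
        if claims is None:
            return False
        self._revoked[claims["jti"]] = claims["exp"]
        return True

    def verify(self, token: str, required_scope: str, now: float | None = None) -> tuple[bool, str]:
        """Check signature, expiry, revocation and scope; returns (accepted, reason)."""
        now = int(time.time() if now is None else now)
        claims = self._claims(token)
        if claims is None:
            return False, "bad signature or malformed token"
        if claims["exp"] <= now:
            return False, "expired"
        # forget revocations for tokens that have expired on their own, then check this one
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        if claims["jti"] in self._revoked:
            return False, "revoked"
        if required_scope not in claims["scope"]:
            return False, "insufficient scope"
        return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a vendor gets read-only network-management access for one hour.
    issuer = AccessTokenIssuer(secrets.token_bytes(32))
    t0 = time.time()
    token = issuer.issue("vendor-support", {"netmgmt:read"}, ttl_seconds=3600, now=t0)
    print(issuer.verify(token, "netmgmt:read", now=t0 + 60))     # accepted
    print(issuer.verify(token, "netmgmt:write", now=t0 + 60))    # scope too narrow
    print(issuer.verify(token, "netmgmt:read", now=t0 + 3600))   # expired on its own
    issuer.revoke(token)                                          # admin cuts access early
    print(issuer.verify(token, "netmgmt:read", now=t0 + 60))     # now rejected
```

Two design points carry over to any real implementation of this idea: the expiry lives inside the signed credential, so nothing has to be remembered to make the vendor's access end on time, and the revocation list only has to hold tokens that have not yet expired, so it stays small and an administrator can still terminate access the moment a threat is recognized.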