Federal IT leaders are on an accelerated path to Zero Trust as they work to meet the mandated cybersecurity standards and objectives by the end of FY24. A Zero Trust strategy delivers defensible architecture against sophisticated and persistent threat campaigns that are targeted at federal IT infrastructure, which, if successful, could threaten public safety and ultimately damage the American economy.
Seventy-three percent of federal cybersecurity decision-makers report their agencies are aggressively adopting Zero Trust principles, and another 26% are adopting where they feel it makes sense, according to MeriTalk research.
Deny-by-default, at the heart of a Zero Trust approach, is a principle that’s familiar federal IT. Under the premise of Zero Trust, no individual, device, system, network, application or service operating either within or outside of a security perimeter is trusted. Everything and anything that attempts to establish access must be verified continuously.
The CISA Zero Trust Security Model describes a Zero Trust approach across seven architectural pillars of any digital system: User identity, device, network and environment, applications, data, visibility and analytics, and automation and orchestration.
Let’s look at how Aruba supports Zero Trust across the relevant pillars.
Zero Trust is Built into an Aruba network
Aruba understood from the beginning of our company – and long before the popularization of the “Zero Trust” term – that security must be fully integrated into the network. An Aruba network has built-in role-based, context-aware access controls; a unified environment across campus wireless and wired, branches, remote workers, and the WAN; and end-to-end visibility and orchestration.
Zero Trust is built into an Aruba network, whether agencies choose a traditional architecture with on-premises management or a cloud-managed deployment. With Aruba, agencies can support their Zero Trust efforts while gaining the agility of cloud. Aruba Central is the only “all in one” cloud-native network management system to achieve FedRAMP Authorization, with the Authorization covering wireless, wired, and remote.
Aruba Supports Zero Trust User Identity
Under the CISA Zero Trust Security Model, agencies must identify users and enable trusted access to applications and other digital resources used in their work. That is the function of Aruba ClearPass, which enables agencies to authenticate, authorize, and enforce secure network access controls based on role-based policies for staff, contractors and guests.
ClearPass is FIPS-compliant and has Common Criteria validation. It supports Suite B digital certificates for authentication with CfSC deployments.
ClearPass authenticates against a wide variety of identity sources. Access privileges tied to identity, device type, location, and other factors, and policies are enforced consistently across wired, wireless, and WAN domains. Network-connected devices are automatically discovered and profiled, with their posture continuously assessed. IT can automate BYOD provisioning to authorize employees and contractors to use their devices securely. ClearPass simplifies and secures guest and visitor access to the network. Devices that violate agency security and compliance policies can be automatically remediated or quarantined.
Aruba Supports Zero Trust for Devices Accessing the Network
Under the CISA Zero Trust Security Model, agencies must assure that only vetted devices are allowed to access applications and resources. Agencies must keep an inventory of every device operated and authorized by use and be able to prevent, detect and respond to incidents in those devices.
Aruba Client Insights uses telemetry and machine learning to accurately fingerprint and classify all mobile and IoT devices connected to the network, whether they are accessing applications and services from offices, field locations, or people’s homes. Client Insights also monitors the behavior flows of traffic, and unauthorized APs and unknown devices are automatically detected, located, and blocked.
Aruba Supports Zero Trust a Network/Environment
Under the CISA Zero Trust Security Model, agencies must take steps to ensure their networks are segmented with access controls and other polices continuously enforced.
An Aruba network supports centralized end-to-end encryption, role-based access controls and an integrated policy enforcement firewall. Aruba’s encryption/decryption engine delivers the highest levels of security without sacrificing performance, with support for FIPS 140-2/3 validated 802.11i, NSA Suite-B crypto termination.
Aruba’s Dynamic Segmentation capability allows policy-based access controls to be enforced consistently by Aruba’s Policy Enforcement Firewall. Devices can only communicate with destinations consistent with their access permissions. With Aruba Central NetConductor, IT can use intent-based workflows to manage dynamic segmentation.
Aruba MultiZone APs allow agencies to support multiple classification levels on the same physical APs, increasing flexibility and lowering CapEx costs. Each zone controller can be configured to support confidential, secret, and top-secret communications over a shared RF infrastructure, each managed by different mobility controllers.
Federal organizations can build a secure access service edge (SASE) to enable staff to access cloud-based applications and data, ultimately delivering a better application experience and eliminating the need to backhaul traffic to the data center for security inspection. Instead, an Aruba SD-WAN can intelligently steer traffic from staff and devices—wherever they are—to the cloud, and advanced security inspection is performed in the cloud.
Aruba Supports Zero Trust Network Visibility and Analytics
The AI-driven Aruba Central cloud platform provides end-to-end network visibility. Not only do security analytics keep a continuous watch on device behaviors, but Aruba User Experience Insights also serves as an “always on” technician, providing precise, near-real-time data insights into the network to ensure high availability and performance even for latency-sensitive applications like voice and video.
Aruba Supports Zero Trust Network Automation and Orchestration
Aruba also supports CISA’s Zero Trust automation and orchestration principles. Aruba Central provides consolidated and unified management of the wireless, wired, and WAN infrastructure. The addition of Aruba NetConductor allow IT to orchestrate and automate network configuration and security services. Consolidation of disparate tools reduces the age-old problem of swivel-chair management, giving the IT team has the ability to automate and orchestrate the network from end to end, streamlining operations and enhancing protection.
Your Partner on Zero Trust
Implementing a Zero Trust strategy is a journey, with an urgency accelerated by a worsening threat landscape. If your agency isn’t already on its way, the time is now to begin a pilot.
Learn more about Aruba’s approach to Zero Trust.
Learn more about Aruba’s solutions for the federal government.
