Who hasn’t heard about Zero Trust? Undoubtedly one of the hottest buzzwords these days, and in this case the hype is well justified. We need a strategy to avoid being breached and to mitigate the impact in case you are. Zero Trust is that strategy for success, with its focus on something that can be controlled (“protect surfaces”) as opposed to a focus on ever-growing “attack surfaces.” It’s no surprise that many organizations want to implement a Zero Trust cybersecurity strategy! The challenge, as with many drastic technology shifts, is that it can look a little overwhelming in the beginning.
To make it simple, let’s break the problem into smaller portions and start by focusing on two key surfaces to protect: your devices (or shared resources) and your applications (or shared workloads). Also, we can measure our progress more effectively if we break this in steps. The first step is identifying and authenticating all access to services. The second step is providing access to resources on a least-privilege principle (which limits access to users and only on a need-to-know basis). The last step is continuous monitoring of the network for Zero Trust access.
What do we mean by Zero Trust?
The term Zero Trust is often misused by the market, which has created significant confusion, so I should start by defining what I mean by it. Zero Trust is a cybersecurity strategy that can be applied to multiple domains. In the context of network and application security, Zero Trust relies on three main pillars:
- All access to services must be authenticated, authorized, and encrypted.
- Access to services should not depend on where you connect from.
- Access is subject to change at any point, thus continuous monitoring is required.
How can HPE Aruba Networking help in your journey to Zero Trust?
As mentioned, Zero Trust is a cybersecurity strategy, not a product or a feature. I can’t tell you about a secret magic button to enable Zero Trust. What I can do is suggest a few steps that can help you in this journey. Identity feels like a natural first step, but don’t worry about the order. Any progress is good progress!
Identity
If you haven’t done it already, you should start looking setting up an identity provider to govern access to your applications and shared resources. This doesn’t need to be a complex or costly project. Microsoft and Google have solid identity services they can offer as part of their productivity suite that will make this technology easily accessible. When doing so, make sure you enable multi-factor authentication (MFA). You can easily integrate your identity provider with HPE Aruba Networking SSE to regulate access to applications old and new (Zero Trust access to applications). Any application “SaaS-ified” with ZTNA will immediately be integrated with your company’s single sign-on (SSO).
Likewise, you can integrate HPE Aruba Networking ClearPass and/or Cloud Auth (a cloud-native NAC service delivered as part of HPE Aruba Networking Central) with your SSO to give users an extremely simple workflow to enroll their devices into the network (using Zero Trust to access the shared medium):
- If you’re enrolling computers, tablets, smartphones, etc. you’ll just need a simple app that onboards corporate and BYOD devices in an uncomplicated, three-step process. From then on, network access will be authenticated against ClearPass or Cloud Auth and authorized against your SSO Identity Provider.
- If you have (wireless) devices where you can’t use certificate-based authentication, you can also give your users a simple portal where they can generate a passphrase that uniquely identifies their devices. As with the more secure certificate-based authentication, network access will be authenticated against Cloud Auth and authorized against your SSO.
- Lastly, for those (wired) devices where you can’t use certificates, passphrases, or anything like that, you can always resort to profile-based authorization by combining ClearPass or Cloud Auth with the native profiling capabilities of Central’s Client Insights. Devices will be automatically classified based on static characteristics such as the MAC OUI, DHCP fingerprint or HTTP User-Agents, as well as more dynamic attributes such as applications, domains visited, and so on.
Least-privilege access
Ok, so you’re now at a point where you have reasonably good control over who or what is connecting to the network (shared resources) and applications. It’s time to talk about least-privilege access or, as we like to call it “role-based access.” Once again, we’ll break this down into securing access to applications (primarily handled by SSE) and securing access to shared medium (the network) where device-to-device communication is still very relevant.
With the HPE Aruba Networking SSE, you can control access to internal applications, SaaS, and even the Internet with a single identity-based policy. This doesn’t necessarily require a large project or expensive hardware. You can start by giving external collaborators agentless remote access, then grow into your own users by deploying a light agent. This allows you to control and secure all the users’ traffic wherever they are. Finally, bring all your devices or IoT “things” into this single web and application policy by tunneling all Internet traffic from your offices through the Secure Web Gateway (SWG) that is part of SSE. Or you can start by evolving your SD-WAN or SD-Branch network towards a SASE architecture, secure Internet browsing with SWG, and then work your way into CASB (cloud access security broker) and ZTNA (Zero Trust Network Access). The journey doesn’t need to be the same for everyone. Just keep making progress!
Figure 1 - Single web and application security policy.
And just like SSE helps with the implementation of a Zero Trust strategy to govern access to Application and web browsing, dynamic segmentation brings the concept of Zero Trust to the shared resource that is your corporate network. This need not be excessively complex. If your environment is relatively simple, a centralized SD-LAN (software defined local area network) with user-based tunnels and WLAN networks tunneled to a set of segmentation gateways (or SD-branch gateways if you also want them to be WAN-facing) will give you what you need (here’s a short video going into a little more detail).
By tunneling all your users and “things” to these security gateways, you’re effectively (or virtually) plugging them directly into your “unified threat management” device. Each device is in a segment of one, and governing the communication between these devices is now as simple as whether a device in role A can talk to a device in role B over a certain application/protocol.
Figure 2 - Identity-based security centralized in a cluster of segmentation gateways.
Continuous monitoring
We’re at the point where we have least-privilege access to our applications and between our devices. We’re just one step away from Zero Trust.
Just like we’ve been doing, we’ll start with application access. First, the posture done by the security agent allows the SSE to react in real-time to events impacting any device, automatically adjusting what a user can or can’t do. But perhaps more importantly, the SSE is brokering all communications with internal and public apps, keeping a very accurate record of all traffic. Integrate the SSE with your SIEM for a very complete picture of your how your applications are doing.
Figure 3 - Log all access to your applications.
And just like SSE is logging all your application traffic, HPE Aruba Networking Central and gateways are monitoring all user and device activity for potential security threats. Don’t forget that you have everything directly plugged into a UTM (Unified Threat Management) product. Any suspicious lateral movement will be immediately detected, and the necessary actions (block risky traffic, quarantine device, etc.) will be taken. All this should of course be logged into your SIEM to get a uniquely deep view on how your devices are behaving.
Figure 4 - Track all device traffic.
Conclusion
As part of this journey, we’ve covered a lot of concepts: identity management, network access control, SSE, dynamic segmentation, SIEM, and more. The good news is that many of these capabilities come delivered as a service and some are part of broader suites you already have. Identity may be part of your application suite, Cloud Auth is part of HPE Aruba Networking Central, SSE integrates a lot of components. And your SD-WAN Gateways can double themselves as SD-LAN gateways to provide dynamic segmentation and role-based access.
The journey need not be as challenging as you were initially fearing. But what’s most important, you don’t need to do all at once. One great thing about adopting a Zero Trust strategy is that every step you take will most likely be in the right direction. If you don’t have any of the pieces, start with whichever seems most approachable and get some quick wins. If you’ve already started this journey or have some of the tools, try to look for synergies and integrations between them. And then keep going one little step at a time. Your organization will keep getting stronger and more resilient.
If you want to learn more about how to easily implement a Zero Trust approach in your organization, please watch my video on Easy Zero Trust with HPE Aruba Networking.
Click image to watch the Easy Zero Trust with HPE Aruba Networking video
Other resources
