Zero-Trust Security model, benefits and implementation possibilities - Datanet Systems

“Another Day, Another Hack!” Every day thousands of new types of threats and computer attacks are reported, and the statistics confirm this abundantly:

  • This year a cyber-attack happened every 39 seconds;
  • The volume of security breaches increased by 11% in 2019 compared to 2018;
  • 62% of companies have already experienced phishing attacks;
  • More than half (51%) have been confronted with a DoS or DDoS attack, etc.

It is therefore understandable why over two thirds of organizations consider that security risks have significantly increased. And they are largely right: the volume, complexity and diversity of threats have grown exponentially in recent years.

But the scale of the phenomenon is fueled not only by the inventiveness of attackers, but above all by the fact that computer security fails to keep up with the digital transformation of business models and the modernization of work environments. The growing number of mobile users, personal devices used for professional purposes (BYOD), Cloud services, IoT solutions, distributed applications, micro-services etc. expands the attack surface of every organization. Few, however, manage to handle this phenomenon effectively; as a result the number of victims is steadily increasing, even though increasingly effective protection solutions are available on the market.


“Never trust, always verify!”

To meet this challenge, almost a decade ago John Kindervag, at the time an analyst at Forrester Research, came up with an innovative approach to computer protection, making distrust the central element of a new security strategy, named “Zero trust”.

The basic idea is clearly summarized in the principle “Never trust, always verify!”, which postulates that any user, device, application or service is considered, from the outset, potentially hostile and/or compromised and, therefore, must be verified whenever it issues an access request. The approach is a paradigm shift from the classic model of applying security measures within an organization, where trust was implicit because:

  • Any terminal equipment (endpoint) was owned and managed by the company;
  • All users, devices and the applications they used were in fixed locations, usually behind perimeter protection systems;
  • A single verification at the initial access point was considered sufficient, and the internal systems were automatically regarded as secure.

However, the accelerated adoption of mobility and cloud services has radically changed the situation. It has also contributed to an increase in the number of threats that manage to get past perimeter security solutions (firewalls) and then move laterally inside the infrastructure.

To prevent these risks, Kindervag proposed creating micro-perimeters of protection at every point where an access control decision must be made. Access is then permitted or blocked based on continuous verification of the level of “trust”, each time a request for a resource is issued. In this model, owning a device, an application or a network is not in itself a guarantee of trust.


How can Datanet specialists help you?

The advantages of the “Zero trust” strategy are obvious: the level of protection is clearly higher, the security measures are flexible and better adapted to specific needs, and the extended visibility allows the security policies to be customized and enforced with more precise control.

Last but not least, the attack surface is reduced. Because the “Zero trust” approach focuses on protecting the elements that are a priority for each organization's activity, the area to be covered is smaller and can be controlled more precisely than in the case of macro-perimeter strategies.

To achieve these gains, in the first phase Datanet specialists can help you identify the data, applications, assets and services (the so-called “DAAS surface”: Data, Assets, Applications & Services) that are critical to your company and establish appropriate security methods based on the specifics of your activity and needs. Before taking the second step, users must be brought into the “equation”: the ways in which they access and use the resources must be understood, as well as the interdependencies between the elements. Only then can the trust level verification methods be introduced.

The model proposed by Datanet is based on the “Zero Trust” architecture defined by Cisco. The choice is not accidental, and our arguments are the following:

  • Flexible and secure approach. The strategy proposed by Cisco divides the DAAS area into three main areas: Workforce (users, i.e. employees, partners and suppliers, and the equipment they use); Workloads (applications and services, wherever they run and wherever they are delivered from: in-house infrastructure, Cloud environments, etc.); and Workplace (the equipment that accesses, runs or uses the company’s resources, from mobile and IoT devices to physical and virtual servers, industrial control systems, etc.);
  • Extended offer. Cisco has a strong portfolio of security solutions with market-validated performance, covering the needs of companies that want to adopt the new strategy. According to the “Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers” report, Cisco’s “Zero-trust” platform is a market leader;
  • High level of compatibility. Cisco’s “Zero-trust” platform is designed so that it can be easily integrated with different management and protection solutions from other vendors. Datanet is one of the leading system integrators in Romania, with certified multi-vendor competencies, and our specialists can help you integrate Cisco solutions with any endpoint protection solutions (Microsoft, Symantec, VMware, MobileIron, Jamf, etc.), infrastructure platforms (Google Cloud, Kubernetes, Azure, AWS, etc.) or third-party security solutions (Exabeam, Okta, Splunk, IBM, Dell, Ping Identity, Oracle, etc.);
  • Experience in Cisco security and technology. We are the main Cisco partner in Romania, we have the largest team of certified specialists, and we have implemented numerous security projects in different industries.

Duo, a solution with extended coverage

To cover the area of mobile and non-mobile users (the Workforce area) through the “Zero-trust” strategy, Cisco recommends Duo, a solution that Datanet specialists can help you implement and customize to your organization’s needs. Duo respects the “Zero-trust” principles by ensuring:

  • Confirmation of the users’ identity: verification is performed by various MFA (Multi-Factor Authentication) methods before access to resources (DAAS) is allowed;
  • Visibility into the activity of the equipment used: the solution provides detailed information without using intrusive agent applications;
  • Trust level verification: Duo inspects and verifies the security level of each device in real time, as it initiates access to resources. The application issues real-time alerts when it detects a fraud attempt or when users report one;
  • Application of dynamic, risk-based access policies: each application and each service is protected by policies that limit the access of users and devices;
  • Secure access to all applications and services: Duo protects access to applications (on-premises or in the Cloud) through a single interface, accessible from anywhere.

To achieve these goals, Duo uses several methods and technologies. For example, to confirm user identity, the solution offers a simple and easy-to-use method called “Push notification” on a phone, tablet or smartwatch, where the user only has to approve or deny the authentication request. In addition, the solution can use tokens that work on the Universal 2nd Factor (U2F) standard, hardware tokens, mobile passcode generators, SMS or phone calls, biometric authenticators that use the WebAuthn standard (Web Authentication API), etc.

The application collects data on each authentication, and the information about users, devices and login activity gives you complete visibility into who accesses which resources. Based on this, Datanet specialists can help you choose and apply the appropriate method for each category of users, in various contexts, by defining flexible policies. For example, using geo-location information, you can set rules that automatically block authentication attempts coming from certain countries, or access requests coming from anonymous networks such as Tor.
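As an added illustration (not Duo or Cisco code, and not the article's own), the small policy engine below contrasts the per-request decision described above with the classic perimeter model: every factor the article names (second factor, device posture, geo-location, anonymous networks) is checked on every request, and being on the corporate network grants nothing by itself. All class names, policy fields and sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Inputs to a trust decision as listed in the article: identity (MFA method),
# device posture, geo-location and anonymous-network detection. Constructed example.
@dataclass
class AccessRequest:
    user: str
    application: str
    mfa_method: Optional[str]      # "push", "webauthn", "u2f", "sms", ...; None = no 2nd factor
    device_managed: bool           # device enrolled and known to the organisation
    device_patched: bool           # OS/browser current according to the posture check
    country: str                   # ISO code from a geo-location lookup
    anonymous_network: bool        # request arrives via Tor or an anonymising proxy
    source_network: str = "external"   # "corporate" or "external"

@dataclass
class AppPolicy:
    blocked_countries: Set[str] = field(default_factory=set)
    require_managed_device: bool = False
    allowed_mfa: Set[str] = field(
        default_factory=lambda: {"push", "webauthn", "u2f", "hardware_token", "passcode", "sms", "phone"})

def perimeter_decision(req: AccessRequest) -> str:
    """The classic model: one check at the perimeter, everything inside is trusted."""
    return "allow" if req.source_network == "corporate" else "deny"

def zero_trust_decision(req: AccessRequest, policy: AppPolicy) -> Tuple[str, str]:
    """Evaluate every factor on every request; network location grants nothing."""
    if req.anonymous_network:
        return "deny", "request from anonymous network"
    if req.country in policy.blocked_countries:
        return "deny", f"authentication from {req.country} is blocked by policy"
    if req.mfa_method not in policy.allowed_mfa:
        return "deny", "second factor missing or not permitted for this application"
    if policy.require_managed_device and not req.device_managed:
        return "deny", "unmanaged device may not reach this application"
    if not req.device_patched:
        return "step_up", "device out of date: remediate, then retry"
    return "allow", "identity, device posture and context verified"

if __name__ == "__main__":
    finance = AppPolicy(blocked_countries={"XX"}, require_managed_device=True)
    # Constructed sample: an unmanaged, unpatched laptop on the office LAN with no MFA.
    insider = AccessRequest("ana", "finance", None, False, False, "RO", False, "corporate")
    print("perimeter :", perimeter_decision(insider))            # -> allow
    print("zero trust:", zero_trust_decision(insider, finance))  # -> ('deny', ...)
```

The same request passes the perimeter check and fails the zero-trust evaluation, which is exactly the lateral-movement gap the article describes.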

We can also help you define the Self-Service Management features offered by the solution, which lower your support costs and give end users a greater degree of freedom. For example, Duo Restore allows users to back up their Duo accounts and restore them on their own, without technical support. The benefits that Datanet specialists can help you achieve are numerous:

  • reducing security risks;
  • improving the level of compliance;
  • optimizing the experience of end-users and increasing their productivity;
  • decreasing operating costs and
  • increasing the level of agility of your organization.

Integration, a key element

Datanet can help you integrate the Duo solution with other applications in the Cisco portfolio, such as ASA VPNs (for which administrators can define VPN access policies), Umbrella (a Cloud platform that provides protection against compromised domains) or the Cisco collaboration solution Webex.

Moreover, the “Zero-trust” strategy promoted by Cisco is based on integrating several solutions from the company’s portfolio, such as Tetration (covering the Workload area), SD-Access (the Workplace area), and complementary applications such as Advanced Malware Protection (AMP), AnyConnect, Email Security, Meraki Systems Manager, Application Centric Infrastructure (ACI) or Stealthwatch.

Datanet Systems can help you achieve these integrations and quickly realize the benefits of the “Zero-trust” strategy, tailored to your specific business needs. If you would like to find out more about our approach as well as the technological solutions available, contact us.