ALWAYS VERIFY - ExpertFocus - The tenets of zero trust for secure access and software-defined perimeter - Pulse Secure

ExpertFocus
Brought to you by Pulse Secure, January 2019

NEVER TRUST, ALWAYS VERIFY
The tenets of zero trust for secure access and software-defined perimeter

Building zero trust for secure access and exploring the software-defined perimeter
Our dynamic world of mobile and cloud computing requires advancing secure access capabilities based on continuous verification and authorization — the old moat-and-castle perimeter model is as outdated as, well, moats and castles. Here is why and how to apply a Zero Trust model to hybrid IT access, and how software-defined perimeter adoption will expand in the years ahead. Steve Zurier explains.

When China started building its Great Wall more than two millennia ago, the technology was appropriate to keep invaders out and protect the Chinese people’s lives and property. Today, that technology is, for the most part, obsolete. Functionally it would keep out only the most basic ground attacks, not unlike the traditional technology designed to protect network perimeters.

But basic network devices from just a decade ago are hardly a match for today’s sophisticated attacker in this age of mobile devices, cloud applications and anywhere, anytime access. How can security managers protect the company when such a large percentage of the staff works outside the corporate environment and the vast majority of users now run cloud apps, mobile devices and other non-corporate computing technologies? Clearly, something has to change.

While traditional perimeter defenses are still crucial to set corporate boundaries on the internet, along with the use of firewalls, virtual private networks (VPNs) and network access control (NAC) technologies to assure role-based and segmented access to network resources, the security industry has been implementing a Zero Trust model to mitigate malware, attack, breach and data leakage risks. A Zero Trust model applies authentication, authorization and verification controls to users, devices, applications and network resources as part of perimeter-based access security. This is all about proving identity, location, device and security state before and after granting access, with access based on least privilege to applications and resources in the data center and multi-cloud.

Scott Gordon (CISSP), chief marketing officer at Pulse Secure, shared that “the dynamic provisioning of virtual network and cloud applications and resources, as well as the diversity of users and devices requesting access, have materially contributed to the security breaches and identity theft that are in the headlines. One gap is visibility. Enterprises do not have accurate data or insight into who or what is accessing their resources. IT cannot see the insecure devices and connections that are propagating viruses or leaking sensitive data. IT can only

                                                                                                www.pulsesecure.net • 2
account for 70% of devices on their network and are thus susceptible to IoT exploits. Another gap is access policy granularity and enforcement consistency. When IT staff have many disparate security systems and policy components to manage, an enterprise’s secure access controls cannot be broadly instrumented, and orchestration becomes cumbersome if not piecemeal. This also impacts user productivity as employees contend with multiple login requests, lost passwords, and unavailable services.”

Gordon adds: “So where is this all heading and how can secure access be fortified? As businesses take advantage of mobile workforce and consumers, they have also been actively migrating their data centers and ‘webifying’ applications to the cloud. To this end, security professionals have been building out an application-based access security architecture called Software Defined Perimeter (SDP). SDP leverages the Zero Trust tenet of ‘never trust, always verify’ by essentially enabling secure access directly between the user and their device to the application and resource no matter the underlying infrastructure - but in a scalable way and according to policy. In a sense, SDP enables Secure Access elasticity as users gain easy means for access protection which travels with them everywhere they go, with what devices they use, and

Survey: How does your company deliver/consume corporate applications and computing resources?

  Data Center                         67.14%
  Public Cloud (SaaS)                 41.43%
  Public and Private Cloud (IaaS)     48.57%

Survey: When do you expect to fully deploy a Software Defined Perimeter platform across your hybrid IT environment?

  Currently deploying                 20%
  Within 1-2 years                    25.71%
  Within 2-4 years                    21.43%
  No plans or over 4 years            32.86%

wherever the application resides.”

Rob Koeten, chief software architect at Pulse Secure, explains that SDP works hand-in-glove with the Zero Trust architecture. With Zero Trust, the network treats everyone the same — suspiciously and with no trust — and does not grant access until the user has been validated by the SDP system.

“Think of Zero Trust as a security model and SDP as the upcoming security architecture that companies will use to manage access security for hybrid IT,” Koeten says.

“Pulse Secure’s approach to SDP extends access all the way from the user and device through the data center or multi-cloud, leveraging Zero Trust functionality,” says Prakash Mana, Pulse Secure’s vice president of product management. Before granting access, an SDP system will take five distinct actions:

Survey respondents optimistic about SDP
A recent poll of security professionals by SC Media found that while security professionals believe that a software defined perimeter (SDP) can dramatically improve security, a transition to this new model will take several years.

The survey found that 78 percent of respondents thought it was very likely or likely that SDP could isolate apps from an untrusted network. Seventy percent say SDP will improve DevOps security and 62 percent say it can improve IoT threat management.

Overall, 64 percent of the respondents were either extremely confident or very confident that SDP could manage security access requirements from the data center and across the cloud.

“The survey shows that the respondents think that security is gradually getting better,” says Chris Christiansen, a senior analyst with the Hurwitz Group. “I think if you separated it out by vertical, the financial sector would have much higher confidence and with manufacturing and medical it would be much lower.”

Christiansen adds that, as in many other situations, a small percentage of early adopters will lead the way. He points out that while confidence remains high, roughly one-third still have no plans to deploy SDP in the next four years. Only 20 percent were currently deploying SDP and 26 percent planned to deploy it in the next two years.

“SDP requires that people think about security in a different way,” Christiansen says. “Most people still view security as an obstacle. The way SDP will sell with people is if the vendors focus on what it will do for the business. In the future, security will be baked into the applications and it will let people do their jobs easier, faster and without fear that the lack of security will cripple their businesses, causing extended litigation and a costly forensics process.” — SZ


5 questions to ask before implementing SDP
Chris Christiansen, a senior analyst with the Hurwitz Group, says there is a long list of questions security managers should ask before deploying a Zero Trust security stance with a software defined perimeter (SDP), and offers suggestions on how to move forward.
  1. Do you have a consensus on the level of risk the company is willing to take? Explain to management that in this mobile world based on cloud applications the old way of doing security is no longer the recommended option. Explain that moving to SDP will take time and that, while there is a certain level of risk in deploying a new technology, gradually evolving to the new SDP security methodology is, in the long term, in the best interests of the business.
  2. What is your corporate access policy? Figure out what your policy is today and what you need it to be going forward. Do you want to go from simple passwords to complex passwords and two-factor authentication? How can you best do that?
  3. Have you talked to your DevOps people? Work with the DevOps team and get them on board with embedding secure access into all the applications they develop. Odds are they will be receptive to working in this manner because they are typically well-schooled technologists who understand what is at stake.
  4. What regulations impact the company? All public companies are subject to the Sarbanes-Oxley Act (SOX) and have requirements that specify different levels of information access. SDP can play a huge role in helping a company meet those requirements in a much more secure way. The same holds true for companies that must abide by the Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA) requirements. Only companies that accept or process credit or debit cards must comply with PCI DSS, but any company that offers medical benefits or handles medical data must comply with HIPAA.
  5. Does our potential SDP vendor “talk techie” or do they focus on business benefits? Too many vendors lose potential customers by explaining the intricacies of SDP. Find a vendor that has podcasts, videos, and webcasts that can explain to the rank-and-file staff within the business how these new security measures will help them do their jobs more efficiently and securely.

Survey: What is the likelihood that the following vulnerabilities would be addressed by applying software-defined perimeter/hybrid IT secure access technology? (Weighted avg.)

  Isolate apps from untrusted network         4.01%
  Computing resource segmentation             3.94%
  Improved DevOps security                    3.94%
  App and resource workload availability      3.89%
  Unauthorized data access                    3.84%
  Consistent hybrid IT access policy          3.84%
  Malware, ransomware                         3.83%
  IoT threat management                       3.71%


  1. Identify and authenticate the user. Is the user an employee or a third-party contractor, and in what department do they work? This step identifies the user to ensure that they have appropriate rights to access not only the network, but also the data they are requesting.
  2. Authenticate and assess the device. Is it a desktop computer that sits on the internal network, or perhaps a mobile device owned by an authenticated user? At this point the software identifies not only the device, ownership and operating system; it also confirms compliance configuration and whether the device is authorized to access the app or resource. It determines the security state.
  3. Determine the network. How is the user trying to access the network? Is the user coming from the corporate network, an airport, or a local coffee shop network where security is typically weaker? Perhaps the user is trying to connect from a home network with a router issued by a cable company. Authenticating the user’s location can help determine if this is really the user or someone using compromised credentials, trying to access from a location inappropriate to the user.
  4. Assess the service request. Which services (applications and resources) is the user authorized to access? Is the service from the data center, the cloud, or perhaps a client-server application service? And what access rights do they have? If the user is a company salesperson, for example, he or she should have access to client lists, sales forecasts and quarterly results reports, but not human resources information on employee salaries, sensitive medical records, or any proprietary intellectual property.
  5. Establish a secure connection. An SDP Controller will communicate with the endpoint and the network resources closest to the application and data to determine if the access request should be granted according to policies maintained in the SDP Controller. If access is granted and the security state has not changed, the SDP Controller will send instructions to the respective entities in order to establish a protected connection between the device and the application.

Zero Trust in action
At Borgess Health Alliance in Kalamazoo, Mich., a top priority has always been protecting its patients’ private health records. However, over the past several years, the physicians have been looking for a way to view electronic medical records remotely, so protecting patient data is more problematic since the user is often remote. Many of the company’s employees work at different facilities and they all wanted the convenience of accessing work information at home or while traveling from site to site.

While the hospital’s administrators wanted to grant the medical staff remote electronic access to patient information, they had to ensure that the technology was secure and offered the ability to restrict access based on a person’s role within the hospital system. Doctors and nurses would get different levels of access to patient information than administrative staff or medical technicians, for example.

By implementing a zero trust-based approach, Borgess extended data center and cloud access out to 1,200 employees, not just the medical staff, also making it possible for employees to work remotely. Pulse Secure’s approach let them customize access policy based on


department, position and role within the company, ensuring they were continually protecting the private medical information of the more than 1 million patients Borgess serves.

“Pulse Secure not only generated immediate cost savings for our organization, but it also saved our physicians’ valuable time. The benefits were also passed on to our patients – our top priority – ensuring their private medical data remained secure, while at the same time enabling their doctors to focus more on care and less on logistics,” said Jeff Johnson, information security technical specialist at Borgess Health Alliance.

Pulse Secure’s granular access policy engine supported data privacy compliance regulations and fostered a better work-life balance for their practitioners. Medical staff could now leave work at more reasonable hours knowing that they could check records and complete paperwork from anywhere and on the device of their choice. More so, they did not have to understand the intricacies behind the technology; it just worked with no disruption of workflow.

Use cases for SDP
Koeten outlines three use cases for companies to transition to a Zero Trust security model based on an SDP architecture.

Secure cloud apps: As companies move applications such as email, timesheets, and travel and expense reports to the cloud, the old perimeter methods of security do not work. The security team can provide better security by having a perimeter model based on access rights that a company can extend outside the traditional data center. Based on specifically assigned roles and permissions, users are granted access to each discrete business application.

Secure DevOps teams: The rise of the cloud has also seen the emergence of DevOps. With cloud apps, the gateway must be deployed dynamically within the apps as they are developed and deployed. Based on this approach, security and access rights get rolled into the application, so no application ever gets deployed without building SDP in from the outset.

Secure privileged access: Start-up companies that deliver cloud apps to customers have pioneered an approach of micro-segmentation in which an application gets divided into two parts: the piece that is available to the user and the portion that the administrator can access. In the SDP model, it is now possible for most any company to realize Zero Trust advantages with built-in security for everyone who accesses an application. In many situations, companies will increase the requirements for administrators to get access to privileged segments. So, based on access rights, users gain access to the basic features of the application, while administrators can gain privileged access to update tables, delete tables, or add another database instance.

Koeten says he expects companies to migrate to SDP over several years, adding that it will not require a rip-and-replace of the company’s security infrastructure.

“Companies will take an evolutionary path to an SDP architecture,” Koeten says. “Certainly the early adopters will be more aggressive, but as companies deploy more cloud apps, they can simply build SDP into the new apps. The idea is that over time, the company can get more consistent coding security into the application and there will be


less room for errors. This will lead to many fewer misconfigurations.”

Edward Amoroso, CEO of security consultancy TAG Cyber, says, “Secure access is the new perimeter. You can call it SDP if you want, but the bottom line emphasis will be less on firewalls and more on access management.”

Amoroso explains that enterprises will find that rehosting enterprise workloads, one by one, into a virtualized data center or cloud ecosystem will become the best way to manage data and applications. Each time a workload gets hosted, it should receive micro-segmented security protection, which allows security pros to simplify the DMZ firewall ruleset. The end goal becomes zero trust, with device-to-cloud access of hosted workloads in the cloud and no perimeter in the traditional sense.

Amoroso agrees with Koeten that companies will migrate to SDP over time. He says there is no reason to take all the firewalls down, mainly because many of the audits are based on firewall logs; companies just cannot go off that system all at once. It is going to take them time to adjust to the new model as they migrate more of their business applications to the cloud.

“The perimeter works about as well as police tape around a physical crime scene,” Amoroso says. “It prevents honest people from entering a clearly delineated space but does nothing to stop determined and capable actors from climbing underneath or going around. The new solution requires distributed, virtualized, compartmentalized data protection. So people ask me ‘Is the perimeter dead?’ I tell them, ‘No, it’s not dead; it’s just changed.’”

Effectively the perimeter exists wherever people work. Security professionals cannot build a line in the sand and guarantee that from a certain point at the edge of the network bad threat actors cannot penetrate the corporate network. One can think of SDP as an extended perimeter that goes with employees and business partners wherever they go. Moving forward, company networks will trust no one and users will only have access to the applications and data set in policy rules.

The raison d’être for Zero Trust and SDP, the company maintains, is that if you cannot prove who you are, prove the device is yours, prove you are running over a secure network, and prove you are allowed to use that service or application, you should not gain network access. This will make life much more difficult for the hackers who have preyed on misconfigurations and poor access and password management.

With SDP, supporters of a Zero Trust model maintain, the hackers will have to wind their way through multiple access barriers, something that will knock out many of the low-level players. While there will always be threats, Zero Trust offers companies a fighting chance to stay secure.


Pulse Secure offers easy, comprehensive Secure Access solutions that provide visibility and seamless, protected connectivity between users, devices, things and services. The company delivers suites that uniquely integrate cloud, mobile, application and network access to enable hybrid IT. More than 20,000 enterprises and service providers across every vertical entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance. Learn more at www.pulsesecure.net

Get Your Head out of the Clouds.
Zero Trust Access Security for Hybrid IT

Your business is taking advantage of cloud, and taking on increased malware, IoT, availability and data leakage risks.

More than 20,000 enterprises entrust Pulse Secure to deliver Zero Trust security to empower their mobile workforce to access resources from the data center to the cloud while ensuring business compliance.

Learn why at pulsesecure.net/zerotrust

Copyright 2018 Pulse Secure, LLC. All rights reserved. Pulse Secure and the Pulse Secure logo are registered trademarks of Pulse Secure, LLC.   pulsesecure.net