Providing Out-of-Band Connectivity to Mission-Critical IT Resources

White Box Networking: Making the Switch

Vendor lock-in is risky to corporate revenue and security. Enterprise technology ends up on rails, so to speak. Organizations lose the ability to choose the best features, pricing, and functionality for their use cases and instead must go along with their vendor’s roadmap. This is leading executives to take a hard look at their existing networking tech stacks so they can break out of their closed ecosystems. White box networking solutions, which are designed around completely open and customizable hardware components, offer an escape from vendor lock-in. In this blog, we’ll discuss how white box networking works, what the benefits and challenges are, and how to build the best solution.

Table of Contents

  1. White box networking explained
  2. The benefits of white box networking
  3. The problem with white box networking
  4. The solution: White box networking with ZPE Systems

To see an example of white box networking in action, request a free Nodegrid demo.

White box networking explained

White box networking involves the use of hardware – like switches and routers – that is built from commodity parts and can run any software. These solutions are highly customizable, enabling organizations to mix and match parts from different suppliers to get exactly the features they need, like port configurations, storage capacity, and computational power. In addition, white box devices can run operating systems and software that have been custom-made or heavily modified, allowing even greater flexibility.

The benefits of white box networking

Cost savings: Network Operating Systems (NOS) are often the most expensive component of a networking solution, involving recurring licensing fees, support contracts, and periodic update costs. Plus, the vendor may decide to overhaul or replace their software platform, requiring expensive network hardware replacements and licensing upsells to maintain support. White box networking decouples the hardware and software, giving organizations complete control over their NOS and allowing the use of open source or in-house operating systems. By eliminating their reliance on commercial NOS, companies can reduce both their upfront software costs and their recurring licensing fees.

Hardware and software freedom: Even if an off-the-shelf networking solution comes with the necessary features and functionality right now, that’s no guarantee that the feature roadmap will always align with an enterprise’s goals and future growth. A white box solution can be changed at any time by installing new software or replacing hardware components, so it can grow and evolve with an organization. This also means that companies can take advantage of new and emerging technologies like SD-WAN or AIOps as quickly as they want without needing to completely replace the underlying infrastructure – they can simply add the required hardware and software to their existing white box solutions.

Easy management and interoperability: The biggest benefit of white box networking is that it can be managed by any platform and integrated with any third-party solutions. This makes it easier for an organization to create a fully unified environment with centralized orchestration, end-to-end network automation, and complete visibility. Network teams get holistic control over the entire white box infrastructure from a single pane of glass, using their preferred automation scripts and orchestration tools, which ensures greater performance, reliability, and efficiency.

The problem with white box networking

Though white box networking has many advantages in theory, a lot of companies find it hard to achieve these benefits in practice. For one thing, many white box vendors focus simply on the hardware and don’t provide a default NOS. That means organizations need to spend additional time purchasing, customizing, or writing their own NOS as well as deploying that NOS to all new white box devices.

In addition, white box hardware is often sold in bulk and can become prohibitively expensive if bought in smaller quantities. An organization might end up buying a lot of extra parts they don’t need just to avoid outrageous shipping fees, and then they’re left with the hassle of storing or reselling that hardware.

White box networking also requires a lot of extra work to configure, deploy, and manage compared to a commercial off-the-shelf (COTS) solution. For many companies, the complexity of enterprise networks and the tech talent shortage make white box networking too much of a headache. Plus, white box manufacturers typically don’t provide ongoing support in the form of NOS updates and security patches, which means the enterprise must take on this responsibility themselves.

White box devices can also increase the attack surface of the enterprise network. A poorly configured and unpatched NOS is a tempting target for cybercriminals, who can use a compromised white box device to access sensitive network resources.

The solution: White box networking with ZPE Systems

To use white box networking effectively while avoiding these challenges, you need a complete solution, not just disparate parts to assemble on your own. That solution should combine the open ecosystem approach of white box hardware, the centralized management and security patch advantages of point solutions, and pre-validated applications that don’t require a professional coder to deploy.

For example, the Nodegrid platform from ZPE Systems turns white box networking into a complete enterprise solution. Nodegrid devices are highly customizable, inexpensive, and arrive fully assembled. These devices come pre-installed with the Nodegrid OS, which is built on an x86-64 Linux kernel to ensure easy setup and interoperability. ZPE Systems can even manage Nodegrid OS updates and security patches for you, helping to reduce your attack surface and close the tech talent gap. Plus, you can directly host or integrate your choice of networking applications (including Docker containers and SASE solutions) for greater functionality, security, and ease of use.

The Nodegrid solution addresses every major challenge of white box networking so you get complete vendor freedom and simplified management in a single, affordable platform.

Ready to learn more?

To learn more about white box networking with Nodegrid, contact ZPE Systems today.

Why You Need an Out-of-Band Cybersecurity Platform

As enterprise networks continue to grow in size and complexity, many organizations struggle to defend their expanding attack surface. The cost of failure also continues to grow – according to IBM’s 2022 Cost of a Data Breach report, the average cost of a successful ransomware attack reached $4.54 million. Koroush Saraf, VP of Product Management at ZPE Systems, identified the top five cybersecurity gaps that must be closed to achieve holistic cybersecurity, which include:

  • Unnecessary exposure of management ports
  • Credential theft
  • Unpatched infrastructure
  • Inability to deploy the right security tools
  • Human error

Closing these gaps requires a three-pronged approach – out-of-band infrastructure, an open platform from which to deploy and manage security tools, and end-to-end automation (aka, hyperautomation). In this blog, we’ll explain how an out-of-band cybersecurity platform combines these three key features into a single, holistic network security solution. Want to see an out-of-band cybersecurity platform in action? Request a free demo of the Nodegrid solution.

Why you need an out-of-band cybersecurity platform

An out-of-band (OOB) cybersecurity platform provides a single, unified interface from which to:

  • View and manage network infrastructure
  • Deploy and control all of the various security policies and applications needed to protect that infrastructure, and
  • Orchestrate network, infrastructure, and security automation.

This platform resides and operates on an out-of-band network running parallel to the production network, which ensures 24/7 availability even if there’s a LAN failure or ISP outage. All network, infrastructure, and security management occurs OOB, which prevents resource-intensive orchestration workflows from negatively impacting production performance. This vendor-neutral, automation-friendly, out-of-band approach to cybersecurity helps you in several areas.

Reduce your attack surface

The management ports on devices like servers and switches are frequently targeted by cybercriminals because they can be used to gain access to valuable data and resources on the production network. With an out-of-band cybersecurity platform, all infrastructure and network management occurs on the OOB network, which means you no longer need to expose management ports on the production network. Isolating management and orchestration workflows to the OOB network helps reduce the attack surface by making it much more difficult for attackers to find and access those open management ports. Vendor-neutral OOB cybersecurity platforms can also help companies reduce the number of individual devices and solutions on their network, which decreases the attack surface even more. An open OOB serial console like the Nodegrid Serial Console Plus (NSCP) can host other vendors’ applications and solutions and seamlessly integrate them into the cybersecurity platform, so there are fewer devices to patch and defend, and fewer vectors through which cybercriminals can attack.

Understand your attack surface

A centralized, vendor-neutral cybersecurity platform is able to dig its hooks into every component of an enterprise network, providing a complete overview of the entire architecture. With this holistic view, security analysts gain a better understanding of the attack surface and what’s needed to protect each vulnerability. For example, a cybersecurity platform can provide information about software versioning to help with security patch management or help identify which ports are open in various applications and why. Armed with this knowledge, an organization can then deploy granular policies, tools, and controls that are custom-tailored to provide the best defense.

Mitigate human error

Even the best network engineer, working in the ideal environment, will occasionally make mistakes. For example, a recent FAA outage that delayed thousands of flights was caused by a contractor mistakenly deleting some files. And unfortunately, the combination of a tech industry recession and a tech talent gap has meant that many IT teams are overworked and understaffed – far from an ideal situation. Human error is a leading cause of successful breaches; network automation reduces it by letting scripts and playbooks handle many of the tedious and repetitive workflows involved in network management. An out-of-band cybersecurity platform can host or integrate with all the leading automation solutions and scripting languages, giving overworked admins the freedom to use the tools they’re most comfortable with. The centralized platform consolidates automated workflows in a single place for streamlined deployments and efficient management. Organizations can even achieve hyperautomation – automating every task and workflow across the network and security architecture – using the cybersecurity platform as an orchestration hub. This empowers understaffed teams to optimize network performance and security while reducing manual interventions, mitigating the risk of human error.

Ensure 24/7 coverage and availability

An out-of-band cybersecurity platform uses a dedicated network interface – such as a 5G cellular modem – to ensure continuous management access even when there’s an outage on the production network. That means admins have 24/7 access to the cybersecurity platform itself, as well as the devices and systems being protected by that platform. And, crucially, all of the security policies and tools will continue to protect production network infrastructure during that downtime. This continuous availability makes it possible for IT teams to remotely recover from device and network failures without the need for costly and time-consuming truck rolls. Or, in the event of a successful attack such as ransomware, admins can conduct recovery operations on the OOB network, creating an isolated recovery environment (IRE) that’s inaccessible to attackers.

Why choose Nodegrid as your OOB cybersecurity platform

An out-of-band cybersecurity platform uses OOB infrastructure, vendor-neutral management software, and end-to-end automation to provide holistic network security. The Nodegrid platform from ZPE Systems delivers all of this functionality in a single package. Using Gen 3 out-of-band serial consoles and integrated services routers, Nodegrid can dig its orchestration hooks into every system, device, and solution in your infrastructure for complete control. Nodegrid can host or integrate with your choice of automation tools (such as Chef, Ansible, and Puppet) and security applications (such as NGFWs and SSE) for seamless and unified network security management. Plus, with fast and reliable OOB network interface options – including 5G cellular and Wi-Fi – you can maintain 24/7 security coverage and management availability.

Ready to learn more?

To learn more about the Nodegrid out-of-band cybersecurity platform, contact ZPE Systems today.

Zero Trust Network Access vs. VPN for Branch and Edge Networking

When comparing zero trust network access vs. VPN, they both have benefits for security, speed, and scalability

Organizations are starting to recognize the benefits of edge computing, which moves data processing resources closer to the sources of data generation and away from the central data center. In addition, businesses are becoming more geographically dispersed, with branch offices, manufacturing facilities, and other remote sites around the world.

While larger remote sites are typically connected to the enterprise network via WAN or SD-WAN, this may not be feasible for smaller branches with fewer staff. Traditionally, VPNs (virtual private networks) are used to create a private connection for remote systems and users. However, a new technology called Zero Trust Network Access improves upon VPNs by providing faster and more secure remote connections.

What is a VPN?

A VPN, or virtual private network, is a service that creates an encrypted connection between a device and a network. In this particular use case, VPNs are used to extend the enterprise network to branch and edge locations. Often, organizations use VPNs as an alternative to installing expensive WAN solutions in very small remote sites. They’re also used to connect sites that are unreachable by traditional network infrastructure, such as offshore oil rigs.

Though VPN traffic is encrypted, there are still security risks. Many VPNs still use single-factor authentication, meaning all you need is a username and password to connect. If a remote user’s account information is stolen, a hacker could easily gain access because they don’t need to provide a second form of identity verification.

In addition, VPNs grant complete access to the enterprise network, trusting remote users and devices just like they were in the main office. That means a malicious actor could use a compromised account or stolen laptop to move laterally around your enterprise network, stealing whatever data they can find.

What is Zero Trust Network Access (ZTNA)?

Zero trust network access, or ZTNA, is another product or service that connects remote users and devices to enterprise network resources. However, instead of creating a tunnel to the enterprise network itself, ZTNA directly connects users to the applications and services they need. Users then need to re-verify their identity and re-establish trust before they access another application.

ZTNA follows the “dark cloud” concept, which prevents remote users from seeing or interacting with any of the data, systems, or applications they aren’t explicitly authenticated to. Microsegmentation is used to create perimeters around each resource with granular, context-based access control policies.

For example, if a branch office employee uses ZTNA to access the shipping system, they can’t see or touch the payroll application unless they authenticate to that specific resource. If the account is behaving suspiciously (logging in at unusual times, accessing resources it doesn’t typically need, etc.) then the account is locked until trust can be re-established. The dark cloud principle prevents malicious actors from discovering valuable resources and moving laterally on the enterprise network.

Comparing zero trust network access vs. VPN for branch and edge networking

Trust

Zero trust network access is more secure than VPNs because it follows the zero trust security model of “never trust, always verify.” Branch and edge accounts are assumed to be untrustworthy until they prove otherwise through repeated identity verification and trustworthy behavior. Remote accounts never have full access to the enterprise network and can only see and interact with the specific resources they’re presently authenticated to.

Authentication

While newer VPNs may allow integrations with third-party MFA (multi-factor authentication) providers like Okta, many organizations are still using single-factor authentication for VPN clients. That makes it much easier for a hacker to use a single set of stolen credentials to gain unrestricted access to the enterprise network. In addition, if a branch employee leaves their VPN session active and their laptop is stolen (for example, because it was in an unsecured building that’s open to the public), the thief can use that session to jump around the network without ever needing to re-verify or re-authenticate.

Performance

VPN connections are notoriously slow. All VPN traffic needs to be backhauled through a centralized concentrator, which creates massive bottlenecks and network latency. ZTNA, on the other hand, connects branch and edge devices directly to the resources they need. If that resource lives on the web or in the cloud, the traffic bypasses the enterprise network entirely, reducing the load and improving performance for everyone.

Scalability

Finally, VPNs are meant to be deployed to individual users on a case-by-case basis. Scaling up is difficult and expensive because you need to purchase licenses and install software for each machine that connects. Also, the more VPN connections, the greater the impact on network performance, and the more VPN concentrator solutions you’ll need to deploy to distribute the load. Gartner predicts that by 2025, 75% of enterprise-generated data will be processed at the edge, so individual VPN solutions won’t be able to keep up.

ZTNA is often delivered on the “as-a-service” model, which means it’s hosted in the cloud and doesn’t require any customer premises equipment (CPE). Licenses are scaled up or down at the click of a button, and there’s no software to install on remote machines. This makes ZTNA the ideal choice for enterprises hoping to expand their global reach or scale up their edge computing capabilities.

Deploying ZTNA for branch and edge networks

Zero trust network access is available as a standalone service, but you can also find it among the cloud-oriented security stack in a Security Service Edge (SSE) solution. SSE combines ZTNA with security technology such as Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Firewall-as-a-Service (FWaaS). This suite of cloud security features delivers comprehensive protection for branch and edge networks while reducing the need for remote traffic to pass through the central data center.

Need more help comparing zero trust network access vs. VPN for branch and edge use cases? Contact ZPE Systems.

Why cybersecurity can make you feel lost in space


Cybersecurity has been a hot topic for years. With many high-profile breaches, malware attacks, and pricey payouts, it’s no wonder why companies continue to add more and more protection for their IT systems.

Despite this, hackers continue to succeed at exploiting vulnerabilities. Why are there still vulnerabilities in the first place? All it takes is one weak spot and one bad actor (looking at you, HAL 9000) to lock you out and leave you scrambling to regain control.

In this post, we’ll cover how network infrastructure has evolved in the past decade, why cybersecurity can make you feel lost in space, and why recovery is crucial to modern cybersecurity.


How network infrastructure evolved

The movie 2001: A Space Odyssey predicted that by the year 2001, technological advancements would enable things like space travel and virtual conferencing. In reality, we were still rolling around in gas-powered cars or waiting for 56kbps dial-up connections to load our email inboxes.

Times were simpler, and that meant network infrastructure and cybersecurity were simpler too. Most people went to work at a physical location like an HQ or branch office, and distributed or remote work technologies were very much in their infancy. Network infrastructures were therefore simpler and more localized, usually requiring only an MPLS connection from the off-site data center (if there was one) to the branch offices. Cybersecurity was simple: it was either inherent to the connection type (like MPLS) or handled by something like a basic firewall or encryption method.

Network architecture showing simplicity of data center connected via MPLS to branch office

Fast forward more than 20 years, and the network infrastructure common to 2001 is barely recognizable. With customers and employees demanding companies adapt to their on-the-go and remote-work lifestyles, the network infrastructure exploded, causing a sort of Big Bang of cybersecurity as we know it today.

Network architecture showing complexity of data center, CDN, remote user, branch office, all connected via many paths

Modern networks need to serve many branch offices and remote locations, and the only way to succeed is by incorporating a myriad of on-prem, cloud, and SaaS solutions. This creates a hybrid infrastructure of data, security, networking, and computing distributed everywhere. In other words, the attack surface continues to expand much like the universe itself, and security professionals have been struggling to contain all the vulnerabilities left in its wake.


Why cybersecurity makes you feel lost in space

You might relate to Frank Poole. In the movie, the HAL 9000 supercomputer leads Frank to perform a spacewalk in order to repair a portion of their ship. While Frank floats toward the ship, the corrupted HAL takes control of an EVA pod and slams it into Frank, causing him to tumble helplessly through the black void of space and eventually meet his demise.


Trying to secure your IT infrastructure can make you feel just as helpless and out of control. That’s because cybersecurity presents several challenges that make it difficult to gain your footing. And with 2021’s executive order regarding zero trust security, cybersecurity seems even more daunting as previous protection methodologies are becoming wholly obsolete.

Here’s a brief look at some of the challenges of modern cybersecurity.


Too many products

Regardless of your industry, there are so many security products to choose from that it can easily feel like you’re floating amongst an endless sky of stars. It’s difficult enough choosing properly secured servers, routers, storage devices, and other physical equipment. Add on the other crucial pieces of the modern network architecture, and it’s easy to make a full-time job of researching, comparing, and selecting the right cloud and SaaS security products. Here’s a list that barely scratches the surface of the different types of security products to choose from:

  • Firewalls & next-gen firewalls (NGFWs)
  • Security information and event management (SIEM) systems
  • Identity and access management (IAM) products
  • Pen testers
  • Data analytics
  • Intrusion detection and prevention systems (IDPS)
  • Endpoint protection apps
  • Database security solutions
  • Ransomware/malware detection and removal
  • Authentication and single sign-on


Too many vendors

All of these products have to originate from somewhere, which brings us to the next challenge: there are too many cybersecurity vendors to choose from. This isn’t necessarily a bad thing, since competition creates better products, but it does complicate the cybersecurity professional’s journey to achieving holistic protection.

At RSA Conference 2022, for example, there were 450 security exhibitors present, 70 of which were funded well enough to afford the cost of a booth. During the show, many discussed that in the previous 18 months there were 1,800 new cybersecurity vendors that received funding to be installed in networks. The TL;DR — this multi-vendor ecosystem will persist (and probably grow even more), and so will the challenge of achieving holistic security.

Of course everyone wants the best of the best, which might draw your attention to staples like Cisco, Fortinet, and Palo Alto Networks. But because the modern hybrid infrastructure is so diverse, there are now countless niche products available from thousands of vendors. In fact, CyberDB compiled a database that includes more than 3,500 security companies from the United States alone.

Here’s a graphic that puts into perspective just a fraction of the available vendors:



Too many gaps

The third and most important challenge stems from the first two above: there are just too many security gaps to address. Part of this problem is due to the diversity of hybrid infrastructure. But once you’re able to identify the gaps, you’ll find that addressing these will more often than not create even more gaps.

That’s because there’s no single vendor or suite of products that provides holistic cybersecurity. You deploy a variety of products but inevitably run into interoperability issues, which only perpetuates more vulnerabilities as you add more solutions to address these gaps.

What you end up with is a plethora of solutions that are secure themselves, but that don’t provide protection for your infrastructure as a whole.


Why recovery is key to modern cybersecurity

According to a Sophos survey, 66% of surveyed organizations suffered ransomware attacks in 2022. And when attacks happened, 70% of organizations needed more than two weeks to recover. Ransomware is the modern disaster, which makes minimizing recovery times an essential part of modern cybersecurity.

Recall the Fortinet 7.0 CVE from 2022. Customers upgrading to the then-latest release of FortiOS suddenly found themselves vulnerable to an authentication bypass, in which attackers could gain admin access using certain HTTP/S requests. This typical scenario leaves IT teams waiting for a fix while their business remains exposed. What’s needed is the ability to recover quickly and automatically, whether from an active attack or an at-risk configuration.


Get the blueprint for fast recovery times

Big Tech companies have spent years building this capability into their infrastructure. At ZPE Systems, we’ve directly collaborated with these companies and have created best practices based on these proven architectures. This Network Automation Blueprint details the components and practical steps to take, from automating IT/OT production infrastructure, to implementing an effective design for orchestration and automation environments.

The blueprint is your template to achieving fast recovery times and reducing your risk of attack. Download the blueprint now.


Watch the blueprint recover a failed upgrade

Watch this tech demo from Tech Field Day 26, where Rene Neumann shows how the blueprint helps you recover a failed device upgrade in minutes.

How to Implement Zero Trust: Technologies to Shield You From Million-Dollar Losses


How to implement zero trust security is a growing focus of organizations across the globe. With cyber attacks frequently hitting some of the largest companies and threatening entire economies, it’s no wonder why comprehensive network security is a top priority among public- and private-sector entities.

In this post, we’ll show you what you need to implement zero trust security, from big-picture items to individual technologies.

But first, here’s a recap of zero trust security and why your business won’t be safe without it.

Why you need Zero Trust Security

Imagine bringing in a new hire to your department. Soon after, you notice suspicious computer slowdowns and applications that don’t respond as usual. You dig into your program files, discover an unknown .exe file, and on closer inspection find attackers actively exploiting your resources. You quickly pull your team together to lock down your network, sanitize every computer and connection, and send out a company-wide instruction to have every employee reset their password.

It turns out, your newest employee unknowingly clicked a bad link and opened the door for a trojan horse attack. But because of your quick response, no significant damage was done and you can rest easy again.

Months later, you come in for your normal workday only to find all your systems locked and unresponsive. Dave, a senior engineer, retired on the day of the attack and never reset his password. The hackers stole his credentials and have gone unnoticed for months. Now your company and its customers are compromised, and the consumer markets you serve are in a frenzy due to a shortage of goods. You can’t help but feel somewhat responsible for the entire ordeal.

This example mimics recent real-world cyberattacks and highlights the importance of moving away from traditional security approaches.

Traditional architecture uses the castle-and-moat security approach. Once a user gains access (crosses the moat), they become trusted to use your organization’s resources (the castle). Aside from the occasional password reset or other authentication protocol, this approach leaves plenty of opportunities for outsider and insider attacks. Zero trust security, however, places a moat around every node and user. This means that no matter how often a system or user needs to access a resource, they always have to verify their identity and intent.

In other words: never trust, always verify. In our example above, implementing simple two-factor authentication could have alerted Dave to his stolen credentials, which would have prevented the attack.

The need for zero trust is due to the explosion of distributed networking. Communications used to be straightforward and centralized: a trusted user using a trusted device would connect from a trusted office location to the data center. Apps and data were securely transmitted between parties, and sealing out attackers could be as simple as deploying a new point solution or product. But user expectations changed all this; now, they need to connect from anywhere using a variety of devices, which means the modern network includes SaaS, cloud, and third-party platforms. This hybrid infrastructure means there are now more nodes and lines of communication than ever — and each is vulnerable to attack.

If the recent attacks on SolarWinds, Microsoft Exchange, and Colonial Pipeline aren’t convincing enough, consider the latest hack involving Kaseya, an American company that specializes in IT and network management software. By exploiting the virtual systems/server administrator (VSA), attackers were able to compromise up to 1,500 of Kaseya’s customers, shutting down educational services, law firms, and an outpatient surgical center in South Carolina.

Pervasive attacks like these have prompted political action, with the President signing a cybersecurity executive order this past May. Read our breakdown of the legislation and how it aims to improve cybersecurity across public and private sectors.

Now that you know why you need better security, how do you implement zero trust?

How to implement Zero Trust: The big picture

Zero trust is merely a concept; implementing Zero Trust Network Access (ZTNA) means putting that concept to work. Implementing ZTNA involves two parts:

  • The processes, which we covered in a previous post, and
  • The technologies, which we’ll talk about in this post

At a high level, this diagram shows the components you need when considering how to implement zero trust.

A high level diagram of the three main components of zero trust security, including the enterprise resource, policy enforcement point, and policy decision point.

There are three major components to look at in the big picture of zero trust security:

  1. Enterprise resource — This includes all the IT stuff you need to protect and that your business relies on, like hardware, software, and network equipment. In simple terms, this is like the gold that you keep carefully guarded in the center of your castle.
  2. Policy enforcement point — This is the datapath element that enables, monitors, and terminates connections between users / devices / applications and enterprise resources. Simply put, this is like the guard that accompanies those wishing to access your gold.
  3. Policy decision point — This is the layer that decides who / what is safe and grants / revokes access accordingly. In other words, this is the gatekeeper who determines who is allowed into your castle.

To better understand these, here’s a closer look at each:

Enterprise resource

This component is pretty straightforward, and consists of elements you need to operate and manage IT environments. These elements can include hardware like computers and data storage devices; software such as web servers, content management systems, and operating systems; and network equipment like servers, routers, firewalls, and out-of-band devices.

 

Policy enforcement point

This component consists of the datapath elements that enable, monitor, and terminate connections between subjects (users / devices / applications) and your enterprise resources. Though this is represented as one component, it comprises two parts, both of which are typically used in deployments. These parts are:

  • A client-side agent, usually deployed on a laptop or server.
  • A resource-side gateway, which controls access in cases where a client-side agent is not used. Examples where gateways are used include regulated healthcare equipment, ATM machines, and operational technology equipment.

 

Policy decision point

This component is the management and orchestration layer. This layer essentially checks identities to verify who is safe, and assigns policies to determine who gets access and to what. This is also represented as one component but comprises two parts:

  • Policy engine — This is the engine that decides whether a machine or web traffic is safe. To accomplish this, the engine uses a variety of data sources when making its determination, such as PKIs and identity management providers, CDM systems, and activity logs.
  • Policy administrator — This administrator uses the policy engine’s determination to grant or revoke access to a machine or web traffic.

There are many tools available to help you monitor and visualize traffic, so you can create policies and configure your policy decision point to meet your zero trust outcomes.
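To make the division of labor between the policy engine, the policy administrator, and the enforcement point concrete, here is an added example in Python that models the three components described above; it is not ZPE Systems' code or any product's API. The identity store, device posture feed (standing in for a CDM system), policy table, and country-of-origin anomaly check are constructed stand-ins, and the stolen-credential scenario replays the "Dave" example from earlier in the post.

```python
import itertools
from collections import namedtuple

# Constructed stand-ins for the policy engine's data sources (not real feeds).
IDENTITY_STORE = {  # identity management provider / PKI
    "dave": {"roles": {"finance"}, "mfa_enrolled": True},
    "eve": {"roles": {"contractor"}, "mfa_enrolled": False},
}
DEVICE_POSTURE = {  # CDM system: is the device managed and patched?
    "laptop-17": {"managed": True, "patched": True},
    "kiosk-03": {"managed": False, "patched": False},
}
POLICIES = {  # rules from the policy management solution
    "payroll-app": {"roles": {"finance"}, "mfa": True, "managed": True},
    "guest-wifi": {"roles": {"finance", "contractor"}, "mfa": False, "managed": False},
}
# A subject's request: who, from which device, for what, with MFA result and origin.
Request = namedtuple("Request", "user device resource mfa_passed src_country")


class PolicyEngine:
    """Decides whether a request is safe, consulting every data source in turn."""
    def __init__(self):
        self.activity_log = []  # third data source: what has been seen before

    def decide(self, req):
        policy = POLICIES.get(req.resource)
        if policy is None:
            return False, "deny by default: no policy for resource"
        ident = IDENTITY_STORE.get(req.user)
        if ident is None:
            return False, "unknown identity"
        if not ident["roles"] & policy["roles"]:
            return False, "least privilege: role not authorized"
        if policy["mfa"] and not (ident["mfa_enrolled"] and req.mfa_passed):
            return False, "multi-factor authentication required"
        posture = DEVICE_POSTURE.get(req.device, {"managed": False, "patched": False})
        if policy["managed"] and not (posture["managed"] and posture["patched"]):
            return False, "device posture check failed"
        # Activity-log signal: an account suddenly appearing from a new country
        # mid-session is the kind of anomaly that exposes stolen credentials.
        seen = {r.src_country for r in self.activity_log if r.user == req.user}
        if seen and req.src_country not in seen:
            return False, "anomaly: user seen from a new country mid-session"
        self.activity_log.append(req)
        return True, "ok"


class PolicyAdministrator:
    """Turns decisions into sessions the enforcement point honors, and revokes them."""
    def __init__(self, engine):
        self.engine = engine
        self.sessions = {}  # session id -> the request it was granted for
        self._ids = itertools.count(1)

    def grant(self, req):
        allowed, reason = self.engine.decide(req)
        if not allowed:
            return None, reason
        sid = next(self._ids)
        self.sessions[sid] = req
        return sid, reason

    def revoke(self, sid):
        self.sessions.pop(sid, None)


class EnforcementPoint:
    """Datapath element in front of the resource: re-verifies on every request,
    not just at login, and terminates the connection when the PDP says no."""
    def __init__(self, admin):
        self.admin = admin

    def forward(self, sid, req):
        session = self.admin.sessions.get(sid)
        if session is None or (session.user, session.resource) != (req.user, req.resource):
            return False, "no valid session"
        allowed, reason = self.admin.engine.decide(req)  # continuous verification
        if not allowed:
            self.admin.revoke(sid)
        return allowed, reason
```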

In order to create your zero trust configuration, you need to deploy several essential technologies.

How to implement Zero Trust: Essential technologies

Zero trust is a complete re-imagining of network security and can be a daunting task. But when you add its fundamental technologies to your toolkit, you can effectively build the three components described above and achieve Zero Trust Network Access (ZTNA). Here are the essential technologies you need to accomplish this.

 

Identity and access management

Such a big part of zero trust security relies on verifying that a device or user really is who they say they are. For this, you need an identity management solution from a trusted provider and public key infrastructure (PKI). This allows you to essentially create and issue a digital fingerprint for every user, and includes information such as their username, role, and other unique data. Multi-factor authentication is a critical component of identity verification, which requires users to present two or more pieces of identification/verification before granting access.

Additionally, access management is an important piece that determines a user’s authorization level, or in other words, which resources they can access. Identity and access management both feed information into your zero trust model’s policy engine.

 

Policy management

Another essential technology to have is a policy management solution. This is integrated into your security stack and serves as a single policy creation point. This allows you to define access and authentication policies for your entire organization.

You can specify data access rules for users, devices, and roles, which is vital to achieving micro-segmentation, limiting lateral movement, and enforcing least-privilege access. All of these feed into your policy engine and are used by your policy enforcement point to validate whether a session is allowed to continue.

 

Zero trust equipment and applications

Tying everything together requires equipment and applications that are able to enforce your policies. These are physical or virtual solutions that sit in front of servers and serve as your enforcement points. For example, this could be your next-gen firewall (NGFW) that initiates the multi-factor authentication protocol, verifies a user’s identity, and uses your defined policies to restrict the user’s access to a specific segment of your network.

Where can you get these essential Zero Trust technologies?

When considering how to implement zero trust, keep in mind that there are many vendors who can provide you with the essential technologies.

  • Obtaining an identity and access management solution is the easiest task when implementing zero trust. Many organizations offer an identity store, such as Azure Active Directory or Google Cloud Identity. You can also use companies dedicated to identity management, such as Duo, Okta, or Ping Identity. Keep in mind that if you need to control third-party access, such as for customers or equipment management contractors, you’ll need a solution that can access multiple identity stores simultaneously.
  • Obtaining a policy management solution requires careful consideration and should be part of your overall security stack. Look for a solution that allows you to create policies and set up datapath enforcement points. An adequate framework enables you to create authentication and post-authentication access rules, with an enforcement point that segments your network and continuously authenticates sessions. This security stack can be an on-prem NGFW, or delivered via the cloud using a Secure Access Service Edge (SASE) model, both of which are available from trusted providers like Palo Alto Networks.
  • Regardless of whether you use an on-prem or SASE model, you need an edge infrastructure platform to sit in front of servers and host the enforcement point. For on-prem, this platform must be able to host an NGFW to secure network segments and VLANs. For SASE, this platform must be able to create VPN tunnels to your SASE platform, which can be used for inline inspection and policy enforcement. Either approach requires powerful computing capabilities and a flexible operating system to accommodate workloads for detecting, analyzing, and automatically responding to threats, which few vendors offer.

Here are examples of what proper zero trust implementations look like, with ZPE Systems’ Nodegrid as the edge infrastructure platform:

Implementation diagram showing how to implement ZTNA at the data center using Nodegrid.

In this diagram, you can see where ZTNA and Nodegrid fit into the scheme at the data center. The user connects via Internet, and the Nodegrid SR device serves as the Policy Enforcement Point hosting a VM. This VM communicates with the Policy Engine to authenticate the user, and then grants access to the data center application.

Implementation diagram showing how to implement ZTNA at a branch, edge, or other distributed location.

In this diagram, the user tries to connect to an application at a branch, edge, or other distributed location. The user connects via Internet, where SASE and ZTNA provide secure connectivity. The Nodegrid SR device connects via VPN to the Policy Engine for authentication, and then grants access to the branch application.

How to implement Zero Trust: A recap

To protect your organization, implementing zero trust requires you to build out the main components. With the policy decision point and policy enforcement point in place, you can secure your enterprise resources from outsider and insider attacks. Ensuring these components work like a well-oiled machine means you need the proper identity and access management tools, a complete policy management solution built into your security stack, and equipment and applications that can enforce your zero trust security policies.

Because user expectations have caused infrastructure to become incredibly distributed and complex, the attack surface has increased dramatically. The traditional castle-and-moat approach to security is no longer adequate, and recent newsworthy cyberattacks showcase the network vulnerabilities that even the largest companies still struggle to address. The President’s latest cybersecurity executive order is a step in the right direction to bolster infrastructure protection for public and private sector entities, and you can use this blog as a starting point to begin your zero trust journey.

Don’t get caught without these 5 security must-haves

Watch our webinar, Cyberattacks: 5 Security Must-Haves for Hybrid Infrastructure Gateways, and learn how to lay a solid foundation that makes implementing zero trust easier. Our experts will talk you through how to:

  • Keep edge networks and users fully protected
  • Make smart buying decisions
  • Get complete security and control for years of serviceability

Watch now to protect your business from growing cybercrime.

Zero Trust Architecture: What to Know About the Latest Cybersecurity Executive Order and How to Implement It

Without a zero trust architecture in place, your business might suffer a setback of $4 million or more due to cybercrime. That’s how much the Colonial Pipeline recently paid out after hackers shut down their oil delivery infrastructure and held its restoration for ransom (reference at bottom). The reality is, this is just a drop in the bucket when it comes to risks and losses overall, but it’s why cybersecurity and zero trust are again in the national spotlight.

On May 12, the President acknowledged the importance of protecting public and private sectors from incidents like these, by signing an executive order to improve the nation’s cybersecurity. One of the order’s main callings is for organizations to adopt a zero trust architecture.

Zero Trust Architecture

In this post, we’ll examine some goals of this executive order and how it seeks to improve cybersecurity for both public and private entities.

But first, let’s recap zero trust and why it’s critical to protecting more than just sensitive data.

What is zero trust architecture?

A zero trust architecture is made up of systems that verify every user, device, application, etc. that tries to access a business’ IT resources. In networking, this involves creating micro-segments or perimeters within each network, and continuously verifying who and what is granted access.

The philosophy behind zero trust architecture is fundamentally this: trust nothing, because threats are everywhere, always.

Here’s a brief rundown of zero trust’s guiding principles:

  • Always verify — Treat every user, device, application, etc. as untrusted, and always verify to determine access.
  • Deny by default — Assume that your environment is already under attack, and continuously monitor for anomalies and malicious activities.
  • Grant least-privilege access — Allow users, devices, applications, etc. access to only the minimum resources needed to perform their jobs.

Zero trust isn’t a turnkey solution, nor does it rely on a single technology. Instead, it involves transforming network security by taking a holistic approach to safeguard every network interaction. This includes implementing hardware, software, and virtual solutions built with security in mind — from Trusted Platform Modules (TPMs), to multi-factor authentication and user access rights — as well as transforming security processes in your organization.

For a closer look at zero trust architecture and its origins, read our previous post.

Does zero trust architecture matter that much?

Zero trust architecture is key to protecting both public and private sector organizations. Though it can be more difficult to measure how attacks impact less tangible things like public safety or brand reputation, the cybersecurity risks are apparent just by looking at monetary losses.

In 2020, cybercrime cost businesses and consumers billions of dollars in the United States alone. In California for example, total financial losses reported as a result of cybercrime totaled more than $621 million, with leading types of crime including phishing, extortion, data breach, identity theft, and misrepresentation, among others. Other states including Colorado, Ohio, and New York ranked with staggeringly high losses as well, which ranged from $100 million to over $400 million.

Aside from causing financial damages, cyberattacks can open the door to allowing very sensitive info to fall into the wrong hands, which can jeopardize public safety and economic stability. Just imagine what malicious actors could do with classified government information or access to public or private infrastructure.

  • In early 2020, the major IT firm SolarWinds was attacked by hackers using malicious code. They successfully created a backdoor to access information and systems belonging to 18,000 SolarWinds customers, which include Fortune 500 companies and government agencies. The attackers were able to spy on customers and infect even more with malware.
  • In early 2021, hackers attacked on-prem versions of Microsoft Exchange Server using zero day exploits (flaws that haven’t yet been patched by the vendor). They were able to access email accounts and install web shell malware that gave them ongoing admin access to victims’ servers. It’s reported that more than 250,000 organizations have been affected worldwide.
  • In May 2021, hackers gained access to the Colonial Pipeline and shut down oil delivery. For six days, the 5,500-mile-long pipeline was offline. Because it carries 45% of the fuel used on the U.S. East Coast, fuel prices skyrocketed before a $4.4 million ransom payment was made to unlock the compromised systems and restore fuel flow.

These attacks and others could have been prevented — or at least dramatically reduced through better containment — with zero trust architecture in place.

For example, if a hacker attempted to embed malicious code into a device, this device would already be trusted in a traditional network security model. This implicit trust would allow the malicious code to go unnoticed, giving the hacker remote access to sensitive information and systems. But with zero trust architecture, implicit trust is eliminated. In this example, the hacker might still be able to remotely access the device, but micro-segmentation would deny access to other devices, and continuous monitoring and analytics would alert company staff to the anomalous activity. In essence, zero trust would contain the threat and help the organization pinpoint the system that requires attention, without having to suffer potentially catastrophic losses.

For all of these reasons, comprehensive cybersecurity is a must-have for organizations. The President’s executive order aims to help catalyze the rapid adoption of better cyber protection methods such as zero trust.

What does the cybersecurity executive order do?

The Executive Order on Improving the Nation’s Cybersecurity seeks to improve protection for federal government networks, and in turn encourage private entities to do the same for their own networks. To achieve these goals, the executive order focuses on three major areas:

  • Removing barriers to threat information sharing
    Until now, contractual barriers often prevented companies from sharing information with the government about cyber threats that compromised their security. The executive order removes these barriers, and also requires companies to share information regarding security breaches that could impact government networks.
  • Bringing stronger cybersecurity standards to the federal government
    Systems have historically become compromised due to outdated security models and best practices. The executive order seeks to modernize cybersecurity for the federal government, through the adoption of secure cloud services, zero trust architecture, and multi-factor authentication and encryption. The order attaches a specific time period (see below) by which federal agencies must develop plans for implementing these approaches.
  • Improving software supply chain security
    Software is inevitably shipped with vulnerabilities that can pose significant danger of being exploited. The executive order combats this by establishing baseline security standards for software developed and sold to the government. The order calls for the creation of a pilot program for an ‘energy star’ type of label that will allow organizations to easily determine whether software has been created securely. Additionally, the order creates a concurrent public-private process to foster secure software development; incentivizes the market with federal procurement; and requires developers to maintain greater software visibility and make security data publicly available.

Specifically regarding zero trust, the order states that within 60 days, the head of each federal agency must develop a plan to implement zero trust architecture. The order also states that within 90 days, the Cybersecurity and Infrastructure Security Agency (CISA) must assist the Secretary of Homeland Security and the Administrator of General Services to develop a federal cloud-security strategy and issue appropriate guidance to government-wide agencies. In all, these efforts will modernize the federal government’s cybersecurity as agencies move to cloud services and require more comprehensive network protection.

With the federal government leading the charge, the President hopes that private sector organizations will follow by implementing their own zero trust architectures and best practices. The executive order encourages these efforts through additional steps and resources, which include:

  • Creating a review board — The order calls for the creation of a cybersecurity safety review board. This board will be responsible for analyzing cyber incidents and making concrete recommendations that will improve security.
  • Creating a playbook — The order requires the creation of a standard playbook for responding to cyber incidents. This playbook will ensure government agencies can take uniform steps to identify and mitigate threats, and will also serve as a template for private sector entities to create their own playbooks.
  • Enabling better detection — The order calls for enabling government-wide endpoint detection, response systems, and information sharing to improve detection of cybersecurity incidents on government networks.
  • Creating log requirements — The order calls for improving investigative and remediation capabilities, through the creation of cybersecurity event log requirements for federal departments and agencies.

How can you implement zero trust?

Remember that implementing a zero trust architecture isn’t as simple as deploying a piece of hardware or software. Because the threat landscape is constantly evolving, you need to take a holistic approach in transforming your security from the inside out. Despite the risks that seem to loom larger with every passing day and make you anxious to fortify your networks, keep in mind that achieving zero trust is a gradual process. Here are some tips to help you overcome common challenges:

Think processes

  • Implement gradually — Zero trust is a reimagining of your network security model, so you need to implement it gradually at the process level. This will help you identify what needs urgent attention while also preventing you from making widespread changes that can create security gaps.
  • Perform routine maintenance — From a security standpoint, your requirements are constantly changing (adding customers, adjusting user access rights, etc.). Routine maintenance ensures that you don’t leave vulnerabilities on your network when, say, a new customer requires user group access, or one of your employees moves to a different department.
  • Consider employee productivity — If you’re a little too ambitious to implement zero trust, you could end up causing issues that affect your employees’ ability to do their jobs. Again, take time to gradually implement your zero trust architecture, so that you don’t inadvertently lock out an entire department or blacklist the wrong mail server.

Think technologies

  • Zero trust equipment and applications — Without the right infrastructure components in place, zero trust is only an idea. Bring it to life by deploying equipment and applications that can enforce multi-factor authentication, verify identities, and allow access only as needed.
  • Identity and access management for all equipment — A critical component of zero trust is being able to determine who needs access to your infrastructure. Because you need to limit admission on a need-to-know basis, your design and security teams need the appropriate tools that will allow them to map user access, and also precisely identify users and applications.
  • Complete and cloud-enabled security stack — Gone are the days of simply plugging into firewall devices for total security. With cloud models and distributed networks and staff, you need end-to-end security offered by segmentation capabilities, and also solutions such as Secure Access Service Edge (SASE). These give you the ability to provide secure, least-privilege access, whether users try to connect from HQ or using airport Wi-Fi on another continent.
  • Infrastructure edge platform to isolate, and connect it all — In order to bring everything together and remain in control of your solutions, you need a robust and secure edge platform. Not only will this help you securely fuse together your zero trust architecture components, but it will provide you with protected out-of-band management of your infrastructure. A truly powerful edge platform will also accommodate additional workloads to help detect, analyze, and automatically respond to threats.

Get serious about these zero trust technologies

With cyberattacks on the rise, tomorrow is too late to start thinking about zero trust architecture. Recent executive action means it’s time to get serious about fortifying networks and the sensitive data they handle. Read our next post for a deeper dive into the technologies that can save you from crippling ransomware and malicious attacks.


Questions? Contact us with your concerns about zero trust or to see a free demo.