Trust no one: security and the channel
The zero-trust network architecture trusts no one. It’s the spy, the suspicious doorman at an exclusive resort and the armed guard at a celebrity shindig. It’s the network that asks you to prove who you are, constantly. And it’s the much-needed shift in thinking and architecture design from the VPN and software-defined perimeter solutions that have dominated networks in the past. Zero trust is, according to Ian Shak, principal solutions architect at Saicom, a relatively new term that defines a network architecture and suite of tools that is the Swiss Army knife of data and system security.
“It’s the ‘trust no-one’ mentality,” he adds. “In the past, we would grant access with verification, but with zero trust, there is absolutely no trust until the person has been authenticated using multiple layers of authentication. There is no access to private company resources and assets without moving through the layers of zero-trust authentication.”
The zero-trust network is aligned to identity. With the right identifiers and multifactor authentication (MFA) capabilities, the network will grant the user access to the business, but this access is further refined by role – the individual can only access the data and applications that are relevant to their role or task. It is refined, defined and targeted, minimising user reach and risk. Zero-trust networks have stepped up the security and authentication protocols offered by the traditional VPN or software-defined perimeter.
The lightweight solution
“The VPN is very much a historical approach to remote access,” says Andy Fourie, area director for Microsoft Security Solutions MEA. “You have a set of credentials, you authenticate yourself, and the network allows you in on the basis of those valid credentials. It’s a lightweight solution that’s very one-dimensional. The software-defined network is an evolution of the VPN that puts the protections on the network. It’s a slightly improved user experience as it is reliant on user credentials.” The VPN has been around for years, and while it worked well at first and remains in wide use today, it gives remote users access to the soft internal network.
As Shak puts it: “It gives all your users keys to the kingdom, the master key to the bedroom.” Software-defined perimeters evolved alongside the proliferation of cloud computing, allowing organisations to create mini perimeters across various clouds as gateways that authenticate individuals. Zero-trust networks turn the concept of ‘prove and we will trust’ on its head.
“The zero-trust network won’t give users access to the system even when they know who they are, where they’re coming from and what they’re doing,” says Shak. “Even with absolute proof of identity, zero-trust won’t let an individual download an entire database, for example. Authorisation is stacked on the individual, taking security deeper, beyond the network level and into the data and permission level. Finance can see finance records, HR can see HR, but the two will not cross unless specified.”
Crafting the best zero-trust strategy requires insight into different aspects of the network and organisation. The first is to understand the data: who gains access to it, what privileges are granted to whom, and what permissions, authentication protocols and passwords are required.
For Charl Ueckermann, group CEO, AveS Cyber International, it’s important to set up behavioural rules for how, when, where and what confidential information people process.
“Take a view that, despite the checks and balances in place, the endpoint or network connection may still be in a state of compromise and that close monitoring is required to ensure data integrity,” he adds. “Different layers of protection need to be architected into the IT estate of the organisation, both private and public hosted. Proactive monitoring and response management processes also need to be integrated to ensure the confidentiality, integrity, and availability of all company assets are protected.”
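The access model the article describes (identity proven with MFA, access refined by role down to the data level, no bulk extraction even for a proven identity, the endpoint treated as possibly compromised, and every decision monitored) can be shown as a small default-deny policy evaluator. The following is an added illustration, not code from the article or from any of the vendors quoted; the roles, data sets, row limit and device check are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed policy: (role, data set) -> operations that role may perform.
# Anything absent from this table is denied; there is no implicit grant for
# "being on the network". Finance sees finance, HR sees HR, and nothing crosses.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("finance", "finance_records"): {"read", "write"},
    ("hr", "hr_records"): {"read", "write"},
}

# Assumed ceiling on rows a single request may touch. An authenticated and
# authorised user still cannot pull an entire data set in one go.
MAX_ROWS_PER_REQUEST = 1000


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool      # identity proven with a second factor
    device_managed: bool    # endpoint posture attested (assumed signal)
    dataset: str
    operation: str
    rows: int = 1


# Decision log so monitoring can see denials as well as grants.
AUDIT_LOG: List[dict] = []


def evaluate(req: Request) -> Tuple[bool, str]:
    """Evaluate one request from scratch and return (allowed, reason).

    Checks run in order: identity, endpoint state, scope of the request,
    then the role-to-data policy. The first failing check decides.
    """
    if not req.mfa_verified:
        decision = (False, "identity not proven with MFA")
    elif not req.device_managed:
        decision = (False, "endpoint not in a trusted state")
    elif req.rows > MAX_ROWS_PER_REQUEST:
        decision = (False, f"{req.rows} rows exceeds per-request limit")
    else:
        decision = (False, "no role grants this access (default deny)")
        for role in sorted(req.roles):
            if req.operation in POLICY.get((role, req.dataset), set()):
                decision = (True, f"role '{role}' permits {req.operation} "
                                  f"on {req.dataset}")
                break
    AUDIT_LOG.append({"user": req.user, "dataset": req.dataset,
                      "operation": req.operation, "rows": req.rows,
                      "allowed": decision[0], "reason": decision[1]})
    return decision


def run_demo() -> List[Tuple[str, bool, str]]:
    """Evaluate a few constructed requests and return (label, allowed, reason)."""
    cases = [
        ("finance reads finance", Request("alice", frozenset({"finance"}),
                                          True, True, "finance_records", "read", 25)),
        ("finance reads hr", Request("alice", frozenset({"finance"}),
                                     True, True, "hr_records", "read", 25)),
        ("hr without mfa", Request("bob", frozenset({"hr"}),
                                   False, True, "hr_records", "read", 25)),
        ("hr bulk export", Request("bob", frozenset({"hr"}),
                                   True, True, "hr_records", "read", 50000)),
        ("hr unmanaged device", Request("bob", frozenset({"hr"}),
                                        True, False, "hr_records", "write", 1)),
    ]
    results = []
    for label, req in cases:
        allowed, reason = evaluate(req)
        results.append((label, allowed, reason))
    return results


if __name__ == "__main__":
    for label, allowed, reason in run_demo():
        print(f"{label:22s} -> {'ALLOW' if allowed else 'DENY ':5s} ({reason})")
```

Only the first request is granted; the same user with a proven identity is still refused when the request crosses into another team's data, exceeds the row ceiling, arrives without MFA, or comes from an unmanaged endpoint. Every outcome is written to the audit log, which is what makes the proactive monitoring the article calls for possible.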
For the channel, zero-trust networks are an opportunity. It’s a way of helping companies redefine their thinking around security architecture and develop an approach that’s better suited to the complexities of the current cybersecurity landscape. Zero-trust architecture is not only more secure, but it offers the user a far more seamless journey in terms of authentication, access and experience.
“For the channel, the value of zero trust will lie in how they redefine their practice and how they work with organisations, helping them to relook at their security and move to a more modern way of working,” says Fourie. “Zero-trust networks are a huge opportunity from a channel perspective as it’s very different from the historical approach of reselling tech and providing a level of support. This allows them to work with customers, understand their business and provide advisory services around the solutions and design of zero-trust solutions. It allows for the channel to shift towards an advisory and consulting service that helps them to operationalise and run and manage these networks.”
There is no best-of-breed zero-trust network strategy, and no perfect blueprint for the perfect solution. It’s an architecture that evolves to fit the challenges experienced by organisations and a move towards a new mindset and security approach. It allows far greater agility and control for organisations constantly walking the security tightrope, and its potential can evolve to fit need, risk profile and requirement.
“It makes management easier while embedding security deeper,” says Shak. “You are striving to get to a point where you have a single pane of glass to manage identity permissions and segments of the network. Zero-trust is a journey. Few companies are there yet.”
This article was first published in the Q1 2021 edition of The Margin magazine.