Zero Trust is not intended to be a one-size-fits-all approach. Specific implementations will vary depending on an organization’s size, complexity, network infrastructure, application stack, and compliance needs. Enterprises here and abroad accordingly need guidance on how best to deploy Zero Trust principles and practices in their particular organization. Indeed, cyber attacks over the last few years have demonstrated how important this subject is to national security imperatives the world over. Not surprisingly, then, the Cybersecurity and Infrastructure Security Agency (CISA), as part of the United States Department of Homeland Security (DHS), has been actively involved in providing detailed guidance on Zero Trust best practices for organizations by introducing its “Zero Trust Maturity Model” or: ZTMM.
Initially developed as a roadmap for federal civilian agencies, CISA’s ZTMM offers clear benefits to any enterprise organization needing to develop cybersecurity strategies and plans for zero trust adoption. ZTMM is structured around five key pillars: Identity, Devices, Networks, Applications & Workloads, and Data. It incorporates three overarching capabilities: Visibility & Analytics, Automation & Orchestration, and Governance. Genians is able to address the critical capabilities illustrated below by leveraging its Network Access Control (NAC) and Zero Trust Network Access (ZTNA) solutions.
As with Genians, many other security vendors define areas within the maturity model similarly. None of them support all the functionalities outlined in the Zero Trust maturity model; indeed, no one product or solution operatesas a silver bullet here
Genians, however, can suggest practical ways to implement the foundation of this model by highlighting the role of NAC and ZTNA. (a.k.a Universal ZTNA).
Let’s take a look at the major features of Genians by separating them into 3 simple but critical domains.
| Domains | Observability and Surveillance | Policy Management | Access Control |
|---|---|---|---|
| Target · | All resources (Network, Devices, Users, Applications, Data, anywhere it connects) | Compliance | Employee, Guest, Remote users, none-compliant users & devices, and whatever it connects |
| Features | · Network discovery · Traffic Flow/Analysis (Netflow) · Device Platform Intelligence · Real time Network surveillance and Anomoly detection · IP Address Management · Switch Port Management (SNMP) · WLAN Visibility | · Condition-based Node grouping (over 600 predefined attributes/conditions) · Automated tagging-based IT asset policies · Device/Node type customization · Dynamic Policy assignment based on the status change of endpoint compliance and network changes · Cross configurations for multiple compliance policies · Covering CIS Core requirements | · Microsegmentation · Authentication & Authorization (RADIUS, 802.1x, MFA including FIDO 2) · Multi-layered policy enforcements (ARP, DHCP, 802.1x / RADIUS, SPAN / Mirror, Secure Web Gateway, Agent · Dynamic Policy Enforcement (RADIUS CoA) · WLAN Security · Switch Security · Cloud Security · Endpoint Security (Updates, Patch Mgt) · Open API-based · Always on ZTNA (Campus, Remote, Hybrid) |
| Required core technologies | · Layer 2 based and non-disruptive Network Sensing and Access Control · Granular access control for remote users · Application visibility and Control · Cloud visibility and control |
||
Most importantly, achieving comprehensive visibility and access control at layer 2 across networks (campus, remote, hybrid, cloud) is extremely critical. This allows us to detect any endpoints sending out suspicious broadcast packets and showing abnormal behavior. It allows us to lock down any non-compliant devices and users immediately by correlating intelligence coming from multiple security products. For that, Genians Sensor-based NAC is required in this dynamically-evolving, heterogeneous network environment since it does not require any network changes or upgrades. Also, the sensor can be versatile in the sense that it can act as a network monitoring, policy enforcement manager, and Secure Web Gateway (SWG) tool for campus and remote users. It also supports Open API, allowing it to orchestrate other security and business solutions to mitigate risk most effectively.
Let’s see how NAC and ZTNA can support cross-cutting capabilities in the maturity model in the event that an organization faces the challenge of preventing risks from malware caused by remote users.
| Anticipated response methods | Pillars and Expected Stages | Integrations |
|---|---|---|
| Web surfing or USB usage not allowed for remote workers | Device (Advanced) | UEM + NAC + ZTNA |
| Deactivate authentication in case of malware detection | Identity (Advanced or Traditional) Device (Advanced) | Antivirus or EDR + NAC |
| Blocking all connections when authentication is deactivated | Identity (Advanced) Network (Traditional) | Firewall + VPN + NAC + ZTNA |
| Comprehensive inspection of files transferred by remote workers | Network (Advanced) Application (Advanced) | UEBA + Antivirus + NAC + ZTNA |
| Blocking network traffic against users sending compromised files | Network (Traditional) Application (Advanced) | EDR + Firewall + VPN + IPS + NAC |
| Announcing to all users when compromised files are detected | Application (Advanced) Identity (Traditional) or Device (Traditional) | Sandbox + IAM or UEM + NAC + ZTNA |
| Network isolation when server malware is detected | Network (Traditional) Application (Advanced) | EDR + NAC + ZTNA |
| Restoring the previous state once malware is removed | Identity (Advanced) Device (Advanced) Network (Advanced) | DMS + EDR + NAC + ZTNA |
* Endpoint Detection and Response (EDR)
* User Entity and Behavior Analytics (UEBA)
* Unified Endpoint Management (UEM)
* Network Access Control (NAC)
* Zero Trust Network Access (ZTNA)
* Virtual Private Network (VPM)
* Disaster Management Solutions (DMS)
As mentioned from the beginning, Zero Trust is not a one-size-fits-all approach. It also typically requires significant effort to implement correlation and automation processes, which play a crucial role in deploying modern cybersecurity strategies. However, NAC-driven ZTNA can be considered a core solution as it provides the fundamental benefits described above. It is also a big step in the right direction to break down IT security silos and realize additional benefits, from centralized visibility, to cross-functional collaboration, to common data sources and threat intelligence sharing, to streamlined workflows, to policy orchestration, and to a consistent user experience.