Zero Trust made simple
Who hasn't heard about Zero Trust? It is undoubtedly one of the hottest buzzwords these days, and in this case the hype is well justified. We need a strategy to avoid being breached and to mitigate the impact if we are. Zero Trust is that strategy, with its focus on something that can be controlled ("protect surfaces") as opposed to a focus on ever-growing "attack surfaces." It's no surprise that many organizations want to implement a Zero Trust cybersecurity strategy! The challenge, as with many drastic technology shifts, is that it can look a little overwhelming in the beginning.
To make it simple, let's break the problem into smaller portions and start by focusing on two key surfaces to protect: your devices (or shared resources) and your applications (or shared workloads). We can also measure our progress more effectively if we break the work into steps. The first step is identifying and authenticating all access to services. The second step is granting access to resources on a least-privilege principle (which limits access to users who need it, and only on a need-to-know basis). The last step is continuous monitoring of the network for Zero Trust access.
What do we mean by Zero Trust?
The term Zero Trust is often misused by the market, which has created significant confusion, so I should start by defining what I mean by it. Zero Trust is a cybersecurity strategy that can be applied to multiple domains. In the context of network and application security, Zero Trust relies on three main pillars:
- All access to services must be authenticated, authorized, and encrypted.
- Access to services should not depend on where you connect from.
- Access is subject to change at any point, thus continuous monitoring is required.
How can HPE Aruba Networking help in your journey to Zero Trust?
As mentioned, Zero Trust is a cybersecurity strategy, not a product or a feature. I can't tell you about a secret magic button that enables Zero Trust. What I can do is suggest a few steps that can help you in this journey. Identity feels like a natural first step, but don't worry about the order. Any progress is good progress!
Identity
If you haven't done it already, you should start looking at setting up an identity provider to govern access to your applications and shared resources. This doesn't need to be a complex or costly project. Microsoft and Google offer solid identity services as part of their productivity suites, which makes this technology easily accessible. When doing so, make sure you enable multi-factor authentication (MFA). You can easily integrate your identity provider with HPE Aruba Networking SSE to regulate access to applications old and new (Zero Trust access to applications). Any application "SaaS-ified" with ZTNA will immediately be integrated with your company's single sign-on (SSO).
Likewise, you can integrate HPE Aruba Networking ClearPass and/or Cloud Auth (a cloud-native NAC service delivered as part of HPE Aruba Networking Central) with your SSO to give users an extremely simple workflow to enroll their devices into the network (using Zero Trust to access the shared medium):
- If you're enrolling computers, tablets, smartphones, etc., you'll just need a simple app that onboards corporate and BYOD devices in an uncomplicated, three-step process. From then on, network access will be authenticated against ClearPass or Cloud Auth and authorized against your SSO identity provider.
- If you have (wireless) devices where you can't use certificate-based authentication, you can also give your users a simple portal where they can generate a passphrase that uniquely identifies their devices. As with the more secure certificate-based authentication, network access will be authenticated against Cloud Auth and authorized against your SSO.
- Lastly, for those (wired) devices where you can't use certificates, passphrases, or anything of the kind, you can always resort to profile-based authorization by combining ClearPass or Cloud Auth with the native profiling capabilities of Central's Client Insights. Devices will be automatically classified based on static characteristics such as the MAC OUI, DHCP fingerprint or HTTP User-Agent, as well as more dynamic attributes such as applications used, domains visited, and so on.
Least-privilege access
OK, so you're now at a point where you have reasonably good control over who or what is connecting to the network (shared resources) and to applications. It's time to talk about least-privilege access or, as we like to call it, "role-based access." Once again, we'll break this down into securing access to applications (primarily handled by SSE) and securing access to the shared medium (the network), where device-to-device communication is still very relevant.
With HPE Aruba Networking SSE, you can control access to internal applications, SaaS, and even the Internet with a single identity-based policy. This doesn't necessarily require a large project or expensive hardware. You can start by giving external collaborators agentless remote access, then extend coverage to your own users by deploying a light agent. This allows you to control and secure all the users' traffic wherever they are. Finally, bring all your devices or IoT "things" into this single web and application policy by tunneling all Internet traffic from your offices through the Secure Web Gateway (SWG) that is part of SSE. Alternatively, you can start by evolving your SD-WAN or SD-Branch network towards a SASE architecture, secure Internet browsing with SWG, and then work your way into CASB (cloud access security broker) and ZTNA (Zero Trust Network Access). The journey doesn't need to be the same for everyone. Just keep making progress!
Figure 1 - Single web and application security policy.
And just as SSE helps implement a Zero Trust strategy to govern access to applications and web browsing, dynamic segmentation brings the concept of Zero Trust to the shared resource that is your corporate network. This need not be excessively complex. If your environment is relatively simple, a centralized SD-LAN (software-defined local area network) with user-based tunnels and WLAN networks tunneled to a set of segmentation gateways (or SD-Branch gateways if you also want them to be WAN-facing) will give you what you need (here's a short video going into a little more detail).
By tunneling all your users and "things" to these security gateways, you're effectively (or virtually) plugging them directly into your "unified threat management" device. Each device is in a segment of one, and governing the communication between these devices is now as simple as deciding whether a device in role A can talk to a device in role B over a certain application/protocol.
Figure 2 - Identity-based security centralized in a cluster of segmentation gateways.
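As an added example (not HPE Aruba code; the role and application names are constructed), here is how the role-A-to-role-B decision described above can be expressed as a default-deny allow-list, with each decision emitted as a record a SIEM could ingest:

```python
from dataclasses import dataclass

# Added example (not HPE Aruba code): a minimal role-to-role policy engine
# in the spirit of the "segment of one" model described above. Every device
# is placed in a role, and traffic between roles is allowed only if an
# explicit (source role, destination role, application) entry exists.
# Role and application names below are constructed for illustration.

@dataclass(frozen=True)
class Flow:
    src_role: str
    dst_role: str
    app: str  # application/protocol label, e.g. "https", "ssh", "rtsp"

# Allow-list keyed by (source role, destination role); the value is the set
# of permitted applications. Anything not listed falls through to "deny".
POLICY = {
    ("employee", "printer"): {"ipp"},
    ("employee", "intranet-app"): {"https"},
    ("it-admin", "intranet-app"): {"https", "ssh"},
    ("iot-camera", "video-recorder"): {"rtsp"},
}

def evaluate(flow: Flow, policy: dict = POLICY) -> str:
    """Return 'permit' or 'deny' for a flow; the default is deny."""
    permitted_apps = policy.get((flow.src_role, flow.dst_role), set())
    return "permit" if flow.app in permitted_apps else "deny"

def audit(flows, policy: dict = POLICY) -> list:
    """Evaluate a batch of flows and produce SIEM-style decision records.

    Denied flows are the ones worth alerting on: in a segment-of-one model a
    device should never even attempt to reach a role it is not allowed to.
    """
    records = []
    for f in flows:
        records.append({"src_role": f.src_role, "dst_role": f.dst_role,
                        "app": f.app, "decision": evaluate(f, policy)})
    return records

if __name__ == "__main__":
    # Constructed sample flows: one legitimate, two that the policy rejects
    sample = [
        Flow("employee", "printer", "ipp"),
        Flow("employee", "intranet-app", "ssh"),   # wrong app for this role pair
        Flow("iot-camera", "employee", "smb"),     # no policy entry at all
    ]
    for rec in audit(sample):
        print(rec)
```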
Continuous monitoring
We're at the point where we have least-privilege access to our applications and between our devices. We're just one step away from Zero Trust.
Just as we've been doing, we'll start with application access. First, the posture assessment performed by the security agent allows the SSE to react in real time to events affecting any device, automatically adjusting what a user can or can't do. But perhaps more importantly, the SSE is brokering all communications with internal and public apps, keeping a very accurate record of all traffic. Integrate the SSE with your SIEM for a very complete picture of how your applications are doing.
Figure 3 - Log all access to your applications.
And just as SSE is logging all your application traffic, HPE Aruba Networking Central and the gateways are monitoring all user and device activity for potential security threats. Don't forget that you have everything directly plugged into a UTM (Unified Threat Management) product. Any suspicious lateral movement will be immediately detected, and the necessary actions (block risky traffic, quarantine the device, etc.) will be taken. All of this should of course be logged into your SIEM to get a uniquely deep view of how your devices are behaving.
Figure 4 - Track all device traffic.
Conclusion
As part of this journey, we've covered a lot of concepts: identity management, network access control, SSE, dynamic segmentation, SIEM, and more. The good news is that many of these capabilities are delivered as a service, and some are part of broader suites you already have. Identity may be part of your application suite, Cloud Auth is part of HPE Aruba Networking Central, and SSE integrates a lot of components. And your SD-WAN gateways can double as SD-LAN gateways to provide dynamic segmentation and role-based access.
The journey need not be as challenging as you initially feared. Most importantly, you don't need to do it all at once. One great thing about adopting a Zero Trust strategy is that every step you take will most likely be in the right direction. If you don't have any of the pieces, start with whichever seems most approachable and get some quick wins. If you've already started this journey or have some of the tools, look for synergies and integrations between them. Then keep going, one little step at a time. Your organization will keep getting stronger and more resilient.
If you want to learn more about how to easily implement a Zero Trust approach in your organization, please watch my video on Easy Zero Trust with HPE Aruba Networking.
Other resources
- Unified SASE webpage
- EdgeConnect SD-WAN Overview web page
- HPE Aruba Networking SSE webpage
- Zero Trust Security webpage
About the Author
Samuel Perez
Edge Security Product Manager, HPE Aruba Networking
First as a partner and part-time customer, then in the field working as SE, CSE and PoC Engineer, and now in engineering as SD-Branch solution architect, I've spent the last 15+ years going from LAN/WAN to WLAN and security, then back again to close the loop and do it all at once with SD-Branch and edge security.