As a business, you open your doors (or your network) to an array of people. You are proud of your products and services. You want to show them off and make them easily accessible to those who need them – and rightly so. This helps build brand awareness and confidence in your infrastructure and capabilities, driving sales and service adoption.
An open and trusting nature is beneficial for your business, but it also brings significant risk.
Read on to learn more about the risks.
Internal security threats
Most business networks are built on the foundation of a traditional network perimeter. Block external access by default and open specific pinholes where necessary, but trust anything internal and provide unrestricted access to IT resources.
This approach is problematic – how can you be sure that connected users and devices are trustworthy? With the explosion of Internet of Things (IoT) devices, many new “things” are being connected to your network that behave differently to more traditional endpoints. This only exacerbates the problem.
Consider if a rogue visitor located and connected to a network point in your premises, or discovered your WiFi password, would they obtain full network access? Would you be aware this had occurred? What if they left this device connected for monitoring, remote access or data exfiltration purposes?
Sectors such as retail, high-street banking, healthcare and housing are some of the most vulnerable, with public access a core requirement for service availability or business success.
All it takes is for one to fall victim and internal IT resources may become accessible to the perpetrators. This leads to systems being accessed by unauthorised people, often using valid credentials and by legitimate means.
The solution – Zero trust network architectures
Zero trust architectures minimise these risks and provide a dramatically more secure network using four key principles; verify, segment, enforce and monitor.
When devices are connected, they should be placed in an isolated network with no access to any IT resources. They should be held in this network until they have been profiled and validated. You could incorporate checks for authorised operating systems, up-to-date Anti-Virus or corporate domain membership. You should also authenticate the user on any devices to ensure they are in the right hands, implementing multi-factor authentication wherever possible.
Once devices are verified, they should be placed in the relevant network with appropriate segmentation. Depending on your users and devices, this may be based on organisational departments, user access requirements or device types. You can also employ micro-segmentation or nano-segmentation for added security. This allows you to restrict up to the level that devices are entirely isolated on a local network, only accessing outbound to strictly required applications or IT resources.
Once devices are in the appropriate network, they should only have the minimum required outbound network access. This should be enforced by internal Next Generation Firewalls (NGFW). Enhanced security controls should be applied, such as Intrusion Prevention and Detection (IPS/IDS) or network Anti-Virus (AV), to prevent lateral attacks originating from compromised devices or malicious internal users.
Continuous monitoring and profiling of devices should be implemented to detect changes to any users or devices once they have network access. Devices can be crafted to appear legitimate until they have obtained access. Devices can also be compromised at any time. User behaviour can change based on emotional state and influences. Network access should be removed if any suspect changes are detected. Monitoring of log data is critical, so send it all to a Security Incident and Event Management (SIEM) system for centralised correlation and analysis. This enables faster detection and response if an incident does occur.
Reconsider your networking approach
Many businesses are too trusting when it comes to IT access, and in being so are low hanging fruit for potential attackers. By combining comprehensive Network Access Control (NAC), centralised authentication, internal segmentation firewalls (ISFW), User and Entity Behaviour Analytics (UEBA) and SIEM solutions, you can benefit from a secure zero trust network architecture.
Node4 are experts in secure networking solutions. Speak to us today about how we can ensure that your network does not leave your business vulnerable.
If you’d like to learn more about achieving a zero trust network architecture with SD-WAN, watch my webinar, Should Your WAN Be Defined by Software, on demand.