Viszen Security - Insights #zero trust

NEW Zero Trust Guidance for OT/ICS

Tue, 05 Nov 2024 10:56:58 -0500

Free resource from Cloud Security Alliance

I'm proud to share the release of a guide we co-authored with the Cloud Security Alliance on applying zero trust to OT/ICS and critical infrastructure.

Zero Trust Guidance for Critical Infrastructure

Applying Zero Trust to Operational Technology (OT) and Industrial Control Systems (ICS) Environments
🔗 https://cloudsecurityalliance.org/artifacts/zero-trust-guidance-for-critical-infrastructure

You can download this resource (free) from CSA.

This was definitely a labor of love by all involved. When CSA proposed this, I had one condition: I wanted to make it real and actionable—no fluff. No page after page of confusing abstract buzzwords.

This document provides engineers and architects with a clear, adaptable 5-step process for applying zero trust in OT, aligning IT skills with OT demands.

Visit the link above at CSA's Zero Trust portal and create a free account to download the full document or it's accompanying (shorter) presentation deck.

If you're a CISO or CIO responsible for security OT/ICS environments, you'll love this resource.

And, if your organization is interested in learning more about integrating OT/ICS into your security program,contact us for advisory services and/or corporate training for your team.

Get Started Now

"Wireless Security Architecture" Now Shipping Worldwide

Tue, 12 Apr 2022 10:14:52 -0400

My new book published with Wiley, "Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise" is now shipping worldwide. Available as e-book and in print from Wiley, Amazon, and book retailers near you!

Find on Amazon

Showdown: Zero Trust vs. NAC

Wed, 30 Jun 2021 16:30:00 -0400

In the world of zero trust networking, organizations are asking how a zero trust approach fits in with their network access control (NAC) strategy. Here are some thoughts on what you should be considering as you navigate zero trust and NAC.

Concepts vs. products

The first major difference in zero trust and NAC is that zero trust is a concept or trust model for information security, versus NAC which is a specific product category. Although there are different types of NAC products today, the market has settled down considerably and all operate within a relatively narrow scope of enforcement and features compared to ten years ago.

The many flavors of zero trust architectures

Before we continue, let's untangle the co-mingling of zero trust as it relates to network and application access versus access between virtualized hosts. Although conceptually the same - the goal of zero trust being to move from an implicit to more granular explicit authorization - the execution, products, and vendors are very different for network-based technologies than for virtualized environments (whether they be on-prem, in cloud, or hybrid).

For today's discussion, we're focused on the former - the technology that would/could replace (or enhance) traditional network-based NAC products for identification and authorization of users and endpoint devices in your environment. We'll leave the other topic for another day.

Implicit vs explicit authorization

The model of a zero trust architecture is to "verify then trust" versus the more common approach of NAC with the "trust but verify" sequence. While - yes - some NAC implementations do offer a "verify then trust" model, the next step after trust is typically an implicit authorization to a network or networks, which is exactly what zero trust security tries to avoid.

Network-based vs. application-based enforcement

Strictly speaking in a perfect world, a zero trust approach will include a trust model that offers a user (or device) only the specific access to the resources needed per-task. That's a tall order with the current technologies we have, and traditional NAC vendors will all fall short here, even with the holy grail that is microsegmentation. At best with NAC, we're doing identification and authentication of a device and/or user, and then giving them some level of access at network layers 2 or 3. Contrast this with the approach of a zero trust solution performing the same (or more extensive) identification and authentication, but with the added ability to control resource access up through the application layer.

One of the reasons secure access service edge (SASE) solutions fit so well with zero trust strategies is because of the ability to make very granular authorizations to a user or device, based on myriad contextual elements (who, what, when, where, how).

Managing users on-prem vs. remote

The next bugaboo with NAC is the limitations in controlling resource access on remote users and devices. Our current network-based NAC products are designed to control access at the point of (managed) network connection - that could be at a wired port in the facility, a corporate wireless SSID, or a remote access VPN in to the organization. But then, that's it. Traditional NAC products weren't designed to manage and control connections from endpoints floating out and about on the internet as people travel or work from home.

The conversation could again turn towards SASE and the features that swirl around it - SD-WAN, CASB, and SWG specifically. However, certainly not all organizations have moved to a 100% remote workforce, meaning there's still a need to secure access to internal resources when a user is in the office. This reality makes traditional NAC a still-attractive offering, and is an area SASE will need to continue developing.

Can NAC products play a role in a zero trust strategy?

Yes, absolutely - but with some caveats. If your NAC-based zero trust strategy relies on microsegmentation, know that it's not really the holy grail it's touted to be, and among other limitations it's not the easiest architecture to implement. As we just mentioned, there's still a place in the world for traditional NAC for organizations with a primary focus on on-prem security. Plus, in recent years most NAC vendors have bolstered their endpoint agents and are heading towards the type of granular control organizations will want in a zero trust network.

Get more insights!

The CIO's Guide to Secure Access Service Edge (SASE) Architecture

Mon, 28 Jun 2021 19:15:00 -0400

If you're tired of hearing about the "new normal" post-pandemic, hold on to your knickers because some of the outcomes from COVID's business impact are here to stay. Really, it's not a bad thing and we're long overdue for an overhaul of how we identify, authenticate, connect, and authorize access for users and devices.

Here's a quick down and dirty primer comparing the new Secure Access Service Edge (SASE) architecture to our traditional perimeter security methods.

Executive View of SASE Architecture

From the 10,000-foot view, the three most pertinent points are:

SASE is one solution offering that's part of a larger (or longer) zero trust security strategy. As you'll see in the graphic below, SASE enforces the underlying principle of a zero trust network by not extending implicit access to resources. Meaning, what a user or a device can do or access is explicitly defined in the SASE fabric.
SASE is more of a service set than a single product; it's cloud-based and 'follows' endpoints and users wherever they go, or in the case of work from home -- wherever they don't go. SASE vendors do this with a global cloud PoP network so endpoints connect to the cloud to access resources, vs. connecting to a traditional on-prem datacenter and then egressing.
SASE is likely to deliver on promises of increased simplicity and security with decreased cost, but there will be a certain amount of vendor lock-in as well as overlap with other products related to zero trust and endpoint security that the C-suite should prepare for.

Technical View of SASE Architecture

Since this is a C-level primer, I'm not going to dive too deeply in to the nuts and bolts, but I know the CISOs and CIOs I work with, and most of you love a little technical meat.

From an implementation standpoint, how SASE is implemented and what it can (or can't) do is dependent in large part on the vendor. Some SASE vendors came from cloud access server broker (CASB) and secure web gateway (SWG) pedigree; others from firewall and network security. Mileage and roadmaps will vary. How they handle guest (or un-managed devices) as well as users that happen to be on-prem may also vary.
SASE has myriad features (vendor-dependent), with support for zero trust networking being just one. Replacing legacy VPNs terminating to on-prem datacenters is a great way to enter the SASE world, and then continue adding features as you go.

Graphic: SASE Architecture vs Traditional Perimeter

For those of you who haven't worked with me yet, I love to draw and doodle. I don't know about you, but I'm very visual and find a picture really is worth more than a thousand words. And who has time to read a thousand words? Here are just a few highlights of the SASE graphic.

On left you see a traditional network security perimeter where we may (at best) have LAN-based connections (wired or wireless) with authentication and perhaps dynamic segmentation with VLANs or downloadable ACLs. For remote access, we see a traditional VPN model with similar features to the LAN connections.
On the right you see a typical SASE architecture with enforcement and decision layers plus SASE elements shown in yellow. One of the benefits of this SASE architecture is to abstract from physically-defined connections (those we control at layers 1-3) and instead apply granular context-based enforcement at layer 7 for both on-prem and in-cloud resources.

Get more insights