Zero Trust Access Fortinet - Edicao Especial For Dummies

LEARNING MADE EASY Fortinet Special Edition Zero Trust Access for dummies A Wiley Brand Reducing the attack surface Securing the new hybrid workforce Improving application access and security Brought to you by FORTINET Lawrence Miller These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Zero Trust Access Fortinet Special Edition by Lawrence Miller These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Zero Trust Access For Dummies Fortinet Special Edition Published by John Wiley Sons Inc 111 River St Hoboken NJ 070305774 wwwwileycom Copyright 2022 by John Wiley Sons Inc Hoboken New Jersey No part of this publication may be reproduced stored in a retrieval system or transmitted in any form or by any means electronic mechanical photocopying recording scanning or otherwise except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act without the prior written permission of the Publisher Requests to the Publisher for permission should be addressed to the Permissions Department John Wiley Sons Inc 111 River Street Hoboken NJ 07030 201 7486011 fax 201 7486008 or online at httpwwwwileycomgopermissions Trademarks Wiley For Dummies the Dummies Man logo The Dummies Way Dummiescom Making Everything Easier and related trade dress are trademarks or registered trademarks of John Wiley Sons Inc andor its affiliates in the United States and other countries and may not be used without written permission Fortinet is a registered trademark of Fortinet Inc All other trademarks are the property of their respective owners John Wiley Sons Inc is not associated with any product or vendor mentioned in this book LIMIT OF LIABILITYDISCLAIMER OF WARRANTY WHILE THE PUBLISHER AND AUTHORS HAVE USED THEIR BEST EFFORTS IN PREPARING THIS WORK THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES WRITTEN SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK THE FACT THAT AN ORGANIZATION WEBSITE OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION WEBSITE OR PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL SERVICES THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE FURTHER READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES INCLUDING BUT NOT LIMITED TO SPECIAL INCIDENTAL CONSEQUENTIAL OR OTHER DAMAGES For general information on our other products and services or how to create a custom For Dummies book for your business or organization please contact our Business Development Department in the US at 8774094177 contact infodummiesbiz or visit wwwwileycom gocustompub For information about licensing the For Dummies brand for products or services contact BrandedRightsLicensesWileycom ISBN 9781119 859840 pbk ISBN 9781119 859857 ebk Publishers Acknowledgments Some of the people who helped bring this book to market include the following Project Manager Jen Bingham Acquisitions Editor Ashley Coffey Editorial Manager Rev Mengle Content Refinement Specialist Mohammed Zafar Introduction 1 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Introduction A s businesses continue to embrace digital innovation cloud applications and the new workfromanywhere normal enterprise networks have become far more complicated and dispersed with an ever growing number of edges As a result the network perimeter has all but disappeared As more people and devices connect to the network from more places the tradi tional perimeterbased approach to security protecting the trusted corporate network from the untrusted internet has become increasingly ineffective To protect this greatly expanded attack surface from modern threats organizations must implement a never trust always verify zerotrust model that incorporates rigorous access con trols across the distributed network so that users devices end points clouds and infrastructure are all protected To successfully implement a zero trust access strategy organiza tions must implement tightly integrated security solutions that deliver robust identity and access management endpoint access control network access control and application access control to users and endpoints working from anywhere Foolish Assumptions Its been said that most assumptions have outlived their useless ness but this book assumes a few things nonetheless Mainly that youre a chief information officer CIO chief information security officer CISO vice president architect engineer or administrator working on an enterprise security networking or infrastructure team As such this book is written primarily for technical readers with at least a basic understanding of security and networking technologies and challenges If any of these assumptions describe you then this is the book for you If none of these assumptions describe you keep reading anyway Its a great book and when you finish reading it youll have complete trust in your knowledge of zero trust 2 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Icons Used in This Book Throughout this book you will see special icons that call attention to important information Heres what to expect The case studies provide best practices from organizations that have successfully used modern data sharing methods This icon points out important information you should commit to your nonvolatile memory your gray matter or your noggin along with birthdays and anniversaries This icon explains the jargon beneath the jargon and is the stuff legends well legendary nerds are made of Tips are appreciated but never expected youll appreciate these useful nuggets of information and helpful advice These alerts point out the stuff your mother warned you about well probably not but they do offer practical advice to help you avoid potentially costly or frustrating mistakes Beyond the Book Theres only so much space in this short book so if you find your self at the end of this book wondering Where can I learn more go to httpsfortinetcom CHAPTER 1 Understanding the Need for Zero Trust 3 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Chapter 1 IN THIS CHAPTER Recognizing modern threats Going beyond traditional access control Defining zerotrust concepts Reaping the benefits of zero trust Understanding the Need for Zero Trust I n this chapter you learn how threat actors take advantage of the disappearing network perimeter and expanding attack sur face to bypass traditional access controls and how zero trust overcomes these challenges Surveying the Modern Threat Landscape In todays digital enterprise business applications and data are dispersed far and wide away from corporate data centers so that users now have greater access to corporate resources using more endpoints from many locations The rapid growth of Inter net of Things IoT devices and corporate bringyourowndevice BYOD initiatives have led to a proliferation of access points and endpoint devices on the network As a result the traditional network perimeter is disappearing and the attack surface is expanding At the same time cyberthreats are growing more prolific and attackers tactics and techniques are evolving and becoming more sophisticated 4 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited IDC predicts that by 2025 there will be 557 billion IoTconnected modified devices worldwide Traditional security models work under the assumption that anything inside an organizations network should be trusted But automatically extending trust to any device or user puts the organization at risk if either is compromised whether intention ally or unintentionally Attackers malware and compromised devices that bypass edge security checkpoints often have unre stricted access to the network because of this inherent trust model Exploits such as credential theft and malware enable attackers to gain access to legitimate accounts Once inside the network they can move laterally and take advantage of the trusted internal net work to target an organizations resources According to the Verizon 2021 Data Breach Investigations Report DBIR 70 percent of breaches in the previous year were caused by outsiders 45 percent involved hacking 86 percent were finan cially motivated 17 percent involved some form of malware including ransomware and 22 percent featured phishing or social engineering As companies modernize their networks to accommodate remote workers multicloud architectures and digital innovation their approaches to security need to change as well Recognizing the Limitations of Traditional Access Control Traditional access control strategies inherently trust a user or device on the network This notion of trust is often based on the user or devices location If theyre on the network theyre trusted But as the network perimeter continues to disappear it becomes increasingly impossible to secure network resources Users are now accessing the corporate network from home offices and mobile devices Corporate resources are also increasingly located in multiple locations beyond the traditional network such as private and public clouds CHAPTER 1 Understanding the Need for Zero Trust 5 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited To overcome the limitations of traditional access control organi zations need a solution that provides Ongoing verification of users and devices Granular segmentation of the network to create zones of control which helps limit the impact of a breach and establishes more control points Leastprivilege access for users and devices so users are only granted the access they need to perform their roles which helps to limit the impact of a compromised identity or device Todays networks have vast dynamic and in some cases even temporary edges The fact that many devices are often offline makes continuously assessing risk and trust even more difficult Because theres no way to verify that users or devices on or off the network can be trusted you should assume that every device on the network is potentially infected Looking at ZeroTrust Basics The zerotrust model is a concept that was introduced by John Kindervag while working at Forrester Research in 2009 The fundamental principle underpinning zero trust is never trust always verify Zero trust challenges the traditional perimeter based security model in which a firewall protects the trusted cor porate network from the untrusted internet To be fair the perimeterbased model isnt as black and white as labeling things either trusted or untrusted Over the years the perimeterbased approach has been tweaked here and there For example demilitarized zones DMZs are typically created for publicfacing websites and applications that are somewhat trusted shades of gray if you will Virtual private networks VPNs are used to extend or punch holes in depending on your perspective the corporate network to remote and mobile users And virtual local area networks VLANs and access controls are used to segment sensitive departments such as human resources and finance from the rest of the network 6 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited But the perimeterbased approach to security has an inherent drawback It grants excessive implicit trust Once youre con nected whether directly or using a VPN you are then trusted alongside the rest of the internal network The zerotrust model moves security away from implied trust that is based on the network location of a user or device Instead trust is evaluated on a pertransaction basis With zero trust your network location or IP address no longer conveys an implication of trust Instead the zerotrust model requires trust to be explic itly derived from a combination of identity and contextbased controls at a very granular level that grants access based on the security principles of least privilege and need to know Zero trust starts with a default deny posture for everyone and everything that is zero trust In a zerotrust model whenever a user or device requests access to a resource their identity must be verified before access is granted Verification is based not only on the identity of the user andor device but other attributes as well including context such as date and time geolocation and device security posture However access is not a one and done deal Just because a user or device has been granted access to a resource doesnt mean they can roam about freely on the network Access is granted at a very granular level Its only given to the resource that is needed to perform a specific function for a limited time not the entire network A key element of the zerotrust model is that trust must be continually reevaluated If important attributes of the user or device change the trust may be revoked and access to the resource removed Zerotrust access ZTA builds on the zerotrust model and focuses on knowing and controlling who and what is accessing the network Rolebased access control RBAC is a critical com ponent of ZTA Only by knowing definitively who a user is can the appropriate level of access be granted based on their role ZTA covers user endpoints where management control and visibility are required Aligning to the zerotrust model means implement ing a leastaccess policy that grants the user the minimum level of network access required for their role and removes any ability to access or see other parts of the network CHAPTER 1 Understanding the Need for Zero Trust 7 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited In addition to knowing who and what is on the network ZTA incorporates security for what is on the network The ever growing number of networkconnected devices now includes IoT devices These headless devices dont have usernames and passwords to identify themselves and their role on the network Instead network access control NAC solutions can be used to discover and control access for these devices Using NAC policies the zerotrust principle of least access can be applied to these IoT devices granting sufficient network access to perform their role and nothing more Zerotrust network access ZTNA is an element of ZTA that controls access to applications regardless of where the user or application is located The user may be on a corporate network working from home or someplace else The application may be hosted in a corporate data center or in a private or public cloud ZTNA is the natural evolution of the VPN Given the complexity of todays networks ZTNA offers better security more granular control and a better user experience than a traditional VPN You can learn more about ZTNA in Chapter 5 Realizing the Benefits of Zero Trust For effective security in the modern threat landscape organiza tions must shift from trying to protect dynamic network perim eters to instead protecting applications and data spread across potentially billions of edges users systems devices and other critical resources A zerotrust strategy provides comprehensive visibility and protection across devices users endpoint cloud and infrastructure with a never trust always verify approach to security Zero trust delivers the following benefits for organizations Reduces risk When you automatically extend trust to any device or user in your network you put your organization at risk when either becomes compromised whether intention ally or unintentionally Zero trust eliminates points of vulnerability by limiting network access for users as well as by adopting extensive identity verification so that they only have access to the data and systems relevant to their role or position in the organization 8 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Increases visibility You know who and what is connected to the network at all times Extends security Security can be extended beyond the network with ZTNA Unlike a VPN which focuses exclusively on the network layer ZTNA goes up a layer effectively providing application security independent of the network CHAPTER 2 Establishing IAM as a Foundation for Zero Trust 9 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Chapter 2 IN THIS CHAPTER Trusting your users with strong authentication Using rolebased access control RBAC to enforce least privilege Keeping privileged access secure Establishing IAM as a Foundation for Zero Trust T he first step in securing your network resources with zero trust access ZTA is to trust your users with verification before granting access In this chapter you learn why iden tity and access management IAM is the cornerstone of ZTA how to manage privileged access on the network and the role of role based access control RBAC in enforcing the principal of least privilege Knowing Who Connects to Your Network Security teams need to know who is on the network at all times Its critical for organizations to know every user and what role that user plays in the company so IT can securely grant access to only those resources necessary for each role or job when needed 10 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited However organizations are at an increased risk from users that connect to their networks with weak passwords Because so many online accounts today require user credentials passwords are often too simple or are reused across multiple accounts making them easy for attackers to compromise using exploits like phish ing and social engineering Even when organizations require com plex passwords for their users passwords alone arent enough Strong authentication or multifactor authentication MFA refers to using multiple factors to verify that a user is who they say they are through a combination of factors such as Something you know for example a user ID and password Something you have for example a hardware or software token or a digital certificate installed on a device Something you are for example a biometric indicator such as a fingerprint or iris pattern Adaptive or contextual authentication evaluates additional user attributes during a login attempt such as time of day geographic location andor network trusted or untrusted to assess the risk before allowing access This technique can be used to either Allow user access when the risk is deemed to be low Require twofactor authentication 2FA when the risk is deemed to be high For example using the network attribute of the adaptive authen tication the system wont prompt an onsite user for 2FA because theyre on the corporate network However the same user log ging in from a public or home network and attempting to access corporate resources would be prompted for 2FA to further verify the users identity Fast Identity Online FIDO provides the most secure and fast est login experiences for online applications and services FIDO supports both Universal Authentication Frameworks UAF that is passwordless authentication and Universal 2nd Factor U2F that is universal twofactor authentication Another challenge facing organizations today is the geographi cally dispersed workforce Employees work from various loca tions such as the main office branch offices and home offices CHAPTER 2 Establishing IAM as a Foundation for Zero Trust 11 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited To support the evolving nature of work including work fromhome and workfromanywhere in the wake of the global pandemic and the ongoing move to the cloud organizations need a better way to securely connect their employees to critical business applications Attacks against endpoint devices are increasing According to a recent Ponemon Sullivan Privacy Report 68 percent of respon dents say the frequency of attacks against endpoints has increased over the past 12 months and the Verizon Data Breach Investiga tions Report found that 30 percent of breaches involved malware installed on endpoints Today there is practically no standardization of device configu rations for personal mobile devices permitted in bring your own device BYOD environments Network risks associated with BYOD mobile devices include Data leakage Unsecured WiFi Network spoofing Unpatched vulnerabilities on rooted or jailbroken devices Malware and spyware Broken cryptography Improper session handling Finally organizations are at risk when access permissions are based on assumed trust of previously vetted devices Many organizations have been breached by former employees and con tractors A lost or stolen device can reveal passwords that enable a breach on the network This is why a zerotrust approach to security is so critical As cybercriminals focus on compromising the broad array of network devices security teams need better visibility and detection of every device connecting to the network Todays enterprise identity environments are made up of vari ous systems that may include networking devices servers direc tory services and cloud applications Managing an identity that resides in these various systems can quickly grow into such a large administrative challenge that it negatively affects users administrators and application developers Federated identity is a solution that enables users from a group of linked organizations to share the same user verification method to various applications 12 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited and resources It does this by connecting users online identities across multiple domains and networks Federated identity solves several common access and security issues for organizations Organizations can manage user access and provide easy access to applications by using security tools like MFA and single signon SSO An example of federated access is an organization enabling users to access partner websites Active Directory and web appli cations without having to log in every time A robust IAM solution should have the following capabilities Establish identity through login MFA and digital certificates which may evolve to add contextual authentication Support both hardware and software token options for MFA as well as FIDO UAF and U2F Provide rolebased information from an authentication source for use in privileged access Establish and enforce rolebased least privilege access policies Provide added security with support for SSO to help improve user compliance and adoption Leverage Security Assertion Markup Language SAML to authenticate users for access to cloudbased software asaservice SaaS applications Verify zero trust network access ZTNA connections for devices and users on a persession basis to individual applications Enforcing RoleBased Least Privilege Access Managing individual user account permissions for just a few hundred users can be a daunting challenge In an enterprise with thousands of users it can be impossible to manage Rolebased access control RBAC enables IT administrators to manage the permissions assigned to users more efficiently by assigning sets of permissions to groups or roles In this way users in an entire department for example can quickly be assigned access to a sen sitive financial application or network file share Additionally CHAPTER 2 Establishing IAM as a Foundation for Zero Trust 13 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited as users rotate through different job roles for example due to promotions or transfers administrators can easily revoke the permissions associated with the old role and assign permissions associated with the new role Active Directory frequently plays a key role in RBAC administration However RBAC can be a doubleedged sword Roles must be clearly defined and assigned only the minimum permissions necessary to perform the required functions for that role This is the principle of least privilege If roles are too broadly defined large groups of users may be assigned excessive permissions in an effort to address everyones needs with a broad brushstroke Roles that are poorly defined may be easily misunderstood resulting in users being improperly assigned to roles Finally roles must be actively man aged to ensure theyre revoked and assigned appropriately and to ensure the permissions associated with roles reflect changes in the organization andor IT infrastructure Failure to revoke roles or permissions can cause permission creep within the organiza tion resulting in excessive permissions for large groups of users Managing Privileged Access Accounts that have privileged access permissions associated with them are particularly valuable targets for attackers These accounts typically have access to critical systems and resources on the net work as well as confidential or sensitive data Privileged access allows the user to make administrative changes to systems appli cations and network and security infrastructure such as installing software or malware altering or deleting critical system files or data creating new accounts and resetting user passwords Privileged access permissions may be assigned to accounts or roles used by humans such as domain administrators local administrators emergency break glass accounts superuser and privileged business users Privileged access permissions may also be assigned to accounts that are not used by humans such as application and service accounts Privileged access management PAM is a subset of IAM Whereas IAM is used to authenticate and authorize all of an organizations users PAM is specifically focused on managing and securing administrator and user accounts with elevated privileges that is privileged access 14 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited UTILITY CO ENHANCES SECURITY ACROSS IT AND OT INFRASTRUCTURE Falu Energi Vatten Energy Water is a municipally owned utility company with products and services spanning electricity heating and cooling water sewage and recycling across the Swedish municipality of Falun Challenges Back in 2009 earlier than many other utility companies Falu Energi Vatten realized both the potential and the necessity of digital transfor mation embarking on a longterm project of modernization and digi tization of the myriad processes and tools underpinning its operations For Falu Energi Vatten the first step in preparing for these changes was the realization that its IT network and security infrastructure would need a level of endtoend visibility control and integration that its previous firewall architecture was unable to provide Solutions After a careful evaluation of potential solutions Falu Energi Vatten chose Fortinet The resulting network included FortiGate nextgeneration firewalls NGFWs FortiSwitch and FortiAP wireless access points FortiClient FortiAuthenticator and FortiToken were added to ensure that every connected user and device would be strongly authenticated and would meet its zero trust access requirements With its integrated software inventory module FortiClient provided Falu Energi Vatten with increased visibility into software installed on the endpoint In addition to managing licenses software inventory can improve security hygiene When installed software isnt required for business purposes it unnecessarily introduces potential vulnera bilities and thereby increases the likelihood of compromise CHAPTER 2 Establishing IAM as a Foundation for Zero Trust 15 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Business Impact Improved the safety reliability and efficiency of essential services through centralized security policy monitoring and control Laid the foundations for ongoing IT and operational technology OT integration Provided the central visibility control and automation needed for the companys digital transformation Through the resulting network infrastructure Falu Energi Vatten now has a solid foundation on which to build a safer more reliable and more efficient future for its business and the community of Falun CHAPTER 3 Leveraging EDR for Zero Trust 17 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Chapter 3 IN THIS CHAPTER Exploring the evolving capabilities of EDR Making EDR part of a zerotrust strategy Leveraging EDR for Zero Trust E ndpoints including desktop and laptop computers serv ers Internet of Things IoT devices and more comprise the single largest attack vector in an enterprise IT environ ment Attackers target endpoints because endpoint security is generally less robust than security in the datacenter and dayto day security decisions on the endpoint such as whether or not to download and install an unknown file open a potentially mali cious email attachment or click on a suspicious link are left to the end user In this chapter you learn how endpoint detection and response EDR has evolved from a rudimentary tool for manually inves tigating incidents to a highly automated detection and remedia tion endpoint solution and why EDR is critical to an effective zero trust strategy 18 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Looking at the Evolution of Endpoint Detection and Response Endpoint protection has traditionally been focused on prevent ing malware and other known threats from infecting a desktop or laptop PC For practically as long as these devices have been around users have been admonished to run antivirus software and keep it up to date Over the years antivirus software evolved into antimalware software or Endpoint Protection Platforms EPP to broadly encompass other forms of malware including worms trojans spyware rootkits exploits malicious scripts and more While antimalware tools have improved greatly since their introduction increasingly leveraging machine learning and behavioral analytics to prevent both known and unknown threats from infecting a PC the unfortunate reality is that prevention isnt always possible When prevention fails endpoint detection and response EDR provides the tools for security teams to detect and respond to threats on endpoints and the network Unfortunately early EDR solutions are too slow and complex to operate in a fastpaced and dynamic threat environment These firstgeneration EDR solu tions require highly skilled security teams to run manual queries to search for specific indicators of compromise IoCs in endpoint telemetry then manually triage and respond to any threats that are detected Most organizations today simply dont have the skilled resources necessary to effectively operate these EDR tools Over the years firstgeneration EDR solutions have evolved with the addition of some key bolton functionality including Threat intelligence Automated correlation of endpoint telemetry to IoCs from threat intelligence feeds reduces the need for manual queries to detect threats Attack visualization Threats can be mapped to help security analysts get a more complete picture of an attack in progress or an attack that has already happened Automated remediation Basic response capabilities typically include the capability to block specific IP addresses and processes isolate endpoints from the network and query the endpoint for additional data CHAPTER 3 Leveraging EDR for Zero Trust 19 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Threat hunting Advanced search capabilities and access to forensic data enables proactive threat hunting in the network environment Secondgeneration EDR solutions offer organizations greater visibility of their endpoints and network environment tight integration with prevention tools such as antimalware and policybased automated risk mitigation using customizable play books An example of a playbook action could be to block spe cific outbound attack communications automatically rollback any system damage from ransomware or prevent malicious file system access These capabilities enable rapid detection and auto mated remediation of threats and attacks in realtime and com plete forensic investigative analysis EDR and Zero Trust EDR is an essential component in a zerotrust strategy enabling organizations to extend the never trust always verify security posture of zero trust to their endpoints EDR provides an organization with a central tool for collecting organizing and analyzing data from the endpoints connected to its network EDR can coordinate alerts and automate responses to imminent threats This involves the incorporation of three elements Endpoint data collection agents monitor endpoints and collect data This includes data about processes activity that occurs on the endpoint connections to the endpoint and data transferred to and from the endpoint Automated incident response uses custom policybased rules to identify threats and then trigger an automatic response The automated response can both recognize the threat and determine what kind of threat it is It can then perform a response such as sending an alert that the endpoints user will be logged out doing so and isolating the endpoint 20 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Analysis of endpoint data in real time enables EDR to diagnose threats quickly even if they do not necessarily match preconfigured threat parameters Analysis also uses forensic tools to examine the nature of the threat and determine how the attack was executed after it has been contained and eradicated These three elements of EDR work together as part of an effec tive zero trust strategy to enable detection containment inves tigation and eradication of threats in your endpoint and network environment Detection When a threat evades the preventive controls on your endpoints and breaches your network environment rapid detection is criti cal to minimize damage However detection can be extremely challenging particularly when you are dealing with an advanced threat that has already evaded your endpoint protection tools EDR uses continuous file analysis and cyberthreat intelligence to rap idly detect threats EDR examines each file that interacts with the endpoint and can flag any files that may present a threat Cyber threat intelligence leverages a combination of artificial intelli gence AI and large repositories of past and currently evolving threat data to detect threats that are targeting your endpoints Containment Once a threat has been detected EDR contains it using segmenta tion to prevent the threat from spreading across the network This involves isolating specific areas of the network so that a threat cant infiltrate adjacent network elements However this may not be enough Therefore in addition to segmentation an effective EDR solution also contains the threat itself Containment is par ticularly important when it comes to ransomware Because ran somware can effectively hold an endpoint hostage it needs to be contained to prevent other endpoints from getting infected File testing Sandboxing allows EDR to contain a threat within an environment that is designed to simulate the conditions within a section of CHAPTER 3 Leveraging EDR for Zero Trust 21 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited your network for the purpose of understanding the nature of the threat Once the threat is confined to this safe and isolated area EDR closely monitors and analyzes the threats behavior This information can produce helpful actionable insights that can be used to improve the organizations overall security posture and can be conveyed to the cyberthreat intelligence system to help it evolve to address future threats Elimination While the other facets of EDR provide critical knowledge about the threat that information is useless if it isnt employed to elimi nate it and similar threats in the future The elimination process depends on gathering critical information about the threat and then using it to execute an action plan For example the system has to figure out where the threat came from and where it went Information about the threats origin can be used to enhance future security measures The system also needs to pinpoint the applica tions and data the malicious file affected or tried to attack as well as whether the file has replicated itself to continue its attack CHAPTER 4 Bringing Zero Trust to Device Security 23 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Chapter 4 IN THIS CHAPTER Knowing what is connected to the network Gaining visibility and control of devices Implementing automated response and network orchestration Bringing Zero Trust to Device Security I f cybercriminals were to write a book titled The Seven Habits of Highly Effective Hackers there would definitely be a chapter called Begin with the Endpoint in Mind Endpoints are a pre ferred initial attack vector for cybercriminals to gain access to more valuable network resources In this chapter you learn how to apply a zerotrust strategy to your device security Discovering and Identifying Devices In addition to knowing who is on the network discussed in Chapter 2 organizations need to know what devices are on the network These devices include Networked office equipment such as printers Retail systems for example pointofsale systems Operational technology OT Internet of Things IoT sensors and devices 24 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited The challenge in managing all these devices lies in their wide deployment the varying levels of device management inconsis tent configuration controls and the lack of support for standard communication protocols in many legacy devices The traditional network perimeter has all but disappeared as the proliferation of devices connecting to the network has created an exponentially larger attack surface for organizations to protect with every endpoint device essentially constituting a micrope rimeter The result of this explosion of devices and the expanding attack surface is that many organizations are losing visibility and control because theyre no longer certain what devices are con necting to their networks And because each microperimeter is associated with an individual device these endpoints have become a prime target for malware infections and sophisticated exploits Attacks against IoT devices are increasing and the scale and impact of a successful IoT attack can be devastating For exam ple the Cybersecurity Infrastructure and Security Agency CISA working with several industry security firms recently discovered a vulnerability in millions of IoT smart camera devices that allows an attacker to gain access to the cameras watch live video feeds and create botnets The greatest area of growth in the endpoint attack surface is from the IoT device explosion Cyberattacks on IoT devices are booming as organizations connect more and more smart devices to their networks Attackers exploit these devices to conduct distributed denialofservice DDoS attacks and other malicious activities To secure endpoints enterprises must have full visibility into where each device is what it does and how it connects to other devices across the network topology Lack of visibility leaves an organization vulnerable to unseen risks and many organizations dont have a strategy in place to deal with attacks on IoT devices Security teams must be able to discover and identify all devices at the edges of the network Traditional network segmentation is used by some organiza tions but it is difficult to define secure networkbased segments that can be simultaneously accessible to all authorized users and applications and completely inaccessible to all others Policy based segmentation enables a more dynamic and granular network segmentation strategy that can automatically adapt to ensure least privilege in a zerotrust network CHAPTER 4 Bringing Zero Trust to Device Security 25 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Ensuring Endpoint Visibility and Control Network access control NAC solutions help organizations keep up with the everexpanding attack surface associated with the proliferation of endpoints and devices on the network NAC solu tions provide visibility into the network environment for enforce ment and dynamic policy control Whether devices are connecting from inside or outside the network NAC solutions can automati cally respond to compromised devices or anomalous activity With NAC solutions organizations can Discover identify profile and scan all devices for vulnerabilities Establish and ensure ongoing network control Establish and enforce policies that limit network access to only what is needed for that device Maintain automated response and network orchestration discussed later in this chapter A NAC solution can automatically identify and profile every device as it requests network access and scan the device for vulnerabili ties The NAC processes should be completed within a few seconds to minimize the risk of device compromise NAC solutions that rely on traffic scanning allow devices to connect to the network during identification However the trafficscanning process can take up to half an hour during which time the network may be breached by a compromised device or endpoint A NAC solution should be easy to deploy from a central location and offer consistent operation across wired and wireless networks Providing Automated Response and Network Orchestration To accelerate and expand the reach and scale of their attacks cybercriminals leverage extensive automation Although visibility into the network can help detect potential threats the response to these threats can be fragmented and ineffective because of slow manual workflows Without the benefit of advanced security processes security teams are often operating at a disadvantage which increases an organizations risk 26 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Attacks are more sophisticated and security analysts face increas ingly complex and fragmented security infrastructures with too many point products from different vendors Fundamental to the security of a constantly changing network is understanding its makeup you cant protect what you cant see An effective NAC platform provides policybased security automation and orchestration that enables discovery of every endpoint and network infrastructure device provides contex tual awareness for implementing dynamic network access con trol and delivers the capability to contain a cyberbreach through automated threat response GRUPO UNIVERSAL GAINS VISIBILITY AND CONTROL WITH FORTINAC Grupo Universal is one of the main conglomerates in the Dominican Republic made up of 10 subsidiaries offering solutions for insurance financial and other services organizations Challenges IT security and IT infrastructure availability are essential to Grupo Universal In 2017 the company launched one of its most important projects since its foundation in 1964 its technological and digital transformation Given the technological demands of todays digital economy storing data in centralized architectures limits employee access and user response Grupo Universals IT teams recognized the risks of a central ized database and decided to evolve into a wireless connection model which in spite of also presenting some challenges allowed the company to meet customer and internal users network security demands To help with the decentralized infrastructure project Grupo Universal chose to partner with Fortinet Solutions In order to reduce the administrative complexity for operational teams Grupo Universal proposed having centralized management CHAPTER 4 Bringing Zero Trust to Device Security 27 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited that would reduce risks and maintain an updated communications infrastructure Through the integration of Fortinet Secure SDWAN with other Security Fabric solutions Grupo Universal was able to deploy a high performance communications infrastructure and endtoend security Management and analytics solutions such as FortiManager and FortiAnalyzer delivered complete visibility with a single pane of glass and centralized policy management FortiNAC network access control provides full visibility of all devices on the network allowing for complete control of the level of access given per device and FortiClient delivers advanced proactive end point protection from zeroday threats It seamlessly integrates with FortiSandbox for advanced threat detection Secure email gateway FortiMail protects cloudbased email services from advanced email threats to keep users and data secure With the FortiWeb web application firewall Grupo Universal was able to safely access cloudbased businesscritical applications Adding FortiAP across the organization tied everything together and ensured secure wireless access for devices for branch offices Business Impact Improved performance and communications speeds with redun dant links across all locations Cost savings of 30000 per year in communication links and 70000 per year in WAN optimization Faster cloud access and cloudhosted applications with local breakouts Through this project Grupo Universal not only appropriately scaled their communications and IT infrastructure centralized administra tion and improved control management and risk response but they also managed to reduce costs and increase network availability to 999 percent With Fortinets support Grupo Universal was able to effectively integrate its communications and security in its technologi cal and digital transformation process CHAPTER 5 Reimagining the VPN with Zero Trust 29 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Chapter 5 IN THIS CHAPTER Recognizing the limitations of virtual private networks Introducing zerotrust network access Improving remote access security and user experience with zerotrust network access Reimagining the VPN with Zero Trust A lthough virtual private networks VPNs have become commonplace many organizations are now looking for better solutions to securely connect their increasingly remote and mobile workforces In this chapter you learn how zerotrust network access ZTNA improves security enables more granular control and delivers a better user experience than traditional VPNs Saying Goodbye to the VPN VPNs have long been the de facto method for remotely access ing corporate networks but they have some serious issues par ticularly in terms of security The recent proliferation of remote working necessitated by the global pandemic has put renewed focus on the limitations of traditional VPNs 30 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited For organizations that rely on a traditional VPN to secure their remote workers and home offices there are many drawbacks including VPNs use the outdated and ineffective perimeterbased approach to security Once users connect to the corporate network with a VPN client they often have broad access to all the resources on the network This largely unrestricted access exposes the rest of the corporate network to threats that use the endpoint as an attack vector If split tunneling is enabled a user can surf the internet without going through a corporate firewall while still connected to the corporate network The risk of a data breach ransomware attack or malware infection on the corporate network increases exponentially if users are permitted to install a VPN client on personally owned devices that may already be compromised VPNs have no visibility into the traffic they deliver VPNs are used to connect to the corporate network over an encrypted tunnel when working from hotels coffee shops or home This tunnel prevents cybercriminals from snooping in on the session but also prevents security controls from inspecting the traffic Because most home offices and public hotspots are connected to largely unsecured networks theyre a relatively easy target for cybercriminals to exploit using social engineering tactics and malware VPNs arent designed for todays highly distributed network resources Applications and data are now spread across corporate data centers multicloud environments and distributed branch and home offices Most VPN solutions werent designed to manage this level of complexity A VPN connection backhauls all traffic across the corporate network for inspection which is bandwidthintensive and causes latency Split tunneling can address this inefficiency but creates its own set of challenges discussed previously CHAPTER 5 Reimagining the VPN with Zero Trust 31 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Building a Secure Remote Connection for Todays Business ZTNA offers a better remote access solution than traditional VPNs and also addresses application access issues ZTNA starts with the premise that location doesnt confer trust Where a user or device is physically located is irrelevant Any user is capable of malicious behavior and any device can be compromised ZTNA is based on this reality ZTNA grants access to individual applications and workflows on a persession basis only after a user andor device has been authenticated Users are verified and authenticated to ensure theyre allowed to access an application before theyre granted access Every device is also checked each time an application is accessed to ensure the device meets the application access policy Authorization uses a variety of contextual information including user role device type device compliance location time and how a device or user is connecting to the network or resource With ZTNA once a user and device are properly authenticated for example using a combination of multifactor authentication MFA and endpoint validation they can securely connect to the net work and be granted least privilege access to requested resources The principle of least privilege means the user and device can only access those applications or resources that are needed to perform an authorized task or function and nothing else Access control doesnt end at the access point ZTNA operates in terms of identity rather than securing a place in the network which allows policies to follow applications and other transac tions end to end By establishing greater levels of access control ZTNA is a more efficient solution for endusers and provides pol icy enforcement wherever its needed Although the ZTNA authentication process provides points of authentication unlike a traditional VPN it doesnt specify how that authentication takes place As new or different authentica tion solutions are implemented they can be seamlessly added to the ZTNA strategy 32 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Today there are two primary approaches to implementing ZTNA Clientinitiated ZTNA Sometimes called endpointinitiated ZTNA the clientinitiated ZTNA model was initially known as a softwaredefined perimeter and is based on the Cloud Security Alliance CSA architecture This approach uses an agent that is installed on a device to create a secure tunnel When a user wants to access an application the agent gathers information like the users identity device location network and the application being used and it builds a risk profile to assess the overall security posture It then con nects back to the application over a proxy connection and if the risk profile meets the organizations policy requirements the user and device are granted access to the application for the session Applications can be on premises or cloud based apps Using the clientinitiated model can be challeng ing because managing the agents on devices can become a headache for IT unless a central management solution can coordinate deployment and configuration Additionally unmanaged devices need to be handled by other means such as a network access controller NAC Serviceinitiated ZTNA The serviceinitiated ZTNA model uses a reverseproxy architecture which is also sometimes referred to as applicationinitiated ZTNA Based on the BeyondCorp model the biggest difference from client initiated ZTNA is that it doesnt require an endpoint agent It uses a browser plugin to create a secure tunnel and perform the device assessment and posture check A key disadvantage is that its limited to cloudbased applications Because the applications protocols must be based on Hypertext Transfer Protocol HTTPHypertext Transfer Protocol Secure HTTPS it limits the approach to web applications and protocols such as Secure Shell SSH or Remote Desktop Protocol RDP over HTTP Although a few newer vendors are offering additional protocol support the model isnt suited to companies that have a hybrid combina tion of cloud and onpremises applications Organizations should be careful to select ZTNA solutions that integrate with their existing infrastructure Building a complete ZTNA solution requires a variety of components a client a proxy authentication and security Often these solutions are provided by different vendors and the components may run on different CHAPTER 5 Reimagining the VPN with Zero Trust 33 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited operating systems and use different consoles for management and configuration so establishing a zerotrust model across ven dors can be difficult or impossible Seeing the Advantages of ZeroTrust Network Access Adopting a zerotrust approach to security is a process that touches many systems and may take years for some organizations to fully implement But addressing remote access is a good first step toward implementing the zerotrust security model ZTNA solutions offer many advantages over traditional VPNs including Organizations can extend the zerotrust model beyond the network Unlike a VPN which operates at the network layer ZTNA focuses on the transport layer effectively providing application security independent of the network ZTNA works transparently in the background which improves the user experience For users ZTNA is easier to manage than a VPN Users no longer have to remember when to use the VPN or go through the process of connect ing Theres also no risk of tunnels accidentally being left open because someone forgot to disconnect the VPN client With ZTNA a user simply launches the application and immediately gets a secure connection whether the applica tion is on premises or in a cloud This encrypted tunnel is created on demand and in the background completely transparent to the user Because the corporate network is no longer an implicit zone of trust the same tunnel is created whether the user is on the network or off the network Users and devices are verified and validated before access to an application or resource is granted This process includes a security posture check that verifies that the endpoint is running the right firmware and endpoint protection software to verify it is safe to connect to the application The verification is granular per session using the same access policy whether a user is accessing resources that are on premises or in the cloud The same policy also controls who can access that app based on the profile of the authenticating user and device 34 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Because ZTNA focuses on application access it doesnt matter what network the user is on ZTNA automatically creates secure connections to applications no matter where the user is located For every application session ZTNA verifies the security posture of both the user and device even when users are in the office ZTNA reduces the attack surface by hiding business critical applications from the internet On the application side because the user is connecting back to the enforce ment point and then proxying that connection to the application the application can exist on premises or in a cloud all while hidden from the internet The application only needs to establish a connection with the enforcement points keeping them safe from cybercriminals More organizations are recognizing the need to transition away from traditional VPNs ZTNA is proving to be a better solution that is easier to use and provides better application security CHAPTER 6 Extending ZeroTrust Control OffNet 35 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Chapter 6 IN THIS CHAPTER Adjusting to the new work reality Implementing zero trust for application access Keeping endpoints networks and clouds secure Extending ZeroTrust Control OffNet I n todays networks a user device or application could be con necting from anywhere which changes the security paradigm The old perimeterbased security model focused on location Where is the user connecting from Where is the application hosted Where is the server installed In this chapter you learn why security must evolve to protect users devices and applica tions wherever theyre located Securing the New Hybrid Workforce Although businesses have been increasingly enabling mobile and remote work scenarios for years the global pandemic forced many companies to transition to remote work for much of their workforce practically overnight Even as organizations begin to bring their employees back to the office theyre having to rethink the office environment and plan for a new reality one that includes permanently supporting remote or hybrid work from home WFH or work from anywhere WFA models 36 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited According to the Pew Research Center 54 percent of employed adults in a recent survey say that they want to work from home all or most of the time when the COVID19 outbreak is over This accelerated adoption of remote and hybrid work models has caused a proliferation in the number of devices and locations that must be protected as the digital attack surface has expanded and more applications devices data and users are now exposed Understanding and controlling the flow of traffic across these widely dispersed environments is critical WFHWFA requires both connectivity and security The appli cations that your employees need to perform their work func tions may be hosted in an onpremises data center in a private cloud or in a public cloud so user identification authentication authorization and access permissions are critical In the public cloud applications can be hosted as a software as a service SaaS offering or they may be running as a platform as a service PaaS andor an infrastructure as a service IaaS workload To securely implement WFHWFA more organizations are look ing at zerotrust access ZTA ZTA limits user and device access to networks which provides identity assurance Zerotrust net work access ZTNA then limits user and device access to only the applications that users need to do their jobs Combining ZTA and ZTNA strengthens the companys security posture Looking at WFHWFA from an outbound perspective secure access service edge SASE solutions provide secure access for employees customers and partners across operating environ ments by securing any user on any device anywhere on the network A cloud access security broker CASB which is a key component of SASE sits between your users remote workers and cloud applications and can be used to monitor activity and enforce security policies SASE pronounced sassy is a clouddelivered service that combines network and security functions with softwaredefined widearea network SDWAN capabilities to support the dynamic secure access needs of todays hybrid organizations Conceptu ally SASE extends networking and security capabilities beyond CHAPTER 6 Extending ZeroTrust Control OffNet 37 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited where theyre typically available which allows users regardless of location to take advantage of ZTNA CASB firewall as a ser vice FWaaS secure web gateway SWG and a variety of threat detection functions BANK MIGRATES ITS WORKFORCE TO A SECURE REMOTE ENVIRONMENT Founded in 1988 Banco Fibra is a wholesale bank that guarantees precision transparency and speed to businesses in Brazil Its busi ness strategy is focused on serving medium and large companies in the most diverse segments and agribusiness Fibra is built by people but strongly reliant on technology This combination guarantees agile flexible and customized business solutions to customers Information security is a top priority at Banco Fibra As a financial institution and potential target for cyberattacks the company has always diligently preserved its customers trust by protecting their datas integrity and confidentiality This concern prompted the banks transformation journey several years ago one that would be key in strategically positioning the company within the business worlds new digital environment Challenges Banco Fibra was already a Fortinet customer using FortiGate and FortiClient solutions before the COVID quarantine The bank initially intended to use these solutions to provide network and endpoint security and improve operational efficiency Now faced with an unprecedented scenario there was an opportunity to take advantage of these solutions functionalities and quickly migrate the workforce to a remote model After the initial setup of the new remotework model many adaptations were necessary to meet the employees technology demands particu larly to define the user profiles and to ensure the secure access and the proper application performance Another challenge was operating their softphone solution over the VPNs Ensuring the performance of the softphone solution was important because it integrated with the customer relationship management CRM application the bank uses to provide customer service and monitor customer experience continued 38 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Improving Application Access and Security In the zerotrust model application access is controlled on a persession basis and each user and device must be verified whether theyre connecting remotely or from the corporate network Application access should be mapped to the individuals role so that only those applications that are necessary for the user to perform their assigned job functions are available Regardless of whether an application runs in an onpremises data center or a cloud environment zero trust is enforced Solutions In a matter of days Banco Fibra deployed the required virtual private networks VPNs using the existing security solutions In less than 10 days Banco Fibra was able to set up its remotework environment with appropriate policies access rules and user authentications among other features Business Impact Quickly transitioned teams to a remotework model keeping the banks operations running throughout the COVID19 pandemic Maintained the high quality of its customer service in a remotework environment Extended the bank offices high level of security to its 350 employees homes Created the foundations to escalate banks digital transformation The bank is currently considering expanding its VPN solution to achieve even more redundancy and availability Another project involves expanding the security perimeter to the data center provid ing even more scalability and better use of cloud resources in a natively secure format continued CHAPTER 6 Extending ZeroTrust Control OffNet 39 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Zero trust access ZTA discussed in Chapter 2 focuses on role based access control RBAC to the network Zerotrust network access ZTNA discussed in Chapter 5 brokers user access to applications Zerotrust application access and security solutions Verify users and devices for each application session Control user access to applications based on policy Enforce application access policy no matter where the user is located Create a secure automatic connection between the user and ZTNA proxy point Work with physical firewalls virtual appliances and Secure Access Service Edge SASE platforms Delivering Security Services to Endpoints Networks and the Cloud Digital transformation initiatives and workforce mobility trends including WFHWFA have changed and expanded the enter prise attack surface opening up new attack vectors that can be exploited by threat actors both inside and outside the network A comprehensive zerotrust security strategy must extend robust enterprise security services to endpoints corporate networks and private and public clouds One of the main reasons for the growing attack surface is the proliferation of IoT and smart devices that are accessing the network Security teams often lack visibility into the deluge of devices accessing their networks A zerotrust approach empow ers organizations to identify and secure unknown IoT endpoints and devices that access the network Integrated endpoint vis ibility granular control advanced protection and policy and contextbased endpoint assessment capabilities work together in a ZTA solution to ensure organizations are protected against compromised devices 40 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited By implementing a ZTNA framework that identifies segments and continuously monitors all devices connecting to their net works organizations can replace their highrisk flat networks to ensure that internal resources remain secured and that data applications and intellectual property are protected This strategy not only reduces the risks associated with traditional perimeterbased security but also increases the visibility and control of offnetwork devices while simplifying overall network and security management As attacks become more sophisticated and advanced the tradi tional perimeterbased approach to security is no longer suffi cient Depending on the nature and sophistication of the threat no single point in an organizations security infrastructure has visibility into all aspects of the threat ZTA confirms the identity of the users and devices that are connecting to your network and ensures they have only the minimum level of access permissions needed to perform a function or job Organizations increasingly rely on hybrid and multicloud environ ments to support their evolving digital transformation require ments According to a recent report from Fortinet 76 percent of organizations surveyed reported using at least two cloud provid ers Similarly the Flexera 2021 State of the Cloud Report found that 92 percent of enterprises have a multicloud strategy 80 percent have a hybrid cloud strategy and respondents are using an aver age of 26 public and 27 private clouds in their environments The result is that applications can reside anywhere from on prem ises to branch office to data center to cloud And now that the era of WFHWFA is upon us organizations are rethinking how they secure their network edges both on premises and in the cloud CHAPTER 7 Ten Steps on the Journey to Zero Trust 41 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Chapter 7 IN THIS CHAPTER Assess the business process criticality of your assets Understand what applications are used Apply rolebased access controls Verify on an ongoing basis Ten Steps on the Journey to Zero Trust I mplementing a zerotrust strategy for your organization is a journey not a destination This chapter offers ten key steps to help you succeed on your journey to zerotrust access ZTA Assess Your Assets and Their Business Process Criticality You cant protect every asset and resource on your network at the same level Its important to prioritize your efforts by first determining which assets and resources are most critical to your business processes Once youve determined where to start you can begin implementing your ZTA strategy to protect your most critical resources and valuable assets first The criticality of your business processes and the systems and applications they depend upon will drive other important deci sions such as additional security policy controls servicelevel agreements SLAs and operationallevel agreements OLAs and recovery time objectives RTOs and recovery point objectives RPOs for business continuity and disaster recovery 42 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Identify the UsersEntities and Roles on Your Network Identifying every user and entity on your network is critical to establishing an effective ZTA strategy Once identity is estab lished access policies are determined by a users role in the orga nization A least privilege access policy is used to grant access to only those resources necessary to perform a specific role or job Access to additional resources is provided only on an asneeded basis Rolebased access control RBAC is a critical component of access management The capability to authenticate and authorize users with RBAC provides a robust network security posture that benefits the entire organization including its partners suppliers and contractors Identify the Devices on Your Network The next step in adopting a zerotrust strategy is to discover and identify all the devices on your network whether thats an endusers phone or laptop a virtual server a network printer a headless Internet of Things IoT device or a security badge reader The proliferation of applications and devices is expanding the tra ditional network perimeter creating billions of edges that must be managed and protected Network access control NAC tools deliver visibility into the devices on your network Identify the Applications Used by Your Organization Applications are at the heart of business operations and processes Today these applications include not only those that are installed on endpoints or servers in your data center The application land scape now consists of softwareasaservice SaaS offerings and application workloads hosted in private and public clouds CHAPTER 7 Ten Steps on the Journey to Zero Trust 43 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Create Zones of Control within Your Network and Assets Network segmentation has long been used to limit traffic in certain areas of the network and to provide additional security controls within the network Perhaps the earliest example is the demilitarized zone DMZ that many organizations create for publicfacing web applications between the internet and the cor porate network Internal segmentation firewalls establish visibility and control within the network and provide the ability to scan protect and block traffic Apply RoleBased Access Controls to Your Assets Rolebased access controls RBAC are used to efficiently man age the permissions that groups of users are granted to a specific asset based on their job or role within the organization Organizations often focus on ensuring group memberships are properly maintained and accurate Although this is an important aspect of RBAC its just one side of the coin Equally important is ensuring that the permissions assigned to a role arent exces sive The scope should be limited to the specific resource that is required by the role and only the permissions necessary to per form a function within that role should be granted that is least privilege access Control Where Devices on Your Network Can Communicate A zerotrust security approach uses microsegmentation to cre ate granular trust zones around individual resources which helps to enforce the principle of least privilege access Users and enti ties are only granted access to the resources that are needed to perform a specific role or job Microsegmentation prevents users and attackers from roaming freely on the network 44 Zero Trust Access For Dummies Fortinet Special Edition These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Microsegmentation adds a dynamic policybased element to traffic segmentation enabling much more granular control than regular network segmentation Extend Control of Devices When Employees Are off the Network Enhanced workplace mobility and an increased emphasis on remote work including work from home WFH and work from anywhere WFA has led to increased interest in endpoint security including endpoint visibility control scanning patch ing and web filtering off the network With a zerotrust strategy in place organizations can address the challenge of protecting offnetwork devices by improving end point visibility Vulnerability scanning robust patching policies and web filtering are all critical elements of a zerotrust strat egy In addition a zerotrust approach can enable secure remote access to networked resources This allows security teams to see control and protect every asset whether on or off the network Going beyond the VPN ZTNA extends traditional ZTA network access to perapplication usage so administrators not only know who is on the network but even which applications theyre cur rently using with transactions and usage constantly being moni tored and inspected Apply Application Access Control An effective ZTA strategy addresses both network connection and application access based on the underlying assumption that no user or device is inherently trustworthy No trust is granted for any transaction without first verifying that the user and the device are authorized to have access CHAPTER 7 Ten Steps on the Journey to Zero Trust 45 These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Continuously Verify and Authenticate Users and Devices ZTA requires continuous authentication verification and moni toring of users and devices that are connected to the network Successfully logging into the network doesnt grant a user or device unrestricted access to the resources on your network Further authentication may be required to access certain sensi tive resources in restricted zones and the duration of user ses sions should also be limited This ensures that sessions cant be hijacked and that appropriate controls can be enforced if for example the device state changes during the session and its risk posture becomes unacceptable These materials are 2022 John Wiley Sons Inc Any dissemination distribution or unauthorized use is strictly prohibited Get started with a zerotrust access strategy today Every time a device or user connects to your network and is automatically trusted your organizations applications and data are at risk The traditional perimeterbased approach to security in which everything inside the network is trusted and everything else is not trusted is no longer effective Organizations need to shift to a zerotrust access strategy based on the principle of never trust always verify to ensure they know every device and user that accesses the network and how to protect their assets on and off the network Inside Understand the basics of zero trust Know and control who connects to your network Know and control what connects to your network Enforce rolebased leastprivilege access Secure endpoints networks and cloud FORTINET Lawrence Miller has worked in information technology in various industries for more than 25 years He is the coauthor of CISSP For Dummies and has written more than 200 For Dummies books on numerous technology and security topics Go to Dummiescom for videos stepbystep photos howto articles or to shop for dummies A Wiley Brand ISBN 9781119859840 Not For Resale WILEY END USER LICENSE AGREEMENT Go to wwwwileycomgoeula to access Wileys ebook EULA