Zero Trust Architecture Archives | Axis Security
https://www.axissecurity.com/tag/zero-trust-architecture/
Mon, 29 Aug 2022 17:29:02 +0000

The Role of Zero Trust in Enabling Hybrid Work
https://www.axissecurity.com/zero-trust-enabling-hybrid-work/
Wed, 08 Dec 2021 16:44:04 +0000

Zero Trust…it’s probably one of the biggest IT buzzwords in the last decade.

While it seems that every vendor claims to be an enforcer of zero trust, there is value behind the concept if you can cut through the marketing haze.

One of the greatest areas of value is around enabling hybrid work for employees.

Remote work and hybrid work have extended the corporate world to every home and user device. The workforce must have access wherever they are, from whatever device is in front of them. The control IT once had has *literally* left the building, making it critical that each and every connection operates on a zero trust basis.

There are three reasons why zero trust is a great fit for the modern workplace.

Securing access to business resources

Increasingly mobile workforces bring with them an increasing level of risk. With work happening at home, the office, and really anywhere, security MUST be the same no matter who, what, when, where and how business data is being accessed.

With hybrid work, the concept of on-prem and off-prem goes away. Likewise, with zero trust the concept of trusted and untrusted goes away. Why? Because with ZT, trust is never inherently given; the default assumption is that everything is hostile. The thought is that an in-office employee using a managed device should start with the same level of trust as a WFH user with a BYOD device. However, like everything in nature, a trust relationship must be established and earned through continuous criteria.

One way to look at this is that Zero Trust is the pathway through which hybrid work connections should flow. This involves adopting a Security Services Edge (SSE) platform that acts as the security checkpoint for all entities, whether user or server. A key component of any SSE platform is Zero Trust Network Access (ZTNA). ZTNA solutions represent the first door that should be opened. They offer secure access to private apps (the starting point for most zero trust journeys). As the hybrid workforce continues to evolve and mature, Forrester recognizes ZTNA as an essential technology in the implementation of a zero trust edge (ZTE) model. Further, Gartner predicts that ZTNA technology will replace 60% of VPNs in the next two years as enterprises enforce Zero Trust.

Making access simpler for IT

How many appliance boxes does your business have? I’m sure for many the answer is “too many.” With apps migrating to cloud and users remote, the once (somewhat) simple network-centric security has become as tangled as a pair of wired earbuds. With network-based security the answer is always “more and bigger boxes”. This makes management for IT complex and time-consuming. Additionally, the constant backhauling of traffic through these appliance gateways ultimately impacts the experience and productivity of the end-user.

A Security Services Edge (SSE) makes zero trust simple, allowing IT to avoid complex network-security architectures, removing the convoluted connections between appliances and users, while providing the highest security through a cloud-delivered model. Instead of appliances, all traffic is securely connected through a cloud-delivered service. Instead of multiple point products, each with different management systems, you get a single point of management. Zero trust enables IT to optimize their time and budget to focus on the top-of-mind priorities that matter. SSE platforms ensure simplicity for users as well. Hybrid workers reap the benefit of cloud-delivered zero trust solutions with consistent, fast, and seamless access to applications. The result is fewer IT tickets to deal with, and a happier, more productive hybrid workforce.

Making access seamless to end users

Pre-hybrid work, end users were used to having separate solutions for access based on their location. Now users are demanding a seamless user experience more than ever.

This means that a hybrid workforce must be unified, suggesting you shouldn’t have the mindset of an “on-prem workforce” and a “remote workforce.” IT must view secure access consistently across all planes. This involves selecting the right SSE platform that supports the entire workforce.

In doing so the workforce is unified, as are the security and networking teams. For the first time, security and networking functions are not in conflict but are united, as security can enforce granular risk management while networking ensures fast connections from user to app. Together security and networking can build a more agile and adaptive business, united by zero trust.

Hybrid Work isn’t Going Away…

As your business considers the future of hybrid work, contemplate what zero trust adoption can mean for your business, your users, and your current security strategy. If you’re curious what adopting zero trust in the hybrid world might look like, get started by replacing VPN.

Zero doubt about the direction of zero trust security
https://www.axissecurity.com/zero-doubt-about-the-direction-of-zero-trust-security/
Wed, 03 Nov 2021 01:00:00 +0000

The adoption of zero trust is about to change dramatically. In May, the Biden administration announced its cybersecurity Executive Order (EO), stressing the urgency of modernized access and cybersecurity defenses. Consequently, many enterprises can no longer ignore the necessity of investing in zero trust architectures.

Despite 2,600 cybersecurity vendors all claiming the term zero trust, it’s important that technology leaders, including CIOs, don’t get swept into the marketing frenzy of term dominance and instead focus on the principles of a zero trust strategy evident in modern access solutions.

An essential part of the zero trust concept requires users to be authenticated, authorized, and continuously monitored before they can access applications and data. Zero means zero. Moreover, IT needs to adopt a “minimalist” approach to allow for greater simplicity and agility. An effective zero trust strategy combines a streamlined set of core enterprise security technologies that will replace the 30 various technologies causing excessive noise and complexity.

While zero trust IS the choice architecture and strategic approach to security and modern access, the concept of zero trust has become like “digital transformation,” a word that is used but never understood. Something that is critical to the business, but difficult to implement. For this reason many IT organizations have been hesitant to adopt zero trust.

This is why we believe that businesses should take definitive, manageable, actionable steps towards zero trust adoption and modernizing their access security strategy. ESG Research found that most enterprises start with a single zero trust use case and work their way up from there. It’s important to start small, so many organizations start by eliminating VPN access to their most sensitive and business-critical internal applications.

I recently wrote a column for SC Magazine that looked at the implications of this shift to zero trust. Zero trust is a journey that all companies are on, and no two journeys are the same. How can we help CIOs on their journey, no matter where they are? Understand your business priorities and stick with vendors that stay true to the underlying principles of zero trust architecture.

Applying the NIST Zero Trust Model via App Access Cloud
https://www.axissecurity.com/applying-the-nist-zero-trust-model-via-app-access-cloud/
Mon, 16 Mar 2020 16:57:00 +0000

Though the term Zero Trust was originally minted in 2010, defining what precisely Zero Trust means and how to deliver it has been a process. Ten years later in August 2020, NIST released SP 800-207 defining what the best practices are for creating a Zero Trust Network Architecture. Rather than the static “once and done” security measures of the past, such as turning on a VPN or setting up Firewall/static LDAP rules, NIST affirms that a Zero Trust architecture must operate as a dynamic workflow analysis and respond to all stages of credential/user validation, authentication, and authorization.

A VPN is not a Zero Trust architecture

A Zero Trust architecture is quite different from a VPN, even if that VPN is in the cloud. A VPN creates a private network for a public internet connection, solving the problem of users who are off network, but that’s not adequate security for today’s environments. A VPN is not a Zero Trust solution because once the user gets connected, they are on the network and fully trusted, with open access to potentially everything, even if that network is software defined. Plus, that VPN is an attack surface open to the public internet. And as many learned in 2020, VPNs are not just a weak link for security; they are also hard to scale overnight in the event of a sudden change of location or migration of employees toward a work-from-home model.

For application resources in any location, Axis Security can replace the VPN and provide secure access that conforms with the NIST Zero Trust architecture tenets. 

How does NIST define a Zero Trust architecture?

NIST’s definition of Zero Trust architecture in Special Publication 800-207 has seven basic tenets:

  1. All data sources and services are resources
  2. Authentication and authorization rules must be enforced before access is permitted
  3. Access to resources must be granted session by session
  4. Access is granted by dynamic policy
  5. All communication is secured 
  6. Monitor and measure the security posture of all assets
  7. Collect information about security hygiene, network entities, and communication, and use the information to constantly improve in a regular program cycle

Shift left fast to a Zero Trust model

Applications are the main data sources and services for almost every organization. Axis Security’s Application Access Cloud is a fast and simple way to shift left to Zero Trust without reconfiguring your existing network and in many cases without requiring installation of an agent on the endpoint. The App Access Cloud is designed to enforce the NIST Zero Trust architecture tenets for users accessing work applications and resources located anywhere — on company premises or in the cloud. It was built to deliver and enforce Zero Trust access from any user, anywhere, to any destination resource for the organization. Here’s how it works.

It starts with the user and their device

With so much malware in the marketplace and attacks being based on user credential theft or forgery, the first step is all about device posture and hygiene: what kind of device is attempting to access the resource? Before initiating a session, App Access Cloud checks a list of acceptable parameters for connection, including user and device context awareness. If a user is at home attempting to access an application with a company-issued laptop that’s passed a device posture check, they may get full access permissions for that application, but if they later attempt to access that application using a personal device that’s not managed by the company, policies can step right up and limit permissions to read-only. Once authentication is confirmed, access is granted; however, authorization is continuously confirmed throughout the access session.

It is continuous

Once a user is confirmed and connected, Zero Trust principles do not stop. The App Access Cloud monitors each user session, offering adaptive policy enforcement appropriate to the sensitivity and data control policies of the application and the changing context of the user and device. Nuanced policies can restrict attempts to copy and paste or to download files, based on changing user context as well as the device security posture and hygiene. If context changes mid-session, policies will enforce the change in real time. Down to the granular level, every request a user makes to an application is brokered and sanitized before being forwarded on, ensuring only well-formed requests are ever delivered.

It keeps applications and data isolated

Application Access Cloud isolates applications and then governs access for each app and resource individually – the user is never on the corporate network. Every application remains isolated from the internal network and the internet.

It has continuous visibility and centralized policies

App Access Cloud includes centralized access policy management to govern which users can access specific applications and tracks their activity, providing detailed views of user and application behavior during each session. This visibility and control over connections and subsequent data flow help prevent breach and data loss by rogue users and malware alike, and provide a step-by-step log of session activity for any necessary post-event incident investigations. 

Complying with NIST SP 800-207 is a good idea

Good Zero Trust architecture principles include more than just secure assets behind high walls. Every stage in the workflow of a user’s interaction with organizational resources is a step in the Zero Trust model, from data and users to analytics and automation. Axis Security can show you how to apply these principles to all your work applications.

Download our NIST Zero Trust Architecture Compliance whitepaper to learn more.
