The other day I was talking to an analyst about trends in networking and how important the zero-trust security model has become. With zero trust, a user or device is only trusted after confirming their identity or status. It moves security away from implied trust that is based on network location and evaluates trust on a per-transaction basis.
Many organizations are incorporating zero-trust strategies into their architectures, replacing implicit trust for network edges and remote users with consistent convergence of networking and security. This change in mindset has led to specific projects that involve zero trust, such as zero-trust network access (ZTNA) initiatives.
Zero-trust concepts have received much more attention since the increase in remote and hybrid work arrangements. It’s important to provide a good experience no matter where users and the applications they need to access may be located. Unlike a VPN that provides broad access to the network, ZTNA provides granular control, so access is only granted to a specific application.
Many organizations have used ZTNA only for remote access, but now Universal ZTNA has become a priority for more enterprises. Universal ZTNA is different in that it enables connections regardless of the location of the application or user.
Instead of having one policy for remote users and another policy for those located on-premises, with Universal ZTNA, users can be located anywhere. The user identity, device identity, and a posture check are performed before access is granted. As organizations realize the benefits of adopting zero-trust, many of them graduate from a ZTNA remote access solution to Universal ZTNA for access anywhere.
The Expansion of Zero Trust Security
When I talked to the analyst, he referred to the next step beyond Universal ZTNA as “ZTNA for devices” because not all access involves users. However, a more accurate term is zero trust access (ZTA). ZTA is a superset, applying zero trust principles to users and their devices and also to non-user associated devices. It doesn’t just focus on user application access like ZTNA; it also looks at network access for Internet of Things-type devices.
Many enterprises have an increasing number of “headless“ network-connected devices, which could be anything from sensors to heating and ventilation controllers or lighting and door access systems. These new smart devices are in addition to the IP-phones, IP-cameras, and printers that have been on corporate networks for years. These devices do not have a user role and a username and password to identify themselves.
All of those non-user-associated devices that aren’t logging in through a portal or client are dependent on the network. Unlike people who could be connecting from anywhere to an application anywhere else, a remote device like a badge reader or an HVAC controller connects to the network. These devices will be connecting to servers on the network or possibly calling back to a cloud-based management platform. Either way, their access to the network should follow zero-trust principles with just the minimum access required to reach that server or service, so they don’t act as a platform for a bad actor to search the network for new openings.
Implementing ZTA includes the use of network access control (NAC) solutions to discover and control the access of headless IoT devices. Using NAC policies, the zero-trust principles of least access can be applied to to these non-user associate devices. The NAC solution grants only enough network access for the device to perform its role and nothing more. And it can monitor the network and revoke access when access policies are violated.
ZTA and Fortinet
Although the idea of using zero-trust principles to restrict device access may sound new if you’ve only been focusing on user access and ZTNA, at Fortinet, we’ve always believed that the only way devices should access the network is through ZTA using a network access control solution. With that said, you need the right type of NAC product with the ability to do network orchestration and policy enforcement.
For years, we’ve had the ability to apply zero-trust principles for devices. This complements our newer capabilities with ZTNA for applying zero-trust principles to users. Together, we call it ZTA. Enterprises use our FortiNAC solution to identify and secure IoT and endpoint devices, while they use FortiGate next generation firewalls and FortiClient to deliver location-independent user-based application access control.
Learn more about how Fortinet Zero Trust Access continually verifies who and what is using your resources.
