The Eleven Pillars of Our Zero Trust Service for Enterprise Networks
Praveen Jain, Founder & CEO at WiteSand
As a part of a defense-in-depth strategy, a series of security tools are deployed at various layers. The network-based security tools are the frontline in threat prevention. This article outlines a comprehensive strategy for zero trust based on network segmentation, granular access, blocking unwanted communication, and quarantining. COVID-19 has taught us that isolation is a great way to prevent contagion. This is particularly true for zero-day attacks, for which there is still no detection or patch. Segmenting networks is no different.
WiteSand’s position is that network access control (NAC) is best when combined with the provisioning of switches and firewalls, delivered from the cloud for consistent policies across a global workforce. In fact, in a recent report, the 650 Group named WiteSand as the first and only cloud-based solution for enhanced network access control. Find out why here.
1. Access Policies for Employees Wherever They Work
With a distributed workforce, it is vital to enforce uniform access policies no matter where employees work.
It is possible to specify access policies for employees (or groups of employees) to network resources such as servers, printers, and other resources through the WiteSand Portal. These network resources may be in office buildings, private data centers, or in the cloud.
When a user connects to the corporate network (directly, via VPN, or otherwise), upon successful authentication with the corporate directory, the user’s IP is published across all enforcement points, such as switches, firewalls, and proxies.
Administrators define only high-level policies, while WiteSand continuously implements them under the hood, via cloud-based NAC and provisioning of switches and firewalls.
2. Posture Checks on Employee Devices
Compliance standards, such as SOC2, typically require employees’ laptops and other devices to have up-to-date patches, including antivirus software, encrypted hard drives, and the disabling of external USB devices. Additionally, there may be custom applications on corporate devices that require compliance.
WiteSand integrates with a variety of OS native and third-party MDM vendors, antivirus scanning tools, and vulnerability management tools. The data from these integrations can be used by the network administrator to define the minimum posture necessary to grant employee devices access to the corporate network.
3. BYOD Policies and Enforcement
It is recommended that the BYOD process includes self-registration of devices or administrative registration of devices, authentication using corporate certificates, and enforcement of security posture. It should be possible to unregister a device if it has been lost or stolen.
4. Fingerprinting and Segmenting IoT Devices
Your offices, campuses, retail stores, clinics, manufacturing plants, and other locations have a growing number of TVs, printers, cameras, and other IoT devices. Unpatched firmware, open ports, insecure access, and numerous other factors may make these devices easy targets for attacks. Segmenting these devices based on their intended use is extremely important. For example, a camera does not need to communicate with another camera, but only with a network DVR.
In the WiteSand Portal, devices can be identified by fingerprints and segmented. Furthermore, these devices can be quarantined by WiteSand via API integration with third party threat hunting tools.
5. Pinning All Traffic to the Firewall for Inspection
In corporate networks, traffic within VLANs does not go through firewalls. Firewalls are typically configured to inspect routed traffic across VLANs. As an example, if a medical device is in a VLAN and communicating with a server in that same VLAN, then that traffic is not inspected.
WiteSand supports flexible, simple policies via NAC and switch provisioning to pin all such traffic through firewall inspection.
6. Flattening your network with an East-West deny policy
If the employee laptops do not need to communicate with each other, could they all be placed on the same VLAN and prevented from communicating? In doing so, the number of VLANs in the network could be reduced and simplified. This is just one of many possible use-cases.
This is exactly what WiteSand’s “Intra VLAN deny” policy can accomplish. Through NAC and native switch controls, this is automatically enforced in the network by WiteSand.
7. Securing Corporate SSIDs
The correct way to secure your corporate SSID is to have employees authenticated with the corporate Active Directory or LDAP to make sure only legitimate current active employees have access to the network. This method of authentication is commonly known as WPA1/2/3 Enterprise.
To learn more about this topic, please see our blog here.
8. Securing Corporate Wall Jacks
There have been cases of intruders walking into corporate offices, connecting with a wall jack, or unplugging a TV and connecting to a wall jack, in order to access corporate networks
We recommend setting up a corporate policy via the WiteSand console so that only approved devices are allowed to connect.
9. Guests Access Policies
The Internet is a basic requirement for all visitors of the organization. You may implement no registration of guests, or self-registration, or even sponsored approved access depending on the requirements. It might also be beneficial to implement additional policies, such as blocking all non-office hours access and limiting duration of access.
WiteSand provides cloud-based NAC with complete guest management.
10. Network Devices Authentication, Authorization, Accounting
Your network administrators log into the switch and firewall in your corporate offices to perform day-to-day tasks. All authentications, authorizations, and all activities associated with each login can be centralized by the WiteSand Cloud service.
11. Providing protection for unknown network devices in the network
Are there any incidents of people creating their own networks by plugging in switches or access points in corporate networks?
By securing wall-jacks and fingerprinting all devices, WiteSand identifies and prevents unauthorized network devices until they are approved for entry.
As outlined, eleven pillars reinforce and improve the defense-in-depth strategy. Most enterprises are aware of these pillars, but fail to implement all of the steps.
WiteSand drastically simplifies the process with its intent-based approach. No software to install on-premises, delivered via the cloud, and template-based policies eliminate human error.
If you would like a live demo or a self-guided free trial, please contact us.