The challenges in network security have grown substantially as workforce decentralisation has increased, Internet of Things (IoT) devices have flourished, and cyberattacks have become more advanced and persistent.

Conventional security methods, which mainly focus on network perimeters, have proven to be insufficient as a primary security strategy. Instead, network security strategies have adapted to keep pace with a constantly evolving and diverse user and device environment, while addressing more formidable threats aimed at formerly ‘trusted’ network components.

Currently, two significant security initiatives form the backbone of network security: secure access service edge (SASE) and zero trust. In 2019, Gartner defined SASE in recognition that IT access and the corresponding security services would increasingly be delivered from the cloud.¹ Similarly, the zero trust framework is not a product, but rather a way of building IT systems that restricts network access to authorised and authenticated users. At its core, zero trust says that, just because a device is connected to a particular part of a network, it shouldn’t necessarily have access to everything on that network.

This is an important shift from the traditional focus on perimeter security, which relied on keeping threat actors out of a network (but once you were in, you were in). In other words, if a device was allowed inside the network perimeter, it was ‘trusted’, and anything ‘untrusted’ had to be kept outside. Zero trust rejects these assumptions for two reasons:

1. With so many devices connecting to networks, one perimeter is no longer enough. Devices (and people) still need to be viewed as untrusted inside the perimeter.
2. With so many Software-as-a-Service (SaaS) applications housed in the cloud, most of the platforms that organisations use sit outside the perimeter – and yet they are trusted enterprise resources.

This is the basis of SASE: businesses need to be able to securely access data at the edge, outside their network perimeter. Of course, this brings with it a large amount of complexity.

Zero trust and SASE rely on identity

A core principle of both zero trust and SASE frameworks is that access to IT resources should not be determined solely by where, or how, a client connects. The network is intrinsically untrustworthy, and an ‘overlay’ security fabric must be added based on a well-defined, identity-based architecture that segments traffic solely to those paths and resources that have been explicitly permitted. These architectures can cover the entire security ‘lifecycle’ of an endpoint: from authentication and authorisation to continuous monitoring and attack response. The goal is to authenticate the device and continuously compare its configuration and status to a defined set of acceptable security states, ensuring it does not introduce vulnerabilities or participate in an attack.

Know what’s on your network

The capacity to extensively and precisely recognise all connected devices in a network, both wireless and wired, is a crucial security measure. The most efficient strategy uses various discovery techniques to identify and categorise a diverse array of device types, from traditional IT-managed devices to previously undetected IoT devices such as cameras, medical equipment, sensors, and other hard-to-detect endpoints. Cutting-edge solutions use machine learning (ML) to continuously assess contextual and behavioural data, dynamically update device fingerprints, and offer recommendations for newly encountered devices.

To facilitate detailed traffic segmentation, device detection and profiling can be combined with access policies, enabling a comprehensive, closed-loop access control system from visibility to network infrastructure enforcement. Based on specified policies, devices can automatically receive access permissions or be quarantined if they are non-compliant with configurations or exhibit malicious or insecure behaviour. The result is a dynamically safeguarded network that can identify when new or existing devices are integrated, moved, or request additional services.
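As an added illustration (not Aruba ClearPass code or any vendor API), the closed loop described above and in the identity section can be modelled as a small policy evaluator: a profiled device and its current posture are checked against a hypothetical policy table of acceptable security states, assigned a network role or quarantined, and re-evaluated whenever the posture changes. The device records, profiles, posture attributes and role names are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Device:                # a profiled endpoint; sample data is constructed
    mac: str
    identity: str            # authenticated user or device identity
    profile: str             # result of device profiling, e.g. "laptop"
    connected_via: str       # port/SSID; deliberately ignored by policy
    posture: dict = field(default_factory=dict)

# Hypothetical policy table: acceptable security states per device profile.
# A check is either an expected literal value or a predicate on the value.
POLICY = {
    "laptop": {
        "role": "corp-users",
        "required": {"av_running": True, "disk_encrypted": True,
                     "patch_age_days": lambda days: days <= 30},
    },
    "ip_camera": {
        "role": "iot-cameras",
        "required": {"firmware_current": True, "default_creds": False},
    },
}
QUARANTINE = "quarantine"

def evaluate(device):
    """Return (role, failed_checks). Anything not explicitly permitted by
    identity and posture is quarantined, wherever the device connects."""
    rule = POLICY.get(device.profile)
    if rule is None:
        return QUARANTINE, ["unprofiled device"]
    failed = []
    for attr, expected in rule["required"].items():
        value = device.posture.get(attr)
        if value is None:                 # missing attribute is not compliant
            failed.append(attr)
        elif callable(expected):
            if not expected(value):
                failed.append(attr)
        elif value != expected:
            failed.append(attr)
    return (QUARANTINE, failed) if failed else (rule["role"], [])

def on_posture_update(device, changes):
    """Continuous monitoring step: apply a posture change and re-evaluate."""
    device.posture.update(changes)
    return evaluate(device)[0]
```

A compliant laptop receives the `corp-users` role, a camera still on default credentials is quarantined, and a laptop whose antivirus stops running is moved to quarantine on the next evaluation without any change to where it is connected.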

The Aruba ClearPass difference

Networking solutions with intrinsic support for zero trust and SASE architectures provide a strong, built-in security foundation. Aruba ClearPass performs a wide range of zero trust architecture functions. It starts with a range of authentication services to identify users and devices. Based on identity, ClearPass Policy Manager will assign a set of access permissions that are enforced by the Aruba network. ClearPass OnGuard performs advanced endpoint posture assessment and remediation to ensure security and compliance requirements are met prior to users and devices connecting to the network.

As an Aruba Gold Partner, Blue Connections IT can work with your business to re-frame your key goals and challenges, conduct a review of your existing network infrastructure, and make recommendations for optimising your foundations to enable ongoing innovation, security and control.

To learn more about how Aruba ClearPass can help you establish a strong, zero trust security foundation and protect your network from advanced threats, contact the Blue Connections IT team today.

¹ https://www.gartner.com/en/information-technology/glossary/secure-access-service-edge-sase
POST AUTHOR:

PAUL WILSON

Chief Technology Officer, Blue Connections IT