A roadmap to Zero Trust architecture
Five ways to manage the transition to Zero Trust architecture
Organisations are increasingly transitioning to Zero Trust, the modern security model that requires strict verification for every user and device trying to access network resources. Forrester Research reports that CISOs in the APAC region are pioneering adoption, with 78% of organisations investing resources into a Zero Trust security strategy.
Because Zero Trust is a fundamentally different approach to protecting organisations, it requires time, resources, and cross-functional buy-in to fully implement. In one survey, nearly two-thirds of future adopters said it will be “moderately difficult” to implement Zero Trust; about 30% said it will be “very difficult.”
Organisations that wait to transform their application and network security face risks, however. There has been a notable increase in data breaches across New Zealand and nearly two-thirds of Kiwi businesses experienced a cloud breach in the past year.
netQ and Cloudflare make it simple for any enterprise, government, NGO, or commercial customer to start their Zero Trust journey now. With a phased approach, customers can realise immediate ROI without disrupting employee productivity or connectivity.
Those who are early in their journey (or starting from scratch) can begin to build momentum for full Zero Trust adoption with these five simple projects:
1) Establish identity and enforce authentication
As Gartner recommends, “Once the strategy is defined, CISOs and risk management leaders must start with identity – it is foundational to zero trust.”
In a Zero Trust approach, the network must be extremely confident that requests come from the entity they claim. Organisations must gain an accurate picture of who should actually be trusted, and with what – otherwise known as identity. netQ guides customers to establish a consistent corporate identity, making granular policy enforcement for applications more seamless.
Cloudflare’s Zero Trust Network Access (ZTNA) technology shrinks customers’ attack surface by granting context-based, least privilege access per resource, rather than network-level access. It establishes a way to securely authenticate identity, for example, through enforcement of multi-factor authentication (MFA). MFA is one of the best ways to safeguard against user credential theft. It can be integrated with an existing identity provider (e.g., Microsoft Azure Active Directory, Okta, OneLogin, Cisco DUO), or other user credentials (e.g., Google, LinkedIn, one-time passwords).
Cloudflare was recently recognised in the 2023 IDC MarketScape for ZTNA for its current capabilities and strategy.
2) Secure email against phishing attacks
Email is both one of the largest business applications and the biggest attack vector. Phishing attacks such as business email compromise (BEC) campaigns are incredibly costly; BEC, for example, has cost victims over $50 billion worldwide. In New Zealand, phishing is the most commonly reported cyber scam and comprises almost 71% of all reports to CERT NZ.
As part of the Cloudflare Zero Trust platform, Cloudflare’s email security service assumes that no email can be trusted, even if from “trusted” senders or domains. It proactively hunts for phishing infrastructure, sources, and delivery mechanisms to block campaigns at the onset, and blocks phishing across different channels (email, web browser, network). It seamlessly integrates with cloud email suites and takes minutes to deploy, without hardware or software to install, and without impacting end users.
Cloudflare was recently named a Leader in The Forrester Wave™: Enterprise Email Security, Q2 2023 report.
3) Protect and control outbound Internet traffic
DNS filtering uses the Domain Name System to prevent users from accessing malicious websites and to filter out suspicious or malicious content. It can also help block phishing websites, such as ones using a spoofed domain and designed to steal login credentials. DNS filtering can be considered part of a larger access control strategy aligned to Zero Trust, because it controls where users (or groups of users) transfer and upload data.
Cloudflare’s Internet-native secure web gateway (SWG) service protects office users first with DNS filtering and, later, with more comprehensive inspections across all distributed locations. Cloudflare’s data loss prevention (DLP) and remote browser isolation (RBI) services can also be added for threat protection against data exfiltration, zero-day browser exploits, and more.
Cloudflare has been recognised as a Leader and Fast Mover in the 2023 GigaOm Radar for DNS Security.
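The per-group filtering decision described in this section can be sketched as follows. This is an added example, not Cloudflare's or netQ's code; the group names, policy layout and the reserved .test domains are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupPolicy:
    blocked: frozenset                 # blocked domains; their subdomains are blocked too
    allowed: frozenset = frozenset()   # exact-name exceptions, checked before the blocklist

# Constructed policy data: a spoofed-login domain blocked for everyone,
# and an upload site blocked only for the (hypothetical) finance group.
POLICIES = {
    "default": GroupPolicy(frozenset({"login-examplebank.test"})),
    "finance": GroupPolicy(
        frozenset({"login-examplebank.test", "filedrop.test"}),
        frozenset({"reports.filedrop.test"}),
    ),
}

def normalise(qname):
    """Canonical form of a query name: lower case, no trailing root dot."""
    return qname.strip().rstrip(".").lower()

def covered_by(name, domain):
    """Match on a label boundary so 'notfiledrop.test' does not match 'filedrop.test'."""
    return name == domain or name.endswith("." + domain)

def decide(qname, group, policies=POLICIES):
    """Return (verdict, reason) for a DNS query issued by a member of `group`."""
    name = normalise(qname)
    policy = policies.get(group, policies["default"])  # unknown groups get the default
    if name in policy.allowed:
        return ("ALLOW", "exception")
    for domain in sorted(policy.blocked):
        if covered_by(name, domain):
            return ("BLOCK", domain)
    return ("ALLOW", "no-match")

if __name__ == "__main__":
    for q, g in [("Portal.Login-ExampleBank.TEST.", "engineering"),
                 ("upload.filedrop.test", "finance"),
                 ("upload.filedrop.test", "engineering")]:
        print(q, g, decide(q, g))
```

Normalising case and the trailing dot before matching, and matching only on label boundaries, are the two details that most often cause a blocklist to miss or over-block.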
4) Close a common attack vector: inbound network ports
Some attackers try to send malicious traffic to random ports (a virtual point where network connections begin and end) in the hopes that those ports have been left ‘open’, meaning they are able to receive traffic. These open inbound network ports are a common attack vector that should be protected.
A Zero Trust reverse proxy allows customers to securely expose a web application without opening any inbound ports. From there, the application’s DNS record becomes the only publicly visible record of the application. And the DNS record is protected with Cloudflare’s Zero Trust policies. As an added layer of security, internal/private DNS can be leveraged using ZTNA.
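A host-side check for the goal stated above, that an application published through a reverse proxy should not be listening on any externally reachable address. This is an added example, not vendor code; it assumes Linux `ss -H -ltn` output, and the sample lines are constructed.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output; not captured from a real host.
SAMPLE = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080    0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 511  [::]:443          [::]:*
LISTEN 0 128  [::1]:631         [::]:*
LISTEN 0 128  *:9090            *:*
"""

def parse_local(field):
    """Split the 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %interface
    return host, int(port)

def is_loopback_only(host):
    """True only when the listener is bound to a loopback address."""
    if host == "*":                            # wildcard bind: every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                           # unparseable bind: treat as exposed

def exposed_listeners(ss_output):
    """Return sorted (port, host) pairs for listeners reachable beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = parse_local(cols[3])
        if not is_loopback_only(host):
            findings.append((port, host))
    return sorted(findings)

if __name__ == "__main__":
    for port, host in exposed_listeners(SAMPLE):
        print(f"listener on {host}:{port} is not loopback-only")
```

This reports what the host is bound to, not what a firewall in front of it permits, so the result should be read together with the network's inbound rules.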
5) Enforce Zero Trust policy for the most critical applications
Every organisation’s set of apps is unique. Enterprises (over 2,000 employees), for example, each run an average of 211 different apps. Zero Trust policy enforcement is based on the specific app type: private self-hosted apps (addressable only on the customer’s network), public self-hosted apps (addressable over the Internet), and SaaS apps.
netQ and Cloudflare customers can simplify Zero Trust policy enforcement by choosing an initial list of the most critical apps (for example, HR, accounting, and collaboration/productivity apps). Zero Trust policies will be applied using the most appropriate options, such as a Zero Trust reverse proxy, ZTNA, RBI, and/or cloud access security broker (CASB).
Access control needs to be seamless and transparent: the best compliment for a Zero Trust solution is that end users barely notice it’s there. These services ensure applications can be accessed securely and quickly, without latency.
Start your Zero Trust journey with ease
A Zero Trust provider needs to both secure customers’ users on the internet and optimise the internet to make sure that those users stay continuously protected.