The expectations for our working experience have never been higher. With changes to working patterns, places and attitudes, your users expect a seamless experience no matter where they are or what device they’re on.
However, this is only possible with a robust and agile security posture. Now that data is being created and stored across multiple locations, both on net and in the cloud, and employees are accessing applications from any number of possible locations, the potential for vulnerabilities is ever-increasing.
The best way to secure your data and applications is to build a system where user identity acts as the network perimeter. The traditional ‘walled garden’ approach, where the IP address acts as the perimeter, has not survived 2020. Bad actors now have a larger attack surface via access to hybrid public cloud, SaaS and on-premise infrastructure, so the best way to protect your organisation is to make access the exception and not the rule.
Here are 5 ways you can build a zero-trust security system with identity as the perimeter.
1. Question the user
Multi-factor authentication is the foundation of conditional access and should be the first step in your new strategy. Products like Cisco’s DUO will ask users to validate their identity through a secondary verification method, like the user’s mobile number, to block imposters trying to access your data. Users would be required to validate their access through this quick process regardless of what device they’re on or location they’re in, keeping your assets safe. Cisco DUO also allows you to group users and set specific permissions so that you can prevent data leakage and shadow IT.
2. Secure devices
The next step should be to secure your devices through user identity. One way to do this is with a network segmentation solution like Cisco’s Identity Services Engine (ISE). While DUO is questioning the user, ISE will interrogate the device to make sure it’s acceptable for use, checking the operating system, the IP address, whether it’s a company asset, etc. ISE will enforce user group authorisation policies to make sure user behaviour matches their permissions, and if it doesn’t, ISE can isolate and quarantine that user to prevent further insecure access.
3. Secure SaaS applications
Securing your SaaS applications, such as Microsoft 365 or Salesforce, will be a pivotal part of your strategy as this is where your users will probably spend most of their time. A Cloud Access Security Broker (CASB) product like Cisco’s Umbrella will work with DUO to authenticate users and monitor your SaaS apps and user behaviour to enforce permissions and company policies. Umbrella is Cisco’s first line of defence – it works with DUO and ISE to track user behaviour across all platforms as a data loss prevention (DLP) tool. This cloud-based firewall will secure your data from shadow IT and users that bypass your LAN or VPN.
4. Secure your data
One of the most effective ways to secure your data overall is to use a system that analyses the information coming from other systems, such as DUO, ISE and Umbrella, to help further identify any unusual traffic patterns or threatening behaviour. Cisco’s Stealthwatch does just that. It gathers information not just from its internal sources but also from the global pool of Stealthwatch customers, to proactively defend against threats other customers have seen. When it identifies a problem, it works with ISE and Umbrella to either block access or quarantine users to minimise impact.
5. Secure the office
While your office network might not seem like a priority while your users are working at home, there is a way to secure your LAN and improve your remote networking operation.
Meraki MX is an on-premise security platform for your hybrid office/WFH operation that combines your router and firewall into one device. It can be used as a secure VPN concentrator, connecting all your remote devices to the network, and as well as asking the user to authenticate through DUO, it acts as a device profiler (similar to ISE). It will interrogate the device to make sure it is what it says it is, that it’s using a safe OS, etc. The management for Meraki is completely cloud-based, further enabling a remote working operation while keeping your LAN safe. For smaller SMEs, the Meraki and Umbrella integration offers some of the same network access security features as ISE via an integrated cloud-based management dashboard (which would be a significantly easier deployment).
Segmenting your security strategy into these 5 categories will make sure all your systems, data and users are protected from themselves as well as outside threats.
If you would like to learn more about creating a security strategy around your users, book a meeting with our security expert, Ian.