Distributed remote workforces, migrations to cloud-based business operations, and other factors have required that our traditional internal network be stretched beyond its ability to be reasonably secured. Add the increased incidents of inside-originated threats like ransomware and we have to accept that the internal network really isn’t any more secure than the external one is. How do we secure our businesses’ critical resources without adding unmanageable complexity?
The Zero Trust Model
Back in 2010, John Kindervag at Forrester Research came up with the idea of Zero Trust (ZT) as a security model. The old inside/outside thinking needed to be rethought, mostly because the assumptions upon which it was built (user awareness of potential security risks, physical security, and minimal ingress/egress points for the network) were no longer true. Some of them may never have been true in the first place. The new model involves the principle of least-privilege access, granting users only what they need when they need it, and only after they have been verified and the device that they’re connecting from has been vetted for compliance with the company’s access policies. Needless to sayx, this is more complicated thinking than the old inside/outside model and isn’t traditionally an easy implementation. The business requirement was there, but the level of knowledge required to bring all of these ideas together was another story.
Needs vs Capabilities
Even before the COVID-19 pandemic’s requirement for an expanded remote workforce, organizations were recognizing the need for a ZT security model. Ransomware attacks and other threats originating from trusted networks have been increasing dramatically over the last few years, forcing us to accept that a trusted network model just doesn’t work.
Most businesses understand the need, but many are held back by a lack of technical capabilities. Zero Trust has a number of components that span the traditional silos of information technology and this is out of the comfort zone of many, leading to slow uptake.
This is especially true in the small and medium enterprise space where the information security team is often one person. In the smallest of these, information security is just a hat worn by an IT generalist or an external consultant.
Complexity is traditionally the enemy of a stable infrastructure, but in this case, it can be a roadblock to any implementation at all.
Fortinet ZTNA: The New Perimeter
Fortinet’s Zero Trust Network Access (ZTNA) brings a simplified and integrated approach to the problem.
In the old inside/outside thinking, the firewall was the perimeter. It was the sole ingress/egress point for the network and controlled the bulk of access policy. The distributed network with its multiple points of access has minimized our thinking of the firewall’s role, but what if its influence could be expanded beyond its traditional place? Instead of it being the gatekeeper for a single point of entry and exit, what if it could be the control mechanism for all access? Fortinet’s ZTNA takes exactly this approach.
Using the FortiClient Agent, a user can connect their device to the Fortinet Next Generation Firewall (NGFW) using a dynamically generated encrypted tunnel and be evaluated for access regardless of their location, on-premises or remote. This allows all access to be treated as untrusted and subject to the company’s security policy as policed by the NGFW.
Local? Remote? It’s all the same and subject to the same policies, keeping it simple.
Core Functionality
In its most basic implementation, the Fortinet ZTNA solution consists of the following components:
FortiGate NGFWs
As mentioned above, the NGFWs evolve from being traditional firewalls to being the access control points for the entire extended network. The on-board application proxies become the only paths to the internal resources protected by the ZTNA policies.
FortiClient Agent
The FortiClient Agent manages the encrypted connection to the proxy points controlled by the NGFWs. This connection is the foundation for ZTNA, regardless of whether the device is on-premises or remote.
FortiClient Enterprise Management Server (EMS)
The EMS manages the ZTNA clients and provides redirection to different authentication proxies depending on user requirements.
Fortinet Identity and Access Management (IAM) via FortiAuthenticator
IAM provides user and guest access control, and single sign-on with support for business services like Microsoft’s Active Directory. It also manages security certificates and provides the foundation for optional enhancements like FortiToken MFA.
Optional Enhancements
FortiToken
Multifactor authentication (MFA) can be added to the FortiAuthenticator using a mobile phone or hardware-based tokens.
FortiManager
Policy can be distributed over multiple sites and proxy points via FortiManager. This functionality is in addition to FortiManager’s traditional device management and monitoring role.
Scalability and Investment
The Fortinet ZTNA solution is scalable from the smallest to the largest organizations with each component being offered in subscription-based cloud offerings, virtual machine products, and hardware appliances depending on the requirements of the organization. Small enterprises with a minimal on-site installation and a migration strategy to the cloud might consider a mix of these, with ZTNA proxy points in their cloud installation, as well as their on-site NGFWs. Larger organizations might find themselves at the level where physical appliances are needed to manage the volume, but all use the same basic principle, keeping the complexity to a minimum.
The Whisper in the Wires
Fortinet’s Zero Trust Network Access takes an interesting approach, making the Fortinet NGFW appliance the central focus of the entire network’s security fabric. This seems strange at first glance. After all, we’re talking about zero trust architecture and NGFWs are still traditional inside/outside perimeter devices, no? Yes, but zero trust demands a rethink of what we consider to be the perimeter. If security is going to be integrated into the network as a whole and we’re going to avoid the pitfalls of bolting it on as an afterthought, then every point of access to the network is the perimeter. Fortinet is simply taking what has traditionally been the logical control point and broadening the scope.
This is an appealing way of looking at things, particularly for smaller enterprises looking for a building block on which to begin migrating to a zero-trust access strategy. The Fortinet NGFW appliance can take the traditional firewall role in the short term while users and devices, regardless of whether they are remote or on-premises, are migrated to ZTNA. There’s still an inside/outside mentality in the thinking, but users and client devices are always on the outside for purposes of the security perimeter.
Zero trust is an urgent requirement in enterprises of all sizes, but the complexities of implementation can be problematic. Fortinet’s ZTNA minimizes the complexity and provides an attractive and scalable solution.
For more information about implementing ZTNA with Fortinet, check out their website.