Cisco zero trust network. Enforcing Zero Trust Access with Cisco SD-WAN

Extending Zero Trust Security to Industrial Networks

Recent cyber attacks on industrial organizations and critical infrastructures have made it clear: operational and IT networks are intimately linked. With digitization, data needs to seamlessly flow between enterprise IT and industrial OT networks for the business to function. This tighter integration between IT, OT, and Cloud domains has increased the attack surface of both the industrial and the enterprise networks.

The traditional security perimeter that industrial organizations have built over the years by installing an industrial demilitarized zone (IDMZ) is no longer sufficient. While this is still the mandatory first step to protect operations, embracing the digital industry revolution requires additional security measures, assuming that no user, application, or connected device can always stay trustworthy.

The Zero Trust Security model that many are now implementing to secure the enterprise workforce, workloads, and the workplace must be extended to industrial operations. It establishes an initial level of trust for all connecting entities based on their business role, enforces it through the network infrastructure, and continuously verifies this level of trust and compliance in every access request. It identifies not just users but also endpoints and applications, and grants them the absolute minimum access they need.

Building blocks of a zero-trust network

I recently presented a webinar explaining the specific Zero Trust requirements for IoT/OT networks:

  • Endpoint visibility. Gaining detailed visibility of what’s connected is key, both to understand what you are protecting and to continuously verify the identity of each device. Yet, many industrial organizations still operate without an up-to-date asset inventory.
  • Endpoint compliance. Industrial assets have software vulnerabilities that must be identified to plan corrective measures with the operations team. In many cases, the sheer volume of vulnerabilities becomes overwhelming to manage. You need risk scoring to prioritize your strategy for compliance improvement.
  • Network segmentation. Most industrial devices have been developed without security features. Once a device has been granted access, it should be added to an industrial zone as defined by ISA99/IEC-62443. Isolating industrial devices with micro and macro segmentation techniques (in addition to isolating the entire industrial domain with an IDMZ) is the most effective way to ensure threats can be contained.
  • Threat detection and response. Zero Trust doesn’t stop once access has been granted. Communications are continuously monitored to detect malicious traffic and abnormal behaviors. Events are reported with the appropriate context so that remediation can be done quickly without impacting industrial operations.

Cisco completes the zero-trust circle for OT networks

Being the leader in both the cybersecurity and industrial networking markets, Cisco is probably the only vendor on the market offering a comprehensive, validated architecture for extending Zero Trust Security to industrial workplaces.

Cisco Cyber Vision is designed to help industrial organizations gain visibility into their industrial network, discover all devices, identify known vulnerabilities, determine risks, and detect threats or abnormal behaviors. Because it is built into Cisco industrial network infrastructure, Cyber Vision can be deployed at scale without the need for additional appliances or an out-of-band collection network.

This detailed list of industrial devices is shared in real-time with Cisco Identity Services Engine (ISE) where security policies are created. Once IT and OT have defined the industrial zones or production cells they want to secure, IT will create Security Group Tags (SGT) in ISE to specify which communications are allowed between zones. OT users now just have to place industrial devices into the corresponding group using the Cyber Vision graphical interface for the right security policy to be automatically applied to them.

Downtime is very disruptive in industrial environments, so it is vital to monitor policy behavior before enforcement. The Policy Analytics module in the Cisco DNA Center network management platform lets you visualize real-time traffic flows between groups to ensure your policy will not block communications that are required for the industrial process. Once you are confident with the monitored policy, you can activate the policy enforcement through Cisco DNA Center.
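The monitor-before-enforce step described above can be modelled as a dry run of the proposed group-to-group policy against observed flows. The following is an added example, not Cisco code or output from Cyber Vision, ISE, or DNA Center; the zone names, IP addresses, services, and flow records are all constructed assumptions.

```python
from collections import Counter

# Constructed inventory: device IP -> zone that OT assigned it to.
# Zone names are hypothetical stand-ins for Security Group Tags.
DEVICE_ZONE = {
    "10.10.1.11": "Cell1_PLC",
    "10.10.1.50": "Cell1_HMI",
    "10.10.2.11": "Cell2_PLC",
    "10.20.0.5": "Historian",
}

# Proposed policy matrix: (source zone, destination zone) -> allowed services.
# Anything not listed would be denied once enforcement is activated.
ALLOW = {
    ("Cell1_HMI", "Cell1_PLC"): {"tcp/502", "tcp/44818"},
    ("Cell1_PLC", "Historian"): {"tcp/4840"},
    ("Cell2_PLC", "Historian"): {"tcp/4840"},
}

# Constructed flow records seen while the policy is only being monitored:
# (source IP, destination IP, service).
OBSERVED = [
    ("10.10.1.50", "10.10.1.11", "tcp/502"),
    ("10.10.1.50", "10.10.1.11", "tcp/502"),
    ("10.10.1.11", "10.20.0.5", "tcp/4840"),
    ("10.10.1.11", "10.10.2.11", "tcp/44818"),  # PLC-to-PLC across cells
    ("10.10.1.11", "10.10.2.11", "tcp/44818"),
    ("10.10.1.50", "10.20.0.5", "tcp/443"),     # HMI to historian web UI
    ("10.10.9.99", "10.10.1.11", "tcp/502"),    # device missing from inventory
]


def dry_run(flows, device_zone=DEVICE_ZONE, allow=ALLOW):
    """Return (would_block, unassigned) without blocking anything.

    would_block maps (src zone, dst zone, service) to the number of observed
    flows the proposed matrix would deny; unassigned lists device IPs that
    have not been placed in any zone yet.
    """
    would_block = Counter()
    unassigned = set()
    for src, dst, service in flows:
        src_zone = device_zone.get(src)
        dst_zone = device_zone.get(dst)
        if src_zone is None:
            unassigned.add(src)
        if dst_zone is None:
            unassigned.add(dst)
        if src_zone is None or dst_zone is None:
            continue  # reported separately: the device must be grouped first
        if service not in allow.get((src_zone, dst_zone), set()):
            would_block[(src_zone, dst_zone, service)] += 1
    return dict(would_block), sorted(unassigned)


def ready_to_enforce(flows):
    """Enforcement is safe only if nothing observed would be dropped."""
    would_block, unassigned = dry_run(flows)
    return not would_block and not unassigned
```

Each entry in `would_block` is a decision for IT and OT to make together: either the flow is required by the process and the matrix needs a rule, or it is unexpected and worth investigating before enforcement is activated.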

This simple workflow enables effective collaboration between IT and OT to define zone segmentation and enforce Zero Trust in the IoT/OT network. IT leverages tools designed to manage and secure networks. OT remains self-sufficient by using a tool that understands the industrial process. New devices will not be allowed into the network until OT places them in the production zone they belong to via a simple drag and drop within Cyber Vision. Moving a device from a zone to another will automatically modify the security policy applied to it.

Zero Trust doesn’t stop once access has been granted. Communications from and to industrial devices must be monitored to identify malicious traffic and abnormal behaviors that could disrupt production. As Cyber Vision is embedded into the industrial network, it sees everything and continuously decodes application flows to detect threats by leveraging signatures from Cisco Talos and behavioral baselines defined by OT. All these security events are reported to Cisco SecureX for investigation and remediation.

Get started today

This comprehensive and validated architecture lets you easily extend Zero Trust Security to your industrial domain today. Learn more by watching the replay of the webinar I recently presented.


Enforcing Zero Trust Access with Cisco SD-WAN

As applications become distributed across clouds, data centers, SaaS, and to the edge, enterprises need to enable secure access to these applications for their workforce from anywhere. Implementing Secure Access Service Edge (SASE) is a preferred method for enabling secure access to distributed applications by a hybrid workforce and the growing number of IoT devices.

Zero trust is one of the most common starting points for enterprises that are embarking on their SASE journey. Many enterprises are either in the process of adopting zero trust or have already adopted it. The initial transition was primarily driven by a large number of remote workers as a result of the pandemic. However, many enterprises are now transitioning to hybrid environments with the workforce distributed from campuses to branches to home offices.

This hybrid work environment, along with increasing reliance on distributed Cloud and SaaS applications, requires a network architecture that provides scalable and distributed zero-trust security enforcement close to endpoints and people using them. This maximizes bandwidth utilization of the WAN link while ensuring that there is no central choke point where all the traffic needs to be redirected. In addition, in order to thwart real-time threats, IT needs the network to continuously monitor and assess the security posture of devices after application access is granted.

The latest enhancements in the SD-WAN security architecture are designed to support this new paradigm of distributed applications and hybrid workforces. Now, the tight integration between Cisco SD-WAN and Cisco Identity Services Engine (ISE) enables IT to employ zero trust security functions for the traffic that goes through an SD-WAN fabric.


Cisco ISE Configures Security Posture in SD-WAN Fabric for Zero Trust

Delivering a Zero Trust methodology for SD-WAN traffic requires four key functionalities: application access policies based on the desired security posture (who can access what); security controls for admitted traffic; continuous enforcement; and immediate adaptation to security posture changes—all enforced with a consistent model for on-prem, mobile, and remote devices and workforce.

Cisco ISE supports the configuration of security posture policies in SD-WAN fabric. When a person’s device or an IoT endpoint connects to the network, the posture of the device is evaluated based on the configured policy, and an authorization decision is made based on that outcome. For example, an outcome of a device posture evaluation can be compliant, non-compliant, or unknown. This outcome of device posture evaluation determines an authorization policy, which can include the assignment of a Security Group Tag (SGT) and other authorization attributes to the device and owner. Details about how this is configured in Cisco ISE are captured in this technical article and video.

In addition, Cisco ISE shares the security group tags and session attributes with the Cisco SD-WAN ecosystem. This information can be leveraged by IT to create identity groups and associate security policies in Cisco vManage to enable access by specific user groups to applications over the SD-WAN fabric all the way to the edge.

The images of Cisco vManage console in Figures 1 – 3 illustrate the process of how Cisco vManage learns a set of security group tags from ISE.

Monitoring of Security Posture Guards Against Attacks

Cisco ISE also supports a periodic reassessment of device posture (which is explained in detail in this video). Any change in the posture will cause a change of authorization which results in a different security policy being implemented in the SD-WAN edge. This enables the network and endpoints to work in unison to enable zero trust capabilities. Following are three use cases to illustrate what is possible with the deep integration of Cisco ISE and SD-WAN solutions.

  • IT can configure a posture policy that requires an Anti-Malware Protection (AMP) agent running on endpoints to identify malicious files. When the owner of a device connects to the network, the posture is evaluated and determined to be compliant with a running AMP agent. The compliant status results in a specific SGT being assigned to the traffic and associated authorization access. As an added benefit in this case, the SD-WAN router will not execute the network AMP functionality when it is being run on the endpoint. However, if the AMP process on an endpoint is terminated either voluntarily or involuntarily, ISE will detect this through periodic posture assessment. The endpoint’s non-compliant status will result in a more restrictive SGT being assigned. On the SD-WAN router, a policy for non-compliant traffic will result in the execution of the network-based AMP function for the traffic originating from that endpoint. As a result, the network and endpoint work in unison to ensure that the right policies continue to execute properly.
  • IT can configure a posture policy that prevents the insertion of a USB device in an endpoint. When a device connects to the network without a USB attached, the posture is evaluated by ISE as compliant, and therefore traffic from the device is allowed to pass through the network. If a USB is connected to the device, ISE will immediately detect the non-compliant status and do a change of authorization, assigning a different SGT which can be used by the SD-WAN edge to block all traffic from the device as long as the USB is attached.
  • With Software-Defined Remote Access (SDRA), another key technology of Cisco SD-WAN, the traffic from remote workers and their devices is processed by the SD-WAN edge as well as subjected to ISE posture evaluation. This means that all the functions for accessing applications based on posture are applicable and available to both on-prem and remote endpoints.
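The posture reassessment loop in the AMP and USB use cases above can be modelled as a small state machine: each posture report maps to an SGT, a changed SGT is recorded as a change of authorization, and the edge applies the policy bound to the current tag. This is an added example, not Cisco ISE or vManage code; the SGT names, the report fields, and the handling of an unknown posture are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical SGT names and the edge policy bound to each one.
# "forward" = traffic is allowed through the SD-WAN edge;
# "network_amp" = the edge runs network-based AMP on that traffic.
SGT_POLICY = {
    "Compliant":     {"forward": True,  "network_amp": False},
    "NonCompliant":  {"forward": True,  "network_amp": True},
    "USB_Violation": {"forward": False, "network_amp": False},
    # Assumption: an unknown posture is treated like a non-compliant one.
    "Unknown":       {"forward": True,  "network_amp": True},
}


def evaluate_posture(report):
    """Map one endpoint posture report to an SGT name."""
    if report is None:
        return "Unknown"            # no posture report received
    if report.get("usb_attached"):
        return "USB_Violation"      # USB policy: block while attached
    if not report.get("amp_running"):
        return "NonCompliant"       # AMP agent stopped on the endpoint
    return "Compliant"


@dataclass
class Session:
    endpoint: str
    sgt: str = "Unknown"
    coa_log: list = field(default_factory=list)

    def reassess(self, report):
        """Periodic posture check; a changed result is a change of authorization."""
        new_sgt = evaluate_posture(report)
        if new_sgt != self.sgt:
            self.coa_log.append((self.sgt, new_sgt))
            self.sgt = new_sgt
        return SGT_POLICY[self.sgt]


# Constructed sequence of posture reports for one endpoint.
REPORTS = [
    {"amp_running": True,  "usb_attached": False},  # connects, compliant
    {"amp_running": True,  "usb_attached": False},  # no change, no CoA
    {"amp_running": False, "usb_attached": False},  # AMP process terminated
    {"amp_running": True,  "usb_attached": True},   # USB inserted
    {"amp_running": True,  "usb_attached": False},  # USB removed
]


def replay(reports, endpoint="laptop-01"):
    """Run the reports through one session; return it and the edge policies applied."""
    session = Session(endpoint)
    actions = [session.reassess(r) for r in reports]
    return session, actions
```

The `coa_log` is the part worth alerting on in practice: a transition away from the compliant tag marks the moment the endpoint's protection changed, and the edge policy shows what compensating control took over.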

Start the Journey to SASE with Zero Trust-Enabled Cisco SD-WAN

Cisco SD-WAN connects the workforce and IoT devices to any application using integrated capabilities for multicloud, security, and application optimization—all on a SASE-enabled architecture. Zero trust is a key capability of SASE, along with SD-WAN, enterprise firewalls, a Cloud access security broker, secure web gateways, malware protection, intrusion prevention system, URL filtering, and DNS-layer protection.

As organizations make progress on their journey to SASE, Cisco SD-WAN’s rich security capabilities enable Zero Trust functions across SD-WAN traffic to secure the network and devices in a scalable, optimal, and cost-effective way.


SASE and Zero Trust

How does SASE play a part in Zero Trust Architecture?

A hyper-distributed workforce demands smarter network security

The rise of remote access means perimeter protection is no longer up to securing your network. As part of a SASE Cloud security solution, zero trust is key to controlling network access across an expanding attack surface.

The workforce isn’t the same anymore. Across continents and time-zones, remote users access multiple devices to connect to an ever-growing number of SaaS applications.

Perimeter protection via VPN was once enough to safeguard segregated networks. Now, nothing separates those in and outside an organisation.

Zero Trust Network Access (ZTNA) has emerged as a new approach to security. ZTNA operates on the principle of least privilege.

In other words? Trust no one, no device, no user, no application. No matter where they are in the network.

A quick guide to SASE

Secure Access Service Edge (SASE) is a Cloud-based network and security framework protecting users, applications and data. SASE combines SD-WAN with Cloud-native security, delivered by a single Cloud service at the network edge.

It’s no longer a matter of trust

Cloud services have shifted the security landscape. With more traffic bypassing the data centre, VPNs are largely obsolete along with traditional security measures.

An alternative to remote access VPN, ZT architecture removes trust from the equation. Based on the principle of least privilege, users only gain access to services based on their role. Covering both the Cloud and the data centre, ZTNA offers more security and flexibility. This enables users to access services wherever they are and wherever the services are hosted.

A zero-trust approach:

  • Establishes trust in every access request, no matter where it comes from
  • Secures access across your applications and network
  • Extends trust to support a modern enterprise across the distributed network.

In this new world, trust is not a right – it’s a privilege.

What Is Zero Trust Security? Definition, Model, Framework and Vendors

Zero trust security limits user access in a network, even if the user is already a part of the network perimeter.

Zero trust security is defined as a security model that deems no device, software, or individual trustworthy and instead tests every user and system trying to gain access to any resource in a network. This article looks at the fundamentals of zero trust security, its pros and cons, architectural framework, and the top 10 vendors that can optimize the benefits of zero trust security for enterprises in 2021.

What Is Zero Trust Security?

Zero trust security is a security model that deems no device, software, or individual trustworthy and instead tests every user and system trying to gain access to any resource in a network.

This concept refers to an IT security approach that keeps sensitive data safe while complying with new privacy regulations. The model validates user identities before giving them direct access to critical IT systems. It utilizes a combination of tools, including multi-factor authentication (MFA), identity and access management (IAM), and endpoint security to authenticate user identities. As a result, unauthorized users are filtered out and prevented from accessing sensitive information.

The zero trust security model can be deployed on diverse networking environments such as Cloud, on-premise, and multi-Cloud or hybrid setups. It works on the principle of ‘trust nothing, verify everything’. Traditional networks permitted users to access any system, file, or data once they got in. However, in comparison, zero trust segregates different network parts and prevents unauthorized lateral access even if the users get into the network.


Key features of zero trust security

Most zero trust security systems are known to include the following key features:

  • Multi-factor authentication (MFA): Multi-factor authentication enables users to use at least two distinct methods to authenticate their identity. The first method involves a normal login with a username and password, while the second one can be a one-time password (OTP) sent to a phone number or email address linked to the account or even security questions.
  • Least-privileged access: This feature requires each user to have the lowest level of access to accomplish their task. The method blocks lateral movement and limits damages due to any breach. Additionally, it also avoids misuse of company data by internal company staff.
  • Microsegmentation: Microsegmentation divides a network into separate zones so that each entry point gives access to only one part of the network. This technique limits attacks (if any) to only one section of the network, thereby preventing malware from damaging the entire network.
  • Device discovery and identity protection: In a zero trust model, IT administrators need to know the devices operating on the network and the credentials residing on each device. This establishes a benchmark for normal activity on the network. This way, the IT team can easily identify, handle, and red flag any anomalies.

According to a 2021 report by Research and Markets, the global zero trust security market size is predicted to reach a valuation of 59.43 billion by 2028, expanding at a CAGR of 15.2% from 2021 to 2028.

Advantages and Disadvantages for Enterprises?

With the rising remote work culture, building a zero trust network has become critical for every organization. However, enterprises need to weigh the pros and cons of a zero trust model to decide upon its suitability for their business.

Advantages of zero trust model

Here are the advantages that a zero trust security model comes with.

  • Vulnerability management: A zero trust model safeguards a company from in-network lateral threats that could manifest within a network. It makes the network less vulnerable to breaches or attacks.
  • Effective user identification policies: The zero trust model uses multi-factor authentication in most cases, but sometimes, the model goes beyond passwords with biometric verification. Such a practice can better guard user accounts. Hence, in zero trust, strong policies are in place for better user identification and access.
  • Smart data segregation: A zero trust model lacks a big pool of data that all users access. Instead, data is segmented based on type, need, and sensitivity, making the system more secure. This helps in protecting critical or sensitive data from potential attackers.
  • Added data protection facilities: The model protects data that is both in storage and in transit. Additionally, it employs advanced features, including automated backups as a disaster recovery practice, encrypted or hashed message transmission to safeguard moving data, and much more.
  • Enhanced security orchestration: A zero trust model ensures that all your security elements work together efficiently and effectively for better security. Inactive security elements are recovered immediately to facilitate 24/7 foolproof protection.

Disadvantages of zero trust model

Although a zero trust model showcases a comprehensive security strategy, it does make security policies complex. Here are some disadvantages of a zero trust model.

  • Needs efforts to set up: Introducing new policies on an existing network is challenging, especially during the transition phase. Sometimes, building a new network from scratch is easier than converting the existing one. Additionally, if legacy systems are not compatible with the zero trust model, starting a new network would be the feasible option.
  • Needs user-specific policies: Managing company employees for access grants is inevitable. However, the user pool extends to clients and third-party vendors as they also use company portals or websites. This implies that, with these add-on access points, a zero trust model needs policies in place specific to each group of users.
  • devices to handle: Today, different users tend to use different devices. Each device has a different set of properties and communication protocols. This means that organizations need to implement and update policies to manage the growing number of devices on the network.
  • Complex application management: Likewise, applications are of various types. They are generally used across multiple platforms via a Cloud environment. Sometimes, they are also shared with third parties. Hence, a zero trust approach requires better application planning, monitoring, and management depending on users’ needs.

Zero Trust Security Model and Framework

Zero trust has become crucial for organizations as the digital frontier is impacting their business network security architecture. A zero trust security model provides a complete security suite for an organization. Enterprises can leverage greater granular control over accessibility, better visibility, and improved analytics and automation to keep the policies in check and update them as and when needed.

Zero trust model

A zero trust model has seven main components — zero trust data, zero trust networks, zero trust people, zero trust workloads, zero trust devices, visibility and analytics, and automation orchestration. Let’s understand each one in detail.

Zero Trust Security Model

  • Zero trust data: Data protection is a priority in the zero trust model, followed by supplementary protection layers. If a cybercriminal breaches the network perimeter, exploits vulnerabilities, or illicitly collaborates with an insider, they would have less accessibility to critical data. Also, policies will be in place to respond to the attack immediately before it becomes a formal breach. Data is the primary target of most attackers and insider threats, and it is considered a vital pillar of a zero trust model. Data protection can happen when organizations understand who has access to it, whether the data is sensitive or stale, and whether an attack response is in place to manage potential threats.
  • Zero trust networks: For attackers to steal your data, they must be able to navigate across the length and breadth of your network. However, a zero trust model makes this challenging as it segments, isolates, limits, and restricts the network with advanced next-gen firewalls.
  • Zero trust people: In a security strategy, humans represent the weakest pillar. Hence, in zero trust, all users—inside the network and on the internet—are monitored to track how they access resources and verify their activity. Also, users are monitored to prevent inevitable mistakes of falling prey to phishing, bad passwords, or suspicious insiders.
  • Zero trust workloads: Enterprises have several applications and software components that allow customers to interact with them. Any unpatched customer-facing application, API, or software can act as an attack vector. Zero trust regards the entire system, right from storage, operating system, to web front-end, as a threat vector. It further deploys zero trust-compliant controls for better protection against such vectors.
  • Zero trust devices: With the advent of IoT and the high demand for smart devices worldwide, device count has grown exponentially in the past few years. Here, each connected device can act as an entry point for attackers to infiltrate your network. With a zero trust security approach, security teams are better positioned to manage and control every device on the network.
  • Visibility and analytics: With zero trust principles, organizations have better visibility of everything happening over their networks. Methods such as advanced threat detection and user behavior analytics can help identify suspicious behavior in real-time.
  • Automation and orchestration: Zero trust security enables automation that can help in disaster recovery and keeps systems up and running. Automation in a zero trust model aids in faster remediation and advanced threat detection. It also saves human resources, as automation tools can perform incident response, leaving staff free to focus on other important tasks at hand.

Architectural framework

The National Institute of Standards and Technology (NIST) observes that zero trust implementation requires an architectural framework with definite logical components. This framework controls access to resources, and monitors data flow transitioning into and within the network.

In August 2020, NIST released a publication titled ‘NIST Special Publication 800-207: Zero Trust Architecture’, which details the logical components of a typical zero trust architecture, design scenarios, and threats. The publication also establishes zero trust principles for enterprises wishing to make the leap to zero trust security.

Here are the fundamental elements of the zero trust framework as defined in NIST SP 800-207.

Zero Trust Security: Architectural Framework

Policy engine: The policy engine decides whether to grant or deny a subject access to a resource. It uses policies by the enterprise and outside sources such as continuous diagnostics and mitigation (CDM) systems and threat intelligence services to grant, deny, or revoke access to target resources. This policy engine is also coupled with a policy administrator.

Policy administrator: The policy administrator links or delinks the communication path between a subject and a resource. It is responsible for generating client credentials or authentication tokens used by the client to access a resource. It takes help from the policy engine to continue or discontinue a session. The policy administrator establishes a communication path with the help of policy enforcement points via the control plane.

Policy enforcement point: The policy enforcement point acts as an intermediary between a subject and an enterprise resource as it enables/disables communication between them. The component can be further divided into a client (user) and resource side (gateway). Beyond the enforcement point, enterprise resources are hosted in a trust zone.

Data access policies: This component details the rules and policies for gaining access to enterprise resources. These policies can either be encoded or generated on the go by the policy engine. Authorization of resources begins with these very data access policies. Additionally, these rules define the primary access privileges for accounts and applications in an enterprise.

Identity management system: This module creates, stores, and manages the accounts and identity credentials of users in an enterprise. Necessary user details such as name and email ID are present within the system, along with organizational attributes such as user role and access privileges. The zero trust system often considers public key infrastructure (PKI) to deal with artifacts linked to user accounts.

Security information and event management (SIEM): SIEM gathers security-related data for future analysis. The collected data is then used to update policies and create awareness over potential attacks against the enterprise.

Threat intelligence: This module communicates information from various sources that allow policy engines to make informed access decisions. The information can relate to new vulnerabilities that can threaten the enterprise in the future. Additionally, the component also blacklists newly detected malware and reported attacks. Inputs from this component are then relayed to the policy engine to grant or deny access to an enterprise’s assets.

Network and system activity logs: This component collates asset logs, network traffic logs, resource access events, and other aspects that reveal the security position of an enterprise’s IT system in real-time.
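How the policy engine, policy administrator, and policy enforcement point divide the work can be seen in a minimal model of one access request. This is an added example, not code from NIST SP 800-207 or any vendor; the identities, roles, resources, device IDs, and the HMAC-signed token format are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # known only to the PA and the PEP

# Constructed inputs standing in for the supporting components.
IDENTITIES = {"alice": "engineer", "bob": "operator"}       # identity management
ACCESS_POLICY = {"engineer": {"plc-config"},                 # data access policies
                 "operator": {"hmi-dashboard"}}
FLAGGED_DEVICES = {"dev-77"}                                 # threat intelligence


def flag_device(device_id):
    """Threat intelligence input: mark a device as untrusted from now on."""
    FLAGGED_DEVICES.add(device_id)


def policy_engine(user, device_id, resource, device_compliant):
    """Decide grant or deny from identity, policy, compliance and threat intel."""
    role = IDENTITIES.get(user)
    if role is None:
        return False, "unknown subject"
    if device_id in FLAGGED_DEVICES:
        return False, "device flagged by threat intelligence"
    if not device_compliant:
        return False, "device failed compliance check"
    if resource not in ACCESS_POLICY.get(role, set()):
        return False, "no policy grants this access"
    return True, "granted"


def _sign(claims):
    return hmac.new(SIGNING_KEY, claims.encode(), hashlib.sha256).hexdigest()


def policy_administrator(user, device_id, resource, device_compliant,
                         now=None, ttl=60):
    """Ask the policy engine, then issue a short-lived token for one resource."""
    allowed, reason = policy_engine(user, device_id, resource, device_compliant)
    if not allowed:
        return None, reason
    issued = time.time() if now is None else now
    claims = f"{user}|{device_id}|{resource}|{int(issued + ttl)}"
    return f"{claims}|{_sign(claims)}", reason


def policy_enforcement_point(token, resource, now=None):
    """Gate in front of the resource: check the token on every request."""
    now = time.time() if now is None else now
    try:
        user, device_id, granted, expires, tag = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return False                      # missing or malformed token
    claims = f"{user}|{device_id}|{granted}|{expires}"
    if not hmac.compare_digest(tag.encode(), _sign(claims).encode()):
        return False                      # forged or altered token
    if granted != resource or expires < now:
        return False                      # wrong resource or expired session
    return device_id not in FLAGGED_DEVICES  # revoked mid-session
```

The final check in the enforcement point is what makes the decision continuous rather than one-time: a device flagged after the token was issued loses access before the token expires.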

Top 10 Zero Trust Security Vendors in 2021

This section lists the top 10 zero trust vendors that have good user ratings and provide a comprehensive security strategy to an enterprise’s network.

Akamai

Overview: Akamai is a popular zero trust vendor that provides a Cloud-based model. Its zero trust model incorporates dynamic and transparent policies for enhanced security.

Product: Akamai Intelligent Edge

  • Akamai’s product offers a single sign-on (SSO) with MFA
  • Safeguards against distributed denial-of-service (DDoS) attacks, thereby allowing secure data processing with a smooth workflow
  • Offers identity-based security
  • Enables advanced threat protection
  • Assists in inline data inspection

Pricing: Pricing details are only available upon request on the company website.

Editorial comments: Akamai’s products (e.g., Intelligent Edge) are compatible with most APIs. They provide a user-friendly interface for easy monitoring and threat management. However, some users have reported issues such as data vulnerability risks as the product stores data on a third-party Cloud. Additionally, default rules exercised by the product can sometimes block valid user requests.

Cisco

Overview: Cisco offers a zero trust solution that secures access across the entire enterprise’s environment. It protects everything, right from applications to folders.

Product: Cisco Zero Trust

  • Cisco’s product (Zero Trust) provides policy-based control over the network
  • Gives detailed logs, reports, and alerts
  • Provides greater visibility with an eye on any form of access across your network

Pricing: Pricing details are only available upon request on the company website.

Editorial comments: Cisco’s Zero Trust is suitable for companies having remote workforces as it provides a consistent security experience for all employees, be it remote or in-office staff. However, some users have reported that the product requires hands-on management from the IT team. Additionally, the implementation and deployment of the product is a time-intensive process.


Cloudflare

Overview: Cloudflare’s zero trust solution provides a steady login experience to every user, device, and application in a network.

Product: Cloudflare Access

  • Provides easy remote access from any location
  • Enables micro-segmentation
  • Seamless integration with open source software and social identity providers

Pricing: Cloudflare Access is a part of Cloudflare Teams, free for up to 50 users. Following rates apply as per team:

Editorial comments: Cloudflare Access is suitable for compliance-friendly organizations as the product obeys compliance rules by accessing logs in real-time via an interface. It enforces the default deny rule by working with identity providers and endpoint protection platforms. However, some users have reported issues that this default deny rule can sometimes block valid requests.

Illumio

Overview : Illumio offers a comprehensive, end-to-end zero trust security model by eliminating any insider or outsider. It provides microsegmentation and allows data isolation and data encryption, and easy data control for securing valuable data.

Product : Illumio Core

  • Illumio Core offers microperimeter security
  • Provides complete protection for data in transit
  • Enables end-to-end security for data

Pricing: Pricing details are only available upon request on the company website.

Editorial Comments : Illumio Core gives reliable traffic discovery and visualization features. It also provides good customer and engineering support. However, some users have reported issues with the reporting feature. Users have to apply filters time and again to get what they want in a report.

Palo Alto Networks

Overview : Palo Alto Networks is a top IT security provider with zero trust security offerings that are a part of its network security suite.

Product : Palo Alto Networks (Zero Trust Solution)

  • The product offers advanced integration with other security elements
  • Provides granular visibility as the product has a central console for viewing network happenings.
  • Offers multi-factor authentication features

Pricing: Pricing details are only available upon request on the company website.

Editorial Comments : Palo Alto Networks provides detailed reports along with threat responses. It also has responsive technical support. However, some users have reported frequent updates as the product is still in the developing stage. A few users also say that the product often requires several months for implementation.

Symantec

Overview : Symantec provides a cyber-defense platform to enable a zero trust model. The solution manages encrypted data traffic and also uses behavioral analytics to identify threats.

Product : Symantec’s Zero Trust Solution

  • Utilizes a strong web application firewall
  • Provides a user control and authentication toolkit
  • Harnesses security analytics for better future preparedness

Pricing: Pricing details are only available upon request on the company website.

Editorial Comments : Symantec’s Zero Trust Solution is suitable for organizations opting for a remote work module as the solution effectively manages secure remote workforce access. This, in turn, reduces the VPN overhead. However, some users have reported issues related to the vulnerability of application firewalls, as new malware and sophisticated algorithms could trick such security products.

Okta

Overview : Okta offers a popular zero trust solution that is easy to set up and implement. It also helps users stay compliant with various international standards.

Product : Okta Identity Cloud

  • The product is centered on identity access management (IAM) and zero trust policies
  • Offers multi-factor authentication (MFA)
  • Provides single sign-on (SSO) feature
  • Automates process-driven workflow, e.g., employee onboarding and offboarding process

Pricing: Okta Identity Cloud provides multiple packages depending on product features. Standard rates include the following:

  • 2.00 per user per month – Single Sign-on
  • 3.00 per user per month – Multifactor Authentication
  • 5.00 per user per month – Single Sign-on Adaptive
  • 6.00 per user per month – Multifactor Authentication Adaptive

Editorial Comments : Okta Identity Cloud is suitable for enterprises handling a large pool of international users as the product stays compliant with several international security standards. However, some users have reported issues related to the initial setup, which can turn out to be quite complex. Also, first-line support sometimes faces hurdles when dealing with complicated problems.

Forcepoint

Overview : Forcepoint provides a wholesome zero trust solution that is suitable for managing a safe remote workforce.

Product : Forcepoint Private Access

  • Forcepoint’s product is a next-generation firewall
  • Offers continuous network monitoring
  • Employs data loss prevention strategy
  • Implements network protection and micro-segmentation
  • Offers data traffic decryption for full visibility and instant threat inspection

Pricing: Pricing details are only available upon request on the company website.

Editorial Comments : Forcepoint’s product is suitable for remote workers as it eliminates any complexities and risks of VPNs since it gives them access to required applications. However, some users have reported issues highlighting organizations’ vulnerability as data is stored on third-party clouds.

Unisys

Overview : Unisys offers a complete zero trust implementation with a five-step mechanism: prioritize, protect, predict, isolate, and remediate.

Product : Unisys Stealth

  • Stealth product offers micro-segmentation and full visibility
  • It offers Cloud and mobile support services
  • Provides an intuitive and customizable interface

Pricing: Pricing details are only available upon request on the company website.

Editorial Comments : Unisys Stealth implements a comprehensive five-step methodology that helps in faster risk mitigation. However, some users have reported that the product lacks on-premise deployment options for Mac devices specifically. Also, the product does not perform well with network traffic analysis.

AppGate

Overview : AppGate offers risk-based solutions that provide customizable rules for authentication and threat prevention.

Product : AppGate SDP

  • Reduces attack surface
  • Verifies user identity based on user role, date, time, location, etc.
  • Blocks lateral movement and offers micro-segmentation

Pricing: Pricing details are only available upon request on the company website.

Editorial Comments : AppGate SDP is suitable for organizations targeting isolated environments and requiring granular access control across multi-Cloud frameworks. The product also has responsive user support. However, some users have reported issues related to the management interface as it is quite complicated to operate.

Let’s compare the features of these solutions again:

Takeaway

A zero trust model is based on the ‘never trust, always verify’ principle. It keeps a check on access to resources, files, folders, and systems within a network. The model makes remote access, IoT, and Cloud environments more reliable, secure, and trustworthy. Hence, businesses must embrace such a security solution to overcome ever-evolving cyber threats.

Do you think zero trust security completely shields an enterprise’s network? Comment below or let us know on LinkedIn. We’d love to hear from you!