Zero Trust: What It Is and Why It’s Important

April 21, 2020


So, you purchased new solutions and scaled existing solutions to support a remote workforce… Now what?

By Jim Warman, Kovarus RVP of Solutions

Over the past three weeks I’ve spent a lot of time talking to customers about a range of challenges: how to support growing business needs while keeping costs down, how to use some of the downtime to get up to speed on newer technologies (automation, cloud, Infrastructure as Code, etc.), and, inevitably, how supporting a remote workforce has forced companies to adopt new ways of working and quickly build trust that employees can still do their jobs from home.

This post isn’t going to dive into which collaboration tool (Cisco Webex, Zoom, Microsoft, etc.) is best for an organization or how to scale it to support the growing number of employees who now need access. I’m also not going to cover adding licenses to your existing VPN solution. Instead I want to write about something most companies are in dire need of assistance with: departmental access policies, and implementing security zones and boundaries.

I’m sure many of you have spent time evaluating and purchasing new collaboration tools, new firewalls to support the increase in remote-access VPN, and maybe even a Multi-Factor Authentication (MFA) solution like Cisco Duo to secure access to business-critical applications. However, the one question most companies can’t answer, and that typically scares them, is how to restrict access once a user has authenticated to the VPN. The same granular Network Access Control (NAC) enforcement you may already apply to on-prem wired and wireless users must now apply to your remote workforce as well. NAC solutions like Cisco ISE, Aruba ClearPass and Forescout CounterACT, and more recently Cisco Duo, can be integrated with remote access so the same policy follows VPN users.

Let’s assume your business has several departments: Finance, HR, Marketing, IT Operations and others. The employees in each department are now working from home and need access to the applications they use to do their jobs, and those applications differ by department: Finance has resources Marketing shouldn’t reach, and HR has resources no other department should reach. These per-department access requirements are the piece most often overlooked, and the exposure has grown sharply now that hundreds or thousands of remote VPN users were added very quickly. Your MFA solution may have helped verify a user’s identity at the VPN, but most likely it stopped there. And how did you roll out a new MFA solution, or scale an existing one, to a large number of users? An email blast asking them to go to a portal and self-register? Are you using MFA only as a second factor, or are you also performing posture assessments on the device? What if a user’s account was already compromised before enrollment? Could the intruder then register their own device and still gain access? This is where “Zero Trust” comes in.

Cisco Systems defines Zero Trust as:
“A comprehensive approach to securing all access across your networks, applications, and environment. This approach helps secure access from users, end-user devices, APIs, IoT, microservices, containers, and more. It protects your workforce, workloads, and workplace.”

Historically we relied on Microsoft Active Directory (AD) group membership to secure access to resources. Against today’s attacks we can no longer assume AD groups alone are enough, and many organizations struggle to implement and maintain an AD environment clean enough to restrict access properly. The other traditional method is security Access Control Lists (ACLs), typically defined by source and destination subnet and perhaps port. To restrict access with ACLs you have to ensure that remote-access authentication places each user in the right group and that each group lands in a predictable address pool, because the ACL can only key on the source subnet, not on the user or the device. Even then, especially in smaller companies, individual users often span departments and need access to resources in more than one of them, which a subnet-based rule set handles poorly. Both approaches, like other single-layer controls, are hard to implement and harder still to scale with the business.
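The two models in the paragraph above side by side, as an added example (my code, not Kovarus’, Cisco’s or Duo’s): a VPN ACL keyed on the address pool a user lands in, beside a per-request decision that checks group membership, MFA, and whether the device is one IT actually issued, which is the question raised earlier about a compromised user self-enrolling their own device. All pools, subnets, users, devices and resource names are constructed for illustration.

```python
"""Added example, not from the post or from Cisco/Duo/Kovarus: a subnet-based VPN
ACL next to a per-request user + device decision, on constructed data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Model 1: subnet ACL. Each VPN group policy hands out addresses from its own
# pool, and the ACL keys on that pool. Hypothetical pools and app subnets.
VPN_POOLS = {"finance": ip_network("10.10.10.0/24"), "hr": ip_network("10.10.20.0/24")}
SUBNET_ACL = {"finance": [ip_network("10.1.1.0/24")], "hr": [ip_network("10.1.2.0/24")]}


def subnet_acl_allows(src_ip: str, dst_ip: str) -> bool:
    """Allow if the source sits in a pool whose ACL covers the destination subnet.
    Nothing here knows who the user is, what device they use, or whether MFA passed."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for pool_name, pool in VPN_POOLS.items():
        if src in pool:
            return any(dst in net for net in SUBNET_ACL[pool_name])
    return False


# Model 2: per-request decision on user identity AND device trust.
@dataclass(frozen=True)
class Device:
    device_id: str
    in_inventory: bool   # issued and tracked by IT, not merely self-enrolled in MFA
    os_patched: bool     # posture results reported by the endpoint agent
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset    # identity-provider group membership (the AD-group input)
    device: Device
    mfa_passed: bool
    resource: str


# Resource-level policy instead of subnet reach (hypothetical names).
RESOURCE_POLICY: Dict[str, dict] = {
    "intranet":    {"groups": {"all-staff"}, "managed_device": False},
    "erp.finance": {"groups": {"finance"},   "managed_device": True},
    "hris.hr":     {"groups": {"hr"},        "managed_device": True},
    "ops.bastion": {"groups": {"it-ops"},    "managed_device": True},
}


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Default deny; every check must pass, and the reason is returned for logging."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource, default deny"
    if not req.mfa_passed:
        return False, "mfa not satisfied"
    if not (req.groups & policy["groups"]):
        return False, "user not authorized for resource"
    if policy["managed_device"]:
        if not req.device.in_inventory:
            return False, "device not in managed inventory"
        if not (req.device.os_patched and req.device.disk_encrypted):
            return False, "device failed posture check"
    return True, "allow"


def demo() -> Dict[str, object]:
    """Scenario: stolen finance credentials, MFA self-enrolled from an unknown PC."""
    corp_laptop = Device("LAPTOP-FIN-0042", True, True, True)
    attacker_pc = Device("UNKNOWN-PC", False, False, False)
    alice_groups = frozenset({"all-staff", "finance"})
    out = {}
    # Subnet ACL: the attacker landed in the finance pool, so the finance app
    # server is reachable, and so is every other host in that subnet.
    out["acl_attacker_erp"] = subnet_acl_allows("10.10.10.57", "10.1.1.20")
    out["acl_attacker_lateral"] = subnet_acl_allows("10.10.10.57", "10.1.1.200")
    # Zero trust: same credentials, same MFA pass, but an untrusted device.
    out["zt_attacker_erp"] = zero_trust_decision(
        Request("alice", alice_groups, attacker_pc, True, "erp.finance"))
    out["zt_attacker_intranet"] = zero_trust_decision(
        Request("alice", alice_groups, attacker_pc, True, "intranet"))
    # Legitimate user on a managed device: allowed to her own resource only.
    out["zt_alice_erp"] = zero_trust_decision(
        Request("alice", alice_groups, corp_laptop, True, "erp.finance"))
    out["zt_alice_hris"] = zero_trust_decision(
        Request("alice", alice_groups, corp_laptop, True, "hris.hr"))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The ACL lets the stolen credential reach the whole finance subnet because the only thing it can see is a pool address; the per-request model refuses the sensitive application on the unknown device, still admits the low-sensitivity intranet on identity alone, and denies a legitimate user a resource outside her department without any subnet arithmetic.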

This is where Kovarus can assist. Our proven methodology enables customers to quickly document and assess what users need access to and create a roadmap for the solutions that will enforce it. For example, we find that in most companies roughly 60–70% of users only need access to basic resources like the intranet. With a solution like Duo Access Gateway together with Duo MFA we can quickly and securely publish the intranet to that majority without giving them full VPN access, which sharply reduces the exposure that comes with enabling VPN for every user. For the remaining 30% or so, we have implemented zero trust solutions from companies like Cisco Systems and Palo Alto Networks to identify the user and the trusted device, grant access only to their authorized resources, and restrict lateral movement once a user is in.

Solutions exist today to solve almost any challenge, and zero trust is no exception. However, a zero trust implementation is only as good as your understanding of which resources employees actually need. Our team of certified Architects and Engineers can quickly work with your team to define access policies, implement solutions to secure access to corporate resources, and improve your security posture. If you would like to continue this discussion or learn more about how we can assist, please feel free to reach out to me via email or Webex Teams or

Looking to learn more about modernizing and automating IT? We created the Kovarus Proven Solutions Center (KPSC) to let you see what’s possible and learn how we can help you succeed. To learn more about the KPSC go to the KPSC page.

Also, follow Kovarus on LinkedIn for technology updates from our experts along with updates on Kovarus news and events.