Policies

What is Zero Trust?

It’s important to note that Zero Trust is not a solution. It’s not a tool. It’s not something you can buy in a box or download and deploy on your network. Zero Trust is a state of mind. A Zero Trust security strategy assumes that all traffic–regardless of whether it originates from a trusted source – is untrustworthy. This forces web sites, web apps, Software-as-a-Service (SaaS) platforms and even email content to be treated as if it is malicious. It then needs to be authenticated continuously, before each interaction with a user, device or application on the network.

What are Zero Trust Policies?

Zero Trust Policies enforce the rules that govern Zero Trust strategies. For example, an organization may want to force read-only access for suspicious websites to protect users from credential theft. Or, it may want to tighten restrictions around payroll applications because of the sensitivity of data on those systems. Zero Trust Policies take into account the user, the device and what they are requesting access to–and their trustworthiness are continuously monitored and evaluated.

Why can’t you create, implement and manage these policies with legacy security tools?

Traditional security policies authenticate entities (a user, device or application) once at the edge of the network and then give them access to everything inside the network. This worked well when enterprise networks were set up in a hub and spoke model where there was little mobility. Users tended to log in from corporate headquarters behind a robust firewall that could control traffic flowing in and out of the data center.

Today’s networks, however, are highly-distributed and mobile. Users, devices, apps and data are spread out across private and public cloud infrastructures where they are spun up and down on demand. This decentralized architecture hasn’t so much eliminated the perimeter as it has expanded it to anywhere users do business–whether it is a remote office, a home office, a customer site or on the road. The perimeter is everywhere – making it impossible to stop breaches.

What makes Zero Trust Policies different from these traditional approaches?

Zero Trust Policies continuously authenticate entities at the perimeter and inside the network, ensuring that nothing gets through the cracks. This granular control allows you to identify and monitor changes of trustworthiness. Rather than assume authenticated entities are trustworthy, Zero Trust Policies assume everything is malicious by default and require them to continuously prove their trustworthiness.

How do I implement Zero Trust Policies?

It’s a strategy that requires enterprises to completely rethink how they protect the organization. Zero Trust Policies must be ubiquitous throughout the network security stack–including the Secure Web Gateway (SWG), firewall, and Cloud Access Security Broker (CASB). Whether someone is connected to a cable coming out of the wall at the corporate headquarters or logging on from public WiFi in a coffee shop, Zero Trust Policies govern exactly what they can access and at what level.

What are the core principles of Zero Trust Policy?

Start with a catalog of applications

You can’t secure what you don’t know. Any Zero Trust policy starts with cataloging your applications so you know where they sit in the network and  what users need access. You can then define levels of accessibility to determine who gets full access, who gets read-only and whether users can get upload or download permissions.

Granular control

Once you know what you have, you can bake levels of control into your Zero Trust Policies. It’s almost like calculating a risk score. For example, let’s say that a known user is trying to access an application on the network. Multi-factor authentication proves that the user is who they say they are and they are logged into a known device. However, the user is located in a country such as Albania.

Not only is that a strange location for this particular user to be located in, it’s a known hotbed of hacker activity. A Zero Trust policy can be set to provide the authenticated user access to the application but limits him to read-only. This granular level of control protects the application from potentially malicious activity without disrupting the user’s productivity–just in case the user really does have a legitimate reason for being in Albania. Zero Trust policies allow you to set these various levels of security based on pre-set rules and apply them globally.

All encompassing

Zero Trust policies also need to go beyond just user to app accessibility. They need to go the other way as well by dictating data flow from the application to the user or even between applications. This allows you to apply Zero Trust policies to applications, users, devices and data–providing complete coverage across the enterprise. You should even be able to extend policies to third parties such as customers and partners using unmanaged devices to be truly secure. It shouldn’t matter if it’s an application, a person, an IoT device – every entity needs to continually prove its trustworthiness throughout every interaction.

Why is Menlo Security in a good position to deliver on the promise of Zero Trust Policy?

Menlo Security starts with a clientless first approach, making it easier and more elegant for the IT staff to implement globally. Menlo then provides a single place to create and manage those Zero Trust policies – allowing you to set once and apply globally across applications, users, devices and data.

Menlo is also built on an Isolation Core™. Everything goes through this abstracted layer in the cloud, giving administrators unparalleled visibility and control into security without impacting the native user experience.