5 Keys to Creating a Zero-Trust Security Foundation

By Jon Green, Vice President and Chief Security Technologist at Aruba, a Hewlett Packard Enterprise company

Recent high-profile attacks have disrupted global commerce across the world, bringing home the critical importance of maintaining a robust IT security program. The recent ransomware attacks on the Colonial Pipeline, the largest petroleum pipeline in the US, and meat supplier JBS, highlight the cascading, society-disrupting havoc these types of attacks can create.

Those concerns increasingly extend to IoT devices, as evidenced by the recent hack of cloud-based security services firm Verkada, where bad actors gained access to 150,000 of the company’s cameras, including inside factories, hospitals, prisons, schools, and even police stations.

Vulnerabilities come in many forms and we have known for a long time that the onslaught of IoT devices onto corporate networks is largely unprotected. It’s little wonder then that when the Ponemon Institute surveyed 4,000 security professionals and asked why breaches still happen, the top answer was the increasing attack surface.

Networking and Security Must Go Hand in Hand

As a networking vendor, connecting people and things is part of Aruba’s core mission. But that’s not good enough anymore – organizations can’t continue down the “networks-connect-everything; the-security-team-will-install-firewalls-to-block-the-things-they-don’t-want” path. That is why Aruba has increasingly focused not just on connecting and managing users and devices, but also on building security into our networks, with support for frameworks like Zero Trust and SASE, forging an essential partnership between networking and security.

Today, at the foundation of a modern security architecture, organizations require a very prescriptive Zero Trust security program that rests across five key areas:

1. Visibility: It’s hard to protect something when you don’t know it’s there. We answer the fundamental question, “What’s on my network?”
2. Authentication: Employing a variety of technologies to clearly identify who and what is trying to obtain access.
3. Role-Based Access Control: Just because a device connected to an Ethernet port or a Wi-Fi network doesn’t mean it gets unfettered access to the entire network. Apply business-driven access policies, based on identity and then mapped to a role, enforced with a built-in L4-7 Policy Enforcement Firewall.
4. Continuous Monitoring: Looking for changes in security status that can indicate a compromise.
5. Attack Response: Changing network access privileges in response to a breach.

For years, Aruba customers have been using our built-in Policy Enforcement Firewall (PEF), a Layer 7 stateful firewall, combined with ClearPass Policy Manager to deliver these five capabilities. But, as previously mentioned, we’ve put a lot of focus on the IoT problem over the last several years as the influx of these devices into the enterprise world has accelerated.

From vending machines to building controls to cloud-networked security cameras, “things” are flooding onto the network at an exponentially increasing rate. They are driving much of the new customer experiences and business models that make up digital transformation, and aside from the general IoT management issues, these devices come with little or no security controls or protection. In that same Ponemon survey noted above, over 75% of respondents said they had little or no confidence in protecting IoT devices. Our customers tell us that they can’t see up to 50% of what is connected to their network.

Understanding What’s on the Network

That is why Aruba introduced ClearPass Device Insight (CDPI) in 2019. CPDI uses network traffic analysis to spot everything connected to the network, and machine learning to automatically determine what the device is. This answers the first question above: “What’s on my network?” in a much more definitive way than was previously possible.

When CPDI launched, packet-level visibility was provided by a “collector” – a virtual or physical appliance connected to a SPAN port or a network packet broker. Such a collector is typical in the security industry – but we wanted to do better. From the beginning, we wanted this sort of telemetry to come directly from the network infrastructure itself. Recently, at Aruba Atmosphere 2021, we delivered on that goal during the “Define Your Edge Journey” technology keynote, showing a demo of CPDI, running inside Aruba Central, collecting telemetry through an Aruba gateway. The replay of that keynote session is available for anyone to view – you can access the recording via the link above.

Graduating from Security Awareness to Security Enforcement

Through this evolution, the network itself has become its own security sensor. Can we use it for security enforcement as well? Absolutely. As CPDI collects data about network activity, it develops a detailed view of what each connected device is doing: protocols, ports, and behavior patterns. That information flows to ClearPass Policy Manager, which uses it to decide the appropriate role and access privileges, and to the Policy Enforcement Firewall to enforce access rights and traffic segmentation. No more blind spots. No more security cameras with free access to the ERP system.

All of this is managed and delivered via Aruba ESP (Edge Services Platform) and our cloud-native network management solution, Aruba Central. A practical example of the power of role-based access control is the recently introduced Aruba IoT Transport for Azure. This Aruba Central service allows IoT devices connected to Aruba access points (APs) to securely and bi-directionally communicate with the Azure IoT Hub.

At Aruba, we’re proud to lead the pack in bringing Zero Trust principles to enterprise networks, and as the need grows stronger, we’ll continue to lead.

To learn more about the state of Zero Trust, SD-WAN, and SASE architectures, view the infographic.

For more information about Aruba security solutions, visit www.arubanetworks.com/security.