Achieving Zero Trust: ManageEngine's path to upgrading cybersecurity

Glossary

Abbreviation: Stands for

  • DLP: Data loss prevention
  • MDM: Mobile device manager
  • MFA: Multi-factor authentication
  • 2FA: Two-factor authentication
  • UEBA: User and entity behavior analytics
  • ZTA: Zero Trust architecture
  • ZTNA: Zero Trust network access
  • ZTAA: Zero Trust application access
  • ZTDA: Zero Trust data access

Introduction

"Knock knock."

"Who's there?"

Even knock-knock jokes have verification! How about you? Would you welcome a stranger into your home without verification? You would probably look through the peephole. You would open the door and ask them who they are, based on which you would decide how much access they can have. A delivery agent stops at your porch. A plumber can enter your kitchen to fix the sink. A house sitter can enter all the rooms, but you would keep the closet with your valuables locked. Similarly, organizations have multiple layers of security covering everything from entering the network to accessing files. All of this is facilitated by the guiding principles we refer to as Zero Trust.

Who is this e-book for?

Zero Trust may seem intimidating without the right guidance. If your organization is stepping into this ocean now, this e-book is for you. We will start with ManageEngine's ongoing experiences and work our way to mapping out what you can do as an IT leader for your organization.

(Zero Trust) addresses the agile needs of modern organizations and eventually it will become the way any security framework is (built).

From a business option to a business imperative, every one of us is on a Zero Trust journey, whether we know it or not.

- Rajesh Ganesan
President
ManageEngine

In this e-book, we will elaborate on:

  • Zero Trust: what it is and what it is not.
  • A framework you can implement without tearing your existing system apart.
  • ManageEngine's Zero Trust plan.
  • Real-life use cases.
  • Challenges and best practices.

Self-assessment to get started

What is Zero Trust?

Zero Trust is more than just a buzzword. It is the next step in cybersecurity. In the last decade, there has been an uptick in the number of security incidents organizations face due to internal and external threats. In ManageEngine's 2021 Digital Readiness Survey, we deduced that phishing, network endpoint attacks, and malware were the most prominent security threats, yet only 26% of organizations have opted for Zero Trust network implementation. Zero Trust is no longer an option. It is an imperative. At ManageEngine, we have started implementing Zero Trust in our network to give ourselves an extra shield against these preventable attacks.

Zero Trust stands on three principles:

The principle of least privilege

Also referred to as the principle of least authority, this is the practice of limiting user access to resources by providing just enough authorization for a member to carry out their tasks. It is also applicable to systems, processes, devices, and applications that request authorization.

Never trust, always verify

Implicit trust has always been a point of vulnerability in security. We know that we cannot blindly trust everyone within a network. With Zero Trust, we reduce the implicit trust zone and enforce continuous explicit verification.

Assume breach

This is one of the few areas where being a pessimist helps: assume a breach has occurred or is occurring at all times. Microsegmentation allows you to control the affected radius and prevent the breach from spreading.

Debunking the myths

Myth #1: Zero Trust is a product

Fact: Zero Trust is not a single solution that you can purchase. On the contrary, it is a framework or set of principles to guide organizations to make better security choices and protect themselves from breaches. However, vendors can offer multiple tools, like user authentication, that can be integrated to support Zero Trust in a network.

Myth #2: A good strategy needs to start from scratch

Fact: Google's BeyondCorp had to take apart and rebuild its entire network architecture to incorporate Zero Trust, but you do not have to do this. Enhance your existing network with a step-by-step approach. You can use a password manager tool, real-time auditing and monitoring, and multi-factor authentication (MFA) as a first step.

Myth #3: It really means "never trust (your employees), always verify"

Fact: Security is not personal. Trusting that everyone inside your organization has good intentions is a vulnerability. Attackers can be inside or outside an organization, and your job as an IT leader is to always keep information secure. However, this does not mean employees must always be treated like threats. User and entity behavior analytics (UEBA) can be used to assign trust scores based on several parameters and to grant users personalized access.

Myth #4: Zero Trust is for large enterprises

Fact: You do not need to burn a hole in your pocket or run a multinational corporation to introduce Zero Trust. BeyondCorp created a misconception that Zero Trust is expensive and time-consuming. That is only because it had to create something that did not exist before. SMBs, on the other hand, can now get started on their Zero Trust journeys with the simple tools that are available. In fact, you will save money on operational costs in the long run. Let us not forget that cyberattacks are not selective—they can happen to anyone. It makes more sense to spend a bit to protect your data than to pay hefty fines for non-compliance and damage control.

Myth #5: It only works on-premises

Fact: Over the last few years, we have seen tremendous growth in organizations adopting cloud-based solutions and moving to cloud or hybrid environments. Likewise, Zero Trust implemented on-site can be extended to cloud solutions with cloud-based security approaches.

Myth #6: The user experience and productivity will suffer

Fact: It might seem like a hassle to limit access and verify identities with each session, but with the right tools, workflows, and policies, it is possible to provide a user-friendly experience. Studying user behavior allows us to eliminate authentication requests for low-risk profiles and lessen wait times consistently. Additionally, Zero Trust increases productivity on the admin side. Once an employee leaves the organization, it automatically ensures they do not have access to any resources. There is no room for manual error. The admin team can focus on other critical tasks instead.
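The per-request decision described in Myths #3 and #6 can be sketched as a small policy function. This is an added example, not ManageEngine's code: the roles, resources, 0-100 trust-score scale, and thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed entitlements: each role gets only what it needs (least privilege).
ENTITLEMENTS = {
    "support": {"ticketing"},
    "developer": {"ticketing", "source-repo"},
    "it-admin": {"ticketing", "source-repo", "admin-console"},
}
ALWAYS_MFA = {"admin-console"}  # assumed: sensitive resources never skip MFA
LOW_RISK_SCORE = 80             # assumed: at or above, no extra prompt
MIN_SCORE = 40                  # assumed: below, deny outright


@dataclass
class Request:
    user: str
    role: str
    active: bool            # False once the account is offboarded
    device_compliant: bool  # e.g. posture reported by an MDM
    trust_score: int        # assumed 0-100 score produced by UEBA
    mfa_done: bool          # MFA completed in this session
    resource: str


def decide(req: Request) -> Tuple[str, str]:
    """Return (decision, reason); decision is allow, step_up_mfa or deny."""
    if not req.active:
        return "deny", "account deprovisioned"
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return "deny", "resource not in role entitlements"
    if not req.device_compliant:
        return "deny", "device not compliant"
    if req.trust_score < MIN_SCORE:
        return "deny", "trust score below minimum"
    low_risk = req.trust_score >= LOW_RISK_SCORE and req.resource not in ALWAYS_MFA
    if req.mfa_done or low_risk:
        return "allow", "verified"
    return "step_up_mfa", "MFA required for this risk level or resource"


if __name__ == "__main__":
    # Constructed sample requests; every decision is printed with its reason
    # so that "who accessed what, and why" can be logged.
    for r in (
        Request("asha", "developer", True, True, 90, False, "source-repo"),
        Request("asha", "developer", True, True, 60, False, "source-repo"),
        Request("ravi", "it-admin", True, True, 95, False, "admin-console"),
        Request("lee", "support", False, True, 90, True, "ticketing"),
    ):
        print(r.user, r.resource, decide(r))
```

Evaluating the function on every request, rather than once at login, is what makes the verification continuous, and the returned reason gives the audit trail a value to record.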

Assessing ManageEngine's security model

The traditional castle-and-moat model works under the assumption that everyone within a network is trusted. It weeds out external threats and vulnerabilities but does not account for the internal users or devices. That was the standard strategy for almost 20 years. Now, this is outdated.

Figure: Traditional perimeter-based security model

The perimeter-based security model worked when ManageEngine had employees working in the office every day. Access to information was granted through the corporate Wi-Fi only. Pre-pandemic, working from home was not mainstream yet. Apart from development teams and some remote employees, ManageEngine did not have a heavy requirement for the VPN. When the pandemic hit, everyone shifted to remote work. Simultaneously, we were hiring new employees for multiple teams.

At this point, ManageEngine faced five main challenges:

Capacity

There was an unprecedented surge in VPN users. We faced slow performance and connectivity problems when using mobile data. Within a week, we had to block some non-work-related sites to optimize bandwidth.

Limited verification

VPN access was granted with just a username and password. Was this a safe way to verify user identity? Absolutely not. Even if one careless employee used a notes app to store their passwords or had a generic password like “ManageEngine123,” we were vulnerable to attacks.

Visibility

VPN logs are not comprehensive, so we could not figure out who was accessing what, an essential capability on which we could not compromise.

Access control

We could not take privileges away from compromised devices or accounts. The burden then fell on the application itself.

Cost

During the pandemic, Zoho inaugurated over 30 spoke offices in India as a part of our rural revival initiative. Scaling up the VPN for all the spoke offices was expensive because we used a third-party service.

It became evident to the Admin team that it would have to step up its security to keep business moving as usual. Our Security team got to work—it was time to find a stronger alternative to the VPN.

Why did we decide to begin our Zero Trust journey now?

  • The pandemic forced a temporary shift to remote work but influenced an irreversible change in work culture. At the time of writing this e-book, Zoho is over 12,000 employees strong and easing its way into a hybrid model. Balancing in-office and remote teams requires a sophisticated security framework.
  • A successful enterprise is always the biggest target for cyberattacks. It is inevitable. It is at risk for ever-evolving external threats, insider attacks, vulnerabilities, and more. Over the last few years, we have noticed an increase in potential threats. Thus, ManageEngine decided to get started with Zero Trust.
  • Zero Trust is not infallible. There is still room for attacks, but Zero Trust is an additional form of protection in which every organization must invest.
