Zero Trust Architecture

Recap from the October 22nd, 2019 CISO/Security Vendor Relationship Podcast

by Lydia Pert

Let's talk about Zero Trust Architecture. Zero Trust is a strategic initiative that eliminates trust from an organization’s network architecture in order to prevent data breaches. The basic principle is “never trust, always verify.” Zero Trust protects digital business environments by enforcing network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and implementing granular user-access control. Zero Trust architecture is an option for organizations that want to prevent data leaks and lower the risk of cyberattacks.

The majority of businesses use traditional security architecture, which typically rests on the incorrect (and unsafe) assumption that anything contained within their own network is trustworthy. But the truth is that security threats can arise quickly from inside the network, and with more intelligence than ever before.

Why Zero Trust?

As Steven Prentice explained in the most recent Cloud Security Tip, “People working from anywhere on any device, and data racing around networks and to and from the cloud means there is no single fortress where everything can exist safely. Operating on a belief that everything inside the perimeter is safe because it’s inside the perimeter is no match to today’s hacking, penetration, and insider sabotage.”

And contrary to popular belief, these breaches are not just the result of cybercriminals breaking in. A lot of breaches start on the inside, which is why it is so important for organizations to protect themselves from the inside out.

Implementing Zero Trust

As Steve explained, organizations need to add new perimeter protections, including microtunnels and MFA, to new cloud deployments. But that is not all: organizations must also factor these new measures into an existing architecture without those measures becoming more inconvenient or vulnerable than what they are trying to replace.

It’s also important for leaders to define what Zero Trust means within their organization and learn what it means to other organizations, since there is presently no clear or unified definition across the industry, merely an agreement about the philosophy. When implementing and using Zero Trust technologies and practices, leaders must be sure there is clear communication with any other organization involved, since that organization's definition of “Zero Trust” might look drastically different.

A great way to get started with Zero Trust is to configure your OpenVPN Access Server to allow LDAP Active Directory authentication: from there you can apply specific settings to your Access Server users to determine who can log on, and what information they have access to. By configuring Access Server in this way, you are heading in the right direction towards “never trust, always verify.”