OT remote access: can you trust your technician's laptop?

Zero Trust Network Access (ZTNA) is a secure remote access service that verifies remote users and grants access only to specific resources at specific times, based on identity and context policies. This is part 2 in our ZTNA blog series for operational environments. Read the first blog here.

Right now, somewhere in the world a robotic arm needs a firmware upgrade, a wind turbine is stalled, and a highway message sign is displaying gibberish. If your business depends on operational technology (OT) or industrial control systems (ICS), you need to allow machine builders, maintenance contractors, or your own specialists and technicians to remotely access equipment for configuration, troubleshooting, and updates.

Shrink the risk with ZTNA

In our last blog we gave a 10,000-foot view of Cisco Secure Equipment Access (SEA) and how it can help secure remote access to your industrial network. Cisco SEA is a Zero Trust Network Access (ZTNA) solution that controls who can connect, which OT assets they can access, and when. It starts from a default-deny posture and grants least-privilege access only once it trusts the user identity.

Clientless and agent-based ZTNA

In addition to restricting access to specific assets and schedules, Cisco SEA can also restrict the access method remote technicians may use to log into an OT asset. If they are using RDP, VNC, SSH, Telnet, or HTTP(S), they only need a web browser; no client software is required. Cisco SEA proxies all remote access traffic, meaning that users never have direct IP access to the asset or the network. Completely isolating critical resources gives you unmatched security.

In some situations, you may need a full IP communication path between the remote user and an OT asset. Examples are technicians using vendor-specific management software, modifying a PLC program with a native desktop application, or transferring files to and from an asset. To address these advanced use cases, Cisco SEA offers an agent-based ZTNA access method called SEA Plus.

SEA Plus installs a lightweight application on the remote user's computer to create a secure end-to-end IP connection with the OT asset, enabling any TCP, UDP, and ICMP communications. However, unlike the network extension provided by a VPN solution, traffic always goes through the SEA trust broker, which enforces security policies such as which assets can be accessed, when, and which protocols and ports can be used.

Overall, SEA Plus provides native IP access to operational technology from remote computers, but without the need to design, deploy, and maintain a VPN infrastructure. It also strengthens and simplifies security with highly granular controls that tightly restrict access to OT assets, as required by the ZTNA least-privilege principle.

Take ZTNA to the next level with automated security-posture checks

Control over the who, what, how, and when of remote access is a huge step toward robust security of your industrial network and critical infrastructure. But when using SEA Plus, you are granting full IP access to an asset. How can you be sure the user's computer will not expose the asset to malware or malicious traffic? To gain full trust, you need to verify the device the technician is using to log in.

Good news: Cisco SEA and Cisco Duo work together to automatically check device health before granting access to an asset. When a remote user tries to establish a session using the SEA Plus access method, Duo verifies that the user's computer complies with your security policies, for example operating system version and patch level, firewall status, use of antivirus software, and more. If a device does not meet your requirements, the technician cannot gain access.
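The policy logic described in the SEA Plus paragraphs above (default deny, least privilege bound to identity, asset, maintenance window, protocol and port) and the device-posture gate described here can be written down as a small evaluator. The following is an added illustration, not Cisco SEA or Duo code, and the rule fields, user names, asset names and posture attributes are assumptions constructed for the example; the TCP 44818 and UDP 2222 ports in the sample rule are the standard EtherNet/IP ports.

```python
"""Illustrative ZTNA policy evaluator (added example, not Cisco SEA/Duo code).

Models the controls described in the post: default deny; per-user rules that bind
an identity to one asset, one access method and a maintenance window; and, for
the agent-based (SEA Plus-style) method, a per-protocol/port allow list plus a
device posture check before any IP path is granted. All rule and posture fields
are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import time

CLIENTLESS = "clientless"   # browser-based RDP/VNC/SSH/Telnet/HTTP(S), proxied by the broker
AGENT = "agent"             # full IP path through the trust broker (SEA Plus-style)


@dataclass(frozen=True)
class Rule:
    user: str
    asset: str
    method: str
    start: time                      # maintenance window, local time, same day
    end: time
    ports: frozenset = frozenset()   # {(proto, port)} allowed for AGENT rules only


@dataclass(frozen=True)
class Posture:
    """Device health attributes of the kind a posture check reports (assumed set)."""
    os_patched: bool
    firewall_on: bool
    antivirus_on: bool


def posture_ok(p: "Posture | None") -> bool:
    """Every posture attribute must hold; a missing posture report counts as failing."""
    return p is not None and p.os_patched and p.firewall_on and p.antivirus_on


def evaluate(rules, user, asset, method, at: time, proto="", port=0, posture=None):
    """Return (allowed, reason). If no rule fully permits the request, deny."""
    reason = "no matching rule (default deny)"
    for r in rules:
        if (r.user, r.asset, r.method) != (user, asset, method):
            continue                       # identity, asset and method must all match
        if not (r.start <= at <= r.end):
            reason = "outside maintenance window"
            continue
        if method == AGENT:
            # Full IP access: gate on device health first, then on protocol/port.
            if not posture_ok(posture):
                reason = "device posture check failed"
                continue
            if (proto.lower(), port) not in r.ports:
                reason = f"{proto}/{port} not permitted by rule"
                continue
        return True, f"allowed: {user} -> {asset} via {method}"
    return False, reason


# Constructed sample policy: one contractor, two assets on the same production line.
RULES = (
    Rule("ana@contractor.example", "hmi-line3", CLIENTLESS, time(8), time(18)),
    Rule("ana@contractor.example", "plc-line3", AGENT, time(8), time(12),
         frozenset({("tcp", 44818), ("udp", 2222)})),   # EtherNet/IP only
)
HEALTHY = Posture(os_patched=True, firewall_on=True, antivirus_on=True)
FIREWALL_OFF = Posture(os_patched=True, firewall_on=False, antivirus_on=True)


def decide(user, asset, method, hour, proto="", port=0, posture=None):
    """Convenience wrapper: evaluate against RULES at a whole-hour local time."""
    return evaluate(RULES, user, asset, method, time(hour), proto, port, posture)


if __name__ == "__main__":
    for args in [
        ("ana@contractor.example", "hmi-line3", CLIENTLESS, 9),
        ("ana@contractor.example", "plc-line3", AGENT, 9, "tcp", 44818, HEALTHY),
        ("ana@contractor.example", "plc-line3", AGENT, 9, "tcp", 44818, FIREWALL_OFF),
        ("ana@contractor.example", "plc-line3", AGENT, 9, "tcp", 22, HEALTHY),
        ("ana@contractor.example", "plc-line3", AGENT, 14, "tcp", 44818, HEALTHY),
        ("bob@vendor.example", "plc-line3", AGENT, 9, "tcp", 44818, HEALTHY),
    ]:
        print(decide(*args))
```

The ordering of the checks is the point: a request that matches no rule is denied without any further evaluation, the maintenance window is checked before anything else, and for the agent-based path the posture check runs before the port check, so a laptop with its firewall off is refused even when it asks for a permitted protocol. Each denial carries a reason so the decision can be logged and reviewed.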

Stronger security with less effort

Summing up: As a hybrid-cloud solution, Cisco SEA avoids the cost and complexity of maintaining secure remote access capabilities at scale across your industrial network and critical infrastructure. As a ZTNA solution, it lets you take back control by enforcing least-privilege security policies based on identity and context. And with the integration between SEA and Duo, you can also verify the security posture of remote computers, another key aspect of zero trust.

Check back soon for our next ZTNA blog, to learn how Cisco Secure Equipment Access can help you monitor remote access sessions for regulatory compliance, incident investigation, or training purposes.

In the meantime, be sure to subscribe to our OT Security newsletter, learn more about Cisco Secure Equipment Access (SEA), and check out our Cisco Validated Design Guide for guidance on how to implement ZTNA in your operational environment.
