Achieve Zero Trust Maturity with NetFoundry
In my previous article, I wrote about NIST's 800-207 publication. It details the Zero Trust Architecture framework and its seven tenets, and it also describes how NetFoundry exceeds those tenets with our unique architecture.
CISA's Zero Trust Maturity Model is another publication related to Zero Trust Security. It gives a pathway for any organization to achieve robust Zero Trust Security, irrespective of its current state. The CISA publication defines 3 stages in the Zero Trust Maturity journey that progress from a Traditional starting point: Initial, Advanced, and Optimal.
To bring focus to the adoption side, the ZTMM (Zero Trust Maturity Model) categorizes critical infrastructure into 5 pillars. Below I explain each pillar and how NetFoundry meets or exceeds the corresponding functions:
Identity: Zero Trust operates on the principle of 'Never Trust, Always Verify.' Strong identity means that every user and their associated credentials are authenticated and authorized before they can transact, and that access is granted only to those resources for which they are authorized.
At NetFoundry, we strictly enforce ABC: Authenticate/Authorize Before Connect. We also don't let an identity be reused, which prevents credential-stuffing attacks. You can integrate our solution with your choice of IdP for strong IAM and Identity Lifecycle Management.
Devices: If a device is compromised, it can be used as a launchpad to attack other resources. ZTMM suggests denying access to devices that don't meet minimum criteria.
At NetFoundry, we let you enforce Zero Trust at the network, host, or app level. We provide endpoint posture checks, such as MFA and a minimum OS version, that must pass before a device can even make a connection attempt. If you embed Zero Trust into an app, you can prevent any malware resident on the host from entering the application's user space.
Network: ZTMM suggests microsegmenting the network and ensuring strong encryption.
As explained above, with NetFoundry you can reduce the blast radius to the app level, which is far more granular than microsegmentation at the network level. We also offer two layers of encryption: one from the source to the destination endpoint using ChaCha20-Poly1305, and another at each network-segment hop using mTLS. Moreover, we let you close all inbound connections, making your app's presence dark to the public Internet. We use a secure fabric overlay to carry traffic from anywhere to anywhere.
Applications and Workloads: ZTMM suggests ensuring immutable workloads and strong CI/CD practices to protect applications and workloads.
At NetFoundry, application-level modifications by an external source are completely prevented if the application is embedded with our SDKs. Such an application contains an identity with provisioned certificates, which must be used before it can make or accept a connection. Our solution can be adapted to CI/CD environments for hacker-proof tooling.
Data: ZTMM suggests that organizations prevent data exfiltration and automate just-in-time and just-enough access to data.
With the NetFoundry solution, you can provide the same Zero Trust access to data as you can to an application. This means you can bring Zero Trust Security into the data rather than merely close to the data, which prevents data exposure to any unauthorized access. You can use our APIs to grant your users automated access for a set duration, and only to the data they need.
CISA's ZTMM also includes 3 cross-cutting capabilities that apply to all 5 pillars. Here is how NetFoundry's solution provides those capabilities:
Visibility and Analytics: We provide a very mature web portal as part of our Zero Trust platform. It will let you create identities, services, and policies to assign access. Our unique Attribute Explorer will let you see who has access to which resources. Our Metrics explorer provides an overview of the usage.
Automation and Orchestration: Instead of using the web portal, you can choose to use our APIs, as our solution is 100% API-driven.
Governance: We let you create enterprise-wide identity policies for all users and entities to comply with your organization's policies. Logs and Events can be pulled using API calls to your desired location for long-term retention. Portal administration can be integrated with an external identity provider and MFA can be enforced as well. Users can be granted granular permissions to manage our solution.
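To make the Devices and Visibility points above concrete, here is an added example (my own illustration, not NetFoundry's API or data model) of an authorize-before-connect policy check with endpoint posture gates, plus a "who has access to what" view in the spirit of the Attribute Explorer. All identities, services, attributes and posture values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Identity:
    name: str
    attributes: set      # role-style tags, e.g. {"#finance"}
    posture: dict        # constructed endpoint posture: mfa flag, os_version tuple

@dataclass
class Service:
    name: str
    attributes: set      # tags a policy can select on, e.g. {"#finance-apps"}

@dataclass
class Policy:
    identity_attrs: set  # identity must carry at least one of these
    service_attrs: set   # service must carry at least one of these
    require_mfa: bool = False
    min_os: tuple = (0, 0)   # (major, minor) minimum OS version

def authorized(identity: Identity, service: Service, policies: list) -> bool:
    """Authorize-before-connect: True only if some policy matches both sides
    AND the endpoint's posture meets that policy's minimums (deny by default)."""
    for p in policies:
        if not (identity.attributes & p.identity_attrs):
            continue
        if not (service.attributes & p.service_attrs):
            continue
        if p.require_mfa and not identity.posture.get("mfa", False):
            continue
        if identity.posture.get("os_version", (0, 0)) < p.min_os:
            continue
        return True
    return False

def attribute_explorer(identities, services, policies) -> dict:
    """'Who has access to which resources': identity name -> sorted service names."""
    return {i.name: sorted(s.name for s in services if authorized(i, s, policies))
            for i in identities}

# Constructed sample data: bob fails the MFA/OS gate for payroll, carol matches no policy.
IDENTITIES = [
    Identity("alice", {"#finance"}, {"mfa": True, "os_version": (14, 2)}),
    Identity("bob", {"#eng", "#finance"}, {"mfa": False, "os_version": (13, 0)}),
    Identity("carol", {"#contractor"}, {"mfa": True, "os_version": (14, 2)}),
]
SERVICES = [Service("payroll", {"#finance-apps"}), Service("git", {"#dev-tools"})]
POLICIES = [
    Policy({"#finance"}, {"#finance-apps"}, require_mfa=True, min_os=(14, 0)),
    Policy({"#eng"}, {"#dev-tools"}),
]
```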
Please DM me if we can help you to align with the 5 pillars outlined in the ZTMM.