Zero Trust Network Access (ZTNA) is a secure remote access service that verifies remote users and grants access only to specific resources at specific times, based on identity and context policies. This is part 2 in our ZTNA blog series for operational environments. Read the first blog here.
Right now, somewhere in the world a robotic arm needs a firmware upgrade, a wind turbine is stalled, and a highway message sign is displaying gibberish. If your business depends on operational technology (OT) or industrial control systems (ICS), you need to allow machine builders, maintenance contractors, or your own experts and technicians to remotely access equipment for configuration, troubleshooting, and updates.
Reduce the risk with ZTNA
In our last blog we gave a 10,000-foot view of Cisco Secure Equipment Access (SEA) and how it can help secure remote access to your industrial network. Cisco SEA is a Zero Trust Network Access (ZTNA) solution that controls who can connect, which OT assets they can access, and when. It starts from a default-deny posture and grants least-privilege access only once it trusts the user's identity.
Clientless and agent-based ZTNA
In addition to restricting access to specific assets and schedules, Cisco SEA can also restrict the access method remote technicians may use to log into an OT asset. If they are using RDP, VNC, SSH, Telnet, or HTTP(S), all they need is a web browser; no client software is required. Cisco SEA proxies all remote access traffic, which means users never have direct IP access to the asset or to the network. Fully isolating critical resources gives you unrivaled security.
In some scenarios, you may need a full IP communication path between the remote user and an OT asset. Examples are technicians using a vendor-specific management tool, editing a PLC program with a native desktop application, or transferring files to and from an asset. To address these advanced use cases, Cisco SEA offers an agent-based ZTNA access method called SEA Plus.
SEA Plus installs a lightweight application on the remote user's computer to create a secure end-to-end IP connection with the OT asset, enabling any TCP, UDP, and ICMP communication. However, unlike the network extension offered by a VPN solution, traffic always goes through the SEA trust broker, which enforces security policies such as which assets can be accessed, when, and which protocols and ports can be used.
Overall, SEA Plus provides native IP access to operational technology from remote computers, but without the need to design, deploy, and maintain a VPN infrastructure. It also strengthens and simplifies security with highly granular controls that tightly restrict access to OT assets, as required by the ZTNA least-privilege principle.
Take ZTNA to the next level with automated security-posture checks
Control over the who, what, how, and when of remote access is a big step toward robust protection of your industrial network and critical infrastructure. But when using SEA Plus, you are granting full IP access to an asset. How can you be sure that the user's computer will not expose the asset to malware or malicious traffic? To gain full trust, you need to verify the device the technician is using to log in.
Good news: Cisco SEA and Cisco Duo work together to automatically check device health before granting access to an asset. When a remote user tries to establish a session using the SEA Plus access method, Duo verifies that the user's computer complies with your security policies, for example operating system version and patch level, firewall status, use of antivirus software, and more. If a device does not meet your requirements, the technician cannot gain access.
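To make the policy model described above concrete, here is an added example of a minimal ZTNA trust-broker decision function. It is not Cisco's code and not how SEA or Duo are implemented; it models the behaviour the text describes: default deny, a least-privilege match on identity, asset, access method, schedule, and protocol/port, and a fail-closed device-posture check that only applies to the agent-based path, where the laptop gets a real IP route to the asset. The policy values, user and asset names, and posture fields are all constructed assumptions.

```python
"""Illustrative ZTNA trust-broker policy evaluator (constructed example, not a product's code)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Posture:
    """Device-health facts reported for the technician's laptop (constructed fields)."""
    os_patch_level: int
    firewall_enabled: bool
    antivirus_running: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    asset: str
    method: str                 # "clientless" (browser proxy) or "agent" (full IP path)
    protocol: str               # "ssh", "rdp", "tcp", "udp", "icmp", ...
    port: Optional[int]
    when: datetime
    posture: Optional[Posture]  # None if no device-health report accompanied the request


@dataclass(frozen=True)
class Policy:
    user: str
    assets: frozenset           # asset ids this identity may reach
    methods: frozenset          # access methods permitted for this identity
    days: frozenset             # weekdays permitted, 0 = Monday
    window: tuple               # (start, end) local time of day, end exclusive
    flows: frozenset            # (protocol, port) pairs; port None means any port
    min_patch_level: int        # agent-based sessions must report at least this


def flow_permitted(policy: Policy, protocol: str, port: Optional[int]) -> bool:
    """A flow matches only if the policy lists the exact (protocol, port) or (protocol, any)."""
    return (protocol, port) in policy.flows or (protocol, None) in policy.flows


def in_schedule(policy: Policy, when: datetime) -> bool:
    """Maintenance window check: right weekday and inside the time-of-day range."""
    start, end = policy.window
    return when.weekday() in policy.days and start <= when.time() < end


def posture_ok(policy: Policy, posture: Optional[Posture]) -> bool:
    """Fail closed: a missing or incomplete health report counts as non-compliant."""
    if posture is None:
        return False
    return (posture.os_patch_level >= policy.min_patch_level
            and posture.firewall_enabled
            and posture.antivirus_running)


def evaluate(policies, req: AccessRequest):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    policy = next((p for p in policies if p.user == req.user), None)
    if policy is None:
        return False, "unknown identity"
    if req.asset not in policy.assets:
        return False, "asset not assigned to user"
    if req.method not in policy.methods:
        return False, "access method not permitted"
    if not in_schedule(policy, req.when):
        return False, "outside maintenance window"
    if not flow_permitted(policy, req.protocol, req.port):
        return False, "protocol/port not permitted"
    # Posture is decisive only for the agent path, where the laptop gets an IP route to the asset;
    # the clientless path never gives the endpoint direct IP reachability.
    if req.method == "agent" and not posture_ok(policy, req.posture):
        return False, "device posture non-compliant"
    return True, "granted: least-privilege session"


# Constructed sample policy: a contractor may reach one PLC on weekdays 08:00-18:00,
# via the browser proxy over SSH, or via the agent on TCP/44818 (EtherNet/IP) only.
POLICIES = [
    Policy(
        user="contractor@vendor.example",
        assets=frozenset({"plc-line3"}),
        methods=frozenset({"clientless", "agent"}),
        days=frozenset(range(0, 5)),
        window=(time(8, 0), time(18, 0)),
        flows=frozenset({("ssh", 22), ("tcp", 44818)}),
        min_patch_level=120,  # constructed build number, not a real OS version
    )
]

if __name__ == "__main__":
    wed = datetime(2024, 6, 12, 10, 30)  # a Wednesday inside the window
    healthy = Posture(os_patch_level=130, firewall_enabled=True, antivirus_running=True)
    for req in (
        AccessRequest("contractor@vendor.example", "plc-line3", "clientless", "ssh", 22, wed, None),
        AccessRequest("contractor@vendor.example", "plc-line3", "agent", "tcp", 44818, wed, None),
        AccessRequest("contractor@vendor.example", "plc-line3", "agent", "tcp", 44818, wed, healthy),
        AccessRequest("contractor@vendor.example", "plc-line3", "agent", "tcp", 502, wed, healthy),
    ):
        print(req.method, req.protocol, req.port, "->", evaluate(POLICIES, req))
```

The order of checks matters for what a denied user learns: identity is checked first, then asset assignment, so an unknown identity never finds out whether an asset exists, and the posture check runs last so that a non-compliant laptop is refused even when every other policy condition matches.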
Stronger security with less effort
Summing up: As a hybrid-cloud solution, Cisco SEA avoids the cost and complexity of maintaining secure remote access capabilities at scale across your industrial network and critical infrastructure. As a ZTNA solution, it lets you take back control by enforcing least-privilege security policies based on identity and context. And with the integration between SEA and Duo, you can also check the security posture of remote computers, another key aspect of zero trust.
Check back soon for our next ZTNA blog, to learn how Cisco Secure Equipment Access can help you monitor remote access sessions for regulatory compliance, incident investigation, or training purposes.
In the meantime, be sure to subscribe to our OT Security newsletter, learn more about Cisco Secure Equipment Access (SEA), and check out our Cisco Validated Design Guide for help implementing ZTNA in your operational environment.