As we learnt, we need to take into consideration the key aspects that relate to the world of Zero Trust, so that we can enable remote access while providing the ability to sanitize each device before it connects to corporate network, data or resources.
Now we would like to take the practical approach towards fully implementing these best practices in real life.
The first concern is providing all users the means to securely connect to the corporate network and relevant resources from home, in transit or anywhere. Check Point provides several options for the secure connection infrastructure:
IPsec VPN – Provides full access to the corporate network with a VPN client. In order to implement this solution, a VPN client should be installed on each one of the devices with a relevant multi-factor authentication method configured (OTP via SMS or email), and the user groups in the relevant remote access VPN community should be updated accordingly.
Note: Make sure your current license supports the amount of connected devices in operation.
Mobile Access – Provides web based access to specific corporate applications without the need to install a VPN client. It provides an ad-hoc connection to a predefined corporate portal from any device.
Note: Ensure the portal is preconfigured to include all relevant applications and their matching user groups.
In addition, this technology provides the option of creating a lightweight SSL VPN client without the need for a designated portal.
Capsule Workspace – A designated solution for mobile devices that creates an AES256-bit encrypted container for all enterprise apps and data with very strong authentication methods and data retention option to limit the amount of locally-accessible data.
Note: This approach is highly recommended and is used by all Check Point employees.
Once the remote access method is determined, we need to implement the Zero Trust model we mentioned earlier.
Check Point Access Control Policy enables you to create granular network segmentation across public/private cloud and LAN environments. With detailed visibility into the users, groups, applications, machines and connection types on your network, you can set and enforce a “Least Privileged” access policy, so only the right users and devices can access your protected assets. For example, sales teams should have access to marketing apps, and marketing teams shouldn’t have access to finance resources.
Check Point Identity Awareness ensures that access to your data is granted only to authorized users based on their specific roles.
Since we now have an influx of unknown devices connecting to the corporate network, data and resources, we need to ensure that none of these devices is compromised. Check Point SandBlast Agent and SandBlast Mobile protect devices from cyber-attacks – both known and unknown – and block infected devices from accessing corporate data and assets, including employees’ mobile devices and desktops.
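The three building blocks above (a least-privilege access policy keyed on user groups, identity-based enforcement, and blocking of non-compliant devices) can be illustrated with a small policy evaluator. The code below is an added example written for this article; it is not Check Point's policy syntax or any product API. The group names, resource names, rule layout and the `compliant` posture flag are constructed for illustration, and the ordering (posture check first, then an ordered rule base, then an implicit cleanup drop) is one reasonable way to model the Zero Trust decision described in the text.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    """An authenticated identity and the directory groups it belongs to."""
    name: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Device:
    """A connecting endpoint; `compliant` is the posture verdict reported by
    an endpoint agent (constructed flag for this example)."""
    device_id: str
    compliant: bool


@dataclass(frozen=True)
class Rule:
    """One access-control rule: which groups may reach which resource."""
    source_groups: FrozenSet[str]
    destination: str
    action: str  # "accept" or "drop"


# Constructed rule base mirroring the article's example: sales and marketing
# reach the marketing app, only finance reaches finance resources. Anything
# not explicitly allowed falls through to the implicit cleanup drop.
POLICY: List[Rule] = [
    Rule(frozenset({"sales", "marketing"}), "marketing-app", "accept"),
    Rule(frozenset({"finance"}), "finance-erp", "accept"),
]


def evaluate(user: User, device: Device, destination: str,
             policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) for a connection attempt.

    Order of checks reflects the Zero Trust model in the text:
      1. device posture: a non-compliant device is dropped regardless of
         who is logged in;
      2. identity-aware rule base, first match wins;
      3. implicit cleanup rule: default deny.
    """
    if not device.compliant:
        return "drop", f"device {device.device_id} failed posture check"
    for number, rule in enumerate(policy, start=1):
        if rule.destination == destination and user.groups & rule.source_groups:
            return rule.action, f"rule {number}"
    return "drop", "implicit cleanup rule (no matching rule)"


def access_matrix(users: List[User], device: Device,
                  policy: List[Rule] = POLICY) -> dict:
    """Which resources each user could reach from a given device. Useful for
    reviewing that a rule base really is least-privilege before enforcing it."""
    destinations = sorted({rule.destination for rule in policy})
    return {
        user.name: [d for d in destinations
                    if evaluate(user, device, d, policy)[0] == "accept"]
        for user in users
    }


if __name__ == "__main__":
    clean = Device("laptop-01", compliant=True)
    infected = Device("phone-07", compliant=False)
    alice = User("alice", frozenset({"sales"}))
    bob = User("bob", frozenset({"marketing"}))
    carol = User("carol", frozenset({"finance"}))

    for user, device, dest in [(alice, clean, "marketing-app"),
                               (bob, clean, "finance-erp"),
                               (carol, infected, "finance-erp")]:
        action, reason = evaluate(user, device, dest)
        print(f"{user.name:6} {device.device_id:9} -> {dest:14} {action:6} ({reason})")

    print(access_matrix([alice, bob, carol], clean))
```

Running the script prints one decision line per attempt and the per-user reachability table; the table is the quickest way to spot a rule that grants more than the role needs.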