13.06.2022 • Product

A Modern Security Architecture for IT And OT


The traditional approach to securing digitized business and production processes assumes that all devices, applications and the communication between them are located in the company's own network. Consequently, the focus has been on securing the network at the perimeter, i.e., the dividing line between the internal and public networks. Within the network itself, communication was largely unrestricted. This approach no longer fits reality. Today's infrastructures are much more complex and often span multiple networks. In addition, there are more and more externally managed systems such as cloud environments or remotely maintained machines. At the same time, more and more critical business processes are being digitized and networked. This increases the requirements for availability and reliability as well as data protection. The simple approach of network-focused security scales less and less well in today's world.

In response to this new cybersecurity environment, the zero-trust paradigm shifts to a security architecture that focuses on securing the individual endpoints, users and services involved in a business or production process, as well as the communication paths between them. This means moving away from the idea that sufficient control is possible at the network perimeter.


Zero-Trust Networking

The Genubox remote maintenance solution is an example of how zero-trust network access can be implemented in industry in the form of a software-defined perimeter. Remote maintenance requires that service providers can connect from an external, potentially insecure network to a machine or system within an internal, security-sensitive production area. To initiate a secure remote maintenance session, a service box in the Genubox solution connects from the internal network to a rendezvous server that the external remote maintainer can reach. The remote maintainer in turn establishes encrypted communication to this perimeter via a remote maintenance app. After successful authentication, access is granted only to specific services, such as the desktop of the machine being serviced, the terminal (via SSH) or selected ports. Genubox thus allows external clients to access an internal infrastructure only after appropriately strong authentication, and only in a dedicated manner to explicitly defined services. Unlike a classic virtual private network (VPN), there is no complete network coupling.


Result: more robust and resilient networks.

Zero-trust networking thus replaces trust in the security of the overall network with trust in the security of specific communication endpoints. The impact of a compromised endpoint is therefore limited to the permitted communication relationships and no longer endangers the overall network. This approach puts operators back in control of their assets, proactively reduces the attack surface, and allows for faster detection and mitigation of attacks, as well as rapid and targeted recovery. The result is more robust and resilient networks, matching the higher criticality of modern digital business processes.

Author: Martina Hafner, Marketing Communications Manager

Company

Genua GmbH

Domagkstr. 7
85551 Kirchheim
Germany
