Zero Trust Networks

Any way you want it

You can't move at the moment without someone mentioning "Zero Trust" networks. According to Microsoft, 96% of security decision makers state that Zero Trust is critical to their organization's success, with 76% already adopting Zero Trust security measures.

Why?

Well, one reason is that the news has been highlighting the rising number of ransomware attacks, a recent high-profile example being the attack against Colonial Pipeline [2], where the attackers gained a foothold in the network and then moved laterally through the company's systems at will. Microsoft and others show how adopting Zero Trust principles can protect against this kind of attack [3], and the US Government is now demanding that all its agencies move to a Zero Trust architecture.

Therein lies the problem - Zero Trust isn’t a fixed model. Every company can and will implement the ideas of Zero Trust in a way that suits their organization at the time. This may mean that the customer will start with one network and security architecture then slowly transition to their final implementation model over time.

Despite what many software providers would have you believe, simply saying "we support Zero Trust" isn't nearly enough. Supporting Zero Trust isn't a one-size-fits-all solution. It needs to adapt to the security architecture the customer has implemented as they progress along their journey towards a Zero Trust network. It certainly won't happen overnight; it will be a managed process over many months or years.

uniFLOW Online follows the Zero Trust principles defined by Microsoft:

 Verify explicitly
 Use least-privileged access
 Assume breach

How these principles are implemented by each customer will be different.

One method of implementing a cloud-based print management system may work fine in the lab, but not in the real world. The worst-case scenario is for the network security team to have to compromise on their Zero Trust vision because the users can’t print.

uniFLOW Online, however, provides many different implementation options which allows the customer to decide which one works for their network regardless of where they are on the Zero Trust journey.

So, let's look at how uniFLOW Online's Zero Trust architecture works:

Firstly, let's look at the parts which are consistent regardless of how it is implemented. uniFLOW is built with a "security first" focus, so all communication is authenticated before any function can be carried out. Users log in using their existing company credentials such as Microsoft 365, Google Workspace, Okta and many more, in line with any multi-factor authentication policies defined by the IT department. This is part of the "Verify explicitly" Zero Trust principle.

Once the user has been authenticated, they can only perform actions which they are entitled to perform as part of their job. Most users will only be allowed to print, scan and copy on the devices to which they have been granted access. A fleet manager will be given privileged access to be able to manage the printers themselves, but perhaps not users' personal details, as that function is reserved for other administrators. In a school, college or university environment, some staff may also be allowed to handle cash and oversee users' budgets. Other people can be granted a mix of rights, depending on what their job requires. This is part of the "Use least-privileged access" principle.

Now the security foundations are laid, we can look at the networks themselves.
For some customers, it may be that users' computers and printers are on the same network and can all talk to each other. This does nothing to prevent lateral movement from one device to another, so it falls short of the "assume breach" principle. That may be because the company hasn't yet moved to a more secure level of network isolation, or simply because it is a very small office with only a few network points. Whatever the reason, uniFLOW Online can work with this network type by storing the jobs on the user's PC and releasing them directly to the printer when required.

For a more secure implementation, there might be a firewall or virtual network restrictions between the PCs and the printers. uniFLOW Online can work with this network implementation by storing the jobs on the Canon imageRUNNER hard disk itself, so the job is sent directly from MFD to MFD should the user choose to release it on a different device. Note that this mode does require the printers to be able to reach each other, so the segmentation policy must still permit MFD-to-MFD traffic even while it blocks PC-to-printer traffic. It also avoids the problem of the print job not being available if the user's PC is turned off when they want to release it.

The final, most secure, and increasingly common approach is to have every network point isolated from every other, regardless of the type of device. In this network configuration, each device can only "talk" to the Internet, i.e. there is no lateral movement of any form on the local network. This micro-segmentation of the network is the strongest expression of the "assume breach" Zero Trust principle. Naturally, uniFLOW Online works in this environment as well: all secure print jobs are stored in the cloud and the Canon devices pull the jobs down directly once the user has identified and selected which jobs they want to release. Beyond outbound access to the uniFLOW Online cloud service, the only things the Canon device needs are a power supply and a network cable. No other on-premises infrastructure or services of any kind are required.

So, no matter where you are on the Zero Trust journey, and no matter where you or your security department have decided you will end up, uniFLOW Online will work "Any way you want it".

Contact our team to learn more about uniFLOW Online.

Source: Blog post republished from uniFLOW online