Network Segmentation, Passwordless MFA Everywhere

Why We Made MFA Our DNA: The Vision Behind Zero’s Multi-Factor Segmentation

Published August 22, 2024 by Benny Lakunishok

Even before we started Zero, we understood that certain ports should never be statically open. The ports used by RDP, SSH, WMI, RPC, WinRM and similar management protocols are just too dangerous, and they are all too common targets in the attack campaigns used to spread ransomware. We thought, if we can keep ports closed and only open them after strong multi-factor authentication (MFA), then attackers will have virtually nowhere to go – no ability to move laterally. This became the foundation of our network segmentation solution and a true innovation in the market.

On the 24th of March 2019, our MFA patent was born, allowing us to control network connection access rules using MFA – redefining network security and least privilege architecture as the market knows it.

Networks That Are Built Closed with MFA

We started our segmentation solution with *network-layer* MFA. We believe MFA should be a core piece of your architecture, seamlessly integrated with segmentation capabilities that learn the behavior of network users and applications. That lets the platform automatically determine the optimal points for MFA to insert itself, such as privileged ports, and protect every nook and cranny of your network while keeping all of the trivial ports and applications open to the normal user and service. It needs to be fully automated, a true “set it and forget it” solution that minimizes workload for security teams. That’s true Multi-Factor Segmentation.

The DNA of Zero’s Multi-Factor Segmentation

By combining Zero’s network segmentation, identity segmentation, and network-layer MFA, organizations have access to the most powerful, protective multi-factor segmentation on the market – it’s more than marketing to us, it’s patented technology.

Unlike conventional MFA, which operates at the application level and requires users to verify their identity through SMS codes, authentication apps, or hardware tokens, our network-layer MFA is seamlessly integrated into the network infrastructure at layer 3.

This unique approach applies MFA at the port level, enabling precise control over access to network ports based on verified user credentials. Additionally, it empowers organizations to secure east-west traffic as well as north-south traffic, ensuring comprehensive protection against unauthorized access and enhancing overall network security.

Did we mention it’s just-in-time (JIT) MFA? Ports are only open for a specified amount of time (typically a few hours), leaving no ports open to hackers. Therefore, privileged users are allowed to temporarily access pre-approved assets only after MFA is passed.
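A small model of the default-closed, MFA-gated port policy described above, as an added example rather than Zero Networks' own code: privileged ports are denied unless a grant exists, a grant is created only when MFA succeeds, and it expires on its own. The port numbers, the two-hour window, and the “alice”/“bob”/“fileserver” names are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Ports kept closed by default. Standard ports for the protocols the post names
# (an assumption of this example, not values from the post).
PRIVILEGED_PORTS = {22: "SSH", 135: "RPC/WMI", 3389: "RDP", 5985: "WinRM"}

@dataclass
class JitGrant:  # one port on one asset, opened for one user until expires_at
    user: str
    dst_asset: str
    dst_port: int
    expires_at: datetime

@dataclass
class PortPolicy:
    grants: list = field(default_factory=list)

    def open_after_mfa(self, user, asset, port, mfa_passed, now, ttl=timedelta(hours=2)):
        """Create a time-limited grant only if the MFA challenge succeeded."""
        if not mfa_passed:
            return None
        grant = JitGrant(user, asset, port, now + ttl)
        self.grants.append(grant)
        return grant

    def evaluate(self, user, asset, port, now):
        """Decide one connection attempt: ('allow' | 'deny', reason)."""
        if port not in PRIVILEGED_PORTS:
            return "allow", "non-privileged port, statically open"
        # Drop expired grants so the port closes again without any admin action.
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in self.grants:
            if (g.user, g.dst_asset, g.dst_port) == (user, asset, port):
                return "allow", f"JIT grant valid until {g.expires_at:%H:%M}"
        return "deny", f"{PRIVILEGED_PORTS[port]} closed by default; MFA required"

def run_scenario():
    """Constructed timeline: admin 'alice' reaches 'fileserver' over RDP."""
    policy, t0 = PortPolicy(), datetime(2024, 8, 22, 9, 0)
    out = [policy.evaluate("alice", "fileserver", 3389, t0)[0]]      # deny: closed
    policy.open_after_mfa("alice", "fileserver", 3389, False, t0)    # failed MFA, no grant
    out.append(policy.evaluate("alice", "fileserver", 3389, t0)[0])  # still deny
    policy.open_after_mfa("alice", "fileserver", 3389, True, t0)     # MFA passed, 2h grant
    later = t0 + timedelta(minutes=30)
    out.append(policy.evaluate("alice", "fileserver", 3389, later)[0])  # allow
    out.append(policy.evaluate("bob", "fileserver", 3389, later)[0])    # deny: not his grant
    out.append(policy.evaluate("alice", "fileserver", 3389, t0 + timedelta(hours=3))[0])  # expired
    out.append(policy.evaluate("bob", "fileserver", 443, t0)[0])        # allow: not privileged
    return out
```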

Here’s What Happens When MFA is Combined with Automated Policy Creation and Zero Agents

  • You’ll fully segment your network in 30 days: That's right – with Zero, 30 days is all it takes to fully segment every asset and identity on your network. Not the “6-9 months” that our competitors promise, not years like other dark-ages solutions.
  • You’ll get a fully automated solution: Zero Networks is a fully automated platform, eliminating time spent on manual policy creation and management. According to the Enterprise Strategy Group, we save the average enterprise 87% compared with traditional firewall network segmentation and 75% compared with legacy microsegmentation. [Read the Report →]
  • Work with the pioneers of multi-factor segmentation: We patented network-layer multi-factor authentication – no one else. This isn’t a bolted-on piece of our solution, it’s part of our DNA. Combining MFA with network and identity segmentation creates a powerful solution to blocking lateral movement and stopping attacks from spreading, even if a hacker gains access to a network.

Multi-Factor Segmentation: Combining Network-Layer MFA with Network and Identity Segmentation

Chances are, you’ve heard about Zero’s advanced network segmentation capabilities that enable organizations to effortlessly segment every asset, including IT and OT systems, both on-premises and in the cloud, using a fully automated, agentless approach.

You’ve probably also heard about our identity segmentation capabilities that apply the same architecture of network segmentation to user identities, allowing security teams to control user logon access by logon type – network, local, service, etc.

Well, we’ve been combining these capabilities with our network-layer MFA for a while now, and this is what Chris Turek, the CIO of Evercore, had to say:

“Zero Networks is creating a new sphere of security capabilities. The combination of Zero’s network and identity segmentation capabilities redefines least privilege architecture, providing a level of protection that the market has never seen before. It allows security teams to control network device segmentation down to the port and protocol level and then layer complete control of user logon access by logon type – network, local, service, etc. As if that wasn’t enough, you can also add multi-factor authentication to any of those controls! You simply can’t do this using any other platform on the market today. Zero’s combined capabilities of network and identity segmentation are going to rewrite the playbook auditors and examiners use to assess security programs. Security teams need to take note and get ahead of the game.”

Multi-Factor Segmentation Use Cases with Zero Networks

  • Block ransomware and halt lateral movement: MFA-powered microsegmentation is the most robust defense against attackers, because the vast majority of ransomware and attackers only care about the privileged admin ports, which our MFA-powered segmentation completely closes by default.
  • Segment East-West and North-South Traffic: By combining Zero Networks’ patented MFA solution with network segmentation (multi-factor segmentation), you can effortlessly protect client-to-server and even client-to-client sensitive traffic (like help desk activity).
  • Restrict and enforce MFA on admin accounts in a click: Unlike legacy vendors that must keep at least some privileged ports open and therefore vulnerable even without credentials, Zero Networks keeps ports closed and opens them after admin users have authenticated using just-in-time MFA. This blocks lateral movement.
  • Apply MFA to anything: Zero Networks is the only solution that applies MFA at the port level, enabling just-in-time MFA to clients, servers, and to any asset that could not have been protected by MFA so far, such as legacy applications, databases and OT/IoT devices and more.
  • Gain deep visibility into network traffic and behavior: Get granular details on inbound and outbound MFA – source assets, destination assets, destination ports, time created, source users, and so much more. Identify anomalies in real time.
  • Securely connect remote employees and third parties: Segment user access and verify all users using MFA authentication.
  • Protect OT and IoT devices: That’s right – multi-factor segmentation can be applied to unmanageable devices using Zero.

Redefine Least Privilege Architecture with Multi-Factor Segmentation

We’ve always been MFA-powered – and we’ve always believed in microsegmentation for all. We exist to disrupt network security as you know it – as our competitors know it – so that we can create a safer world. Let’s put the fluffy cyber jargon to the side – zero trust, multi-factor whatever – we want to secure your network in 30 days. No headaches, no professional services required, just real technology that does what it says it does.

Request a demo and we’ll get you segmented faster than anyone else can →