5 considerations for building a zero trust IT environment
Zero trust isn’t a product or service, and it’s certainly not just a buzzword. Rather, it’s a particular approach to cybersecurity. It means exactly what it says – not “verify, then trust” but “never trust and always verify.”
Essentially, zero trust is about protecting data by limiting access to it. An organization will not automatically trust anyone or anything, whether inside or outside the network perimeter. Instead, the zero trust approach requires verification for every person, device, account, etc. attempting to connect to the organization’s applications or systems before granting access.
But wait. Aren’t cybersecurity systems already designed to do that? Is zero trust simply cybersecurity with some added controls?
Good question. Zero trust frameworks certainly include many technologies that organizations already use to protect their data. However, zero trust represents a clear pivot in how to think about cybersecurity defense. Rather than defending a single, enterprise-wide perimeter, this approach moves the perimeter to every network, system, user and device, inside and outside the organization. That shift is enabled by strong identities, multi-factor authentication, trusted endpoints, network segmentation, access controls and user attribution, which together compartmentalize and regulate access to sensitive data and systems.
In short, zero trust is a new way to think about cybersecurity to help organizations protect their data, their customers, and their own competitive advantage in today’s rapidly changing threat landscape.
Why now is the time for zero trust in cybersecurity
Corporate executives are feeling the pressure to protect enterprise systems and data. Investors and “data subjects” – customers and consumers – are also insisting on better data security. Security gets even more complicated when some data and applications are on premises and some are in the cloud, and everyone from employees to contractors and partners is accessing those applications from a variety of devices and locations. At the same time, government and industry regulations are ramping up the requirements for securing important data, and zero trust can help demonstrate compliance with those regulations.
Zero trust cybersecurity technologies
Fortunately, the technology supporting zero trust is advancing rapidly, making the approach more practical to deploy today. There is no single approach for implementing a zero trust cybersecurity framework, and neither is there any single technology. Rather, technology pieces fit together to ensure that only securely authenticated users and devices have access to target applications and data.
For example, access is granted on the principle of least privilege: users get only the data they need to do their job, and only while they are doing it. This includes expiring privileges and one-time-use credentials that are revoked automatically once access is no longer required. In addition, traffic is inspected and logged continuously, and access is confined to micro-perimeters so that an attacker who compromises one system cannot move laterally to others across the network.
A zero trust framework uses a number of security technologies to increase the granularity of access to sensitive data and systems. Examples include identity and access management (IAM), role-based access control (RBAC), network access control (NAC), multi-factor authentication (MFA), encryption, policy enforcement engines, policy orchestration, logging, analytics and scoring, and file system permissions.
Equally important, technology standards and protocols are available to support the zero trust approach. The Cloud Security Alliance (CSA) has developed a security framework called the software-defined perimeter (SDP), which has been used in some zero trust implementations. The Internet Engineering Task Force (IETF) has standardized the Host Identity Protocol (HIP), which introduces a cryptographic host identity layer between the network and transport layers of the stack, so that hosts are identified by public keys rather than by IP addresses. Numerous vendors are building on these advances to bring zero trust solutions to market.
Based on these technologies, standards and protocols, organizations can use three different approaches to implementing zero trust security:
1. Network micro-segmentation, with networks carved into small granular nodes all the way down to a single machine or application. Security protocols and service delivery models are designed for each unique segment.
2. SDP, based on a need-to-know strategy in which device posture and identity are verified before access to application infrastructure is granted.
3. Zero trust proxies that sit between client and server, so that clients never connect directly to the protected service and the private network behind the proxy is not exposed to them.
Which approach is best for a given situation depends on what application(s) are being secured, what infrastructure currently exists, whether the implementation is greenfield or encompassing legacy environments, and other factors.
Adopting zero trust in IT: Five steps for building a zero trust environment
Building a zero trust framework doesn’t necessarily mean a complete technology transformation. By using this step-by-step approach, organizations can proceed in a controlled, iterative fashion, helping to ensure the best results with a minimum of disruption to users and operations.
1. Define the protect surface – With zero trust, you don’t try to defend the entire attack surface; you focus on the much smaller protect surface: the critical data, applications, assets and services (DAAS) most valuable to your company. Examples include credit card information, protected health information (PHI), personally identifiable information (PII) and intellectual property (IP); applications, whether off-the-shelf or custom; assets such as SCADA controls, point-of-sale terminals, medical equipment, manufacturing systems and IoT devices; and services like DNS, DHCP and Active Directory.
Once the protect surface is defined, you can move your controls as close as possible to it, enabling you to create a micro-perimeter (or compartmentalized micro-perimeters) with policy statements that are limited, precise and understandable.
2. Map transaction flows – The way traffic moves across a network determines how it should be protected. Thus, you need to gain contextual insight around the interdependencies of your DAAS. Documenting how specific resources interact allows you to properly enforce controls and provides valuable context to help ensure optimal cybersecurity with minimal disruption to users and business operations.
3. Architect your zero trust IT network – Zero trust networks are custom-built around the protect surface rather than derived from a single, universal design. Once you’ve defined the protect surface and mapped flows relative to the needs of your business, you can lay out the zero trust architecture, starting with a next-generation firewall. The next-generation firewall acts as a segmentation gateway, creating a micro-perimeter around the protect surface. With a segmentation gateway you can enforce additional layers of inspection and access control, all the way up to Layer 7, on anything trying to reach resources within the protect surface.
4. Create your zero trust security policies – Once the network is architected, you will need to create zero trust policies determining access. You need to know who your users are, what applications they need to access, why they need access, how they tend to connect to those applications, and what controls can be used to secure that access.
With this level of granular policy enforcement, you can be sure that only known, allowed traffic and legitimate application communication is permitted; everything else is denied by default.
5. Monitor and maintain networks – This final step includes reviewing all logs, internal and external, and focusing on the operational aspects of zero trust. Since zero trust is an iterative process, inspecting and logging all traffic will provide valuable insights into how to improve the network over time.
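The five steps above, together with the least-privilege mechanics described earlier (expiring privileges and one-time-use credentials), as an added worked example that is not part of the original article and not any vendor's product: a small Python policy enforcement point fronting one protect surface. It defines the protect surface (step 1), derives the allowed flows from flow-log lines (step 2), evaluates each request against identity, MFA, device posture, the mapped flows and a time-boxed grant with default deny (step 4), and writes every decision to an audit trail (step 5). The service names, users, devices, grants and log lines are all constructed for illustration, and the log-line format is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Step 1: the protect surface (constructed service names, not a real environment).
PROTECT_SURFACE = {"payments-db", "phi-records"}

# Step 2: constructed flow-log lines in an assumed "<time> user= dev= dst= port=" format.
FLOW_LOG = """\
2024-05-01T09:00:00Z user=alice dev=lap-01 dst=payments-db port=5432
2024-05-01T09:05:00Z user=alice dev=lap-01 dst=wiki port=443
2024-05-01T09:07:00Z user=bob dev=lap-02 dst=phi-records port=443
2024-05-01T09:09:00Z user=bob dev=lap-02 dst=payments-db port=5432
2024-05-01T09:11:00Z user=carol dev=lap-03 dst=wiki port=443
"""
FLOW_RE = re.compile(r"user=(\S+) dev=(\S+) dst=(\S+) port=(\d+)")

def map_flows(log_text, protect_surface):
    """Return the (user, destination, port) tuples observed reaching the protect surface."""
    flows = set()
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if m and m.group(3) in protect_surface:
            flows.add((m.group(1), m.group(3), int(m.group(4))))
    return flows

@dataclass
class Device:
    managed: bool          # enrolled with and known to the organisation
    disk_encrypted: bool
    patched: bool          # OS inside the patch window

def device_compliant(d):
    return d.managed and d.disk_encrypted and d.patched

@dataclass
class Grant:
    """Least-privilege entitlement: one user, one resource, time-boxed, optionally one-time."""
    user: str
    resource: str
    expires_at: datetime
    single_use: bool = False
    used: bool = False

    def active(self, now):
        return not self.used and now < self.expires_at

class PolicyEngine:
    """Step 4: default-deny decision per request. Step 5: every decision is logged."""
    def __init__(self, protect_surface, allowed_flows, grants):
        self.protect_surface = protect_surface
        self.allowed_flows = allowed_flows
        self.grants = grants
        self.decisions = []    # audit trail of (time, user, resource, allowed, reason)

    def evaluate(self, user, device, resource, port, mfa_verified, now):
        allowed, reason = self._decide(user, device, resource, port, mfa_verified, now)
        self.decisions.append((now.isoformat(), user, resource, allowed, reason))
        return allowed, reason

    def _decide(self, user, device, resource, port, mfa_verified, now):
        if resource not in self.protect_surface:
            return False, "unknown-resource"      # this PEP fronts only the protect surface
        if not mfa_verified:
            return False, "mfa-required"          # strong identity before anything else
        if not device_compliant(device):
            return False, "device-noncompliant"   # posture re-checked on every request
        if (user, resource, port) not in self.allowed_flows:
            return False, "flow-not-mapped"       # only flows seen in step 2 are permitted
        for g in self.grants:
            if g.user == user and g.resource == resource and g.active(now):
                if g.single_use:
                    g.used = True                 # one-time credential consumed on use
                return True, "allow"
        return False, "no-active-grant"           # nothing current and unexpired

def demo():
    """Run constructed requests through the engine; returns (verdicts, audit log)."""
    flows = map_flows(FLOW_LOG, PROTECT_SURFACE)
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    good = Device(managed=True, disk_encrypted=True, patched=True)
    stale = Device(managed=True, disk_encrypted=True, patched=False)
    grants = [Grant("alice", "payments-db", t0 + timedelta(hours=1)),
              Grant("bob", "phi-records", t0 + timedelta(hours=1), single_use=True)]
    pep = PolicyEngine(PROTECT_SURFACE, flows, grants)
    verdicts = {
        "alice_ok": pep.evaluate("alice", good, "payments-db", 5432, True, t0),
        "alice_no_mfa": pep.evaluate("alice", good, "payments-db", 5432, False, t0),
        "alice_expired": pep.evaluate("alice", good, "payments-db", 5432, True, t0 + timedelta(hours=2)),
        "bob_bad_device": pep.evaluate("bob", stale, "phi-records", 443, True, t0),
        "bob_first": pep.evaluate("bob", good, "phi-records", 443, True, t0),
        "bob_replay": pep.evaluate("bob", good, "phi-records", 443, True, t0),
        "carol_unmapped": pep.evaluate("carol", good, "payments-db", 5432, True, t0),
    }
    return verdicts, pep.decisions

if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:15s} {verdict}")
```

Two design points are worth noticing. The checks are ordered so that the cheapest, most identity-centric ones (MFA, device posture) fail first, and no branch grants access unless a current grant is found, so a new resource or user is denied until policy is written for it. The flow allowlist is derived from observed traffic, which is only as good as the mapping window: carol is denied not because she is malicious but because nobody has yet documented why she should reach the payments database, which is exactly the conversation step 4 says you need to have.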
Additional considerations and best practices
For organizations considering undertaking a zero trust security model, here are some best practices to help ensure success:
- Make sure you have the right strategy before choosing an architecture or technology. Zero trust is data-centric, so it is important to think about where that data is, who needs to have access to it, and what approach can be used to secure it. Forrester suggests dividing data into three categories (Public, Internal and Confidential), with each “chunk” of data getting its own micro-perimeter.
- Start small to gain experience. The scale and scope for implementing zero trust for an entire enterprise can be overwhelming. As an example, it took Google seven years to implement its own project known as BeyondCorp.
- Consider the user experience. A zero trust framework doesn’t have to be disruptive to employees’ normal work processes, even though they (and their devices) are being scrutinized for access verification. Some of those processes can be in the background where users don’t see them at all.
- Implement strong measures for user and device authentication. The very foundation of zero trust is that no one and no device can be trusted until it is thoroughly verified as having a right to access a resource. Thus, an enterprise-wide IAM system based on strong identities, rigorous authentication and non-persistent permissions is a key building block for a zero trust framework.
- Incorporate a zero trust framework into digital transformation projects. When you redesign work processes, you can also transform your security model.
There’s never been a better time than now to adopt zero trust security models. The technologies have matured, the protocols and standards are set, and the need for a new approach to security cannot be ignored.