Zero Trust is a framework for cybersecurity and access management that’s quickly becoming the industry standard. Zero Trust isn’t a product, nor is it one specific solution or type of technology. Rather, it’s an approach to security.
You can identify solutions that will help you work toward the Zero Trust framework, but there’s not one magic option that’s going to do everything for you.
For most organizations, the best course is to incrementally implement Zero Trust in a strategic, methodical way.
You don’t have to do it all overnight, nor should you.
Below is a guide to implementation, especially for SMEs.
What is Zero Trust?
The Zero Trust architecture approach goes beyond being a buzzword. Instead, it’s a strategic approach to secure networks and assets that is especially relevant to the world we’re in right now.
Following the pandemic, employees moved to remote environments. That left enormous gaps in cybersecurity.
Now, two years later, many employees are still working offsite or are at least working in a hybrid way.
This sped up the digital transformation and the shift to the cloud, even to smaller and more traditional organizations.
So why the move toward Zero Trust?
This approach to cybersecurity eliminates implicit trust and validates continuously at each stage of a digital interaction. The principle that underlies it all is never trust, always verify.
With this approach in mind, there’s protection in modern environments, and there’s a way to help promote digital transformation.
Some of the big elements that exist in a strategic Zero Trust architecture include the prevention of lateral movement, network segmentation, strong authentication, and least access policies.
If you look at traditional models of security, they operate on the assumption that if a user or device is within a network, there’s implicit trust.
If someone or something gains access to a network following an implicit trust approach, they can move around freely.
With the increasing reliance on a hybrid workforce and migration to the cloud, Zero Trust has gone from something talked about in theory to a necessity.
Along with having distributed workforces in terms of employees, organizations are also outsourcing to freelancers and contractors more often.
This all means the traditional network edge or perimeter no longer exists.
According to the National Institute of Standards and Technology Special Publication, basic principles of Zero Trust cybersecurity architecture include:
• The assumption of a breach
• Assuming that the enterprise environment is no more trustworthy than the environment that’s not enterprise-owned
• Continuous evaluation and analysis of risk
• Continuously putting risk mitigation protections in place
• Minimizing user and asset access
• Continuous authentication and authorization of identity and security for every access request
By assuming you’ve already been infiltrated, you’re able to take a stronger posture against possible threats and reduce the impact if there is a breach.
The goal is to limit the blast radius, meaning that you’re limiting the extent and reach of possible damage from a breach through segmented access and reducing the attack surface. You’re also verifying end-to-end encryption, and there’s network monitoring in real-time.
Least-privilege access is part of Zero Trust frameworks. The Principle of Least Privilege limits access rights, and each user has only the bare minimum level of privilege required to do their jobs.
What Does Zero Trust Protect Against?
Zero Trust protects against many key threats, and most important to note here is that more than 80% of all attacks involve stolen credentials or credential misuse in the network.
Zero Trust helps organizations avoid these types of threats while providing more visibility and better, faster detection.
Zero Trust provides protection from ransomware, supply chain attacks, and insider threats.
Steps to Implement Zero Trust
The following are the most basic and fundamental steps you would need to keep in mind to implement a framework that eliminates the traditional network edge.
Define Your Protect Surface
Outdated ways of thinking about cybersecurity might have you working to reduce your attack surface. This is not a good option in the current landscape, as attack surfaces are always increasing, and that will continue to happen. When the attack surfaces increase, it gets harder to define them, shrink them or even defend them.
With Zero Trust, rather than chasing the whole attack surface, you narrow your focus to what matters most. You’re figuring out your protect surface.
The protect surface encompasses DAAS: your most critical data, applications, assets, and services.
Data might include something like credit card information or intellectual property. Applications can include both your custom and off-the-shelf software. Assets could include your IoT devices, just as an example, and services can include your DNS and Active Directory.
After you define your protect surface, you can start to create controls with those in mind, developing micro perimeters.
Your network isn’t something static. Instead, it’s something that’s always going to expand. That continuous expansion is why outside of Zero Trust, it’s difficult to control or protect.
You don’t need to map out your entire network to take the first step to Zero Trust.
Map How Your Traffic Flows
A good next step is to begin to map how your traffic is moving across the network because that’s going to help you figure out how to protect it.
You need contextual analytics for your protect surface.
How are resources interacting with each other?
That context is what’s going to help you make sure that you’re putting in place controls that deliver security without additional friction.
You don’t necessarily need to have every piece of information to map out the flow of traffic and interactions of applications. You need to get a general view of how systems are working so that you can see where you need to put in place access controls.
Basically, you’re trying to figure out what you’re protecting before you actually start building the protection for it.
During this phase of implementation, you want to know who needs access to what digital resources. This is going to go well beyond simply having a list of your employees.
When you identify users, you need to think about contractors, serverless functions, robotic process automation, and service accounts. You have to think about who needs privileged access, which may include your system admins and developers.
Then you have to identify devices requiring network access. The devices can include workstations, phones, tablets, routers, switches, and modems, as well as IoT devices.
Since you should have identified processes by this time, you might want to find which candidates could be well-suited to the first round of migration. Low-risk processes tend to be best because you don’t have to worry as much about business downtime.
Create An Architecture
Your Zero Trust network is always going to be entirely customized. There’s not one particular design you can follow because the architecture is built around the protect surface and your mapped flows.
You can begin mapping out your architecture once you’ve done the above, and you might start with a next-generation firewall.
A next-generation firewall makes a good starting point because it starts the process of segmentation, building a micro perimeter around the protect surface.
You don’t necessarily have to start from ground zero. A lot of organizations don’t realize they already have solutions that support Zero Trust.
Examples include conditional access policies, single sign-on, identity and access management, and multi-factor authentication.
If you already have even just one solution that supports Zero Trust, start with an expansion of that.
There are small but impactful things you can do with elements you already have.
You’ll need policies to go along with your architecture. Your policies need to outline who should be accessing a resource and what application is used to access a resource within the protect surface.
Policies should identify when the resource is being accessed, where the packet destination is, why the packet is trying to access a resource, and how it’s trying to access the protect surface.
Policies need to determine, for every request, whether a user or device is fulfilling the required access criteria for getting into protected areas; a request that matches no policy is denied.
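The who/what/when/where/why/how policy described above can be turned into a small default-deny decision function. The following Python is an added example written for this article, not code from the original post: the group name, application name, host name and business-hours window are assumptions chosen to illustrate one rule for one protect-surface resource, and the evaluation runs on every request rather than once per session, which is the "continuous verification" the framework calls for.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample policy set: one rule for one protect-surface resource (an
# Active Directory service). Group, app and host names are assumptions for this example.
POLICIES: List[Dict] = [
    {
        "name": "helpdesk-resets-via-admin-console",
        "who":   {"group": "helpdesk", "mfa_required": True},     # who may access
        "what":  {"app": "admin-console"},                         # which application is used
        "when":  {"hours": (8, 18)},                               # allowed local hours [start, end)
        "where": {"resource": "ad.corp.example"},                  # packet destination
        "why":   {"purposes": {"password-reset", "account-unlock"}},
        "how":   {"managed_device": True, "protocol": "https"},   # device posture and transport
    },
]


@dataclass
class AccessRequest:
    user: str
    group: str
    mfa: bool
    app: str
    resource: str
    purpose: str
    managed_device: bool
    protocol: str
    at: datetime


@dataclass
class Decision:
    allowed: bool
    policy: Optional[str]              # name of the matching policy, or None when denied
    reasons: List[str] = field(default_factory=list)


def _failures(policy: Dict, req: AccessRequest) -> List[str]:
    """Return the Kipling dimensions (who/what/when/where/why/how) this request fails."""
    failed = []
    who = policy["who"]
    if req.group != who["group"] or (who["mfa_required"] and not req.mfa):
        failed.append("who")
    if req.app != policy["what"]["app"]:
        failed.append("what")
    start, end = policy["when"]["hours"]
    if not (start <= req.at.hour < end):
        failed.append("when")
    if req.resource != policy["where"]["resource"]:
        failed.append("where")
    if req.purpose not in policy["why"]["purposes"]:
        failed.append("why")
    how = policy["how"]
    if (how["managed_device"] and not req.managed_device) or req.protocol != how["protocol"]:
        failed.append("how")
    return failed


def evaluate(req: AccessRequest, policies: List[Dict] = POLICIES) -> Decision:
    """Default deny: allow only when some policy is satisfied on all six dimensions.
    Every request is evaluated afresh, so a session never carries implicit trust."""
    reasons = []
    for policy in policies:
        failed = _failures(policy, req)
        if not failed:
            return Decision(True, policy["name"])
        reasons.append(f"{policy['name']}: failed {', '.join(failed)}")
    return Decision(False, None, reasons)


def sample_request(hour: int = 10, **overrides) -> AccessRequest:
    """Build a constructed request that satisfies the sample policy unless overridden."""
    fields = dict(user="alice", group="helpdesk", mfa=True, app="admin-console",
                  resource="ad.corp.example", purpose="password-reset",
                  managed_device=True, protocol="https",
                  at=datetime(2022, 3, 25, hour, 0))
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    for label, req in [("in policy", sample_request()),
                       ("no MFA", sample_request(mfa=False)),
                       ("after hours", sample_request(hour=22)),
                       ("wrong purpose", sample_request(purpose="data-export"))]:
        d = evaluate(req)
        print(f"{label:14} -> {'ALLOW' if d.allowed else 'DENY'} {d.policy or d.reasons}")
```

The denial reasons name the failed dimension rather than the whole policy, which is what an admin reviewing logs needs to tune a rule without widening it; keeping each rule tied to one resource and one purpose set is how the policy stays least-privilege as more rules are added.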
Finally, as much visibility and documentation of activity in your environment as possible is what fuels Zero Trust. You need to recognize the value of knowledge every step of the way. That knowledge is used not only for security and protection but can also be used to enhance your network security over time.
Your admins will be able to see critical bits of information that will help your Zero Trust architecture expand and become increasingly customized and effective.
You start with what you can introduce into your current architecture pretty easily and without a complete overhaul. Then, once you’re ensuring that critical data and resources are only accessible to those trusted individuals and entities, you can move on.
There are no best practices in Zero Trust, really, because what you need and what’s best for you is highly individualized in this framework.
There are general steps you can take to move in the right direction, but it’s ultimately up to you what’s going to be the best architecture.
Latest posts by Adam Tanton
- How to Start Implementing a Zero Trust Framework - March 25, 2022