Have Zero Trust
Zero trust is THE security buzzword of the moment, and it is almost certainly on your organization's cyber roadmap. The usual drivers are audit findings, a desire to reduce risk, security teams adopting an 'assume breach' posture, workloads moving to the cloud, and the increase in remote access since the pandemic.
A concept, not a mechanism
Zero trust is a security architecture concept that aims to ensure that users and systems have access only to the data and applications they need to do their jobs, and that limits the impact of a breach through segmentation. Zero trust is also part of the SASE concept, which aims to provide secure network connectivity in a hybrid cloud environment. SASE does this by moving network connectivity and the associated security controls to where the data flows are, rather than bending the data flows toward the network connectivity and security controls, thereby improving user experience.
This really isn't that new: it is a positive security model (deny by default; allow only what is explicitly permitted) that applies the principle of least privilege, with the difference that access decisions are continuously monitored and enforced on every request rather than granted once at a network perimeter.
While zero trust is an architectural notion that relies on the full gamut of your security ecosystem, you may be familiar with the following terms that underpin zero trust capability:
- Zero trust network access (ZTNA) or software defined perimeter (SDP). Both provide secure remote access to applications in legacy data centers and in the cloud, brokering each connection per user and per application rather than placing the user on the network.
- Micro-segmentation. Provides server-level segmentation in the data center and cloud so that servers can communicate only with other servers in their application stack.
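The positive security model described above (deny by default, least privilege, enforced per request) and the ZTNA and micro-segmentation capabilities in the list are easiest to see in a small policy decision point. The following is an added illustration written for this article, not WWT's, NIST's or any vendor's code. The data model (a subject with roles, an endpoint with posture attributes, a source and target segment, and an action such as "tcp/8443"), the three constructed rules for a three-tier application plus one remote DBA, and the 30-day patch threshold are all assumptions made for the example.

```python
"""Minimal zero trust policy decision point (PDP): default deny, posture-gated.

Added example for illustration only (not from the article or NIST SP 800-207).
Every request is evaluated afresh, so an endpoint that falls out of compliance
is denied on its next request even though it was allowed a moment earlier.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MAX_PATCH_AGE_DAYS = 30  # assumed posture threshold, not taken from the article


@dataclass(frozen=True)
class Endpoint:
    """Device or workload host presenting the request (assumed attribute set)."""
    endpoint_id: str
    managed: bool          # enrolled in endpoint management
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Request:
    subject: str            # user or workload identity
    roles: FrozenSet[str]   # groups/roles from the identity provider
    endpoint: Endpoint
    source_segment: str     # e.g. "web-tier" or "remote" (ZTNA user)
    target_segment: str
    action: str             # e.g. "tcp/8443"


@dataclass(frozen=True)
class Rule:
    name: str
    roles: FrozenSet[str]
    source_segments: FrozenSet[str]
    target_segment: str
    actions: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def check_posture(ep: Endpoint) -> Optional[str]:
    """Return a denial reason, or None if the endpoint is compliant."""
    if not ep.managed:
        return "unmanaged endpoint"
    if not ep.disk_encrypted:
        return "disk not encrypted"
    if ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        return f"patches {ep.patch_age_days} days old (max {MAX_PATCH_AGE_DAYS})"
    return None


def evaluate(rules: Tuple[Rule, ...], req: Request, audit_log: List[str]) -> Decision:
    """Default deny: allow only when posture passes AND an explicit rule matches."""
    posture_problem = check_posture(req.endpoint)
    if posture_problem is not None:
        decision = Decision(False, f"posture: {posture_problem}")
    else:
        decision = Decision(False, "no matching rule (default deny)")
        for rule in rules:
            if (req.roles & rule.roles
                    and req.source_segment in rule.source_segments
                    and req.target_segment == rule.target_segment
                    and req.action in rule.actions):
                decision = Decision(True, f"rule {rule.name}")
                break
    # Every decision, allowed or denied, is recorded for the analytics pillar.
    verdict = "ALLOW" if decision.allow else "DENY "
    audit_log.append(f"{verdict} {req.subject}@{req.endpoint.endpoint_id} "
                     f"{req.source_segment}->{req.target_segment} {req.action}: "
                     f"{decision.reason}")
    return decision


# Constructed micro-segmentation policy: web may talk to app, app to db,
# and a DBA may reach db remotely. Nothing else is listed, so nothing else passes.
RULES = (
    Rule("web-to-app", frozenset({"svc-web"}), frozenset({"web-tier"}),
         "app-tier", frozenset({"tcp/8443"})),
    Rule("app-to-db", frozenset({"svc-app"}), frozenset({"app-tier"}),
         "db-tier", frozenset({"tcp/5432"})),
    Rule("dba-remote", frozenset({"dba"}), frozenset({"remote"}),
         "db-tier", frozenset({"tcp/5432"})),
)


def demo() -> Tuple[List[bool], List[str]]:
    """Evaluate four constructed requests; return (allow flags, audit log)."""
    audit: List[str] = []
    web_host = Endpoint("web01", managed=True, disk_encrypted=True, patch_age_days=5)
    laptop_ok = Endpoint("lt-42", managed=True, disk_encrypted=True, patch_age_days=10)
    laptop_stale = Endpoint("lt-42", managed=True, disk_encrypted=True, patch_age_days=45)
    requests = [
        # 1. web tier to app tier on the published port: allowed by rule
        Request("svc-web", frozenset({"svc-web"}), web_host, "web-tier", "app-tier", "tcp/8443"),
        # 2. web tier straight to the database: lateral movement, no rule, denied
        Request("svc-web", frozenset({"svc-web"}), web_host, "web-tier", "db-tier", "tcp/5432"),
        # 3. remote DBA on a compliant laptop: allowed by the ZTNA rule
        Request("alice", frozenset({"dba"}), laptop_ok, "remote", "db-tier", "tcp/5432"),
        # 4. same DBA, same rule, but the laptop is now out of patch compliance: denied
        Request("alice", frozenset({"dba"}), laptop_stale, "remote", "db-tier", "tcp/5432"),
    ]
    return [evaluate(RULES, r, audit).allow for r in requests], audit


if __name__ == "__main__":
    _, log = demo()
    print("\n".join(log))
```

Request 2 is the micro-segmentation case: the web tier is a legitimate workload, but there is no rule for it to reach the database, so the default-deny result stands. Requests 3 and 4 are the same identity and the same rule; only the endpoint posture changed between them, which is what "continuously enforced" means in practice. In a real deployment the rules would come from the policy engine, the roles from your identity provider and the posture attributes from your endpoint protection platform, which is why the article stresses integrating those systems before buying a ZTNA or segmentation product.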
There is often a link between OEMs' zero trust network access offerings and their secure web gateway services, as both are typically delivered through the same endpoint agent. It is therefore wise to evaluate these services together.
Our customers gain a number of benefits from adopting a zero trust stance, including visibility of the applications their users are interacting with, a smaller blast radius when an incident does occur, and reduced risk through stronger access controls, particularly for trusted third-party access, which is a key threat vector these days.
The 7 steps of zero trust deployment
NIST SP 800-207 is the NIST publication that defines zero trust architecture (ZTA). Within it is a seven-step process for introducing a zero trust architecture:
- Identify actors on the enterprise.
- Identify assets owned by the enterprise.
- Identify key processes and evaluate the risks associated with executing them.
- Formulate policies for the ZTA candidate.
- Identify candidate solutions.
- Carry out initial deployment and monitoring.
- Expand the ZTA.
In many of our customer engagements, WWT sees organizations jumping straight to step 5, identifying candidate solutions (the interesting bit), without doing the less interesting groundwork of steps 1 to 4.
WWT doesn't recommend that customers simply buy and deploy these services. As with any security architecture endeavor, it is a good idea to understand what you are protecting and its value to the business. Customers will most likely want to identify their most vital assets and prioritize those for migration. They will also want to understand how their zero trust services will integrate with the wider security and ICT ecosystem: identity and access management (the source of user and role information), endpoint protection (the source of device posture), logging and analysis, and orchestration and automation systems.
With this in mind, WWT has developed a seven-pillar framework, applied where appropriate in the spirit of our 'Accelerate' methodology, to support an organization's zero trust objectives. WWT's Zero Trust Accelerate methodology is a means of fast-tracking zero trust strategy development.
This proven methodology has been designed to rapidly assess an organization's current maturity and deliver a zero trust strategy roadmap. Throughout any future engagements our experts will seek to leverage relevant components of this methodology as necessary.
The 7 pillars of zero trust
It is important to note that before you take the seven pillars into account, it's best to consider the 'foundations' of a zero trust architecture (or any other security architecture endeavor, for that matter). These include the supporting zero trust policies, the use cases, the value and criticality of your information assets, the controls architecture, and identity management (IDM). As a preliminary step, uncover and analyze how your organization perceives adopting zero trust and what you are protecting, in order to (a) prioritize critical systems and (b) apply controls appropriate to the sensitivity of each asset.
Once that is established you can more effectively incorporate the 7 pillars of zero trust as detailed here:
- Workforce Security centers on security tools such as authentication and access control policies. These tools identify and validate the user attempting to connect before applying access policies that limit what the user can reach, thereby decreasing the attack surface.
- Device Security is the identification and authorization of devices when they attempt to connect to enterprise resources. The devices may be user-controlled or completely autonomous, as in the case of IoT devices (e.g., smart TVs, CCTV, alarm systems).
- Workload Security refers to the applications, digital processes, and public and private IT resources an organization uses for operational purposes. Security is wrapped around each workload to prevent unauthorized data collection, unauthorized access, or tampering with sensitive applications and services.
- Network Security captures the strategic approach to micro-segmentation, which serves to isolate sensitive resources and is instrumental in protecting key data assets.
- Data Security revolves around the categorization of corporate data, both in terms of classification and tagging. Once categorized, the data can be isolated from everyone except those that need access. This pillar also includes the process of determining where data should be stored, as well as the use of encryption mechanisms while data is in transit and at rest. All security processes that revolve around access control, segmentation, encryption, and application or data organization must be closely monitored.
- Visibility and Analytics covers the collection and analysis of telemetry from the other pillars, often using machine learning to automate anomaly detection, configuration control and end-to-end data visibility.
- Automation and Orchestration covers the modern ways in which organizations can automate and centrally control zero trust policy across the LAN, WAN, wireless WAN, and public or private data centers.
A final note
Do not attempt to 'boil the ocean' and deliver a complete architecture in one go; this is a multi-year journey, not a sprint. Secure your critical assets first (which is why system categorization is key) with some core zero trust functionality, and mature your zero trust architecture from there.