Zero Trust Principles
Zero trust is the security buzzword of the moment, and it is almost certainly on your organization's cyber roadmap. This is usually driven by audit findings, a desire to reduce risk, cyber teams moving to what is called an "assume breach" posture, workloads moving to the cloud, and increased remote access due to the pandemic.
Zero trust principles are designed to restrict users' and systems' access only to the data and applications they need to do their jobs and limit the impact of breaches through segmentation. Zero trust is also part of the SASE concept of providing secure network connectivity in a hybrid cloud environment. SASE aims to do this by moving network connectivity and the associated security controls to the data flows and not bending the data flows to the network connectivity/security controls, thereby improving user experience.
This really isn't that new; it is a positive security model (block everything except that which is explicitly allowed), supporting the principle of least privilege, but continuously monitored and enforced.
While implementing zero trust is an architectural notion that relies on the full gamut of your security ecosystem, you may be familiar with the following terms that underpin zero trust capability:
- Zero trust network access or software-defined perimeter. Both provide secure remote access to applications in legacy data centers and the cloud.
- Micro-segmentation. Provides server-level segmentation in the data center and cloud so that servers can communicate only with other servers in their application stack.
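The positive security model and the micro-segmentation rule described above (servers may talk only to servers in their own application stack, and only over explicitly allowed ports) can be expressed as a small policy engine. The following is an added illustration, not WWT's or any vendor's code; the host names, stacks, tiers and ports are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str   # source host name
    dst: str   # destination host name
    port: int  # destination TCP port

@dataclass
class SegmentationPolicy:
    # Asset inventory: host -> (application stack, tier). Constructed sample data.
    inventory: dict
    # Explicit allow list: (source tier, destination tier, port) within one stack.
    allow_rules: set
    # Every decision is kept so denied flows can be reviewed and the policy tuned.
    log: list = field(default_factory=list)

    def decide(self, flow: Flow) -> str:
        """Return 'ALLOW' or 'DENY: <reason>'. Anything not explicitly
        permitted falls through to deny (positive security model)."""
        src, dst = self.inventory.get(flow.src), self.inventory.get(flow.dst)
        if src is None or dst is None:
            return "DENY: host missing from asset inventory"
        if src[0] != dst[0]:
            return "DENY: cross-stack traffic"
        if (src[1], dst[1], flow.port) not in self.allow_rules:
            return "DENY: no explicit allow rule"
        return "ALLOW"

    def enforce(self, flow: Flow) -> bool:
        verdict = self.decide(flow)
        self.log.append((flow, verdict))  # record for continuous monitoring
        return verdict == "ALLOW"

    def denied(self) -> list:
        return [(f, v) for f, v in self.log if v != "ALLOW"]

def build_sample_policy() -> SegmentationPolicy:
    """Constructed example: a 'payments' stack (web -> app -> db) and an
    unrelated 'hr' stack sharing the same data center."""
    inventory = {"pay-web01": ("payments", "web"), "pay-app01": ("payments", "app"),
                 "pay-db01": ("payments", "db"), "hr-app01": ("hr", "app")}
    allow_rules = {("web", "app", 8443), ("app", "db", 5432)}
    return SegmentationPolicy(inventory, allow_rules)

if __name__ == "__main__":
    policy = build_sample_policy()
    for flow in (Flow("pay-web01", "pay-app01", 8443), Flow("pay-web01", "pay-db01", 5432),
                 Flow("hr-app01", "pay-db01", 5432), Flow("laptop-17", "pay-db01", 5432)):
        print(flow, "->", "ALLOW" if policy.enforce(flow) else policy.decide(flow))
```

Reviewing `policy.denied()` after a period of monitor-only operation is the practical way to discover legitimate flows the allow list has missed before switching to enforcement.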
There is often a link between an original equipment manufacturer's (OEM's) zero trust network access offering and its secure cloud web gateway service, as both consume the same endpoint client. It is therefore wise to consider these services together.
Our clients gain a number of benefits from a zero trust implementation stance, including visibility of the applications their users interact with, a reduced blast radius when an incident occurs, and reduced risk through enhanced security controls, particularly for trusted third-party access, a key threat vector these days.
NIST SP 800-207 is the NIST standard that defines zero trust architectures. Within it is a seven-step process for implementing a zero trust architecture (ZTA):
1. Identify actors on the enterprise.
2. Identify assets owned by the enterprise.
3. Identify key processes and evaluate the risks associated with executing them.
4. Formulate policies for the ZTA candidate.
5. Identify candidate solutions.
6. Initial deployment and monitoring.
7. Expand the ZTA.
In many of our client engagements, WWT sees organizations jumping straight to step 5, identifying candidate solutions (the interesting bit), without doing the (less interesting) groundwork.
WWT doesn't recommend that clients simply buy and implement these services. As with any security architecture endeavor, it is a good idea to understand what you are protecting and its value to the business. Clients will most likely want to understand which of their assets are most vital and prioritize those for migration. They will also want to understand how their zero trust services will integrate with the rest of their security and ICT (information and communication technology) ecosystem, such as identity and access management, endpoint protection for device posture, logging and analytics, and orchestration and automation systems.
With this in mind, WWT has developed this framework to help our clients achieve their zero trust objectives. This proven methodology has been designed to rapidly assess an organization's current maturity and deliver a zero trust strategy roadmap.
It is important to note that before you take the seven zero trust principles into account, it's best to consider the "foundations" of a zero trust architecture (or of any other security architecture endeavor, for that matter). These include the supporting zero trust related policies, use cases, information asset value/criticality, the controls architecture, and identity and access management (IAM).
As a preliminary step, uncover and analyze how your organization perceives a zero trust implementation and what you are protecting, in order to (a) prioritize critical systems and (b) apply controls appropriate to the sensitivity of each asset.
Once that is established you can more effectively incorporate the principles of zero trust as detailed here:
- Workforce security centers around the use of security tools such as authentication and access control policies. These tools identify and validate the user attempting to connect to the network before applying access policies that limit access and so reduce the attack surface.
- Device security covers the identification and authorization of devices when they attempt to connect to enterprise resources. The devices may be user-controlled or completely autonomous, as in the case of IoT devices (e.g., smart TVs, CCTV, alarm systems).
- Workload security refers to the applications, digital processes, and public and private IT resources an organization uses for operational purposes. Security is wrapped around each workload to prevent data collection, unauthorized access or tampering with sensitive applications and services.
- Network security captures the strategic approach to micro-segmentation, which serves to isolate sensitive resources and is instrumental in protecting key data assets.
- Data security revolves around the categorization of corporate data, both in terms of classification and tagging. Once categorized, the data can be isolated from everyone except those that need access. This pillar also includes the process of determining where data should be stored, as well as the use of encryption mechanisms while data is in transit and at rest. All security processes that revolve around access control, segmentation, encryption, and application or data organization must be closely monitored.
- Visibility and analytics prescribe the use of artificial intelligence (AI) to automate some processes, including anomaly detection, configuration control and end-to-end data visibility.
- Automation covers modern ways in which organizations can automate and centrally control zero-trust models on the LAN, WAN, wireless WAN, and public or private data centers.
Do not attempt to deliver a complete architecture in one go – this is a multi-year journey, not a sprint. Consider securing your critical assets first (this is why system categorization is key) with some core zero trust functionality and maturing your zero trust architecture from there.