Thanks to a rapid shift to remote work, Zero Trust is finally garnering the attention it deserves. With its tailored controls, micro-perimeters and trust-nothing approach to access, Zero Trust gives CISOs confidence that their security program can secure their remote workforce and meet regulatory compliance requirements.
Built on an identity-centric framework for security, Zero Trust completely transforms both current and legacy IT models. My experience implementing Zero Trust has shown me that, while the process to implement a complete architecture takes time, the transformation is worth the effort and the benefits will be realized throughout the journey.
What is Zero Trust?
The Zero Trust framework verifies that only trusted identities have access to systems, networks, applications and data at every step, based on an identity's role or operational need. Trusted identities are separate authentication and authorization planes that make up the overall trust of a user, their devices, and their access. Examples of identity types are the user, device, applications, data, network traffic and behaviors.
Zero Trust can help companies prevent and contain an incident before suffering a catastrophic breach. If one identity type is compromised, the others will not be affected. This framework has been essential in securing remote workforces that transitioned seemingly overnight due to the need to protect employees, the business systems and applications, and data no matter where it is or where they are.
Building a Strategy for Implementation
Zero Trust is the next evolution of the security model, and charting a strategy is essential to successfully making the transition. When building a strategy, there are five key components to consider:
Humans are often the weakest link in security practices, falling victim to phishing attacks or lack of security awareness. It is critical to align your strategy with the people across your entire organization and develop a process for consistent monitoring of user access and behaviors and apply least privilege concepts at every level; ensuring that only the right people, have the right access, to the right applications, systems, and data.
Workloads vary between employee, systems, devices, applications, data and more. Each employee’s workload depends on their roles, what systems they use and what applications and data they have access to. The system to system or application to application workloads must also be mapped out to ensure that you understand how the data flows from and in between each of these and the users.
Internet of Things (IoT), industrial control systems, operational technology has made securing connected devices more challenging as the entry points on networks have increased tremendously and introduced more opportunities for vulnerabilities with insecure communication protocols and configurations. To achieve a fully adopted Zero Trust framework, security professionals must isolate, secure and control every device — including mobile devices and laptops — that is connected to the network. Every device needs to be trust verified and need to have the appropriate attributes that infer and validate its trust.
Organizations should create logical segmentation boundaries around network assets and increase isolation between segmentations. You must protect data from the inside out by drawing boundaries around resources instead of networks. This can be done by creating micro-perimeters to ensure only the right systems, applications and users talk to each other. It is also important to examine network behaviors and validate that the microsegments are effective and that the user, employees, roles, systems and applications are behaving normally and as expected.
To truly protect data, your organization first needs to identify your most critical business systems and classify what sensitive data needs to be protected. Then you must determine where the data is located and conceptualize how you can defend that data. Classifying all your data could be an arduous thing but starting with the most business critical data is vital.
Begin Your Zero Trust Journey Today
Transforming your technology infrastructure can be long, tedious work, and you will operate in a hybrid Zero Trust/legacy mode for a time. Begin by implementing Zero Trust principles, process changes and solutions for the highest-value data assets. Do not discount the incremental gains. Simply implementing identity and access management (IAM) or MFA, for example, are invaluable and important steps in protecting your business today and towards achieving your ZT goals and objectives. While it could be a challenging journey, the risk reduction for the overall business will give CISOs peace of mind that their workforce is properly secured no matter where they are.
James Carder, LogRhythm CSO