At its core, Zero Trust security flips the “trust, then verify” strategy of legacy network access tools, such as insecure VPNs or ineffective NACs, on its head. It adopts a “zero implicit trust” mindset that grants users access only to the resources they need to do their jobs, and only when they need them. The National Institute of Standards and Technology (NIST) defines Zero Trust as “a set of guiding principles for workflow, system design and operations.”
Where should you start? Instead of getting stalled with analysis paralysis, it’s important to understand there’s a maturity curve and you don’t have to start from scratch. Even baby steps will make a substantial difference. Here is guidance to set you soundly on the Zero Trust security path and harden your organization’s cybersecurity defenses.
1. Take inventory of your network
Before you can implement Zero Trust security, you need to understand what kind of shape you’re in. You can’t protect what you can’t see, which is why auditing your network is an integral part of strengthening your security posture. You likely have a variety of access control and networking mechanisms, as well as a distributed, hybrid ecosystem of IT and security infrastructure elements.
For example, many organizations have multiple VPN solutions to control access to different resources in different locations. Identify what and where those are, who is using them and for what purpose. Take note of vendor names, user numbers, contract expirations and any upcoming hardware refreshes, including the cost of hardware maintenance and software licensing. Knowing when those agreements expire can help you plan an entry point for Zero Trust Network Access (ZTNA)—which applies Zero Trust principles to network security—and the budget you’ll have available.
2. Assess identity and access management (IAM)
Zero Trust at its heart is an identity-centric approach to security. Understanding and managing identity is therefore an incredibly important step, but your identity program doesn’t have to be perfect before you embark on your Zero Trust security journey.
Understanding how your organization’s IAM systems work is a natural part of every Zero Trust security initiative since you’ll use them for authentication and identity attributes. Identity management programs (technology, people, and processes) can be valuable for your Zero Trust security initiative, even if they are relatively immature. Your IAM environment doesn’t have to be perfect, but it can’t be “broken,” either.
3. Prepare network infrastructure
A large part of the strength of Zero Trust security is its ability to enforce identity and context-aware policies at the network level, bridging often separate security and network teams. Security and network architects need to collectively plan for the changes that Zero Trust security brings to enterprise network infrastructure, operations and potentially network topology.
Build an understanding of your enterprise network up front, including how the various security, connectivity, availability and reliability components are deployed. This type of inter-departmental coordination and cooperation is important because many Zero Trust-based security solutions impact the underlying network and topology. You can save significant time in this step with network-agnostic solutions that act as an encrypted overlay on top of your existing network infrastructure.
4. Define and prioritize security policies
Your security policies will define which identities are permitted to access which resources under what circumstances. Within a Zero Trust environment, access can only be obtained through the evaluation and assignment of a policy to an identity, and that access may be enforced at the network or application levels.
However, you don’t need to define policies for every person, resource and application out of the gate. That’s a monumental undertaking that can be achieved over time. Start with policies around critical infrastructure and your organization’s crown jewels, like intellectual property, personally identifiable information (PII), Health Insurance Portability and Accountability Act (HIPAA) or other compliance data.
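Step 4 describes policies that grant an identity access to a resource only under stated conditions, with no access otherwise. The Python sketch below is an added example, not Appgate’s code; the identities, groups, resource tags and policies in it are constructed. It shows a default-deny evaluation in which identity attributes (from IAM) and context (MFA, device posture, time of day) must all satisfy an explicit policy, with the strictest conditions placed on crown-jewel resources.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset      # identity attributes pulled from IAM
    mfa: bool              # strong authentication completed this session
    managed_device: bool   # device posture signal

@dataclass(frozen=True)
class Resource:
    name: str
    tags: frozenset        # e.g. {"crown-jewel", "pii"}

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset         # identity must belong to at least one
    resource_tags: frozenset  # resource must carry all of these
    require_mfa: bool = False
    require_managed_device: bool = False
    hours: tuple = (0, 24)    # permitted local hours, half-open interval

# Constructed sample policies: crown jewels get the strictest conditions.
POLICIES = (
    Policy("staff-wiki", frozenset({"staff"}), frozenset({"internal"})),
    Policy("eng-source", frozenset({"engineering"}), frozenset({"crown-jewel", "source"}),
           require_mfa=True, require_managed_device=True),
    Policy("hr-payroll", frozenset({"hr"}), frozenset({"crown-jewel", "pii"}),
           require_mfa=True, require_managed_device=True, hours=(7, 19)),
)

def unmet_conditions(p: Policy, ident: Identity, res: Resource, hour: int) -> list:
    """Return the conditions of policy p that this request fails (empty = match)."""
    failed = []
    if not (ident.groups & p.groups): failed.append("group")
    if not p.resource_tags <= res.tags: failed.append("resource")
    if p.require_mfa and not ident.mfa: failed.append("mfa")
    if p.require_managed_device and not ident.managed_device: failed.append("device")
    if not (p.hours[0] <= hour < p.hours[1]): failed.append("hours")
    return failed

def evaluate(ident: Identity, res: Resource, hour: int, policies=POLICIES) -> tuple:
    """Zero implicit trust: access is granted only by an explicitly matching policy."""
    reasons = []
    for p in policies:
        failed = unmet_conditions(p, ident, res, hour)
        if not failed:
            return True, f"allow by {p.name}"
        if "group" not in failed and "resource" not in failed:
            reasons.append(f"{p.name} unmet: {','.join(failed)}")  # near miss, for audit
    return False, "default deny" + (f" ({'; '.join(reasons)})" if reasons else "")
```

The denial reason is returned alongside the decision so an enforcement point at the network or application layer can log why a request was refused.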
Zero Trust Network Access (ZTNA) is a foundational solution many enterprises are using to start their Zero Trust security journeys. With ZTNA, there are two major architectures to consider with downstream options as you build what’s best for your organization.
Next you should choose a user access model. One is a client-based model, in which software installed on a server or a user’s device initiates connections; this is required for many enterprise resources. The other is browser-based, allowing users to connect to web applications without a client. Typically, businesses choose a hybrid approach for user access depending on the use case.
Rolling out the policies during deployment puts you well on your way to implementing Zero Trust security. While it’s a big task—well, several sets of tasks, really—if you’ve chosen deployment as a service, you’ll have lots of help.
Appgate can help with your Zero Trust security implementation … which, if you’re doing it right, will constantly evolve. And because Appgate SDP, an industry-leading, enterprise-grade ZTNA solution, can be delivered as a service we are with you every step of the way from planning to deployment and beyond.
Appgate is uniquely qualified in the Zero Trust conversation and was named a ZTNA Leader in the 2021 Forrester New Wave report. Appgate is also one of several key industry partners collaborating on the NIST Implementing a Zero Trust Architecture Project with the National Cybersecurity Center of Excellence (NCCoE). More information on Zero Trust security can be found by diving into these additional resources:
Zero Trust Security: An Enterprise Guide, co-authored by Appgate CPO Jason Garbis
Secure network access for your hybrid enterprise
Technical guide to Appgate SDP
Demo Appgate SDP
VPN vs. ZTNA vs. SDP vs. NAC: What’s the difference?
By Chris Scheels