The pandemic has fundamentally changed how security teams think about protecting the business, in many cases accelerating digital transformation projects and placing renewed emphasis on the Zero Trust model for information security.
As security teams implement Zero Trust, it’s important to consider access management and control. In doing so, this reflects a larger shift in business, in which organizations require a more dynamic model for resilient, flexible enterprise security that does not create friction that may hinder day-to-day operations and workflow.
Security professionals realize the need to push security to the edge, focusing as much on the entity requesting access as on the data or service being requested for and why the request was made. Whether beginning the journey or continuing down the path of migration to a Zero Trust environment, there are several critical concepts related to access management and control that security pros should consider:
Companies can deploy Zero Trust in phases, with security and IT teams building a “trial run” on less critical portions of the network to practice and learn Zero Trust before rolling it out to the most critical DAAS.
To make Zero Trust easier to deploy, consider network virtualization or moving to cloud-based security controls. Using these services, security professionals can more easily make use of software–based technology to achieve more granular network segmentation and to centralize security controls. They can take advantage of analytics, programmable orchestration and automation to quickly turn off and on network and security controls for applications, devices, users, and data.
Of course, there are many tools for network segmentation, including next–generation firewalls, network overlays, software–defined network integration, host–based agents, virtual appliances, containers, security groups, and container–based clusters (such as Kubernetes and Swarm). For example, security teams can use network segmentation gateways to segment networks via layer 7 policy, granularly controlling the traffic moving in and out of a microperimeter. Software defined perimeters with identity–aware access management and control are a practical solution for microsegmentation, because they can significantly improve the security controls of an organization while also allowing the organization to deliver anywhere, anytime access to applications and services from any device.
Regardless of the technology, don’t think of Zero Trust as a single product or platform. It’s a strategic framework, an approach to securing the business and its most critical DAAS in today’s dispersed, hybrid networks. In addition, every organization has unique business drivers, risk tolerance, and industry nuances that they must consider.
Zero Trust offers an elegant model for security, but companies often find the transition challenging. Some will have to change “the way they’ve always done things.” Some organizations will need to change business processes and procedures. Networking and security teams will also need to align more tightly than in the past. Don’t underestimate the impact of culture. Making change at this level requires sponsorship from executive leadership and other lines of business, as well as the security team to help ensure its success. However, Zero Trust should not be a scary proposition, especially since companies can deploy it in bite-sized pieces and there are certified Zero Trust consultants who can offer guidance.
Tawnya Lancaster, lead product marketing, AT&T Cybersecurity