The pandemic has fundamentally changed how security teams think about protecting the business, in many cases accelerating digital transformation projects and placing renewed emphasis on the Zero Trust model for information security.
As security teams implement Zero Trust, it’s important to consider access management and control. This reflects a larger shift in business: organizations require a more dynamic model for resilient, flexible enterprise security, one that does not create friction that hinders day-to-day operations and workflow.
Security professionals realize the need to push security to the edge, focusing as much on the entity requesting access as on the data or service being requested and on why the request was made. Whether beginning the journey or continuing down the path of migration to a Zero Trust environment, there are several critical concepts related to access management and control that security pros should consider:
- Gain visibility and map transaction flow. Identify the data, assets, applications, and services in the company’s hybrid network, prioritize the criticality of each, and map the transaction flows between them. John Kindervag, who created Zero Trust, coined the term “protect surface” for the smallest possible reduction of the company’s attack surface, made up of one or more of the data, applications, assets, and services (DAAS). By defining protect surfaces and prioritizing the criticality of each, security teams can move controls as close as possible to the DAAS through the use of micro-perimeters and microsegmentation. This also helps limit the potential East-West movement of attackers and contain the blast zone should a breach take place.
- Establish micro-perimeters and segment the network. Isolate applications and devices closer to the workload, including setting up micro-perimeters. Depending on the criticality of the data, application, assets, or services within those perimeters, add further protections by also using microsegmentation.
- Develop dynamic security policies. Exercise the principle of least-privilege access by creating a dynamic security policy and extending multi-factor authentication to user, machine, and mutual authentication.
- Monitor, enforce, and maintain. Evolve to continuous monitoring of risk and trust for each entity (users, devices, and applications) by developing a risk/trust engine, which is often the most difficult area to execute.
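The four concepts above can be seen together in a small policy decision point: a protect-surface inventory with criticality ratings, a default-deny micro-perimeter flow map, a least-privilege role policy, and a trust score recomputed on every request that decides between allow, deny, and step-up authentication. This is an added example, not code from the original article or from AT&T Cybersecurity; the protect surfaces, segments, roles, signal weights and trust thresholds are all constructed assumptions chosen to illustrate the model.

```python
"""Minimal Zero Trust policy decision point (added example, constructed for illustration).

Every name below (segments, assets, roles, weights, thresholds) is an assumption;
none of it comes from the article or from any vendor product.
"""
from dataclasses import dataclass

# 1. Protect surfaces: DAAS elements rated by criticality (1 = low, 3 = high).
PROTECT_SURFACES = {
    "payroll-db": 3,
    "hr-app": 2,
    "wiki": 1,
}

# 2. Micro-perimeter flow map: which source segment may reach which protect surface
#    with which application-layer action. Any flow not listed is denied (default deny),
#    which is what limits East-West movement between segments.
ALLOWED_FLOWS = {
    ("hr-app", "payroll-db"): {"read", "write"},
    ("corp-users", "hr-app"): {"read", "write"},
    ("corp-users", "wiki"): {"read", "write"},
}

# 3. Least-privilege role policy: the actions each role may perform on each target.
ROLE_POLICY = {
    "payroll-admin": {
        "payroll-db": {"read", "write"},
        "hr-app": {"read", "write"},
        "wiki": {"read", "write"},
    },
    "employee": {"hr-app": {"read"}, "wiki": {"read", "write"}},
}

# Trust required to reach a protect surface, keyed by its criticality.
REQUIRED_TRUST = {1: 30, 2: 60, 3: 90}


@dataclass
class Request:
    """Signals available about one access attempt (all constructed fields)."""
    source_segment: str
    target: str
    action: str
    user_role: str
    mfa_passed: bool
    device_managed: bool
    device_patched: bool
    failed_logins_last_hour: int = 0


def trust_score(req: Request) -> int:
    """4. Continuous trust evaluation: score the entity from its current signals (0-100).

    Weights are assumptions; a real risk/trust engine would draw on far more telemetry.
    """
    score = 0
    score += 40 if req.mfa_passed else 0
    score += 30 if req.device_managed else 0
    score += 20 if req.device_patched else 0
    score -= 10 * req.failed_logins_last_hour  # recent failures lower trust
    return max(0, min(score, 100))


def decide(req: Request) -> str:
    """Return 'allow', 'deny', or 'step-up' (allow only after additional authentication)."""
    if req.target not in PROTECT_SURFACES:
        return "deny"  # unmapped asset: no protect surface, no access
    if req.action not in ALLOWED_FLOWS.get((req.source_segment, req.target), set()):
        return "deny"  # flow is outside the micro-perimeter map
    if req.action not in ROLE_POLICY.get(req.user_role, {}).get(req.target, set()):
        return "deny"  # role lacks this privilege (least privilege)
    required = REQUIRED_TRUST[PROTECT_SURFACES[req.target]]
    score = trust_score(req)
    if score >= required:
        return "allow"
    # Trust is short but MFA alone would close the gap: ask for step-up authentication
    # instead of a hard deny, so the control adds no more friction than necessary.
    if not req.mfa_passed and score + 40 >= required:
        return "step-up"
    return "deny"


if __name__ == "__main__":
    sample = Request("hr-app", "payroll-db", "read", "payroll-admin",
                     mfa_passed=False, device_managed=True, device_patched=True)
    print(decide(sample))  # step-up: trusted device, but the critical DB needs MFA
```

Note the order of the checks: the segmentation and least-privilege rules are static and reject the request before any trust is computed, while the trust threshold is the dynamic part that can change from one request to the next as device posture or authentication signals change.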
Companies can deploy Zero Trust in phases, with security and IT teams building a “trial run” on less critical portions of the network to practice and learn Zero Trust before rolling it out to the most critical DAAS.
To make Zero Trust easier to deploy, consider network virtualization or moving to cloud-based security controls. Using these services, security professionals can more easily make use of software-based technology to achieve more granular network segmentation and to centralize security controls. They can take advantage of analytics, programmable orchestration, and automation to quickly turn network and security controls on and off for applications, devices, users, and data.
Of course, there are many tools for network segmentation, including next-generation firewalls, network overlays, software-defined network integration, host-based agents, virtual appliances, containers, security groups, and container-based clusters (such as Kubernetes and Swarm). For example, security teams can use network segmentation gateways to segment networks via layer 7 policy, granularly controlling the traffic moving in and out of a micro-perimeter. Software-defined perimeters with identity-aware access management and control are a practical solution for microsegmentation, because they can significantly improve an organization’s security controls while also allowing it to deliver anywhere, anytime access to applications and services from any device.
Regardless of the technology, don’t think of Zero Trust as a single product or platform. It’s a strategic framework, an approach to securing the business and its most critical DAAS in today’s dispersed, hybrid networks. In addition, every organization has unique business drivers, risk tolerance, and industry nuances that it must consider.
Zero Trust offers an elegant model for security, but companies often find the transition challenging. Some will have to change “the way they’ve always done things.” Some organizations will need to change business processes and procedures. Networking and security teams will also need to align more tightly than in the past. Don’t underestimate the impact of culture. Making change at this level requires sponsorship from executive leadership and other lines of business, as well as from the security team, to help ensure its success. However, Zero Trust should not be a scary proposition, especially since companies can deploy it in bite-sized pieces and there are certified Zero Trust consultants who can offer guidance.
Tawnya Lancaster, lead product marketing, AT&T Cybersecurity