New buzzwords in the world of IT come and go at an alarming rate. Just when you think you are getting your architecture or processes up to scratch with some new benchmark that your organisation needs to “comply” with, there is a new benchmark to supersede it. So here is another IT buzzword (or buzz-term if you prefer) to add to your ever growing list of compliance goals: Zero Trust.
What is Zero Trust? Do I need it? How do I get it? How will it help me?
The Zero Trust Network or Zero Trust Architecture model is a concept for IT security that adheres to the belief that an organisation should not automatically trust anything inside and outside its perimeter walls. It goes by the regulation that anything and everything that is trying to gain access to an organisation’s systems must be verified before being granted access.
More conventional type security models work on the architecture that considers everything inside the organisation’s network perimeters can be trusted. These days with more awareness around increased attack sophistication and the rising use of BYOD, more resistance needs to be applied if someone were to gain access inside the corporate firewall to help prevent them from moving through internal systems too freely.
A Zero Trust model essentially works on the principle that all access should be cut off to you until the network knows who you are. The model is designed this way to address lateral threat movement within the network by leveraging micro-segmentation and granular perimeter enforcement, based on user, data and location. Lateral threat movement refers to techniques that hackers use once they are inside the organisation’s network, to move through it looking for assets and data of value. To identify and stop this movement, a trust model will correctly identify who the user is, which application they are trying to reach, and if the action is considered an appropriate session. When trust gets breached or challenged, so does the user with some applied friction.
So how do you work towards building a Zero Trust model? Prepare for the build and implementation process to take time. To begin securing the IT environment the organisation will need to look at reviewing various existing technologies and governance processes. A working model draws on technologies such as Multi-Factor Authentication (MFA), IdAM, RBAC/ABAC, orchestration, analytics, encryption, scoring and file system permissions. It also calls for strict governance policies to be enforced such as giving users absolute minimum access they need to accomplish their assigned task.
Building this kind of architecture can be overwhelming for even the most experienced of security teams and it becomes even more complex in larger organisations of course. It would be a whole lot easier if we could all build it from a blank canvas, but the frustrating fact is that most of us are having to deal with a load of legacy systems first which will undeniably mean that you are going to feel like you are going to have to go backwards before you can go forwards.
Above all, there needs to be a security strategy before anything can be put into practice which not surprisingly is a major piece of the puzzle missing from most organisations. To assist your organisation in developing a strategy that will realise a Zero Trust model more quickly, consider this five step strategy roadmap to follow:
1. Identify your toxic data sources:
Identify and classify the data that you need to protect (you can’t protect what you can’t see!)
2. Map the transaction flows of that toxic data:
Understand how data flows across the extended network and between resources and people (employees, partners, customers)
3. Architect your Zero Trust micro-perimeters:
Design the micro-perimeters to be placed around toxic data and segment them with physical or virtual appliances
4. Use Security Analytics to monitor your Zero Trust ecosystem:
Continuously log and inspect all traffic, update rules based on the visibility and intelligence gained from the security analytics
5. Embrace security automation and orchestration:
Create an automated rule base to take immediate action based on confidence levels and business impact
These are the stepping stones that strategy and automation experts such as Diaxion can help organisations flesh out and develop to get closer to achieving a Zero Trust network architecture. With these steps being embraced, your Zero Trust strategy can be the blueprint for your security architecture, addressing and handling the basic to complex vulnerabilities that cyber adversaries target in their attacks. Engage us to work with you in building the foundational needs in architectural security of your data, workforce and workloads that will achieve a Zero Trust ecosystem.