Given industry buzz, you’ve likely heard of zero trust and may even already be bought into the business benefits of zero trust. At its core, zero trust is an architectural concept that makes mountains of sense if your organization is looking to protect applications and workloads on the network without adding complexity, expense, or disruption. Remove the inherent trust organizations have been granting users and systems for years and start building policies around data and least-privilege access to data instead. In this way, security admins no longer need to rely on user identity or device location, for instance, to authenticate that user or device; these things are too ephemeral to prevent an incident anyway.
Zero trust is a shift away from perimeter defense as the primary method of cyber attack prevention and towards securing the assets that contain the data, information, “crown jewels” (if you will)—in other words, it’s an “inside-out” approach which trusts no one nor thing unless it has been properly vetted against policy.
Conceptually this idea remedies all of security’s woes from the last 10 or so years. “No! You can’t access that resource!” “No! This system can’t talk to that one!” “No! Your Samsung Moment can’t connect to our corporate network!” Finally, security can go back to a default “no” and protect all the things! Well, that’s not exactly the essence of zero trust, but it’s a starting point (versus the end state, which is what earned security teams a reputation as the “department of ‘no’” in the first place). Sarcasm aside, to get started with zero trust, it’s helpful to zero in (pun intended) on a few steps. Contemplating, “How can I zero trust my entire network” is bound to lead to analysis paralysis. However, as was discussed at length at the SecurIT Zero Trust Summit for CIOs and CISOs in San Francisco in mid-June, architecting a zero trust network is an ongoing journey best approached in stages.
Recognize zero trust is a strategy
John Kindervag, the “grandfather of zero trust,” opened the summit and has been iterating for years that zero trust is a strategy, not a technology or even a process. It’s tempting for security practitioners to want to plug and play, but there is no zero trust tool available for purchase. Zero trust is a framework, a philosophy on which networks—and even security tools—can be built, and to get started with zero trust, it’s helpful to frame it as an overall approach rather than a component.
Designing for zero trust requires security and IT teams to focus on business concepts: What are we trying to protect? From whom? Recognize that zero trust underpins the entire security program; technologies and processes are layered on top of the strategy, not the other way around.
Identify key assets
A fundamental element of zero trust is understanding what key assets the organization has—from systems to sensitive data to critical applications—so that protections can be built around them, as close to the asset as possible. Identifying the organization’s key assets (without which the enterprise would be up the proverbial creek) improves visibility (because today most organizations don’t maintain a complete and up-to-date asset inventory), increases data awareness, and enables the implementation of a zero trust strategy.
To protect data or systems, the organization must first know what they are, where they are, and how data are stored and travel through the network. Identifying key assets allows the organization to have a data-first approach, which is necessary because everything touches the data: networks, workloads, people, devices… Every company needs to know what assets they have and how those assets interact.
Standardize to reduce risk
A zero trust strategy very much aligns to the now-accepted maxim that security must be a business enabler. While at first glance starting at a place of “never trust” seems like it would increase friction, zero trust actually decreases complexity for the organization by improving visibility (provided you’ve identified key assets, both on premises and in the cloud) and creating a control plane that’s portable (because it centers on the asset, not the environment in which the asset runs). This means security teams can implement a standard set of policies that can be applied uniformly across environments. No more trying to retrofit outmoded controls to modern environments (a.k.a. clouds and containers) or attempting to maintain disparate sets of policies across different toolsets and environments. Zero trust is a holistic and standardized approach to security which leads to better visibility which in turn results in enterprise risk reduction.
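To make the “portable control plane” idea concrete, here is an added example (not from the original post or any summit speaker) of an asset-centric policy check: the inventory entries, principal names, and grants are constructed, but the shape shows default deny, vetting before any grant, and a policy keyed on the asset’s classification rather than on the environment it runs in, so the same rule yields the same decision on premises and in the cloud.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str   # drives policy: "crown-jewel", "internal", "public"
    environment: str      # "on-prem", "cloud", "container"; recorded for visibility only

@dataclass(frozen=True)
class Request:
    principal: str        # workload or role identity asserted by the caller
    asset: str            # inventory key of the asset being accessed
    action: str           # "read", "write", "admin"
    vetted: bool          # caller passed policy vetting (e.g. MFA, device posture)

# Constructed inventory: the same logical asset deployed in two environments.
INVENTORY: Dict[str, Asset] = {
    "customer-db@on-prem": Asset("customer-db", "crown-jewel", "on-prem"),
    "customer-db@cloud":   Asset("customer-db", "crown-jewel", "cloud"),
    "wiki":                Asset("wiki", "internal", "container"),
}

# Constructed policy: least-privilege grants keyed on asset classification.
# No rule mentions environment or network location, which is what makes it portable.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "crown-jewel": {"billing-svc": {"read"}, "dba": {"read", "write", "admin"}},
    "internal":    {"*": {"read"}, "wiki-editor": {"read", "write"}},
}

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allow, reason). Anything not explicitly granted is denied."""
    asset = INVENTORY.get(req.asset)
    if asset is None:
        # An asset that is not in the inventory cannot have a policy, so it is never trusted.
        return False, "asset not in inventory"
    if not req.vetted:
        # Zero trust: nothing is granted until the caller has been vetted against policy.
        return False, "principal not vetted against policy"
    grants = POLICY.get(asset.classification, {})
    allowed = grants.get(req.principal, set()) | grants.get("*", set())
    if req.action in allowed:
        return True, f"{asset.classification} policy grants {req.action}"
    return False, "no grant for this principal/action (default deny)"
```

The unknown-asset branch is the point of the “identify key assets” step above: a gap in the inventory shows up as a denied request rather than as a silently trusted one.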
In some ways, creating a zero trust strategy isn’t dissimilar from the “back to basics” concept security practitioners have been touting (but not necessarily doing) over the years. Fundamentally, the goal is risk reduction through a focus on assets and controls around those assets. Many security teams to-date center on reactive controls; zero trust up-levels prevention, which (if managed correctly) will lead to fewer incidents and lower organizational risk.
At the start of this post I wrote that zero trust is a strategy. And strategies are best implemented after a bit of deliberate thought and careful planning (versus “ready, set, go!”). With that in mind, it might seem contradictory to now say, “dive right in!” The fact is, creating a zero trust strategy will be hard work and it will be an ongoing process that evolves alongside the networks, applications, and systems the organization uses. But the prospect of hard work shouldn’t stop organizations from moving forward with zero trust.
No company is too early stage or immature security-wise for a zero trust implementation (in fact, less-mature companies may have an easier time spinning up a program). Every company will benefit by moving away from legacy trust models and towards targeted, preventative security. Every organization is ready to understand its assets, learn how assets communicate, and eventually protect those assets. Instead of just chasing threats (which is more difficult, time consuming, and costly), zero trust allows organizations to align IT around applications and data that power the businesses. What organization isn’t ready for that?