Down with trust: a practical, actionable approach to achieving Zero Trust
Zero Trust is a term that was first made popular by Forrester analyst John Kindervag over 10 years ago. However, the concept of perimeterless security and zero trust architectures go back much further to the 1990’s academic research. Why is it then, that Zero Trust today both excites and confuses?
Born out of the need to mitigate the risk of prolific and evolving attacks in the complex, dispersed modern environment, Zero Trust continues to gain momentum for its hard-line security stance and rigorous approach to countering today’s escalating cyber threats.
Trust no one and no thing. That is the central thrust of the aptly named Zero Trust paradigm. In stark contrast to traditional depth in defence approaches, Zero Trust is built on the idea that everything and everyone must be considered suspect – inside and outside the organisation. With Zero Trust we must interrogate, investigate and cross-check until we are 100% positive the access is safe to be allowed.
Zero Trust excites cyber practitioners and technology professionals because it promises greater control of sensitive data, applications and devices. By tightly controlling access, it provides a higher level of security assurance.
Zero Trust also confuses because it is a broad theory rather than a single technology. Context is key when talking about Zero Trust as it often means different things to different people. Zero Trust should be thought of as a holistic approach that mixes different requirements and technologies to your individual needs. It should always be remembered that Zero Trust is an idea and not a specific technology.
In this series, CyberCX will explore Zero Trust in depth. We will make recommendations on how to get started on your Zero Trust journey. Most significantly, we will provide commentary on popular vendor approaches and put their solutions under the microscope. We will illuminate each approach and evaluate their benefits, drawbacks and provide additional depth on key Zero Trust concepts.
With the rise in mobility and remote working, people are creating, storing and accessing data from anywhere, meaning critical information is distributed across cloud, datacentres, campuses and users. As we have briefly discussed though, legacy controls on the perimeter of the network don’t protect against attacks from within the enterprise. A Zero Trust policy requires all communications to be untrusted by default.
With Zero Trust, the end goal is clear - prevent unauthorised access to network resources which by the Zero Trust definition, includes all data sources and computing services. Trust no one. This in turn leads to the question of “how”.
One fundamental method of achieving Zero Trust is by making access control enforcement as granular as possible - a concept known as micro-segmentation. In its simplest form, this means breaking up a network into lots of smaller logical pieces, each with their own access control. In this way, a breach in one area does not automatically mean your entire network is compromised. However, there is a clear cost/benefit trade off with micro-segmentation.
While segmentation and micro-segmentation are what most people think of when they first consider Zero Trust, it’s not the only approach and in certain situations, it may not be the best approach.
For example, how many segments are enough to achieve the stated goal of Zero Trust? Take it too far and the additional complexity, cost and overhead required to implement and maintain micro-segmentation can outweigh the benefits.
When considering adoption of a Zero Trust architecture, there is a logical step-by-step approach to consider. The process outlined below is technology agnostic and designed to help readers determine if Zero Trust is appropriate for the organisation.
organisations should adopt a four-step process
Step 1 - Identify Actors and Assets : identify who is active in the network
Step 2 - Identify Processes, Evaluate Risk and Create Policies : identify process flows and risk to each process
Step 3 - Identify, Deploy and Monitor a Solution : based on the candidate Zero Trust Architecture and solution selected
Step 4 - Expand the Solution : consider expansion to other applications or processes based on suitability
To learn more about adopting a Zero Trust architecture for your business, please click the button below.
When considering Zero Trust, an approach to creating a Zero Trust network should be at the forefront of your thinking. A Zero Trust network is important in achieving network segmentation. Network segmentation is designed to protect the security of sensitive data and critical applications by dividing the network up into smaller, more secure enclaves. Network segmentation suits:
When creating a Zero Trust network and working towards better network segmentation, you should investigate next-generation firewalls.
To learn more about building a Zero Trust network, and the benefits and disadvantages of Next-generations firewalls, please click the button below.
If you already have a well segmented Zero Trust network, micro-segmentation could provide an even more granular approach to protecting the security of sensitive data and critical applications on your network. Micro segmentation can be considered the more dynamic and granular cousin of network segmentation. It is particularly relevant and can be considered a foundation of data centre and cloud security. Micro-segmentation decouples security segmentation from network infrastructure and pairs security segmentation with real-time application dependency mapping, to effectively prevent lateral movement inside data centres and cloud environments.
To learn more about building a Zero Trust Micro-segmentation, and where it should and should not be deployed, please click the button below.
Securing any network begins with visibility of every connected user and device across your network,
and the data that those devices and users are trying to access. For Zero Trust, or any security measure, you cannot create appropriate enforcement policies and controls without this knowledge. Combine the need for visibility with the sheer variety and volume of unsecured IoT devices, and the challenges presented by OT systems and networks, a Zero Trust Network Access Control (NAC) becomes attractive. NAC involves understanding and enforcing the identity of every device that touches your network, including context, traffic flows and resource dependencies.
Rethinking the concept of identity and expanding your Zero Trust initiative with NAC can help protect unmanaged and unmanageable infrastructure such as IoT and OT environments.
To learn more about building a Zero Trust NAC, and where NAC technologies and solutions add real value, please click the button below.
Organisations are operating in a time where accessing an ever-increasing number of applications outside the traditional network perimeters is the norm. Software, platforms, infrastructure and application workloads are often in the public cloud. The challenge for organisations is to support the user experience while protecting their users, applications and data from security threats.
Secure Access Service Edge or SASE simplifies networking and security by delivering cloud based services direct to the source of connection (edge). Security within a SASE deployment is based on identity and relies on cloud applications and data to eliminate latency, irrespective of where they are connecting from.
To learn more about utilising a SASE approach to compliment your Zero Trust efforts, please click the button below.
It is often said that in a cloud enabled world, identity is the security perimeter. Zero Trust Identity and Access Management is responsible for all elements of identity governance and access control, including creating, storing and managing enterprise user accounts and identity records.
Developing an approach to IDAM and considering IDAM solutions is a complex area that warrants dedicated attention. IDAM solutions may form part of a larger federated community and may include non-enterprise employees or links to non-enterprise assets for collaboration.
To learn more about Identity and Access Management as part of a Zero Trust initiative, please book some time with one of our IDAM experts or read more about the services our IDAM Practice can offer.
As outlined, Zero Trust should not be considered as a singular product or solution, rather it is a concept and an approach to architecting security outcomes for individual organisations. Just as organisations are different, so is their ideal Zero Trust model. This is because the ultimate solution must be adapted to the complexity of the environment, while effectively protecting people, devices, applications and data.
With the foundations of Zero Trust in place, organisations can gain confidence through enhanced visibility and continuous monitoring of their security posture. Zero Trust brings a slew of additional benefits and opportunities to organisations.
Irrespective of whether you are an organisation preparing to embark upon a Zero Trust journey, or an experienced Zero Trust expert, CyberCX can outline the benefits of Zero Trust and design a Zero Trust framework to deliver significant operational value.
To learn more about the benefits of Zero Trust, please click button below.