02 Mar President Jon Cartu Writes – 5 considerations for building a zero trust IT environment
Zero trust isn’t a product or service, and it’s certainly not just a buzzword. Rather, it’s a particular approach to cybersecurity. It means exactly what it says – not “verify, then trust” but “never trust and always verify.”
Essentially, zero trust is about protecting data by limiting access to it. An organization will not automatically trust anyone or anything, whether inside or outside the network perimeter. Instead, the zero trust approach requires verification for every person, device, account, etc. attempting to connect to the organization’s applications or systems before granting access.
But wait. Aren’t cybersecurity systems already designed to do that? Is zero trust simply cybersecurity with some added controls?
Good question. Zero trust frameworks certainly include many technologies that organizations already use widely to protect their data. However, zero trust represents a clear pivot in how to think about cybersecurity defense. Rather than defending a single, enterprise-wide perimeter, this approach draws a perimeter around every network, system, user and device, inside and outside the organization. That shift is enabled by strong identities, multi-factor authentication, trusted endpoints, network segmentation, access controls and user attribution, which together compartmentalize and regulate access to sensitive data and systems.
In short, zero trust is a new way to think about cybersecurity to help organizations protect their data, their customers, and their own competitive advantage in today’s rapidly changing threat landscape.
Why now is the time for zero trust in cybersecurity
Corporate executives are feeling the pressure to protect enterprise systems and data. Investors and “data subjects” – customers and consumers – are also insisting on better data security. Security gets even more complicated when some data and applications are on-premises and some are in the cloud, and everyone from employees to contractors and partners is accessing those applications from a variety of devices and locations. At the same time, government and industry regulations are raising the requirements for securing important data, and zero trust can help demonstrate compliance with them.
Zero trust cybersecurity technologies
Fortunately, the technology supporting zero trust is advancing rapidly, making the approach more practical to deploy today. There is no single approach for implementing a zero trust cybersecurity framework, and neither is there any single technology. Rather, technology pieces fit together to ensure that only securely authenticated users and devices have access to target applications and data.
For example, access is granted on the principle of “least privilege” ─ giving users only the access they need to do their job, and only for as long as they are doing it. This includes expiring privileges and one-time-use credentials that are revoked automatically once access is no longer required. In addition, traffic is inspected and logged continuously, and access is confined to micro-perimeters to help prevent an attacker who has compromised one system from moving laterally to other systems and networks.
A zero trust framework uses a number of security technologies to increase the granularity of access to sensitive data and systems. Examples include identity and access management (IAM), role-based access control (RBAC), network access control (NAC), multi-factor authentication (MFA), encryption, policy enforcement engines, policy orchestration, logging, analytics, scoring, and file system permissions.
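The least-privilege mechanics described above (a policy engine that checks identity, MFA and device posture against a role, hands out expiring one-time-use grants, and logs every decision) can be shown in a few dozen lines. The following is an added example written for this page, not code from the article or from any vendor product; the users, roles, resource names and device attributes are constructed, and time is passed in explicitly so the expiry behaviour can be exercised deterministically.

```python
"""Toy zero-trust policy decision point (added example; not code from the original article).

Every request is checked against identity, MFA, device posture and an RBAC
role (least privilege). A successful decision yields a short-lived,
single-use grant that is revoked automatically when it is redeemed or when it
expires, and every decision is appended to an audit log. All users, roles,
resources and device attributes below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed RBAC policy: role -> {resource: allowed actions}. Anything not
# listed is denied by default.
ROLE_POLICY: Dict[str, Dict[str, set]] = {
    "dba": {"payments-db": {"read", "write"}},
    "analyst": {"payments-db": {"read"}},
}


@dataclass
class Context:
    """What the policy engine knows about the requester at decision time."""
    user: str
    role: str
    mfa_verified: bool        # second factor completed for this session
    device_compliant: bool    # managed, patched, disk-encrypted endpoint


@dataclass
class Grant:
    grant_id: str
    user: str
    resource: str
    action: str
    expires_at: float         # epoch seconds; the clock is passed in for testability


class PolicyEngine:
    def __init__(self, ttl_seconds: float = 300.0):
        self.ttl = ttl_seconds
        self.grants: Dict[str, Grant] = {}   # outstanding, not yet redeemed
        self.audit: List[str] = []

    def _log(self, msg: str) -> None:
        self.audit.append(msg)

    def authorize(self, ctx: Context, resource: str, action: str, now: float) -> Optional[Grant]:
        """Evaluate one access request. Returns a Grant, or None to deny."""
        what = f"{ctx.user} {action} {resource}"
        if not ctx.mfa_verified:
            self._log(f"DENY {what}: MFA not verified")
            return None
        if not ctx.device_compliant:
            self._log(f"DENY {what}: device posture non-compliant")
            return None
        allowed = ROLE_POLICY.get(ctx.role, {}).get(resource, set())
        if action not in allowed:
            self._log(f"DENY {what}: role {ctx.role!r} lacks {action!r}")
            return None
        grant = Grant(secrets.token_urlsafe(16), ctx.user, resource, action, now + self.ttl)
        self.grants[grant.grant_id] = grant
        self._log(f"GRANT {what}: expires at {grant.expires_at:.0f}")
        return grant

    def redeem(self, grant_id: str, now: float) -> bool:
        """Consume a grant. Valid exactly once and only before expiry."""
        grant = self.grants.pop(grant_id, None)   # popping makes it single-use
        if grant is None:
            self._log(f"DENY redeem {grant_id}: unknown or already used")
            return False
        if now > grant.expires_at:
            self._log(f"DENY redeem {grant_id}: expired")
            return False
        self._log(f"USE {grant.user} {grant.action} {grant.resource}")
        return True

    def expire(self, now: float) -> int:
        """Revoke every outstanding grant whose TTL has passed; returns the count revoked."""
        stale = [gid for gid, g in self.grants.items() if now > g.expires_at]
        for gid in stale:
            del self.grants[gid]
            self._log(f"REVOKE {gid}: expired unused")
        return len(stale)


if __name__ == "__main__":
    engine = PolicyEngine(ttl_seconds=60.0)
    alice = Context("alice", "dba", mfa_verified=True, device_compliant=True)
    grant = engine.authorize(alice, "payments-db", "write", now=1000.0)
    print(engine.redeem(grant.grant_id, now=1010.0))   # True: first use, within TTL
    print(engine.redeem(grant.grant_id, now=1011.0))   # False: already consumed
    print("\n".join(engine.audit))
```

The point worth noticing is that the grant is removed from the store the moment it is redeemed, so a replayed or stolen grant fails closed, and unused grants are swept by `expire()` rather than living until someone remembers to revoke them. The audit list stands in for the continuous logging the article calls for; in a real deployment those lines go to the SIEM.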
Equally important, technology standards and protocols are available to support the zero trust approach. The Cloud Security Alliance (CSA) has developed a security framework called the software-defined perimeter (SDP) that has been used in some zero trust implementations. The Internet Engineering Task Force (IETF) contributed to zero trust security models by standardizing the Host Identity Protocol (HIP, RFC 7401), which inserts a host identity layer between the network and transport layers so that hosts are identified by cryptographic public keys rather than by IP addresses. Numerous vendors are building on these advances to bring zero trust solutions to market.
Based on these technologies, standards and protocols, organizations can use three different approaches to implementing zero trust security:
1. Network micro-segmentation, in which the network is carved into small segments, down to a single machine or application, with security policy and service delivery defined for each segment.
2. SDP, based on a need-to-know strategy in which device posture and identity are verified before access to application infrastructure is granted.
3. Zero trust proxies that sit between client and server and authenticate and authorize each request, so that clients never connect directly to the protected application and an attacker who gains a foothold on the network cannot reach it.
Which approach is best for a given situation depends on what application(s) are being secured, what infrastructure currently exists, whether the implementation is greenfield or encompassing legacy environments, and other factors.
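The micro-segmentation approach in the list above comes down to a default-deny allow-list evaluated per workload rather than per subnet. The following is an added example written for this page, not code from the article or from any product; the workload inventory, the allow rules and the flow records are constructed. It shows the policy both as a per-flow decision and as a check run over a batch of flow records, which is how a practitioner would verify that a pivot attempt from a compromised host is actually blocked.

```python
"""Micro-segmentation policy check run over flow records (added example; not
code from the original article).

Every workload is its own segment and the only traffic permitted between
segments is what an explicit allow rule names (source workload, destination
workload, protocol, port). Everything else, including traffic from unknown
endpoints, is denied, which is what stops an attacker who has compromised one
host from pivoting to the next. Workload names, addresses and the flow
records below are constructed for illustration.
"""
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    src: str    # source workload
    dst: str    # destination workload
    proto: str  # "tcp" or "udp"
    port: int   # destination port


class Verdict(NamedTuple):
    action: str   # "allow" or "deny"
    src: str
    dst: str
    proto: str
    port: int
    reason: str


# Constructed inventory: address -> workload (segment) name.
WORKLOADS = {
    "10.0.1.10": "web-01",
    "10.0.2.10": "app-01",
    "10.0.3.10": "payments-db",
    "10.0.9.5": "bastion",
}

# Constructed allow-list. Each rule is as narrow as the business flow requires;
# there is deliberately no rule such as "anything in 10.0.0.0/8 may talk to anything".
ALLOW_RULES = [
    Rule("web-01", "app-01", "tcp", 8443),        # web tier calls the app API
    Rule("app-01", "payments-db", "tcp", 5432),   # only the app tier reaches the DB
    Rule("bastion", "app-01", "tcp", 22),         # admin SSH only via the bastion
]


def evaluate_flow(src_ip: str, dst_ip: str, proto: str, port: int) -> Verdict:
    """Default deny: a flow is allowed only if an explicit rule matches it exactly."""
    src = WORKLOADS.get(src_ip, "unknown")
    dst = WORKLOADS.get(dst_ip, "unknown")
    if src == "unknown" or dst == "unknown":
        return Verdict("deny", src, dst, proto, port, "endpoint not in inventory")
    for rule in ALLOW_RULES:
        if rule == Rule(src, dst, proto, port):
            return Verdict("allow", src, dst, proto, port, "matched allow rule")
    return Verdict("deny", src, dst, proto, port, "no allow rule (possible lateral movement)")


def parse_flow(line: str) -> Optional[tuple]:
    """Parse a constructed flow record: '<epoch> <src_ip> <dst_ip> <proto> <dport>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, src_ip, dst_ip, proto, dport = parts
    if not dport.isdigit():
        return None
    return src_ip, dst_ip, proto.lower(), int(dport)


def audit_flows(lines: List[str]) -> List[Verdict]:
    """Evaluate each parseable flow record; malformed records are skipped."""
    verdicts = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        verdicts.append(evaluate_flow(*parsed))
    return verdicts


def denied(lines: List[str]) -> List[Verdict]:
    """Only the flows the policy would block; the list an analyst reviews."""
    return [v for v in audit_flows(lines) if v.action == "deny"]


# Constructed sample. The first three flows are legitimate. The last three are
# what a compromised web server trying to pivot looks like: it reaches for the
# database directly, tries SSH to the app tier, and an address outside the
# inventory probes the database.
SAMPLE_FLOWS = [
    "1700000000 10.0.1.10 10.0.2.10 tcp 8443",
    "1700000001 10.0.2.10 10.0.3.10 tcp 5432",
    "1700000002 10.0.9.5 10.0.2.10 tcp 22",
    "1700000003 10.0.1.10 10.0.3.10 tcp 5432",
    "1700000004 10.0.1.10 10.0.2.10 tcp 22",
    "1700000005 192.168.50.7 10.0.3.10 tcp 5432",
    "malformed record",
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"{v.action:5} {v.src} -> {v.dst} {v.proto}/{v.port}: {v.reason}")
```

Note that the web server's attempt to reach the database on its normal port is denied even though both hosts are legitimate members of the inventory; the rule set encodes who needs to talk to whom, not merely which addresses are internal. Feeding real flow logs (VPC flow logs, NetFlow, firewall logs) through the same evaluator before enforcement is a practical way to find flows the planned policy would break.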
Adopting zero trust in IT: Five steps for building a zero trust environment
Building a zero trust framework doesn’t necessarily mean a complete technology transformation. By using this step-by-step approach, organizations can proceed in a controlled, iterative fashion, helping to ensure the best results with a minimum of disruption to users and operations.
1. Define the protect surface – With zero trust, you don’t focus on your attack surface but on your protect surface ─ the critical data, applications, assets and services (DAAS) most valuable to your company. Examples of a protect surface include credit card information, protected health information (PHI), personally identifiable information (PII) and intellectual property (IP); applications, whether off-the-shelf or custom software; assets such as SCADA controls, point-of-sale terminals, medical equipment, manufacturing assets and IoT devices; and services such as DNS, DHCP and Active Directory.
Once the protect surface is defined, you can move your controls as close as possible to it, enabling you to create a micro-perimeter (or compartmentalized micro-perimeters) with policy statements that are limited, precise and understandable.
2. Map transaction flows – The way traffic moves across a network determines how it…