Your Top Five Zero Trust Architecture (ZTA) Questions Answered
If you're weighing Zero Trust Architecture adoption, you're not alone. It is steadily becoming a necessity as cyber threats advance and more companies do their business online. Zero Trust isn't a new concept: the term was first published in the 2010 Forrester Research paper "No More Chewy Centers: Introducing the Zero Trust Model of Information Security".
The name is a reaction to the traditional perimeter (edge) model, in which a firewall (the hard, crunchy shell) is the primary protection for the network behind it (the soft, chewy center). It fits what attack-lifecycle research such as the Cyber Kill Chain shows: the most common intrusion methods are not really deterred by perimeter controls like firewalls, and once an attacker is past the shell, the chewy center offers little resistance.
1) What is Zero Trust?
The basic working definition of Zero Trust is:
A Zero Trust system is an integrated security platform that uses contextual information from identity, security and IT Infrastructure, and risk and analytics tools to inform and enable the dynamic enforcement of security policies uniformly across the enterprise. Zero Trust shifts security from an ineffective perimeter-centric model to a resource and identity-centric model. As a result, organizations can continuously adapt access controls to a changing environment, obtaining improved security, reduced risk, simplified and resilient operations, and increased business agility. 
Zero Trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero Trust Architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. A Zero Trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a Zero Trust Architecture plan. 
Ultimately, Zero Trust Architecture should be a business decision, driven by long-term objectives, such as:
- Ease of management
- Adaptive security controls
- Compliance and stakeholder obligation
- Overall risk mitigation and risk management
The decision to transition to a ZTA requires full commitment and should not be taken lightly: fully adopting it is a long, time-consuming process, and a full architecture overhaul can also be very expensive. The bright side is that it can significantly reduce your organization's overall cyber risk, and do so adaptively. True ZTA should be done in phases, over time, with measurable tactical wins.
2) What are the Core Principles of Zero Trust?
If you’re adopting a Zero Trust Architecture, here are the core principles a successful deployment should follow within your organization. Hint: if you are not following these core principles, you may need to re-evaluate your current architecture.
1. Ensure All Resources Are Securely Accessible, Regardless of Location
All resources must be included in the scope of the Zero Trust solution. Zero Trust must secure all access by all identities (human and machine) to all resources (data, applications, servers) regardless of the location of the identity and regardless of the location of the accessed resource.
- This dissolves the traditional perimeter as the trust boundary and replaces it with an identity- and resource-centric strategy.
- Network traffic transiting untrusted network areas must be encrypted, and in Zero Trust every network, including your own, is treated as untrusted.
- All access must be subject to an enforced policy model.
Note: it should be clear from the first principle alone that Zero Trust Architecture is a strategy, not a single product. Some vendors offer single-product "ZTA solutions", which are nothing more than snake oil: one product cannot govern every identity, every resource and every path between them, and buying one tends to create a false sense of coverage while leaving the rest of the estate exposed.
2. Adopt a Least Privilege Strategy and Strictly Enforce Access Control
A Least Privilege Strategy is exactly what it sounds like: each access right to a resource is granted to the fewest accounts, users and computing processes possible.
Properly implemented, Zero Trust allows for effective enforcement of Least Privilege, and through Least Privilege it bridges network and application security.
3. Inspect and Log All Traffic
In ZTA this is facilitated by a distributed set of network enforcement points. The additional segmentation ZTA requires enriches the collected logs with context and metadata: which identity, from which device, reached which resource, under which policy decision.
3) What are the Strategic Considerations for ZTA Adoption?
If you are ready to go all in or are making buying decisions for the future of your business, here are a few strategic considerations.
Review Interoperability and Integration Capabilities
New and replacement components of the environment must be able to communicate and integrate with the ZTA security policy and enforcement model.
Review each solution's APIs and determine:
- Whether the solution's access control is merged into the overall ZTA model
- Whether implementing the solution has created any new gaps in the ZT model
Invest in Automation
Automation is critical; without it ZTA becomes cumbersome and may fail. Automate actions across environments and systems, driven by context and events, and make the automation definable as a workflow.
The automation mapping should define a logical channel: a centralized Policy Decision Point (PDP), also called the Control Plane, connected to a distributed set of Policy Enforcement Points (PEPs) on the Data Plane. The PDP evaluates each access request against policy and context; the PEPs sit in front of resources and allow only what the PDP has decided.
Practice Continuous Risk Management
The primary goal of ZTA adoption is to mitigate and minimize cyber risk. Cyber risk is dynamic, with changing attack methods, changing attack surfaces and changing risk areas. It is critical to continually assess the organization's relative cyber risk and the threats it faces.
Manage Your Resources
All data sources and computing services are considered resources. Each resource goes through the permissions process individually, so access is granted case by case rather than to the network segment that happens to contain it.
Provide Unique Access on a Per Session Basis
Access to individual resources is granted per session, and you should be able to revoke it at any time.
Deliver Tactical and Strategic Value
As stated above, ZTA is such an investment of resources, time and money that its tactical and strategic value, in the form of business outcomes, must be measurable.
4) What is the Practical Preparation for ZTA Adoption?
Zero Trust Architecture adoption requires a new and dynamic access strategy. Many elements may already be in place and simply need to be aligned to the Control Plane/Data Plane model. Others require more effort, perhaps even an organization-wide culture shift. Below are some practical considerations and preparation steps.
Data Categorization
Categorizing your data can be a considerable effort. It's best to start with the categories you already know and get more granular from there. For example, if your organization:
- Holds electronic patient data, one category is ePHI (electronic protected health information).
- Processes credit cards, one category is cardholder data in scope for PCI DSS.
Role-based Access Control
This is another area requiring a good amount of effort. It's also an opportunity to build departmental relationships, especially with Human Resources, which owns the source of truth for who holds which role.
Zero Trust Architecture is built on the Least Privilege model, as is Role-Based Access Control (RBAC): permissions are assigned to roles, users are placed in groups according to their roles, and access follows from the group rather than from the individual.
Data Flow Mapping
This is a helpful process that many compliance frameworks now require.
The idea is to know and understand the path a given data request and its fulfillment take. For example: a patient who has been discharged from the hospital wants to look at their lab results, their doctor's recommendations and their current bill, all from the EMR patient portal, from home.
Multiple integrated backend systems may fulfill that one request: some in an on-prem data center, some in a private cloud, a public cloud-based authentication provider, and so on.
Understanding the data flow and being able to map it out on a diagram enables the organization to protect the data at every step of the process.
Data plane communication must be encrypted, and any exception must be documented together with its compensating control. Additionally, many types of data must also be encrypted at rest (on a server or SAN).
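To make the mapping concrete, here is a small added example (not code from the article or from any of the cited sources) that records the discharged-patient flow above as data, applies the encrypt-in-transit rule with documented exceptions, and emits a Graphviz DOT diagram of it. The systems, zones, protocols and the exception reference SEC-0042 are constructed for illustration:

```python
"""Data-flow map as data, plus the encrypt-everywhere check from this section.

Added example, not code from the article or its cited sources. The systems,
zones, protocols and the exception reference below are constructed to
illustrate the discharged-patient portal scenario.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    src: str          # system sending the request or data
    dst: str          # system receiving it
    src_zone: str     # network zone of src (internet, dmz, onprem-dc, private-cloud, public-cloud)
    dst_zone: str     # network zone of dst
    protocol: str
    encrypted: bool   # encrypted in transit (TLS, IPsec, ...)
    exception: str = ""  # reference documenting an approved exception, empty if none


# Constructed flow: patient at home reads results, recommendations and bill via the portal.
PATIENT_PORTAL_FLOW = [
    Hop("patient-browser", "portal-web", "internet", "dmz", "HTTPS", True),
    Hop("portal-web", "cloud-idp", "dmz", "public-cloud", "HTTPS", True),
    Hop("portal-web", "emr-api", "dmz", "onprem-dc", "HTTPS", True),
    Hop("emr-api", "lab-db", "onprem-dc", "onprem-dc", "TDS", False),
    Hop("emr-api", "billing-api", "onprem-dc", "private-cloud", "HTTP", False),
    Hop("emr-api", "hl7-interface", "onprem-dc", "onprem-dc", "MLLP", False,
        exception="SEC-0042: HL7v2 feed confined to an IPsec tunnel until vendor adds TLS"),
]


def check_flow(flow):
    """Apply the rule: data plane traffic is encrypted, or the exception is documented.

    Returns (severity, message) tuples. 'high' = plaintext across a zone boundary,
    'medium' = plaintext inside one zone (still a finding: the network is assumed
    compromised), 'info' = plaintext with a documented exception.
    """
    findings = []
    for h in flow:
        if h.encrypted:
            continue
        label = f"{h.src} -> {h.dst} ({h.protocol}, {h.src_zone} -> {h.dst_zone})"
        if h.exception:
            findings.append(("info", f"{label}: plaintext under documented exception {h.exception}"))
        elif h.src_zone != h.dst_zone:
            findings.append(("high", f"{label}: plaintext across zone boundary, no documented exception"))
        else:
            findings.append(("medium", f"{label}: plaintext within zone, no documented exception"))
    return findings


def blocking_findings(findings):
    """Findings that should stop the flow from being signed off."""
    return [f for f in findings if f[0] in ("high", "medium")]


def zones(flow):
    """Every zone the data touches, in order of first appearance: the map's 'where'."""
    seen = []
    for h in flow:
        for z in (h.src_zone, h.dst_zone):
            if z not in seen:
                seen.append(z)
    return seen


def to_dot(flow):
    """Render the map as Graphviz DOT so it can be drawn; dashed red edges are plaintext."""
    lines = ["digraph dataflow {", "  rankdir=LR;"]
    for h in flow:
        style = "" if h.encrypted else " style=dashed color=red"
        lines.append(f'  "{h.src}" -> "{h.dst}" [label="{h.protocol}"{style}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for severity, msg in check_flow(PATIENT_PORTAL_FLOW):
        print(f"[{severity}] {msg}")
    print(to_dot(PATIENT_PORTAL_FLOW))
```

Plaintext inside a single zone is still reported, because a Zero Trust network is assumed compromised; the exception field forces the documentation this section asks for instead of silently accepting the hop.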
Devices must be inspectable for their security posture before being granted access. This is a basic function of a Network Access Control (NAC) solution.
Workloads moved to the cloud must carry the same access control policies defined for on-premises systems.
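The following added example (not code from the article, NIST SP 800-207, or any product) ties the Control Plane/Data Plane model from the strategic considerations above to the preparation steps in this section: a Policy Decision Point that applies role-based permissions and device posture on every request, issues per-session grants that can be revoked, and logs each decision with its context, with a Policy Enforcement Point in front of each resource. Identities, roles, resources, device IDs and the posture fields are constructed; in practice the posture booleans would come from the NAC or EDR integration:

```python
"""Control plane / data plane model: a Policy Decision Point that decides per
request and owns per-session grants, and a Policy Enforcement Point in front
of one resource. Added example, not code from the article, NIST SP 800-207 or
any product; identities, roles, resources and posture fields are constructed."""
import json
import secrets
import time
from dataclasses import asdict, dataclass

# RBAC: permissions attach to roles; identities (human or machine) hold roles.
ROLE_PERMISSIONS = {"physician": {"emr:read", "emr:write"}, "billing-clerk": {"billing:read"}}
IDENTITY_ROLES = {"alice": {"physician"}, "bob": {"billing-clerk"},
                  "svc-statement-job": {"billing-clerk"}}  # machine identity, same policy path
# Every resource is its own policy target, tagged with its data category.
RESOURCES = {
    "emr-api": {"category": "ePHI", "actions": {"read": "emr:read", "write": "emr:write"}},
    "billing-api": {"category": "PCI", "actions": {"read": "billing:read"}},
}

@dataclass(frozen=True)
class RequestContext:
    identity: str
    device_id: str
    device_managed: bool   # posture signals; assumed to come from a NAC/EDR integration
    disk_encrypted: bool
    edr_healthy: bool
    mfa_satisfied: bool
    network: str           # logged for context; deliberately not a trust input

def permissions_for(identity):
    roles = IDENTITY_ROLES.get(identity, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

class PolicyDecisionPoint:
    """Control plane: evaluates every request, owns sessions, logs every decision."""
    def __init__(self, session_ttl=900, clock=time.time):
        self.session_ttl, self.clock = session_ttl, clock
        self.sessions = {}      # token -> binding of identity, device, resource, action
        self.decision_log = []  # one JSON line per decision, carrying the full context

    def _log(self, ctx, resource, action, decision, reason):
        entry = {"ts": self.clock(), "resource": resource, "action": action,
                 "decision": decision, "reason": reason, **asdict(ctx)}
        self.decision_log.append(json.dumps(entry, sort_keys=True))

    def evaluate(self, ctx, resource, action):
        """Default deny; returns (allowed, reason) and logs either way."""
        res = RESOURCES.get(resource)
        if res is None or action not in res["actions"]:
            reason = "resource or action not defined"
        elif not ctx.mfa_satisfied:
            reason = "mfa not satisfied"
        elif not (ctx.device_managed and ctx.disk_encrypted and ctx.edr_healthy):
            reason = "device posture below baseline"
        elif res["actions"][action] not in permissions_for(ctx.identity):
            reason = "permission not held by any role of identity"
        else:
            reason = f"{res['actions'][action]} via role on {res['category']} resource"
            self._log(ctx, resource, action, "allow", reason)
            return True, reason
        self._log(ctx, resource, action, "deny", reason)
        return False, reason

    def open_session(self, ctx, resource, action):
        """Per-session grant bound to one identity, device, resource and action."""
        allowed, reason = self.evaluate(ctx, resource, action)
        if not allowed:
            return None, reason
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"binding": (ctx.identity, ctx.device_id, resource, action),
                                "expires": self.clock() + self.session_ttl, "revoked": False}
        return token, reason

    def revoke(self, token):
        if token in self.sessions:
            self.sessions[token]["revoked"] = True

    def validate(self, token, ctx, resource, action):
        """Called by a PEP on every request: session checks, then a fresh evaluation."""
        s = self.sessions.get(token)
        if s is None:
            return False, "no such session"
        if s["revoked"]:
            return False, "session revoked"
        if s["expires"] <= self.clock():
            return False, "session expired"
        if s["binding"] != (ctx.identity, ctx.device_id, resource, action):
            return False, "session bound to a different identity, device, resource or action"
        return self.evaluate(ctx, resource, action)  # posture may have changed mid-session

class PolicyEnforcementPoint:
    """Data plane: fronts exactly one resource and never decides on its own."""
    def __init__(self, pdp, resource):
        self.pdp, self.resource = pdp, resource

    def handle(self, token, ctx, action):
        ok, reason = self.pdp.validate(token, ctx, self.resource, action)
        return {"status": 200, "action": action} if ok else {"status": 403, "reason": reason}
```

Two design points are worth noting. The PEP re-asks the PDP on every request rather than trusting the token, so a device whose EDR agent goes unhealthy mid-session is cut off at the next call even though the session is still open; and the network field is logged but never consulted, which is what "regardless of location" means in practice.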
5) Why Should You Work with IE for Your Zero Trust Adoption?
When you consider the strategic aspect of Zero Trust adoption, it can be overwhelming. An expert opinion can help you spend more strategically, plan ahead, and develop your staff and processes to maintain a secure environment. At IE we offer a virtual CISO (vCISO) service to help our customers prepare for a Zero Trust overhaul. We'll work with you and your team to strategize and prepare your architecture for a Zero Trust approach; depending on your needs, this can include advice on buying decisions, staff maturity, security awareness and more. There are many facets to consider, and that's why a team of technology and security experts can help.
Kindervag, John. No More Chewy Centers: Introducing the Zero Trust Model of Information Security. Forrester Research, 2010.
Garbis, Jason; Chapman, Jerry W. Zero Trust Security. Apress, 2021, pp. 39-40.
National Institute of Standards and Technology. Zero Trust Architecture (NIST SP 800-207), 2020, pp. 30-31.
Gilman, Evan; Barth, Doug. Zero Trust Networks: Building Secure Systems in Untrusted Networks. O'Reilly Media, 2017.