
Building Out Zero Trust Architecture

To say cyber crime has gone mainstream is an understatement.

The threat is no longer a mere possibility for organizations; it is an inevitability that will cause serious damage to those that do not have the correct defenses in place.

As a result, Zero Trust Architecture is increasingly becoming a must-have cyber defense that organizations can use to keep threat actors out of their networks.

In contrast to the traditional cyber security ethos of 'trust but verify', Zero Trust does exactly as it says: nothing is trusted inherently. Instead, all users, devices and applications are given the minimum privileges needed to perform their jobs and functions.

Granting the bare minimum privileges, and no more, limits each entity's network access. In turn, this makes it much harder for an attacker who exploits or compromises an individual, application or device to use the newly inherited privileges to move through the network and reach and steal sensitive data.

When it comes to the benefits this offers, there is the indisputable improvement to security, but organizations that adopt Zero Trust Architecture are also more attractive to insurers and can more easily meet regulatory compliance requirements.

So, what are the key steps organizations must take to build Zero Trust Architecture effectively?

1. Strategy, budget, planning

Zero Trust Architecture is not a product. You can’t buy it out of a box.

Instead, it is a process that can be built using multiple products and policies which work together to improve security by limiting trust, monitoring network activity and having visibility across all assets.

Having a well-defined strategy before adopting Zero Trust is essential. This includes deciding what needs to be brought into the scope of the Zero Trust Architecture, setting deployment milestones, allocating a yearly budget for the project, and planning the execution. Zero Trust Architecture cannot be achieved overnight; it is a methodology that can take months, or years, to fully develop and mature.

2. Understanding the network

The most important first step in Zero Trust is having a clear understanding of the network and what is classified as ‘normal’.

From a user perspective, this involves understanding who users are, where they are logging in from, at what time of day they log in, what they are accessing, and which devices they use to access the corporate network. Once organizations understand this, they can see what is normal on their network and set up policies that match accepted user behavior.

From a device standpoint, this means understanding what devices do, what they are connected to and what is classified as acceptable behavior for each device.

From an application perspective, this involves understanding what components should communicate with each other and what protocols are common to these communication pathways.

3. Visibility

Once organizations have an up-to-date inventory of all the users, devices and applications that will fall into the Zero Trust Architecture, they must ensure they have continuous visibility of them so anomalous behavior can be spotted quickly.

4. Establishing policies

The most manual part of the Zero Trust journey involves setting policies for users and devices around acceptable behavior.

For users, this could mean they can only log into systems at certain times of day, and can only access certain parts of the network from certain devices and specific locations.

For devices, this will be around interactions across the network and how they are allowed to communicate with other assets and applications. For example, what is the acceptable behavior of a printer? What would be deemed malicious?

For applications, this will include the data pathways and flows that exist between internal and external processes and resources, as well as those within the application itself.

Organizations need to set up policies for everything that falls into the Zero Trust Architecture, so they have a baseline for acceptable behavior. The focus must be on granting the minimum number of privileges users, devices and applications need to perform their jobs.

Organizations will typically deploy tooling to manage Zero Trust, which controls and applies the policies. That tooling can then alert on anything suspicious using both threat detection/prevention capabilities and behavioral anomaly detection.
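As an added illustration of steps 2 to 4 (this is example code, not part of the original article or any specific Zero Trust product), the following default-deny policy evaluator encodes a user's baseline (allowed hours, devices, locations and resources) and a printer's allowed communication pathways, and reports each violated constraint so that anomalous behavior can be surfaced for review. All user, device and resource names are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample data: per-user policy derived from the "normal" baseline
# learned in step 2. Anything not explicitly allowed is denied (default deny).
USER_POLICIES = {
    "alice": {
        "hours": (8, 18),                 # may log in from 08:00 up to 18:00
        "devices": {"laptop-alice"},      # the device she normally uses
        "locations": {"HQ", "VPN"},       # where she normally logs in from
        "resources": {"crm", "wiki"},     # the minimum set she needs for her job
    },
}

# Constructed device policy: the only acceptable behavior for this printer is
# receiving print jobs from the print server; any other flow is anomalous.
DEVICE_POLICIES = {
    "printer-3f": {"allowed_flows": {("ipp", "print-server")}},
}

@dataclass
class AccessRequest:
    user: str
    device: str
    location: str
    resource: str
    hour: int          # hour of day (0-23) at which the request was made

def evaluate_user_access(req):
    """Return (allowed, reasons). A missing policy or any violated constraint denies."""
    policy = USER_POLICIES.get(req.user)
    if policy is None:
        return False, ["no policy for user (default deny)"]
    reasons = []
    start, end = policy["hours"]
    if not start <= req.hour < end:
        reasons.append("outside allowed hours")
    if req.device not in policy["devices"]:
        reasons.append("unknown device for user")
    if req.location not in policy["locations"]:
        reasons.append("unexpected location")
    if req.resource not in policy["resources"]:
        reasons.append("resource not granted (least privilege)")
    return not reasons, reasons

def evaluate_device_flow(device, protocol, destination):
    """Flag device traffic that falls outside its allowed communication pathways."""
    policy = DEVICE_POLICIES.get(device)
    if policy is None:
        return False, "unmanaged device (default deny)"
    if (protocol, destination) in policy["allowed_flows"]:
        return True, "within baseline"
    return False, f"anomalous flow {protocol}->{destination}"
```

Each denial carries the list of violated constraints, which is the signal the visibility tooling from step 3 would raise as an alert rather than silently blocking.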

5. Improving through automation

Once organizations have set up policies, they can rely on tools that automatically apply them to employees and device assets. This reduces manual overhead and allows organizations to extend Zero Trust across all assets, even as their network and workforce grow.

Zero Trust offers organizations many security benefits, but getting started with adoption is often the biggest challenge.

By following the above steps, organizations can clearly understand the actions required to roll out Zero Trust Architecture across their environment, helping them improve security and increase their overall cyber resilience.