As one of the most highly discussed topics in cybersecurity, zero trust has firmly inserted itself into modern cybersecurity strategies. And while the perceived value of zero trust can vary widely, that hasn’t stopped the cybersecurity community from creating a variety of insights on the topic. To help practitioners wade through the sea of perspectives, what follows is a cascading view that pulls from some of my favorite resources, which I have leveraged over the past few years.
To begin, it is important to understand that zero trust is more philosophy than anything else. I like to start by looking at zero trust through a ‘first principles’ lens. As Microsoft suggests, the goal is to verify access explicitly, limit access and always assume a breach will happen. It is also helpful to consider the seven core tenets that the U.S. National Institute of Standards and Technology (NIST) outlines:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
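To make the tenets concrete, here is an added example (not NIST's or Microsoft's code) of a minimal policy decision point that grants access per session from dynamic policy over identity, entitlement, device posture and MFA strength. All resources, users, devices and thresholds are constructed sample values; the rules are illustrative, not a standard.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    mfa: str        # "none", "otp" or "phishing_resistant"
    device_id: str
    resource: str
    action: str     # "read" or "write"

# Constructed sample state that a real engine would pull from inventory and the IdP.
RESOURCES = {"payroll-db": "high", "wiki": "low"}   # tenet 1: everything is a resource
ROLES = {"alice": {"finance"}, "bob": {"eng"}}
ENTITLEMENTS = {"payroll-db": {"finance"}, "wiki": {"finance", "eng"}}
DEVICES = {"lap-001": DevicePosture(True, True, 5),
           "byod-77": DevicePosture(False, False, 90)}   # tenet 5: posture is measured
MFA_RANK = {"none": 0, "otp": 1, "phishing_resistant": 2}

def decide(req: AccessRequest) -> dict:
    """Evaluate one request against dynamic policy and return a per-session decision."""
    reasons = []
    sensitivity = RESOURCES.get(req.resource)
    if sensitivity is None:
        reasons.append("resource not in inventory")
    # Entitlement check: the subject must hold a role mapped to this resource.
    if not ROLES.get(req.subject, set()) & ENTITLEMENTS.get(req.resource, set()):
        reasons.append("subject not entitled to resource")
    posture = DEVICES.get(req.device_id)
    if posture is None:
        reasons.append("device posture unknown")      # unknown asset: deny, never assume
    elif sensitivity == "high":
        if not (posture.managed and posture.disk_encrypted and posture.patch_age_days <= 30):
            reasons.append("device posture below bar for high-sensitivity resource")
        if MFA_RANK.get(req.mfa, 0) < 2:
            reasons.append("phishing-resistant MFA required")
    else:
        if MFA_RANK.get(req.mfa, 0) < 1:
            reasons.append("MFA required")
        if not posture.managed and req.action != "read":
            reasons.append("unmanaged device limited to read")
    # Tenet 3: the grant is scoped to one session; sensitive resources get a short lifetime.
    ttl = 900 if sensitivity == "high" else 28800
    return {"allow": not reasons, "reasons": reasons, "session_ttl_s": ttl if not reasons else 0}
```

Every decision carries its reasons so the denials themselves become the telemetry that the last tenet asks the enterprise to collect.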
It is imperative to understand your organization’s protect surface, or what Microsoft refers to as defensive areas:
- Identities
- Endpoints
- Applications
- Data
- Infrastructure
- Network
Critical steps to get started with zero trust architecture
Organizations need to strike a balance between uninformed action and over-preparation when launching their zero trust strategy. Start by defining short- and long-term goals and key use cases. Then take stock of relevant capabilities that currently exist within your environment. This should put you in a better place to find a meaningful starting point, which is one of the top challenges that organizations face in the early stages of their zero trust journey.
Common starting points tend to focus on different access paths related to a key application or in support of a business process. Some organizations prefer to start their journey by enhancing key defensive areas such as identity and access management or network segmentation and can include initiatives such as:
- Locking down administrative accounts through the deployment of privileged access management.
- Enhancing visibility and control of cloud assets using a cloud access security broker (CASB).
- Maturing authentication and authorization processes through conditional access controls and enhanced multi-factor authentication.
- Reducing the risks related to lateral movement through micro-segmentation.
It’s also important to note the roles that secure access service edge (SASE) and security service edge (SSE) play within zero trust architectures, as they are often confused. SASE is a framework for designing security and networking architecture in cloud-heavy environments. SSE describes the security capabilities (the “SA” part) within SASE and includes CASB, secure web gateway (SWG), firewall-as-a-service (FWaaS) and zero trust network access (ZTNA) as its main capabilities. SSE does not include the non-security capabilities within SASE that focus on network optimization and performance using technologies such as SD-WAN.
Beware the pitfalls
Resist the temptation to buy something as a first step. Often, technology purchases fall short because they do not properly integrate, lack key capabilities or are purchased without first understanding upstream dependencies. And while asset and data mapping are important efforts, they are extremely time consuming. As such, organizations should start these activities early and find ways to progress knowing these efforts may not be complete. Do not overlook the importance of cataloging and contextualizing existing business processes or defining new processes. It is also important to take an iterative approach to deploying zero trust. Start small and build from there. As many say: It is about the journey, not the destination.
CISO and C-suite priorities for zero trust
The zero trust journey is a long one, but when properly implemented, organizations typically realize numerous long-term business and technological benefits:
- Reduced tech costs on two fronts: simplifying the technology stack can reduce the total number of technologies across the environment while also improving overall efficacy
- Improved governance and ability to comply with regulatory requirements
- Reduced cyber insurance costs
- Improved digital transformation and operational resilience efforts
- Heightened awareness of assets and data
Finally, the CISO needs to make this highly complex plan clear to the C-suite, so its members understand how it will enable the business, enhance risk management and maintain compliance. The C-suite should hold the CISO accountable to the value proposed. While ROI is difficult to measure in cybersecurity, all the value-drivers of zero trust architecture can and should be measured.