Navigating Your Zero Trust Journey to Stronger Cybersecurity


The origin of the zero trust security model stretches back to John Kindervag’s pioneering 2010 paper, No More Chewy Centers. Despite being around for over a decade, zero trust architecture only gained traction in the last couple of years as an essential element for a robust cybersecurity posture. 

By removing any level of default trust given to users, apps, and devices, zero trust presumes the presence of a nefarious actor in your environment at all times. The result is a security paradigm in which you continually analyze risks to critical and confidential assets and processes while taking steps to mitigate those risks through continuous verification.

As cybersecurity vendors rush to deliver new solutions that promise to achieve zero trust, it’s vital to exercise caution around such claims. The truth about zero trust is that it’s a journey to embark on rather than something you simply switch on with the latest trendy tools. This article presents some advice for navigating your zero trust journey and strengthening cybersecurity.

Why Zero Trust? 

President Biden’s May 2021 Executive Order mandating that the U.S. Federal Government move towards zero trust architecture cemented the model’s importance in supplanting traditional perimeter-based defenses to protect critical systems and data. But why has zero trust undergone a swift change from something desirable to something perceived as imperative?

Growing IT Complexity

Growing IT complexity underpins the need for a zero trust architecture. A recent Flexera report highlighted how 89% of organizations now run multi-cloud strategies. In a multi-cloud environment with users accessing resources hosted on the Internet and on-premises, there is no longer an easily identifiable network boundary.

Another element contributing to this IT complexity is the popularity of hybrid workforce models. Many employees now work both from home and at the office, accessing IT resources from a diverse range of devices, including on-premise workstations, personal laptops, tablets, and even smartphones. 

The result of this complexity is a blurred boundary in which it’s harder to guard assets using firewalls and other perimeter-focused security solutions. It’s also impractical to assume inherent trust based on a user’s physical or network location: default trust doesn’t account for the fact that a user on the internal network may have malicious motives or may already have had their account compromised.

A More Dangerous Threat Landscape


The allure of potentially huge windfalls from cyber attacks has attracted more threat actors seeking a slice of the pie. Companies around the globe get inundated with ransomware attacks, phishing emails, and other profit-motivated cyber attacks every day. The threat of nation-state-sponsored attacks further endangers many high-profile, government, and critical infrastructure organizations. 

This more dangerous threat landscape sees traditional defenses more likely to buckle as opportunistic hackers eventually find a way into target networks. While many companies have dedicated incident response teams to respond to in-progress cyber attacks, a better approach is needed to prevent lateral movement before the damage is done. 

A zero trust approach equips organizations to cope with this more nefarious threat landscape by continuously validating access to applications and data. 

Zero Trust: Phases of Implementation 

If zero trust is a journey, what are the steps along the road? Here are some crucial phases of implementation to aim for. 

Improve Visibility


You can’t protect what you don’t know about. Unfortunately, there is a lot that companies don’t know about on their networks. One example is when different departments deploy shadow IT devices, applications, and infrastructure without the oversight of central IT. In one report, 80% of workers admitted to using SaaS apps without approval from IT. 

Comprehensive visibility into devices, identities, data, apps, workloads, privileges, and services is an important initial milestone on the zero trust journey. With IT environments in a constant state of flux, this visibility must be ongoing rather than relying on snapshots. Achieving the zero trust idea of continuous verification requires feeding all of this information into a policy engine so that access requests get accurately evaluated. Useful tools to help gain this visibility include attack surface monitoring, extended detection and response (XDR), and cloud access security broker (CASB) solutions. 

Strengthen Identity and Access Controls

With comprehensive visibility in place, focus on strengthening identity and access controls. If you don’t already use multifactor authentication (MFA), aim to migrate to it for at least your most important apps to ensure better protection for critical workflows and sensitive data assets. 

Also, bolster user access controls by removing redundant access privileges and orphaned accounts, which retain their privileges despite having no valid business owner.

Leverage Automation


Automation plays a vital role in the dynamic threat detection and response capabilities that zero trust promises. This automation must be reliable and not add to the noise that security analysts deal with in their daily work. 

From an identity management standpoint, the switch to risk-based authentication likely requires an identity segmentation solution that moves your perimeter closer to the user and automatically classifies every account (including non-human service accounts). Adopt adaptive MFA, which uses contextual information and business policy to select appropriate risk-based authentication factors automatically.

To get good data on the context of each access request, behavioral analytics backed by machine learning models can prove helpful. Additional security context can be fed into a zero trust policy engine using information from SIEM solutions and threat intel efforts. 
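As an added illustration of the adaptive MFA and policy-engine ideas in this section (example code written for this article, not a product's own), here is a toy zero trust policy engine: each request is scored from constructed signals (device inventory and posture, behavioural baseline, an identity risk score from a hypothetical analytics feed, open SIEM alerts) and the engine picks allow, step-up with a specific factor, or deny. Network location never lowers the score, reflecting the assume-breach stance.

```python
"""Toy zero trust policy engine (example for this article).
Signal names, weights and thresholds are constructed assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    sensitivity: str        # business classification: "low" or "high"
    device_managed: bool    # device appears in inventory (visibility phase)
    device_compliant: bool  # posture check passed (patched, disk encrypted)
    known_location: bool    # matches the user's behavioural baseline
    identity_risk: int      # 0-100 from a hypothetical UEBA/analytics feed
    siem_alerts_24h: int    # open SIEM alerts tied to this identity

def risk_score(req: AccessRequest) -> int:
    """Combine signals into 0-100; a trusted location never subtracts risk."""
    score = req.identity_risk
    if not req.device_managed:
        score += 40
    elif not req.device_compliant:
        score += 20
    if not req.known_location:
        score += 15
    score += 10 * req.siem_alerts_24h
    return min(score, 100)

def decide(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, reason); the factor demanded scales with risk."""
    score = risk_score(req)
    if req.sensitivity == "high" and not req.device_managed:
        return "deny", "policy: unmanaged devices never reach high-sensitivity data"
    if score >= 70:
        return "deny", f"risk {score} exceeds deny threshold"
    if score >= 40:
        return "step_up:fido2", f"risk {score}: require phishing-resistant MFA"
    if score >= 20 or req.sensitivity == "high":
        return "step_up:otp", f"risk {score}: require a second factor"
    return "allow", f"risk {score}: compliant managed device, low risk"

# Constructed sample requests covering each decision branch
REQUESTS = [
    AccessRequest("alice", "wiki", "low", True, True, True, 5, 0),
    AccessRequest("alice", "payroll", "high", True, True, True, 5, 0),
    AccessRequest("bob", "payroll", "high", True, False, False, 10, 0),
    AccessRequest("carol", "wiki", "low", False, False, True, 10, 0),
    AccessRequest("dave", "payroll", "high", False, True, True, 0, 0),
    AccessRequest("erin", "wiki", "low", True, True, True, 40, 3),
]

def evaluate_all(requests=REQUESTS) -> dict[str, str]:
    return {f"{r.user}->{r.resource}": decide(r)[0] for r in requests}

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.user, r.resource, *decide(r))
```

The same user (alice) gets a plain allow for a low-sensitivity wiki but a step-up for payroll, and a stale baseline plus open SIEM alerts (erin) turns an otherwise compliant session into a deny.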

Optimize and Extend

With the basic tenets of zero trust in place, it’s then time to refine your approach with real-time policy enrichment. Analytics drive this enrichment by evaluating current policy efficiency based on user trends, access deviations, software modifications, and data sensitivity changes. APIs and prebuilt integrations can provide the connectivity needed to get big-picture insight into your zero trust implementation. Extend important zero trust controls, such as adaptive MFA, to all apps and services. 

Tips for Succeeding on Your Zero Trust Journey 

Here are some tips to consider for a smoother transition to zero trust security. 

Adopt a Zero Trust Mindset

A basic tenet of succeeding with zero trust is for security professionals to adopt a zero trust mindset. Instead of thinking about zero trust as something you can install, consider it defined by assuming malice in all requests to any IT resource. 

There are no safe or unsafe zones, nor are there catch-all tools that enforce zero trust. The mindset shift is difficult because security professionals are not used to assuming compromise at all times. Viewing zero trust as a mindset shift also allows for flexibility in architectural approaches and solutions, which can mean choosing an identity-driven approach, micro-segmentation, or an overlay network.   

Learn From Other Journeys


A hugely beneficial source of insight on zero trust comes from other companies that are further along the road in their journeys. Many high-profile organizations have documented and reported on their zero trust implementations, including Palo Alto and FedEx. The lessons from these journeys are freely available and worth assimilating, even if those organizations don’t operate in your specific industry.

Establish Realistic Timeframes

In a rush to become aligned with a zero trust model, many organizations don’t establish feasible timelines. To get realistic about the scale of the challenge, it’s worth remembering that the US Department of Defense aims for a five-year transition period to implement zero trust. A further study of ten organizations on zero trust journeys found that the majority reported a three- to five-year implementation period. The multi-year scale of the task can temper your expectations while still recognizing the need for this transition.

Use Least Privilege Access

While zero trust encompasses far more than the least privilege principle, it is a solid bedrock upon which to build your strategy. Move towards least privilege access to ensure users only get access to the applications and associated privileges strictly required for their daily work. The full realization of least privilege in zero trust requires you to grant least privilege access for each request to any resource, but a broad least privilege access strategy is a good start. 

Test and Learn


The best way to understand your zero trust progress is to test it out with simulated attacks. Objective-oriented red team exercises provide valuable feedback on whether you can trust your current zero trust implementation to defend your most valued systems and data. Aside from allowing you to get proactive about cyber defense, offensive security practiced by ethical hackers is a great way to test, learn, and strengthen your zero trust architecture while avoiding the fallout from a genuine cyber attack. 

Gauge Zero Trust Strength with Cloud Range

Cloud Range’s customizable cyberattack simulation training helps gauge the progress of your journey toward zero trust. Of particular value are red team exercises that can uncover gaps and vulnerabilities in your zero trust implementation by authorizing offensive cybersecurity professionals to carry out targeted attacks with specific objectives. These and other cyber simulation exercises provide invaluable lessons to carry forward and tweak your processes, tools, and policies in better alignment with zero trust principles. 
