Taking Zero Trust Security from Idea to Implementation
Here’s what tech leaders need to know about the technical and cultural challenges of zero trust before jumping in.
Whether it’s between leaders, managers and workers, vendors and customers, or companies and regulators, trust lowers the barriers to cooperation and keeps things moving smoothly.
Still, most businesses – and people – recognize that to be too trusting too soon can be a serious disadvantage. And for one emerging network security model, any trust at all is too much.
We’re talking about zero trust, an approach to security that’s experienced skyrocketing interest this past year as enterprises have seen their traditional network perimeters stretched perilously thin by mass remote working and expansion to public cloud and SaaS apps.
In simple terms, zero trust means “never trust, always verify.” Zero trust has become a hot topic for executives since remote access rapidly expanded due to COVID-19 and there was an increase in adversaries looking to exploit remote users and computers. Never trusting and always verifying is more rigorous, proactive and responsive than just building perimeter defenses to keep malicious actors out of your network. Perimeter security is never particularly effective, and with the current trends of having multicloud workloads and applications along with remote access from anywhere on any device, perimeter-based trust models are increasingly failing to provide appropriate safeguards.
Not only does a zero trust approach to security allow businesses to respond faster and with more precision, it also limits the potential for lateral movement of malicious traffic or actors from resource to resource undetected within a compromised environment if a breach was to occur (many of the breaches you’ve read about might have been contained or prevented in a zero trust environment).
Yet for all its rewards, zero trust implementation is a complicated endeavor. Apart from the technical challenges, success depends on engaging and activating multiple stakeholders from across the business, and providing a lot of user handholding.
This article will help tech leaders get their bearings with zero trust as they start to think about how they might implement it themselves.
Exploring the technical aspects of zero trust
We’ll start with the technical aspects. In practical terms, effective zero trust implementation requires not just technology, but also policy and process. It’s not a switch you can flip or a product or service that you can buy, but it does require a blend of tooling distinct from that used in traditional perimeter-based security.
In a zero trust environment, trust zones are built around each application, each device, and your SaaS apps or storage services. Prerequisites for pulling this off without creating a miserable user experience include implementation of an authentication system that allows you to identify devices as well as users. It also requires a microsegmentation capability.
Wrapped around these solutions are strict policies defining which users and devices can access which resources; there can be no more free and open access. Defining these policies and enabling their implementation can be a heavy lift. It requires the understanding of application workflows and dependencies, but there are automation and AI-based solutions to ease some of the burden and the benefit to both security and operations is worth the effort. Zero trust security relies on identity and access management, endpoint control and a mature security monitoring capability.
You must bring people with you on the zero trust journey
It’s important to recognize that implementing zero trust crisscrosses team boundaries throughout the organization. It draws in security, network and IAM teams, along with asset owners and admins, and application owners. This kind of scope means the CIO/CTO will often be the lead, with the CSO/CISO a critical contributor thanks to their perspective on risk management.
You must also invest time in awareness building and socialization of the benefits of zero trust, creating detailed FAQs and sharing them via company newsletters and intranets with plenty of links to resources. Trust us: education and communication prior to rollout can save you a lot of help desk pain as your policy and process changes start going live.
Start small, start critical – and utilize DevOps
You can get off on the right foot with zero trust by starting small to build a series of incremental but highly visible wins. You may want to start with access control and then move inwards toward more complicated data center implementations.
If you start with a baseline across your environment, you can add to this as you discover and classify your workload and data. At the same time, start lining up technology solutions and their configurations. Understand your requirements and select partners to help integrate appropriate technologies to provide for authentication, access control, microsegmentation and monitoring.
Prior to enforcement, we recommend identifying and building your policies and then soft launching your policies in logging mode to help refine your picture of what’s going on in your environment. This offers the opportunity to test processes before launch, to both mitigate the risk of taking down critical systems and to identify patterns and processes that can be automated. From there, adopt rolling implementations to subsets of users – in parallel to your existing security systems at first – to iron out processes and build confidence in the user base.
It’s worth mentioning that it’s likely to be very difficult to get all this right without using agile methodologies within the project to deploy DevOps. The early stages are a lot of work with a lot of changing priorities. So use agile methodologies to move quickly, fail fast and pivot where necessary.
Furthermore, operational overheads can quickly mount, owing to the multiple and ongoing changes and updates to infrastructure and policy. DevOps can help here as you work toward automating user and device updates, or application and systems access flows. With infrastructure as code, for example, systems can be created that allow users to self-serve by registering a ticket for a new device, which then pushes out an update to the infrastructure. There are also technologies now that can help deploy DevOps to legacy workloads as well as apps built in a legacy manner.
Zero trust is worth the effort
Moving to a zero trust security strategy takes several months of hard work and many hours of ongoing monitoring and management. And yet it’s a journey we expect the majority of enterprises will undertake.
The shift we’ve seen to remote work this past year won’t reverse fully. For some, it may become the norm. So executive-level anxieties will remain over whether users’ end points are protected, the mitigation of insider threats, and the risks of lateral movement by intruders should they make it through your perimeter defenses.
It’s not magic; there’s no silver bullet in security. But zero trust is a way to move your organization away from perimeter-based security to a secure access service edge (SASE) as your business continues its digital transformation.
E-book: Zero Trust Security Workbook
About the Authors
Product Engineer - Government Solutions
The role of Product Engineer for Government Solutions is a natural fit for Jeff Tehovnik with his diverse and complimentary skillsets in Development, Cloud Network Infrastructure, and Security. Jeff has been working in IT since 1998 and graduated from Virginia Commonwealth University (BS-IS 2012, MS-CISS 2014) and the SANS Technology Institute (PGC Ethical Hacking & Penetration Testing). Jeff also enjoys research and educating on Technical Information Security Topics including Network Security Monitoring and Advanced Persistent Threats. In addition to recently passing the CCSP exam, Jeff holds the CISSP, GCIH, GPEN, GWAPT, GXPN and VMware NSX: Micro-Segmentation certificates. When he’s not delving into the cloud, Jeff enjoys Reading, Fishing, and Vacationing at the beach with his wife and kids. He is also an avid Hockey Fan.Read more about Jeffrey Tehovnik