What emotion does Zero Trust Architecture evoke when you hear the phrase? Do you throw your hands up in the air in resignation, or are you confident you have implemented an effective solution and walked away? If you fall into the latter category, it is important for you to understand the premise of the Zero Trust Architecture (ZTA). According to the National Institute of Standards and Technology (NIST) in Special Publication 800-207, “Implementing a ZTA is a journey rather than a wholesale replacement of infrastructure or processes.” So even when you have designed and built out your infrastructure, you are never really finished.
The industry has been talking about Zero Trust for almost two decades. Gone are the days of the castle-and-moat design, where your entire network was isolated and segmented. Today we have gone from hybrid cloud to multi-cloud, multi-application, and users all over the world. The traditional architecture and network perimeter are long gone, eroded by BYOD, cloud, and now the explosion of remote workers.
And while ZT is an ongoing journey, there are seven key steps you can take to lay the right foundation for supporting a zero-trust model.
Below is a visual representation of the required steps, taken from the NIST guide. Not all are covered in detail.
Here are seven keys to successfully implementing a Zero Trust Architecture:
So, what do you need to do to get started? When people talk about Zero Trust, they are usually relaying a concept, but where do you need to start? You must have 100% control of a few core components but the most important are users and devices. Another critical component after you have robust controls around users and devices will be the Access Proxy. Access Proxies will be covered in a follow-up article.
Identity is a core component that organizations must have control over in today’s climate. Do your users have shared responsibilities and shared logons? Do you allow generic logons to ease user management? This practice must be eliminated. Every user must have a unique identity assigned. When users need common access, they should be placed in groups by job function and/or responsibility. This practice is the first step in managing identity.
Do you have a complete inventory of all devices in your network and assigned to your users? Are these devices managed and kept up to date? This is a core tenet of Zero Trust. Every device should be evaluated prior to authorizing access and continually monitored throughout the user’s application access session for changes to the baseline configuration.
The Access Proxy must be able to validate users and devices, consistently apply and enforce policies throughout all access sessions, and terminate access if any user or device falls outside of policy during the access session. The key use case is the ability to stand up the same access policies in front of all applications (legacy and modern) and leverage the innovation happening in the cloud with IDaaS providers (SSO, MFA, etc.).
One of the core concepts of Zero Trust security is the principle of least privilege. Depending on their role, users are only granted access to files and applications they need, without getting access to any other information or systems beyond what is required.
The adoption and near universal implementation of encryption has taken place for ensuring data privacy and security. However, the lack of visibility has hindered organizations to effectively monitor and control data. Some situations require that this encryption not be tampered with, i.e., financial and healthcare data. Without visibility, intelligent decisions cannot be made and applied on encrypted traffic. One must inspect this encrypted traffic to ensure compliance with policies and control measures are being met. Organizations must walk a tightrope between confidentiality and visibility.
Finally, it is important to monitor and manage user behavior. You must monitor the initial posture of user devices and any changes that may occur during the user session. In addition, you need to continuously monitor and adjust access policy based upon changes to any of these parameters. No longer is it appropriate to evaluate these parameters at the initial login and then allow unfettered access, as traditional VPNs have done.
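The unique-identity, device-posture, access-proxy, least-privilege and continuous-monitoring points above all come together in one decision function. The following is an added example, not code from the article or from NIST: a toy policy decision point that refuses shared accounts, requires MFA and a compliant managed device, grants applications only by group membership, and re-evaluates an open session so that a device drifting from its baseline mid-session terminates access. All users, devices, group-to-application mappings and the 30-day patch threshold are constructed assumptions.

```python
"""Toy Zero Trust policy decision point (added illustration, not the article's code).

Every user, device, application mapping and threshold here is constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class User:
    user_id: str
    mfa_verified: bool
    groups: Set[str]
    shared_account: bool  # True for generic/shared logons, which the policy rejects


@dataclass
class Device:
    device_id: str
    managed: bool
    os_patch_age_days: int  # constructed posture signal: days since last OS patch
    disk_encrypted: bool


# Constructed least-privilege mapping: application -> groups allowed to reach it
APP_ACCESS = {
    "payroll": {"finance"},
    "crm": {"sales", "finance"},
    "wiki": {"sales", "finance", "engineering"},
}

MAX_PATCH_AGE_DAYS = 30  # assumed posture baseline


def device_compliant(device: Device) -> bool:
    """Device posture check: managed, encrypted and recently patched."""
    return (
        device.managed
        and device.disk_encrypted
        and device.os_patch_age_days <= MAX_PATCH_AGE_DAYS
    )


def evaluate(user: User, device: Device, app: str) -> Tuple[bool, str]:
    """Decide a single access request. Returns (allowed, reason)."""
    if user.shared_account:
        return False, "shared or generic account: no unique identity"
    if not user.mfa_verified:
        return False, "user not MFA-verified"
    if not device_compliant(device):
        return False, f"device {device.device_id} outside posture policy"
    allowed_groups = APP_ACCESS.get(app)
    if allowed_groups is None:
        return False, f"unknown application {app}"
    if not user.groups & allowed_groups:
        return False, f"least privilege: {user.user_id} has no role for {app}"
    return True, "allowed"


class Session:
    """An access session that is re-evaluated, not just checked at login."""

    def __init__(self, user: User, device: Device, app: str):
        self.user, self.device, self.app = user, device, app
        self.active = False
        self.log: List[Tuple[str, bool, str]] = []

    def start(self) -> bool:
        ok, reason = evaluate(self.user, self.device, self.app)
        self.active = ok
        self.log.append(("start", ok, reason))
        return ok

    def recheck(self) -> bool:
        """Re-apply the same policy mid-session; terminate on any drift."""
        if not self.active:
            return False
        ok, reason = evaluate(self.user, self.device, self.app)
        if not ok:
            self.active = False
            self.log.append(("terminated", False, reason))
        else:
            self.log.append(("recheck", True, reason))
        return self.active


def run_demo() -> List[Tuple[str, bool, str]]:
    """Constructed scenario: a compliant session whose device drifts out of policy."""
    alice = User("alice", mfa_verified=True, groups={"finance"}, shared_account=False)
    laptop = Device("lap-001", managed=True, os_patch_age_days=5, disk_encrypted=True)
    session = Session(alice, laptop, "payroll")
    session.start()                   # allowed: MFA, compliant device, finance group
    session.recheck()                 # still allowed
    laptop.os_patch_age_days = 45     # posture drifts past the baseline mid-session
    session.recheck()                 # policy re-applied: session terminated
    return session.log
```

The point of `Session.recheck` is that it calls the very same `evaluate` the login used; nothing about the session is trusted because it was once approved. A real access proxy would feed the posture fields from an endpoint agent or MDM and the group memberships from the IdP, but the decision shape is the same.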
Now that I have detailed what I feel are the keys for implementing a Zero Trust Architecture it is time to start the journey.