5 Steps to Building a Zero Trust Security Model
Concrete steps every organization can take to start the journey toward achieving the end-goal of modern day cyber security protection: Zero Trust.
What is Zero Trust?
Zero Trust is a security concept and framework based on the idea that trust is something greater than network proximity and the endpoints connecting users to corporate systems. In a Zero Trust security model, trust is never assumed. Rather, it's proven through a set of intentional actions, such as user identity and device verification.
User location is no longer considered an appropriate validation metric, and organizations should no longer trust devices simply because they appear on their internal network. This default assumption of trust, based on location, has exposed some organizations to major risks. In a Zero Trust model, access and authorization can be granted regardless of a user’s proximity to the corporate network.
Why the demand for Zero Trust security?
Many organizations have implemented a traditional security model where access and authorization is based on a set of controls at the network perimeter. This traditional security model is being challenged based on the adoption of cloud services (SaaS, IaaS, PaaS) and mobility.
Prior to cloud and mobility, the core of most organizations' data and intellectual property could be found within the four walls of their own data center. This allowed organizations to implement a stack of technical controls based on a binary trust model where users and devices behind the firewall perimeter were trusted, while those external to the firewall perimeter were not.
Organizations now face the challenge of securing data on cloud platforms accessed by managed and unmanaged devices. Traditional security models were never designed to address these challenges.
This is a main driver behind the demand for Zero Trust.
Why adopt a Zero Trust model?
As organizations increasingly adopt cloud services and mobility, they can expect significant architectural changes and security challenges.
At WWT, we understand that organizations must remain competitive and innovative in their markets today. We also know that infrastructure modernization offers many key benefits (e.g., speed, agility and flexibility) that drive the desire to modernize. But these benefits come at a cost that must be weighed against the risks imposed on an organization’s security program.
Traditional security models have gaps that become exposed and more pronounced when customers start adopting cloud services and mobility as part of their enterprise architecture modernization efforts. Obvious gaps include single-factor authentication, flat network design and user identity which, if unaddressed, can make your organization a proving grounds for cyber criminals. All of these gaps can be closed by adopting a Zero Trust model.
Further, while much digital ink has been spilled on the observation that the value of data has surpassed that of oil, I think it’s equally interesting that the adoption of cloud-based services has made this valuable data virtually accessible by any endpoint, at any time, from anywhere in the world. This 24/7 access to data, combined with the persistent growth rate of data usage, has accelerated the demand for building out Zero Trust security models.
5 steps to beginning your Zero Trust journey
While there are many conversations happening in the community around how to fully implement Zero Trust (e.g., Zero Trust eXtended (ZTX), Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA), etc.), this article focuses more on the short-term wins an organization can recognize as it navigates down the path of implementing a Zero Trust security model.
Follow these steps to start your journey:
- Expand your audience: The very first step an organization should take toward Zero Trust involves securing alignment and executive support within the organization. Zero Trust is not exclusively a security team problem to be solved by a single group within the organization. Business leaders must promote and support an enterprise-wide shift in how it provides access to data and applications.
Zero Trust is not a product but a strategy and a concept that can provide major benefits to the business. Business benefits should be clearly documented and well communicated before any technical work is done or decisions made.
- Address asset discovery and inventory: Asset discovery and asset inventory management are core components to effectively implementing Zero Trust. This starts with visibility to all endpoints communicating on your network. If you can’t see what’s on your network, what every device and application are doing, and whether they should be doing what they're doing, you have a visibility problem. You need technology that can discover and manage all endpoints on your network.
Asset discovery and management is an important and critical step to prepare your organization for Zero Trust.
- Understand the importance of data classification: In cyber security, you can’t change or protect what you can’t see. Data visibility is a must, no exceptions. The question to ask is: “Is my data labeled and identifiable?” At a minimum, every organization should have a set of basic data labels and data tags. This provides visibility to how sensitive data flows through your network and defines a structure to govern this data. Sensitive data should be tracked, monitored, protected and only accessed by authorized parties.
There's significant demand for data, and companies who handle data poorly can quickly generate the wrong type of attention.
- Address user identity and least-privileged access early: A fundamental pillar of Zero Trust is providing access to the right people (i.e., identity). This should be understood and addressed at the beginning of your journey. Addressing key security gaps within identity and access management (IAM) architecture, for both on-prem and cloud systems, is a great place to start. This will allow you to document the current level of maturity and document where your organization needs to be to provide the right level of context and access polices.
Implementing single-sign on (SSO) and multi-factor authentication (MFA) are critical components for building a context-aware architecture for employees, partners, contractors and third-party affiliates. There should be policies and governance in place to support user access based on a least-privileged model to ensure the right level of access is granted to achieve a specific task.
- Address enterprise segmentation: Addressing IAM and adopting a least-privileged access model will benefit your organization greatly when addressing enterprise segmentation. Dividing your network into smaller, more isolated segments will reduce the risk of broad lateral movement. Requirement zero should be prevention through reducing attack surfaces.
WWT has a phased approach to enterprise segmentation that can help you evaluate the right technical designs and strategy for a Zero Trust security model. The result of effective segmentation design will protect your organization from a single compromise that subsequently cripples the entire organization. This is true because access is isolated to a specific segment of the network rather than granting access to the entire enterprise.
Security leaders consistently read about data breaches at other organizations. It seems like all of these compromised organizations invested in best-of-breed security technology and had very smart individuals managing and operating their security solutions. If true, why were these organizations breached in the first place and why will more continue to succumb?
If neither technology nor people is the problem, these organizations like have an underlying issue with the security strategy or model being used to govern their assets.
Striving for a Zero Trust security model is not about implementing a single technology, like MFA or a next-generation firewall (NGFW), but about the calculus of those technologies supporting a comprehensive security strategy such as Zero Trust.
WWT has security resources that can support the appropriate high-level strategy and thought leadership discussions needed to evaluate Zero Trust as the right security model for your organization. Our multi-discipline practice is hyper-focused on enterprise segmentation, IAM, endpoint security architecture, cloud security and NGFW solutions to accelerate the journey to Zero Trust.
WWT recommends starting with our Enterprise Segmentation Workshop, where you’ll learn how your existing security posture stacks up against industry standards and discover whether any gaps are preventing you from achieving a truly Zero Trust model.