9 Steps to Implementing a Zero Trust Cybersecurity Framework
A primary goal for a lot of businesses and IT teams for the rest of 2022 and into next year is implementing a Zero Trust cybersecurity framework. This is especially important as the shift to remote work is increasingly looking as if it’s permanent rather than a temporary and fleeting trend stemming from the pandemic.
In traditional cybersecurity approaches, there is a perimeter protected by the firewall. The assumption underlying this approach is that the perimeter, of course, exists in the first place, meaning that employees are working on-site.
The perimeter and firewall security approach quickly become obsolete with remote and hybrid workplaces, as well as the growing multi-cloud environment.
That then leads to the need for a different way to manage security that takes into consideration the fact that a perimeter doesn’t exist at all.
Then, we see why Zero Trust is probably that management approach.
What is Zero Trust?
As more companies migrate to the cloud and employees work in different environments, trust but verify doesn’t work anymore for access to assets. Instead, Zero Trust is based on a philosophy of never trusting and always verifying.
In the model of Zero Trust cybersecurity, all users, applications, and devices connecting to the network and already connected are authenticated, authorized, and monitored in an ongoing way. This makes sure configurations are appropriate before they gain access to data and networks, whether they’re on-site or remote.
With an on-premises, traditional network architecture, users and devices were considered trusted when they connected to networks.
This assumption came from the fact that you could limit activity through firewalls and hardwired connections.
Now, Zero Trust lets organizations reduce risk through continuous authorization and authentication.
The Basic Principles
Some of the basic principles of Zero Trust include:
- The assumption of breach
- Assumption that the environment owned by the enterprise is no more trustworthy or different than the non-enterprise-owned environment
- Continuous evaluation of risk
- Constant analyzing
- Continuous enactment of risk mitigation protections
- Minimized access to resources and assets for users
- Continuous authentication of identity for each access request
There isn’t one specific approach to Zero Trust that’s going to work across all organizations. Instead, it has to be carefully customized and tailored to the needs of the specific business.
There’s also not one piece of technology you can put in place and say that you have Zero Trust. It’s a philosophy.
Delving into more of the principles of Zero Trust, we often see the following:
- As mentioned, continuous validation and monitoring are important since the assumption is that attackers exist within and outside the network. There’s never automatic or inherent trust for any user or machine. Zero Trust verifies not only user identity but privileges and device security and identity. Connections and log-ins will time out once established at intervals so that a user or a device is forced to be re-verified.
- Least privilege means users have access to only what they need. It’s like being on a need-to-know basis, reducing exposure to sensitive areas of the network. Least privilege implementation requires the management of user permissions. VPNs are not a good method for least privilege approaches because when a user logs into a VPN, they have access to the entire connected network.
- Zero Trust requires that device access be subject to strict controls. Zero Trust systems have to monitor how many devices are trying to access their network and make sure that each is authorized. All devices have to be assessed to make sure they aren’t compromised, further reducing the potential network attack surface.
- Micro-segmentation is needed in a Zero Trust network because it breaks perimeters into smaller zones. This helps prevent lateral movement, which occurs when bad actors gain access to a network and then can otherwise move to other parts.
- Multi-factor authentication (MFA) requires more than a single piece of evidence for user authentication. Entering a password alone isn’t enough for access.
With the above in mind, the following are some of the general steps an organization might take to begin taking a Zero Trust approach to cybersecurity.
Steps to Implement Zero Trust
Your process could look somewhat different from the steps below, but overall they’re general enough to give you a good guide to what you need to do.
1. Identify the “Who”
First, you need to understand the “who” of your system. You need to know what your system encompasses. This includes not only who your users are but also who the threats could be.
You’ll need to gather detailed information about individual users and characteristics, all nonperson entities and what their functions are, and the roles and attributes associated with each account.
While this is your initial step to implementing Zero Trust, it’s not something you finish. You never can think of it as a one-and-done because you’re always gathering this information. It changes, grows, and evolves over time, and this will affect your approach to Zero Trust.
If you’re in a very regulated environment, you might already know what your data is and what’s most sensitive, which can help you here and going forward.
2. Identify Your Security Priorities
You can’t immediately implement Zero Trust and expect it’s done. As much as it’s a philosophy, it’s also a process.
That means you have to start with what you can manage initially.
Think about the critical assets or applications that would most benefit from Zero Trust. You also have to keep in mind that you want to be able to demonstrate ROI throughout the process.
This is a learning process, so you’re going to want to understand what you want to protect now and what can wait.
3. Define an Attack Surface
Defining your attack surface is something you should be ready to do by now. You should already know the areas you need to protect initially.
If you still aren’t exactly sure, think about your most sensitive data and the critical applications that play a role in your primary business processes. You want to consider your physical assets like IoT devices and point-of-sale terminals, as well as parts of your infrastructure that support the daily work of your employees and executives.
4. Identify Processes
After you know the applications your company is using, you should be at a point where you can start to define key processes. This step can happen earlier on or not. You’re going to be putting controls around these processes, so in doing so, you want to analyze performance, user experience, and how the controls have the potential to impact workflows.
5. Establish Policies
For every user, key business process, and technology you’ve defined so far, you’ll start establishing specific policies.
To begin, for every workflow, you need to identify the upstream resources, which are the things flowing into an asset like databases and systems. Then you’ll define downstream resources like event logs and, from there, entities, which are connections to the asset.
6. Solutions
As we mentioned above, Zero Trust doesn’t have one particular solution or piece of technology you can rely on. You’ll be choosing your tools based on your business goals.
As you identify solutions, think about whether they could require changes to behavior and whether a solution will provide broad support for protocols, services, and applications.
Will the solution allow you to log interactions for continuous analysis, and will it require any components to be installed on an asset?
7. Deployment
Once you’ve identified your solutions, you’ll begin to deploy them. Your priority with deployment is to reduce business interruption.
There are different ways you can do this. You might initially operate in monitoring and observation mode, for example, or ensure that all privileged user accounts have the necessary access.
8. Monitoring
After you figure out that everything is working as you intend it to, you’ll do a period of monitoring in most cases.
You should have a baseline set for monitoring. You also want to monitor your general policy functions.
9. Expand Your Architecture
After your initial round of migration is complete, you can begin to expand your architecture. By this time, you should have a good understanding of all of the parts of your network, you should have baselines and logging data, and you should be able to expand your general framework.
Finally, as a rule of thumb, try to focus on business outcomes instead of security outcomes. This is important because it’s what’s going to allow you to get buy-in from non-security-minded people like your board or executives.
You want to be able to show how your processes are not only improving security but also efficiency and compliance.
There will be changes that you make to the above steps to make it work for you, but it does give you a good idea of how to start. Eventually, you can automate many of your practices from end to end, with the bulk of your focus being on monitoring and analyzing, as well as making changes as needed. It’s doubtful that the need for Zero Trust is going to decline for most organizations in the coming years. Instead, it looks to be the new standard in the near-future.