More organizations have shifted to the cloud, completely transforming the way business is done. For many, the days of solely relying on big on-premise data centers are gone, now replaced with a combination of on-premise and cloud-based applications. As the way we store and access data changes, we are forced to come up with new ways to improve infrastructure and keep it secure. That’s where Zero Trust comes in.
No matter where you are on your Zero Trust journey — maybe you’ve never heard of it, maybe you want to try it but don’t know where to start, or maybe you’re in the thick of it — we’re here to walk you through five steps that will help you understand Zero Trust and how it can elevate your data security.
So what is Zero Trust?
Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access. This vendor-neutral design philosophy allows maximum flexibility in designing infrastructure architecture.
Every access request is fully authenticated, authorized, and encrypted before granting access. Lateral movement is prevented through security policies and least privilege (minimum permissions to do your job). Rich intelligence and analytics are utilized to detect and respond to anomalies in real time.
The Zero Trust Maturity Model
This level is where most organizations are at today. Companies who are at this stage have not started their Zero Trust journey, and generally have:
- On-premises identity with static rules and some single sign-on (SSO).
- Limited visibility available into device compliance, cloud environments, and logins.
At this level, an organization has begun its Zero Trust journey and has started to make some progress. The areas of adoption at this stage are usually:
- Hybrid identity and finely-tuned policies that gate access to data, apps, and networks.
- Devices registered and compliant to IT security policies.
- Networks being segmented and cloud threat protection in place.
- Analytics that are starting to be used to assess user behavior and proactively identify threats.
Although the Zero Trust journey is never complete, at this stage an organization has made great strides and improvements in security through the adoption of:
- Cloud identity with real-time analytics and dynamically-gated access to applications, workloads, networks, and data.
- Data access decisions governed by cloud security policy engines and secured sharing with encryption and tracking.
- Complete Zero Trust in the network – micro-cloud perimeters, micro-segmentation, and encryption are in place.
- Implemented automatic threat detection and response.
Steps to achieve Zero Trust
1. Define your protect surface
Define your protect surface based on the most crucial data, applications, assets, and services elements for your business.
2. Map the information within your surface
There are many ways to map transaction flows, and some techniques for defining your protect surface also apply to mapping its transaction flows.
3. Architect a Zero Trust environment
As you develop the architecture, keep in mind ease of operation and maintenance, and flexibility to accommodate protect surface and business changes.
4. Create Zero Trust policy
Zero Trust policy is based on the Kipling Method. This shows you how to decide whether to allow or block traffic and how to create a security policy that safeguards each protect surface.
- Who should access a resource?
- What application is used to access the resource?
- When do users access the resource?
- Where is the resource located?
- Why is the data accessed — what is the data’s value if lost (toxicity)?
- How should you allow access to the resource?
5. Monitor and maintain
Security is a continuous process as logging and monitoring will reveal needed improvements to make to your policies are your business and infrastructure change. Follow the operational processes you developed when architecting the network to maintain and continually update prevention controls.
Running the Zero Trust marathon
Zero Trust is a marathon, not a sprint. Since it is not a vendor-specific model, you have the ability to adopt this model utilizing a number of different vendors. If you are ready to start your Zero Trust journey or want to talk about where you’re at, reach out to us today.