Zero Trust Demystified - How to implement a Zero Trust Framework in 2022
Zero Trust security, or Zero Trust Architecture (ZTA), has become a buzzword in recent years with the rise of data proliferation, remote working and digital business. Organisations are keen to learn how to create a Zero Trust Network (ZTN), but most are unclear on how to actually implement it.
In this blog we simplify and demystify what Zero Trust is (and is not) to support your organisation to draw tangible conclusions on how you might start implementing a Zero Trust Architecture in 2022.
What is Zero Trust?
Zero Trust is a security framework that redefines how organisations and individuals view and act upon the IT security perimeter. In fact, the idea of the perimeter itself has changed, and rightfully so.
Under the traditional model, an on-premises firewall protected the network perimeter and an endpoint agent protected the device; anything inside the perimeter was implicitly trusted. That perimeter has largely dissolved. Now that most organisations have moved to the cloud in some way and users work from anywhere, a firewall at the network edge cannot tell a healthy device from a compromised one, and you cannot assume a device is secure simply because it is on your network.
Zero Trust removes this assumption of a trusted interior with an explicit rule: no user, application or device is trusted by default, i.e. ‘trust nothing, verify everything.’
There are real business implications to not implementing Zero Trust. Ransomware attacks have increased sharply, remote work is now the norm for most businesses, and the way people work has been disrupted repeatedly by the global pandemic. It’s safe to say: it’s time for Zero Trust.
Zero Trust is about designing and architecting security and networks where nothing is trusted until it can prove its trustworthiness, where the perimeter is moved as close to the devices, data or applications as possible.
Zero Trust is not one single technology, you can’t buy Zero Trust off the shelf, nor is it a single service offering. It’s a long term strategy and shift in organisational mindset that informs all IT security decision making, and it is built upon people, process and technology (we’ll cover this more in our next blog).
There are three high-level principles that must be in place for an architecture to be considered Zero Trust:
- ‘Inside the network’ doesn’t exist
A simple way of thinking about this is to imagine that there is no such thing as ‘inside the network’, therefore every device is open and accessible on the internet, just as if you were working at a coffee shop.
- ‘Trust nothing, verify everything’
Once implemented, a Zero Trust framework operates on the assumption that a breach has already taken place: nothing is trusted by default, and every request must be verified before access is granted.
- Adaptive Security Policies
Security policies must adapt in real time, changing dynamically based on insight from monitoring tools. For example, when a device becomes compromised, the access that device has to other devices, applications and data must be revoked, and that must happen automatically (not after a manual rule change) for the architecture to be deemed Zero Trust.
Where to start with implementing Zero Trust
1. Map your environment:
The best place to start is to assess your current environment by taking an inventory of all assets across the entire organisation: resources, applications, software, services and data. Essentially, if you’re not clear on what you’re protecting, you cannot assess where you sit against the Zero Trust framework and you’ll waste time and resources down the line.
2. Assess the pathways and process flows:
Once you’re clear on your inventory, you can begin to assess the most important process flows across your business departments. What is most critical for your team to work productively and efficiently? What is permissible across each function and region of the business? The goal is to grant least-privilege access in order to minimise the attack surface. For instance, what is permissible for your Human Resources department in each location, and what is not necessary? HR in Australia, for example, may not need access to HR data in China.
This step will help you to assess the pathways and process flows across your devices, applications, people and services before you begin determining the technology necessary to put the policies and rules in place.
3. Design Policies and Rules for the Microperimeter:
Once you’re clear on the core pathways and workflows you can begin to define the policies and rules for the microperimeter. A microperimeter is a policy boundary drawn around an individual application, data set or workload rather than around the network as a whole, so that access is decided per request at that boundary. This gives far finer granularity than a single network edge, minimises the attack surface at every layer of the IT environment and, ultimately, embeds Zero Trust as a core principle across your policy engine and Zero Trust Architecture strategy.
At this stage it's important to involve key stakeholders across the business and IT security team, to ensure that once the policies are enforced, the organisation is behind them and users can be educated appropriately.
4. Ongoing monitoring and enforcing of the Zero Trust Architecture:
In order for Zero Trust to work effectively, ongoing monitoring and governance must be in place, and as dynamic as possible. At this stage, the rules for the microperimeter can be enforced, and the rollout of your Zero Trust Architecture can begin. This process can take time and may require significant internal resources.
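As an added illustration (this is not code from the original post or from Cloud Solutions Group), the following Python sketch ties the three principles and steps 2 to 4 together in one place: a small policy decision function that evaluates every request on identity, device posture and resource attributes, with a live compromise signal from monitoring able to flip the decision without any rule change. The attribute names, the SignalStore and the HR Australia / HR China scenario data are all constructed for the example.

```python
"""Minimal Zero Trust policy decision point (PDP), constructed for illustration.

Every request is evaluated on its own merits. Note what is deliberately NOT an
input: whether the caller is "inside the network". Network location confers no trust.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    department: str
    region: str
    mfa_verified: bool          # identity verified explicitly for this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled in device management
    disk_encrypted: bool
    patched: bool


@dataclass(frozen=True)
class Resource:
    name: str
    owner_department: str
    region: str
    sensitivity: str            # "low" or "high" (constructed classification)


@dataclass
class SignalStore:
    """Hypothetical feed of live risk signals from EDR / SIEM monitoring."""
    compromised_devices: set = field(default_factory=set)


def decide(subject: Subject, device: Device, resource: Resource,
           signals: SignalStore) -> tuple[Decision, str]:
    """Return (decision, reason) for a single access request."""
    # Assume breach: a live compromise signal overrides every static rule
    # (principle 3, adaptive policy). The rules below never change; the signal does.
    if device.device_id in signals.compromised_devices:
        return Decision.DENY, "device flagged compromised"
    # Verify the identity explicitly (principle 2).
    if not subject.mfa_verified:
        return Decision.DENY, "MFA not verified"
    # Verify the device explicitly; a coffee-shop laptop gets the same scrutiny
    # as one in the office (principle 1).
    if not (device.managed and device.disk_encrypted and device.patched):
        return Decision.DENY, "device posture not compliant"
    # Least privilege around the microperimeter (steps 2 and 3): department must
    # match, and sensitive data stays within its region.
    if subject.department != resource.owner_department:
        return Decision.DENY, "department mismatch"
    if resource.sensitivity == "high" and subject.region != resource.region:
        return Decision.DENY, "cross-region access to sensitive data"
    return Decision.ALLOW, "all checks passed"


def demo() -> dict:
    """Run the constructed HR scenarios and return {scenario: (decision, reason)}."""
    alice = Subject("alice", "HR", "AU", mfa_verified=True)
    alice_no_mfa = Subject("alice", "HR", "AU", mfa_verified=False)
    bob = Subject("bob", "Finance", "AU", mfa_verified=True)
    laptop = Device("laptop-1", managed=True, disk_encrypted=True, patched=True)
    byod = Device("phone-9", managed=False, disk_encrypted=True, patched=True)
    payroll_au = Resource("hr-payroll-au", "HR", "AU", "high")
    payroll_cn = Resource("hr-payroll-cn", "HR", "CN", "high")
    handbook_cn = Resource("hr-handbook-cn", "HR", "CN", "low")
    signals = SignalStore()

    results = {
        "hr_au_to_payroll_au": decide(alice, laptop, payroll_au, signals),
        "hr_au_to_payroll_cn": decide(alice, laptop, payroll_cn, signals),
        "hr_au_to_handbook_cn": decide(alice, laptop, handbook_cn, signals),
        "finance_to_payroll_au": decide(bob, laptop, payroll_au, signals),
        "no_mfa": decide(alice_no_mfa, laptop, payroll_au, signals),
        "unmanaged_device": decide(alice, byod, payroll_au, signals),
    }
    # Monitoring now reports laptop-1 compromised. Same user, same device
    # attributes, same rules; the decision changes on the next request.
    signals.compromised_devices.add("laptop-1")
    results["after_compromise_signal"] = decide(alice, laptop, payroll_au, signals)
    return results


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:28s} {decision.value:5s} {reason}")
```

The point of the last scenario is the one step 4 depends on: enforcement only counts as Zero Trust if the compromise signal reaches the decision point continuously, so that an already-authenticated device loses access on its very next request rather than at the next policy review.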
The steps laid out in this blog give you a simplified starting point to begin your implementation journey, but it’s only the beginning. Leveraging external consulting can make the process more streamlined and can simplify the implementation process significantly. In our next blog we’ll define the three building blocks of Zero Trust Architecture in more detail, including factors of consideration across people, process and technology.
Our cybersecurity expert team at Cloud Solutions Group have built a Zero Trust Architecture Assessment and Roadmap process to achieve a pathway to Zero Trust.
In this assessment and roadmap engagement we work with you to:
- Identify and document your cybersecurity perimeter
- Review security architecture against modern threats
- Assess readiness for simulated attacks
- Highlight a maturity scale of cybersecurity improvements
- Assess the suitability and configuration of all your Zero Trust Architecture components, including Identity & Access Management, Email Gateways, Endpoint Detection and Response systems, Device Management and many more.