Embarking on a Zero Trust journey

Embarking on a Zero Trust journey

If feeling overwhelmed at the scope of the Zero Trust architecture, get the basics out of the way first. Here’s how.

You’ve heard it all before − the IT landscape is spreading, with hybrid infrastructure combined with SaaS applications, hosted plus on-premises environments and remote workers − all adding to the sprawl and all with one goal: they want access to your network. But how to secure it?

You could consider restricting access to everyone but that’s not a practical approach. as business operations still need to continue and users need access from anywhere. The trick is to provide access while restricting it at the same time – quite a conundrum. But where do you start?

Start by defining your approach to a Zero Trust architecture. What does ‘never trust, always verify,’ really mean?

The first use of the term can be traced to 1994, when it was coined by Stephen Paul Marsh as part of a doctoral thesis. But it only really gained traction in 2010, when Forrester further developed it as an information

security model comprising various pillars, namely: devices, people, networks and workloads surrounding data, encircled by visibility, analytics and automation/orchestration.

Investment is required but start by leveraging known tools and then build on cyber security requirements as organisational elements allow, and as they grow and evolve.

The trick is to provide access while restricting it at the same time – quite a conundrum.

First, have the basics in place; by that I mean a robust endpoint protection solution that aligns to a Zero Trust architecture. Anti-virus is antiquated in many respects as it offers a basic level of protection or a tick-box approach.

What is needed is a solution that covers the entire attack chain from pre-attack to post-breach. This approach will not only help to navigate pre-attack controls proactively, but will also facilitate investigation, monitoring, forensics and analytics, in the event a breach occurs.

But why is the latter important? Simply put: when suffering a breach, it’s important to understand why and so this part is crucial to prevent further attacks, improve security posture and identify where the attack vectors exist.

Next, examine identity and access management policies − who has access? What access do they have? And lastly, do they need that level of access? All too often companies allow unfettered access to employees – this is very risky. Too much access equates to residual risk.

Implementing access controls shouldn’t be cumbersome; rather they need to be defined according to scenarios, maintained and then controlled. One such scenario is to identify both the user and their point of access to the app or data. Then, locate where the latter resides and thereafter look at the transaction chain and what security processes are in play to secure the link between the user and the data.

Ensure multi-factor authentication is used throughout the organisation as a blanket policy for every application − this instils a security first mindset and culture. If the organisation can invest in identity and access management or privileged access management toolsets, it will be better controlled, managed, and most importantly enforced. This should be an automated process that aligns with procedures around staff joining or leaving the business.

Identify users and devices connecting to the organisation that are both managed and unmanaged. Explore how to provide access to remote users from unmanaged devices, and be clear on what policies are in place for these unmanaged devices. Ask how they can be better secured, what risks they pose and if they are a single point of failure.

Managed devices need scrutiny too: how are they being managed and what policies are enforced? How are the accessed and by whom, which takes us back to access management.

So, assuming the company has done the above, it’s now time to bolster the Zero Trust framework – but what’s next?

Implement a Zero Trust platform. The best way to kick this off is by evaluating the needs of the business − understanding the entire architectural landscape, while grasping future organisational requirements, including where the data, applications and users will reside.

Again, looking at the flow of user access to data access will help guide the answer to the above question. Do you need to secure cloud and on-premises data – this is most likely. What does this look like, and have you got a preview of what this looks like and includes?

Integration is key, so if the company has decided a platform is required and has made existing investments into endpoint, SOC/SIEM (more about threat management, unlike Zero Trust principles which pertain to access and threat prevention), identity and access management solutions, then it needs to question if the platform can seamlessly integrate to these existing investments.

Also ask if it can offer the most holistic protection combined with simplicity, cost and user experience. Crucially, can it offer the best protection and broadest coverage? All organisations are cost-conscious, but must ask what’s the cost of doing nothing or opting for the cheap and cheerful alternative. Is this putting the business at greater risk by creating an optimistic peace of mind approach?

Finally, once the solution has been selected, ensure it is configured with the correct policies; administrators are well-versed and trained in the management and updating of these policies, and ensuring procedures are followed, documented and enforced.

If the latter seems like a big undertaking, partner with a specialist cyber security partner to help get it off the ground and ensure the full capability and potential of the solution and investment can be utilised.

Cyber security is not a one size fits all and covers all bases; it’s a continuous improvement process that the business ultimately guides. Never stop looking at the security posture today versus the next, as the rapid change in threats waits for no one and neither should your strategy.

Written by: Ian Oelofse, CASA pre-sales solution architect

Originally featured here