You must be “this tall” for Zero Trust


Realistic prerequisites for your Zero Trust journey.


Introduction

A Zero Trust security strategy strengthens security while simplifying operations. However, if you don’t have some of the fundamental pieces in place before you start, it could result in additional complexity. Worse, it could increase risk and exposure to vulnerability if you haven’t covered all the bases and got your cybersecurity house in order.

What is Zero Trust?

It’s our best defense against growing threats in a “perimeter-less world”, driven by the increasing use of cloud services and remote workforces. While you don’t need a perfect InfoSec program in place to start your Zero Trust journey, you do need some basics in place before you can “get on the ride.”

Zero Trust is a strategy for preventing and containing breaches by removing the trust relationships we have in digital systems.
— George Finney, 2023

A Zero Trust journey can feel like a roller coaster - what’s required to get on the ride?


Fundamentals

Identity and Access Management (IAM)

Identity is the heart of Zero Trust - identity, along with context, is the new perimeter; the combination of these attributes is used to determine access.

Your IAM environment doesn’t have to be perfect, but it cannot be “broken”, either
— Jason Garbis and Jerry W. Chapman, 2021, p. 91, in Zero Trust Security: An Enterprise Guide

You should have IAM policies defined with clear ownership, and a strong grasp of how people join, move, and leave across the organization. You must have a solid understanding of how each of these events results in access being granted, changed, or revoked.

There should be a system in place to manage your IAM, known as an Identity Provider (IdP). You need at least one; the more comprehensive the better, and one that manages all access for all resources is ideal. There may be more than one IdP in place, and that's OK - you just need to be aware of every IdP so you don't miss a hidden authentication entry point.

Your IAM program and IdP should enforce strong authentication, such as complex passwords and multi-factor authentication (MFA). Additionally, your IdP should support single sign-on (SSO). SSO strengthens security by simplifying how you manage access, consolidating disparate sources of authentication into a unified workflow. If you do not have MFA or SSO in place, you should plan to implement them as part of your Zero Trust journey.

Many organizations refer to these policies, procedures, and technologies as an identity governance program. If your identity governance program is not well defined, is poorly documented, or is represented by tribal knowledge, a Zero Trust initiative is the perfect opportunity to address that. Clarity of your identity governance program is required for a successful Zero Trust strategy.


Asset Inventory

You can't protect what you don't know about. Zero Trust doesn't fix this, but as Zero Trust is implemented in an iterative fashion, it could help surface unknown assets and illuminate “shadow IT”.

Collectively referred to as “DAAS” (data, applications, assets, services), a clear picture of your assets is key for a Zero Trust journey. However, it does not necessarily need to be complete before you begin. The recommended Zero Trust implementation process is iterative, working through one protect surface at a time and, for each, identifying all assets that comprise that protect surface.

This process allows an organization to start with a small, bounded initial protect surface (or set of DAAS elements), work through the rest of the steps with that initial protect surface to establish their approach, and then add additional protect surfaces as their zero trust strategy matures and expands.
— NSTAC Report to the President on Zero Trust and Trusted Identity Management, February 2022

That said, you do need a grasp on some of the fundamental building blocks of your asset portfolio.

You need an inventory of infrastructure, including network infrastructure, sites (offices, “on-prem”/colocation facilities), servers, storage, etc. Especially critical is a clear inventory of security infrastructure - VPNs, firewalls/NGFWs, IDS/IPS appliances, WAF devices, NAC devices, etc.

A strong understanding of your network design (VLANs, WANs, P2P tunnels, etc.) is also key, as well as an understanding of network traffic flow along with a grasp of normal network behavior. You must have awareness of all paths network traffic can take. This is key as your Zero Trust strategy will require you to intercept/verify traffic at key points throughout the architecture.

In addition to your physical infrastructure, clarity of your cloud computing infrastructure (IaaS/PaaS) is also needed. Ideally you have a grasp of all cloud-based assets and cloud tenants, along with an understanding of the cloud security controls in place, including access controls, intrusion detection systems, and monitoring/analytics. A clear understanding of your organization’s connectivity to your cloud infrastructure is also key, such as direct interconnects and/or peering to all cloud service providers in use by your organization.

A full inventory of applications is needed, with a strong grasp of the most business-critical applications and the applications that handle highly sensitive data. The inventory should also cover all application platforms (hypervisors, Kubernetes, service meshes, etc.), development platforms, deployment pipelines, and SaaS services in use.

Especially important is awareness of services such as a secure gateway (SGW) or a cloud access security broker (CASB). While these are not necessary to start your Zero Trust journey, if they are in place you need to know about them.

Finally, your data assets - a full data catalog. This should include locations of all data, categorized from the most critical, most sensitive, most highly regulated to the least critical, least sensitive, and public. It would be ideal for your data catalog to include data owners, data custodians, and data flows. If you abide by GDPR, CCPA, or many of the ISO regulatory bodies, you will likely have this data catalog already and will be in a much better place to start your journey.

Data is the most important asset that needs to be secured. You must have a strong understanding of where all of your data stores are, how they are accessed, and all of the various data flows.


Monitoring and Analytics

Zero Trust requires continuous monitoring and analysis of network traffic.

A key Zero Trust design principle: Inspect and log all traffic - all traffic going to and from a protect surface must be inspected and logged for malicious content and unauthorized activity, up through Layer 7.

You should have a consolidated logging facility such as a SIEM in place. A SIEM is the best capability to receive and correlate the data captured by Zero Trust technologies you put in place. A Zero Trust journey increases the value of your SIEM investment through the enrichment of log data with identity, device, and context information.

A security operations center, or SOC, should also be in place to detect and respond to incidents and anomalies. Oftentimes organizations use an MSSP to provide this capability. If a SOC is not in place, you should consider establishing one as part of your Zero Trust journey.

Finally, while a security orchestration, automation, and response (SOAR) platform isn’t necessarily required, if you have one or plan to have one, a Zero Trust journey can help make the automated responses even more acute and effective.


Policies

You should have a baseline set of policies, such as your organization’s Security Policy, Data Privacy Policy, Identity and Access Management Policy, etc. These policies will be used to “codify” a Zero Trust policy engine, and used by automated systems to make access decisions.

At minimum, you should have an understanding of what team/what role needs what access to what data/what application for their job function.

The Kipling method, aka “5W1H” (who, what, when, where, why, how), is often used to help think through all of the various workflows, and the objectives of those workflows, from which policies can be compared and derived.
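To make the idea of a policy engine concrete, here is an added illustration (not code from the original article) of a deliberately small, default-deny engine whose rules are Kipling-method statements: a request is allowed only when all six dimensions match a rule, and every decision is logged so it can be forwarded to a SIEM. The roles, resources, zones and device-posture labels are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request, described along the six Kipling dimensions."""
    who: str    # role asserted by the IdP, e.g. "payroll-analyst" (constructed)
    what: str   # protect-surface resource, e.g. "hr-payroll-db" (constructed)
    when: int   # hour of day (0-23) at which the request arrives
    where: str  # network zone the device is in, e.g. "corp-lan" (constructed)
    why: str    # business workflow the access belongs to
    how: str    # device posture reported by the endpoint agent


@dataclass(frozen=True)
class Rule:
    """A Kipling-method policy statement: every dimension must match."""
    who: frozenset
    what: frozenset
    when: range
    where: frozenset
    why: frozenset
    how: frozenset

    def matches(self, r: Request) -> bool:
        return (r.who in self.who and r.what in self.what and r.when in self.when
                and r.where in self.where and r.why in self.why and r.how in self.how)


# Constructed sample policy: payroll analysts may reach the payroll database during
# business hours, from corporate zones, for the payroll-run workflow, only from a
# managed device that completed MFA. Anything not explicitly allowed is denied.
POLICY = [
    Rule(who=frozenset({"payroll-analyst"}), what=frozenset({"hr-payroll-db"}),
         when=range(7, 19), where=frozenset({"corp-lan", "corp-vpn"}),
         why=frozenset({"payroll-run"}), how=frozenset({"managed+mfa"})),
]


def decide(policy, req: Request, audit_log: list) -> bool:
    """Default-deny evaluation; every decision is appended to audit_log for the SIEM."""
    for idx, rule in enumerate(policy):
        if rule.matches(req):
            audit_log.append(f"ALLOW rule={idx} who={req.who} what={req.what} where={req.where}")
            return True
    audit_log.append(f"DENY who={req.who} what={req.what} where={req.where} how={req.how}")
    return False
```

Changing a single dimension (an unmanaged device, an off-hours request, a different role) flips the decision to deny, which is the behaviour a "codified" policy engine is meant to give you.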

Oftentimes compliance reports can help surface all of the various policies in place across the organization.


Security Awareness Training

You should have a regular security education and awareness program in place across the organization as you will use this to educate the organization on the changes that will come with a Zero Trust strategy. If you do not, you will at least need to put one in place as part of your Zero Trust journey.


Executive Sponsorship

For your Zero Trust initiative to be successful, it is crucial to have executive buy-in. Although some Zero Trust initiatives may begin at the grassroots level, the entire organization's commitment is necessary for a successful Zero Trust journey.

Executive support will be needed to help push through the inevitable challenges you will face as you seek to implement a Zero Trust strategy across all facets of the organization.


Conclusion

Transitioning to Zero Trust requires planning and preparation to avoid weakening the security posture along the way.

To be successful in your journey and to “get on the ride,” here’s a summary of what you need:

  • Functioning IAM systems

  • Asset inventories (DAAS)

  • Monitoring/analytics in place, ideally coupled with clear incident response procedures

  • Security Policies

  • Security Awareness Training

  • Executive Sponsorship

None of these need to be perfect, so don’t wait for perfection to start. Get going on your Zero Trust journey today!


Webinar

“You must be this tall to enjoy the Zero Trust ride” webinar with Josh Woodruff, Founder and CEO of Massive Scale Consulting and Jason Garbis, Principal at Numberline Security. Josh and Jason discuss the fundamentals you need in place before starting your Zero Trust journey.

