Rethinking Network Security: Three Steps to Zero Trust

Based on the concept of the “least-privilege principle,” ZT has mass appeal, but putting its concepts into practice isn’t always easy.

September 3, 2022

With hybrid work exploding the number of devices, multi-cloud applications, and network access points, a new approach is needed to operationalize a smart Zero Trust strategy, writes Trevor Parks, director of security solutions at Masergy.

Zero Trust (ZT) is one of today’s most critical security protection strategies, but it can also be challenging to implement. Why? Partly because it’s a paradigm shift from how resource access has been approached in recent years, but also because it requires action across every security domain. A recent Nemertes Research paper on implementing ZT suggests three steps for applying its concepts across your entire IT environment.

Why Zero Trust is Challenging to Deploy

Based on the concept of the “least-privilege principle,” ZT has mass appeal, but putting its concepts into practice isn’t always easy. One basic issue is the lack of any “Zero Trust in a box” product on the market today. Companies looking to roll out ZT must operationalize it by pulling together multiple components and a wide range of point solutions, many of which overlap. In the end, it’s typically a mixed bag of old, refreshed, and new. In practical terms, some existing security tools will become part of a new ZT architecture, others will be replaced, and new solutions will also need to be added.

Another reason it’s tough is the mental shift required. Nemertes summarizes this well, noting that “most organizations are used to thinking about what application access a user profile should have, but not what any given network node should be able to see or talk to.” Let’s take a closer look at the steps to implement ZT effectively.

Step 1: Build Your Zero Trust Architecture with NIST

To bring ZT’s model to life, it must become architecture. The first step towards operationalization is to start thinking clearly about what that framework will look like for your company. In years past, companies have taken many different paths to arrive at an architecture, leaning on the guidance of various industry authorities, but we’re starting to see hints of standardization—revealing exactly which framework might now be taking the lead.

Seconding advice from the Federal Government, Nemertes designates the National Institute of Standards and Technology (NIST) standards as the “now definitive” ZT architecture. This is in response to the push to have federal agencies implement ZT architectures by September 2024.

NIST finalized its Zero Trust architecture in 2021, and this is a smart starting point for mapping out your architecture. At a high level, NIST specifies the tools that need to be in place for every interaction, recommending:

  • A policy engine, which defines and stores access policies
  • One or more policy decision points, which determine whether a given interaction is allowed, per the policies defined in the policy engine
  • One or more policy enforcement points, which execute the decisions made by the policy decision points
  • One or more behavioral monitoring tools, which provide information about current behavior in the environment and feed it back to the policy engine

Furthermore, it recommends having an identity and access management (IAM) system in place to establish a consistent means of verifying the identity of any entity trying to get into the environment. IAM can also re-verify the identities of entities once they are in the environment. This is important because a user or device can reveal itself to be untrustworthy after it has gained access to a digital resource.

Nemertes helps you “eat the elephant” in bite-size chunks, simplifying ZT by addressing each security domain individually: infrastructure, applications, data, and devices. From there, you can develop and implement ZT architectures that intersect and overlap:

  • For both physical and virtual infrastructure, starting with the network
  • In systems and applications
  • For enterprise data that lives in all such systems
  • For devices trying to gain access

But you also need the right tools to do all of this. 


Step 2: Re-Architect Your Network and Security

Making a move to ZT means rearchitecting your networks, as well as your security solutions, policies, and practices. Since there is no “silver bullet” here (no fully integrated suite of ZT products or services), you should focus on automation, orchestration, and centralization of policy and logging as key enablers.

Rearchitecting also involves revamping network access controls. This affects not only initial admission to the network but also ongoing access to different network nodes. The new security architecture for the network does not have a “flat” access model. The user’s access is restricted to the specific purpose of the visit and then rechecked, which requires behavioral threat analytics as the user continues to access information on the network.
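As an added illustration (this is not code from the article, Nemertes, or NIST), the following Python simulation wires together the four NIST roles listed under Step 1 (policy engine, policy decision point, policy enforcement point, behavioral monitor) and shows the post-admission re-check described above: a subject admitted by IAM is allowed at first, then denied the same resource once monitoring feedback lowers its trust. All names, the subjects, resources, and the 0–100 trust scale are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    resource: str
    allowed_roles: set
    min_trust: int  # constructed 0..100 behavioral trust score required for access

@dataclass
class PolicyEngine:
    """Defines and stores access policies and the monitor's latest feedback per subject."""
    policies: dict = field(default_factory=dict)
    trust: dict = field(default_factory=dict)  # subject -> current trust score

    def feedback(self, subject, delta):
        """Behavioral monitoring feeds observations back into the engine."""
        current = self.trust.get(subject, 100)  # 100: just verified by IAM at admission
        self.trust[subject] = max(0, min(100, current + delta))

def decide(engine, subject, role, resource):
    """Policy decision point: allow only if role AND current trust satisfy the policy."""
    policy = engine.policies.get(resource)
    if policy is None:
        return False  # default deny: a resource with no policy is never reachable
    return role in policy.allowed_roles and engine.trust.get(subject, 100) >= policy.min_trust

def enforce(engine, subject, role, resource, action):
    """Policy enforcement point: re-asks the PDP on every interaction, never caches a verdict."""
    verdict = "ALLOW" if decide(engine, subject, role, resource) else "DENY"
    return f"{verdict} {subject} {action} {resource}"

def demo():
    """Constructed scenario: admitted subject is re-checked after anomalous behavior."""
    engine = PolicyEngine()
    engine.policies["payroll-db"] = Policy("payroll-db", {"hr"}, min_trust=70)
    engine.policies["wiki"] = Policy("wiki", {"hr", "eng"}, min_trust=30)
    log = [
        enforce(engine, "alice", "hr", "payroll-db", "read"),  # admitted, policy met: allowed
        enforce(engine, "alice", "hr", "crm", "read"),         # no policy for crm: denied
    ]
    engine.feedback("alice", -40)  # constructed monitor signal: anomalous behavior observed
    log.append(enforce(engine, "alice", "hr", "payroll-db", "read"))  # rechecked: now denied
    log.append(enforce(engine, "alice", "hr", "wiki", "read"))        # low-risk resource still ok
    return log

if __name__ == "__main__":
    print("\n".join(demo()))
```

The point to notice is that the enforcement point never reuses an earlier verdict; each request goes back to the decision point with the monitor's latest feedback applied.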

Rearchitecting must cover secure access to cloud resources. As a result, a good practice is to deploy a cloud access security broker (CASB), as well as firewalls and access gateways. Access to on-premises resources should similarly be revisited, such as by implementing a software-defined perimeter (SDP) or micro-segmenting the network. Firewalls and access gateways will also play a role in adding ZT to on-premises assets.

With this list of critical capabilities, 98% of IT leaders are turning to SASE (Secure Access Service Edge) solutions to converge networking and security, according to a recent report. SASE technology converges SD-WAN, firewalls, CASB, secure edge gateway, and Zero Trust Network Access (ZTNA) technologies into one cloud-based platform. In fact, SASE is growing as a key part of cybersecurity strategy, according to research from the analysts at Futuriom. When asked if SASE technology will grow as part of an organization’s strategy to implement a more agile, pervasive cybersecurity strategy, 85% of respondents said “Yes.”

Securing endpoints is a further element of the re-architecting process. This may involve endpoint protection or endpoint detection and response (EDR) and extended detection and response (XDR) solutions to monitor endpoints and other areas of the IT estate for suspicious activities. For application access, the ZT rearchitecting means using identity-based security. In some cases, it may make sense to manage access inside the application itself—in keeping with the limited privilege policies of ZT.

Step 3: Operationalize with these Starting Places

After the re-architecting exercise, it’s time to get started. But where do you begin? Nemertes is quick to point out that ZTNA and CASB offer a high-reward starting line due to the popularity of remote and hybrid work. Most enterprises begin implementation by controlling access to on-premises resources and enforcing fine-grained control of access to cloud services and on-premises apps too.

Others start by addressing staffing needs, as ZT often requires hiring some new people or “upskilling” existing staff. ZT is different from traditional security models, affecting many different products. Hiring and training add time and expense to the ZT initiative. For these reasons, it may make sense to do a careful assessment of doing ZT in-house or outsourcing at least part of it to a managed security services provider (MSSP). With a partner to handle the day-to-day operational work of ZT, enterprise staff are free to focus on architecture and policy. For organizations that do not yet have a security operations center (SOC), the benefits of an MSSP are even greater. A SOC-as-a-Service can fill your skills gap.

Some may start with technology. Whether you work with an MSSP or not, you still must evaluate what to add or change in your current environment to achieve ZT architecture goals. Organizations taking this route start by applying policies to the more familiar, existing tools that will stay, then move to the technologies that get refreshed, and finally to the ones that need to be replaced. An MSSP also can advise you on these decisions and planning processes.

In the end, putting Zero Trust architecture in place is critical for modern security in an explosive hybrid work world. Getting started on your roadmap doesn’t need to be an uphill climb. All obstacles can be overcome with sufficient knowledge and planning.


Trevor Parks

Director of security solutions, Masergy

Trevor brings over 20 years of cyber security experience to Masergy with a diverse background managing security operation centers, developing Masergy’s Unified Enterprise Security services platform, and architecting customer security solutions. In addition to receiving numerous commendations while serving in the U.S. Air Force, he is a well-accredited industry subject matter expert helping organizations address the challenge of securing today’s hybrid networks. Trevor regularly speaks at industry events and authors articles about evolving security threats and best practices. In his spare time, he rides mountain bikes, attends obstacle course races with his family, and competes on American Ninja Warrior.