In this blog, we follow up on Gartner’s research note, “What Are Practical Projects for Implementing Zero Trust?”
The Zero Trust network architecture model has been around for over a decade and represents a revolution, or paradigm shift, for securing access to resources and reducing the attack surface. Still, it is only in the last couple of years that it became the buzzword “du jour” that it is today and began to go mainstream. The concept may have started in the Open Group forums and was later defined in 2010 as “Zero Trust” by John Kindervag and Forrester. In short, they understood that the old Russian proverb of “trust but verify” wasn’t a practical approach to perimeter security at a time when the consumerization of IT, BYOD, cloud computing, IoT/OT, and other IT megatrends were taking hold. With the hyper-fragmentation of the traditional enterprise network’s perimeter and the emergence of new advanced and persistent threats, the new mantra was born: “trust nothing, verify everything.” The rest is history still in the making.
It’s 2021, and amid a global pandemic driving accelerated digital transformation across multiple industries, both the public and private sectors have moved to the strategy phase and assigned a budget to initiate the transition to a Zero Trust network architecture. The time to act and build an intelligent network is now, but the undertaking may seem daunting at first. The good news is that it doesn’t have to be, thanks to current technologies. Zero Trust doesn’t have an on/off switch, it is not a product, and it is not necessarily a rip-and-replace undertaking. It is an approach to network security that is very well suited for brownfield deployments, with the right mix of integrated tools.
An Adaptive Trust solution combines identity (user, app, device), behavior, context, and other attributes to allow just-in-time least-privilege access to enterprise resources (users, apps, devices). Combined with an AI-enabled software-defined perimeter, organizations may be in an excellent position to, over time, decommission legacy technology developed with the old trust model in mind. Some VLANs will become unnecessary, and user VPNs will become an obsolete security control.
There is an essential pre-requisite to keep in mind. First of all, the C-Suite and the entire IT organization (and OT in some industries) must adopt a Zero Trust security mindset and buy into the new trust model. The starting point should be when there is a shared vision for the future of the entire organization’s security posture and a clear understanding of the short-term and long-term benefits of starting the transition. An organization that does not understand the rationale for moving towards Zero Trust is not yet ready. Security teams, network teams, development teams, operational technology teams, and supply chain vendors will need to work together for the strategy to be successful. The C-Suite is critical to achieving this shared vision and inspiring the team to take the first steps, with the CISO acting as the overall champion managing change and operational risks. Begin a Zero Trust project when all stakeholders understand that:
The second and critical pre-requisite is to formulate the Zero Trust strategy that is right for the organization. Every organization, industry, and use case is different, and therefore there is no single strategy. All plans must have a systematic approach to replace implicit trust with adaptive trust.
In recent research notes published by Gartner, “What Are Practical Projects to Implement Zero Trust?” Neil MacDonald and John Watts propose that most strategies start with network-related projects. These Zero Trust networking initiatives can be broken into two major areas:
To get started with these initiatives, achieving complete visibility into network communication flows at the application layer is ideal (you can’t control what you cannot see). But above all, an identity foundation and adaptive security controls must be in place. An excellent place to start piloting projects is with your remote workforce’s access, by providing secure access anywhere.
Gartner proposes that security and risk management leaders prioritize the following initiatives (note: you can find these bullet points in the Gartner research notes):
After these two foundational initiatives are in place, the focus can shift to these two projects:
Gartner recommends: “ZTNA reduces excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties. Start with a pilot of a ZTNA product. Plan rollouts to the organization by prioritizing contractor and third-party access. Then conduct a proof of concept (POC) to test applications with the ZTNA product, and use observation mode to learn patterns of access by user and role to build policies from there.”
What to do, specifically?
Gartner recommends: “Identity-based segmentation reduces excessive implicit trust by allowing organizations to move individual workloads to a default-deny model for communication, rather than an implicit-allow model. Implement network segmentation to reduce excessive trust zones, starting with high-level segmentation of campus and server networks. Like ZTNA, observation mode will be necessary to learn the patterns of communications by workloads and applications in order to build policies. Then, evaluate machine identity management techniques such as SPIFFE, OpenID Connect, and SAML across workloads to support granular segmentation. When starting an identity-based strategy, start with a small collection of critical assets to build initial implementations and expand from there.”
What to do, specifically?
Elisity is the right partner for organizations ready to take the first steps in the Zero Trust journey. At this crucial time when the “now normal” flipped the proportion of remote workers vs. on-prem workers, piloting our Secure Access Anywhere solution can be the ideal first step. A crawl, walk, run strategy to implement Zero Trust across an entire organization, and its supply chain, can start with these remote workers and third-party supply-chain vendors. Elisity provides the missing link between visibility and enforcement to enable adaptive trust. With Elisity Cognitive Trust, organizations of all sizes gain more intelligent control over access to all their technology assets:
It is always better to show than tell: request a personalized demo today to see if the security mesh developed by Elisity is the right fit for your Zero Trust strategy.