How to Begin Your Zero Trust Journey
by Matias Comella on Apr 7, 2021 7:45:52 PM
Zero Trust is a journey, not a destination. It may sound cliché, but that statement addresses the common misconception about Zero Trust and aligns expectations. To learn about what Zero Trust is and why it is relevant to your organization, we strongly recommend reading our recent blog, “Understanding the 2021 NSA Zero Trust Guide”. Today’s blog focuses on when, where, and how to transition to a Zero Trust model.
In this blog, we follow up on Gartner’s research note, “What Are Practical Projects for Implementing Zero Trust?”
Trust nothing, verify everything
The Zero Trust network architecture model has been around for over a decade and represents a revolution, or paradigm shift, in securing access to resources and reducing the attack surface. Still, it is only in the last couple of years that it became the buzzword “du jour” it is today and began to go mainstream. The concept may have started in the Open Group forums and was later defined in 2010 as “Zero Trust” by John Kindervag and Forrester. In short, they understood that the old Russian proverb “trust but verify” was no longer a practical approach to perimeter security at a time when the consumerization of IT, BYOD, cloud computing, IoT/OT, and other IT megatrends were taking hold. With the hyper-fragmentation of the traditional enterprise network perimeter and the emergence of new advanced persistent threats, the new mantra was born: “trust nothing, verify everything.” The rest is history still in the making.
It’s 2021, and amid a global pandemic driving accelerated digital transformation across multiple industries, both the public and private sectors have moved to the strategy phase and assigned a budget to initiate the transition to a Zero Trust network architecture. The time to act and build an intelligent network is now, but the undertaking may seem daunting at first. The good news is that it doesn’t have to be, thanks to current technologies. Zero Trust doesn’t have an on/off switch, it is not a product, and it is not necessarily a rip-and-replace undertaking. It is an approach to network security that is very well suited for brownfield deployments, with the right mix of integrated tools.
An Adaptive Trust solution combines identity (user, app, device), behavior, context, and other attributes to allow just-in-time, least-privilege access to enterprise resources (users, apps, devices). Combined with an AI-enabled software-defined perimeter, organizations may be in an excellent position to decommission, over time, legacy technology developed with the old trust model in mind. Some VLANs become unnecessary, and user VPNs become an obsolete security control.
When is the right time to start the Zero Trust journey?
There is an essential prerequisite to keep in mind. First of all, the C-Suite and the entire IT organization (and OT in some industries) must adopt a Zero Trust security mindset and buy into the new trust model. The starting point should be when there is a shared vision for the future of the entire organization’s security posture and a clear understanding of the short-term and long-term benefits of starting the transition. An organization that does not understand the rationale for moving towards Zero Trust is not yet ready. Security teams, network teams, development teams, operational technology teams, and supply chain vendors will need to work together for the strategy to be successful. The C-Suite is critical to achieving this shared vision and inspiring the team to take the first steps, with the CISO acting as the overall champion managing change and operational risks. Begin a Zero Trust project when all stakeholders understand that:
- Zero Trust is a journey, a mindset, supported by a mix of integrated technologies
- The transition does not hamper productivity and business operations when implementing the right tools
- The zero-sum game between security controls and network performance no longer exists under this new paradigm, and everyone wins
The second and critical prerequisite is to formulate the Zero Trust strategy that is right for the organization. Every organization, industry, and use case is different, and therefore there is no single strategy. All plans must have a systematic approach to replacing implicit trust with adaptive trust.
Where to start the Zero Trust journey?
In the recent research note published by Gartner, “What Are Practical Projects to Implement Zero Trust?”, Neil MacDonald and John Watts propose that most strategies start with network-related projects. These Zero Trust networking initiatives can be broken into two major areas:
- Front-end network access focused on user-to-application segmentation (Zero Trust Network Access, ZTNA)
- Back-end network access focused on workload-to-workload segmentation (identity-based segmentation)
To get started with these initiatives, achieving complete visibility in network communications flows at the application layer is ideal (you can’t control what you cannot see). But above all, an identity foundation and adaptive security controls must be in place. An excellent place to start piloting projects is with your remote workforce’s access by providing secure access anywhere.
How to start the Zero Trust journey?
Gartner proposes that security and risk management leaders prioritize the following initiatives (note: you can find these bullet points in the Gartner research notes):
- Documenting all existing identity federations in use
- Identifying the source of truth for user identities, including the process for third-party ones
- Identifying where stronger authentication is required and defining new policies
- Standardizing how to identify whether a device is managed or unmanaged
- Defining how machine and application identities are established
- Architecting for managing machine identities at scale for container and Kubernetes environments
Adaptive Access Controls
- Requiring stronger authentication for all remote access and SaaS application access
- Making context-based access mandatory for all SaaS applications (e.g., cloud SSO or CASB)
- Integrating device security posture assessment into access control decisions
- Integrating with federated identity systems to control access on-premises and in the cloud
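The adaptive access control bullets above translate naturally into a default-deny policy evaluator that combines authentication strength, device management state, device posture, and access context. The following is an added illustration, not code from the Gartner note or from Elisity; the three rules it encodes (stronger authentication for remote and SaaS access, posture feeding the decision, unmanaged devices limited to SaaS apps behind cloud SSO) are an assumed sample policy.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One access decision input; every field is a constructed sample attribute."""
    user: str
    auth_method: str      # "password" or "mfa" (assumed values from the IdP)
    device_managed: bool  # from the device inventory / MDM (assumed source)
    posture_ok: bool      # result of a posture assessment, e.g. disk encryption, patch level
    app: str
    app_is_saas: bool     # SaaS app fronted by cloud SSO / CASB vs. internal app
    remote: bool          # request originates outside the campus network


def decide(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", reasons). Any failed rule denies; there is no implicit allow."""
    reasons: List[str] = []
    # Rule 1: remote access and SaaS access require stronger authentication.
    if (req.remote or req.app_is_saas) and req.auth_method != "mfa":
        reasons.append("stronger authentication required for remote/SaaS access")
    # Rule 2: device posture is part of the decision, not a separate report.
    if req.device_managed and not req.posture_ok:
        reasons.append("managed device failed posture assessment")
    # Rule 3 (assumed policy): unmanaged devices only reach SaaS apps behind cloud SSO.
    if not req.device_managed and not req.app_is_saas:
        reasons.append("unmanaged device may not reach internal applications")
    return ("deny", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    samples = [
        AccessRequest("alice", "mfa", True, True, "payroll", False, True),
        AccessRequest("bob", "password", True, True, "payroll", False, True),
        AccessRequest("carol", "mfa", False, False, "crm-saas", True, True),
        AccessRequest("dave", "mfa", False, False, "payroll", False, False),
    ]
    for s in samples:
        verdict, why = decide(s)
        print(f"{s.user:6} {s.app:9} -> {verdict} {why}")
```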
After these two foundational initiatives are in place, the focus can shift to these two projects:
User-to-Application Segmentation (ZTNA)
Gartner recommends: “ZTNA reduces excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties. Start with a pilot of a ZTNA product. Plan rollouts to the organization by prioritizing contractor and third-party access. Then conduct a proof of concept (POC) to test applications with the ZTNA product, and use observation mode to learn patterns of access by user and role to build policies from there.”
What to do, specifically?
- Inventory all instances of VPN that allow access to the network. Replace these over time
- Identify applications and servers in the DMZ with named sets of users. Replace these over time
- Make unmanaged device access a mandatory part of the ZTNA architecture
- Test ZTNA solutions for legacy application compatibility
- Define policies for combining user attributes and services to enforce who has access to what
- Determine if an on-premises policy management and policy controller is needed
Workload-to-Workload Segmentation (Identity-Based Segmentation)
Gartner recommends: “Identity-based segmentation reduces excessive implicit trust by allowing organizations to move individual workloads to a default-deny model for communication, rather than an implicit-allow model. Implement network segmentation to reduce excessive trust zones, starting with high-level segmentation of campus and server networks. Like ZTNA, observation mode will be necessary to learn the patterns of communications by workloads and applications in order to build policies. Then, evaluate machine identity management techniques such as SPIFFE, OpenID Connect, and SAML across workloads to support granular segmentation. When starting an identity-based strategy, start with a small collection of critical assets to build initial implementations and expand from there.”
What to do, specifically?
- Develop a strategy to address heterogeneous workloads spanning on-premises, hybrid, virtual, and container environments
- Identify workloads that require segmentation using means other than agents, such as network-based or API-based orchestration
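The quoted recommendation above describes observation mode feeding a default-deny, identity-keyed allowlist. The following added example (not code from Gartner or Elisity) shows that loop on constructed flow records: the identities are assumed SPIFFE IDs presented by each workload, the policy is keyed by identity rather than IP address, and anything not learned during observation is denied at enforcement time.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed observation-mode records: (src_ip, src_identity, dst_ip, dst_identity, dst_port).
# SPIFFE IDs are used as the machine identity each workload presents (assumed naming).
WEB, API, DB = ("spiffe://example.org/web", "spiffe://example.org/api", "spiffe://example.org/db")
OBSERVED_FLOWS = [
    ("10.0.1.5", WEB, "10.0.2.9", API, 8443),
    ("10.0.1.5", WEB, "10.0.2.9", API, 8443),   # repeat flows collapse into one rule
    ("10.0.2.9", API, "10.0.3.4", DB, 5432),
]

Policy = Dict[Tuple[str, str], Set[int]]


def learn_policy(flows) -> Policy:
    """Observation mode: collapse seen flows into an allowlist keyed by (src, dst) identity."""
    policy: Policy = defaultdict(set)
    for _src_ip, src_id, _dst_ip, dst_id, port in flows:
        policy[(src_id, dst_id)].add(port)   # addresses are deliberately not part of the key
    return dict(policy)


def is_allowed(policy: Policy, src_id: str, dst_id: str, port: int) -> bool:
    """Enforcement: default deny; only tuples learned in observation mode pass."""
    return port in policy.get((src_id, dst_id), set())


def enforce(policy: Policy, flows) -> List[Tuple[str, str, int, str]]:
    """Apply the policy to new flows; returns (src_id, dst_id, port, verdict) per flow."""
    return [(s, d, p, "allow" if is_allowed(policy, s, d, p) else "deny")
            for _, s, _, d, p in flows]


if __name__ == "__main__":
    pol = learn_policy(OBSERVED_FLOWS)
    new_flows = [
        ("10.0.1.77", WEB, "10.0.2.9", API, 8443),  # web moved to a new IP: identity still matches
        ("10.0.1.77", WEB, "10.0.3.4", DB, 5432),   # web talking straight to db: never observed
        ("10.0.3.4", DB, "10.0.2.9", API, 8443),    # reverse direction: never observed
        ("10.0.1.77", WEB, "10.0.2.9", API, 22),    # learned pair, unlearned port
    ]
    for s, d, p, verdict in enforce(pol, new_flows):
        print(f"{s} -> {d}:{p} {verdict}")
```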
Partnering for Success
Elisity is the right partner for organizations ready to take the first steps in the Zero Trust journey. At this crucial time when the “now normal” flipped the proportion of remote workers vs. on-prem workers, piloting Cognitive Trust for Workforce Anywhere can be the ideal first step. A crawl, walk, run strategy to implement Zero Trust across an entire organization, and its supply chain, can start with these remote workers and third-party supply-chain vendors. Elisity provides the missing link between visibility and enforcement to enable adaptive trust. With Elisity Cognitive Trust, organizations of all sizes gain more intelligent control over access to all their technology assets:
- Quickly deploy a network-based and API-driven solution for on-premises, cloud, and hybrid environments
- Integrate seamlessly with federated identity systems
- Go into observation mode of all network communications via a single pane of glass
- Phase out obsolete VPNs to avoid chokepoints that hamper network performance
- Control contractor and third-party access as well as managed vs. unmanaged devices
- Implement user-to-app nano-segmentation
It is always better to show than tell: request a personalized demo today to see if the security mesh developed by Elisity is the right fit for your Zero Trust strategy.