Building the New Zero Trust Enterprise
What Zero Trust Is
It was 2010 when John Kindervag, then an analyst with Forrester Research first wrote about the idea of a zero trust security framework in which the idea of a network edge or perimeter was no longer the front lines of the cyber battlefield for an organization.
Rather, that instead of an organization implicitly trusting anything inside its perimeter as being "friendly fire," nothing inside or outside the perimeter should be trusted and that both users and devices should be authenticated, authorized, and determined based on who, what, when, and even where a user or device is from and what it's trying to access should be scrutinized using IAM, orchestration, analytics, encryption, scoring, and filesystem permissions.
The concept of zero trust security effectively erases the castle approach to security architecture in that the "castle has left the moat" with data now being everywhere; no longer behind the defenses of a network perimeter but instead extends to mobile devices, cloud drives, cloud servers and that the threat to those assets are everywhere, everyone, and everything.
This approach to cybersecurity implements an inside-out mentality of protecting the organization's most critical assets where security is designed as "micro-perimeters" around the assets being protected and that the "bad guy" is not trying to be kept out of the perimeter, but is already inside.
Zero trust security is achieved through a litany of different security solutions with identity access management and micro-segmentation at the very heart.
Implementing Zero Trust in 5 steps
The implementation of zero trust in a pre-existing enterprise is a challenge but not impossible. Unfortunately, it isn't as simple as throwing money at the problem and implementing a stack of security solutions that gives you "zero trust." It does of course involve a healthy amount of budgeting, but it also involves a re-architecture of the network and understanding of "who needs access to and from what" and "what needs access from and to where."
Step 1: Create an asset catalogue that includes devices and applications, making sure to document data transmission paths (ports and protocols) that the applications talk over.
Step 2: Locate your data. What is it you are trying to protect? Where is it? Is it on a shared folder on a file server or on a NetApp server? Who needs access to it? Where are they going to access it from?
"You can't protect something when you don't know where that something is or what that something is."
Step 3: Implement micro-segmentation. Segment the network up into different virtual local area networks (VLANs), not just moving devices based on their role to their own unique subnet, but also implementing VLAN Access Control Lists (VACLs) between those subnets or default route them directly to a firewall responsible for internal core traffic filtering. Servers should be in their own VLAN, users should be in their own VLAN, VOIP equipment in its own VLAN, and so-on. An ALLOW-ALL rule should not be set between the VLANs. Time should be taken to ensure what users need access to and what ports/protocols applications and users need to be able to communicate with in order to work. Moving database servers to their own VLANs will also increase security by only allowing ports such as MSSQL (1433/1434) from the application servers and setting up an administration-only VLAN where administrators such as database administrators (DBAs) must first connect to in order to remote in to the server VLAN rather than allowing them direct access from their desktops.
Step 4: Implement IAM (Identity and Access Management) Solutions. No one should be trusted inside or outside the network. Eliminate forms of single-factor authentication inside and outside the AD environment, such as passwords by moving to multi-factor authentication using solutions such as Duo Security, Okta, or take it further with Yubico, StrongKey, or Trusona, which uniquely authenticates users by where they place their finger on the screen when pushing the authentication button and locks the user to a specific geographical location preventing man-in-the-middle (MITM) attacks. Also consider application security in zero trust environments of mobile devices and web apps by securing them with solutions such as Arxan.
Step 5: Protect the data where it's at. Implement role-based authentication to where the data is being stored using solutions such as Varonis to ensure that individual users are granted access to specific data based on their need to know as well as EDR (endpoint detection and response) solutions to detect and autonomously respond to those detected threats.
Other solutions can be implemented to monitor and manage this framework, including security orchestration (SOAR) solutions, SIEM, UTM, and more.
As usual, if you liked this article, please support me by clicking LIKE and share it to your own feed! This is the best possible way that you can support me and my continued research. If anyone has anything to add or comment on in this article, please feel free to share it with everyone below in the comments section! Learn more about me at my homepage at www.alissaknight.com, LinkedIn, watch my VLOGs on my YouTube channel, listen to my weekly podcast episodes, or follow me on Twitter @alissaknight.
I am a senior analyst with Aite Group where I perform focused research into cybersecurity issues impacting the financial services, healthcare, and fintech industries through the assessment of sector trends, creation of segment taxonomies, market sizing, preparation of forecasts, and developing industry models. I provide these industries a combination of syndicated and bespoke market research, competitive intelligence, and consulting services in the cybersecurity market through unbiased, objective and accurate research and content development. Out of my research into the contemporary cybersecurity issues affecting these industries today, I produce research reports and white papers, as well as provide advisory services that include inquiries, briefings, consulting projects, and presentations on study findings as well as bespoke speaking engagements where I often keynote at cybersecurity conferences, seminars, and roundtables annually.