Far from being an out-of-the-box solution for all cybersecurity needs, zero-trust security can be better understood as a philosophy or a mindset that underpins security processes and workflows.
Traditionally, approaches to security focus on the perimeter. Once inside the walls, cybercriminals typically find a soft center that they can exploit by moving around the enterprise, infecting system after system. Under a zero-trust framework, security systems assume that no device or user is trustworthy until they can prove that they are. Thus, hackers getting past one security barrier would find themselves blocked from causing further damage.
“Zero trust is a comprehensive and flexible trust model that eliminates the principle of implicit trust from inside and outside your network perimeter,” said Ashley Leonard, CEO of Syxsense. “It includes principles such as assume a breach has occurred and never trust a device or user.”
Here are five tips for organizations on implementing zero-trust security.
- Know your endpoints and permissions
- Adopt policy-based controls
- Adopt multi-factor authentication
- Take time selecting a vendor
- Play the long game
Know your endpoints and permissions
A key point of zero trust is preventing devices and users from automatically being granted access to the network and all applications just because they provide a password. After all, password and credential theft is rampant. Therefore, it makes sense to have a firm grip on all endpoints operating anywhere across the network.
A lack of visibility of all assets and workflows leaves weak points in the attack surface. This provides opportunities for attackers to move laterally through the network and access valuable resources. Only with all devices and users accurately known, accounted for and verified can a comprehensive list of permissions be compiled and authorized.
Security teams can then know what’s operating in their environments and can continuously monitor and verify trust asset by asset. Quick detection of noncompliance allows for swift isolation and remediation, limiting the window of opportunity for a breach.
“Zero trust reduces the blast radius of a breach and restricts the ability of hackers to get in,” said Howard Holton, chief technology officer at GigaOM.
Adopt policy-based controls
Zero-trust implementation’s success depends upon the presence of automated, policy-based controls to take care of detection, remediation and trust approvals. Automation enables bulk assignments of minimum levels of access to organizational resources — for example — giving all employees access to the corporate intranet and all salespeople access to CRM and sales systems. Policy controls also simplify the removal of noncompliant devices from network access.
Adopt multi-factor authentication
Zero trust fits in well with ongoing MFA initiatives. MFA is one way to ensure that credentials are continuously verified and that access is restricted to only those systems the user needs and no more.
“Zero trust helps ensure that all systems are secure by enhancing identity and access management,” said Angel Taylor, IT operations manager for the Georgia Office of the State Treasurer. “But be prepared for resistance when you try to implement MFA,” she added.
Her advice is to use security awareness training in parallel with zero trust and MFA rollouts to help users understand the need for heightened security. Taylor also recommends IT managers take the time to talk to users, explaining why access changes are being made.
Take time selecting a vendor
Mahmood Ulhaq, chief information security officer at B2B wealth management firm MyVest, calls zero trust his biggest ongoing strategic initiative. He warns organizations to avoid vendors who claim to have end-to-end zero-trust solutions. He said he believes that it takes multiple vendors who really understand your environment and are willing to collaborate to help implement the zero-trust vision.
“Take your time in finding the right suppliers that can help you execute zero trust,” said Ulhaq.
Play the long game
Those determined to implement zero-trust security should heed the five tips above and get ready to play the long game. Zero trust won’t happen quickly. Some parts of the enterprise are likely to implement zero trust much faster than others. And as IT evolves, zero trust will likely have to be incorporated into whatever new technologies and systems are adopted.