July 5, 2023
It seems as if a day doesn’t go by in the tech world without another round of Zero Trust products or capabilities being announced by vendors. Many of AE’s clients are very familiar with Zero Trust concepts - especially if you’ve attended any of our Zero Trust talks! However, we frequently get asked “Given all the information that is out there about Zero Trust, how do we even get started with developing a Zero Trust strategy and what should we prioritize?” This blog will point out a few places to focus on when you’re evaluating your own Zero Trust strategy.
1. A Starting Point?
First, it’s important to align your own Zero Trust strategy with some sort of established framework or model. Don’t try to re-invent the wheel!
There are several publicly available Zero Trust models out there, the two most common being the Forrester and CISA Zero Trust Models:
2. Identity Maturity
A fundamental requirement of all Zero Trust models is that all access is attributed. It’s nearly impossible to apply least-privilege access if you can’t identify who or what is requesting access to a particular resource or application.
Most organizations have a fairly good grasp on identifying common enterprise users and their access to core business systems. Creating initial user access is (usually) easy. Tracking all of the different levels of access granted to an employee throughout their tenure at an organization is much harder for most of them. We tend to find many areas of over-privilege as employees change positions or roles, which makes Zero Trust difficult to fully adopt.
Consider focusing on and mapping out your organization’s overall identity program as one of the first steps towards Zero Trust. Even if you’re several years out from a fully automated “birthright to departure” Identity and Access Management program, getting this pillar wrong (or even fully ignoring it until a later stage) can lead to the weakening of your other Zero Trust capabilities.
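One concrete way to surface the role-change over-privilege described above, as an added Python example that is not part of this post: it compares the entitlements a user still holds against a constructed per-role baseline and attributes each excess entitlement to the earlier role that explains it. The role names, entitlement strings and employee history are all constructed.

```python
from dataclasses import dataclass

# Constructed baselines (hypothetical): the entitlements each role is expected to hold.
ROLE_BASELINES = {
    "helpdesk": {"ticketing:agent", "ad:password-reset"},
    "sysadmin": {"ticketing:agent", "ad:password-reset", "vsphere:admin", "backup:operator"},
    "finance-analyst": {"erp:reports", "ticketing:requester"},
}

@dataclass
class Employee:
    user: str
    role_history: list   # (effective_date, role) pairs, oldest first
    granted: set         # entitlements the IAM system / directory groups currently hold for the user

def privilege_creep(emp):
    """Map each entitlement the current role does not justify to the earlier role that explains it."""
    current = emp.role_history[-1][1]
    excess = emp.granted - ROLE_BASELINES[current]
    origin = {}
    for _, role in emp.role_history[:-1]:          # oldest role first, so the first grantor wins
        for ent in excess:
            if ent in ROLE_BASELINES[role]:
                origin.setdefault(ent, role)
    return {ent: origin.get(ent, "unexplained") for ent in sorted(excess)}

def sample_employee():
    """Constructed history: helpdesk -> sysadmin -> finance-analyst, with nothing ever removed."""
    return Employee(
        user="bob",
        role_history=[("2019-03-01", "helpdesk"), ("2020-06-01", "sysadmin"),
                      ("2023-01-15", "finance-analyst")],
        granted={"ticketing:agent", "ad:password-reset", "vsphere:admin", "backup:operator",
                 "erp:reports", "ticketing:requester", "sharepoint:site-owner"},
    )
```

Entitlements that map to an earlier role are candidates for removal at the next access review; the "unexplained" ones deserve a closer look, since no role in the history ever justified them.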
One last point on identity: You’ve likely heard us mention the phrase “Active Directory – kill it with fire” if you’ve attended any of our recent Zero Trust talks. It’s true that most organizations don’t have the ability to completely extricate Active Directory Domain Services (“AD DS”) from their environment. However, we believe that AD DS-based authentication is broken and “unpatchable”. At the very least, every organization should have a strategy for separating end-user authentication from critical infrastructure authentication if they want a chance of achieving Zero Trust.
3. Security is a Big Data problem.
It’s extremely difficult to make good security decisions without knowing what is occurring within your various enterprise environments. Zero Trust access decisions, regardless of whether they are application or network based, require more and more telemetry in order to apply true least-privilege principles.
Who is requesting access? Why are they requesting access? What piece of the application are they requesting access to? How are they requesting access - via the application itself? API? 3rd party? HR workflow sourced? When are they requesting access and for how long? Is access being requested from an insecure or compromised device? Is access being requested in a way that is unusual or suspicious? Or even more importantly, if our intent is to continuously verify that access should be granted, do we have the ability to continuously collect all of the same telemetry above throughout the full lifecycle of access for that particular application or user?
One of the first priorities an organization should focus on is determining a cost-effective mechanism for handling the extensive amount of telemetry and log data that Zero Trust architectures tend to produce. The last thing we want to do is make the decision to reduce (or even eliminate) potentially useful security telemetry because we didn’t plan out an effective way to store it.
Remember, “Whoever has the most data wins!”
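The questions above map directly onto inputs for an access decision. As an added example (not code from this post), the Python below evaluates each telemetry snapshot of a session against a constructed entitlement table, device posture, request channel, risk score and session lifetime, and re-runs that decision on every snapshot so a later posture change revokes access that was initially granted. All names, thresholds and sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Signal:
    """One telemetry snapshot for a request or an in-flight session (constructed fields)."""
    user: str
    resource: str
    action: str            # which piece of the application is being touched
    channel: str           # "app", "api", "third-party" or "hr-workflow"
    device_compliant: bool
    device_compromised: bool
    risk_score: int        # 0-100 from a hypothetical anomaly engine
    observed_at: datetime

# constructed entitlement table: user -> resource -> permitted actions
ENTITLEMENTS = {"alice": {"ledger": {"read-reports", "approve-payments"}}}
MAX_SESSION = timedelta(hours=8)

def decide(sig, session_started=None):
    """Return (allowed, reasons); every denial carries its reasons so they can be logged."""
    reasons = []
    if sig.action not in ENTITLEMENTS.get(sig.user, {}).get(sig.resource, set()):
        reasons.append("not entitled")
    if sig.device_compromised or not sig.device_compliant:
        reasons.append("device posture")
    if sig.risk_score >= 70:
        reasons.append("anomalous behaviour")
    if sig.action == "approve-payments" and sig.channel != "app":
        reasons.append("sensitive action outside the primary channel")
    if session_started and sig.observed_at - session_started > MAX_SESSION:
        reasons.append("session lifetime exceeded")
    return (not reasons, reasons)

def continuous_verify(signals):
    """Re-run the decision on every snapshot; revoke at the first one that fails."""
    start = signals[0].observed_at
    for sig in signals:
        allowed, reasons = decide(sig, session_started=start)
        if not allowed:
            return ("revoked", sig.observed_at, reasons)
    return ("active", signals[-1].observed_at, [])

def sample_session():
    """Constructed telemetry: three snapshots of one session, device flagged compromised at the third."""
    t0 = datetime(2023, 7, 5, 9, 0)
    common = dict(user="alice", resource="ledger", action="read-reports", channel="app",
                  device_compliant=True, risk_score=12)
    return [Signal(device_compromised=c, observed_at=t0 + timedelta(hours=h), **common)
            for h, c in ((0, False), (1, False), (2, True))]
```

The reasons list is the telemetry you want to keep: it is what lets you later explain why a session was cut short, which is exactly the data section 3 argues you must plan to store.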
4. Things to Avoid
If you’re looking to get the most out of your resource expenditure, there are a few things we’d recommend most organizations avoid stepping into at the beginning stage of your journey. Those include (but are not limited to):
Micro-segmentation – Fully deployed network micro-segmentation can be a powerful tool to contain lateral spread of malware and other hostile activity within the enterprise. However, it also requires a significant amount of investment in people, time, and money to deploy micro-segmentation into most existing enterprise networks. Consider focusing on broader level macro-segmentation first (especially a segmentation strategy that involves user separation from critical system assets as a first step).
Zero Trust as a product – Similar to DevOps, Zero Trust is a philosophy and set of methodologies, not a product you can just purchase. Yes, quite a few IT security products and vendors tout Zero Trust features. However, you should be focused on aligning Zero Trust capabilities to your overall strategy first and then figure out what product or products may be able to provide them. Don’t start with a product-centric strategy, as it can lead you down a pathway that may not be appropriate for how Zero Trust should be adapted to your specific organizational needs.
5. Zero Trust really is a journey (engage trope engines!)
Every organization has slightly different needs when it comes to cybersecurity. While it’s super tropey to keep using the “_____ is a journey” phrase, it’s extremely important for security leaders to understand that Zero Trust isn’t realized overnight.
We hope these steps provide you with enough information to at least get started on your Zero Trust adventure!