If you ask most security professionals to define zero trust, you’ll get an eye roll and an exasperated sigh. To many, it’s been little more than a marketing exercise—and let’s be honest: a lot of what we’ve seen and heard about zero trust over the past decade has been more fluff than substance. The term has been so loosely defined that countless cybersecurity vendors have, at one point or another, claimed to offer some sort of zero trust solution.
It’s easy to see why it has such a bad rep.
Today, though, zero trust has become more tangible. Thanks to NIST SP 800-207 and other concrete documentation and reference architectures, zero trust has been given shape and meaning. And just as importantly, technology has started to catch up with the vision. A pure zero trust architecture may still be out of reach for all but the largest, most well-funded organizations, but that doesn’t mean we can’t all take steps in that direction.
The most important step in any journey is the first one, and moving toward zero trust is no different. The first step toward zero trust is planning where you want your journey to end up. The best way to think about that end state is within the context of making access control as granular as possible. That’s really the heart of zero trust: per 800-207, the goal of any zero trust program should be “to prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.”
To that end, we’re going to look at two critical areas of network connectivity: server-to-server connections and user resource access. We’re also going to briefly look at setting up a zero trust pilot program to help overcome the “boiling the ocean” feeling that may come when taking on a project this broad in scope.
Server to Server Security
To say that today’s enterprise networks are complex is to stretch the limits of the word “understatement.” Multiple cloud instances run alongside on-premises network hardware comprising devices from a wide range of vendors, all governed by millions of complex policies.
In this environment, excessive access is the standard for policy creation, especially for firewall rules. Nobody wants to be the person who sank a project launch or upgrade by accidentally blocking access to a critical service. The obvious problem is that a network full of overly broad access is as far from zero trust as possible.
So how do we tackle this? The first step is to continually monitor your environment for any rules granting excessive access (any-to-any sources or destinations, wide address ranges, open port ranges) and to set up guardrails so that new rules can’t be created that broad in the first place.
Along with that, obviously, ensure you’re monitoring logs so you can pick out any aberrant behavior, including conducting TFA log analysis to monitor access privileges.
The end goal is to restrict access as much as possible without interrupting business or slowing down the speed of operations.
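As an added illustration of the guardrail described above (this is example code, not from the article or any vendor), the following Python audit flags overly broad rules in a constructed rule set. The rule format and the breadth thresholds are assumptions for illustration; a real deployment would read rules from the firewall’s export and tune the limits to its own server groups.

```python
"""Flag firewall rules broader than a zero-trust policy should allow.
Added example; rule format and thresholds are assumptions."""
import ipaddress

# Guardrail thresholds (assumed): anything wider trips a finding.
MAX_SRC_HOSTS = 256   # a /24 of sources is the widest we accept
MAX_DST_HOSTS = 16    # destinations should be a small server group
MAX_PORT_SPAN = 10    # no sprawling port ranges

def _hosts(cidr):
    """Number of addresses a CIDR covers; 'any' is the whole v4 space."""
    net = "0.0.0.0/0" if cidr == "any" else cidr
    return ipaddress.ip_network(net, strict=False).num_addresses

def check_rule(rule):
    """Return a list of findings explaining why a rule is too broad."""
    findings = []
    if _hosts(rule["src"]) > MAX_SRC_HOSTS:
        findings.append(f"source {rule['src']} wider than /24")
    if _hosts(rule["dst"]) > MAX_DST_HOSTS:
        findings.append(f"destination {rule['dst']} wider than a small group")
    if rule["proto"] == "any":
        findings.append("protocol any")
    ports = rule["ports"]
    if ports == "any":
        findings.append("all ports")
    else:
        lo, _, hi = ports.partition("-")   # "5432" or "8000-9000"
        if hi and int(hi) - int(lo) + 1 > MAX_PORT_SPAN:
            findings.append(f"port range {ports} spans more than {MAX_PORT_SPAN}")
    return findings

def audit(rules):
    """Map each rule name to its findings; an empty list means it passes."""
    return {r["name"]: check_rule(r) for r in rules}

# Constructed sample rule set (not real infrastructure).
RULES = [
    {"name": "db-from-app", "src": "10.1.2.0/28", "dst": "10.1.3.10/32",
     "proto": "tcp", "ports": "5432"},
    {"name": "legacy-allow-all", "src": "any", "dst": "10.0.0.0/8",
     "proto": "any", "ports": "any"},
    {"name": "mgmt-range", "src": "10.9.0.0/16", "dst": "10.1.3.0/29",
     "proto": "tcp", "ports": "8000-9000"},
]

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it as a pre-commit or change-ticket check so a rule like legacy-allow-all is rejected before it reaches the firewall, and on a schedule against the live rule base to catch drift.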
User Resource Access
Your employees, customers, and other users are no longer in any single location—and let’s be honest, they haven’t been for quite some time; the pandemic just accelerated the rate of change. The reality today is that a significant portion—in many cases, the majority—of access requests to your critical infrastructure are coming from untrusted networks. Home networks, coffee shops, vacation homes… the perimeter is everywhere and growing. Personal devices are increasingly being used for business operations as well, opening a host of new potential attack vectors and vulnerabilities.
The first step to solving this issue is to adopt a federated access program. Having a consistent set of policies, practices, and protocols in place regardless of what resource is being accessed, or where the access request is coming from is a key step toward zero trust.
These must be implemented intelligently, and with input across the operation—a poorly-implemented access program can both be ineffective at achieving its goals while also resulting in lost productivity as employees struggle to fit existing workflows into new systems.
However, a properly implemented federated access management program can streamline access while tightening security. And when combined with multi-factor authentication (MFA), it goes a long way toward eliminating unauthorized access and increasing the granularity of access control.
Another effective way to secure user access to enterprise resources is by utilizing the SASE capabilities that many organizations already have built into their existing firewalls. Obviously, setting up a SASE from the ground up can be a costly, complex endeavor. However, there are ways to set up the basics without too much effort, as we’ll discuss below.
Zero Trust Pilot Program
Zero trust can appear to be an impossible dream, particularly for those organizations who would benefit the most. Large organizations have thousands of users and servers, and a loss of productivity, even momentary, can bring incredible financial losses.
Further, very few security and IT professionals have experience with many, let alone all, zero trust technologies and workflows. If new systems and workflows aren’t set up properly or otherwise negatively impact productivity, there’s a risk of a ripple effect: not only will there be immediate repercussions, but dev teams may also go around security in the future, seeing it as a roadblock.
How do we prevent these issues? The simplest way is to avoid them in the first place. Don’t bite off more than you can chew: start with a zero trust pilot program. Pick a business area with relatively simple operations and start there. Ideally, this would be an area with a single (or very few) applications or services. Whenever possible, use technology that you already own—you may be surprised at the amount of zero trust capability that already exists in your environment.
For example, in the previous section we touched upon the benefits of SASE—which doesn’t always require re-architecting the network to achieve. Some modern NGFWs have some type of SASE functionality built in, which gives enterprises the ability to set up policy-based user access restrictions without additional hardware outlays. Fortinet, for example, offers native capabilities without any additional hardware or subscription cost. Additionally, look at your cloud services to see what capabilities are there, particularly in the area of identity and access management.
Zero trust can appear daunting—and it is if your aim is to reach a pure ZTA. But that doesn’t make it impossible, and it also doesn’t minimize the value of simply going as far as realistically possible. For many organizations, the additional security of a pure ZTA simply isn’t worth the added cost and complexity of its implementation right now—and may not be for quite some time.
The right approach is to evaluate the zero trust capabilities that are within your organization’s reach and move strategically. Take things one step at a time, and don’t let the sheer scale of the possibilities stop you from taking pragmatic steps that will benefit your security immediately.