The comprehensive nature of Zero Trust can be a little overwhelming in a world of limited resources, time and budgets. However, as security breaches persist, more organizations are adopting this model.
Zero Trust is a journey involving lengthy cycles of assessing, planning, architecting and designing, piloting, and implementing. Before starting the journey, consider how far you want to take the journey and follow a roadmap to get here. At a high level, the roadmap should cover the following:
- Develop a strategy – What are the overall goals of the business? Do you only want to target a specific portion of your network, or the entire enterprise? Will you only be implementing a software-defined perimeter? Mapping business goals to the cyber threats putting those goals at risk will help formulate the Zero Trust strategy to mitigate that risk. This will help you build your case and get executive buy-in, which is needed to see this journey to the end. The length of your journey will be determined by the strategy. Given the broad nature of Zero Trust, many key departments of the business, such as development, finance, legal, and HR should also be involved with and/or consulted in the overall composition of the strategy. Involving the right people early on in the process not only fosters better communication, but also helps to provide for a successful deployment.
- Define your element of protection – As your strategy is being developed, you need to understand what you are trying to protect. Most likely your defined element or elements of protection is your business data. You need to determine what part of your business assets will be protected. Will it be only sensitive data? Customer data? All data? What are the varying levels of data you need to protect? PCI and ePHI data, for example, may have different classifications than financial records or product designs. You need to classify all data to understand how it should be protected.
- Enumerate your data and traffic flows – The next step is to see where that data is stored, where it is going, and who or what is handling it. This is a critical step since it will drive the bulk of the policy decisions in your architecture. You also don’t want to complete your Zero Trust journey only to discover a breach still occurred because of some neglected area. Mapping these transaction flows will also utilize asset and application inventories, and an overall taxonomy of these will be used for other development areas. Obtain information for each component of every step along the flow – this will give you a head’s up on developing policy and the components of automation that dynamically change that policy.
- Assess your Zero Trust maturity – Many organizations already have various elements of Zero Trust on their network today. A company that has effectively implemented DLP technology across the enterprise, for example, has already determined their sensitive data and understands its location. Understanding what you currently have implemented in your environment, how that can fulfill the Zero Trust tenets, and what needs to change to meet with Zero Trust can be very effective in developing the overall architecture, establishing the implementation roadmap, and allocating resource time and financial budgets.
- Design and build the Zero Trust Architecture (ZTA) – The ZTA will outline what that authorization core will look like as it relates to on-premises, cloud, B2B transactions, and other elements in the organization, and how it will interact with data stores, analytics, threat intelligence, PKI, ID management, and vulnerability management systems. It may involve a more agent-based approach and/or collectively group resources together with authentication and policy being governed at a gateway. It may be difficult to evaluate confidence in public transactions to a web server, from a Zero Trust perspective. But the data that is provided by the web server may govern how much or how little authorization is programmed into the web application, for example. The architecture will define how much of your ZTA is made up of software-defined perimeters, micro-segmentation, or governed by identity. As you understand where the crown jewels are versus the least sensitive systems within your network, you can also begin to formulate your pilot program. Pilot programs should focus on the least sensitive data elements first before moving on to the more mission-critical crown jewel systems.
- Build the Zero Trust policy – The implementation of a trust algorithm can involve a score-based approach, or an approach involving criteria that must first be met. It can also discard other requests that have been made, or it can weigh a request in context with others. What that trust algorithm looks like is key in establishing policy based on the enumerated traffic flows and data classification. Policies leveraging contextual and score-based trust algorithms require planning, testing, and tuning of the algorithm’s criteria, and weights and measures to get to a point that matches defined metrics. The policy will incorporate the trust and risk elements in its composition and adjust access authorizations accordingly. The policy’s composition will also rely on the overall architectural approach, since policy driven by identity may rely on different criteria than policy involving software-defined perimeters.
- Monitor and maintain – Once you’ve established your Zero Trust environment, it needs regular attention and monitoring. Analytics and automation play a key role in dynamically adjusting policy based on activity and threats, and benchmarking this activity against performance metrics will help to illustrate return on investment, reduced risk, enhanced performance, and overall success. Monitoring will also determine whether more resources are required to handle increased load on the authorization core, and effectively identify elements that require attention to preemptively adjust defenses through automation and provide for a continuous Zero Trust state.
As an organization evaluates its approach to Zero Trust, it will discover that a ZTA enables cloud, IoT, and advanced network deployments that are future-ready for the environment – in turn helping the organization become more efficient and cost effective. Better organization, reduced overhead, and reduced financial spend are also some of the ancillary benefits discovered on the road to Zero Trust. By taking a more strategic approach to Zero Trust, security teams can help to gain the support of the business, assess where they currently are with respect to Zero Trust, map out a plan of action, significantly reduce breach probability, and successfully protect their critical business assets and the business as a whole.
AT&T Cybersecurity Consulting can help design your Zero Trust Architecture strategy. Learn more here