This is excerpted from a Zero Trust article John Kindervag published back in 2017, yet the fundamental principles haven’t wavered and the need for a movement toward Zero Trust has never been more acute.
“Zero Trust,” a widely accepted term originally coined by John Kindervag and adopted by Forrester, is a data-centric network design that puts microperimeters around specific data or assets so that more granular rules can be enforced.
Zero Trust networks solve the “flat network” problem that helps attackers move undetected inside corporate networks so they can find and exfiltrate sensitive data. The shift to Zero Trust is applicable across all industries — from government to retail, healthcare, and everything in between. Here are five steps to get companies started on the path to Zero Trust.
Identify Your Sensitive Data
This may seem simple, but it’s more challenging than you might think. It’s impossible to protect data that you can’t see. If you don’t know where your enterprise stores data, who specifically uses it, how sensitive it is, or how employees, partners, and customers use it, then you’re putting your organization at risk. Before investing in security controls, companies must identify the data to protect. Once data is identified, it’s necessary to make the data classification useful, and simplification is key.
Map the Data Flows of Your Sensitive Data
It’s crucial to understand how data flows across the network and between users and resources. Engaging multiple stakeholders such as application and network architects to create a transaction flow map is important because they bring different information to the conversation. Additionally, security teams should streamline their flow diagrams by leveraging existing models. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations to create data flow diagrams to help them fully understand all cardholder data flows and ensure that they’re effective in securing the cardholder data environment.
Architect Your Network
The actual design of a Zero Trust network should be based on how transactions flow across a network and how users and applications access toxic data. With an optimized flow in mind, it’s time to identify where microperimeters should be placed and segmented with physical or virtual appliances. For example, in a network where the compute environment is physical, the segmentation gateway usually will be physical as well. But if you’ve decided to adopt a highly virtualized compute environment, you may want to use a virtual segmentation gateway.
Create Your Automated Rule Base
Once the design team has determined the optimum traffic flow, the next step is to determine how to enforce access control and inspection policies at the segmentation gateway. One key principle of Zero Trust is that security pros must limit access on a need-to-know basis and strictly enforce this access control. To define these rules, the design team must have a detailed understanding of which users have access to which data. It’s no longer enough to know the source address, destination address, port, and protocol. Security teams need to understand the asserted user identity as well as the application, which will often serve as a proxy for the data type in the modern segmentation gateway.
Continuously Monitor the Ecosystem
Another core tenet of the Zero Trust model is to log and inspect all traffic, not just external traffic, for both malicious activity and areas of improvement. In the old broken-trust model, traffic was typically logged only if it came from the Internet and hit edge devices. The syslog protocol would then be used to capture information that would be analyzed in a security information management tool. However, that method doesn’t provide enough context to make good security decisions — internal traffic must be held to the same standards. A Zero Trust network makes this possible because it is designed so that the segmentation gateway can send all of the data flowing through it, including traffic destined for both internal and external network segments, to a security analytics tool for closer inspection.
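The two preceding steps describe a rule base keyed on asserted identity and application rather than on address and port, and a gateway that logs every flow, internal as well as external, for analytics. The following Python sketch is an added example, not code from the article or from any product; it models a toy segmentation gateway with a default-deny rule base over (identity group, application, destination microperimeter), logs each decision, and runs a simple analytic over that log. All addresses, identities, groups, rules and the `SAMPLE_FLOWS` traffic are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, asdict
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Microperimeters the gateway fronts (constructed addresses, not from the article).
ZONES = {
    "web-tier": ip_network("10.10.1.0/24"),
    "cardholder-db": ip_network("10.10.5.0/24"),
}
# Anything inside this range counts as "internal" for logging and analytics.
INTERNAL = ip_network("10.0.0.0/8")
# Directory lookup, asserted identity -> group (constructed sample data).
GROUPS = {"svc-checkout": "payments-services", "alice": "dba", "bob": "helpdesk"}


@dataclass(frozen=True)
class Flow:
    """One transaction seen at the segmentation gateway: the classic 5-tuple
    plus the asserted user identity and the identified application."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    user: Optional[str]  # None when no identity was asserted
    app: Optional[str]   # None when the gateway could not identify the application


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset    # identity groups permitted
    app: str             # application required (stands in for the data type)
    zone: str            # destination microperimeter


# Rule base keyed on identity, application and microperimeter, not on address/port.
RULES = [
    Rule("checkout-to-db", frozenset({"payments-services"}), "postgres", "cardholder-db"),
    Rule("dba-to-db", frozenset({"dba"}), "postgres", "cardholder-db"),
    Rule("staff-to-web", frozenset({"payments-services", "dba", "helpdesk"}), "https", "web-tier"),
]


def zone_of(ip: str) -> Optional[str]:
    """Return the microperimeter containing ip, or None if it is in no zone."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Default deny: allow only when a rule matches group, application and
    destination zone. Returns (verdict, reason)."""
    zone = zone_of(flow.dst_ip)
    if zone is None:
        return "deny", "destination outside any microperimeter"
    if flow.user is None:
        return "deny", "no asserted identity"
    if flow.app is None:
        return "deny", "application not identified"
    group = GROUPS.get(flow.user)
    for rule in RULES:
        if rule.zone == zone and rule.app == flow.app and group in rule.groups:
            return "allow", rule.name
    return "deny", "no matching rule"


def gateway(flows: List[Flow]) -> List[dict]:
    """Enforce the rule base and log every flow, internal or external."""
    records = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        rec = asdict(flow)
        rec.update(
            verdict=verdict,
            reason=reason,
            internal=ip_address(flow.src_ip) in INTERNAL and ip_address(flow.dst_ip) in INTERNAL,
        )
        records.append(rec)
    return records


def suspicious_users(records: List[dict], threshold: int = 2) -> set:
    """Analytics over the gateway log: identities with repeated denied
    internal-to-internal attempts, which edge-only logging would never record."""
    denies = Counter(
        r["user"] for r in records
        if r["verdict"] == "deny" and r["internal"] and r["user"]
    )
    return {user for user, n in denies.items() if n >= threshold}


# Constructed sample traffic, not captured data.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.5.20", 5432, "tcp", "svc-checkout", "postgres"),
    Flow("10.20.0.12", "10.10.5.20", 5432, "tcp", "bob", "postgres"),
    Flow("10.20.0.12", "10.10.5.21", 5432, "tcp", "bob", "postgres"),
    Flow("10.20.0.12", "10.10.5.20", 5432, "tcp", "bob", None),
    Flow("203.0.113.9", "10.10.1.10", 443, "tcp", "alice", "https"),
]

if __name__ == "__main__":
    log = gateway(SAMPLE_FLOWS)
    for rec in log:
        print(rec["user"], rec["src_ip"], "->", rec["dst_ip"], rec["verdict"], rec["reason"])
    print("repeated internal denies:", suspicious_users(log))
```

The point of the rule base is that the second and third sample flows have exactly the same address, port and protocol as a legitimate one; only the asserted identity and its group distinguish them, so a 5-tuple rule could not express the policy. The point of the log is that those denied attempts are internal-to-internal and would not appear at all under edge-only logging, yet they are what the analytic surfaces.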
In today’s threat landscape, skilled, well-funded, organized cybercriminals are constantly working to steal vital information from businesses. Where today’s security approaches fail to protect data, Zero Trust remains the best, most modern way to keep your network secure.
Implemented incrementally, the Zero Trust model enables all organizations to start immediately. Identifying your critical data is the first step. Since the point solutions and tools required for a Zero Trust implementation are already on the market and sufficiently matured to a greater or lesser extent, waiting for new technology will not stand in the way.
Your Zero Trust journey can begin today.