Zero Trust Adoption: 4 Steps to Implementation Success
According to the Fortinet The State of Zero Trust Report, most organizations claim to either have zero trust access (ZTA) or zero trust network access (ZTNA) strategy either in place or in active deployment. However, most also report that they cannot consistently authenticate users or devices and struggle to monitor users after authentication. Additionally, many organizations also report that implementing zero trust across an extended network is difficult.
Here are four steps experts recommend for Zero Trust implementation.
1. Start Small
Zero trust protection is it is not an all-encompassing architecture. The most successful implementations of zero trust implementation start small, focusing on critical assets with the highest risk profiles, and then leverage a discover, observe and control adoption philosophy, said Kate Kuehn, vArmour senior vice president. “This enables organizations to not have to in essence boil the ocean and try and adopt unilateral controls too quickly, but instead lock down their crown jewels and understand the relationships those assets have to address resilience planning in a phased approach.”
One of the biggest mistakes we see when implementing zero trust is insufficient investing in visibility, observability, and analytics across the organization, Kuehn added. “Without visibility, companies are limited and can’t quickly mobilize to identify or prevent threats to the entire enterprise. Zero Trust is here to stay; while it’s only the first step to dynamic, proactive security, it’s an essential foundation that every organization needs to modernize its security posture.”
2. Authenticate People, Devices
The zero trust implementation model should include authenticating users, machine identities, or other components, ideally based on credentials as well as other factors like device identifier and location said Jacob Ansari, Schellman security advocate, and emerging cyber trends analyst. “It should also include clear ideas of authorization for what permissions that identity has. Further, authorization should make use of a careful definition of least privilege, which means that someone needs to carefully determine what identities should be able to do and not do.
Some of the easy wins involve securing remote access, Ansari added. While not zero trust, per se, using secure remote access with good multifactor authentication is an essential component of a functional zero trust model. Secondly, start looking at machine identities like service accounts or non-user principals for systems or cloud services or APIs.
Make sure someone knows what these identities do, what rights they should have, and how they authenticate. If any API endpoints or the like don’t require authentication or the tokens or other credentials have been exposed through public repositories, require stronger authentication. If service accounts require root user privileges, start the engineering efforts to change how those applications work, so that you no longer rely on risky elements like superuser privileges for service accounts.
3. Use Comprehensive Processes
To ensure success in zero trust implementation, an organization must have a comprehensive adoption strategy covering technology, processes, and people, according to Arun “Rak” Ramchandran, Hexaware global head, digital core transformation.
“Today, technology changes faster than humans can comprehend,” Ramchandran said. “For example, AI and machine learning (ML) have been on an evolutionary path to the point where artificial intelligence is evolving all by itself. AI advances effectively with zero human input.”
To assure that zero trust works in perpetuity, organizations must have periodic audits and recalibration to see how the zero trust environment needs to be updated, Ramchandran added. “There are always state-owned actors within a network who can compromise the network.”
The greatest threat to the system is people in two ways — those creating programs to compromise the zero trust network, and people becoming complacent about protecting it. Human complacency is enemy number one in assuring zero trust data protection.
4. Include Policy Automation Technologies
On its way to beginning an industry-wide standard, zero trust is becoming more broadly adopted, said Yash Prakash, Saviynt’s chief strategy officer. Many security leaders and practitioners have focused their attention on deploying identity-based solutions and building identity-centric architectures. For zero trust implementation, organizations must incorporate three core policy components:
- A policy engine that decides to grant, deny or revoke access to resources for all entities that request to do so. Risk and trust scores are determined in real-time to serve as the basis for each decision.
- A policy administration engine that can establish and terminate the connection between an entity and a resource. Relying on decisions made by the policy engine, the administrator generates authentication tokens or credentials for each session.
- A policy enforcement point to enable and monitor ongoing connections between entities and enterprise resources.
How to Build a Zero Trust Architecture?
Zero trust networks enhance security by implementing most minor privilege access controls and eliminating the need for trusted insiders, explained Nicola Davolio, Hupry CEO. Every user and device must be verified and authenticated before being given access to any resource. This approach eliminates the reliance on perimeter defenses, which can be breached, and instead creates an internal security posture that is much more difficult to exploit.
This approach has many benefits, chief among them being that it helps prevent data breaches and limits the damage that can be done even if a breach does occur. Davolio added. Dramatically reducing the number of users who have unrestricted access to your systems and data makes it much harder for attackers to move later.
How to Adopt a Zero Trust model?
Implementing a zero trust architecture requires operational strategy, policies, products, and integrations to work in harmony, said Bryon Hundley, Retail & Hospitality ISAC vice president of intelligence operations. Each organization’s zero trust implementation process will be different, but typically will include the following steps:
- Identify sensitive data and segment the network.
- Classify and map acceptable routes for data access.
- Create microsegmentation around sensitive data.
- Monitor the environment with security analytics.
What Is a Zero Trust Approach?
“Zero trust summarizes the idea that no device, user, network, or other system or resource can act without authenticating its identity and can only perform actions for which it is authorized,” Ansari said. “The idea that it’s the internet-facing segment that faces all the risks and the interior of the organization is less prone to compromise or malicious activity has been discredited an organization’s network has had porous boundaries since users took their laptops home with them at the end of the day.