Security Think Tank: Zero trust strategies must start small, then grow

In theory, the elimination of trust on the network simplifies IT security, but zero trust also brings new complications and new challenges. How should CISOs approach moving their organisations from traditional network security to a zero-trust architecture?

It is widely recognised that the traditional boundary protection approach to security is broken, particularly in the era of cloud services and remote working, where it is no longer possible to identify your perimeter, or trust those who purport to be users on your network. This is where the zero trust concept can provide a solution, with the right planning and implementation.

Zero trust can mean different things to different people. At a high level, it is about trusting nothing and no one, on the assumption that all users, devices and transactions are compromised. In terms of technology, many familiar elements underpin the concept, namely identity and access management (IAM), mobile device management, multifactor authentication, and so on.

However, at the core of zero trust is fine-grained micro-segmentation and adaptive policy enforcement that allows security controls to be applied to individual workloads across the datacentre. This can then be complemented with user and entity behaviour analytics (UEBA) to monitor who is accessing what, and encrypted (TLS) connections between every user, application and data store, to prevent a user breaking out of their segment and moving laterally.

All this is done at the application layer, so there is no user access to the lower layers, which significantly reduces the attack surface. Essentially, all users, whether they are remote, inside the network or accessing cloud data, are treated the same and must be authenticated before they get access to any data or services.

The best approach will depend on the nature of the specific system, including where data is stored and what services are provided. And all this while considering the use of cloud, hybrid-cloud and remote access.

However, it is usually best to implement zero trust incrementally, first addressing the most valuable data assets and most vulnerable users. This will give early benefits by addressing the highest risks first. This should also include the application of zero trust to all security components.

As with any other change, there are prerequisites, and planning ahead is essential. Before starting any implementation, you need to know your data assets, your physical assets (servers, hosts, mobiles, and so on) and your users. You will also need to understand the data flows between clients and servers and between servers (north-south and east-west, in SDN speak).

This is necessary to understand who is accessing what, so that the access control permissions can be defined and the data assets and applications segmented appropriately. This can be done by moving the data into its own network segment and capturing the system transactions that use that data.

This will show how to segment the data and how to architect the solution, by placing network segmentation gateways with the appropriate policies in front of the data. Defining and configuring the access control is probably the most complex part of a zero-trust implementation, which is another reason to start small and build out.
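The procedure above (inventory the flows, segment the data, put a policy-enforcing gateway in front of it, then define access control) can be illustrated with a small policy decision point. The following is an added example, not code from the article or from any product; the flow records, segment names, sensitivity tiers and the `AccessRequest` fields are all constructed for illustration.

```python
"""Added example: a minimal zero-trust policy decision point.

Step 1 mirrors the advice to capture data flows (north-south and east-west)
before writing policy: constructed flow records are turned into an inventory.
Step 2 turns that inventory into an explicit per-workload allow-list; any flow
not in the list is denied by default.
Step 3 evaluates each access request against the allow-list plus adaptive
checks (TLS, strong authentication, device posture) regardless of whether the
caller is "inside" the network.
"""
from dataclasses import dataclass

# Constructed sample flow records captured from a segmented environment:
# (source_segment, destination_workload, port).
OBSERVED_FLOWS = [
    ("internet", "web-frontend", 443),
    ("vpn", "web-frontend", 443),
    ("web-frontend", "orders-api", 8443),
    ("orders-api", "orders-db", 5432),
    ("reporting", "orders-db", 5432),
]

# Segments that live inside the datacentre; traffic between them is east-west,
# traffic arriving from anywhere else is north-south.
DATACENTRE_SEGMENTS = {"web-frontend", "orders-api", "orders-db", "reporting"}

# Hypothetical sensitivity tiers per workload (higher = more sensitive).
SENSITIVITY = {"web-frontend": 1, "orders-api": 2, "orders-db": 3, "reporting": 2}


def classify_flow(src, dst):
    """Label a flow east-west or north-south from its source segment."""
    return "east-west" if src in DATACENTRE_SEGMENTS else "north-south"


def build_allowlist(flows):
    """Return {workload: {(source_segment, port), ...}}.

    This is the policy placed on the segmentation gateway in front of each
    workload. Anything absent from the set is denied by default.
    """
    allow = {}
    for src, dst, port in flows:
        allow.setdefault(dst, set()).add((src, port))
    return allow


def flow_summary(flows):
    """Count observed flows by direction, useful when prioritising segments."""
    summary = {"north-south": 0, "east-west": 0}
    for src, dst, _port in flows:
        summary[classify_flow(src, dst)] += 1
    return summary


@dataclass
class AccessRequest:
    principal: str        # user or workload identity
    src_segment: str
    dst_workload: str
    port: int
    strong_auth: bool     # MFA for a person, workload identity (e.g. mTLS cert) for a service
    managed_device: bool  # device posture from MDM, or a known workload host
    tls: bool


def decide(req, allow):
    """Return (decision, reason). Default deny; every check must pass."""
    rules = allow.get(req.dst_workload)
    if rules is None or (req.src_segment, req.port) not in rules:
        return ("deny", "no policy permits this flow")
    if not req.tls:
        return ("deny", "connection must be TLS")
    tier = SENSITIVITY.get(req.dst_workload, 3)   # unknown workloads are treated as most sensitive
    if tier >= 2 and not req.strong_auth:
        return ("deny", "strong authentication required for tier >= 2")
    if tier >= 3 and not req.managed_device:
        return ("deny", "managed device required for tier 3")
    return ("allow", f"{classify_flow(req.src_segment, req.dst_workload)} flow permitted")


if __name__ == "__main__":
    allow = build_allowlist(OBSERVED_FLOWS)
    print(flow_summary(OBSERVED_FLOWS))
    # A VPN user going straight to the database is denied even though the
    # user is "on the network": no observed flow ever justified that path.
    print(decide(AccessRequest("alice", "vpn", "orders-db", 5432, True, True, True), allow))
    print(decide(AccessRequest("svc-reporting", "reporting", "orders-db", 5432, True, True, True), allow))
```

The point of the example is the ordering: the allow-list is derived from observed flows first, and identity, device and transport checks are layered on top, so a request that was never part of a legitimate data flow fails before any credential is even considered. Starting with one sensitive workload (here `orders-db`) keeps the allow-list small and reviewable, which is what makes the "start small, then grow" advice workable in practice.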

Because zero trust changes the way users access services and data, a move to zero trust is best treated as part of an overall digital transformation project to adopt cloud technologies, rather than just an update to a legacy system. Treating it as a legacy update risks creating new vulnerabilities and failing to remove some of the problems it is intended to fix.

Many companies offer zero-trust technology and they may be able to help with the architecture and planning, but only the business owner of the system can identify critical assets and applications. The same applies to the data flows between them and defining the access control needs.

Also, the operational team overseeing the implementation should have a degree of expertise in zero trust and, ideally, the technologies being used. This may require additional training or bringing in more expertise. Because of the transformational nature of adopting zero trust, the CIO, CISO and other board members should be involved early in the planning to help with the prioritisation of assets and services that are migrated to zero trust and help minimise any business impact.

In summary, a zero-trust approach can help protect today's systems in a way that perimeter security cannot. However, preparation is essential, particularly in identifying assets and the access control requirements and ensuring the necessary skills are available. It is probably best to start small with the most sensitive assets and services and build out from there, applying less granularity to the less sensitive assets where appropriate, which will simplify access control management.