The concept of a Zero Trust infrastructure is now broadly understood across most industry sectors, but what’s less clear is the path organisations need to follow to get there.
Rather than simply being a case of purchasing and deploying a single solution, the process involves a series of steps that must be carefully planned and undertaken.
Begin with a definition
Even if the concept is known, it’s worth starting any deployment project by ensuring that all parties involved agree with the definition.
In essence, a Zero Trust infrastructure requires everyone and everything connecting to a network to have their identity verified. This must occur even if they are connected to a permissioned network such as a corporate LAN.
Devices being used to connect must also comply with an organisation’s stated security policies. This could include having the latest security and OS patches in place. Also, it’s important that parties are only provided with access to resources that they specifically require for their role. If they attempt to access anything else, they will be blocked.
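The definition above can be written as a single default-deny access decision. The following Python sketch is an added example, not code from the article; the role map, patch baseline and field names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy data (assumptions for illustration only).
ROLE_RESOURCES = {
    "finance-analyst": {"ledger-db", "invoice-app"},
    "hr-officer": {"hr-portal"},
}
MIN_PATCH_LEVEL = (2024, 5)  # hypothetical minimum OS patch baseline (year, month)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    identity_verified: bool     # outcome of authentication for this session
    role: str
    device_patch_level: tuple   # (year, month) reported by a device posture check
    source_network: str         # e.g. "corporate-lan" or "internet"
    resource: str


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything else is blocked."""
    # source_network is deliberately never consulted: being on the LAN grants nothing.
    if not req.identity_verified:
        return False, "identity not verified"
    if req.device_patch_level < MIN_PATCH_LEVEL:
        return False, "device below patch baseline"
    # Least privilege: only resources mapped to the role; unknown roles get nothing.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "resource not required for role"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed requests: an unverified LAN user and a verified remote user.
    for r in (
        AccessRequest("alice", False, "finance-analyst", (2024, 6), "corporate-lan", "ledger-db"),
        AccessRequest("bob", True, "finance-analyst", (2024, 6), "internet", "ledger-db"),
    ):
        print(r.user, r.source_network, decide(r))
```

The unverified request from the corporate LAN is blocked while the verified, compliant request from the internet is allowed, which is the inversion of the perimeter model.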
A Zero Trust strategy allows an organisation to move away from the concept of having a secure perimeter designed to keep unauthorised parties out. For many years this was seen as the best method of achieving strong IT security; however, as cyberthreats have grown in both number and sophistication, this is no longer the case.
Although first coined back in 1994, the term Zero Trust didn’t gain significant commercial attention until Google implemented the architecture in 2009 and referred to it as BeyondCorp. Fast forward to 2021 and US President Joe Biden made Zero Trust a key pillar of his executive order designed to improve government cybersecurity.
Transitioning to a Zero Trust security framework
It should be remembered, however, that creating a true Zero Trust framework is a much broader undertaking than just deploying a Zero Trust architecture (ZTA). In a sense, ZTA is actually more of a useful on-ramp towards achieving a full Zero Trust framework.
Transitioning to such a framework needs to begin with an initial assessment of what has to be protected. The location of all applications and data must be confirmed and potential threats to those elements identified.
The next step is to create a plan for the transition. Clear goals need to be defined and a timeline agreed. It’s also important to allocate sufficient resources to get the job done.
Following this, activity shifts into execution mode. Chosen Zero Trust technologies will need to be deployed and staff educated in their use.
The final step is a process of monitoring and continuous improvement. Performance metrics should be gathered regularly for analysis and to support reviews that confirm everything is fully functional and delivering the anticipated level of cyber protection.
The implementation path
Once the parameters have been set, work can begin on implementation. This should begin with the classification of data and confirmation of its ownership. Following this, analysis should be undertaken of transaction flows between applications and data locations. Critical paths and typical traffic patterns need to be established so that unauthorised activity is easier to spot.
The next implementation step is to build micro-perimeters around each asset. This can be achieved through a range of options including segmenting networks, deploying access controls, and making use of secure connections.
Attention then needs to be given to enforcing strict access control. This should be based on least-privilege principles, multi-factor authentication, and regular auditing.
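The transaction-flow and micro-perimeter steps above can be illustrated by deriving a per-asset allowlist from observed traffic and flagging anything outside it. This Python sketch is an added example, not code from the article; the flow records, asset names and the `min_count` threshold are constructed assumptions.

```python
from collections import Counter

# Constructed baseline of observed flows: (source_app, dest_asset, dest_port).
BASELINE_FLOWS = [
    ("invoice-app", "ledger-db", 5432),
    ("invoice-app", "ledger-db", 5432),
    ("invoice-app", "ledger-db", 5432),
    ("hr-portal", "hr-db", 5432),
    ("hr-portal", "hr-db", 5432),
    ("hr-portal", "ledger-db", 5432),  # seen only once: not a typical pattern
]


def build_allowlist(flows, min_count=2):
    """Map each asset to the (source, port) pairs seen at least min_count times.

    Flows below the threshold are left out so that the data owner reviews
    them before they become part of the asset's micro-perimeter.
    """
    allow = {}
    for (src, dst, port), n in Counter(flows).items():
        if n >= min_count:
            allow.setdefault(dst, set()).add((src, port))
    return allow


def unauthorised(flows, allowlist):
    """Return flows outside the destination's micro-perimeter (default deny)."""
    return [f for f in flows if (f[0], f[2]) not in allowlist.get(f[1], set())]


if __name__ == "__main__":
    perimeter = build_allowlist(BASELINE_FLOWS)
    # Constructed new traffic to evaluate against the baseline.
    new_traffic = [
        ("invoice-app", "ledger-db", 5432),  # typical path
        ("hr-portal", "ledger-db", 5432),    # crosses into another asset's perimeter
        ("invoice-app", "ledger-db", 22),    # known source, unexpected port
    ]
    for flow in unauthorised(new_traffic, perimeter):
        print("flag for review:", flow)
```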
Challenges that might be faced
While a shift to a Zero Trust environment can deliver significant benefits to an organisation, it can also create some challenges. These include:
- Resistance to change: Some staff may not understand the need for change. To overcome this, it’s important to conduct full training and communicate why the approach is best for the organisation.
- Technical complexity: Achieving a robust Zero Trust environment may require skills that are not available within the in-house IT team. Consider commissioning external experts to help with the process.
- Budgetary constraints: It’s important to undertake a full cost/benefit analysis to ensure that the funds being invested in the project will deliver real benefits to the organisation. It may also be worth considering taking a phased approach to spread costs over a longer period.
- Maintaining productivity: One important goal should be to maintain productivity while the changes are being made. A balance needs to be found between security and access to ensure that staff can continue to make use of the resources they need to undertake their roles.
It will take some time and effort to achieve an effective Zero Trust environment, but the security benefits that will be delivered are significant. Consider how your organisation could begin the journey today.