Approaching zero trust security strategically
With digital transformation efforts accelerating, the attack surface expanding exponentially and conventional perimeter-based security continuing to fail, there’s never been a better time for organizations to re-evaluate their options and consider taking their zero trust strategy seriously.
But the complexity of adopting zero trust is its greatest challenge, especially because it requires careful planning. It requires a set of complementary user, device, workload, data, and network security technologies that all need to operate together to be effective against internal and external cyber threats. While it is possible to achieve quick wins in some areas, there are no silver bullets or shortcuts when adopting zero trust security.
Accurately summarizing the complexities of this implementation process, the National Security Agency (NSA) released its latest government and industry guidance on the importance of integrating zero trust security. Unlike previous guides, it gives business leaders a more holistic understanding of why zero trust implementation will be a difficult endeavor, but a necessary one.
What the NSA is recommending isn’t necessarily what leaders want to hear as they evaluate the time and resources zero trust requires. While it is not a simple or quick process, zero trust can be successfully implemented through the following key components:
Zero trust strategy and long-term leadership commitment
A comprehensive, enterprise-wide implementation of zero trust security requires a well-thought-out strategy and a considerable investment of resources. The number one component necessary for zero trust adoption is a long-term commitment from leadership. As zero trust is a model, not a single technology or a product, the mindset required for zero trust must be embraced for any implementation to be successful. This is where conversations on the realities of zero trust are difficult, but necessary.
Do not overpromise on timelines or capabilities. Make all stakeholders aware that for most organizations, zero trust is a multi-year journey – this is not a set-it-and-forget-it solution. All members of the organization, from the CEO to users, will continually need to keep their guard up for investments to be worthwhile. As the NSA pointed out in its latest guidance, “once even basic or intermediate zero trust capabilities are integrated into a network, follow-through is necessary to mature the implementation and achieve full benefits.”
Understand existing IT infrastructure and security gaps
One of the crucial first steps in implementing a holistic zero trust approach is to determine which of your existing IT infrastructure and cybersecurity controls are already zero trust-compatible or could easily be updated or replaced.
Nobody wants to start all over or add even more tools to an existing plethora of costly and complex cybersecurity solutions. In many cases, there are simple steps toward zero trust that can be taken first, such as network micro-segmentation, that may not require additional hardware or software purchases.
Many organizations might already have some of the required zero trust building blocks in place (e.g., MFA). By taking those building blocks, rearranging some, and evaluating where improvements can be made, a cost-effective, incremental adoption of zero trust can be possible.
If you need to add new zero trust solutions to your IT security infrastructure, look for solutions that are compatible with the latest zero trust standards, such as NIST SP 800-207. With the rapid rate of technology change, also make sure that your underlying zero trust architecture is modular and flexible to simplify future upgrades and prevent vendor lock-in.
Start small and then branch out
As the NSA guidelines reveal, trying to implement comprehensive zero trust all at once is not recommended. The road to zero trust is a long journey that requires careful planning and phased rollouts. Large organizations are expected to take close to a decade to truly achieve comprehensive, multi-level zero trust security. Before embarking on the journey, it is highly recommended to first secure leadership buy-in and then develop a strategy and phased implementation plan.
Do not try to “boil the ocean” and make too many changes at once. Pick a focus area, such as the implementation of zero trust identities, before branching out into other areas like zero trust networking, devices, workloads or data.
Prioritize the implementation order based on your perceived risks and current deficiencies. In time, zero trust security should be applied comprehensively to all users, devices, networks, applications, services, and data. Neglecting any of these areas creates blind spots and opportunities for exploitation.
As reports of massive security breaches appear in the news every week, traditional perimeter-based security approaches are unable to defend our systems against real-world cyber threats. Using a “security by design” approach, a properly implemented, multi-layered zero trust security solution minimizes the potential damage an internal or external adversary can inflict.
Through multi-level monitoring and contextualized, multi-domain behavioral analytics, a zero trust-based security platform is also well equipped to go head-to-head against even the most sophisticated adversaries. Organizations that have not yet started their zero trust adoption journey should seriously consider making it a top priority as soon as possible.