More often than not, organizations see zero trust as an all-or-nothing proposition, where benefits are only realized once everything in the system has been integrated. But this could not be further from the truth. One of the main concerns preventing businesses from committing to a zero trust model is that “brownfield” environments carry too much technical debt that needs addressing before zero trust can be implemented.
In their minds, this security approach can only be applied to fresh, or “greenfield,” environments – and even there organizations are hesitant as they may believe security will hinder business agility.
The real reason businesses hesitate over zero trust is a lack of understanding of the process, compounded by the unfortunate influence of the myths stated above. Forrester’s zero trust framework gives a clear overview of the seven pillars that make up a comprehensive zero trust strategy: data, people, workloads, devices, networks, automation and orchestration, and visibility and analytics. Even after seeing the different elements set out, businesses may feel overwhelmed by the number of areas that can be linked with zero trust – it’s the classic “boiling the ocean” problem.
But what if companies instead took a more incremental and agile approach where benefits are realized at each stage along the way? This approach not only results in a regular and measurable improvement in security posture, but it also facilitates the integration of further capabilities throughout the process.
Implementing zero trust
Here is a simple, six-step, repeatable process that can help organizations adopt a zero trust security model.
1. Identify security priorities
When looking for short-term wins in pursuit of a long-term goal, businesses should target a single application, or a collection of applications, that would most benefit from adopting a zero trust security model – critical applications that key decision makers are already aware of, which will help demonstrate the return on investment (ROI) along the way.
Companies also need to understand that this is a learning process, and so need to be comfortable adapting their approach as they learn more about what they are trying to protect. Adopting zero trust means businesses will be re-positioning the usual access models, and this may require consulting and educating stakeholders. Part of the process, however, is understanding these dependencies and catering for them in the program.
Once a company has identified what they want to protect, they can move forward to deciding which zero trust pillar to focus on first.
2. Choose your initial zero trust pillar
Attempting to tackle every single pillar in Forrester’s zero trust model would be extremely ambitious and unrealistic. The overall aim for businesses is to make quick and measurable progress, so addressing several areas at once would be counterproductive. Just as a business takes a very focused approach when identifying which applications to protect, it should apply the same attitude when determining how to approach zero trust itself.
There are tools available to help, one example being Forrester’s Zero Trust Model Assessment Tool, which are designed to identify gaps in an organization’s adoption of zero trust. Such tools provide insight into which pillars should be focused on first, for example a gap in the protection of workloads caused by unnecessary network accessibility.
3. Develop specific controls
The next stage is specifying the exact control you are trying to achieve. Once the primary focus point has been identified in step 2, businesses can source the appropriate security controls in order to move on to the next stage of the zero trust process. So, where an assessment identifies excessive network access to application workloads, the recommendation would be to adopt micro-segmentation to protect the workloads and limit their exposure to the risks associated with lateral movement.
4. Identify the data you need
For the next stages of the process, businesses must first identify what information is needed in order to implement the controls effectively. They need data and visibility to build the specific policy that will achieve the outcome.
It is important to remember that an effective implementation of zero trust relies on access to contextual information to help formulate policy. For micro-segmentation in the context of protecting workloads, the minimum metadata needed beyond a standard traffic report is that which places each workload in the context of its data center application and environment.
5. Create your policies
Once these data points have been collated, the company can build a zero trust segmentation policy for this particular business process and validate it. For this stage, there are three pieces of data that need to be sourced. Firstly, real-time traffic events for the workloads being protected.
Next, context data for each workload and connection is crucial, including metadata associated with the workload, and details of the communicating process that is sourced directly from the workload.
Finally, the business needs an application dependency map (based on the first two pieces of data) that allows an application owner or segmentation practitioner to quickly visualize a specific application’s upstream and downstream dependencies. This application dependency map can be leveraged to build a micro-segmentation policy that allows connectivity to only those dependencies that are necessary for the application to function – a zero trust policy takes an allow-list approach: specify precisely what you wish to permit, deny everything else by default.
6. Validate, implement, monitor
Once the policy is in place, traffic and tamper monitoring allow companies to continually monitor the posture of their environment and react to any changes, either manually or through automation. At this stage, you must understand what other elements of the business could be affected and mitigate the risks.
With any segmentation effort, the stage that carries the greatest risk is enforcing the policies that have been written, such that no other traffic is permitted into or out of the workloads. If the policies are wrong, there is a chance of causing a production outage. So, the move to enforcement must be controlled, with sufficient opportunity for monitoring so that any problems can be quickly detected and fixed. This is where policy testing is crucial – it allows businesses to exercise the new policy in a ‘test environment’ before applying it to the final system.
Given the importance of getting the new process up and running quickly and with minimal disruption to the system, organizations ideally do not want to take huge leaps in their zero trust journey by tackling too many areas at once.
After all six steps have been completed successfully, it’s time to head back to step one and begin again, this time focusing on a different area. By repeating the process, organizations can incrementally expand their zero trust implementation and continuously improve their overall security state, with the eventual goal of covering the entire infrastructure.
Even once the policies are enforced, the process does not end there. Companies must continuously monitor traffic events for anything unexpected and investigate anything that falls outside the norm. Zero trust is a security strategy, not an outcome in itself. Organizations must have an ongoing understanding of their own maturity across the zero trust pillars, so that they can continue to identify which of them need more focus and take incremental steps to improve that maturity.