Organizations across many industries are in the throes of a journey to implement the zero trust security model to strengthen their cybersecurity posture.
Through my experience working directly with CISOs and CIOs at various organizations, the path towards zero trust is often not as easy as one may hope. There is no one button to press here and achieve zero trust-based security. Between the need for dedicated personnel, agreement across a wide range of stakeholders, and the proper budget, the only way to effectively move towards a zero trust model is to do so iteratively.
Why is the path to zero trust so difficult?
Zero trust has been talked about for quite a while, but many organizations have yet to implement it. One thing to keep in mind is that zero trust is not a tool, but a collection of concepts and ideas to enforce least-privilege access.
The zero trust model provides a global policy across the organization, which makes it challenging because organizations are typically fragmented, with different departments responsible for different cybersecurity controls. The only way to achieve zero trust across the entire organization is to have buy-in and leadership from the top on down, and then build that collaboration across all the departments. You must get all the groups and stakeholders on the same page.
How can you get that buy-in and stewardship of a zero trust model across the organization?
The zero trust model must be positioned as enabling the business — specifically examining where automation can reduce friction and enable a more agile, productive business. If your organization doesn’t have the technology capabilities currently available to automate key security functions, such as the automation of user lifecycle, provisioning, and other security capabilities, you will need to focus on building these foundational capabilities first before moving forward with zero trust.
Foundational capabilities will improve security posture and threat response preparedness required to achieve zero trust. With zero trust, access is enforced for any subject that is accessing applications or data. To achieve true zero trust, the access decision needs to be based on not only the positive identification of the subject, but also other contextual information (e.g., the health of the endpoint the subject is using and the health of the network where the request originates). Dynamic policy enforcement requires near real-time information about the network and endpoint for making access decisions for an authenticated user — even when the user has the appropriate authorizations.
Identity governance systems will still be required for provisioning coarse-grained access that will provide authorization information to policy enforcement points. A full zero trust approach requires risk evaluation at the network and endpoints, as well as orchestration to add additional context required by policy enforcement points.
As you can see, zero trust is so all-encompassing and broad that organizations can suffer from analysis paralysis: Where to begin? How to accomplish such a big project within a certain timeframe and budget?
What I’ve seen work is when it is broken down into phases/steps through an iterative process. Identify areas for quick wins. For example, where does the business have critical risks and how can those be minimized? Approaches to solve this challenge include segmenting your most sensitive networks and implementing identity access management. Take one step at a time, do that well, and then move on to the next. And of course, all of this must be transparent to the business/users.
Which industries or organizations are ahead and making headway, while others are just starting?
The organizations I’ve seen that are further along in this journey are financial institutions and government-mandated organizations.
Financial firms have sensitive data that must be protected and (more often than organizations in other verticals) have a greater level of cybersecurity maturity, resources and teams. Many other industries are still focused on the basics, whereas financial institutions have the bandwidth and wherewithal to continue to evolve and improve their cybersecurity program.
With last year’s Executive Order on Improving the Nation’s Cybersecurity, federal agencies were required to shift to a zero trust model. Each agency has now focused on changing their approach toward the explicit trust of assets, identities, and the networks that those users and assets operate on.
Is the 2024 deadline realistic and where should critical infrastructure be in their journey if they are going to meet this deadline?
When it comes to timelines for implementing zero trust as well as the impending 2024 deadline for agencies as set forth in the EO, the biggest questions are:
- Is the funding there?
- Does the organization have a mature security program with the right skills (such as cloud, identity, etc.) and resources in place?
- What infrastructure changes are needed, and can the supply chain meet these needs? We’ve seen supply chain issues the last couple of years across the board — this cannot be discounted as far as what is realistic and possible.
In a true zero trust architecture, multiple infrastructure layers will need to share risk information with policy enforcement points to allow enforcement of real-time dynamic access policies, which will require orchestration to pull contextual information from every relevant infrastructure layer.
In the end, this means that standards must be developed to create a common understanding and interpretation of risk scoring so that various vendors’ solutions can share security posture and trust-related information for making access decisions with policy enforcement points. These distributed risk evaluation and orchestration capabilities will continue to mature and develop over the next few years.
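As an added illustration (not part of the original interview or any vendor's product) of the dynamic access decision described above, where identity and entitlements are necessary but not sufficient and endpoint and network risk from different layers must be normalized to one scale before a policy enforcement point can act on them, here is a toy policy decision point. The vendor names, score scales, 300-second freshness window and thresholds are all assumptions chosen for illustration.

```python
"""Toy policy decision point (PDP): identity + entitlements + endpoint and network
risk -> allow / step_up / deny. All names, scales and thresholds are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

MAX_SIGNAL_AGE_S = 300.0  # "near real-time": older posture data is treated as unknown (assumed)


@dataclass
class Signal:
    vendor: str         # which infrastructure layer / vendor produced the score
    raw: float          # score in that vendor's native scale
    observed_at: float  # unix time the signal was collected


# Each vendor's native scale is mapped onto a common 0.0 (trusted) .. 1.0 (risky) scale.
# Agreeing on such a mapping is the "common interpretation of risk scoring" the text calls for.
NORMALIZERS: Dict[str, Callable[[float], float]] = {
    "edr_a": lambda s: s / 100.0,       # assumed: EDR reports 0..100, higher = riskier
    "nac_b": lambda s: 1.0 - s / 10.0,  # assumed: NAC reports 0..10, higher = healthier
}


def normalize(sig: Optional[Signal], now: float) -> float:
    """Return common-scale risk; a missing or stale signal counts as fully risky (fail closed)."""
    if sig is None or now - sig.observed_at > MAX_SIGNAL_AGE_S:
        return 1.0
    return min(1.0, max(0.0, NORMALIZERS[sig.vendor](sig.raw)))


def decide(authenticated: bool, entitlements: Set[str], resource: str,
           endpoint: Optional[Signal], network: Optional[Signal], now: float,
           step_up_above: float = 0.5, deny_at: float = 0.9) -> str:
    """Positive identification and coarse-grained authorization (from identity
    governance) are checked first; context can still downgrade an authorized user."""
    if not authenticated:
        return "deny"
    if resource not in entitlements:
        return "deny"
    # The weakest layer drives the decision: a healthy endpoint on a risky network is still risky.
    risk = max(normalize(endpoint, now), normalize(network, now))
    if risk >= deny_at:
        return "deny"
    if risk > step_up_above:
        return "step_up"  # e.g. require re-authentication with a stronger factor
    return "allow"
```

Note that an authorized user is denied when either signal is missing or stale, which is the fail-closed behaviour a practitioner should expect from a policy enforcement point that cannot obtain fresh context.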