Achieving Zero Trust Maturity Requires the Right Strategy
Adopting a Zero Trust approach to identity and security is the way forward for the modern digital enterprise. In the previous articles in this series, we’ve talked about the rise of Zero Trust and how the current situation came to be. And we’ve offered our readers a guide to the basic building blocks for implementing a Zero Trust architecture. Today, we’ll be discussing the essential elements in a successful Zero Trust Identity strategy – or, how to build a roadmap that can guide your organization along its journey toward Zero Trust.
The Zero Trust model is far better suited to today’s dynamic digital business environments than legacy perimeter-based approaches to security. Because critical assets no longer reside on-premises – or within fortified internal networks – it’s now crucial to focus on drawing a perimeter at the identity layer. The Zero Trust Identity paradigm does exactly this, requiring continuous risk assessment every time access to a resource is requested. It involves using contextual identity information to inform and optimize access policies. Keep in mind, Zero Trust isn’t a silver bullet. But the right strategy can simplify IT management and improve data protection, all while making it easier for organizations to pivot and respond when new security challenges emerge.
Making the move to Zero Trust does require significant investment, however. This includes deploying identity-aware security solutions, but it also involves implementing the right policies and business processes, and educating stakeholders to understand the importance of the Zero Trust mindset. And, ultimately, it will entail re-architecting IT environments and applications so that they’re wholly suited for — and can fully benefit from — cloud computing.
This won’t happen overnight. Transitioning to Zero Trust will demand planning and forethought, as well as the right strategy. And this will be different for every organization. Depending on your current security architecture, technology environment, and business needs, you’ll need to develop your own unique Zero Trust strategy, one that’s personalized in its timeline and approach.
Begin with an Assessment
Understand Your Asset Universe and Where Sensitive Data Resides
Fundamentally, what you need to get started with Zero Trust is making sure that people have the right amount of access to the right resources at the right time. Rarely is this the case in today’s organizational computing environments. It’s much more typical for both human users and machine identities to have excessive amounts of access — and for identity and security teams to remain unaware of who has this access, and for how long. The problem has not gone away, even with increasing cloud adoption. In fact, it may have gotten worse. One recent study of cloud entitlements found that “more than 90% of identities are using less than 5% of permissions granted.”
You’ll need to begin by gaining a thorough understanding of the IT asset and identity ecosystem that spans your organization. Where does mission-critical, sensitive, and regulated data reside? Then, determine who has access to those assets. Among those users, how many have elevated privileges? Are these standing privileges?
Next, you’ll want to focus on how access policies are administered and enforced. The least mature organizations are those that configure access and assign attributes manually, that enforce static security policies, and that lack integrated access governance and privileged access management capabilities as well as cross-organizational visibility. Organizations that are beginning to centralize visibility, identity management, and policy enforcement will be further along the road to Zero Trust, particularly as they become better able to enforce least-privilege access automatically.
Once you’ve centralized policy administration and enforcement, the next step is clean-up. Conducting an organization-wide analysis to determine where there is excessive access will enable you to limit and ultimately remove it. How many (if any) of your existing security policies are implemented in a least-privilege manner?
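The assessment steps above (find who holds which permissions, whether privileges are standing, and where access is excessive) can be turned into a repeatable analysis. The following is an added example, not code from the original article or from any vendor: it runs over a constructed sample of identities with hypothetical permission names and last-used dates, reports the share of identities that exercise less than a chosen fraction of what they are granted (the 5% figure quoted above is used as the default threshold), lists unused grants as revocation candidates, and flags privileged permissions held without an expiry. The `PRIVILEGED` set, the 90-day window and all sample data are assumptions.

```python
"""Entitlement usage analysis over a constructed sample of identities."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed list of permissions treated as privileged for this example.
PRIVILEGED: Set[str] = {
    "iam:CreateUser",
    "iam:AttachRolePolicy",
    "kms:ScheduleKeyDeletion",
    "s3:DeleteBucket",
}


@dataclass
class Identity:
    name: str
    kind: str                                 # "human" or "machine"
    granted: Set[str]                         # permissions currently granted
    last_used: Dict[str, date]                # permission -> date last exercised
    elevation_expires: Optional[date] = None  # None means standing access


def used_within(identity: Identity, today: date, window_days: int) -> Set[str]:
    """Granted permissions exercised at least once inside the lookback window."""
    cutoff = today - timedelta(days=window_days)
    return {
        perm for perm, when in identity.last_used.items()
        if perm in identity.granted and when >= cutoff
    }


def usage_ratio(identity: Identity, today: date, window_days: int) -> float:
    """Share of granted permissions actually used in the window (0.0 if none granted)."""
    if not identity.granted:
        return 0.0
    return len(used_within(identity, today, window_days)) / len(identity.granted)


def unused_permissions(identity: Identity, today: date, window_days: int) -> List[str]:
    """Granted permissions with no use in the window: first candidates for removal."""
    return sorted(identity.granted - used_within(identity, today, window_days))


def standing_privileges(identity: Identity) -> List[str]:
    """Privileged permissions held without an expiry, i.e. standing privilege."""
    if identity.elevation_expires is not None:
        return []
    return sorted(identity.granted & PRIVILEGED)


def summarize(identities, today, window_days=90, low_usage_threshold=0.05):
    """Organization-wide view: who is over-provisioned and what to clean up first."""
    low_usage, revocation_candidates, standing = [], {}, {}
    for ident in identities:
        if usage_ratio(ident, today, window_days) < low_usage_threshold:
            low_usage.append(ident.name)
        unused = unused_permissions(ident, today, window_days)
        if unused:
            revocation_candidates[ident.name] = unused
        held = standing_privileges(ident)
        if held:
            standing[ident.name] = held
    return {
        "low_usage": sorted(low_usage),
        "low_usage_share": len(low_usage) / len(identities) if identities else 0.0,
        "revocation_candidates": revocation_candidates,
        "standing_privileged": standing,
    }


TODAY = date(2024, 6, 1)

# Constructed sample: names, permissions and dates are illustrative only.
IDENTITIES = [
    Identity("alice", "human",
             granted={"s3:GetObject", "s3:PutObject", "iam:CreateUser", "iam:AttachRolePolicy"},
             last_used={"s3:GetObject": date(2024, 5, 20)}),
    Identity("bob", "human",
             granted={"s3:GetObject", "ec2:DescribeInstances"},
             last_used={"s3:GetObject": date(2024, 5, 30), "ec2:DescribeInstances": date(2024, 5, 29)}),
    Identity("carol", "human",
             granted={"iam:CreateUser", "s3:GetObject"},
             last_used={"iam:CreateUser": date(2024, 5, 28)},
             elevation_expires=date(2024, 6, 2)),   # time-bound elevation, not standing
    Identity("ci-deployer", "machine",
             granted={"s3:PutObject", "s3:DeleteBucket", "kms:ScheduleKeyDeletion", "ec2:DescribeInstances"},
             last_used={"s3:PutObject": date(2024, 5, 31), "s3:DeleteBucket": date(2023, 12, 1)}),
    Identity("legacy-svc", "machine",
             granted={f"legacy:Action{i}" for i in range(20)},   # broad grant, never exercised
             last_used={}),
]

if __name__ == "__main__":
    for ident in IDENTITIES:
        print(f"{ident.name:12s} usage={usage_ratio(ident, TODAY, 90):.2f}")
    print(summarize(IDENTITIES, TODAY))
```

In practice the `granted` and `last_used` inputs come from your identity provider's entitlement export and the cloud platform's access-activity logs; the analysis itself does not change. Machine identities with time-bound elevation (like `carol` here) drop out of the standing-privilege list, which is exactly the property a Just-in-Time model is meant to give you.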
Building Out Your Zero Trust Identity Strategy
We suggest that organizations seeking to increase their Zero Trust maturity follow the recommendations for evolving Zero Trust capabilities and controls outlined in the Maturity Model developed by the U.S. Department of Defense (DoD), and published in the DoD’s Zero Trust Reference Architecture. This model establishes three levels of Zero Trust maturity, and organizations can advance from one to the next by implementing additional capabilities and controls.
The three levels are:
- Baseline: At this level, all network access occurs according to pre-established cybersecurity policies, and all devices are managed to ensure compliance with policies. Multi-factor authentication (MFA) is in use, and least-privilege access policies are implemented. In addition, networks are segmented with “deny all traffic” as the default, and resource access is permitted only after verification.
- Intermediate: Once an organization has progressed to this level, fine-grained user and device attributes are used to determine access policies. Least-privilege access is enhanced with the addition of a privileged access management (PAM) solution, and behavioral analytics are used to inform and fine-tune policy development. At this stage, micro-segmentation is enforced across a majority of the network, and data is tagged and classified for an initial data loss prevention (DLP) solution implementation.
- Advanced: An organization has attained this state once it’s able to enforce dynamic policies that determine access to resources on the basis of robust real-time analytics. Continuous and adaptive authentication and authorization will be in place, and Just-in-Time and Just-Enough access policies will have been implemented. Full micro-segmentation of the network will have been achieved, and advanced analytics will enable automated and orchestrated threat detection.
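To make the three levels concrete, here is an added example of a minimal policy decision point; it is not code from the DoD reference architecture or from the original article. Every request is denied unless a policy matches (the Baseline “deny by default”), MFA and a managed device are required every time (Baseline), high-sensitivity resources additionally require a compliant device and a risk score from an analytics feed (Intermediate), and privileged access to those resources is only allowed while a Just-in-Time grant is unexpired (Advanced). The resource classification, the `JIT_GRANTS` table, the risk thresholds and the request fields are all constructed assumptions.

```python
"""Minimal policy decision point: deny by default, per-request context checks,
and Just-in-Time elevation with expiry (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Tuple

# Constructed resource classification: sensitivity decides how much context is required.
RESOURCE_SENSITIVITY: Dict[str, str] = {
    "wiki": "low",
    "payroll-db": "high",
    "prod-kms": "high",
}

# Constructed risk thresholds per sensitivity class (score is 0.0 benign .. 1.0 hostile).
MAX_RISK = {"low": 0.8, "high": 0.5}

# Constructed Just-in-Time grants: (subject, resource) -> expiry time.
JIT_GRANTS: Dict[Tuple[str, str], datetime] = {
    ("alice", "payroll-db"): datetime(2024, 6, 1, 12, 0),
}


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    mfa: bool              # did this session complete multi-factor authentication?
    device_managed: bool   # is the device enrolled in management?
    device_compliant: bool # does it currently meet the compliance baseline?
    risk_score: float      # supplied by an (assumed) behavioral analytics feed
    at: datetime           # time of the request; evaluated on every request


def has_valid_jit_grant(req: Request, grants=JIT_GRANTS) -> bool:
    """A grant counts only if it exists and has not expired at request time."""
    expiry = grants.get((req.subject, req.resource))
    return expiry is not None and req.at < expiry


def evaluate(req: Request, grants=JIT_GRANTS) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Unknown resources fall through to deny."""
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource)
    if sensitivity is None:
        return "deny", "no policy for resource (default deny)"

    # Baseline: MFA and a managed device are required on every request.
    if not req.mfa:
        return "deny", "MFA required"
    if not req.device_managed:
        return "deny", "unmanaged device"

    # Intermediate: real-time risk score is consulted for every resource class.
    if req.risk_score >= MAX_RISK[sensitivity]:
        return "deny", f"risk score {req.risk_score:.2f} above limit for {sensitivity}"
    if sensitivity == "low":
        return "allow", "low-sensitivity resource, baseline checks passed"

    # Intermediate/Advanced: high-sensitivity resources need compliance and JIT access.
    if not req.device_compliant:
        return "deny", "device not compliant"
    if not has_valid_jit_grant(req, grants):
        return "deny", "no active just-in-time grant"
    return "allow", "JIT grant active, context checks passed"


if __name__ == "__main__":
    for req in (
        Request("alice", "payroll-db", True, True, True, 0.1, datetime(2024, 6, 1, 11, 0)),
        Request("alice", "payroll-db", True, True, True, 0.1, datetime(2024, 6, 1, 12, 30)),
        Request("bob", "wiki", False, True, True, 0.0, datetime(2024, 6, 1, 11, 0)),
    ):
        print(req.subject, req.resource, req.at.time(), "->", evaluate(req))
```

The point to notice is that the same identity with the same credentials gets a different answer at 11:00 and at 12:30, because the decision is recomputed from current context on every request rather than cached from a login event. Replacing the static `MAX_RISK` table with thresholds tuned from analytics is the step that moves this from an Intermediate to an Advanced control.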
According to the Cybersecurity and Infrastructure Security Agency (CISA)’s new Zero Trust Maturity Model (currently still in draft form), organizations will have reached an optimal level of Zero Trust Maturity once they can:
- Continuously validate all identities in real time
- Centralize access authorization across all cloud and on-premises systems and resources
- Leverage machine learning (ML) to analyze access patterns within the organization on an ongoing basis
- Constantly monitor and validate the amount of access that each connected device is granted
- Safeguard data access with real-time risk analytics
- Enforce micro-perimeters around all assets and resources in the environment
- Ensure that all traffic is encrypted
- Integrate continuous identity validation into all inter- and intra-application workflows
Remember that Zero Trust Is a Journey
Zero Trust isn’t a single product that you can buy. Nor is it a state that can be entered into with the flip of a switch. Instead, Zero Trust is best approached incrementally. The most successful organizations are those that understand that the journey will take 3 to 5 years, and will proceed through multiple phases. Over that period, significant changes will continue to be made to the technology environment as well as operations, and the organization’s security strategy will have to evolve in tandem.
Nearly every organization will move more applications and resources to the cloud within the next few years, most will connect more devices, and many will leverage emerging technologies as services provided by public cloud vendors or other partners. In every instance, transformation will offer an opportunity to revisit and improve your processes and workflows.
Changing your security strategy means making changes to business processes and employee interactions as well as your technology architecture. This means that it’s as important to involve business analysts in the Zero Trust transformation conversation as it is to include security leaders. Both must collaborate to achieve meaningful results. While a business analyst will understand the business process changes that are needed as well as how these will impact various business units, a security architect will be able to build the right framework and execute upon it.
If there’s one thing that last year’s events have taught us, it’s that Zero Trust security must be intrinsic to digital transformation. Enterprises are now supporting remote workers at an unprecedented scale, and there’s no going back to the office-based work environments of yesteryear. Organizations across industries have had to invent new business models, find new ways of generating revenue, and react to quick-changing markets. Identity and security will need to transform at the same pace as businesses do.
In the modern cloud era, it’s advisable to get started with Zero Trust sooner rather than later. Now is always the best time to begin, and it’s better to start small than not at all. As the costs and difficulties associated with managing legacy security architectures continue to mount, security leaders who delay adoption of Zero Trust will find that the process only grows more difficult the longer they put it off. In many cases, a gradual approach is the most feasible.