The early days of network security were defined by static, nigh-immutable perimeters. Every user and asset inside that perimeter was treated with implicit trust. This worked well enough in a world where in-office work was the norm and cybercriminals operated largely independently of one another.
How things have changed.
We now live in a world defined by distributed networks, complex digital supply chains, and remote work. Threat actors are considerably more organized and advanced, particularly with the rise of Cybercrime-as-a-Service. Threats are not only more sophisticated, they’re also more numerous and dynamic — 560,000 new pieces of malware are detected each day. Add to that the availability of contextual information for devices, location, behaviors, and other metrics, and it’s clear why companies are heavily investing in digital security.
Legacy antivirus software and perimeter-based network security simply cannot keep up. Many organizations have taken to deploying a new point solution to address each new threat or risk. This has led to bloated, unsustainable security stacks which put added strain on security teams that are already struggling to keep up.
Today’s business landscape demands a new approach to security, one built on Zero Trust.
First introduced in 2010 by analyst Forrester Research, Zero Trust is a security model built on a simple concept — trust no one. Under a Zero Trust framework, everyone, no matter their position in an organization’s hierarchy, must submit to authentication, authorization, and continuous validation. Per Forrester, this approach is based around the following principles:
- Treat all entities as untrusted by default. Deny all unauthenticated access to systems, data, and applications.
- Enforce Least Privilege. Each user must have access only to what they absolutely need in order to do their job.
- Implement comprehensive security monitoring. For security and enforcement purposes, maintain full visibility into your entire ecosystem, including critical assets.
- Incorporate risk-based verification. The likelier that a particular access request could lead to a cyber incident, the more stringent your authentication processes must be.
- Ensure continuous authentication. Even once a user is verified and granted access, continue monitoring their activity to verify their identity and check for suspicious behavior.
It’s important to understand that Zero Trust is not a static security model. It is an ongoing process, one which requires regular revisits and revisions. Successful adoption of Zero Trust therefore requires:
- Organization-wide alignment.
- Leadership buy-in.
- The right processes and policies.
- The right technology.
- The right mindset.
The above components cannot be addressed in isolation, but instead must be treated as part of a unified whole, with each supporting the others. Given the level of complexity this entails, it’s often difficult to know where to start. That’s why below, we’ve compiled a comprehensive checklist of every component involved in Zero Trust adoption.
Zero Trust is a complete departure from traditional perimeter-based security. Before you can define the processes and adopt the technologies necessary to support it, you must first establish a culture that embraces it. You need the right mindset, lest everything else fall flat.
- Build for usability. Security and usability now go hand-in-hand. The days when an organization could afford to ignore the user experience of its security tools are well behind us.
- Trust no one. It doesn’t matter if someone is your Chief Information Security Officer or an intern in the mailroom. From a Zero Trust standpoint, neither user can be trusted without verification.
- Stop believing you’re safe. Your organization is not too small to be breached. On the contrary, small businesses are targeted more frequently by threat actors than large organizations.
- Look at the user, not the device. Many business users now own multiple devices, all of which they use in the workplace. Authenticating each individual device makes it significantly more difficult to determine when a user has been compromised. Identity-based authentication does not suffer from this shortcoming.
- Accept that the perimeter is gone. Firewalls, virtual private networks, and perimeter-focused security solutions are no longer sufficient. Your ecosystem now extends far beyond the network’s edge, and your perimeter can no longer fully protect you.
- Understand the value of cybersecurity. If you’re having trouble defining the ROI of a security solution, consider the reputational damage, data loss, productivity loss, and regulatory fines that might ensue if your organization were breached.
Processes & Policies
Wielded by unskilled hands, even the most powerful weapon is underwhelming. Similarly, even the most formidable security architecture on the market will fall short if no one understands how to apply it. That’s why in many ways, process and policy documentation represents the bedrock of Zero Trust.
- Industry standards. NIST 800-207 is the most widely-accepted standard for Zero Trust, as it’s not only comprehensive, but also vendor- and industry-neutral. Other Zero Trust Models include CISA’s Zero Trust Maturity Model and Microsoft’s Evolving Zero Trust Model.
- User. Every user in your organization should be defined based on:
- Roles and responsibilities.
- Level of authority
- Required access permissions/privileges.
- Compliance management. To ensure adherence with both industry rules and your chosen Zero Trust framework, you’ll want to incorporate a means of policy monitoring and enforcement. Prior to actually deploying the technology, however, you must define:
- How policy violations will be identified and flagged.
- Typical enforcement actions, both manual and automated.
- The systems, assets, workflows, and applications to which a policy applies.
- Who is ultimately responsible for monitoring and enforcement.
- Acceptable use. What systems and devices are allowed to connect to your network? If users are provided with company-owned devices, what are they allowed to do with those devices, and what are the consequences of violating your acceptable use policy?
- Access. Each asset should have its own set of access policies assigned to it. Permissions must be dynamic and adjustable based on the needs of individual users while also preventing lateral movement through your ecosystem.
- Security awareness training. This includes how frequently training sessions and simulations will be run, what those sessions involve, and who must participate. Security awareness training policies must also define how you will assess each user’s knowledge, and what can be done in the event that a user fails their training.
- Assets. Map your network and clearly define each asset in terms of its criticality to business operations and the damage you might suffer should it be compromised.
- Risk management. Determine a framework/process for identifying, classifying, and mitigating risks and vulnerabilities in your ecosystem. NIST’s Risk Management Framework is an excellent starting point in that regard.
- Incident response. Define a concrete management, communication, response, and recovery plan for each type of incident your business is likely to face, with a generalized plan flexible enough to be applied in the event of an unexpected crisis. Said plans must encompass:
- Clearly-defined, practical goals.
- Immediate critical actions, such as isolating infected machines from the network in the event of malware.
- Chain of command.
- Roles and responsibilities.
- Mechanisms for business continuity and disaster recovery.
- Rules and standards for communicating with stakeholders.
- A template for public messaging/releases.
- Policies on incident classification.
- Processes and rules for communicating with threat actors — for instance, whether or not your organization would ever pay off a ransomware distributor.
- Alert and log management procedures.
- Post-incident evaluation and review.
- Usability assessments. You must have policies in place for assessing and addressing usability concerns. Said policies should also define what’s involved in performing routine usability checks, including scheduling.
- Lifecycle management. Ensure there are processes in place for the regular application of security updates and critical patches to software and systems.
Last but certainly not least, there’s technology. These are the tools and architectural components that are foundational to Zero Trust. If you’ve already read NIST 800-207, you already have an idea of what you need, and what this section will cover.
- Policy engine. As defined by NIST, this includes the policy engine that determines whether or not to grant access to a resource, a policy administrator that handles authentication and establishes a connection, and a policy enforcement point that enables, monitors, and terminates the connection. A policy engine is typically informed by:
- Threat intelligence. Information, both internal and external, gathered in real-time by solutions such as Endpoint Detection and Response/Extended Detection and Response (EDR/XDR).
- Real-time diagnostics related to the asset. This includes asset integrity, the presence of any known vulnerabilities, and the presence of any suspicious or unauthorized components.
- Regulatory compliance systems. Solutions that automate the process of compliance enforcement wherever possible.
- Network and system activity logs. Includes all events related to user activity, network activity, and system activity.
- Access policies. Attributes, rules, and policies governing access to enterprise resources, either generated within the policy engine or defined via an external tool.
- Enterprise public key infrastructure (PKI). Generates and logs access certificates.
- Identity and Access Management (IAM). A collective framework of tools, technologies, and policies to create, store, and manage permissions for user accounts.
- Security Information and Event Management (SIEM). Combines threat detection, compliance, and security incident management into a single platform, while also aggregating and analyzing log and event data. Typically also manages and classifies security alerts.
- Endpoint/Extended Detection and Response (EDR/XDR). EDR continuously monitors both endpoints and end-user devices within your ecosystem to help security teams identify and remediate threats. XDR serves the same purpose, but expands its scope beyond endpoints to cloud applications, email, etc.
- Single Sign On (SSO). Facilitates ease of access to your organization’s resources, allowing an authorized user to authenticate to all relevant systems and applications simultaneously rather than having to login to each one individually.
- Multi-Factor Authentication (MFA). Provides an additional layer of verification for users beyond a simple username and password. This in turn makes it considerably more difficult for a threat actor to gain access to a compromised account.
- Sandboxing. Arguably crucial to the concept of Least Privilege, containerization helps ensure that even if a threat actor uses a compromised account to gain access to an application or access, they are unable to move laterally through the network.
- Software-defined network perimeters. Tangentially related to IAM and sandboxing, a software-defined perimeter controls access to assets by forming virtual boundaries based on a user’s identity, location, etc.
- Data Loss Prevention/Data Leak Prevention (DLP). Solutions that respectively prevent data from being rendered inaccessible through cyber incidents such as ransomware and from being transmitted to unauthorized parties outside your organization.
Trust No One, Verify Everyone
Whether you’re an SMB or a large enterprise, the threat landscape you now face is both sophisticated and ever-changing.
A traditional, perimeter-based approach to cybersecurity simply cannot contend with emerging threats, nor can it effectively support distributed work. In order to protect your people, systems, and data, you need to change how you think about cybersecurity.
And that starts with embracing Zero Trust. Book a discovery call today and we’ll help you create a plan to embrace Zero Trust in your organization.