Large enterprises may be hesitant to adopt zero trust security because it may seem too disruptive to their business. However, cyberattacks on businesses continue to increase, costing affected enterprises an average of $3.92 million per breach, so it’s clear that traditional security strategies aren’t working anymore.
Even the President has addressed the need for heightened cybersecurity in an executive order explicitly requiring federal agencies to implement zero trust security policies and recommending that other organizations do the same.
The good news is, implementing a zero trust security strategy doesn’t require the dramatic, expensive network overhaul that many enterprises fear. Adopting a zero trust architecture is a gradual (and frequently cost-efficient) process that, when done correctly, requires minimal downtime and business disruption. Let’s look at the implementation process step-by-step and discuss some tips and best practices to ensure a smooth transition to zero trust security.
How to implement a zero trust security strategy in an enterprise environment
The foundation of zero trust security is the principle of “never trust, always verify.” Rather than creating a security perimeter around your network and assuming that everyone within that perimeter is safe, with zero trust security, you must verify everyone (and everything) that tries to connect to a resource, whether they’re inside or outside.
Implementing a zero trust security strategy in an enterprise environment is iterative, not something you should try to do all at once. Breaking your strategy into a series of small, repeatable steps allows you to improve upon the process as you and your team gain experience with zero trust principles and technologies.
Step 1: Define a protect surface
Older cybersecurity strategies usually focus on defining and defending an attack surface—the sum of all the potential points where an attacker could breach the network. This involves creating a security perimeter around your entire network and trying to keep sensitive data and vulnerable systems as far away from that perimeter as possible. The problem with this approach is that our networks are growing more extensive and more complex, increasing the attack surface and making it more challenging to identify and define every potential entry point.
In a zero trust security strategy, you should instead focus on defining a protect surface, that is, each specific item that needs to be safeguarded from attack. A protect surface should include the data, applications, assets, and services—known as DAAS—that are most critical for your enterprise to protect from attack.
- Data: You should identify and classify your data based on how important it is to your organization, how valuable it would be to attackers, and whether it’s subject to regulations like HIPAA or PCI DSS.
- Applications: You need to determine which applications use sensitive data or proprietary code that may be of value to an attacker.
- Assets: You must create a detailed inventory of all your devices—not just laptops and cell phones, but also point-of-sale terminals, manufacturing equipment, IoT devices, and other network-connected assets—so you know what to include in your protect surface.
- Services: You should identify all business-critical network services that need to be protected, such as Active Directory, DHCP, and email.
Rather than having one large attack surface to protect, you will have multiple smaller protect surfaces to focus on. Remember, implementing a zero trust security strategy is an iterative process, so it’s best to focus on one protect surface at a time. Once you define a protect surface, you will be able to move the required zero trust security controls as close to it as possible to create a micro-perimeter.
Doing so allows you to create individual security policies and procedures that are limited in scope to the specific requirements of that data, application, asset, or service. You can use network segmentation to granularly control and monitor traffic to a micro-perimeter and strictly limit which users and resources can request access. Defining a protect surface is thus an essential first step for implementing a zero trust security strategy for your enterprise’s DAAS.
Step 2: Map DAAS interdependencies
Once you’ve defined a protect surface, you need to map its traffic flows and interdependencies. You should document how specific resources interact with each other so that you can work these interdependencies into the security policies and controls of the micro-perimeter. Essentially, mapping your DAAS interdependencies allows you to safeguard a protect surface without accidentally breaking any related applications, services, or workflows.
Step 3: Construct the zero trust network architecture
There isn’t a perfect zero trust network design that you should strive to achieve—each zero trust network is customized completely around the protect surfaces. So, after you have defined a protect surface and documented traffic flows and interdependencies, you can build out your zero trust network architecture.
This involves implementing a micro-perimeter using the security controls you planned out in the previous steps. For example, you could use a next-generation firewall to segment your network based on a defined protect surface, create a micro-perimeter around that segment, and monitor traffic and enforce access control on all layers of the OSI model. This model, also known as the Open Systems Interconnection model, is a reference model for how applications communicate over a network. A traditional firewall only protects layers one through four (physical, data link, network, and transport). In contrast, a next-generation firewall also protects your upper stack (session, presentation, and application).
Step 4: Establish zero trust policies
Once you have implemented your zero trust architecture, you need to create zero trust security policies for the protect surface. You should use the “Kipling Method” to determine access, which means asking the following questions:
- Who should have access to this resource?
- What application is being used to access this resource?
- When is the resource being accessed?
- Where is this resource located?
- Why does the resource need to be accessed?
- How should you allow access to this resource?
Remember, you’re creating zero trust security policies for each protect surface and micro-perimeter, so you want to get as granular as possible to ensure only safe, known traffic and communication are permitted.
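As an added example (not code from the original article), the policy below encodes the six Kipling questions as a default-deny check for a single protect surface. The identities, applications, network ranges and purposes are constructed values, and the `mfa`/`mtls` connection properties are assumed to be reported by the enforcement point.

```python
# Added example (not the article's code): default-deny Kipling-method policy for one
# protect surface; identities, apps, ranges, purposes and "mfa"/"mtls" are constructed.
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    who: str        # authenticated identity (after SSO/MFA)
    what: str       # client application making the call
    when: datetime  # time of the access attempt
    where: str      # source IP address of the client
    why: str        # declared business purpose
    how: dict = field(default_factory=dict)  # e.g. {"mfa": True, "mtls": True}

@dataclass
class ProtectSurfacePolicy:
    allowed_identities: set
    allowed_apps: set
    allowed_hours: range     # hours of day during which access is expected
    allowed_sources: list    # CIDR segments that may reach the micro-perimeter
    allowed_purposes: set
    required_how: dict       # connection properties the enforcement point must confirm

    def evaluate(self, req: Request) -> tuple:
        """Check all six Kipling questions; any failed answer denies access."""
        failures = []
        if req.who not in self.allowed_identities:
            failures.append("who: identity not authorised")
        if req.what not in self.allowed_apps:
            failures.append("what: application not approved")
        if req.when.hour not in self.allowed_hours:
            failures.append("when: outside the permitted window")
        if not any(ip_address(req.where) in ip_network(n) for n in self.allowed_sources):
            failures.append("where: source segment not permitted")
        if req.why not in self.allowed_purposes:
            failures.append("why: no approved business purpose")
        for prop, needed in self.required_how.items():
            if req.how.get(prop) != needed:
                failures.append(f"how: {prop} requirement not met")
        return (not failures, failures)

# Constructed policy for a hypothetical payroll database micro-perimeter.
PAYROLL_DB = ProtectSurfacePolicy(
    allowed_identities={"alice@example.com", "hr-batch-svc"},
    allowed_apps={"hr-portal", "payroll-batch"},
    allowed_hours=range(7, 20),
    allowed_sources=["10.20.0.0/16"],
    allowed_purposes={"payroll-run", "hr-case"},
    required_how={"mfa": True, "mtls": True},
)
```

Because every question must be answered, a request that passes "who" and "what" but arrives from the wrong segment, at the wrong hour, or without the required connection properties is still denied, and the returned list tells you which checks failed.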
Step 5: Monitor and optimize
The final step is to monitor the protect surface and conduct frequent log reviews to ensure zero trust operations run smoothly. You should continuously monitor all user and device communication into and out of your new micro-perimeter. This will allow you to detect and remediate potential latency, performance issues, and bugs, as well as create baselines for normal behavior. These baselines will make it easier in the future for your security teams and threat detection tools to spot unusual activity that could indicate a breach.
You’ll use the information you gain from monitoring and logging to improve the next iteration of your zero trust security implementation, as well as to continuously optimize your zero trust architecture. By focusing on one protect surface at a time, you can gradually expand your zero trust strategy to iteratively encompass more data, applications, assets, and services until you’ve transitioned your entire network to a zero trust security strategy with minimal disruption to your enterprise.
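An added example (not from the article) of the baselining described in Step 5: it learns what each identity normally does from a constructed micro-perimeter access log and flags later events that fall outside that baseline. The log format, identities and addresses are invented for illustration.

```python
# Added example (not the article's code): learn a per-identity baseline from a constructed
# micro-perimeter access log ("<ISO ts> <identity> <app> <src ip> <dst port>"), then flag deviations.
from collections import defaultdict

BASELINE_LOG = """\
2024-03-04T09:02:11Z alice@example.com hr-portal 10.20.5.7 5432
2024-03-04T18:00:03Z hr-batch-svc payroll-batch 10.20.9.2 5432
2024-03-05T09:07:55Z alice@example.com hr-portal 10.20.5.7 5432
2024-03-05T18:00:02Z hr-batch-svc payroll-batch 10.20.9.2 5432
"""

NEW_LOG = """\
2024-03-06T09:04:12Z alice@example.com hr-portal 10.20.5.7 5432
2024-03-06T02:41:09Z alice@example.com psql 10.20.77.31 5432
2024-03-06T18:00:05Z hr-batch-svc payroll-batch 10.20.9.2 5432
2024-03-06T10:12:00Z bob@example.com hr-portal 10.20.5.8 5432
"""

def parse(log):
    """Yield (line, hour, identity, app, src_ip, dst_port) for each non-blank line."""
    for line in log.splitlines():
        if line.strip():
            ts, who, app, src, port = line.split()
            yield line, int(ts[11:13]), who, app, src, port

def build_baseline(log):
    """Record, per identity, the apps, source IPs, ports and hours seen while learning."""
    base = defaultdict(lambda: {"apps": set(), "srcs": set(), "ports": set(), "hours": set()})
    for _, hour, who, app, src, port in parse(log):
        b = base[who]
        b["apps"].add(app); b["srcs"].add(src); b["ports"].add(port); b["hours"].add(hour)
    return dict(base)

def find_anomalies(baseline, log):
    """Return [(line, reasons)] for events outside the baseline, including unknown identities."""
    out = []
    for line, hour, who, app, src, port in parse(log):
        b = baseline.get(who)
        if b is None:
            out.append((line, ["unknown identity"]))
            continue
        reasons = [f"new {label}" for label, key, val in
                   (("application", "apps", app), ("source address", "srcs", src),
                    ("destination port", "ports", port)) if val not in b[key]]
        if not min(b["hours"]) - 1 <= hour <= max(b["hours"]) + 1:  # one-hour tolerance
            reasons.append("unusual hour")
        if reasons:
            out.append((line, reasons))
    return out
```

Run against the constructed logs, the routine passes the two expected events silently and reports the 02:41 `psql` session from an unfamiliar address and the never-seen identity `bob@example.com`, which is exactly the kind of deviation a review of micro-perimeter logs is meant to surface.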
Additional tips for implementing a zero trust security strategy
Assess your zero trust security capabilities
One of the most significant benefits of zero trust security is that it doesn’t require an expensive or disruptive technology overhaul to achieve. Instead, the goal is to augment your existing network architecture as much as possible using zero trust tools, policies, and procedures. Because of this, it is recommended that you start by assessing the zero trust capabilities of your existing architecture and tools, so you can identify the gaps in your zero trust readiness and avoid spending money on solutions you don’t need or already have.
Identity and access management
Many enterprises find that their zero trust readiness is hampered by deficient identity and access management (IAM). It is challenging to implement a zero trust security strategy without investing in a unified IAM solution that specifically supports zero trust principles and security controls. You should look for a centralized platform that supports zero trust IAM requirements like single sign-on (SSO), multi-factor authentication (MFA), and passwordless authentication; Okta is one example.
Data discovery and classification
Identifying the data that needs to be protected as part of your DAAS is much easier when you use a data discovery and classification tool. No matter what business you’re in, your enterprise is likely processing a vast amount of data every day, making it very challenging to manually identify, locate, and prioritize the data you need to protect. There are various specialized data discovery and classification tools that work across multiple industries, but you may find that one of your existing technology solutions already includes data discovery features, such as Azure Data Protection.
Implementing the ideal zero trust security strategy
Your enterprise’s transition to a zero trust architecture will be a gradual process, and it will need to be repeated every time you add a new protect surface to your network. Every time you expand your zero trust architecture, you should refine and optimize the implementation process, which will help your security grow progressively stronger.
By following this iterative process and implementing the right tools and technologies, your enterprise can implement a zero trust security strategy that supports your business goals and keeps your network protected.