The First Steps on the Zero Trust Journey
One of the most discussed concepts in the Information Security world in recent history has been Zero Trust. Although many vendors claim to have products for implementing Zero Trust, an organization must not view them as an instant solution to achieving Zero Trust.
Zero Trust should be viewed as a philosophy comprised of many controls and technologies that enable more robust access management capabilities. It is a change in the mindset of how to protect an organization’s resources. Similar to a least privilege model, it can cause significant disruptions if it's too restrictive or overly complex. An organization adopting Zero Trust must first identify which framework aligns with its Information Security goals.
Several frameworks have been released for an organization to review, but we will focus on the NIST 800-207 Zero Trust Architecture in this discussion. We have decided to focus on NIST as it is product agnostic and from a widely known and respected standards organization, the National Institute for Standards and Technology (NIST). It is also a great starting point for organizations to demystify all the hype around Zero Trust and assess against a defined framework.
What is Zero Trust?
Often within Zero Trust discussions and papers, the terms Zero Trust (ZT) and Zero Trust Architecture (ZTA) are used. The definitions of these terms as defined by NIST are:
- Zero Trust is a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
- Zero Trust Architecture is an enterprise’s cybersecurity plan that utilizes Zero Trust concepts and encompasses component relationships, workflow planning, and access policies.
What exactly does that mean?
In its most basic description, a Zero Trust deployment will evaluate access between all IT systems and end-users continually. Access will be permitted or denied by a centralized system based on dynamic processes. Zero Trust can be deployed on a per-application or environment basis depending on the organization’s requirements. There are multiple solutions and deployment models that an organization should evaluate to support its Zero Trust deployment, and each of these will have varying levels of cost, support models, and technical training requirements.
What's Needed to Implement Zero Trust?
To implement Zero Trust, an organization will need to develop a significant understanding of deployed resources, communication workflows, and end-user access requirements. This information will assist in defining implicit trust zones and building policies that dynamically control access to the organization’s resources. These tasks should also be completed prior to considering assessing whether an organization has achieved Zero Trust.
An implicit trust zone is a collection of resources that permit lateral movement once an end-user or resource is authenticated by the Zero Trust Policy Decision Point. An example of a broad implicit trust zone would be an external user authenticating over VPN and having full access to an organization’s internal resources. A narrow implicit trust zone would only permit access from an application server to a database server over specific ports. Implicit trust zones should only contain the required resources to support a specific function, and access to the implicit trust zones must be as restricted as possible.
What are common issues with implementing Zero Trust?
It may sound very straightforward to achieve Zero Trust based on the brief and simplified descriptions above, but many organizations face significant hurdles in implementing Zero Trust. The following are some of the issues that an organization could face:
- Assuming all environments will fit into a single deployment model of Zero Trust
- Depending on an organization’s history of technical debt, different deployment models may be used within a single organization to achieve Zero Trust. This challenge is likely familiar to anyone who has ever implemented any other technologies or frameworks.
- Lacking a detailed inventory
- The inventory should include systems, user roles, and data flows. Not having this information will leave significant knowledge gaps when defining implicit trust zones and Zero Trust policies.
- Attempting to implement Zero Trust in every environment at once
- Zero Trust can be implemented incrementally, one environment at a time. It should be noted that an organization may choose to not fully deploy Zero Trust in certain environments based on technical debt, complexity, or support issues.
- Assuming a Zero Trust implementation has a finish line
- It is often stated that Zero Trust is a journey, not a destination. Once implemented, a Zero Trust Architecture must continually evolve and adapt to new technology and changing threats.
Is my organization ready for Zero Trust?
Many well-known companies have deployed their version of Zero Trust that has been architected to their specific requirements. As proven by these companies, Zero Trust can be adopted in many different ways. Although many organizations have published a version of specific Zero Trust principles or guidelines, NIST’s framework is a technology-agnostic approach.
A NIST-based Zero Trust assessment can identify how closely an organization is aligned to the NIST Zero Trust Architecture. A NIST Zero Trust gap or alignment assessment will measure your organization against the following:
- The seven (7) NIST Tenets of Zero Trust
- NIST Zero Trust Network Overview and Requirements
- Threats Associated with Zero Trust Architecture
Once the assessment is completed, an organization should be able to build a roadmap to achieving Zero Trust.
From the description and definitions above, it is obvious that a Zero Trust Architecture must include multiple ecosystems within an organization, and a one-size-fits-all approach may not fit.
Where can I learn more?
The following are links to NIST Zero Trust resources and company whitepapers on Zero Trust deployments:
TrustedSec is available to help plan, design, implement, assess, and test your Zero Trust environments with just some of the following services: