In recent years, we have seen multiple examples of ransomware attacks on organizations across every sector (from local government to hospitals and major corporations). A breach in one part of the network quickly cripples the entire organization, because nothing stops the attacker from moving laterally once inside. Simply put, implementing zero trust is a must for an organization. But how does one go about it?
The following five-step approach is a logical way to arrive at a zero-trust framework. Let's dive in.
1) Identifying Data Segments
Network perimeters that shift constantly make it stressful for IT professionals to protect the entire network at once. One of the first proactive steps in implementing zero trust is therefore to identify the organization's segments that contain sensitive information, essential IT operations, or anything else that warrants stricter access controls. Together, these segments form the protected surface.
The purpose of this is to shrink the attack surface to a minimum and to limit unauthorized lateral movement. From there, security professionals can create secure zones that isolate data centers, applications, environments, and workloads across cloud, on-premises, and hybrid network setups.
This is a critical task, because it lets an administrator segment both user privileges and network traffic along the same boundaries.
2) Mapping Traffic Flows of Sensitive Data
Once the sensitive data has been identified, the next step is to understand how that data is actually used: which systems, applications, and users touch it, and why. If one does not know this about their data, they cannot effectively defend it.
Automated discovery tools can help answer the following questions:
- What is the purpose of that flow?
- What data is it transferring?
- Which application is that flow serving?
To control and limit access (administrative access in particular), it is imperative to gain contextual insight into how traffic flows across the network. Documenting how resources interact allows one to implement controls that protect data rather than hinder the business. With the right tools, one can start to understand which flows need to be allowed.
Once that is done, the zero-trust part, saying "and everything else will not be allowed," can be carried out.
3) Building Micro-Perimeters
After the first two steps, one has what is needed to start implementing zero trust.
A core feature of any zero-trust framework (building on the first two steps) is micro-segmentation. Where traditional network security let anything with the right source IP address roam the network once inside, micro-segmentation uses software-defined boundaries that require verification of the user, the device, and the context (such as location) before traffic is admitted.
Next-generation firewalls (NGFW) or segmentation gateways play a crucial role in enforcing policy at the application, machine, and user levels. IT professionals can use them to define network groups, access groups, and user groups for multiple applications or devices.
One can then establish a micro-perimeter around the most sensitive segments. This is easier nowadays, as software-defined networking (SDN) platforms allow filters to be deployed within the network fabric itself.
4) Designing Access Policies
The data segments have been identified, the transaction flows mapped, and micro-perimeters built. The next step in implementing zero trust is to apply the Kipling Method to each flow and write a policy from the answers:
- Who should be accessing a resource?
- What application is accessing the resource inside the protected surface?
- When is the resource being accessed?
- Where is the packet going (its destination)?
- Why is a particular packet trying to access a specific resource within the protected surface?
- How is the packet accessing the protected surface via a particular application?
By answering the questions above, one can limit privileged user access and secure the environment by enforcing granular access controls for services, data, applications, and infrastructure. With granular policy enforcement, only legitimate application communication or otherwise known traffic is permitted; anything that matches no rule is not.
5) Monitor and Maintain
With the zero-trust framework all but set, the task of monitoring and maintaining the network architecture begins. Network administrators can now gain insight into how the zero-trust policies behave in operation by reviewing all logs up to Layer 7. By logging and monitoring all traffic, the organization can feed what it learns back into the policies and improve its network security.
Eventually, the organization reaches the day when the network switches from default 'allow' to default 'deny': any flow that does not match a documented policy is blocked rather than merely logged as an anomaly.
Securing a network's applications and data while offering uninterrupted, convenient access is a constant balancing act for any organization. Default 'deny' will occasionally block a legitimate device or user, but because every denied flow is logged, one can investigate and resolve the particular issue.
Now it is up to the organization to gauge whether this potential time lost is worth the more robust security of the zero-trust approach. As far as savings are concerned, moving other sensitive segments from legacy networks into the zero-trust network can be cost-effective and non-disruptive once the first micro-perimeter is in place.
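To make steps 2, 4 and 5 concrete, here is an added example (not code from the original article) of a minimal policy engine: it maps constructed flow records into the protected surface, turns the reviewed flows into allow rules written with the Kipling questions, then runs traffic through the policy first in monitor mode and then in default-deny mode so the difference the "D-Day" switch makes is visible in the log. All segment names (`payroll-db`, `ehr-app`, `corp-users`, and so on), user names, applications, and flow records are hypothetical and constructed for illustration; the record format is an assumption, not any particular discovery tool's export.

```python
# Added example, not code from the original article. A minimal zero-trust
# policy engine covering steps 2, 4 and 5: map observed flows into the
# protected surface, express the reviewed flows as Kipling-style allow rules,
# then evaluate traffic in monitor mode and in default-deny mode.
# All segments, users, applications and flow records are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Flow = Dict[str, object]

# Step 1 output (constructed): the segments that hold sensitive data.
PROTECT_SURFACE: Set[str] = {"payroll-db", "ehr-app"}

# Step 2 input (constructed): flow records as a discovery tool might export them.
OBSERVED_FLOWS: List[Flow] = [
    {"user": "hr-svc",  "app": "payroll-web", "src": "hr-apps",     "dst": "payroll-db", "port": 5432, "hour": 9},
    {"user": "hr-svc",  "app": "payroll-web", "src": "hr-apps",     "dst": "payroll-db", "port": 5432, "hour": 14},
    {"user": "backup",  "app": "pg_dump",     "src": "backup-zone", "dst": "payroll-db", "port": 5432, "hour": 2},
    {"user": "jdoe",    "app": "psql",        "src": "corp-users",  "dst": "payroll-db", "port": 5432, "hour": 23},
    {"user": "nurse01", "app": "ehr-client",  "src": "clinical-ws", "dst": "ehr-app",    "port": 443,  "hour": 10},
    {"user": "nurse01", "app": "browser",     "src": "clinical-ws", "dst": "intranet",   "port": 443,  "hour": 10},
]

FlowKey = Tuple[str, str, str, str, int]  # (who, what, source, destination, port)


def flow_key(f: Flow) -> FlowKey:
    return (str(f["user"]), str(f["app"]), str(f["src"]), str(f["dst"]), int(f["port"]))


def map_flows(flows: Iterable[Flow], protect_surface: Set[str]) -> List[FlowKey]:
    """Step 2: reduce raw traffic to the distinct (who, what, where, how)
    combinations that reach the protected surface. Flows to other segments
    are outside the micro-perimeter and are dropped here."""
    return sorted({flow_key(f) for f in flows if f["dst"] in protect_surface})


@dataclass(frozen=True)
class Rule:
    """One allowed flow, expressed with the Kipling questions."""
    who: str
    what: str
    src: str
    dst: str
    port: int
    hours: Tuple[int, int]  # "when": inclusive start and end hour
    why: str                # "why": the documented business purpose

    def matches(self, f: Flow) -> bool:
        return (flow_key(f) == (self.who, self.what, self.src, self.dst, self.port)
                and self.hours[0] <= int(f["hour"]) <= self.hours[1])


# Step 4: the reviewed allow-list. Every mapped flow with a documented business
# reason gets a rule. jdoe's ad-hoc psql session from the user segment has no
# such reason, so it deliberately gets no rule and falls through to the default.
ALLOW_RULES: List[Rule] = [
    Rule("hr-svc", "payroll-web", "hr-apps", "payroll-db", 5432, (6, 20),
         "payroll application reads and writes payroll records"),
    Rule("backup", "pg_dump", "backup-zone", "payroll-db", 5432, (1, 4),
         "nightly database backup window"),
    Rule("nurse01", "ehr-client", "clinical-ws", "ehr-app", 443, (0, 23),
         "clinical staff chart access"),
]


def decide(f: Flow, rules: List[Rule], protect_surface: Set[str], enforce: bool) -> Tuple[str, str]:
    """Return (decision, reason) for one flow.

    Destinations outside the micro-perimeter are not this policy's business.
    Inside it, a matching rule allows the flow. With no match, monitor mode
    lets the flow through but flags it for review; enforce mode applies the
    zero-trust default and denies it."""
    if f["dst"] not in protect_surface:
        return "allow", "outside micro-perimeter"
    for r in rules:
        if r.matches(f):
            return "allow", r.why
    if enforce:
        return "deny", "no matching rule (default deny)"
    return "allow", "ANOMALY: no matching rule (monitor mode)"


def run(flows: Iterable[Flow], rules: List[Rule], protect_surface: Set[str], enforce: bool) -> List[str]:
    """Step 5: evaluate a batch of flows and return the log lines an admin
    would review before and after switching to default deny."""
    lines = []
    for f in flows:
        decision, reason = decide(f, rules, protect_surface, enforce)
        lines.append(f"{decision:5} {f['user']}@{f['src']} -> {f['dst']}:{f['port']} "
                     f"via {f['app']} at {int(f['hour']):02d}:00 | {reason}")
    return lines


if __name__ == "__main__":
    print("mapped flows into the protected surface:")
    for key in map_flows(OBSERVED_FLOWS, PROTECT_SURFACE):
        print("  ", key)
    for enforce in (False, True):
        print("\nmode:", "enforce (default deny)" if enforce else "monitor")
        for line in run(OBSERVED_FLOWS, ALLOW_RULES, PROTECT_SURFACE, enforce):
            print("  ", line)
```

Running the block in monitor mode shows every flow passing, with the jdoe session flagged as an anomaly; flipping `enforce` to `True` is the "D-Day" switch, and the same session becomes the one `deny` line, with the reason recorded so it can be investigated. Note that a rule also carries the "when": the same payroll flow at 23:00, outside its documented window, is denied even though user, application, and path all match.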
Implementing Zero Trust – Verify Everything, Trust Nothing!
Given that misplaced trust can be an enterprise's most dangerous weakness, it is no surprise to see this least-privilege approach gaining ground. Today, internal access by remote workers, consumers, and IoT devices poses even more risk. Under a zero-trust framework, every user and device must be authenticated and authorized before it is granted access.
While the task is daunting, IT professionals who have taken on the challenge agree: starting small is better than not starting at all.