Implementing Zero Trust may seem daunting, but the good news is that you are probably farther along than you think. In this blog series, Broadcom Software will look at the key factors to consider when implementing a Zero Trust framework.
In a blog entitled “The Definition of Modern Zero Trust,” published earlier this year, Forrester Senior Research Analyst David Holmes and Senior Analyst Jess Burn wrote, “Zero Trust is an information security model, one that can be worked toward but without an ultimate end state, that denies access to applications and data by default. All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.”
You may manage a device or person or program, but that doesn’t mean you should inherently trust it. Understanding how an entity is accessing your environment is a critical step in your Zero Trust journey.
Bracing for the velocity of change
Forty years ago, most information resided in mainframes, as it still does, and accessing those machines wasn’t complicated but was often restricted to dedicated devices. Today, copies of your data are everywhere – in addition to mainframes, data resides on corporate and personal devices, on-prem and hybrid multi-cloud systems, and much more. There has also been unprecedented device sprawl over the last few years, with mobile devices, phones, and laptops proliferating as the world adapted to remote work. In fact, Gartner predicted the global device installed base will reach 6.4 billion units in 2022, up 3.2% from 2021.
At the same time, we have seen a proliferation of sophisticated fraud tools and techniques used by today’s adversaries. Just think about the number of times that people reach out to you as an individual to compromise and steal your credentials and information. Vishing, pharming, whaling and every other form of phishing continue to be highly successful – and corporations are a prime target. One of the biggest security challenges in the world today is minimizing employees’ susceptibility to increasingly sophisticated attacks – and mitigating the impact when employees invariably make mistakes.
But verifying the identity of the user is not enough. In a recent interview with Government Computer News (GCN), Lester Godsey, chief information security officer for Maricopa County, Arizona, stressed that identity isn’t just who you are – it also refers to devices, services and functions. “You want to know what services need to talk to other services in the environment, so this concept of identity runs the gamut,” Godsey said.
Ask yourself: Who are your users? Where are they – e.g., are they on the network? Are they remote? What devices are they using? Where are they trying to get to, and where are they going? Is it an asset that is in my corporate network or someplace else?
“Never Trust, Always Verify” starts with visibility
From a technology perspective, continuous monitoring and privileged access management play key roles in Zero Trust implementation. Zero Trust starts with visibility – however, many security teams don’t know what they’re securing. In the past, they haven’t needed to know. It’s been the responsibility of application administrators and data stewards to manage the assets. Today, security teams need to understand: What is the entity using to access the environment? Is it managed or unmanaged? What is on the device?
There are some security tools, like Cloud Access Security Brokers (CASB) and Data Loss Prevention (DLP), that can help provide that needed visibility. But security solutions are not enough. A successful Zero Trust implementation also requires basic governance and risk management – work that was once offloaded to other teams now needs to be integrated and brought together.
Collaboration is key
The five-year security plan that you built in 2018 and 2019 might not be what you need now. Re-evaluate the assumptions you built into your original plan to see if they are still valid. Has anything changed regarding normal user behavior patterns? What does the threat landscape look like? What is the access situation for your users today?
To effectively implement Zero Trust, you need to involve the whole business. As part of your plan building, be sure to establish ongoing cross-team communications with all necessary stakeholders to ensure you have visibility into future business decisions. Too often, stakeholders make decisions on services and how they’re going to share their data without the security team’s input. As a result, the security team is often playing catch-up and doesn’t have the authority to tell these people that they can’t do something. If other people are spending the money and the security team is not involved in those decisions, you are inherently not going to know what you need to secure.