The Building Blocks for Zero Trust

The thing is, Zero Trust is not a set of tools that agencies can buy. Zero Trust is a security concept, a strategy, and architectural design approach, geared to help organizations proactively control all interactions between people, data and information systems. 

In a Zero Trust model, you cannot trust anything coming in or going out of your network. This means that agencies must create a new type of data-centric perimeter around information. To protect data, agencies need strong encryption techniques tied to intelligent authentication. In short, agencies cannot afford to blindly allow users (person or non-person entities) to access data without checking their identity.

However, implementing Zero Trust does not require a comprehensive replacement of existing networks or a massive acquisition of new technologies. Instead, the framework should strengthen other existing cyber security practices and tools. As the ACT-IAC whitepaper on the subject notes, “many federal agencies already have elements of Zero Trust in their infrastructure and follow practices that support it in their day-to-day operations. For instance, identity credential and access management (ICAM), access standards based on trust algorithms, automated policy decisions, and continuous monitoring are critical components that are needed for successful adoption of Zero Trust.”

Agencies should take an incremental approach to adopting Zero Trust.  The first step for agencies is to have a clear understanding of their users and their roles, their data, and their technology assets before beginning to implement Zero Trust. Many government systems are aging and siloed but that does not mean that they cannot also be a part of Zero Trust. “Zero Trust solutions can start within a single organization or cross-organizational application, and rapidly drive all users and devices that interface with that organization or application to come into compliance and register their attributes for authentication and authorization,” according to the Defense Innovation Board report, The Road to Zero Trust (Security).

The Zero Trust exTended Framework (ZTX), developed by Forrester, is one approach to applying Zero Trust within an organization. Described as a data-focused version of Zero Trust, ZTX allows users to directly map technology purchases and strategic decisions to the execution of a Zero Trust strategy.  The ZTX framework maps technologies and solutions to the framework’s six pillars, which include:

Pillar #1 – Users People/Identity Security

This includes the use of technologies like ICAM and multi-factor authentication, as well as continuously monitoring and validating user trustworthiness to govern their access and privileges. Technologies for securing and protecting users’ interactions, such as traditional web gateway solutions, are also important.

Pillar #2 – Device Security

Real-time cyber security posture and trustworthiness of devices is a foundational attribute of a Zero Trust approach. Some solutions such as Mobile Device Managers provide data that can be useful for device-trust assessments. But MDM alone cannot provide the visibility and level of protection agencies require now. MDM is a core component of enterprise mobility management (EMM) which also includes mobile application management, identity and access management and enterprise file sync and share.

Pillar #3 – Network Security

As the ACT-IAC report notes, the traditional infrastructure firewall perimeter “castle and moat” approach is no longer enough to protect networks, especially as data moves in and out of multiple cloud infrastructures. The perimeter must move closer to the data in concert with micro-segmentation to strengthen protections and controls. The ability to segment, isolate and control the network continues to be a pivotal point of security and essential for a Zero Trust network. 

Pillar #4 - Application and Workload Security

Securing and properly managing the application layer as well as compute containers and virtual machines is central to ZT adoption. Agencies need the ability to identify and control access to applications in a more granular way to make accurate access decisions. Consequently, multi-factor authentication is an increasingly critical part of providing proper access control to applications in ZT environments.

Pillar #5 – Security Automation and Orchestration

To be effective, Zero Trust must make full use of security automation response tools that automate tasks across products through workflows while allowing for end-user oversight and interaction. Security orchestration will connect the disparate automated security information and event management and behavioral analysis tools used in Security Operation Centers into an integrated way.

Pillar #6 – Security Visibility and Analytics

Zero Trust leverages tools like security information management, advanced security analytics platforms, security user behavior analytics, and other analytics systems to help security experts observe in real-time what is happening within their networks so they can orient defenses more intelligently.  The focus on the analysis of cyber-related event data can help develop proactive security measures before an actual incident occurs.

The bottom line is data authentication is the foundation of Zero Trust. Users, endpoints, email and cloud applications have become communication channels that serve as attack vectors. In a Zero Trust model where you cannot trust anyone or any device, focusing the perimeter around data protection with intelligent authentication is the best security approach. Therefore, agencies must have a clear understanding of their users and their roles, their data, and their technology assets before beginning to implement Zero Trust.

If you don’t know what you have, you can’t monitor it.

To learn why a data-centric approach is the foundation of Zero Trust and to find other resources on Zero Trust click here.