It’s no surprise that organizations moving to the cloud are looking at Zero Trust. Zero Trust provides a model for designing networks and systems to address the modern threat landscape. It is based on the concept of least privilege, which calls for limiting access rights to users to the bare minimum that they need to accomplish their specific tasks.
Put simply, the objective of Zero Trust is to strengthen an organization’s data security by limiting the risk from excessive user privileges and access, using a series of controls to ensure threats cannot move laterally within an enterprise’s infrastructure. As a result, granular access policy enforcement based on user context, data sensitivity, application security, and the device posture, becomes a critical component of any enterprise’s Zero Trust architecture.
Over the past 24 months however, the stars have aligned around Zero Trust.
As I’ve noted in this space before, Zero Trust was first introduced by Forrester Research a decade ago. It challenged the existing perimeter-based network security paradigm. It argued that not just the perimeter, but everything in the network needed to be locked down to be protected and secured, highlighting the specific risk of lateral movement within a network once a perimeter is breached. While great in theory, the concept proved difficult to implement given the security technologies available at the time.
Over the past 24 months however, the stars have aligned around Zero Trust. It has evolved beyond a theoretical and traditional network-focused paradigm, leveraging innovative security advancements to create a very practical framework for rethinking security architectures to address use cases, IT architectures, compliance requirements, and advanced threats that didn’t even exist 10 years ago.
A New Framework for Security
This new framework is a significant extension of the original Zero Trust construct and is called the Zero Trust Extended (ZTX) ecosystem model. This model, championed by Forrester Research, is still grounded in the idea of securing your data, but is broad enough to cover it wherever it flows – on-premise network, cloud infrastructure like Azure and AWS, SaaS applications like Slack, the broad Internet/Web, and all devices - traditional and IOT. Whiles comprehensive, it is also pragmatic. The ZTX model provides a series of architectural blueprints and security capability mapping tools that CIOs and CISOs can use to guide the investment and implementation of their Zero Trust security strategies.
Forrester’s Zero Trust extended Ecosystem model covers seven key interrelated areas that need to be considered to secure data as it flows through traditional networks and the emerging cloud-based world. Starting with the data itself, the model follows that data as it logically flows into the traditional network, continues into workloads deployed in public and private clouds, as its shared across multiple devices, and acted on by people. The model also highlights the important role of maintaining visibility on data interactions across an enterprise’s entire IT infrastructure, and the critical role orchestration and automation can play in successfully operating a Zero Trust security infrastructure.
But understanding concepts is one thing, proper implementation can be more challenging. And increasingly, organizations are asking, ‘How do I start?’
Define Your Zero Trust Strategy
The best way to answer that question is to take a holistic approach, aligning a well-defined strategy with practical design and implementation blueprints that will achieve the desired Zero Trust outcomes. Since Zero Trust is all about controlling access to data wherever it resides, a great place to start is to think strategically about what data is the most sensitive, and which systems and devices that process this data are most critical and create a game plan to implement Zero Trust in these high priority areas. Once you nail your strategic priorities, you will have an easier time focusing in on the key capabilities, technologies, and features you will need to deliver on your objectives.
That said, I am seeing organizations head down one of two paths as they begin their Zero Trust journeys: one broad-based and one more limited or narrow. The broad-based approach is favored by CISOs and CIOs who realize their organizations need to rearchitect their security infrastructure across a number of areas, and see ZTX as a practical framework to deliver the new security architecture needed to protect the organization.
The second, more narrow approach focuses on improving access control to a limited set of systems and data that the organization believes is most vulnerable and/or critical to the business. For some organizations, that could be focused on strictly limiting application access to authorized users on authenticated devices. For others, it might involve encrypting sensitive data that is placed in the public cloud and, in some situations, ensuring that certain types of information – such as health care data – is never stored there in the first place.
Interestingly, I’ve observed that the first step of most organizations, whether they are going broad on Zero Trust or taking a more surgical approach, is to start their work in the area of access control and identity management. It makes sense, Zero Trust is all about protecting data and the systems where it resides, so limiting who can access what data on which systems is a great first step.
Prioritize Your Capabilities
The next step is to prioritize the capabilities needed to deliver on the Zero Trust strategy that your organization has defined. For example, if you are focusing in the Workloads area, two key capabilities might be implementing very granular access controls to your apps and ensuring that all workloads and storage are continually scanned for malware and information security violations. If your initial focus is to improve protections for your People/Workforce, you may start by ensuring you can enforce acceptable use policies and protect them from threats targeting them from the cloud and web.
Identify Specific Technologies
Identifying the technologies that the organization needs to have to gain the required capabilities is the logical next step. For example, to gain the access control capabilities we just referenced for Workloads, technologies like Software Defined Perimeters (SDP) and Multi-Factor Authentication (MFA) could be deployed. For protecting your Workforce from threats on the web, technologies like web isolation, encrypted traffic inspection, and cloud-based sandboxing can play an important role.
Highlight Specific Features
To help you select the right vendor, you must then identify and prioritized the specific features for each of the technologies that you have selected for your Zero Trust solution. In the example we have been using for Workloads, perhaps you want to prioritize having an SDP solution that is “in the data path” of the traffic, giving you the ability to scan traffic for reporting and threat prevention, and require stepped-up authentication with an MFA tool if risky user behavior is observed. Or with Isolation to secure your users’ browsers when the interact with the web, the ability to integrate with your Secure Web Gateway to selectively isolate only certain types of risky web traffic may be important.
But even with focus, when you arrive at your set of features and technologies required to deliver on your Zero Trust capabilities aligned with your defined strategy, you may end up with a mapping that is fairly-complicated. For example, in this mapping of capabilities, technologies, and features, aligned with a strategy of applying Zero Trust security for content being uploaded to SaaS applications, as many as 11 steps might need to be thought through and controlled across your infrastructure.
So as we can see, applying Zero Trust tenets to something as seemingly straight forward as uploading data to a SaaS app can involve a lot of complexity, including a number of different technologies, multiple integrations, and potentially a large number of vendors.
The Benefits of a ZTX Platform Approach
This reality is leading many companies to prioritize the importance of a platform approach when they begin their Zero Trust planning. If they can identify a small set of vendors that can help them with most/all of their Zero Trust requirements, it can dramatically simplify their program. A Zero Trust platform, such as my own company’s Symantec Integrated Cyber Defense platform, solves many of the complexity issues by pre-building into the platform the integrations organizations need to have the capabilities, technologies and features they need. The result leads to improved security outcomes by reducing the operational complexity, offering better visibility, simplifying the automation and orchestration, and streamlining sourcing and even vendor management.
Our Symantec platform offers companies a simplified security model to deliver the Zero Trust security outcomes most important to them. We’ve mapped its capabilities directly to the ZTX model and I proudly note that our platform was recently recognized by Forrester Research as a leader in the The Forrester Wave™: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018.
In closing I’d like to invite you to contact Symantec to learn more about Zero Trust and the Zero Trust Extended ecosystem model. The move to the cloud-based world creates a fantastic opportunity for enterprises to re-architect security infrastructures, and the ZTX model provides some great blue-prints to guide organizations through this process. The recently named Nobel Laureate, Bob Dylan, once wished that we would all “have a strong foundation when the winds of changes shift.” Zero Trust offers us that strong foundation for those shifting technology winds – today, and for years to come.
Implementing a Zero Trust framework to Secure Modern Workflows
Join our cloud security experts to learn how new product enhancements within the Symantec Integrated Cyber Defense Platform are delivering on the promise of Zero Trust while reducing cost and complexity for network security professionals.
We encourage you to share your thoughts on your favorite social platform.