A Zero Trust environment is a hot topic in enterprise security circles—and it requires a more skeptical mindset than most current thinking. In the traditional network security model, network access defines connectivity. Zero Trust verifies users and devices. It's a “never trust, always verify” principle.
As many 2019 cybersecurity forecasts predict, it is becoming one of the principal cybersecurity frameworks. How should IT and business leaders implement and deploy perimeter-less security, that is, a Zero Trust environment, in their organization?
Going “perimeter-less” means building user-centered security on multiple data points rather than validating against a single data point (e.g., “Is their password correct?”). Build security requirements on multi-factor authentication (MFA), a current mobile operating system on the user's device, and the right business-specific security policies. Create a coordinated workflow for your security measures and enforce those measures immediately on any device requesting access.
In Five Steps to Perimeter-less Security: Adopting a Zero-Trust Model for Secure Application Access, Duo Security, acquired by Cisco, lays out a logical plan for adoption.
Step one: Initiate your migration to a Zero Trust environment with MFA. This eases users into taking additional security measures each time they log in. It is not difficult, and you end up with an inventory of your users and devices. Users are not the only ones who need support during the transition; admins must get comfortable with the perimeter-less paradigm too.
Step two: Whether devices are personally owned or company-managed, determine each one's security posture: the operating system it is running and the apps it is accessing.
Step three: Establish the trustworthiness of a device before its user is allowed access to an app. First, verify that the device has been granted access before; second, check that it meets your security requirements. A user may have the correct credentials yet try to access work email from an unapproved device, or from one that fails your minimum criteria because it runs an out-of-date operating system. In either case, the user doesn't get access.
Step four: Enforce risk-based and adaptive access policies by user and device. Set permissions so a corporate email login requires a username, password, and MFA. Typical behavior within this policy might be a remote user logging in from home around 8 am to check email—nothing unusual there. But what if that same user logs in at 2 am from an unknown IP address and reads data they have never accessed before? A risk-based Zero Trust model catches this anomalous behavior.
Step five: Establish a secure connection between applications and devices only after the user and device pass the policies you defined in step four.
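To make steps three and four concrete, here is an added example (not code from Duo, Cisco or the report) of a policy function that first checks device trust and then scores the login context from step four. The OS minimums, the sample baseline, the device and the IP addresses are constructed for illustration.

```python
from dataclasses import dataclass

MIN_OS = {"ios": (16, 0), "android": (13, 0), "windows": (10, 0), "macos": (13, 0)}  # constructed minimums, an assumption

@dataclass
class Device:
    os_name: str
    os_version: tuple  # e.g. (15, 2)
    enrolled: bool     # seen and approved before (step three, first check)

@dataclass
class Baseline:         # what "normal" looks like for one user
    usual_hours: range  # local hours in which logins are routine
    known_ips: set
    resources_seen: set

def device_trusted(dev):
    """Step three: enrolled first, then posture (minimum OS version for the platform)."""
    if not dev.enrolled:
        return False, "device not previously enrolled"
    minimum = MIN_OS.get(dev.os_name)
    if minimum is None or dev.os_version < minimum:
        return False, f"{dev.os_name} {'.'.join(map(str, dev.os_version))} below minimum"
    return True, "device posture ok"

def evaluate(base, dev, mfa_passed, source_ip, hour, resource):
    """Step four: adaptive decision for one login. Returns (decision, reasons)."""
    if not mfa_passed:
        return "deny", ["MFA not satisfied"]
    ok, why = device_trusted(dev)
    if not ok:
        return "deny", [why]
    signals = []
    if hour not in base.usual_hours:
        signals.append(f"login at {hour:02d}:00 outside usual hours")
    if source_ip not in base.known_ips:
        signals.append(f"unknown source IP {source_ip}")
    if resource not in base.resources_seen:
        signals.append(f"first access to {resource}")
    if len(signals) >= 2:  # several anomalies at once: deny and raise an alert
        return "deny_and_alert", signals
    if signals:            # one anomaly: require fresh step-up verification
        return "step_up", signals
    return "allow", ["matches baseline"]

# Constructed sample: a remote worker who reads mail from home during the day.
HOME = Baseline(range(7, 19), {"203.0.113.10"}, {"mail"})
LAPTOP = Device("macos", (14, 1), enrolled=True)

def demo():  # the two logins from the text: 8 am from home, then 2 am from an unknown IP
    routine = evaluate(HOME, LAPTOP, True, "203.0.113.10", 8, "mail")
    odd = evaluate(HOME, LAPTOP, True, "198.51.100.7", 2, "finance-share")
    return routine[0], odd[0]
```

A single anomaly (say, a known device at 8 am from a new IP) only triggers step-up verification; the thresholds are the policy knobs an admin tunes per risk category.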
Applying a Zero Trust model to your application portfolio doesn't happen overnight. Start by migrating the apps that carry the highest risk. If it isn't clear which those are, divide your portfolio into risk categories; prioritization flows from there. Three effective categories are high, medium, and low.
Categorize by first tagging each software asset with descriptive labels: directly controls PII, internet-facing, handles money, life-threatening, schedules conference rooms, and so on. Once all the portfolio's assets are tagged, place each one in one of the three risk categories.
Don't make the mistake of applying Zero Trust to only a portion of your portfolio. This new paradigm is a Zero Trust environment: low-risk apps are part of the migration too.
In a Zero Trust environment, responsibility for access decisions shifts away from the network. An added benefit is no longer needing, and paying for, VPN, MDM or Network Access Control (NAC) solutions. Your network is safer, more applications are protected, and you are optimizing IT spend. That's a win-win.