Implementation of Zero Trust Architecture
Introduction
In this article I would like to expand on my first publication, Zero Trust Architecture in Cybersecurity, and cover common misconceptions about Zero Trust, guidelines for implementing the Zero Trust model in your environment, and finish with where Zero Trust stands in 2021.
Zero Trust Architecture is a "guilty until proven innocent" approach to securing a network: no user, device or connection is trusted by default, regardless of where it sits. It was developed by cybersecurity expert John Kindervag in 2010. For readers who want to know more about its origins and what Zero Trust Architecture is, here is the link to my first article.
I am going to start with common misconceptions about Zero Trust Architecture.
Misconceptions about The Zero Trust Architecture
The Zero Trust model is becoming a popular approach to the ever-growing cyber attacks and threats against organizations' networks. However, security specialists often don't know where to begin implementing it, or are under the impression that switching to the Zero Trust model means starting from scratch. This is not the case. Zero Trust does not require tearing down your current security platform and starting fresh. Shifting to the Zero Trust model is a gradual process that builds on existing security controls and follows a plan to move to the new model in stages.
There is a great article, 4 Major Myths of Zero Trust Architecture, by John Kindervag, in which he describes the misconceptions surrounding the Zero Trust Architecture model and how to overcome them. The four myths are:
· Zero Trust Architecture Always Requires a ‘Rip and Replace’ of the Existing Network
· Zero Trust Architecture Is Expensive and Disruptive
· Zero Trust Architecture Is Done All on the Endpoint
· Zero Trust Architecture Cannot Be Deployed to the Public Cloud
If you are interested in more details, here you can find a link to the article:
Where to begin
"We consistently find that enterprises have the earliest and most rapid success if they focus on improving identity management and device security. These two core components of the Zero Trust eXtended (ZTX) ecosystem drive rapid risk reduction and build confidence with executives that the organization can realize security benefits from its Zero Trust program quickly.” - Forrester Research’s Practical Guide to A Zero Trust Implementation.
As with the adoption of any new system, it is critical to create and follow a detailed plan to achieve a successful Zero Trust implementation. The framework should be based on the Zero Trust eXtended (ZTX) concepts, an updated version of the original Zero Trust approach. ZTX defines seven core components and, for each, the capabilities necessary to deliver that component's requirements. An important point is that no single vendor can deliver all the components needed to build a Zero Trust model, so considering multiple vendors is a must.
Involve business and IT departments in the development of the implementation plan. Most changes will require new investment or a shift in existing investment, so it makes sense to include some decision-makers in the development team, along with application developers and the IT team members who will manage the infrastructure you are building.
The Zero Trust implementation plan should take existing security and IT projects into account. Establish proper communication between the development team and those projects to avoid conflicts with their schedules.
The image below shows a sample roadmap for implementing a Zero Trust architecture, released by Forrester in its Practical Guide to a Zero Trust Implementation. It suggests dividing all development activities into separate categories and implementing them over predetermined phases.
Identify Your Maturity to Discover your Starting Point
Understanding your present maturity level, and where you need to be within a given time period, will help you focus your investments and activities.
· Establish your current baseline – Evaluate your current Zero Trust maturity and establish a baseline of capabilities.
· Identify current business initiatives and existing security capabilities – Before beginning implementation, know what other business activities are in play.
· Set your desired maturity state and the time frame to achieve it – Once you have conducted a maturity assessment, set the desired future maturity state and a time frame. Forrester recommends a two- to three-year period as a typical time frame for a detailed Zero Trust roadmap.
Forrester’s Guidelines to Zero Trust
Forrester groups its recommendations into five categories.
1. Zero Trust for People – The main goal is to adopt the required security technologies without jeopardizing the quality of the customer and employee experience. With so many parties involved, each requiring a unique identity with different access privileges, the requirements for IAM (Identity and Access Management) become more complicated. This category focuses specifically on IAM. It is frequently one of the least mature areas and one of the most straightforward to improve: investing in multifactor authentication (MFA) and single sign-on (SSO) often also helps resolve other compliance, security and efficiency issues in an organization.
2. Zero Trust for Workloads – The rapid growth of private and public cloud solutions as part of organizations' infrastructure has made workload security a pressing area to develop. The first step is to identify and categorize workloads so that the more sensitive the workload, the stronger the controls placed around it. Next, build a digital identity for each workload. This creates isolation points where access control, data storage and data encryption policies can be applied. The last step is to implement multiple layers of security tooling to enforce those policies.
3. Zero Trust for Devices – It is now well documented that IoT devices became a considerably larger target for cybercriminals during 2020 with the rise of remote work. The long list of issues includes botnets, weak or non-existent encryption, default plain-text passwords and insecure communication protocols. To close these openings, security departments should consider the following. Apply network segmentation: placing user and device traffic into micro-perimeters not only isolates them from each other but also makes it possible to quarantine potentially infected or compromised devices. Apply hardening solutions for IoT devices; vendors such as Cisco, Intel and Thales provide such tools, which enable capabilities such as secure firmware and protection against device or data tampering by unauthorized users. For BYOD devices, conduct a health check before allowing them to connect to your network; Cisco, Microsoft and Unisys offer health check products.
4. Zero Trust for Networks – Forrester suggests protecting resources instead of networks. Move the perimeter to the "edge" of the network, where users connect to it. Segment around applications and their related services, and create policies that dictate which groups can access what. Implement segmentation at each endpoint, either by installing an agent on each host or through virtual network routing; in a virtualized environment, a hypervisor component can enforce segmentation policies. Many next-generation firewalls include hardware crypto acceleration so that they can decrypt and inspect the TLS traffic passing through them. Palo Alto Networks and Cisco are two of many companies that provide security management tools for cloud deployments, such as container security policies and cloud firewalls. Trend Micro, for example, offers an IDS/IPS that is deployed behind a gateway load balancer to inspect all application traffic.
5. Zero Trust for Data – The Zero Trust approach protects an organization's assets by establishing visibility into which users and applications access data from which devices, and by enforcing policies regardless of whether the user is connected to the organization's network.
It is very important to classify and define your sensitive data in order to determine where and how to protect it. These capabilities are available in Microsoft Information Protection, a service that helps organizations classify, label and protect data based on its sensitivity. Answer the following questions to prepare proper controls and policies: Who is collecting the data, for how long and for what reason? What is the purpose of holding this data, how is it collected, and what would the consequences of a breach be?
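The five categories above come together at the point where a single access request is decided: the subject's identity and authentication strength (People), the device's health and whether it carries an organization-issued identity (Devices), and the sensitivity classification of the resource (Workloads, Data), with the network location deliberately given no weight (Networks). The following policy decision point is an added example written for this article; it is not Forrester's, Okta's or any vendor's code. All names, thresholds (such as the 30-day patch age) and the sample users, devices and resources are constructed for illustration.

```python
"""Minimal Zero Trust policy decision point (PDP). Added example, not from any vendor."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import FrozenSet, List


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Subject:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool          # did this session complete MFA?


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # has a device identity issued by the organization
    disk_encrypted: bool
    patch_age_days: int
    edr_running: bool


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity
    allowed_groups: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: Resource
    source_ip: str              # recorded for audit only, never used for the decision


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


MAX_PATCH_AGE_DAYS = 30         # assumed threshold, pick your own


def device_health_failures(device: Device) -> List[str]:
    """Posture check applied to every device, managed or BYOD. Empty list = healthy."""
    failures = []
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches {device.patch_age_days} days old")
    if not device.edr_running:
        failures.append("endpoint protection not running")
    return failures


def evaluate(req: Request) -> Decision:
    """Every request is evaluated from scratch; nothing is trusted by default."""
    reasons = []
    level = req.resource.sensitivity
    # 1. Identity: the subject must belong to a group the resource allows.
    if not (req.subject.groups & req.resource.allowed_groups):
        reasons.append(f"{req.subject.user} not in allowed groups")
    # 2. Authentication strength: MFA for anything that is not public.
    if level >= Sensitivity.INTERNAL and not req.subject.mfa_verified:
        reasons.append("MFA required")
    # 3. Device posture: health check for non-public data, and a managed
    #    (organization-identified) device for confidential and restricted data.
    if level >= Sensitivity.INTERNAL:
        reasons.extend(device_health_failures(req.device))
    if level >= Sensitivity.CONFIDENTIAL and not req.device.managed:
        reasons.append("unmanaged device")
    # 4. Network location plays no part: req.source_ip is intentionally not read here.
    return Decision(allow=not reasons, reasons=reasons)


def audit_line(req: Request, decision: Decision) -> str:
    verdict = "ALLOW" if decision.allow else "DENY"
    detail = "; ".join(decision.reasons) or "all checks passed"
    return (f"{verdict} user={req.subject.user} device={req.device.device_id} "
            f"resource={req.resource.name} src={req.source_ip} ({detail})")


# Constructed sample data for the demo (not taken from any real environment).
PAYROLL = Resource("payroll-db", Sensitivity.RESTRICTED, frozenset({"finance"}))
WIKI = Resource("internal-wiki", Sensitivity.INTERNAL, frozenset({"staff"}))
ALICE = Subject("alice", frozenset({"staff", "finance"}), mfa_verified=True)
ALICE_NO_MFA = Subject("alice", frozenset({"staff", "finance"}), mfa_verified=False)
CORP_LAPTOP = Device("lt-0042", True, True, 7, True)
STALE_LAPTOP = Device("lt-0099", True, True, 45, True)      # managed but unpatched
BYOD_PHONE = Device("byod-7", False, True, 3, True)         # healthy, not managed


def demo() -> List[str]:
    requests = [
        Request(ALICE, CORP_LAPTOP, PAYROLL, "203.0.113.10"),   # off-network, all checks pass
        Request(ALICE_NO_MFA, CORP_LAPTOP, PAYROLL, "10.0.0.5"),  # on the LAN, still denied
        Request(ALICE, BYOD_PHONE, WIKI, "198.51.100.7"),      # healthy BYOD reaches internal data
        Request(ALICE, BYOD_PHONE, PAYROLL, "198.51.100.7"),   # but not restricted data
        Request(ALICE, STALE_LAPTOP, PAYROLL, "10.0.0.9"),     # managed but unpatched: denied
    ]
    return [audit_line(r, evaluate(r)) for r in requests]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second sample request is the one to notice: it originates from a private LAN address and is still denied, because the decision reads identity, authentication strength, device posture and resource classification, and nothing else. Swapping the per-request checks for real signals (an IdP token with an MFA claim, an MDM or health attestation API, a data classification label) keeps the same structure.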
The state of Zero Trust in Global Organizations
Okta, a company that offers identity management systems designed for cloud solutions but that also work with on-premises applications, has released a study on the state of Zero Trust in global organizations.
Okta researchers: “Zero trust is taking hold in a very meaningful way, with 275% year-over-year growth in the number of North American organizations that have or plan to have a defined zero trust initiative on the books in the next 12-18 months. Our 2020 study finds that 60% of organizations in North America (and 40% globally) are currently working on zero trust projects.”
Adoption of the Zero Trust model is rising all the time. Okta surveyed 500 security leaders at organizations worldwide and evaluated their Zero Trust initiatives. North American healthcare institutions take the lead in adopting IAM innovations. Since the study began, there has been a nearly 50% rise in businesses that are taking steps toward Zero Trust or have it in their plans. Companies like GitLab, MGM Studios and FedEx are examples of businesses implementing Zero Trust, and they point out that you may already be doing some of the steps required for this architecture.
Thank you for your time and I hope you enjoyed reading this article, any comments or critiques will be greatly appreciated.
References
[1] "Forrester," [Online]. Available: https://www.forrester.com/report/A+Practical+Guide+To+A+Zero+Trust+Implementation/-/E-RES157736. [Accessed 2 April 2021].
[2] J. Kindervag, "Sirius Edge," 18 January 2018. [Online]. Available: https://edge.siriuscom.com/security/4-major-myths-of-zero-trust-architecture. [Accessed 24 March 2020].
[3] "Search Security," [Online]. Available: https://searchsecurity.techtarget.com/answer/What-should-I-protect-with-a-zero-trust-architecture. [Accessed 30 March 2021].
[4] "Microsoft Docs," [Online]. Available: https://docs.microsoft.com/en-us/graph/information-protection-overview. [Accessed 2 April 2021].
[5] "Okta," [Online]. Available: https://www.okta.com/resources/reports/state-of-zero-trust-security-in-global-organizations. [Accessed 2 April 2021].