Zero Trust is an end-to-end approach to network and data security that encompasses identity, credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.
‘Zero Trust Architecture provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services’NIST Operative Definition
Organizations need to define zero trust strategy to enforce the security controls across the ‘defense in depth’ layers
IT Security leaders need to perform zero trust assessment across these defense in depth security layers and develop operating guidelines and road map to address potential business requirements.
Zero Trust Security Controls in Defense in Depth Layer
Modern business require effective security controls and more attention required to strength the identities that the organization deals with either users or machines.
Security solutions such as multi-factor authentication (MFA) are required to enforce the zero trust principles. Likewise integrating the single sign-on (SSO) for both external and internal applications are essential. Whilst having multiple point security products and different operational teams to monitor and manage, enterprise need to integrate and orchestrate the identity, access and privilege management solutions with other solution components such as SIEM, DLP, CASB, MDM and much more. Organizations need to consider various attributes such as User devices, Application, Network, Location, etc. to define identity based access policies.
Workforce today use multiple end user computing devices including smart phones to access corporate resources and access it from any locations. Enterprise should have visibility of both managed and unmanaged end user computing systems and its compliance to IT security policies. (example – Data protection policy, Anti virus management policy, etc.). Enforcing zero trust based remote access solutions are essential for ‘work from home’ scenario during demanding situations.
Most organization today depends on SaaS applications and this trend is likely to increase in future. Organization should know how to address the ‘shadow IT’ problem exists today and enforcing strict application security measures for both hosted and cloud applications. Business owner should made aware of the consequences of having privileged access and restrict administrative access with Just-in-time policies to reduce permanent permissions.
Digital business require hybrid infrastructure to deliver services – however organization face dilemma to choose security controls that are available with the cloud service providers over marketplace solutions. IT security leaders to validate whether they’ve specialized systems and tools to manage the endpoints, email systems, and other infrastructure components. Network segmentation and application segmentation are vital in order to adopt zero trust principles.
Data is critical for every business. Identifying the sensitivity and regulatory compliance based on the data are becoming crucial in recent days with increasing privacy concerns. Ensuring the data flow model including machine to machine require access decisions based on organizations guiding principles. Organizations need to enforce encryption, integrity, de-identification, protect misuse and other fraud prevention are must to survive in digital economy.
The slideshow below has recommendations at high level that organizations to adopt enforcing zero trust security controls.
Start enforcing security controls on your existing investments
Each organization has unique technology of choice, operational guidelines, use-cases and budget constraints. The enforcement of security controls based on documented zero trust security principles on the existing investments becomes essential as a good start. Organizations should perform ‘Zero trust’ assessments to have detailed visibility into both technology and operational gaps.
Security in continuous process and require constant learning as the attacks are sophisticated and targeted. Adopting to Zero Trust principles keep the business safe from any breaches.