There’s a lot of buzz around Zero Trust security. Organizations are rushing to get started, but many don’t really know where to begin. One of the questions we’re hearing is whether technology should be the starting point for addressing Zero Trust. The concern is whether this approach is putting the cart before the horse. From our perspective, it’s important at the beginning of this initiative to separate the framework of Zero Trust from the technology. The entire initiative is a major investment – so setting the foundation will put you in a better position to succeed. The right tools will be there for you to evaluate when your Zero Trust game plan is established.
Zero Trust Security – Think Like a Hacker
Zero Trust takes the stance you don’t implicitly trust anything. That goes for users, networks, and systems. And as pessimistic as it sounds, Zero Trust’s philosophy is built on assuming there’s a breach. So as much as prevention is ideal… detecting, isolating, and remediating is a must. This has become even more important as Cloud, BYOD and other technologies have significantly widened the attack surface. So, at the core of this, you’ll need to transform your enterprise network into a multitude of independent locked-down islands that protect sensitive assets and restrict a breach from spreading if one island is compromised.
Getting Started on Your Zero Trust Journey
To start this transformation, you need to define your sensitive data, its associated infrastructure and services, and who/what gets access to it. You need to do this before you can start creating your islands of trust, which we will discuss. Consider these fundamental steps as your Zero Trust starter’s guide:
Know where your sensitive data is – and prioritize it.
Consider this your first step. You need to understand where your sensitive data is that you need to protect across your enterprise. Then you need to prioritize what data will be protected with the resources you have. Organizations need to pragmatically look at this through a risk-based lens. For example, you may identify your HR database as a priority, as it contains sensitive data about all your employees, including their Social Security numbers.
Know the services and infrastructure that make that data accessible.
Staying with HR database as an example, it probably has a web portal application that makes sensitive data available only accessible to the HR department. However, data access may not stop there. That application sits on top of an operating system and the hardware supporting it. On top of that, there might be other services that make that data available, such as APIs that have access through other avenues. You need to identify these since it will, along with the sensitive HR data, become part of a circle of trust.
Know who is allowed to access, up and down the stack.
This is important but often overlooked. As I mentioned, the HR team is supposed to be the only ones accessing sensitive employee data through that portal application. However, there may be administrators who are responsible for managing the HR services or infrastructure who shouldn’t have access to the HR data. But we see cases where their permissions haven’t been restricted. If that administrator’s account gets compromised, then the attacker has access to that data without ever going through the portal web application. Many organizations don’t account for the whole stack when they consider setting up security privileges. This sounds hypothetical, but this oversight happens all the time.
Enforce principle of least privilege.
You’re only granting a user or to account the least amount of privilege they need to perform their function. That’s a very basic, fundamental cybersecurity concept that’s frequently violated. And that’s why bad things happen. Take the time to properly implement and manage this.
Define your “islands” of authorization to prevent lateral movement.
You now need to draw that protective circle around the entire tech stack – for example, all the services, infrastructure, servers, virtual machines, and storage that hosts data — and the people allowed to access it. This is essentially the island of trust for HR’s sensitive data. You only trust what’s in it. You don’t trust anything or anyone outside that particular circle, including admins who don’t require access.
Monitor for violations of trust.
Now you’ve established your islands, you need to ensure their integrity. This can get challenging as you’re protecting many different islands across the enterprise. You will need constant visibility into what’s broken and needs to be fixed.
The Zero Trust Security Road Map
Organizations are encouraged to constantly evaluate where they are on the Zero Trust journey and what steps they need to take by reviewing CISA’s Zero Trust Maturity Model. As it points out, the journey is an incremental process that can take years to implement. But the path it provides can be your North Star toward achieving it.
Doing the Hard Work: Creating Zero Trust’s Foundation
To achieve all of this, you need to get the foundational level right: the governance in defining and enforcing these circles of trust, the visibility and analytics to help you better understand your risks and the proactive measures you can take, and the automation and orchestration to help support security responses. It’s hard work and isn’t as exciting as the new tools and technology that are coming out. But it’s paramount and there’s no way around that if you want to evolve your Zero Trust initiative into a mature, optimal security framework that can help protect your enterprise.
Getting Zero Trust Right from the Beginning
Zero Trust is a big investment that will take time to implement – and you want to get right. Focus on getting the architectural plan and drawings in place, so you’ve set a foundation and know what you’re creating. Then buy the right tools to build it.
Contact us to learn how Signal Hill Technologies can assist your organization in standing up its Zero Trust cybersecurity architecture.
