Avoiding inertia with 7 steps to a zero trust architecture

With breaches up 68% in 2021 and an increased media spotlight on the impact of ransomware attacks, there’s a greater urgency to elevate cybersecurity and protect data with a Zero Trust approach.

The Cloud Security Alliance (CSA) recently revealed that 80 percent of C-level executives rank Zero Trust as a priority for their organisations. Yet there are notable barriers to Zero Trust

adoption including complacency of access to data, confusion around what Zero Trust means, and just simply not knowing where to start.

Simplifying Zero Trust

Zero Trust is a cybersecurity strategy and framework built around the notion that security risks don’t only concern outside threats, but that significant danger is posed by those already within.

The framework minimises the risk of attacks by ‘trusting no one’ and applies multiple authentication criteria to protect and secure data and productivity. It is built on three core tenets: assume breach; trust no one; verify everything.

Everything is checked and verified before access is granted even when in the system. And even once access is given, this is periodically revoked to reduce the risks of extensive permissions. This prevents attacks by eliminating unauthorised access by authenticating, authorising, and encrypting all access and requests

Digital transformation has made network-focused perimeter defence obsolete

With the workforce becoming increasingly distributed and  94% of organisations now turning to cloud computing, unrevised security strategies will no longer make the cut . Data now resides beyond the traditional network perimeter, with employees accessing information and applications from multiple sources and devices and via untrusted networks. Sensitive business is being distributed in complex ecosystems comprising Software-as-a-Service (SaaS) public and private cloud platforms.

In this environment, trusting an entity inside the perimeter creates an inherent vulnerability – people may not be who they say they are due to identity theft or access misuse. And, if the initial line of defence is breached, inside assets lie widely exposed.

Seven steps to a Zero Trust architecture

These seven steps can help organisations migrate to a Zero Trust architecture and elevate their security posture:

Building framework foundations

Step one must be organising a core team and priorities –  a team of around 6-10 focused individuals representing the key security and business functions. Reading and learning together about Zero Trust and performing organisational discovery, is vital. Always outline the problem, roles and organisational systems first before you buy any tools.

Categorise assets

It’s now time to categorise the risk priorities, the potential consequences if ‘X’ was compromised. Organisations must prioritise vulnerabilities and address the highest risks first. This focuses on the most important assets and workflows, putting assets into impact buckets with a ‘high’, ‘moderate’ and ‘low’ grading approach.

Select initial set of assets

Next, select initial assets and workloads to focus on the highest value attack surface and highest risk users first. This requires being specific and intentional, and the core team should whittle down priorities to the top 3 protection zones to tackle

Implement initial controls

You’ll need to implement controls that protect the assets you’ve prioritised. This might require setting up new processes or reusing existing procedures. You need a system owner and a control provider to have the primary responsibilities to implement control from the core team.

Assess the performance of controls

The established access management controls are only helpful if the platforms they run on and against are trustworthy. The performance of the controls must be assessed as security is dynamic and always changing. This means continually assessing the system and environment and continually assessing the process used to manage that environment. A combination of automated monitoring tools will detect system changes and log suspicious behaviour.

Authorise systems

The senior leader will now decide whether to authorise this plan. Your proposal may include a combination of an executive summary, assessment reports based on testing, milestones, risk determination, and risk responses. If it isn’t authorised, you’ll need to go back, repeat the steps, and refine to meet approval.

Monitor results and refine as needed

Zero Trust requires the organisation to monitor the resources used to achieve its primary objectives. Organisations should, where possible, carry forward these tools and techniques to trigger actions based on the events seen in the monitoring. The security landscape is changing every minute so aligning an external threat intelligence that reflects what’s happening in the real world to your security strategy is critical.

Limiting access and loss

In adopting a Zero Trust approach and redesigning security control to harmonise access management, monitoring, and system management, organisations will protect their data and assets.

Once security pros and leadership teams accept that risk already lies within the system rather than knocking on the doors, they will elevate their security to the right levels and lock sensitive information within the appropriate circles of trust. It may be a gradual journey, but with the right parties collaborating – business, IT, and security – and taking steps to implement a multi-layer security strategy, supported by the right technology partners, the business will protect what’s theirs.

About the Author

John Grancarich is Executive Vice President of Strategy at HelpSystems. He works with cybersecurity and automation customers to develop a full understanding of their needs in light of today’s complex market dynamics and anticipate future trends and technologies. John’s leadership enables the HelpSystems team to conceptualise, develop and implement market leading strategies and deliver continuous value to customers.

Featured image: ©JustSuper