Zero trust security has gained traction in recent years but has been difficult for large organizations to implement.
Zero Trust, also called the Zero Trust Network or Zero Trust Architecture, was developed in 2010 by John Kindervag, then a principal analyst at Forrester Research Inc. It is a security model that upends the old castle-and-moat model: rather than protecting the network with a firewall at the perimeter, the Zero Trust model removes the assumption that anything inside the network can be trusted.
Some of the worst data breaches of recent years resulted from attackers getting past the perimeter firewall and then having free rein once inside. A 2018 IBM study reports that the global average cost of a data breach that year was $3.86 million, up 6.4 percent from the previous year.
The Zero Trust model addresses many of the challenges of modern network security. By removing the assumption that anything inside the firewall should automatically be trusted, it restricts movement within the network. A phishing attack or a compromised internal host no longer hands an attacker the run of the network; the damage is contained to what that identity or host was explicitly allowed to reach, resulting in a safer network and safer data.
This all sounds great, so why isn’t everyone using it?
Challenges to Implementing Zero Trust
One of the major challenges to implementing a Zero Trust Network model is the lack of out-of-the-box solutions. There are some tools available, but they likely will not secure your entire network, leaving you with a partial solution and only partial security.
That leads us to the next challenge, the time and cost of implementing a true Zero Trust Network. Since most networks were not built using this model, Zero Trust must be retrofitted to the existing network. In short, this means questioning everything. Network analysis must be done to determine network hardware, services, traffic and everything else on the network and then it must all be secured. Experts suggest that this type of Zero Trust implementation project should be considered in years, rather than months, especially for organizations with large, complex IT environments.
So, Where to Start?
Even with these challenges in mind, all is not lost. We’ve developed a list of easy places to start your Zero Trust implementation:
- First, ensure all future deployments are Zero Trust compliant. If you don’t stop deploying unauthenticated services or WAN communication, you will only add to your technical debt as you work to remediate it. Start requiring strong authentication and each deployment will build toward your Zero Trust goal.
- The next thing you need to do is to get an accurate picture of your network. You may already have network analysis tools or a recent network audit or inventory you can refer to. Once you have a clear, detailed view of your network, you can begin to prioritize systems or hardware to secure first. Pro Tip: That legacy system will likely not play well with Zero Trust, so leave that for last or begin a plan to retire it.
- Start asking questions. Because the Zero Trust model means that you can no longer assume that anything within your network is safe, you need to start questioning the security of everything. Building a structured threat model may also be helpful in identifying threats. Here’s an example line of questioning: If an attacker gained access to this VLAN, would the host be vulnerable? Why or why not? If this host were compromised, what else would an attacker be able to reach from it?
- Consider starting with a use case, for example, contractor permissions. Once you have worked through the use case and figured out what access is needed and which capabilities are required, you will have gained valuable experience and have a starting point for the next use case.
- Start building security controls around each piece of data or each resource you need to protect. One concrete control is a host-based firewall on every system, with a default-deny policy. As you build these host-based firewalls, determine the requirements of each application and configure the firewall to allow only that traffic. Because this can be tedious, developing policies and processes, or using automation to generate the rules from each application’s requirements, will save time and resources and you will make faster progress.
- Implement micro-segmentation. Micro-segmentation divides the network into small zones, down to individual workloads or applications, with an access policy enforced at each boundary. Those policies use criteria such as user identity, machine identity, user location and other context to decide whether to trust a user, machine, or application seeking access to that part of the network, rather than granting access simply because the request came from inside.
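To make the last three items on that list concrete, here is an added example (not code from the original post or from any product). It encodes a small, entirely constructed inventory of hosts with per-application allow-lists, renders each host's list as a default-deny nftables input chain, flags rules that still trust a whole network rather than a specific peer segment, and answers the threat-model question "if this host were compromised, what else could an attacker reach?" directly from those policies. The host names, addresses, ports and segment CIDRs are made up for illustration; the nftables syntax is standard, but treat the rendered ruleset as a starting template to review, not a drop-in configuration.

```python
"""Constructed example: per-host allow-lists -> default-deny nftables rulesets,
plus a 'blast radius' query over those policies. Added illustration, not code
from the original post; every host, address and port below is made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Allow:
    proto: str        # "tcp" or "udp"
    port: int
    sources: tuple    # CIDRs permitted to reach this port (the segment that needs it)


@dataclass(frozen=True)
class Host:
    name: str
    addr: str
    allows: tuple     # what this host's applications actually require, nothing more


# Constructed inventory: a bastion, a three-tier application, and one legacy box
# that still carries a flat "anything on the corporate /8" rule.
BASTION_NET = "10.9.0.0/24"
HOSTS = (
    Host("bastion", "10.9.0.5", (Allow("tcp", 22, ("203.0.113.0/24",)),)),
    Host("web01", "10.1.1.10", (Allow("tcp", 443, ("0.0.0.0/0",)),
                                Allow("tcp", 22, (BASTION_NET,)))),
    Host("app01", "10.1.2.10", (Allow("tcp", 8080, ("10.1.1.0/24",)),
                                Allow("tcp", 22, (BASTION_NET,)))),
    Host("db01", "10.1.3.10", (Allow("tcp", 5432, ("10.1.2.0/24",)),
                               Allow("tcp", 22, (BASTION_NET,)))),
    Host("legacy01", "10.1.4.10", (Allow("tcp", 445, ("10.0.0.0/8",)),)),
)


def render_nft(host):
    """Render a default-deny nftables input chain for one host: anything the
    application did not ask for is dropped. The output is a starting template."""
    lines = [
        f"# host {host.name} ({host.addr})",
        "table inet host_fw {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        '        iifname "lo" accept',
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for a in host.allows:
        for src in a.sources:
            lines.append(f"        ip saddr {src} {a.proto} dport {a.port} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


def wide_sources(host, max_prefixlen=16):
    """Flag allows whose source is a whole network rather than a specific peer
    segment. Hits on internet-facing ports are expected; hits on internal ports
    are the flat-network trust that the legacy system drags along."""
    return [(a.proto, a.port, s)
            for a in host.allows for s in a.sources
            if ip_network(s).prefixlen < max_prefixlen]


def reachable_from(compromised, hosts):
    """Answer 'if this host were compromised, what else could the attacker
    reach?' using only the allow-lists: every host whose firewall admits the
    compromised host's address, with the ports it could hit there."""
    src = ip_address(compromised.addr)
    reach = {}
    for h in hosts:
        if h.name == compromised.name:
            continue
        hits = [(a.proto, a.port) for a in h.allows
                if any(src in ip_network(s) for s in a.sources)]
        if hits:
            reach[h.name] = hits
    return reach


def host_by_name(name, hosts=HOSTS):
    return next(h for h in hosts if h.name == name)


if __name__ == "__main__":
    print(render_nft(host_by_name("app01")))
    for h in HOSTS:
        print(f"{h.name}: reachable -> {reachable_from(h, HOSTS)}; "
              f"wide sources -> {wide_sources(h)}")
```

Running it shows the point of the exercise: from a compromised web01 the attacker can reach only app01 on 8080 and the legacy host on 445, whereas a compromised bastion reaches every host, which tells you where to spend hardening effort first. The legacy01 entry is the one `wide_sources` flags, matching the advice to retire or isolate such systems rather than retrofit them.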
Hopefully, this blog post has given you a better understanding of the Zero Trust Network model and provided guidance to help you get started. As with any complex implementation, preparation, perseverance, and patience are the keys to success.