Zero-trust security: How to get started
When the pandemic caused more organizations to rely on a distributed workforce, those organizations had more pressure to move services to the cloud. At the same time, attackers ramped up security threats that took advantage of the uncertainty and fear many people were experiencing. The result: Companies have made zero-trust projects a priority.
Many are wondering how to make the transformation to zero trust. Small, defined steps are best, said Chase Cunningham, vice president and principal analyst at Forrester Research.
Cunningham noted some potential starting points: replacing a software-defined perimeter or software-defined WAN that is a bottleneck for remote workers, improving monitoring of users through identity and access management or behavioral monitoring, or extending endpoint detection and response (EDR) monitoring to all nodes.
But it needn't be a matter of rip and replace. Often, existing security technologies can be reconfigured to be more in line with the zero-trust model, said Kieran Norton, infrastructure solutions leader at consultancy Deloitte.
Here are key steps to take to get started with zero-trust security.
Get executives to buy in
All zero-trust initiatives need support from business leaders, but many times it's company leaders themselves who are driving the move, said Forrester's Cunningham, because of some compelling benefits.
"At the end stages, what you get out of zero trust is remote-workforce enablement, lower risk, and more command and control of diverse assets. You have an easily translatable business strategy that is easily justifiable to the business."
—Chase Cunningham
Currently, nearly 30% of companies either have zero trust in place already or have projects underway, according to Cybersecurity Insiders' 2020 Zero Trust Progress Report. Another 43% of companies are planning to tackle zero trust this year.
Assess your current situation
Every company has a different security maturity level and a different set of assets and skilled personnel. Before embarking on creating a business infrastructure for zero trust, companies must know where they stand, Cunningham said.
"I think it is a very important thing for organizations to take a realistic assessment of their current posture. If they don't do that, they don't know where to start."
—Chase Cunningham
The top focus of many companies, according to the 2020 Zero Trust Progress Report, is deploying multi-factor authentication within the next 12 months. That is followed by identity management and single sign-on.
Start small and proceed with deliberation
Companies that want to deploy a zero-trust framework are often overwhelmed by the enormous scope of the project and decide to start with protecting their most critical assets.
Such an approach can lead to failure, said John Kindervag, field CTO at Palo Alto Networks. The most critical assets are often the ones that have had layers of software and security built around them to keep them working, making them fragile. Instead, the learning curve should focus on the most implementable projects first, to develop in-house expertise.
"Focus on low-sensitivity data or assets and build zero trust incrementally and iteratively. You boil the ocean one teaspoon at a time."
—John Kindervag
All-new technology is not needed
Zero trust is not necessarily a set of new technologies, but a different way of looking at security and what the boundaries are for trust. Because vendors have all labeled their products as necessary for digital transformation and zero trust, there is a lot of confusion in the market.
Take it all with a grain of salt, said Forrester's Cunningham.
"The things that prevent compromises are not [new technology such as] super-mega encryption post-quantum whatever," he said. More can be gained, he said, from taking aim at the low-hanging fruit: eliminating bad passwords, enabling MFA, limiting what users can access, and limiting lateral movement with micro-segmentation.
"All the other stuff that we see being sold in the industry is lipstick on a pig. We have a lot of folks that continue to buy more stuff."
—Chase Cunningham
That's not to say that the right technology will not help. But companies should first figure out what they really need, he said. "In reality, you can build a zero-trust infrastructure with any set of technologies. But although I could build the Suez Canal with a shovel, it is much better if I bring in the right equipment."
Prepare for take-off
In the end, a deliberate and planned approach to zero trust allows companies to learn the technology, correct course, and then take on the most critical threats. Kindervag, who coined the term "zero trust," argues that this approach gives a company enough runway to get up to speed before attempting the hardest projects.
If companies do it right, then it provides operational savings, he said.
"It reduces capital expenditures by eliminating unnecessary or redundant controls. Fewer people are needed to manage and maintain a zero-trust environment."
—John Kindervag
When old meets new
Zero trust involves revamping trusted principles with a new approach. Remember that when sorting out the approach your team will take.
"The technologies are many of the same things that we have been doing for a long time, and that is where I think clients sometimes don't see through all the noise. You probably have a bunch of technology in your environment today that you can use to move to a zero-trust model—so you don't have to replace everything, buy new technology, and start over."
—Kieran Norton
And as with any major technology project, keep it simple, said Cunningham.
"The most important approach is to pick a pillar, solve for it, complete it, and then move on. What you shouldn't do is try to start three or four projects at the same time, because then you wind up with three or four 70% done projects, and that's a problem."
—Chase Cunningham