While Getting Started With Zero Trust Can Be Daunting, the Benefits Are Worth the Cost

Zero Trust is a significant change factor in how cybersecurity is approached. We used to think of our organization as a castle, with walls (firewalls), a moat (DMZ), and a drawbridge (access control). However, with the escalation of militancy in Ukraine, increased activity by cybercriminal groups, and increased attack surfaces caused by businesses migrating to the cloud and employees working remotely, Zero Trust has become cybersecurity's most valuable change agent.

Zero Trust is the New Focus Among Executives

According to a recent survey, the Zero Trust Strategies for 2022 Report conducted by iSMG, everyone said that Zero Trust is critical to reducing their cybersecurity risk (100% of all respondents chose somewhat to extremely critical). Also, nearly half of them (46%) said Zero Trust is the most crucial security practice in 2022. Another survey of over 300 large organizations by Forrester indicated that 78% of security executives plan to raise their use of Zero Trust in 2022. There is no doubt that Zero Trust is a new priority among executives responsible for cybersecurity strategy.

But if we take a closer look at the survey, there is an execution problem. Forrester's survey places full deployment of Zero Trust at only 6%. Another 30% said Zero Trust is in partial deployment or production, and 63% said their Zero Trust projects are now in the assessment, strategy, or pilot phases. So, although C-level executives are planning for Zero Trust, most of them are still only planning.

If you are looking for an introduction to Zero Trust Architecture: https://hackernoon.com/introduction-to-the-zero-trust-security-architecture-a-concept-not-a-product

With A Little Help From My Friends (NIST, CISA, OMB)

In May 2021, the US government issued an EO on improving the nation's cybersecurity. A significant aspect of the EO was the push for agencies to adopt Zero Trust (mentioned 11 times).
In response to the EO, the Office of Management and Budget (OMB) released the official federal strategy to move ahead to zero trust architecture, which includes a detailed road map that not just government agencies and contractors but any organization can use as a model. Moreover, CISA released its Zero Trust Maturity Model last fall, a roadmap for agencies to transition to a zero-trust architecture.

For example, when it comes to Zero Trust, the NIST National Cybersecurity Center of Excellence (NCCoE) has provided guidance that maps relevant Zero Trust components (i.e., those of NIST SP800-207) to CSF functions, categories, and subcategories. These are core Zero Trust components, such as policy engines, policy administrators, and enforcement points. Another helpful resource is the whitepaper from NIST, Planning for a Zero Trust Architecture, which describes how to leverage CSF and the NIST Risk Management Framework (RMF, SP800-37) to migrate to a Zero Trust Architecture.

Below are some best practices to start.

1. Understanding the Protection Surface (Yes, Not the Attack Surface)

It is the norm to begin a risk assessment with attack surface analysis. For example, security professionals usually start by looking at the potential attack surface: Where is the perimeter? How might someone break in? What is the possible method to do it? With Zero Trust, things are a little bit different. According to NIST's Planning for a Zero Trust Architecture, starting from the highest value and highest risk users and assets, the data and applications, is recommended. The protection surface is also much smaller than the attack surface or the perimeter, and thus easier to defend. In ZTA, you will not find any perimeter to safeguard; instead, you put a "micro-perimeter" around assets. Those are the best areas to start adopting Zero Trust principles. As a result, you have complete control over who accesses the critical assets, how they access them, and when they access them.
Secure each protection surface in a method appropriate to that surface. Prioritize what to protect based on criticality against your business goals. You may not know all of the applications in your data center when you start, but you know your most critical applications. After you implement Zero Trust on one or more non-critical protection surfaces, move on to the next set of protection surfaces on the priority list until you reach your cybersecurity goals.

2. Maximizing Visibility - You Can't Protect What You Can't See

According to CISA's Zero Trust Maturity Model, before organizations can implement Zero Trust around four enforcement points (identities, devices, networks, applications, and data), they need complete visibility - to understand how everything connects to everything else. Users, devices, and services are all connected to data centers. It's a complex environment that is only made more complicated by the cloud. If organizations try to implement enforcement without understanding how this environment behaves, the result is security gaps or broken workflows. Once they get complete visibility, they can begin to understand what trust and enforcement policies they need. Many essential technologies might already be in use and need modernizing with orchestration and policy engines.

3. Building The New Boundary: Micro-segmentation

Data centers are traditionally good at managing networks and surrounding environments. But according to NIST SP800-207, Zero Trust Architecture, a differential segment is how to create a "micro-boundary" in the data center; this is similar to the allowlist of a legacy system: only pre-approved traffic flows can pass. In the case of building a Zero Trust Architecture (ZTA), the principle is the same, but the network segment and boundary will be much smaller. Therefore, the micro-segmentation policy should be de-coupled from the existing network architecture and have the capability to scale with ease.
Besides that, the allowed list is based on policy, not IP addresses. Maintaining a network, its firewalls, and their rules is busy enough; preserving them across micro-segments is more so. As a result, manual work can no longer solve this problem. For example, modern Zero Trust Network Access (ZTNA) solutions use machine learning (ML) or artificial intelligence (AI) to understand the traffic pattern and access logic to help organizations create automated access policies.

4. Aligning Identities

No matter which framework or model you choose to follow, identity is the foundation of Zero Trust security. It requires pivotal components, such as identity origination and role-based access controls. Identity origination means knowing where all the identities come from: not only user identities, but also service accounts, application sessions, ephemeral identities, and cloud assets.

Zero Trust mandates authenticating the identity before providing secure access, which is impossible with legacy solutions like VPNs. A Software-Defined Perimeter (SDP) or ZTNA goes beyond validating the IP address, continually evaluating security risk based on device posture, location, time, roles, and permissions before granting access. Moreover, we no longer have just a "digital network" or "digital services"; we now have a whole "digital ecosystem" that keeps expanding. Suppose we want to remain secure while realizing these new channels, efficiencies, or agility. In that case, we need to adopt Zero Trust Architecture: as the size and shape of our digital footprint change, we use the lens of identity to see potential risks and to inform where we draw the "perimeter." Identity-based Zero Trust continually monitors every access request made by any user to any resource in the system. The Zero Trust model ensures a thorough audit trail for compliance and policy enforcement, whether on-premise or in the cloud.
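As an added example, not code from this article or from any of the frameworks it cites, the following Python sketches the two mechanisms of sections 3 and 4 together: a policy-based allowlist keyed on the protection surface rather than on IP ranges, and an access decision that is taken per identity, role, device posture, MFA state and time, then re-evaluated throughout the session. The resource names, roles, permitted hours and the device-compliance flag are constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy decision point (PDP) in the NIST SP 800-207 sense.
# The source IP is carried only into the audit record; it is never a trust signal.

@dataclass(frozen=True)
class AccessRequest:
    subject: str            # human or machine identity (user, service account, ...)
    role: str
    resource: str           # the protection surface being accessed
    device_compliant: bool  # device posture as reported by an EDR/MDM check (assumed)
    mfa_verified: bool
    hour_utc: int           # 0-23
    source_ip: str          # audit only; not a policy input

# Constructed policy: one entry per protection surface, not per network segment.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "hours": range(6, 20), "require_mfa": True},
    "wiki": {"roles": {"finance", "engineering"}, "hours": range(0, 24), "require_mfa": False},
}

def decide(req: AccessRequest) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Anything not explicitly allowed is denied."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return "deny", "no policy for resource (implicit deny)"
    if req.role not in rule["roles"]:
        return "deny", "role not permitted for this protection surface"
    if not req.device_compliant:
        return "deny", "device posture non-compliant"
    if rule["require_mfa"] and not req.mfa_verified:
        return "deny", "MFA required"
    if req.hour_utc not in rule["hours"]:
        return "deny", "outside permitted hours"
    return "allow", "all policy conditions satisfied"

def evaluate_session(snapshots: list[AccessRequest]) -> list[str]:
    """Continuous evaluation: re-decide at each posture snapshot taken during a
    session and end the session at the first deny (e.g. the device falls out of
    compliance mid-session)."""
    verdicts: list[str] = []
    for snap in snapshots:
        verdict, _reason = decide(snap)
        verdicts.append(verdict)
        if verdict == "deny":
            break
    return verdicts

def audit_record(req: AccessRequest) -> dict:
    """One audit-trail entry per request: who asked for what, from where, and why."""
    verdict, reason = decide(req)
    return {"subject": req.subject, "resource": req.resource,
            "source_ip": req.source_ip, "decision": verdict, "reason": reason}
```

Note that a request from an "internal" address with a non-compliant device is denied exactly like one from outside; the network location buys no trust.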
Every time an identity – human or machine – attempts to access an asset, a risk analysis is performed based on its behavior during the session and other contextual parameters. To efficiently and effectively manage the entire security posture, it makes more sense to have a single, holistic view of organizational identities to determine policy, view posture, enact compliance, and respond to risk.

5. Reducing Attack Surface

Remote workers accessing your network increase the attack surface on a new scale. Before any security incident happens, the security team should find ways to reduce the attack surface to minimize exposure. It is also the core of non-threat-based security operations (think about what the fireman does when there is no fire). Internally, a micro-segmentation approach gives a secure 1:1 connection to authorized resources. Anything unauthorized for the identity in question is invisible and inaccessible, thus reducing lateral movement and preventing insider threats. We can also apply Zero Trust security outside the organization to protect against external cyber threats and attacks. For example, your mobile and connected workforce is flooded with phishing attempts, the root cause of most cyberattacks during COVID. We can further reduce the attack surface by proactively mapping your digital footprint (mentioned above), monitoring communication channels for attack indicators (optimal with threat intelligence), and rapidly mitigating identified threats (including patching).

Final Words: Cybersecurity vs. Cyber-Resilience

Among all Zero Trust models - Google's BeyondCorp, Gartner's CARTA, NIST SP800-207, and ZTX by Forrester - it is ZTX that assumes being compromised is inevitable. This brings up the idea of cyber-resilience, and I would like to finish this article with this concept. The main difference between cybersecurity and cyber-resilience is the focus of the response.
In cybersecurity, we have DR/BCP to ensure organizations can resume operations as fast as possible. However, the main focus of cybersecurity is still on preventive controls. In response to this concept, NIST released a special publication, SP800-160 volume 2, "Developing Cyber Resilient Systems: A Systems Security Engineering Approach." It is the first in a series of specialty publications developed to support NIST SP 800-160 Volume 1, the flagship Systems Security Engineering guideline.

Achieving cyber-resilience is not the endgame but an endless journey. Organizations must push their limits, prepare for the worst, and hopefully, although near to impossible, identify vulnerabilities before adversaries do. Like the fighter who will face multiple opponents who take different approaches to beat him, he will spar with those who emulate his upcoming opponent. A resilient security architecture is one where defenders maintain maximum visibility across their enterprise; attacks are detected early, contained, and expelled before attackers realize their objectives; and response and recovery from any incidental damage are rapid. It's an approach more adaptable to the dynamic business factors of today's enterprise, where digital and cloud transformation, for example, are generally more cost-effective.

Doing all the above does not immediately turn your organization into the most secure one, but it helps you embrace most executives' security goal in 2023 - Zero Trust Architecture. Today, we have to admit that the question is no longer how to keep bad actors out, although this stays important. Instead, the priority should be how to recover as quickly as possible to "business as usual" once an attack occurs.

Thank you for reading. May InfoSec be with you🖖.