How to Get Started on Zero-Trust Security
Agencies are becoming more interested in zero trust because users are accessing applications and data outside of traditional network perimeters, in clouds and on home networks. As a result, agency IT security chiefs are looking to bring protections to wherever applications, workloads, users and devices might be, Jim Kotantoulas, a technical solutions architect at Cisco Security, writes in a Cisco blog post.
Zero trust assumes that an organization’s network is always a hostile environment and that both external and internal threats exist at all times.
“Zero Trust mandates a ‘never trust, always verify, enforce least privilege’ approach, granting least privilege access based on a dynamic evaluation of the trustworthiness of users and their devices, and any transaction risk, before they are allowed to connect to network resources,” Kotantoulas writes. This is the trust-centric model and the foundation of zero trust security, he adds.
Cisco’s approach to zero trust lays out six critical steps an agency or other enterprise needs to take to adopt a zero-trust architecture, according to Kotantoulas.
The first is to establish trust levels for users and their devices. That is why identity management and authentication are central to zero trust: they enable more granular control over access within an organization’s environment. The second, related step is to establish trust levels for Internet of Things devices and/or for data workloads.
Then, in the next two steps, agencies need to establish software-defined perimeters to control both access to applications and networks, via application access and segmentation/microsegmentation, respectively.
According to a white paper from the Cloud Security Alliance, a software-defined perimeter updates the traditional perimeter-based approach to security and gives “application owners the ability to deploy perimeters that retain the traditional model’s value of invisibility and inaccessibility to ‘outsiders,’ but can be deployed anywhere — on the internet, in the cloud, at a hosting center, on the private corporate network, or across some or all of these locations.”
Software-defined perimeters aim to give application owners the ability to set up perimeter functionality where needed, the Cloud Security Alliance notes, and “provide access to application infrastructure only after device attestation and identity verification.”
The fifth and sixth steps involve automating adaptive security policies. First, agencies need to automate adaptive policy that normalizes policy in the network, data center and cloud. Then, agencies need to automate adaptive policy using threat response, in which the trust level adapts to the level of the threat.
Shifting from a trusted perimeter model to a zero-trust model “means that static security policies that are already in place are now obsolete,” Kotantoulas writes, adding that cybersecurity “now needs to evaluate, adapt and deploy new security policies that address threats in an ever changing and dynamic environment.”
That means agency IT security policies “now need to be dynamic and calculated from as many sources of data as possible. All network activity must be visible, understood, continuously inspected and logged. Any indications of compromise or variations in behavior changes of their apps, users and devices must be investigated, validated and responded to immediately.”
This constitutes a threat-centric model within zero trust.
Both the trust-centric and threat-centric models “should be equally considered” when building zero trust networks, Kotantoulas writes. “And both should span across all aspects of the network, protecting the workforce, the workloads and the workspace.”
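As an added illustration (not Cisco’s or the author’s code) of how the trust-centric and threat-centric models combine in a single access decision, the following Python sketch computes a dynamic trust score from identity, device-attestation and transaction-risk signals, enforces least-privilege entitlements, and raises the trust required as the current threat level rises. The signal names, weights, roles, resources and thresholds are assumptions made for the example.

```python
"""Toy zero-trust policy engine (added example; all signals and weights are assumed)."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    mfa_verified: bool      # identity verification (step 1: user trust)
    device_attested: bool   # device posture/attestation (step 1: device trust)
    device_managed: bool    # enrolled, managed endpoint
    resource: str
    action: str             # "read" or "write"
    geo_anomaly: bool       # transaction-risk signal (unusual location)


# Least-privilege entitlements per role (assumed sample data).
ENTITLEMENTS = {
    "analyst": {"case-db": {"read"}, "wiki": {"read", "write"}},
    "admin": {"case-db": {"read", "write"}, "wiki": {"read", "write"}},
}
ROLES = {"alice": "analyst", "bob": "admin"}


def trust_score(req: Request) -> int:
    """Trust-centric: dynamically score user, device and transaction signals (0-100)."""
    score = 0
    score += 40 if req.mfa_verified else 0
    score += 30 if req.device_attested else 0
    score += 20 if req.device_managed else 0
    score -= 30 if req.geo_anomaly else 0
    return max(0, min(100, score))


def required_trust(action: str, threat_level: int) -> int:
    """Threat-centric: writes need more trust, and every action needs more
    as the current threat level (0 = normal .. 3 = active incident) rises."""
    base = 70 if action == "write" else 50
    return min(100, base + 10 * threat_level)


def decide(req: Request, threat_level: int = 0) -> str:
    """Never trust, always verify: allow only if entitled AND trusted enough right now."""
    role = ROLES.get(req.user)
    if role is None or req.action not in ENTITLEMENTS[role].get(req.resource, set()):
        return "deny:not-entitled"          # least privilege: no static grant
    if trust_score(req) < required_trust(req.action, threat_level):
        return "deny:insufficient-trust"    # dynamic evaluation failed
    return "allow"
```

The same request can be allowed under normal conditions and denied once the threat level rises, which is the adaptive behaviour the sixth step describes.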