The Fundamental Elements of Zero Trust
The first step for IT security leaders who want to adopt a zero-trust architecture is to conduct an assessment of their security environment. They need to determine where there may be gaps and how they want to evolve their security approach. They also should consider which solutions will give them the most bang for their buck.
A solid place to start with zero trust is identity, credential and access management (ICAM) solutions. Since zero trust revolves around identifying who users are and assessing the risk of giving them access, ICAM is foundational. Without a robust mechanism to adjudicate someone’s identity, there is no point in challenging them when they request access.
From there, a key step is not technology-related but policy-focused. Agencies need to apply the principle of least-privilege access, giving users access to only what they need to do their jobs. To do that, IT leaders need to define through policy which users get access to which specific networks and resources.
There are a multitude of different technologies that can be called zero-trust products, and security vendors are busy promoting them as such. They range from network access control solutions to database management and protection tools, software-defined networking and microsegmentation solutions, trust algorithms to determine a user’s risk score and more.
The challenge is then to start stitching these solutions together. Most solutions that serve as identity stores for agencies — whether Active Directory from Microsoft or a solution from Centrify or another vendor — are compatible with these solutions. Essentially, something like an SDN solution can interface with an identity solution in a standard way to verify a user’s identity. The solutions such as network access control are the gates, and the identity store is what holds all of the keys.
Agencies also need to put in place behavioral monitoring tools to help verify a user’s identity. Those include looking at where a user is logging in from, the time of day, whether they are logging in from multiple locations, and more. Multifactor authentication is also a must in a zero-trust environment.
The Challenges in Deploying Zero Trust
Multiple security vendors can claim that their solutions are elements of a zero-trust architecture. The key challenge for IT security leaders in government is to not approach a shift to zero trust as a checklist, in which every solution presented to them needs to be a part of their environment.
It all depends on what the agency is doing and how it wants to approach security. Fundamentally, zero trust requires agencies to verify every user and make sure the right users are accessing what they are supposed to. How that is achieved is up to the IT decision-makers.
Of course, there are technical challenges in knitting together ICAM tools with network defense solutions. Those can be dealt with internally or with trusted partners. The key is to remember that zero trust is a mindset shift. So, don’t get too myopic on the technology.
Another key challenge is the end-user experience. More gates mean more time needed for users to go through them. No one likes keying in one-time passwords all the time.
That is why IT leaders need to have a deep understanding of their agency’s users. Can they demand that users enter a new tokenized password every time they want to access a certain network or database? Or can they afford to be more lenient? If users access a resource twice within 10 minutes, will they be prompted to authenticate themselves again? These are the kinds of questions that need to be dealt with as much as any technology deployment.
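The behavioral signals described earlier (log-in location, time of day, multiple locations) and the re-authentication question just posed are easiest to see as a single policy decision. The following is an added example, not code from the article or from any vendor product it mentions: a toy policy decision point that first applies a least-privilege role policy, then evaluates constructed log-in signals, and only then decides whether a request is allowed outright, needs a step-up MFA prompt, or is denied. The role table, the 10-minute re-authentication window, the off-hours range and the one-hour "impossible travel" threshold are all assumptions chosen for illustration.

```python
"""Toy zero-trust policy decision point (added illustration, not from the article).

Assumptions: a hypothetical in-memory role policy, constructed session and
request data, all timestamps in UTC, and a 10-minute re-authentication window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical least-privilege policy: which resources each role may reach at all.
ROLE_POLICY = {
    "hr-analyst": {"hr-db"},
    "network-admin": {"hr-db", "core-switches"},
}

# Assumed agency choices: how long an MFA proof stays fresh, and what counts
# as off-hours and as implausible travel between two log-in locations.
REAUTH_WINDOW = timedelta(minutes=10)
OFF_HOURS = range(22, 24), range(0, 6)        # 22:00-05:59 UTC
TRAVEL_WINDOW = timedelta(hours=1)


@dataclass
class Session:
    user: str
    role: str
    last_auth: datetime                      # last successful MFA
    last_login_country: Optional[str] = None
    last_login_time: Optional[datetime] = None


@dataclass
class Request:
    resource: str
    country: str                             # where this request originates
    when: datetime


def utc(year, month, day, hour, minute=0):
    """Build a timezone-aware UTC timestamp (helper for constructed data)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def later(when, minutes=0, hours=0):
    """Offset a timestamp; keeps the scenarios below readable."""
    return when + timedelta(minutes=minutes, hours=hours)


def risk_signals(session, req):
    """Behavioral signals the article names: time of day and multiple locations."""
    signals = []
    if any(req.when.hour in block for block in OFF_HOURS):
        signals.append("off-hours")
    if (session.last_login_country
            and session.last_login_time
            and session.last_login_country != req.country
            and req.when - session.last_login_time < TRAVEL_WINDOW):
        signals.append("multiple-locations")
    return signals


def decide(session, req):
    """Return 'deny', 'step-up' or 'allow' for one access request."""
    # Least privilege comes first: the policy says what the role may reach.
    if req.resource not in ROLE_POLICY.get(session.role, set()):
        return "deny"
    # Anything risky, or a stale MFA proof, costs the user another prompt.
    if risk_signals(session, req) or req.when - session.last_auth > REAUTH_WINDOW:
        return "step-up"
    return "allow"


def run_scenarios():
    """Constructed scenarios answering the article's '10 minutes' question."""
    t0 = utc(2024, 3, 4, 10)
    alice = Session("alice", "hr-analyst", last_auth=t0,
                    last_login_country="US", last_login_time=t0)
    return {
        "same resource again within 10 min": decide(alice, Request("hr-db", "US", later(t0, minutes=5))),
        "same resource after 15 min":        decide(alice, Request("hr-db", "US", later(t0, minutes=15))),
        "resource outside role":             decide(alice, Request("core-switches", "US", later(t0, minutes=5))),
        "second country within an hour":     decide(alice, Request("hr-db", "DE", later(t0, minutes=5))),
        "off-hours access":                  decide(alice, Request("hr-db", "US", later(t0, hours=13))),
    }


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:36} -> {outcome}")
```

The ordering is the point: the policy check is cheap and deterministic, so it runs before any behavioral scoring, and a request the role should never have made is refused without ever prompting the user. Whether a second country within an hour should deny rather than step up is exactly the kind of agency-specific choice the article leaves to the IT decision-makers; changing it is a one-line edit to `decide`.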
The move to zero trust is a journey, not a destination. The landscape is evolving, but it is possible to get started on the path to a more secure IT environment.