How to Implement Zero Trust: Six Steps to Getting Started

Bryan Christ

October 7, 2021

Recent ransomware attacks and data breach events have consistently broken through perimeter-based security architectures. These perimeters become more vulnerable by the day, as workforces continue to be remote or hybrid and businesses increase their use of Software-as-a-Service (SaaS), changing their network’s composition from closed to more open.

Zero Trust, a security approach first coined in the mid-90s, is suddenly more relevant than ever because it’s a cybersecurity methodology that doesn’t require a perimeter at all. You may be looking to ditch your perimeter-based virtual private network but be unsure how to implement Zero Trust.

Use these six steps as a roadmap for your organization.

Step 1. Rally a Dedicated Team

Zero Trust can be one of the most transformative actions an organization can undertake, and there’s a temptation to make it an organization-wide strategic initiative. This can dilute the effort, making it less imperative as it ranks below everyone’s top to-dos.

You should elect a small team tasked to plan and implement your Zero Trust migration, including internal team members from:

  • Applications and data security
  • Network and infrastructure security
  • User and device identity
  • Change Management

Remember: Your Zero Trust initiatives must have full sponsorship. Leadership and stakeholder support are crucial. Start with quick wins and high-ROI projects to sell decision-makers on your Zero Trust transformation.

Step 2. Assess the Environment

Taking an inventory of all devices that access your network is critical. You should compile the most comprehensive list you can, even if it's not entirely exhaustive. Include devices owned and not owned by your organization, but go further than simply cataloging. It’s imperative to understand these devices’ security status and the controls around them, too.

Look beyond hardware across resources to software and users, including:

  • Accounts
  • Groups and group memberships
  • Identities (new, added, or moved)
  • Non-human (application and service accounts)
  • Virtual machines and containers
  • Access devices such as workstations, laptops, and mobile
  • Servers, switches, and other network infrastructure

Step 3. Review the Available Technology

The National Institute of Standards and Technology (NIST) identifies three main approaches to implement a Zero Trust Architecture (ZTA):

  • Micro-segmentation
  • Enhanced Identity Governance (IAM and PAM)
  • Software-defined perimeter

Each of these has its strengths and weaknesses, but we recommend highly automated identity and access management (IAM), which offers one of the most advantageous and effective ways to launch your Zero Trust implementation.

Step 4. Strategically Plan Your Integral Zero Trust Security Activities

No two organizations are the same, so you should adopt this Security Fabric Framework as a planning aid to drive your Zero Trust modernization:

  • Start with multi-factor, adaptive authentication, and single sign-on (SSO)
    • For organizational leadership and IT decision-makers to see the benefits of Zero Trust, implement these to combat growing SaaS adoption and remote workforces.
  • Move to privileged access
    • Privilege abuse is a leading cause of ransomware hacks and data breaches. Vaulting and randomizing passwords for highly privileged accounts can shut down avenues for ransomware attacks which rely on swiping the keys to the kingdom.
  • Build out your identity fabric patchwork, and look beyond essential services at other pieces that may be necessary to your organization, including:
    • Reporting
    • Identity access
    • Messaging and alerting
    • Authentication
    • API gateway

Step 5. Define Operational Changes

Zero Trust can fundamentally change your security operations. Automating tasks can cause corresponding manual tasks to fall out of sequence and create security gaps. Your organization needs disciplined change management practices to keep processes in step and close these gaps as you stitch each piece of the fabric together and your next steps take form.

Step 6. Implement and Repeat

As your organization deploys new technologies, assess their value against security key performance indicators (KPIs) and top Zero Trust cybersecurity outcomes, including the average total time to contain incidents, which should decrease dramatically the closer an organization moves to Zero Trust.

Just Getting Started

This six-step Zero Trust model is adaptable and proven to help you advance toward your new IAM and PAM standard. Additional best practices can help your organization build the foundations to support a strong Zero Trust program.

Discover how to navigate this modern cybersecurity methodology with our eBook: Zero Trust Access Management: A Journey, Not A Destination.
