In today's COVID-19-impacted business environment, organizations face the challenging task of dealing with the security risks posed by mobile devices, remote workers, and cloud applications, while also fending off an increasing number of cyberattacks.
The perimeter-based security approach, which has been tried for decades, is not working. Even so, enterprises continue to spend billions of dollars on perimeter-based security gear. Last year, they spent $137 billion on virtual private networks, network access control, and web gateways, while two out of three enterprises still suffered a data breach. This approach costs organizations time and money that could be used in more productive ways.
By contrast, the Zero Trust framework focuses on access control instead of securing the disappearing perimeter. Zero Trust is based on not trusting anyone by default inside or outside an organization. Instead, verification is required from everyone trying to gain access to resources on the network.
Security technologies that enable Zero Trust include multifactor authentication (MFA), identity and access management (IAM), orchestration, analytics, encryption, and file system permissions. In addition to specific technologies, Zero Trust also implements policies that restrict users' access. Users should be limited to accessing what they need to accomplish their jobs, and only what they need. These policies enable administrators and security pros to have control in disparate IT environments.
Five Steps to Building Zero Trust
For organizations that are interested in Zero Trust, here are five steps to implement a Zero Trust framework.
1. Expand your audience
It is vital to get executive buy-in for a move to Zero Trust because implementation involves the entire organization, not just the security team. All levels of the organization must support and promote a shift to Zero Trust. The security team should document and communicate the benefits of Zero Trust before any technical work is conducted.
2. Address asset discovery and inventory
Asset discovery and inventory management are core components of Zero Trust. To carry this out, security teams must have visibility into the devices and other endpoints that access the network. Security teams should see what is on the network, what users are doing on the network, and whether they should be doing those things.
3. Understand the importance of data classification and assessment
In addition to asset visibility, data visibility is also key to Zero Trust. Organizations should understand what data they have and develop a set of data labels and tags. Doing so provides visibility into how data flows through the network and informs a structure to govern data. Sensitive data needs to be tracked, monitored, and protected through access controls.
4. Address user identity and least-privileged access
Zero Trust depends on providing the right access to the right people. Organizations must address gaps in their IAM architecture for both on-premises and cloud computing. To bolster IAM security, organizations should implement single sign-on (SSO) and MFA. Also, user access should be based on a least-privilege policy, so that the right level of access is granted for the specific task involved.
5. Address enterprise segmentation
For an effective Zero Trust implementation, organizations should implement network segmentation. By dividing the network into smaller segments that are access controlled, organizations can reduce the risk that an attacker can successfully move around a network. This is particularly important in stopping ransomware attacks from encrypting systems.
A Zero Trust security model brings together next-generation technologies to support a comprehensive security strategy intended to lower the risk of breaches and boost defenses against attack.
Zero Trust Framework and User IAM
In today's landscape, security is not about protecting the network; it is about controlling the access of people inside and outside the organization. As a result, a vital aspect of the Zero Trust framework is verifying the identities of users and controlling their access.
As an organization begins its Zero Trust journey, it will probably find that IT is struggling to manage fragmented and disparate identities across applications and services. Without an understanding of identities, the organization is left with large windows for attackers to exploit.
The first step for an organization implementing a Zero Trust framework is to assess where it stands with regard to two main elements:
- The organization’s business needs and compliance goals
- The access that its current employees and contractors have to each system
In the assessment phase, the organization should conduct a discovery of systems, both on-premises and cloud, and user entitlements. It should also perform a data cleanliness check to prepare the systems for integration. Clean, standardized data is easier to correlate and automate.
Then an organization should integrate systems and consolidate under one IAM system across on-premises and cloud environments. At this stage, an SSO platform secured by MFA should be implemented to ease user access to applications and systems while ensuring that the people accessing the systems are who they say they are.
The next step is to layer on role-based access policies based on the information gathered in the assessment phase. Access is granted based on the role that the employee or other user performs in the organization. He or she is only allowed the access required for that role; when the user changes roles, the access changes accordingly.
Finally, an organization needs to manage its identity and access controls continuously through the user's experience. This phase involves lifecycle management, segregation of duties, and access reviews and requests. Lifecycle management enables an organization to take control of the joiners, leavers, and movers through automated user provisioning and deprovisioning. Segregation-of-duties policies mitigate errors and fraud by preventing a single user from having too much authority. Regular access reviews help an organization to react quickly to access creep, lifecycle events, and entitlement updates, as well as policy violations.
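An access review of the kind described above, as an added example that is not part of the original article: it compares each user's granted entitlements with what the current role allows (access creep for movers, leftover access for leavers) and checks a segregation-of-duties policy. The role names, entitlement strings, and user records are constructed for illustration and do not come from any real IAM product.

```python
from dataclasses import dataclass

# Constructed role model: the entitlements each role needs, and nothing more.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:invoice.create", "erp:vendor.read"},
    "ap_approver": {"erp:invoice.approve", "erp:vendor.read"},
    "sysadmin": {"idp:user.provision", "erp:config.write"},
}
# Constructed SoD policy: entitlement pairs no single user may hold together.
SOD_CONFLICTS = [
    ("erp:invoice.create", "erp:invoice.approve"),
    ("idp:user.provision", "erp:invoice.approve"),
]

@dataclass
class User:
    name: str
    role: str            # current role, after any move
    entitlements: set    # what the systems actually grant today
    active: bool = True  # False once the user has left

def review(user):
    """Return (kind, detail) findings for one user."""
    # A leaver is entitled to nothing; an unknown role justifies nothing.
    allowed = ROLE_ENTITLEMENTS.get(user.role, set()) if user.active else set()
    kind = "excess" if user.active else "orphaned"
    findings = [(kind, e) for e in sorted(user.entitlements - allowed)]
    for a, b in SOD_CONFLICTS:
        if a in user.entitlements and b in user.entitlements:
            findings.append(("sod", f"{a} + {b}"))
    return findings

def run_review(users):
    """Map user name -> findings, omitting users with a clean review."""
    results = {u.name: review(u) for u in users}
    return {name: f for name, f in results.items() if f}

# Constructed sample: a mover who kept old access, a clean user, a leaver.
USERS = [
    User("alice", "ap_approver",
         {"erp:invoice.approve", "erp:vendor.read", "erp:invoice.create"}),
    User("bob", "ap_clerk", {"erp:invoice.create", "erp:vendor.read"}),
    User("carol", "sysadmin", {"idp:user.provision"}, active=False),
]

if __name__ == "__main__":
    for name, findings in run_review(USERS).items():
        for kind, detail in findings:
            print(f"{name}: {kind}: {detail}")
```

In the sample, the mover's retained invoice-creation right surfaces both as excess access and as a segregation-of-duties conflict, which is why role changes should trigger deprovisioning rather than only new grants.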
Identity Solutions Can Help with Zero Trust
Identity Solutions can help you leverage identity and access management technology to implement a Zero Trust framework and gain increased visibility into who is accessing your applications and systems. Our approach is founded on a Zero Trust framework. We can advise you on what employees, contractors, and others are doing on your systems and whether they should be able to do those things.
Identity Solutions assists you in the execution and management of your workflows, access policies, and security program. We have experts that can organize your systems so that the right people get the right access securely, all within a Zero Trust framework.
Our recently released e-book is a free resource we offer to help take your security implementation and organizational compliance to the next level. Implementing your secure identity strategy has never been easier, and taking the security of your organization seriously in the face of ever-evolving cyberthreats is just a click away.