This blog post is the first in a series that will discuss how to simplify the adoption of the zero trust model. If you are not familiar with this concept, we recommend that you start by reading about the zero trust economy and architecture. However, those who are already familiar with the topic know that implementing a zero trust security model can be challenging.
According to the Zero Trust Roadmap website, the zero trust architecture consists of seven components, and the ideal implementation requires fulfilling 28 steps that involve different levels of effort and IT areas. This may seem daunting, but the benefits of adopting zero trust are rewarding.
Fortunately, as hard as the climb to zero trust architecture may be, it is possible to simplify it so that, by passing certain points along the way, you can build a foundation to reach the peak faster. In this post, we will present the first steps to achieve this goal.
Requirements for a Simplified Zero Trust Journey
The first thing to do is come up with a plan to simplify your journey. According to Forrester’s best practices, this plan should be guided by four steps: identification, solution mapping, microsegmentation and journey. Below, we explain each of them.
Identification
Identification is the starting point for the simplification journey. It is where all the components of a zero trust ecosystem are inventoried (data, workloads, networks, users, and devices).
Data
In order to protect and manage sensitive company data, it is necessary to identify it. When identified, data can be categorized and classified so that access control can be established.
It is worth emphasizing that the visibility of events that occur in applications is important for data access control. After all, this allows for an understanding of how the data has been treated and by whom (and in what ways) it has been accessed and shared.
Workloads
In the zero trust context, workloads refer to all elements of front-end and back-end systems that run the business and help it win, serve, and retain customers[1].
This includes connections, applications, and components that can serve as attack vectors and therefore require a strict security mechanism to prevent exploitation by intruders.
Network
This covers all public, private, and virtual networks existing in the company. Identifying networks enables the creation of granular access control for users, endpoints, and devices through a process called microsegmentation, which we will discuss later.
Users
This step consists of identifying all users/entities (and their respective roles) on the network. With this information, it is possible to establish access control based on the role of each user (role-based access control, RBAC).
The RBAC concept enables the application of a zero trust model. As users should only have access to what is necessary to perform a task or function, RBAC allows determining by whom and how specific data or services can be accessed.
Devices
A device is any physical or virtual asset that communicates with the network, such as a laptop, IoT, or API. Identifying devices allows the security team to protect and manage them according to zero trust best practices.
As the devices are identified and analyzed, the security team broadens its perception of the risks (risk awareness) that they represent for the security of the data and the application itself.
Solution Mapping
After the identification step, the mapping of solutions begins. This step is where the minimum privileges are configured, and the access parameters are determined for each data or service (who, what, why, when, and how), also applicable to workloads, networks, and devices.
As you already know, granting minimal access is one of the pillars of the zero trust model, and it works quite simply in practice. For example, to carry out their function, an accountant needs access to the company’s financial information, but not necessarily all of it. Therefore, their access must be restricted to only the relevant part of the firm’s financial information.
Likewise, an API should only communicate with the applications and services corresponding to its function. If an API’s purpose is to connect an application component to a database, any access permission beyond what is strictly needed to perform this task represents a security weakness.
Microsegmentation
Microsegmentation is the logical division of infrastructure, networks and applications into distinct security segments, whereby each component is configured and managed individually, without interfering with the others.
We can compare microsegmentation with containers. Like containers, segmented components have their own infrastructure features and security settings, and attackers cannot roam freely across the network because the segments are “isolated” from each other.
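As an added illustration (not code from the original post), the following Python sketch models the solution mapping and microsegmentation ideas above: a constructed inventory of resources tagged with their segment and data classification, default-deny rules such as an accountant who may only read the accounts-payable part of the finance data and an API identity that may only reach its own database, and a helper that shows the blast radius a compromised identity would have. All resource names, segments, roles and tags are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    segment: str        # microsegment the resource lives in
    tags: frozenset     # data classification labels from the identification step

@dataclass(frozen=True)
class Rule:
    role: str           # user role or service identity
    segment: str        # the only segment this role may reach
    tags: frozenset     # every tag here must be present on the resource
    actions: frozenset  # actions permitted (who, what, how)

# Constructed inventory (output of the identification step)
RESOURCES = {
    "ledger-ap": Resource("ledger-ap", "finance-db", frozenset({"financial", "accounts-payable"})),
    "ledger-payroll": Resource("ledger-payroll", "finance-db", frozenset({"financial", "payroll"})),
    "orders-db": Resource("orders-db", "orders-db", frozenset({"customer"})),
    "orders-api": Resource("orders-api", "app-tier", frozenset({"service"})),
}

# Constructed least-privilege rules (output of the solution mapping step)
RULES = [
    # the accountant sees only the accounts-payable slice of financial data, read-only
    Rule("accountant", "finance-db", frozenset({"accounts-payable"}), frozenset({"read"})),
    # the orders API talks only to its own database segment
    Rule("orders-api", "orders-db", frozenset({"customer"}), frozenset({"read", "write"})),
]

def is_allowed(roles, resource_name, action):
    """Default deny: a request passes only if some rule for one of the caller's
    roles matches the resource's segment, covers its tags, and lists the action."""
    res = RESOURCES.get(resource_name)
    if res is None:                      # unknown resource: never trust
        return False
    for rule in RULES:
        if (rule.role in roles and rule.segment == res.segment
                and rule.tags <= res.tags and action in rule.actions):
            return True
    return False

def reachable(roles, action="read"):
    """Blast radius: every resource an identity with these roles could touch,
    which is what a stolen credential would give an attacker."""
    return {name for name in RESOURCES if is_allowed(roles, name, action)}
```

Swapping the accountant's tag set for `frozenset({"financial"})` widens `reachable({"accountant"})` to both ledgers, which is exactly the over-broad grant the text warns against.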
Journey
The journey is the last step on the list. It encompasses preparation and planning, based on information gathered in the identification, access control and implementation phases.
- Preparation: involves creating a roadmap that provides a visualization of activities, resources, and dependencies necessary for the execution of an efficient zero trust strategy.
- Planning: elaboration of a plan that indicates how the zero trust strategy will be executed based on processes (management of changes, requests, etc.), mapping (devices, users, among other variables), workflows, and data flows.
- Access control: identifying maturity, gaps, and potential risks involving inventories to document assets, data flows, and workflows within the company.
- Implementation: building a zero trust policy and defining accountability for individuals and systems, and ongoing monitoring, i.e., “never trust, always verify” in practice.
By implementing these four phases, the company has successfully built a zero trust approach. Now, efforts need to be dedicated to maintaining the zero trust framework, which implies constant review of the planning and also monitoring of changes that may occur in the company.
Benefits of a Simplified Zero Trust Journey
Preparation is critical to ensure that the security team has the necessary visibility to make the implementation not only successful but also meet the requirements of an efficient zero trust architecture. Without it, any action aimed at implementing the model would be useless.
Apart from providing proper direction for the next stages of the journey, implementing a zero trust framework, in which access to any resource on the network is granted only according to trust dimensions and parameters, means following the opposite path to traditional security models, whose access controls are more lenient.
With the identification, solution mapping and microsegmentation steps well conducted and structured, it is much easier to develop a defense posture that minimizes the impact of threats, as your security team will be able to:
- limit the reach of an attack within the network;
- quickly respond to an attack by creating custom blocking mechanisms appropriate for each segment of the application;
- cover blind spots that would continue to exist if they were not identified;
- perform monitoring complemented by data analysis that contributes to a proactive and corrective posture.
Next Steps Towards Zero Trust
As much as the zero trust architecture makes a difference in the current context of cybersecurity, its value is lost when the company itself does not follow the approach to the letter. Therefore, it is important to review the solution mapping frequently to redefine rules and conditions whenever necessary.
A common scenario is contract renewal with suppliers. This is because they can bring about changes that influence the strategy at specific points, such as the use of an API or a web application firewall. If the parameters are not updated as a result of these changes, the zero trust architecture will be impacted.
Assuming your zero trust framework is calibrated and ready for the next steps, how do you proceed? In the next post, we’ll explain how to segment APIs and applications.
If you want to understand how the zero trust security approach contributes to data protection, you will find what you are looking for in this article!