Zero Trust Part 2: Implementation Considerations
Zero Trust is not just one technology or solution; it comprises a series of technologies, policies, and protocols along a journey toward secure access and data protection.
Although the journey may take time — on average, 1.4 years for companies to adopt a Zero Trust architecture, according to the latest IDG Security Priorities study — it’s all doable.
With that in mind, here are steps toward implementing Zero Trust.
A piece of advice at the outset: “Don’t do too much too fast,” says Wolfgang Goerlich, CISO Advisor with Cisco. “Have specific goals, meaningful use cases, and measurable results.”
- Establish a vision.
Like a mission statement, Goerlich suggests establishing a vision for Zero Trust in your organization. “It might be: We’re going to ensure that identities are trusted, and that trust is evaluated whenever they’re entering into our environments — whenever they’re authenticating and accessing information.”
Many boards of directors and CEOs are not necessarily familiar with Zero Trust, so “You can’t just go to them and say, ‘Oh by the way, we’re not going to trust anyone anymore.’ You don’t want to be the CISO who says ‘No’ all the time.”
The vision should be about enabling the organization to continue to meet business objectives with flexibility, while providing an appropriate amount of security.
- Start with a specific use case.
Zero Trust is about securing users, applications, and the IT environment:
- Workforce: Protect users and devices with identity verification and access management
- Workloads: Secure workloads and contain lateral application movement
- Workplace: Gain control of network connections and access, while containing endpoint threats
“Identify which use case is the most important to you,” Goerlich says. Some organizations might find it easier to start with user access, while others have significant equipment to protect. “As you go, ensure the work reflects the Zero Trust vision while reducing specific risks.”
- Establish a strong identity.
Identity and access management strategy is a core tenant of Zero Trust.
For example, in the workforce use case, multifactor authentication (MFA) technology consistently enforces policy-based controls to determine the user’s identity, the health of the device they’re using, and whether that user should have limited access to applications and systems.
“Examine who is accessing and what they will access,” Goerlich says. “The perimeter is anywhere we make an access control decision. Make the decision based on strong identity, device health, and user behavior.”
For workloads and workplace, have an inventory of applications, devices, and gear. Enforce access controls based on context and policy. For example, is this device patched and free from malware?
- Stay the course and build momentum.
Zero Trust doesn’t stop with contextual authentication for employees.
“The application and infrastructure sides — workloads and workplace — may require more work,” Goerlich says. “Those projects oftentimes take months, even years.”
To build momentum, start with a series of small Zero Trust projects with deliverable milestones, and demonstrate success every few months by showing how risk has been reduced.
“We need to show the board progress. With specific initiatives aimed at specific use cases, we can demonstrate progress towards Zero Trust,” Goerlich says. “You build momentum and a track record for success.”
Next Steps
Learn from others. Cisco has deployed Zero Trust internally to protect application access for 140,000 users. CISO Steve Martino explains how it was done here.
While you’re there, also check out Cisco’s resources on Zero Trust.
Copyright © 2020 IDG Communications, Inc.
Gloss