7 key steps to Zero Trust

April 16, 2020 | Derrick Johnson

This is part 3 of a three-part blog series. You can also read part 1 and part 2.

My last two blog entries provided some key elements of a Zero Trust Network (ZTN), focusing on the tenets of Zero Trust and on how confidence in untrusted traffic is established and authorization is re-evaluated on a continual basis. The comprehensive nature of Zero Trust can be a little overwhelming in a world of limited resources, time and budgets. As security breaches persist, organizations understand that something must be done, and Zero Trust is most certainly worth looking into.

As an organization begins their journey to Zero Trust – first acknowledging that it is, in fact, a journey involving lengthy cycles of assessing, planning, architecting and designing, piloting and implementing – it is important to understand how far you want to take this journey and then follow an overall roadmap to get you there.  At a high level, this plan or roadmap should cover the following:

  1. Develop a strategy – Understand first why you want to take the organization to Zero Trust. What are the overall goals of the business? Do you only want to target a specific portion of your network, or the entire enterprise? Will you only be implementing a software defined perimeter, washing your hands and saying “Done!”? Mapping the business’ goals to the cyber threats putting those goals at risk will help formulate the Zero Trust strategy to mitigate that risk. This will help you build your case and get executive buy-in, because without that you will not have the support you need to see this journey to the end. The length of your journey will be determined by the strategy. Given the broad nature of Zero Trust, many key departments of the business, such as development, finance, legal and HR, should also be involved in and/or consulted on the overall composition of the strategy. Involving the right people early in the process not only fosters better communication, but also helps to provide for a successful deployment overall.
  2. Define your Element of Protection – As your strategy is being developed, you need to understand what you are trying to protect. Most likely your defined element or elements of protection are your business data. You need to determine what part of your business assets will be protected. Will it be only sensitive data? Customer data? All data? What are the varying levels of data you need to protect? PCI and ePHI data, for example, may have different classifications than financial records or product designs. You need to classify all data to understand how it is to be protected.
  3. Enumerate your data & traffic flows – The next step is to see where that data is stored, where it is going, and who or what is handling that data. This is a critical step since it will drive the bulk of the policy decisions in your architecture. You also don’t want to complete your Zero Trust journey only to discover that a breach still occurred because of some neglected area. Mapping these transaction flows will also draw on asset and application inventories, and the resulting taxonomy will be used in other development areas. For example, a data transaction discovered running from an application server to a database will involve cataloging the access requirements of the application, the users that access that application, how they access the data, the application owners, system owners, supporting developers, database owners and administrators, and the communication requirements on the network. Obtaining as much information as possible for each component at every step along the flow will gain you enormous ground in developing policy and the automation components that dynamically change that policy.
  4. Assess Your Zero Trust Maturity – Many organizations already have various elements of a ZTN operating on their network today. A company that has effectively implemented DLP technology across the enterprise, for example, has already determined its sensitive data and understands its location. Furthermore, a company that has already migrated to a next generation application aware firewall, and utilized that technology for remote access VPN, may have the makings of sufficient policy and enforcement engines for the enterprise. Understanding what you currently have implemented in your environment, how that can fulfill the Zero Trust tenets, and what needs to change to meet those tenets can be very effective in developing the overall architecture, establishing the implementation roadmap, and understanding and allocating resource time and financial budgets.
  5. Design and Build the Zero Trust Architecture (ZTA) – The ZTA will outline what the authorization core will look like as it relates to on-premises, cloud, B2B transactions and other elements in the organization, and how it will interact with data stores, analytics, threat intelligence, PKI, ID management, and vulnerability management systems. It may involve a more agent-based approach and/or collectively group resources together with authentication and policy being governed at a gateway. It may be difficult to evaluate confidence in public transactions to a web server from a Zero Trust perspective, but the data that is provided by the web server may govern how much or how little authorization is programmed into the web application, for example. The architecture will define how much of your ZTA is made up of software defined perimeters, micro-segmentation, or governed by identity. As you understand where the crown jewels are versus the least sensitive systems within your network, you can also begin to formulate your pilot program. The pilot program will allow you to get the kinks out, adjust KPIs and teach you how to operate in a ZTA overall with limited impact to your business. Pilot programs should focus on the least sensitive data elements first before moving on to the more mission-critical crown jewel systems.
  6. Build the Zero Trust Policy – The implementation of a trust algorithm can involve a score-based approach, or an approach involving certain criteria that must first be met. It can also evaluate each request in isolation, or weigh a request in context with other requests that have been made. What that trust algorithm looks like is key in establishing policy based on the enumerated traffic flows and data classification. Policies leveraging contextual and score-based trust algorithms require a lot of planning, testing and tuning of the algorithm’s criteria, weights and measures to get to a point that matches defined metrics. The policy will incorporate the trust and risk elements in its composition and adjust access authorizations accordingly. The policy’s composition will also rely on the overall architectural approach, since policy driven by identity may rely on different criteria than policy involving software defined perimeters.
  7. Monitor and Maintain – Once you’ve established your Zero Trust environment, it needs the same regular care and feeding as any other implemented security initiative. Analytics and automation play a key role in dynamically adjusting policy based on activity and threats, and benchmarking this activity against performance metrics will help to illustrate return on investment, reduced risk, enhanced performance and overall success. Monitoring will also determine whether more resources are required to handle increased load on the authorization core, and effectively identify elements that require attention so that defenses can be preemptively adjusted through automation, providing for a continuous Zero Trust state.
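As an added illustration of the trust-algorithm choices in step 6 (example code, not from the original post), the toy policy engine below evaluates one access request three ways: criteria-based, score-based, and score-based in context with the subject's recent requests. The signal names, weights, thresholds and sample requests are assumed values constructed for this example.

```python
from dataclasses import dataclass, field

# Minimum confidence score required per data classification (assumed values).
THRESHOLDS = {"public": 20, "internal": 50, "pci": 80, "ephi": 80}

# Weight of each observed signal in the score-based algorithm (assumed values).
WEIGHTS = {"mfa": 30, "managed_device": 25, "patched": 15,
           "known_location": 10, "business_hours": 10, "role_match": 10}

@dataclass
class Request:
    subject: str
    resource: str
    classification: str
    signals: dict                       # signal name -> bool, as observed
    history: list = field(default_factory=list)  # recent outcomes, True = allowed

def criteria_based(req: Request) -> bool:
    """Every required signal must hold; there is no partial credit."""
    required = {"mfa", "managed_device", "role_match"}
    if req.classification in ("pci", "ephi"):
        required.add("patched")          # stricter criteria for regulated data
    return all(req.signals.get(s, False) for s in required)

def score(req: Request) -> int:
    """Sum the weights of the signals that hold for this single request."""
    return sum(w for s, w in WEIGHTS.items() if req.signals.get(s, False))

def contextual_score(req: Request, window: int = 5) -> int:
    """Weigh the request against recent history: each denial in the window
    lowers confidence, so a subject that was recently refused several times
    needs stronger signals to be authorized again."""
    recent = req.history[-window:]
    denials = sum(1 for ok in recent if not ok)
    return score(req) - 15 * denials

def score_based(req: Request, contextual: bool = False) -> bool:
    """Compare the (optionally contextual) score with the classification threshold."""
    s = contextual_score(req) if contextual else score(req)
    return s >= THRESHOLDS[req.classification]

def decide(req: Request) -> dict:
    """Return the outcome of each algorithm so the differences can be compared."""
    return {"criteria": criteria_based(req),
            "score": score_based(req),
            "contextual": score_based(req, contextual=True)}
```

Tuning the weights and thresholds against the enumerated flows and classifications from steps 2 and 3 is exactly the planning and testing effort the step describes.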

As an organization evaluates its risk and plans its strategy for Zero Trust, it will discover that a Zero Trust Architecture enables many cloud, IoT and advanced network deployments that are future-ready for the environment and help it become more efficient and cost effective. Better organization, reduced overhead and reduced financial spend overall are just some of the ancillary benefits discovered on the road to Zero Trust. It is extremely important, however, to understand that the move to Zero Trust is not completed overnight, by a technology refresh, or by the implementation of a single solution. Cybersecurity is in the business of protecting the business, so an initiative of this nature should never be undertaken haphazardly. By taking a more strategic approach to Zero Trust, security organizations can effectively gain the support of the business, assess where they currently stand with respect to Zero Trust, map out a plan of action, significantly reduce breach probability, and successfully protect their critical business assets and the business as a whole.

About the Author: Derrick Johnson

Derrick Johnson is the National Practice Director for Secure Infrastructure Services within AT&T Cybersecurity Consulting, responsible for its direction and overall business performance. Derrick's practice provides strategic and tactical cybersecurity consulting services around next-generation network and cloud security architectures, zero trust networking, logical and virtual network segmentation and micro-segmentation, security operations, orchestration and automation, and firewalling, among other initiatives. Derrick is a Certified Information Systems Security Professional (CISSP) who joined the AT&T Cybersecurity Consulting team through the acquisition of the VeriSign, Inc. Global Security Consulting business, which was completed in October of 2009. Prior to working for VeriSign, Derrick was the Global Information Security Officer for Stream International; a global business process outsource (BPO) service provider specializing in customer relationship management services. Prior to Stream, Derrick was a Senior Associate on KPMG’s Information Risk Management team, specializing in Information Security Services. Before becoming a consultant Derrick spent four years in systems and network engineering, with a role as a Senior Network Engineer with America OnLine, performing network engineering and administration for America OnLine’s Advanced Network Services (ANS) team. Derrick earned his BS in Computer Engineering from Syracuse University.
