How to build a Zero Trust strategy for your business

September 1, 2021  |  Mark Stone

This article was written by an independent guest author.

Today, corporate and business networks have drastically evolved — our data spans multiple locations, cloud vendors, and a growing number of endpoints. Traditional security, once reliant on protecting organizations from the perimeter and trusting devices inside the network, has become less effective.

Adding to the complexity, the work from home (WFH) model is being embraced by many organizations as they adapt to a rapidly shifting business climate. Corporate Bring Your Own device (BYOD) initiatives are also much more commonplace.

Managing all these new connections represents a significant challenge for most companies, as they must be diligent about protecting data — including corporate, financial, personal and customer information.

The corporate network and workplace show no signs of returning to the pre-pandemic climate. We can only expect more remote connections on our networks.

Adopting the Zero Trust model should be a critical consideration for any company’s security strategy to achieve secure, agile, and adaptable systems and networks.

What is a Zero Trust strategy?

Zero Trust is a strategic initiative created to prevent successful data breaches by championing the concept of “never trust, always verify” across an organization’s network architecture.

If you understand the concept of network segmentation, Zero Trust is like an amplified version of that strategy. With Zero Trust, the concept of segmenting networks is expanded to include more granularity and micro-segmentation. Additional rules are enforced based on users, where they connect from, and other relevant details to ensure that the person, device or application requesting access should be trusted.

By default, the security status of an endpoint is untrusted. Until the Zero Trust network can verify the user and location, it will not authenticate and allow access.

After an endpoint has been authenticated, a restrictive policy can be carried out for that specific session.

Think of Zero Trust like the “need-to-know” basis used by the government: policies only provide the exact amount of network access required for users, machines or apps — nothing more, nothing less.

Essentially and ideally, your business should verify anything and anyone attempting to connect to your systems before granting access.

Zero Trust draws on technologies such as identity access management (IAM), multifactor authentication (MFA), encryption, analytics, and file system permissions. Zero Trust strategies call for users to be granted the least access required to accomplish a specific task.

Remember what Zero Trust is and what it is not. It IS a strategy, model, theory, or architecture. It is NOT a singular tool, software, security appliance, or piece of hardware.

Can Zero Trust work for any sized business?

Yes, Zero Trust can work for businesses and organizations of any size. However, there is a caveat here that must be addressed.

First, and most importantly, a Zero Trust strategy can absolutely benefit businesses of all sizes. After all, preventing breaches and reducing risk is always the primary cybersecurity goal.

However, many businesses will not have the staff, resources, experience, or knowledge required to carry out a Zero Trust strategy. Other companies may possess all the above but have so many networks and endpoints they don’t know how or where to start.

If you’re a small business today, you shouldn’t have to avoid or delay network security initiatives because of your limited budgets. As Zero Trust gains in popularity, there are many options available to small and mid-sized businesses to match their specific use cases and risk profiles.

Many non-enterprise level companies are partnering with managed service providers to help them establish their Zero Trust strategy.

How to implement your Zero Trust framework

There are many articles available that explore how you can implement the Zero Trust framework in your environment. We’ve covered it in much more detail here and here

But in this article, we’ll break it down into simple concepts and five fundamental steps.

  1. Define your goals. The first step of your Zero Trust strategy is to nail down your business goals. Align those goals with cyber threats to mitigate risk. Finally, identify key staff and departments that need to be involved. Ideally, there will be buy-in at all levels of the organization.
  2. Identify what must be protected. As you develop your strategy, you need to determine what types of data and which business assets must be protected. You’ll also need to identify where data is stored, how it travels across your network, and who or what has access to the data.
  3. Assess your Zero Trust readiness. Do you have any elements of Zero Trust (like network segmentation) already in place in your environment? What tenets have you implemented today and what needs to change so you can get closer to Zero Trust? Being honest about where you stand and possessing that organizational self-awareness will improve the process and allow you to better allocate resources, time, and financial budgets. Finally, you should establish a baseline of network activity to differentiate normal traffic from abnormal activity.
  4. Build your architecture, define policy and limit access. Now it’s time to put the plan into action. How will you segment your network and control access to data and resources? Once you determine where the crown jewels are and which data and systems are less at risk, you can embark on a pilot program to work out the kinks. Next, a Zero Trust policy should be drafted that incorporates a score or rating-based trust algorithm. Your policy should find a balance between trust and risk elements so access can be granted accordingly.
  5. Monitor and maintain. Once the strategy has been implemented, it must still be managed. By leveraging analytics and automation, you can dynamically adjust your policy and strategy based on activity and threats. Properly monitoring and maintaining your implementation is critical to preserving a Zero Trust state.

Which departments should be a part of the process?

Adopting a Zero Trust strategy is a team sport. All leading departments of your business — including security, business development, IT services, and operations — should actively participate.

Key decision-makers of a company’s digital transformation should be the primary drivers for the security architecture, strategy and vision. If possible, you should establish a dedicated team with specific tasks for each individual with enough authority to ensure the process and migration is smooth.

CIO and CSOs should have the support of other senior decision-makers in order to promote the strategy.

How AT&T Cybersecurity Consulting can help

If you’re just getting started on your Zero Trust journey, the planning, strategy, and implementation can seem overwhelming. Your organization may be too small to have a CIO, CSO or even a security department.

As mentioned earlier in the article, many small businesses succeed with their Zero Trust strategy by working with an expert consultant

The complications surrounding Zero Trust can be simplified with an industry advisor to help you implement a strategy across all your business's different departments and stakeholders.

Remember, there is no single product you can buy for Zero Trust. Zero Trust is a strategy or framework. To achieve Zero Trust, especially as a small to medium-sized business, it’s better to start with a trusted advisor to do an assessment and provide a roadmap specific to your organizational requirements and risk tolerance level.

Share this with others

Tags: