This blog was written by an independent guest blogger.
The network is rapidly changing – What was once known as the ‘perimeter’ that comprised of a crunchy solid exterior with a soft chewy center consisting of endpoints has eroded into a mush of mobile devices, BYOD, IOT and hybrid cloud. Corporate applications and data are moving from on-premise to hybrid and cloud environments increasing cloud workloads by the day and enterprises want to give their staff the ability to access data anytime, anywhere - The location of applications, users, and their devices (which are sometimes unmanaged) are no longer static.
Traditional perimeter security methods have done little to stem the flow of today’s cyber-attack reality and this is where Zero Trust Architecture (ZTA) comes to the rescue!
‘Zero Trust’ was first introduced by Forrester Research and considers ‘inherent trust’ as a critical vulnerability. The strapline for Zero Trust is ‘never trust always verify’- everything from the user’s identity to the application’s hosting posture is used provide least privileged access- even after authentication and authorisation in many cases.
The National Institute of Standards and Technology (NIST) approach for Zero Trust, focused on 8 principles have been listed below:
1. All data sources and computing services are considered resources.
2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioral attributes.
5. The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture.
Some of the key benefits of ZTA include:
- Helps reduce the risk of a breach
- Enhances visibility by discovering and classifying devices on network to discover and classify all devices on the network
- Supports regulation and compliance activities
- Greater control over cloud environments
- Enables digital transformation initiatives
While there are many benefits of implementing ZTA, it is by no means straight forward to achieve and there are a few factors for any business to consider before embarking on a ZTA journey. Some of these factors are listed below -
ZTA is not a product – it does not come in plug & play! ZTA programs can be complex, time consuming and expensive initiatives that need to be tailored to each individual organisations needs. The complex network infrastructures we see in today’s enterprises can present huge challenges if they are not micro perimeter compatible, leading to expensive redesign and testing which are potentially disruptive to business operations. Therefore, there needs to be a serious business case to invest in a ZTA.
ZTA Requires Strong Data-Centric Context: In ZTA, verification and access controls are based on the data, not the platform or application. Therefore, enterprises need to identify what users, data and resources are connecting across the organisation. The key challenge is therefore mapping the flows of sensitive and critical data, identifying who needs to have access to it and then segmenting/zoning the network based on data classification. This can be a hugely complicated exercise involving multiple stakeholders.
Legacy systems and applications can make it difficult to implement ZTA as they are harder to reconfigure or rearchitect to fulfil the micro-segmentation requirements of zero trust.
In its simplicity, ZTA helps answers the core fundamentals crucial to any cyber security strategy - What are we trying to protect and from whom? Where does our most critical data reside and who has access to it? As cyber criminals are finding innovative ways to permeate through our networks and steal valuable data through stolen credentials and social engineering means, ZTA should form the backbone of any largescale security (improvement) program, alongside other technological, people and process initiatives.
Please view my video on this topic to hear more.