Zero Trust Strategy
"If you fail to plan, you are planning to fail." -Benjamin Franklin
The Challenge
Today, the trade-off between security and productivity is holding back complete Zero Trust adoption. On the one hand, the drive towards greater user productivity creates risk exposure, since few constraints are placed on the user. Users wants the freedom to be able to access what they want, wherever they are. At the same time, the push for greater business security drags down execution, as users become bogged down by access requirements.
The goal should be to eliminate this trade-off. Frustrate attackers, not users! The Zero Trust "sweet spot" promotes high productivity and strong security.
It should go without saying, but there is tremendous value in getting Zero Trust right.
Zero Trust Principles
Remove Implicit Trust
The world spent decades connecting users and devices to networks without any restrictions. Removing implicit trust means to deny by default vs. allow by default. Organizations cannot place implicit trust in any entity, and context should be continuously evaluated. It is this implicit trust that attackers abuse: once the perimeter is breached, they have access to everything on the privileged intranet.
Enforce Risk-Based Least Privilege Least Privilege
Once implicit trust is removed, all access control policies should be risk-based and enforce only the essential access to perform its intended function is allowed. The priciniple of least privelege (PoLP) maintains that a user or entity should only have access to the specific data, resources and applications needed to complete a required task. Organizations that follow the principle of least privilege can improve their security posture by significantly reducing their attack surface and risk of malware spread.
(Source: Wikipedia: Least Privilege)
Assume Compromise
The assume compromise principle takes the position that an organization should build and maintain its security posture based on the idea that the organization’s information systems have already been compromised. When you design & deploy security with the assumption that the network, user, devices, apps, and data are breached, you minimalize the blast radius of attacks. Just as importantly, encrypting all sessions end-to-end; and use of analytics for threat detection and posture can mimimize the impact of the cyber incidents. (Source: Microsoft)
Barriers to Success
What is preventing your organization from hitting the "sweet spot" of zero trust? These are some common barriers to success we have encountered:
-
Execution plan is too broad
- Without a clear roadmap for execution, it is almost impossible to achieve a goal.
-
No sponsorship or support
- C-suite sponsorship and support is a requirement for business objectives. Without buy-in and budgeting, security initiatives will fail to hit their mark.
-
Objections/poor communication
- Clear communication is key. If your organization doesn't understand what they are doing, and why, then don't be surprised if they execute poorly on objectives.
-
Inability to show progress
- Metrics to measure success is a necessity. Without metrics, it is impossible to measure, and document, the benefits of new security initiatives.
-
Technical debt
- No one knows how that application works
- That was a workaround or exception.
Create a Zero Trust Strategy
A call to action:
-
Perform a Zero Trust Assessment of current zero trust architecture, capabilities, maturity, and gaps for all zero trust domains.
-
Create workstreams with specific stakeholders and subjet matter experts
-
Identify accelerators for each workstreams
- Business initiatives or objectives
- Technology refreshes or migrations
- Security and compliance risks
-
Set realistic expectations around a tightly focused scope
- What are the top things, that if you can deliver, will make the biggest impact on your overall success?
- What is not critical to your success?
-
Create an actionable strategy including a proposed zero trust architecture, journey, and metrics
- Is there a logical order for execution?
- Can you rely on some steps to happen naturally if others are successful?
-
Then iterate