In case you missed it: federal agencies have to make the move to zero-trust architecture (ZTA) by end of fiscal year 2024.
It’s a great goal. But this move is breaking new ground. The steps forward may not seem clear. If you’re feeling overwhelmed or you’re not sure where to begin with zero trust, this is a great place to start. Read on to learn the mindset you should adopt to lead the charge towards ZTA, along with some technical tips for getting started.
For ZTA, Adopt a Marathon Mindset
ZTA is not “achieved” through a single technology, nor is it solely a technology issue. It is a methodology that requires a paradigm shift in how your organization approaches information security. That’s an important distinction to make, because in order to implement ZTA, your organization will need to employ the right people, processes, and technology to prepare for organizational and cultural changes.
When you think about ZTA, think about it as a marathon – not a sprint. You’ll likely need to tackle some fundamental cybersecurity issues while also preparing for organizational and cultural change. Each of these is a project in itself. Taking it one step at a time is going to be important.
These are five steps you can take toward implementing zero trust.
Five Steps Toward ZTA
Before we begin, the overarching theme for this process is improving cyber hygiene. Zero trust is still built on the basic principles of information security.
Know your data, applications, assets, and services
To do zero trust well, you have to understand what you need to protect. You need an inventory of your data, applications, assets, and services, and an understanding of how they interact with each other. When it comes to segmenting your environment, knowing the relationship between your assets is crucial. Additionally, if one of these things breaks or gets compromised, you know what else it affects.
After you’ve established comprehensive inventories and relationships, you’ll need a data classification schema. This means that data is categorized by priority, and access permissions are established based on low, medium, or high priority. For example, if something is very important to secure, it should have limited access. And the best way to do that? Use technology to automate this process, so that once data is categorized, it is immediately classified and protected.
Assess current people, processes, and technologies
Similarly, you’ll need to perform a gap analysis of your people, knowledge, skills, and technologies. Do you have the right people who can architect a zero-trust network? Do you have people who can be responsible for the things listed above, like inventory and access control? You’ll also need point people for change management, and a process for tracking and releasing changes to your environment.
Don’t forget: the great thing about ZTA is that you can build on what you already have. The key is to know what you’re currently doing, and whether what you’re doing is working. You may need to add technology to your stack as you build, and you may need to change some configurations. Conducting these gap analyses will help guide those decisions.
Establish conditional access and impossible logon rules
This step is all about understanding normal patterns of behavior, so that you can spot aberrant behavior. For example, if you know staff from a certain department normally never log in after a certain time in the evening, someone logging in after that time should raise a red flag. An extra level of protection here is conditional access – if you know that staff won’t need to log back in at night, you can set up rules that prevent them from logging in between 6 pm and 8 am. Along with this principle, you should have parameters in place for how people connect remotely to your systems.
Impossible logon rules prevent behaviors that should be impossible. For example, a staff member logs in from the east coast, then logs in again 15 minutes later from the west coast. You should have rules in place that prevent this type of behavior.
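As an added illustration (not code from the original post), here is a small Python checker that applies both rules to a handful of constructed login events: an off-hours rule per department and an impossible-travel rule based on the distance between two consecutive logins. The department hours, the 900 km/h travel ceiling, the user names and the coordinates are all assumptions.

```python
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt

# Constructed sample login events (not real data):
# (user, department, local timestamp, latitude, longitude)
EVENTS = [
    ("alice", "finance", "2024-03-04T09:05:00", 38.90, -77.04),   # DC, business hours
    ("alice", "finance", "2024-03-04T09:20:00", 37.77, -122.42),  # SF, 15 minutes later
    ("bob",   "finance", "2024-03-04T23:30:00", 38.90, -77.04),   # DC, after hours
    ("carol", "ops",     "2024-03-04T23:45:00", 41.88, -87.63),   # ops has no hours rule
]

# Assumed conditional-access policy: finance may only log in 08:00-18:00 local time.
ALLOWED_HOURS = {"finance": (time(8, 0), time(18, 0))}
# Assumed ceiling: nobody travels faster than an airliner between two logins.
MAX_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def within_hours(dept, ts):
    """True when the login time is inside the department's allowed window."""
    window = ALLOWED_HOURS.get(dept)
    return window is None or window[0] <= ts.time() < window[1]


def evaluate(events):
    """Return (user, rule, detail) alerts for off-hours and impossible-travel logins."""
    alerts, last_seen = [], {}
    for user, dept, ts_str, lat, lon in events:
        ts = datetime.fromisoformat(ts_str)
        if not within_hours(dept, ts):
            alerts.append((user, "off_hours", f"{dept} login at {ts.time()}"))
        if user in last_seen:
            prev_ts, prev_lat, prev_lon = last_seen[user]
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            # treat sub-minute gaps as one minute so a zero gap cannot hide a jump
            hours = max((ts - prev_ts).total_seconds() / 3600, 1 / 60)
            if dist / hours > MAX_SPEED_KMH:
                alerts.append((user, "impossible_travel", f"{dist:.0f} km in {hours:.2f} h"))
        last_seen[user] = (ts, lat, lon)
    return alerts
```

In a real deployment the allowed windows and the travel ceiling would be driven from the behavioral baselines described above, and the alerts would feed a conditional-access decision or a SIEM rule rather than a list.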
Segment your environment
Keep data and technologies that don’t need to be mingled separate. This protects you from lateral attacks if you are breached. Think of how a submarine is built with watertight compartments. Sectioning the vessel off in this way means less risk of sinking and reduced damage if one section is attacked. This is how you should approach your systems. Logical micro-segmentation hardens network resources and limits the ability of an attacker (internal or external) to move laterally within the environment. If you’re employing proper micro-segmentation, an attacker or ransomware cannot reach adjacent resources or services.
Implementing Zero Trust
Ultimately, be pragmatic. This goes back to the marathon idea – you’re not going to be able to sprint the implementation of ZTA, so don’t wait to get started.
Our team of experts is equipped and ready to help you make the necessary changes to achieve a zero-trust strategy. We work with your organization to ensure that ZTA implementation is aligned to your organizational priorities. Our zero-trust model is a holistic cybersecurity architecture approach and framework that ensures every user, device, and network flow is authenticated and authorized to access internal and external applications and data.
Implementing a zero-trust network access solution will help you detect, isolate, and respond to different types of threats. We’re ready to help you get there.