It is hard to visit a technology industry media site without being bombarded with stories or ads discussing the latest and greatest zero trust technology and implementation best practices. But before any of those articles or technology solutions can be of value, as risk and compliance professionals, you need to get your organization ready to maintain a Zero Trust future.
Committing to Zero Trust is committing to a strategy shift in how organizations behave from both an IT and business process perspective. As with all major changes that impact “how” and “what” the company does to protect itself, you must garner support of the board of directors, the CEO and the company leadership team. And this support must be visible to the entire company.
How can you do this? Start with writing a new corporate level policy (or updating relevant existing applicable policies) on Zero Trust where you discuss the scope of the activity and delineate how zero trust considerations should be included in all new technology related acquisitions and process improvement decisions. Zero Trust strategies are not a “one-and-done” decision; they affect how you maintain and enforce decisions moving forward.
A positive step might be to draft an email and associated blog post on why implementing Zero Trust is important to the future of your organization and have the CEO send the email out company wide and post the blog entry. Zero Trust supports risk and compliance efforts because it assumes our carefully laid information security plans can be breached and asks us to implement granular, contextual access that enforces least privilege. The Zero Trust eXtended ecosystem framework also emphasizes visibility and automation. The goal of continuously assessing risk in an automated fashion is something we can all get behind.
Now that the broad communication aspect has been addressed, it will be time to get down to the nuts and bolts of getting ready for Zero Trust. Notice I didn’t start with acquiring and deploying zero trust solutions, but with getting ready to determine what you actually need in your specific environment. Luckily, this doesn’t mean starting from scratch. Expect, though, that your organization must have some amount of security maturity to move forward.
If you are leading an organization that is already in compliance with the NIST 800 series, ISO 27000 series, and SOC 2 controls, you can leverage some of the work you have already completed to attain a level of information security maturity.
Most critical for planning for Zero Trust implementation, you will need to have updated asset inventories. When I say asset, I actually mean a broader definition than is typically associated with an information security asset inventory. The asset inventory should include all hardware, software, network connections, users, data, and processes. By focusing on assets, an organization has the opportunity to set sensitivity and prioritization on those assets that require the most protection and security.
Next you move on to mapping all your assets and the interplay between each. Here you will be applying the concept of least privilege to every interaction among assets. This is no small task. But if you get this part wrong, throwing zero trust technology at your current problems will not help you attain your future desired state.
If you haven’t noticed yet, most traditional security tools don’t solve today’s security challenges successfully. Case in point: the breach disclosures we see daily, sometimes multiple times per day. While our organizational and customer sensitive data have always been of utmost importance to secure, the industry tends to make small, iterative changes instead of tackling the actual problem. Your new focus and intent on Zero Trust (a mindset) will help clarify your selection of tools to focus on the job of securing your data.
A Zero Trust mindset helps us focus on what really matters. For instance: What are threat actors going after? Your data and your customers’ data. But the industry has been focusing on securing the aspects of an infrastructure that store, transport, and process data, not the data itself. When you design your security infrastructure to secure your most valued asset [it’s the data if you haven’t figured that out yet ;)] you have to assume that your data will be exfiltrated from your IT infrastructure components, no matter where they are physically located.
These infrastructure controls are a good start, but they are challenging to maintain in the long run. Cutting your infrastructure into silos, into multiple touchpoints, means making changes in multiple places to adjust policy in reaction to new threats, regulations, or business drivers. Besides being time-consuming, they behave inconsistently. These multiple controls may not be enforced in the same way, which means that the same data gets treated differently, depending on where it resides or travels.
Additionally, these siloed controls are usually based on roles or groups, which are blunt instruments when it comes to maintaining policy. Use the least privilege mindset with your Zero Trust strategy to ensure that only the right people or processes can access the data you are entrusted with. The new realities of remote workforces and privacy regulations mean that context matters. Aspects to consider include asking whether this is the right person, the right process, at the right time, at the right location, on the right equipment, trying to access a specific data element.
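As an added illustration (not code from the original post), here is a deny-by-default access check that attaches policy to the data element itself rather than to an infrastructure silo, and answers the five contextual questions above on every request. The data element, principal, process, location and device-posture names are constructed sample values.

```python
# Added example, not from the original post: a deny-by-default, context-aware
# access decision that evaluates person, process, time, location and equipment
# against a policy attached to a specific data element (data-centric control).
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class AccessRequest:
    principal: str        # authenticated identity making the request
    process: str          # application or process acting for the principal
    at: str               # local wall-clock time of the request, "HH:MM"
    location: str         # e.g. "office", "vpn", "unknown"
    managed_device: bool  # device passed an endpoint posture check
    data_element: str     # the specific data element being requested

@dataclass(frozen=True)
class DataPolicy:
    principals: frozenset  # who may access this element
    processes: frozenset   # through which process
    window: tuple          # (start, end) inclusive local times
    locations: frozenset   # from where
    require_managed: bool  # on what kind of equipment

# Constructed sample policy: keyed by data element, not by server or network.
POLICIES = {
    "customer_ssn": DataPolicy(
        principals=frozenset({"alice"}),
        processes=frozenset({"claims-app"}),
        window=(time(8, 0), time(18, 0)),
        locations=frozenset({"office", "vpn"}),
        require_managed=True,
    ),
}

def decide(req: AccessRequest, policies=POLICIES) -> tuple:
    """Return (allowed, reason). Every check must pass; an unknown data
    element has no policy and is therefore denied (no implicit trust)."""
    pol = policies.get(req.data_element)
    if pol is None:
        return False, "no policy for data element"
    checks = [
        (req.principal in pol.principals, "wrong person"),
        (req.process in pol.processes, "wrong process"),
        (pol.window[0] <= time.fromisoformat(req.at) <= pol.window[1], "outside time window"),
        (req.location in pol.locations, "wrong location"),
        (req.managed_device or not pol.require_managed, "unmanaged equipment"),
    ]
    failed = [reason for ok, reason in checks if not ok]
    return (not failed), ("allowed" if not failed else "; ".join(failed))
```

The reason string is returned alongside the decision so that every denial can be logged for the visibility and automation goals the framework emphasizes.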
Go beyond the buzzword: Gain organizational buy-in, review your asset inventory, and zero in on data-centric controls for a Zero Trust strategy that you can maintain.
Ben Halpert, vice president of risk and corporate security for Ionic, is a noted author, speaker, and practitioner of risk management, security, privacy, and compliance. He is also the founder of the 501(c)(3) non-profit Savvy Cyber Kids that creates and delivers age-appropriate security, privacy, bully response, and cyber ethics resources and educational tools that enable youth, families and school communities to be empowered by technology.
Prior to joining Ionic, Ben was the director of risk management and compliance for McKesson and spent over 11 years in corporate information security at Lockheed Martin.
Part 3/3 Blog Series: Zero Trust