Zero Trust is, in its essence, an approach to solving problems. What we find so interesting and critical about it lies in the nature of the problems it addresses: digital risk, security, trust. And the funny thing about problems is that in order to address them, you need to recognize them for what they are.
I’m tackling this topic of preparing for Zero Trust — my colleagues will address implementing and maintaining in this short blog series — but before you can prepare for a Zero Trust security strategy, you have to accept that some traditional assumptions are no longer true or sufficient. And you have to recognize the scope of the problem requires a new framework to solve it.
It’s hard to imagine a modern connected organization that doesn’t have an issue that the Zero Trust eXtended ecosystem (ZTX) can address. Regardless of the regulatory environment in which they operate, at some granularity, they all need to establish a level of assurance that the resources they manage are secure. ZTX recognizes that the perimeter boundaries that were the mainstay of the past (corporate firewalls, VPNs,…) are not sufficient by themselves to establish manageable levels of trust in today’s world of ever-connected devices, cloud-enabled services, and massive data resources.
Preparing for a successful Zero Trust security strategy starts with the recognition that your business has challenges that it needs to address, and that by addressing them, you can unlock agility and value for your business. ZTX in some organizations may be seen as an effort to mitigate risk and ensure business continuity, but if approached correctly, it can be viewed as a strategy that enables flexibility, portability, and scale. If you have to deal with your problems, you might as well transform your efforts from being a drag on your business into a means of acceleration. Accepting that ZTX can help your business is the first step.
Let’s say you realize you have a problem with trust and you want to get on the ZTX plan, but how do you start?
At Ionic, we understood early on that it all starts with identity, and not just the identity of the humans in the trust equation, but all entities including — most importantly — the source of your problems: your resources. That solution to the equation is, in effect, ensuring that the right set of consumers (user, service, device) have access to the right set of resources under the right set of conditions and that the converse is not true. After all, if you had no resources, you wouldn’t have any problems.
In order to start providing solutions, organizations need a framework for defining “right.” In today’s world, IdPs and directory services can be leveraged to provide the framework for users, but the resource side of the equation has been ignored for too long. Siloed solutions for every resource type and service provider may be a way to get started, but these approaches can rapidly devolve into an unscalable, unmanageable drag on your business. They can inhibit the ability to react to the market by locking you into services while increasing the cost of deploying new solutions.
An agile and scalable approach includes a framework that allows for maintaining the identity resources independently of where or how they are hosted. This allows the business to focus on providing rapid value to its customers instead of managing the next ZTX deployment model. Recognizing a solution that enables the value of your resources is key to securing those assets.
The digital world is not a static place. A solution that you deploy today may not meet tomorrow’s needs. ZTX isn’t so much a destination as a journey. Your definition of right in today’s world may not meet your business needs in tomorrow’s. What you know about your users and resources will evolve and policy will change. A plan that anticipates and enables low-impact adaptation is a plan for the future.
A framework that includes a dynamic, centralized policy engine across your resources allows you to tie together and manage point solutions at scale. To turn expected policy changes — no matter what the business driver may be— from a complete rebuild into just a configuration modification. Reinventing the policy wheel in every application to react to every market change paralyzes progress. A central policy framework can be the key to scaling your business.
While the requirement to adopt Zero Trust is generally driven by security and risk teams, the plan, execution, and maintenance impacts the core of the organization and the bottom line. The problem isn’t going away with one launch. A central policy framework turns your security and risk approach into a market advantage.
Development teams need to be enabled to focus on providing business value versus encoding policy changes. Just like you would externalize user identity via an IdP, externalizing resource identity and policy management creates an SDLC that can quickly adapt to your needs without placing the burden on the team that should be driving revenue.
If you can accept that a solid security plan will enable your business, and if you can recognize that you need a framework to manage resource identities, then you’re ready to create a plan. And a Zero Trust security strategy that focuses on minimizing the impact on your SDLC — today and in the future — is one that enables the agility needed for today’s digital transformations.
Bill LeBlanc, chief technical officer of Ionic Security, has a deep background in system architecture, software development, and cloud computing. He assumed the role of CTO at Ionic after leading the partnership integration team for more than five years.
Bill has held engineering roles at Cisco and Aruba Networks, and he has co-founded several successful companies, like Pharsalia Technologies and SteelBox Networks. You can read a Q&A with Bill LeBlanc here.
Part 1/3 Blog Series: Zero Trust