Building a Zero-Trust Strategy   

In the past, security professionals relied on traditional perimeter security such as firewalls to prevent unwanted access to their data.

Today traditional perimeter security is irrelevant due to the adoption of cloud-first strategies and flexible working approaches, which has blurred the line as to where that perimeter exists.

The pandemic and cloud-first technologies have expedited this move to an extended perimeter which has driven cybersecurity professionals to prioritise a Zero-Trust strategy throughout many organisations.  

So the question is: what is this perimeter?  

In this blog, we will cover some of the bases of Zero-Trust, such as:     

• The Pillars of a Zero-Trust strategy.  
• Getting started with Zero-Trust. 
• The Zero-Trust maturity curve.  
• The evolution of Zero-Trust between March 2020 and April 2021.  
• The challenges of Zero-Trust and how to automate the challenges. 

Zero-Trust is a Process, Not a Solution.  

Zero-Trust refers to a security framework requiring all users to be authenticated, authorised, and continuously validated. This means that there is a collection of cybersecurity processes working alongside, or built on top of, a foundation of strong IT capabilities.  

Zero Trust assumes that there is no traditional network edge which means that it addresses the modern challenges of today’s business. Some examples of IT capabilities building the foundations for Zero-Trust are identity management, authentication and asset management.  

Simply put, Zero-Trust is a security concept based on the premise that organisations should not trust anything inside or outside their perimeters and should instead check anything attempting to connect to their systems before providing access. 

Zero-Trust Security Model     

Before implementing a Zero-Trust strategy for your organisation, ensuring that you know the steps to get started is imperative. These steps ensure that your organisation is prepared to undertake this long journey toward a Zero-Trust model.  

Below are five steps every organisation should take when building a Zero-Trust strategy to improve its security posture:  

Setting Goals 

  Organisations must ensure a clear set of defined goals.  

According to NIST 800-207, the fundamental goal of a Zero-Trust strategy is to prevent unauthorised access to data or services, which makes access control granular.  

The first goal is common sense; however, an organisation must shrink ‘implicit trust zones’ to achieve the second goal.  

Identify what must be Protected.  

To do this, identifying the core areas of Zero-Trust is necessary. CisoMag suggests that these are:     

• Enterprise identities and devices.     
• Enterprise Resources.     
• Trust Verification Systems (Policy Decision Points (PDP) & Policy.  
• Enforcement Points (PEP: Policy Enforcement Points) and policy engine).     

However, it is also essential to identify your organisation’s data and entry points. Organisations must clearly outline access points before assessing an organisation’s Zero-Trust readiness or outlining their strategy.  

Assess Zero-Trust Readiness     

Finding out where your organisation sits on the Zero-Trust maturity curve is essential to evaluating the network, endpoints, and data and user identity maturity levels.  

The best way to do this is by taking this Zero-Trust assessment.

Build Architecture Policies and Limit Access     

Building architecture policies and limiting access is where your organisation structures network devices and services to enable a Zero-Trust security model. These design principles create a framework for a Zero-Trust strategy to work with.  

Some of the main principles which organisations should use are:     

• Default access controls are set to ‘deny’.  

• Preventative techniques are in place to authenticate all users and devices.  
• Real-time monitoring and controls work to identify malicious activity and threats to your organisation.  

Maintenance     

As with many security strategies, maintaining what is inherited is necessary. Maintenance helps your organisation make the most out of your security and continuously monitor environments to protect them from malicious attacks and other cyber threats.  

The Zero-Trust Maturity Curve     

Adopting a Zero-Trust security model is a lengthy process with several stages. Where you sit on the maturity curve can help you understand which step is next on your journey.  

Fragmented Identity:     

• Active Directory on-premises.  
• No cloud integration.  
• Passwords everywhere.  

Unified IAM:     

• Single sign-on across employees, contractors, and partners.  
• Modern multi-factor authentication.  
• Unified policies across apps and servers.  

Contextual Access:     

• Context-based access policies.  
• Multiple factors are deployed across user groups.  
• Automated provisioning for leavers.  

• Secure access to APIs.  

Adaptive Workforce:     

• Risk-based access policies.  
• Continuous and adaptive authentication and authorisation.  

• Frictionless access. 

What we have seen Between March 2020 and April 2021     

There is no doubt that the pandemic and a new way of remote working have pushed the idea of a Zero-Trust strategy forward. A remote workspace has resulted in a massive tactical shift and a more strategic approach to investing in recent technologies.  

Okta’s Whitepaper ‘The State of Zero Trust Security 2021’ published June 2021, suggests that:     

“More than three-quarters (78%) of companies around the world say that zero trust has increased in priority, and nearly 90% are currently working on a Zero-Trust initiative (up from just 41% a year ago).”     

As a result, the prioritisation of Zero-Trust has increased throughout the past 18 months.  

Challenges of a Zero Trust Strategy     

Zero-Trust is a lengthy process of technology and security awareness to create a comprehensive strategy that covers all bases of an organisation’s accessibility. However, with a comprehensive approach comes many challenges.  

Passwords vs Passwordless   

One of the fundamental issues is what to do with passwords.

Due to security concerns surrounding post-it note password keeping, many organisations have time-consuming helpdesk requests for password resets and perimeter issues. This manual way of keeping passwords has become increasingly problematic due to increasingly dispersed perimeters with remote workers.  

However, organisations remove the post-it note problem by utilising a passwordless approach. Doing so can remove an attack vector, helping to take one step toward a more robust strategy.  

There are many benefits to a passwordless approach, such as utilising more secure access such as biometrics. The use of biometrics helps secure the perimeter, removes ‘password fatigue’ from the employees in an organisation, and simplifies the user experience.  

Cloud-based Technology     

There is no doubt that cloud-based technology is frequently used due to a remote workforce and an increasingly modern working method.  

However, with this new type of technology comes a new security problem. Cloud-based technologies have created a new access point which means that organisations must know who has permission to access this unique area.  

Utilising awareness and identity technologies can be one way of doing this  

Adopt a Zero-Trust strategy with Sapphire

There are many more problems that organisations can face and work to resolve by adopting a Zero-Trust strategy. If you want to discuss any issues your organisation faces, contact our team below for guidance.