How to implement Zero Trust
After answering Monday’s question, I kept thinking about the best way to start a security program from scratch. One method I usually recommend is a Zero Trust security model. The thing I run into when talking about this is that people think it’s an all-or-nothing approach, and most have many issues they need to fix before they can even begin planning a Zero Trust implementation. I’ve honestly seen this at a lot of companies: to borrow a baseball metaphor, they only want to work on (what I call) “home runs” and don’t want any base hits. Yet, like any other framework, you don’t have to follow a strict guideline; you can implement it in ways that complement your business and security posture.
Like most technology projects, I prefer an incremental approach so that you don’t overwhelm any part of the business or IT staff. To start, I like Forrester’s Zero Trust Model, which splits the model into seven pillars: data, people, workloads, devices, networks, automation and orchestration, and visibility and analytics. Other Zero Trust models use six pillars: users, devices, networks, applications, automation, and analytics. Whichever one you decide to use can be the initial guide for implementing the framework. Either way, I strongly recommend treating this as an incremental project; that way you get results, and you can show measurable improvement.
When you need to show short-term wins in a longer project, I recommend targeting a single system or a small group of systems that would benefit most from moving to Zero Trust first. Target a critical, higher-profile application that will show executives the benefit of the project, then prioritize downward from there. As with any IT project, this will be a learning process, and you may need to change your approach depending on the scenario you are working with, so give yourself breathing room. One area where your business may need to adapt is how things used to work versus how they will work more securely. This means education for everyone: people may have been used to doing things a certain way, and that way doesn’t work anymore (the same as with any technology project).
Now that you’ve identified your Zero Trust security priorities, you’ll next want to choose one of the Zero Trust pillars to tackle first. Please don’t take on all of them; trying to tackle all of them will be overwhelming and counterproductive, and honestly you may doom the project. If you are not sure, or can’t come to an agreement, there are tools out there that let you fill in information about your environment, find the gaps, and then tell you which pillar(s) your organization needs to focus on.
Once you have the pillar identified, you need to figure out the exact controls you need to implement. There are a lot of controls and documents out on the web that will give you a framework or ideas on what to do to make progress in that one pillar. For example, maybe you’ve identified data as your pillar, and one control might be network segmentation, so that not everyone or everything on your network can reach that data.
Like most projects, once you’ve narrowed down your systems, controls and pillar, you’ll need some data to make sure you do this effectively. This isn’t just an IT project, it’s a business project, so you’ll need to work with the business side to fully understand the needs and make sure you create effective policies around them. To do that, you need as much information and data as possible. Around this time, application flows should also be mapped out along with the access they require, so that you understand the flow of the data, what it depends on, and what impact your policy may have on it.
Now that we’ve spent a lot of time discussing, planning and debating comes the phase where you start to implement your Zero Trust model. Unfortunately, that’s not the end of the discussions. When you implement your system(s), you need to validate that everything works the way your planning said it should. Then monitor both the business and technology workflows and make sure everything is stable.
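As an added illustration (not from the original post) of the flow-mapping and validation steps above: the mapped flows for one critical application become a default-deny segmentation allowlist, and traffic observed during the monitoring phase is checked against it so that a missed dependency shows up as a blocked flow before it becomes an outage. All workload names, ports and flows are constructed, hypothetical values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source workload or segment
    dst: str          # destination workload or segment
    port: int
    proto: str = "tcp"


# Constructed flow map for a hypothetical critical application:
# every connection the application needs in order to function.
MAPPED_FLOWS = [
    Flow("web-tier", "app-tier", 8443),
    Flow("app-tier", "db-tier", 5432),
    Flow("app-tier", "idp", 443),
    Flow("backup", "db-tier", 5432),
]

# Constructed sample of traffic seen while monitoring after rollout.
OBSERVED = [
    Flow("web-tier", "app-tier", 8443),
    Flow("app-tier", "db-tier", 5432),
    Flow("reporting", "db-tier", 5432),   # not in the flow map: a missed dependency?
    Flow("web-tier", "db-tier", 5432),    # direct web->db access the design never allowed
]


def build_policy(flows):
    """Default-deny allowlist: only the explicitly mapped flows are permitted."""
    return frozenset(flows)


def is_allowed(policy, flow):
    return flow in policy


def impact_report(policy, observed):
    """Split observed traffic into flows the policy permits and flows it would block.
    Blocked entries are either real dependencies the flow map missed (fix the map)
    or access the policy was meant to remove (expected)."""
    allowed = [f for f in observed if is_allowed(policy, f)]
    blocked = [f for f in observed if not is_allowed(policy, f)]
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = impact_report(build_policy(MAPPED_FLOWS), OBSERVED)
    for f in blocked:
        print(f"BLOCKED {f.src} -> {f.dst}:{f.port}/{f.proto} (not in mapped flows; review)")
```

Each blocked flow is a question for the business and application owners, not an automatic approval: either the flow map was incomplete, or the policy is doing exactly what the design intended.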
At this point you should have a repeatable process for your systems; apply it to other pillars and systems and make progress over time. As you can see, this can be an involved process, and trying to do it across your whole environment with all pillars at once is a recipe for disaster and failure. Security doesn’t need to happen all at once: every step you take toward being more secure is better than before, and it’s a never-ending project, but taking it in small chunks makes each step a traceable win!