Using Zero Trust to Ease Compliance

The era of compliance and business and consumer demand for privacy is upon us

The rising number of privacy and compliance standards has increased anxiety among many enterprise owners. From PCI-DSS to HIPAA, the EU’s GDPR to Mexico’s Protection of Personal Data Law, and California’s Consumer Privacy Law (CCPA) to New York’s Personal Privacy Law, these standards have teeth and bite back with stiff penalties for companies that fail to adhere. There is also a growing understanding among businesses and consumers that a lack of adherence can lead to major drops in revenue and consumer confidence. But the task of developing security policies and deploying technologies to support compliance requirements can be nothing less than overwhelming, leaving companies lost about where to start their journey. Increasingly, enterprises are turning to the zero trust framework to help accelerate and ease their journey to compliance.

Forrester Research introduced the zero trust security concept in 2010 in response to a growing realization: The traditional “moat and castle” defensive strategy was not working. Investing more resources to shore up perimeter defenses has not prevented determined cyber actors from circumventing or breaching these defenses and wreaking havoc inside enterprise networks. Zero trust represents a fundamentally different model, one that assumes no user, device or application, whether outside or even inside the network, can be deemed safe and that each must be validated before being allowed access to network assets.

The concept of needing to shore up the entire enterprise and not just the perimeter is especially true in light of recent trends in DevOps and cloud adoption models. Most enterprises are dealing with complex, heterogeneous environments. These environments include everything from legacy operating systems and platforms to modern virtualized machines, clouds, containers and serverless applications. While they seek to gain from cost savings and efficiencies in adopting these new accelerated, highly automated cloud models, enterprises struggle with the ensuing sprawl and the numerous blind spots and increased complexity that come with the territory. Modern reality means the true threat has little to do with the perimeter and everything to do with defending against these new blind spots.

Forrester Research stipulates that by approaching compliance through the zero trust framework methodology and utilizing the underlying network segmentation it is based on, one can actually achieve more stringent compliance faster. The firm has defined zero trust as a five-step process. Using a specific strategy, and incorporating two critical capabilities of segmentation to accomplish the tenets of zero trust, organizations have an opportunity to greatly accelerate this process. Let’s review these critical capabilities, and then subsequently look at how zero trust and segmentation together can provide companies a prescriptive, easy-to-follow methodology for enabling compliance with industry regulations.

To begin the zero trust journey, you need to incorporate a strategy and utilize two essential capabilities.

First, you must make strategic assessments to separate the critical or most relevant assets and applications from the non-critical. This guidance comes from Forrester and from most compliance standards. While the verbiage varies, all compliance standards now mention the value of segmenting, separating, isolating or segregating critical or relevant assets and workloads from ones that are not. By doing so, you can greatly limit the scope of the compliance process, thereby reducing the amount of effort required.

Once you’ve set the baseline for defining critical versus non-critical elements, establishing the following capabilities will ensure you have the necessary tools at your disposal to accomplish zero trust success.

See: Visibility is critical for real-time and historical viewing of all enterprise platforms through a single agnostic lens

To protect, validate and maintain compliance, it is critical to have in-depth visibility that allows you to understand the complex nature of your critical/relevant assets and workloads. This visibility should not be disparate for individual platforms and silos. Rather, it should be agnostic and decoupled from the underlying operating systems and platforms in a single, unified manner. This visibility must be available not just in real time; a historical view is just as important for reference or forensic analysis. Real-time visibility enables you to map out your workflows and implement policies. Historical visibility also lends itself to compliance reporting requirements by allowing you to continuously monitor connections and to prove ongoing compliance validation.

Enforce: Enforce in a granular and uniform fashion across all environments

Where visibility shows you which workflows are in scope and what your application dependencies are, you also need a seamless way to enforce policies in a granular manner at the process, user and fully-qualified-domain-name level across all your platforms. Noted Chase Cunningham of Forrester Research at the Forrester Security & Risk 2019 Conference:

“Zero Trust is strategically focused on addressing lateral threat movement within the network by leveraging micro-segmentation and granular enforcement, based on user context, data access controls, location, app and the device posture.”

Compliance as Mapped to 5 Steps of Zero Trust Networking

Once strategic decisions are made regarding the enterprise’s most critical components and visibility and enforcement capabilities are established, we can focus on applying Forrester Research’s five steps of zero trust networking.

Identify Sensitive Data and Assets

Using visibility into the enterprise, you can easily map out your critical assets, applications and data. This allows you to limit the scope and resources required as outlined in the strategy above.

Map the Flows of Your Sensitive Data

With the right level of visibility one can easily map application workflows in a granular fashion that includes the associated users, fully qualified domain names and processes involved.

Architect Your Zero Trust Microperimeters

Now that we have gained visibility and mapped out the workflows, we can begin to segment these compliance-critical workflows easily at a granular level by implementing policies around them. Moreover, the ability to enforce the segmentation greatly reduces risk and ensures compliance.

Continuously Monitor your Zero Trust Ecosystem With Security Analytics

Since we have real-time and historical visibility data, we can use the policies we created to continuously monitor traffic flows against them. These historical flows become compliance assurance that proves we are truly compliant over time and serves in compliance validation.

Embrace Security Automation and Orchestration

By far the greatest time-saver is being able to take the above work and automate it further with playbooks built on tools such as Chef, Puppet, Ansible and other techniques. This means that as new workloads come online, the whole process becomes automated. This ensures that you will remain compliant and that the effort will require minimal manual moves, adds, changes and deletes.
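The five steps above, carried through as an added example (illustrative code written for this page, not Guardicore's product or Forrester's methodology): a constructed set of flow records stands in for the visibility feed, a constructed list of compliance-critical workloads stands in for the scoping decision, the microperimeter is an allow-list of observed in-scope tuples (workload, user, process, FQDN, port), new flows are checked against it for compliance reporting, and the resulting policy is exported in a form a playbook could consume. All workload names, users and flows are made up.

```python
"""Scope -> map flows -> build microperimeter -> monitor -> export for automation.
Every identifier below is constructed for illustration; none comes from a real environment."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed connection as a visibility platform might report it."""
    src: str       # source workload
    dst: str       # destination workload
    user: str      # account that opened the connection
    process: str   # initiating process on the source
    fqdn: str      # destination name as resolved by the source
    port: int


# Step 1: strategic scoping. Constructed set of compliance-critical workloads
# (think of the cardholder-data environment under PCI-DSS).
CRITICAL_ASSETS = {"db-cardholder", "app-payments"}


def in_scope(flow: Flow) -> bool:
    """A flow is in scope if either end is a critical asset; everything else is ignored."""
    return flow.src in CRITICAL_ASSETS or flow.dst in CRITICAL_ASSETS


# Step 2: map the flows. Constructed historical records from the visibility feed.
HISTORICAL_FLOWS = [
    Flow("app-payments", "db-cardholder", "svc_payments", "java", "db-cardholder.internal", 5432),
    Flow("app-payments", "db-cardholder", "svc_payments", "java", "db-cardholder.internal", 5432),  # seen repeatedly
    Flow("web-frontend", "app-payments", "svc_web", "nginx", "app-payments.internal", 8443),
    Flow("web-frontend", "cms", "svc_web", "nginx", "cms.internal", 80),  # not a critical asset
    Flow("bastion", "db-cardholder", "dba_alice", "psql", "db-cardholder.internal", 5432),
]

PolicyKey = Tuple[str, str, str, str, str, int]


def flow_key(flow: Flow) -> PolicyKey:
    """Granular identity of a flow: workloads, user, process, FQDN and port."""
    return (flow.src, flow.dst, flow.user, flow.process, flow.fqdn, flow.port)


# Step 3: architect the microperimeter as an allow-list around the critical assets.
def build_microperimeter(flows: Iterable[Flow]) -> Set[PolicyKey]:
    """Derive the allow-list from observed in-scope flows. A learned baseline must be
    reviewed by the application owner before enforcement: it reflects what happened,
    not necessarily what should be allowed."""
    return {flow_key(f) for f in flows if in_scope(f)}


# Step 4: continuous monitoring against the policy.
def evaluate(flow: Flow, policy: Set[PolicyKey]) -> str:
    """Classify a flow as allow, violation or out-of-scope (default deny inside the scope)."""
    if not in_scope(flow):
        return "out-of-scope"
    return "allow" if flow_key(flow) in policy else "violation"


def compliance_report(flows: Iterable[Flow], policy: Set[PolicyKey]) -> Dict[str, List[Flow]]:
    """Bucket observed flows by verdict; the violation bucket is what an auditor asks about."""
    report: Dict[str, List[Flow]] = {"allow": [], "violation": [], "out-of-scope": []}
    for f in flows:
        report[evaluate(f, policy)].append(f)
    return report


# Step 5: export the policy so a playbook can push it to new workloads unchanged.
def export_policy(policy: Set[PolicyKey]) -> List[Dict[str, object]]:
    """Deterministic, plain-dict form of the allow-list (suitable as playbook variables)."""
    fields = ("src", "dst", "user", "process", "fqdn", "port")
    return [dict(zip(fields, key)) for key in sorted(policy)]


# Constructed "today" traffic: one known-good flow, two policy violations, one out of scope.
NEW_FLOWS = [
    Flow("app-payments", "db-cardholder", "svc_payments", "java", "db-cardholder.internal", 5432),
    Flow("web-frontend", "db-cardholder", "svc_web", "nginx", "db-cardholder.internal", 5432),
    Flow("bastion", "db-cardholder", "contractor_bob", "psql", "db-cardholder.internal", 5432),
    Flow("web-frontend", "cms", "svc_web", "nginx", "cms.internal", 80),
]

if __name__ == "__main__":
    perimeter = build_microperimeter(HISTORICAL_FLOWS)
    for verdict, flows in compliance_report(NEW_FLOWS, perimeter).items():
        for f in flows:
            print(f"{verdict:12} {f.src} -> {f.dst}:{f.port} user={f.user} proc={f.process}")
```

Note that the same source and destination pair appears both as an allowed flow (the payments service account from the java process) and as a violation (a contractor account from psql): enforcing at the user and process level, not just the network level, is what makes that distinction visible in the report.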

By reducing one’s scope, incorporating in-depth visibility and granular segmentation techniques applied in a unified fashion across all your platforms, and following Forrester Research’s five steps of zero trust networking, we can easily, effectively and quickly become and remain compliant.

Dave Klein

Dave Klein is senior director of engineering & architecture at Guardicore. He has more than 20 years of experience working with large organizations in the design and implementation of security solutions across very large scale data center and cloud environments. At Guardicore, Dave works with customers in architecture and implementation of advanced data center and hybrid cloud security solutions for the rapid detection, containment and remediation of security breaches.
