Getting to Zero-Trust Solution Design
Implementing a zero-trust (ZT) security architecture today is a bit like buying a car in 1901. You had to buy the chassis from one company, the body from another and the seats from a third. Next, you had to put it all together hoping everything would work out in the end. And it was called a “horseless carriage,” because no one quite knew what was going to happen to the traditional horse and buggy.
As the newest methodology for protecting networks, data and endpoints, zero-trust is also something of a piecemeal operation, only worse. There is little consensus on what comprises an effective zero-trust solution, particularly regarding which technologies should go together as you design your security framework. Indeed, getting to ZT means:
- Recognizing that no single technology is a ZT cure-all
- Mastering a lengthy list of acronyms, any or all of which could be ZT components
- Understanding which of those technologies overlap
- Assembling the right technologies to arrive at an effective architecture
A new report from Nemertes Research guides IT leaders in designing a ZT architecture. Here’s what you need to know to help smooth out and straighten what is typically a winding, bumpy road to ZT.
What is Zero-Trust and Why do You Need it Today?
Zero-trust is a security framework, an ethos if you will, based on the idea that no user (human or machine) should be trusted with access to digital assets by default. Zero-trust has many different iterations, but it is useful to keep in mind that it is, at its heart, an idea or concept and not a tangible technology. One way to understand zero-trust is to consider the alternative, which is the still-widespread practice of trusting users by default.
For example, if you log into most websites or corporate networks, they will assume that if you have a valid username and password then you are a legitimate user. Zero-trust turns this practice on its head and eliminates trust. The framework assumes that access should only be granted after specific security mechanisms have established that users are who they say they are, e.g., by authenticating the user’s device and location along with validating other factors such as biometrics.
As more employees work remotely, often using personal devices and home internet connections, the risks of default trust grow more serious. With zero-trust, by contrast, companies never trust anyone by default and always verify users before allowing access to digital assets.
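To make the contrast concrete, here is an added example (not code from the article or from Nemertes) of the two access models side by side: a legacy decision that trusts any valid password, and a zero-trust policy decision point that evaluates every request against identity, second factor, device enrollment and posture, session age and region, and denies by default. The signal names, the resource policy table, the assurance ladder and the sample requests are all constructed for illustration; a real deployment would take these signals from its IdP, MDM and EDR tooling.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AccessRequest:
    """Context a zero-trust policy point sees for one access attempt (constructed shape)."""
    user: str
    resource: str
    password_ok: bool        # primary credential validated by the identity provider
    mfa_verified: bool       # second factor completed for this session
    device_managed: bool     # device is enrolled and identified (hypothetical MDM/attestation signal)
    device_compliant: bool   # posture check passed: patched, disk encrypted, EDR agent running
    geo: str                 # country code derived from the client address
    session_started: datetime


# Constructed sample policy table: each resource names the minimum assurance
# level it demands and, optionally, the regions it may be reached from.
RESOURCE_POLICY = {
    "wiki":       {"min_level": 1},
    "payroll":    {"min_level": 3, "allowed_geo": {"US", "CA"}},
    "prod-admin": {"min_level": 4, "allowed_geo": {"US"}},
}

# Sessions older than this must re-verify, even if every other signal is still green.
MAX_SESSION_AGE = timedelta(hours=8)


def legacy_decision(req: AccessRequest) -> bool:
    """Default-trust model: a valid username/password is the whole check."""
    return req.password_ok


def assurance_level(req: AccessRequest) -> int:
    """Ladder of verified signals; each rung requires all the rungs below it."""
    level = 0
    if req.password_ok:
        level = 1
    if level == 1 and req.mfa_verified:
        level = 2
    if level == 2 and req.device_managed:
        level = 3
    if level == 3 and req.device_compliant:
        level = 4
    return level


def zero_trust_decision(req: AccessRequest, now: datetime) -> tuple[bool, str]:
    """Per-request, default-deny policy evaluation. Returns (allowed, reason)."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not req.password_ok:
        return False, "primary authentication failed"
    if now - req.session_started > MAX_SESSION_AGE:
        return False, "session older than policy allows; re-verification required"
    level = assurance_level(req)
    if level < policy["min_level"]:
        return False, f"assurance level {level} below required {policy['min_level']}"
    allowed_geo = policy.get("allowed_geo")
    if allowed_geo is not None and req.geo not in allowed_geo:
        return False, f"region {req.geo} not permitted for {req.resource}"
    return True, f"granted at assurance level {level}"


def audit_line(req: AccessRequest, now: datetime, allowed: bool, reason: str) -> str:
    """One line per decision, so a SIEM can see denials as well as grants."""
    verdict = "ALLOW" if allowed else "DENY"
    return (f'{now.isoformat()} {verdict} user={req.user} resource={req.resource} '
            f'geo={req.geo} reason="{reason}"')


# Constructed sample requests exercising the main outcomes.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
PASSWORD_ONLY = AccessRequest("alice", "payroll", True, False, False, False, "US", NOW - timedelta(minutes=5))
FULLY_VERIFIED = AccessRequest("alice", "payroll", True, True, True, True, "US", NOW - timedelta(minutes=5))
WRONG_REGION = AccessRequest("bob", "prod-admin", True, True, True, True, "DE", NOW - timedelta(minutes=5))
STALE_SESSION = AccessRequest("bob", "wiki", True, True, True, True, "US", NOW - timedelta(hours=9))

if __name__ == "__main__":
    for req in (PASSWORD_ONLY, FULLY_VERIFIED, WRONG_REGION, STALE_SESSION):
        allowed, reason = zero_trust_decision(req, NOW)
        print(audit_line(req, NOW, allowed, reason), "| legacy would allow:", legacy_decision(req))
```

The point of the ladder is that a stolen password alone reaches level 1 and cannot open anything beyond the wiki, and even a fully verified device is turned away when region or session age violates the resource's policy; the legacy path would have let all four sample requests through.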
Untangling ZT Frameworks, Acronyms and Technologies
While ZT is becoming imperative for establishing a robust security posture, standing it up can be shaky. Because there is no hard definition of what a ZT architecture or solution should entail, each authority has its own interpretation or opinion and every organization has unique needs. The National Institute of Standards and Technology (NIST) has defined a ZT architecture. Forrester and the Cloud Security Alliance have also set out their own ideas but, still, uncertainty remains about how to implement these ideas and what will be required.
Matters grow increasingly confusing as the ZT concept intersects with an alphabet soup of security technologies:
- Zero-trust network access (ZTNA) solutions frame zero-trust as a network access paradigm.
- Cloud access security broker (CASB) enforces zero-trust access policies for digital assets in the cloud. However, CASB does not apply the ZT framework to network access, AppSec or data security.
- Zero-trust also reinforces a number of related security models, including secure access service edge (SASE), for which ZTNA and CASB are core elements. This leads to more confusion about whether adopting SASE, for example, delivers a complete ZT solution. Nemertes analysts warned that SASE is not a sure bet, as it doesn’t necessarily mean you have implemented a complete ZT architecture in the way your organization needs it.
ZT Solution Design: Putting the Right Pieces Together
The best way to assemble the ZT puzzle is to start by defining what you need from a ZT architecture and determine your best approach from there.
Nemertes suggested taking a broad view of your IT environment, assessing the existing technologies or capabilities as well as the gaps that must be closed to achieve a smart ZT architecture. You may need more than one solution. Specifically, their analysts took SASE and added to it extended detection and response (XDR), endpoint detection and response (EDR) and software-defined perimeter (SDP) functionality.
For those readers just wanting a simple tech checklist, Nemertes offers a good start:
SASE
- SD-WAN
- Firewall-as-a-service
- Secure web gateway
- CASB
- ZTNA
XDR, EDR, SDP
- Endpoint protection platform
- Machine learning and behavioral threat analytics
- 24/7 detection and response services
- Application-level security policies
- Identity management
- Network-level enforcement
This approach starts to approximate the kind of in-depth, pervasive security required for a full ZT solution.
Making Security Ubiquitous: ZT Implementation and Integration
Best practices are now taking shape across the industry, including integrating existing security investments into your ZT architecture. For example, single sign-on (SSO) solutions, security information and event management (SIEM) systems, security orchestration, automation and response (SOAR) technologies and security operations center (SOC) services should all be incorporated and adapted for use with ZT.
The WAN is another factor in the discussion. Network security, secure remote network access and SD-WAN are fundamental to ZT. When SD-WAN or SASE are coupled with EDR, ZT can become pervasive across virtually all elements of the IT landscape.
Conclusion
While the groundswell for zero-trust is inevitable, the road to it is not always clear or straight. Making your approach work means understanding the various frameworks and technologies that can support its realization. Success comes faster when you think through your ZT requirements carefully, work through the acronyms and categorize each need as either an existing or a net new investment. The Nemertes paper offers some compelling insights and details to guide IT leaders on this journey.