Adopting Zero Trust in IT: Five Steps When Building a Zero Trust IT Environment
This post was last updated on March 18th, 2020 at 01:13 pm
Zero Trust is an approach to cybersecurity which means “never trust and always verify”—before access is granted. The idea of a Zero Trust IT environment is one in which data, endpoints, and systems are protected by limiting access to them. This relatively new way to think about cybersecurity is growing in popularity because it doesn’t necessarily require new tools and technology, rather Zero Trust requires a new approach to what you’re already doing.
This five-step approach to building a Zero Trust IT environment will help you adopt the Zero Trust methodology and implement better security practices within your organization.
1. Know your attack and protect surfaces.
With Zero Trust, you don’t focus on your attack surface but only on your protect surface ─ the critical data, applications, assets and services (DAAS) most valuable for your company. Examples of a protect surface include credit card information, protected health information (PHI), personally identifiable information (PII), intellectual property (IP), applications (off-the-shelf or custom software); assets such as SCADA controls, point-of-sale terminals, medical equipment, manufacturing assets and IoT devices; as well as services like DNS, DHCP and Active Directory.
Once the protect surface is defined, you can move your controls as close as possible to it, enabling you to create a microperimeter (or compartmentalized micro-perimeters) with policy statements that are limited, precise and understandable.
2. Map transaction flows.
The way traffic moves across a network determines how it should be protected. Thus, you need to gain contextual insight around the interdependencies of your DAAS. Documenting how specific resources interact allows you to properly enforce controls and provides valuable context to help ensure optimal cybersecurity with minimal disruption to users and business operations.
3. Architect your Zero Trust IT network.
Zero Trust networks are completely customized, not derived from a single, universal design. Instead, the architecture is constructed around the protect surface. Once you’ve defined the protect surface and mapped flows relative to the needs of your business, you can map out the Zero Trust architecture, starting with a next-generation firewall. The next-generation firewall acts as a segmentation gateway, creating a microperimeter around the protect surface. With a segmentation gateway, you can enforce additional layers of inspection and access control, all the way to Layer 7, for anything trying to access resources within the protect surface.
4. Create your Zero Trust security policies.
Once the network is architected, you will need to create Zero Trust policies determining access. You need to know who your users are, what applications they need to access, why they need access, how they tend to connect to those applications, and what controls can be used to secure that access.
With this level of granular policy enforcement, you can be sure that only known allowed traffic or legitimate application communication is permitted.
5. Monitor and maintain networks.
This final step includes reviewing all logs, internal and external, and focusing on the operational aspects of Zero Trust. Since Zero Trust is an iterative process, inspecting and logging all traffic will provide valuable insights into how to improve the network over time.
You can also read our longer-form article on building a Zero Trust IT environment on HelpNetSecurity’s website.