Conversations from the field: Your Zero Trust Security Journey Has Already Started!
In conversations with our clients, we often find three common things around Zero Trust:
- While we don’t like terms such as “Zero Trust”, “Zero Trust Access”, or “Zero Trust Network Architecture”, we have come to terms with them, and we now accept them. I am going to refer to it as Zero Trust Security Program or ZTSP.
- However, everyone’s interpretation of this architectural approach is different, and this is both valid and OK.
- Most organizations we speak to have already started the journey because they have some of the components in place. However, they lack a holistic approach that integrates these components so that they actually improve the organization’s security posture.
At CA2 Security, we go by the Zero Trust definition proposed by Jason Garbis and Jerry W. Chapman in their book “Zero Trust Security” because we believe that it is an architectural approach and, in fact, perhaps a cultural mindset that requires a bit of a paradigm shift, much like the one you find in DevOps. Thus, we call it Zero Trust Cybersecurity Strategy. Garbis and Chapman’s definition is as follows:
“A Zero Trust system is an integrated security platform that uses contextual information from identity, security, and IT Infrastructure, and risk and analytics tools to inform and enable the dynamic enforcement of security policies uniformly across the enterprise. Zero Trust shifts security from an ineffective perimeter-centric model to a resource- and identity-centric one. As a result, organizations can continuously adapt access controls to a changing environment, obtaining improved security, reduced risk, simplified and resilient operations, and increased business agility”.
The Main Components of ZTNA
To simplify the message, we believe that every infrastructure and cybersecurity technology, system, tool, and process is part of the ZTS Program (you see what I did there? ZTA and Cybersecurity can be and ARE interchangeable now). Here are the main components of a Zero Trust Security Architecture and Program:
A Policy Decision Point (PDP) functions as “the brains of the operation”. This can be one system or a collection of systems, but the industry is getting closer to a single system that decides which policies apply to a given access request.
Then you have the Policy Enforcement Points (PEPs). This is where those policies are enforced: certain conditions must be met before access to a resource is granted. The main components or enforcement points that we recommend evaluating and working with are common systems that you may already have in place, namely:
- Identity and Access Management
- Network Segmentation
- Endpoint Security
- Data Loss Prevention
- Network Monitoring and Traffic Analysis
- Protection of access and perimeter – SASE
- Conditional access
We will discuss each of these in more detail in later blog entries. For now, the main point we want to deliver is that if you encounter any of these technologies and processes in your organization, you have already started your ZTA journey:
- If you have implemented Single Sign-On (SSO), you are doing Zero Trust.
- If you have implemented Privileged Access Management (PAM), you are doing Zero Trust.
- If you have an Endpoint Detection and Response (EDR) platform, yep, you have another component of Zero Trust.
- If you have logging and a SOC or MDR, yep, that is another component of ZTA.
The question then is, am I done? Like most good conversations in cybersecurity, the answer is “it depends”. We believe that the true questions are:
- Are all the systems integrated?
- How are they integrated?
- Can the systems apply central policies in each area of concern?
- Do the systems apply policies independently from each other?
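The PDP/PEP split and the integration questions above can be made concrete with a small model. This is an added example, not CA2 Security’s code or any vendor’s product: a single PDP combines signals from an identity provider, an EDR/device-compliance feed and a risk-analytics score (all constructed sample records here) against one central policy store, and a PEP in front of each application enforces that decision per request rather than trusting the network segment.

```python
from dataclasses import dataclass, field

# Constructed sample records standing in for the systems a PDP integrates:
# an identity provider, an EDR/device-compliance feed and a risk-analytics score.
IDENTITY_PROVIDER = {
    "alice": {"groups": {"finance"}, "mfa": True},
    "bob": {"groups": {"engineering"}, "mfa": False},
}
DEVICE_COMPLIANCE = {
    "laptop-01": {"managed": True, "edr_healthy": True},
    "byod-17": {"managed": False, "edr_healthy": False},
}
RISK_SCORES = {"alice": 20, "bob": 75}  # 0 (low) to 100 (high), hypothetical scale

# One central policy store, so every enforcement point applies the same rules.
POLICIES = {
    "payroll-app": {"group": "finance", "managed_device": True, "max_risk": 50},
    "wiki": {"group": "engineering", "managed_device": False, "max_risk": 90},
}


@dataclass
class Decision:
    allow: bool
    step_up_mfa: bool = False
    reasons: list = field(default_factory=list)


def pdp_decide(user: str, device: str, resource: str) -> Decision:
    """Policy Decision Point: combine identity, device and risk context per request."""
    policy, ident = POLICIES.get(resource), IDENTITY_PROVIDER.get(user)
    dev = DEVICE_COMPLIANCE.get(device, {"managed": False, "edr_healthy": False})
    if policy is None or ident is None:
        return Decision(False, reasons=["unknown resource or identity"])
    reasons = []
    if policy["group"] not in ident["groups"]:
        reasons.append("user not in required group")
    if policy["managed_device"] and not (dev["managed"] and dev["edr_healthy"]):
        reasons.append("device unmanaged or EDR unhealthy")
    if RISK_SCORES.get(user, 100) > policy["max_risk"]:
        reasons.append("risk score above policy threshold")
    if reasons:
        return Decision(False, reasons=reasons)
    # Access is allowed, but a session without MFA must step up first.
    return Decision(True, step_up_mfa=not ident["mfa"],
                    reasons=[] if ident["mfa"] else ["MFA required before access"])


def pep_access(user: str, device: str, resource: str) -> str:
    # Policy Enforcement Point in front of one application: applies the PDP result.
    d = pdp_decide(user, device, resource)
    verdict = "ALLOW" if d.allow and not d.step_up_mfa else "STEP_UP" if d.allow else "DENY"
    return f"{verdict} {user}->{resource}" + (": " + "; ".join(d.reasons) if d.reasons else "")
```

Because the policy lives in one place and the PEP asks the PDP on every request, a change such as lowering `max_risk` or requiring a managed device takes effect for all applications at once, which is the integration the questions above are probing for.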
Why pursue ZTNA
Once we explain what ZTNA is and what its main components are, we ask clients how they think they could benefit from Zero Trust. Usually, the answer is not very clear, so we first ask about some of the main IT, security, and business objectives at their organization to help them build ZTNA business objectives that align with their overall goals and needs. Here are some business objectives that you should consider when building a ZTNA strategy:
- Enable and Future-Proof Digital Transformation and Cloud Migration. Many of our clients are either getting started or in the middle of transitioning their digital assets to some form of Cloud infrastructure. As this trend continues and companies navigate their digital transformation, ZTNA provides a scalable and flexible network architecture that can adapt to changing business needs. It is a foundation for growth, enabling organizations to integrate new technologies seamlessly while maintaining a robust security posture; in other words, ZTNA increases agility.
- Enhanced user experience. One common complaint we run into is the complexity of managing different approaches to how people access digital resources, and how different and complex their experience is when going from on-prem resources to remote access. Add Cloud migrations to that, and access is all over the place. Zero Trust security can enhance the user experience by providing more seamless and secure access to data and systems. In addition, when ZTNA platforms are integrated across the infrastructure, users have the same logon experience regardless of where their resources are hosted.
- Reduced complexity and operational cost. By integrating a ZTNA platform with existing platforms, organizations can achieve two goals: a) Zero Trust security can help reduce the complexity of the security infrastructure by eliminating the need for complex perimeter security devices, and b) ZTNA can also help reduce operational cost by eliminating expensive legacy security tools designed to protect on-prem assets (e.g., VPN). This is because Zero Trust security relies on a combination of identity and access management (IAM), microsegmentation, and threat intelligence to protect data and systems.
- Simplified Identity and Access Management. There are usually multiple systems involved in an IAM program. ZTNA platforms can help organizations bring some of these platforms together while eliminating others. This leads to improved processes that simplify access management and reduce unauthorized access to data.
- Finally, enabling organizations to achieve proper segmentation. Ask any CIO or CISO about their segmentation strategy, and they will stumble. This is because segmentation has traditionally been expensive and complex; it usually means that you must put several firewalls across the network. Enter ZTNA’s capabilities around microsegmentation to isolate critical systems and data! Microsegmentation is a technique that divides a network, applications, and data into small, isolated segments. In a ZT Network Architecture and Platform, this is achieved by segmenting the application and the user’s access to it, as opposed to an entire network segment. This makes it more difficult for an attacker who has breached one segment to move laterally within the network, because in a ZTNA architecture users and devices are not trusted by default. Instead, they must authenticate and be authorized for each application or data resource they want to access. This helps prevent attackers from reaching sensitive data, even if they can get onto the network.
- Risk reduction. Bringing some of these aspects together, you can reduce risk by shrinking the attack surface through microsegmentation and by granting access based on a user’s identity, location, and other contextual factors. This granular control significantly reduces the risk of lateral movement and potential breaches, so your sensitive data remains protected.
- Increased visibility, detection, and response capabilities. When we talk to CEOs, COOs, and General Counsels, they always tell us that the number one thing they expect from their security team is “no surprises and to let us know when something happens as soon as possible”. Zero trust security gives organizations increased visibility and control over access to data and systems. As a result, the ability of security operations teams to detect and respond to incidents is faster and provides ways to automate such responses to make them more efficient.
- Simplified compliance processes. This is another complex and tedious task for most CIOs and CISOs. When you put common regulations and standards such as ISO 27001, GDPR, or HIPAA in front of you, you start seeing common patterns across the board. A network and security architecture based on Zero Trust principles aligns with various compliance frameworks, making it easier to adhere to data protection regulations. We can confidently assure our clients and stakeholders that their information is handled securely and in compliance with industry standards.
By adopting Zero Trust Network Architecture, we prioritize security, reduce risks, and foster a productive work environment. The key to ZTA is whether your systems can work together to “make risk-based decisions”. This is where our architects and engineers at CA2 Security can help. We have access to vast resources that can combine and integrate your systems to build a ZTA that works for your organization, without the “vendor collusion” that we usually run into in the field. We start by defining your business objectives. We also like to define some architectural principles that work for your organization and that you should be following. Then we document all the architectural components in place, identify the strengths and gaps in each component’s capabilities, and analyze how the capabilities complement each other, so that we can build an integration plan for an effective and simple Zero Trust Architecture using your existing capabilities.
Let’s embrace the power of Zero Trust and thrive in the digital age together!