Assume zero trust when someone or something requests access to work assets. You must first verify their trustworthiness before granting access. Zero Trust is rapidly becoming the security model of choice for many organisations; however, security leaders often struggle with the major shifts in strategy and architecture required to holistically implement Zero Trust.
As Zero Trust security itself is a strategy, so too is its deployment. The best approach to reaching a Zero Trust framework is to start with a single-use case, or a vulnerable user group, for validation of the model.
Main Pillars of Zero Trust and where to start
1. Inventory of Devices (HW and SW Asset)
2. Identities (Visibility and Management of Users) – including internal and external workforce, services, customer access and IoT components
3. Privilege Account and Access Management, Least Privileges for std users
4. NAC, Visibility of Devices connected to your network, and enforcing device health and compliance
5. Apps and APIs – ensuring they have appropriate permissions and secure configurations
6. Endpoint Management Solution
7. Data – giving it the necessary attributes and encryption to safeguard it.
8. Networks – establishing controls to segment, monitor, analyse and encrypt end-to-end traffic
Co-Founder at Bitscape Technology Services Limited
Real User
Aug 23, 2022
To start implementing a Zero Trust model in an enterprise, you need to first and foremost define the Attack Surface.
To do this, you want to identify the areas you need to protect. The attack surface is always expanding, making it difficult to define, shrink or defend against.
Focusing on your most valuable assets – sensitive data, critical applications, physical assets, and corporate services – ensures that you are not overwhelmed with implementing policies and deploying tools across your entire network.
Once defined, you can move your controls as close as possible to that protected surface.
Founder and CEO at a consultancy with 51-200 employees
Real User
Aug 24, 2022
Begin Rant
The phrase "Zero Trust" is an oxymoron and means nothing in itself. The appropriate result of zero trust is the calculated absence of a transaction. However, it is a way cooler catchphrase than "Atomic Access Provisioning, Control and Monitoring". As a result, the bandwagon of cyber security has used the phrase to brand their products and services to best represent the path to a security utopia. This has only added to the confusion created by every pundit and blogger who has positioned themselves as authorities on the subject.
End Rant
So what really is meant by Zero Trust?
To answer this, I lean on the CISA Zero Trust initiative to find the definition. Loosely stated, CISA describes Zero Trust as a collection of concepts and ideas to enforce least-privilege granular access decisions. In other (my) words, Zero Trust is best defined or understood as enforcing a trust boundary around every data element, or in other words, protecting your organization's information assets. Is that not the objective of every self-respecting Security Program?
How you meet these goals has not changed no matter how you label your security program. The essential elements as defined by @Timothy Rohrbaugh, with respect, remain the same:
* Reducing the likelihood of an adverse security event.
* Reducing the time to discover the event
* (I add this to the list) Minimize the impact of a successful adverse security event.
Some of the imperatives have changed the impact of the way a security program is designed. Some of them are:
* Increasing sophistication and automation of attacks due to highly incentivized and well-funded adversaries
* Increased commoditization and simplification of attack techniques making it easier for less sophisticated adversaries to launch successful attacks
* Rapidly shrinking time between vulnerability discovery and its weaponization
* Rate at which technology platforms evolve leaving small time windows for validating secure code, building security controls, patching, etc.
* Diffusion of network edges due to the use of SaaS services, third-party libraries, APIs, authentication, etc.
* Increasing push for compliance by regulatory bodies and contractual obligations diluting security resources available
* Cost of security tools, services and personnel
In a nutshell, you are not late to the party, you are already on the path to "zero-trust".
What keeps changing really is that the trust boundary keeps shrinking and you adapt your controls accordingly and change your measurements in line with the threat perception.
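The pillar list in the first answer (device inventory, identity, least privilege, device health, data labelling) and the CISA-style definition above (a trust boundary enforced around every data element, with default deny) describe the same decision logic. The following is an added example, not code from any of the posters or from any product mentioned in the thread: a small policy decision point that evaluates each access request against those pillars and denies unless every check passes. All identities, device ids, roles, data labels and requests are constructed for illustration.

```python
"""Minimal zero-trust policy decision point (added example, constructed data).

Each request is checked against several pillars from the thread:
  - identity is known and strongly verified (pillars 2/3),
  - device is inventoried, assigned to the user and compliant (pillars 1/4/6),
  - the role grants least-privilege access to this specific data element (pillars 3/7).
Default outcome is deny; every failed check is recorded as a reason so the
decision is auditable.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# --- Constructed reference data (assumptions, not taken from the page) -----

# Pillar 1/4/6: device inventory with health and compliance state.
DEVICE_INVENTORY: Dict[str, dict] = {
    "lap-0042": {"owner": "alice", "compliant": True, "disk_encrypted": True},
    "lap-0077": {"owner": "bob", "compliant": False, "disk_encrypted": True},
}

# Pillar 2/3: identities and the roles they hold (kept deliberately narrow).
IDENTITIES: Dict[str, dict] = {
    "alice": {"roles": {"finance-analyst"}},
    "bob": {"roles": {"contractor"}},
}

# Pillar 7: every data element carries a label and an explicit per-action ACL.
DATA_CATALOG: Dict[str, dict] = {
    "ledger-2024": {"label": "confidential",
                    "read": {"finance-analyst"}, "write": {"finance-lead"}},
    "lunch-menu": {"label": "public",
                   "read": {"finance-analyst", "contractor"}, "write": set()},
}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    action: str           # "read" or "write"
    mfa_verified: bool    # did the session complete strong authentication?


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Evaluate one request. Any failed check denies; reasons list why."""
    reasons: List[str] = []

    # Identity: must exist and must have been strongly verified this session.
    identity = IDENTITIES.get(req.user)
    if identity is None:
        reasons.append("unknown identity")
    elif not req.mfa_verified:
        reasons.append("identity not strongly verified (no MFA)")

    # Device: must be inventoried, assigned to this user, and healthy.
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        reasons.append("device not in inventory")
    else:
        if device["owner"] != req.user:
            reasons.append("device not assigned to requesting user")
        if not device["compliant"]:
            reasons.append("device fails health/compliance check")

    # Data element: least privilege is checked per resource and per action.
    data = DATA_CATALOG.get(req.resource)
    if data is None:
        reasons.append("unknown resource")
    elif identity is not None:
        allowed_roles: Set[str] = data.get(req.action, set())
        if not (identity["roles"] & allowed_roles):
            reasons.append(
                f"no role grants '{req.action}' on label '{data['label']}' resource")

    # Data attribute drives an extra device requirement for non-public data.
    if (data is not None and data["label"] != "public"
            and device is not None and not device["disk_encrypted"]):
        reasons.append("non-public data requires an encrypted device")

    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample requests; each line is one access decision.
    for r in [
        AccessRequest("alice", "lap-0042", "ledger-2024", "read", True),
        AccessRequest("alice", "lap-0042", "ledger-2024", "read", False),
        AccessRequest("bob", "lap-0077", "lunch-menu", "read", True),
        AccessRequest("mallory", "lap-9999", "ledger-2024", "read", True),
    ]:
        d = evaluate(r)
        print(f"{r.user}@{r.device_id} {r.action} {r.resource}: "
              f"{'ALLOW' if d.allow else 'DENY'} {d.reasons}")
```

The point of the structure is that location never appears as an input: the same checks run whether the request comes from the office LAN or a coffee shop, and the trust boundary sits around the individual data element rather than the network. Recording every failed reason rather than stopping at the first one is what makes the deny decisions useful to the people who own pillar 4 (device compliance) and pillar 3 (access management) respectively.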
Zero trust can be part of a complete endpoint protection service.
At M3COM we can assist with a SASE solution that will provide Zero Trust, WAN optimization, Next Gen antimalware, Intrusion protection and Data Loss Prevention.
What is zero trust?
@ABHILASH TH, thank you for this detailed answer.
Hi Evgeny,
You can check out the below blog for more details on the Zero Trust Model:
https://infraon.io/blog/index....
Thanks,
Abhirup
Zero Trust is an attitude. Get the team to have it.
How big is the enterprise?
@Olga Richmond 1000+ employees.