Fortra. Zero Trust 101: A Guide to Zero Trust Security
Murphy’s law famously states that if anything can go wrong, it will go wrong. Security has long-since adopted this mantra and implemented zero trust as a coping mechanism.
When taken in full, it can present quite a challenge. But broken down into its various parts it becomes a manageable task, especially when guided by a security partner with the right toolset to take you through each advancing level of security maturity.
What Is Zero Trust?
Simply put, zero trust is the approach of “never trust, always verify”. This model assumes any user could have malicious intentions and that a cyberattack may already be underway. In other words, zero trust is the approach of erasing inherent trust and requiring constant and ongoing authentication and authorization for the users, services, and systems on the network.
The three basic tenants of a zero-trust strategy are:
- Always assume a breach
- Trust no one
- Verify everything
Even after verifying a user’s identity, the user in question still doesn’t have the “keys to the kingdom”. Zero trust approach denies total access to the user, opting instead to make them prove their identity layer by layer, step by step, continuously. By leveraging network segmentation and establishing micro-perimeters, zero trust measures only grant access to assets when a valid reason is presented for doing so.
How to Get Started
It’s important to recognize that zero trust is not a technology, but a journey. It includes tools and processes necessary to create an environment that requires full validation before granting access to sensitive data.
Thinking About Zero Trust
Tackling zero trust in a pragmatic, step-by-step approach can lead to better success than trying to overhaul your entire infrastructure at once. For example, you can start by establishing:
- What to protect. This can be critical assets, systems, software, and data.
- What to protect it from. Are your trouble spots over-privileged users? Poor password hygiene? External threat actors? Whatever it is, prioritize your areas of weakness before you begin.
- A reasonable starting point. Consider an iterative approach of tackling the problem system by system or in groups.
Zero trust is doing now what we were too naïve to do at the inception of the internet; define what is important and figure out how to properly defend it. Because we’re retrofitting old architectures into a new way of security, a lot of smaller steps and customizations need to be made before something can be considered fully ‘zero trust’.
However, each journey starts with a single step.
Vulnerability Management: The Backbone of a Zero Trust Strategy
The first step of that ‘iterative process’ is to define what the weak spots are. Once organizations have defined the parameters of what needs protecting and what the enemies are, vulnerability management is the logical next step.
This focuses on weaknesses within the infrastructure — not the access points. It identifies and prioritizes vulnerabilities, which require patching and misconfigurations that could be easily exploited. When it comes to vulnerability scanning, most organizations require a flexible solution that can take on the challenges of a hybrid environment without bogging down configuration.
And remember, the right results provide actionable insights to facilitate impactful remediation on the part of the organization.
Applying a Zero Trust Framework
No matter the size of your organization, it is best to move towards zero trust in steady, measurable steps. John Grancarich, Executive Vice President, Fortra, outlines a management process to achieve progress towards zero trust:
- Prepare for the journey towards a zero-trust security framework. Know the principles of zero trust, know the scope of your organization and its assets, and get together a team. You need to know what you’re working with.
- Classify your assets. Organize your areas of protection by the importance of the asset. Once you’ve established low, medium and high impact assets, prioritize from there.
- Select an initial set of assets to address. Protect your highest impact items first, pausing proactive zero trust security work on all the rest until this is done.
- Implement initial security controls. Begin choosing, deploying and testing your new zero trust compatible processes, procedures, technological solutions, and services for your identified subgroup.
- Assess the performance of your controls. Continuously make sure your implementations are running as expected.
- Authorize systems. Senior leadership signs off on security systems, privacy plans, and the whole operation thus far.
- Monitor results and refine as needed. Keep a constant watch on zero trust implementations from day one. Monitor for deviations, trigger actions based on conditions met, and reduce false positives discovered in monitoring.
At this point, you iterate the whole process over with the next highest priority assets on your list, and so on from there. In this way, companies can eat the zero-trust elephant one bite at a time, learning how to implement a zero-trust strategy with more accuracy, insight, and success each time around.
The State of Zero Trust Now and Future Predictions
Research by Cybersecurity Insiders and Fortra reveals how organizations are adopting zero-trust security into daily business flows. Currently, only 15% of respondents indicated zero trust network access (ZTNA) was “already implemented”. Another 9% said they had “no plans” to implement. While far from ubiquitous, it is safe to say that zero trust is a trend that will only increase among business leaders, and one that is garnering a great deal of critical thought.
Preferred ZTNA Tenants
When asked, there were several zero trust tenants that were most compelling to organizations. They ranked:
- Continuous authentication/authorization (66%)
- Trust earned through verification of entities, including users, devices, and infrastructure components (65%)
- Data protection (64%)
- End-to-end access visibility and auditability (61%)
- Least privilege access (60%)
Don’t Forget Devices
In our headlong rush to protect the enterprise, it’s easy to overlook the number of risks, threats, and vulnerabilities mobile devices introduce. While many stated the importance of data protection, mobile device management (MDM) and bring your own device (BYOD) was low on their lists of priorities. Understandably, BYOD is tricky to navigate as it relies on privacy yet can be difficult to control. As it stands, mobile devices continue to be a pain point for intrusion prevention and data loss prevention (DLP) efforts.
Secure Access Priorities
When it comes to achieving ZTNA, respondent companies prioritized in this manner:
- Multi-factor authentication/privileged account management (65%)
- Anomalous activity detection and response (50%)
- Securing access from personal, unmanaged devices (46%)
Securing Public Cloud
Traditional remote access solutions still aren’t up to the task of dynamically securing today’s distributed cloud environments. Consequently, the most mentioned workaround was “hair pinning” remote and mobile users through data centers to access public app clouds (53%). And shockingly, over a third (34%) have to publicly expose cloud apps to enable remote and mobile users, drastically increasing risk to the enterprise.
Benefits of a Zero Trust Security Framework
Adopting a zero-trust approach ultimately reduces the attack surface, statistically lowering the chance of attack. While that remains the most obvious benefit, others include:
- Support for compliance requirements
The closed connection tenant of zero trust helps prevent exposure of private data, helping to keep you in the clear with compliance standards such as the federal government’s NIST 800-207, the payment card industry’s PCI DSS, or the healthcare industry’s HIPAA and HITECH requirements.
- Better cloud access control
Zero trust security policies can be applied to give you more visibility and access control within the cloud. With protection attached to the workload, your data remains safe — even if the environment changes.
- Data breach risk reduction
By assuming all entities are hostile, an organization naturally cuts down on the chances of inadvertently letting in a cybercriminal. Less risky users means less chance of a data breach. And should they manage to get inside the network, zero trust deployments are designed to stop them at every turn.
Even starting on the zero-trust path is more beneficial than waiting on the sidelines. Each sector, each asset category, each system you convert to zero trust protection is one more that is harder to breach. Threat actors go for the low-hanging fruit. While organizations are wanting to fully ‘achieve’ zero trust, an unforeseen number of attacks will be blocked by simply making an entity that much harder to hack than all the rest.
Zero trust is a methodology that starts giving from day one.
How Fortra Supports Your Zero Trust Journey
Fortra is proud to move the needle forward by providing a host of solutions to aid you on your zero-trust journey. While each company’s architecture is their own, we serve as a relentless ally and partner in determining your security needs and identifying the controls that would work best with your particular use case, factoring industry, maturity level and headcount into the process.
Our offerings include:
- Data Classification. Visual and metadata labels to guide how data should be accessed and shared downstream.
- Data Loss Prevention. Learn how your data is being used and block undesirable actions against it.
- Secure File Transfer. Encrypt the automated file transfer process and bundle with DRM to fully protect files in transit.
- Secure Collaboration.Control who can access files — and what they can do with them — even after they’re sent.
- Identity and Access Management. Manage user access to valuable resources and streamline provisioning, PAM, and password management.
- Integrity Management. Identify misconfigurations and indicators of compromise with layered management tools.
- Vulnerability Management. Discover weaknesses in endpoints, servers, applications and security controls before it’s too late.
While enterprise wide zero trust is always the goal, there is no zero trust “finish line”. As long as threat actors continue to improve their craft, there will always be more exploits to defend against and more creative ways to do so. Zero trust is a process rather than a product.
Fortra enables organizations along their zero-trust journey. Our portfolio of extensive solutions works both conjointly and independently to bring you the best answer to your zero-trust challenge — be it with one solution or a bundle.
Source: Fortra