Zero-trust implementation begins with choosing an on-ramp

Zero-trust security has three main on-ramps -- each with its own technology path. For a clear-cut zero-trust implementation, enterprises need to choose their on-ramp wisely.

Over the past few years, the concept of zero-trust security has hit a tipping point, where more than 70% of companies, according to a recent Nemertes Research study, support adopting a zero-trust security model. Yet, many enterprises are still perplexed about where in the enterprise to start their zero-trust implementation.

Three distinct on-ramps can lead enterprises through their zero-trust migrations: applications and data; the network; and user and device identity. Each on-ramp features key components, technologies and initiatives cybersecurity professionals should seek to deploy.

While enterprises ultimately will connect zero trust to all three on-ramps, picking the one to start with will be key to success. The on-ramp selection will largely be guided by the organization's current environment and planned zero-trust strategy.

Results of the Nemertes 2019-2020 Cloud and Cybersecurity Research Study are included throughout this article to illustrate the adoption -- or intent to adopt -- of certain technologies associated with zero trust.

On-ramp 1: Applications and data

An environment heavily focused on applications and data protection -- particularly a cloud environment -- may lend itself to starting from the applications and data on-ramp.

Here are the technologies that should be considered with the applications and data on-ramp.

Data classification. Data classification is the practice of associating security levels with specific types of data, regardless of where that data resides -- cloud, endpoints, data centers, etc. Classification provides the critical underpinning for controlling access for zero trust.

Nemertes found that just over 75% of companies had deployed data classification in 2019, with another 9% planning to do so by the end of 2020.

Figure: Choose a zero-trust on-ramp

Data loss prevention. Data loss prevention (DLP) refers to tools that track and log access to data, whether cloud-based or on premises. They can provide control points for implementing zero-trust policies.

Nemertes found that 71% of companies deployed DLP in 2019, with another 12% planning to deploy it by the end of 2020.

Authentication and authorization of microservices. Microservices authentication is foundational for many advanced security initiatives, particularly zero-trust security, and refers to technologies such as Red Hat's Keycloak or others that follow an advanced authentication framework, e.g., OAuth (the Open Authorization framework).

Nemertes found that 72% of companies had deployed microservices authorization in 2019, with another 9% planning to deploy it by the end of 2020.

Container security. Container security provides an automated way to manage and secure groups of containers needed to deliver a service, including orchestration, tracking, launching and shutting down containers, and implementing policy across containers.

Nemertes found that, of the 60% of organizations already using containers, 91% are using container security and virtually all anticipate doing so by the end of 2020.

Cross-system integration via APIs. Cross-system integration via APIs refers to integrating various components of a cybersecurity infrastructure. It is foundational for many advanced security initiatives, particularly zero-trust security.

Nemertes found that 67% of companies already have deployed cross-system integration via APIs, with another 9% planning to do so by the end of 2020.

Enterprises that choose the applications and data on-ramp to get to zero-trust security should focus on implementing a mix of initiatives (data classification, API integration, microservices authorization) and critical technologies (DLP, container security) that enable securing applications and data at the most granular possible level.

On-ramp 2: The network

The network on-ramp for zero trust is a good match for enterprises that rely heavily on an established internal network with network-based controls and a substantial number of workloads still processed in an on-premises data center. Also, if the network is the current cybersecurity platform, then upgrading network-based controls to zero trust makes sense.

Here are the technologies that should be considered with the network on-ramp.

Automation. Automating network controls makes them dynamic so it's possible to revoke authorization midsession -- a key principle of zero trust. Technologists can automate network controls by writing their own scripts or by selecting management tools that include embedded automation.

Deep network segmentation. Deep network segmentation is foundational for many advanced security initiatives, particularly for zero trust. The concept refers to the approval of data flows based on user and type of resource instead of port, IP address and traffic type. For example, an approved list can determine that accounting can only have access to system X, regardless of where it is located or its current IP address.

Most advanced network vendors are now implementing deep network segmentation, which is sometimes called microsegmentation.

Nemertes found that 69% of enterprises said they have already adopted deep network segmentation, with another 11% planning to add it by the end of 2020.

Stateful session management. Stateful session management is the ability to manage sessions individually, tracking them by current state. Like deep network segmentation, it's typically a capability found in advanced network vendors' equipment.

Network encryption and secure routing. Network encryption and secure routing are security capabilities provided by networking devices. In these devices, routing should be controlled and validated, and network sessions should be encrypted.

Network virtualization, cloud-based firewalls and centrally managed firewalls. While they aren't inherently linked to zero trust, network virtualization, cloud-based firewalls and centrally managed firewalls make the implementation and management of zero-trust processes much easier. If network components are virtualized or cloud-based, automating controls is simpler, faster and easier than if they were to require physical or hands-on management. That, in turn, makes it faster and easier to deploy zero-trust policies, particularly those that are dynamic. Centralized firewall management enables security teams to manage and configure all firewalls in the organization, regardless of where they're located or whether they are physical or virtual.

Nemertes found that 74% of enterprises have centrally managed firewalls, with another 8% planning to implement them by the end of 2020. The survey also revealed that 71% of enterprises already have cloud-based firewalls, and another 10% are planning to have them by the end of 2020.

Software-defined WAN and Secure Access Service Edge. Emerging technologies, such as software-defined WAN (SD-WAN) and Secure Access Service Edge (SASE), can help enable network-based zero trust by providing network endpoints where zero-trust policies can be instantiated.

On-ramp 3: User and device identity

The user and device identity on-ramp may be most attractive to organizations with a large population of work-from-home users accessing cloud-based applications.

Here are the technologies that should be considered with the user and device identity on-ramp.

Biometrics. Biometrics can serve as a user credential, validating users and tying them to a trust profile. Requiring biometrics as part of the authentication process makes it easier to implement zero trust based on the user identity.

Multifactor authentication. Multifactor authentication (MFA) is another way to tie the user to the device to extend trust.

Identity and access management. Identity and access management (IAM) provides a platform for single-credential and single-login authentication across multiple cloud platforms and possibly internal systems.

Nemertes found that cloud-based IAM as a service was being deployed by 72% of organizations in 2019, with another 8% planning to add it by the end of 2020.

Device certification. Device certification extends trust to devices based on the configuration of the device. Organizations need to check whether applications and OSes are up to date and properly patched and whether all applications are part of the enterprise's portfolio.

Technologists who take a user- and device-centric approach to zero trust will grant access to resources based on who the user is (biometrics and MFA), whether the device poses a threat (certification) and the overall IAM policy. They also can monitor user behavior with technologies such as user and entity behavior analytics and behavioral threat analytics to implement the dynamic elements of zero trust, which include revoking user permissions if users or endpoint devices are behaving in a way that constitutes a threat.
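The two ideas above that are easiest to get wrong in practice are the deep-segmentation rule from the network on-ramp (accounting may reach system X regardless of its current IP address) and the user- and device-centric decision just described (identity plus device certification plus policy, re-evaluated so permissions can be revoked mid-session). The following policy engine is an added illustration, not code from the article or from any vendor named in it; the group-to-resource policy, approved application portfolio, patch baseline and risk threshold are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy data (not from the article): which groups may reach
# which resources, the approved application portfolio and the OS patch baseline.
POLICY = {"accounting": {"system-x"}, "engineering": {"build-server"}}
APPROVED_APPS = {"mail", "erp", "browser"}
MIN_PATCH_LEVEL = 42
RISK_THRESHOLD = 0.8  # behavior-analytics score above which access is revoked


@dataclass
class Device:
    patch_level: int
    installed_apps: set


@dataclass
class Request:
    user: str
    group: str
    resource: str
    source_ip: str  # carried for logging only; it never drives the decision
    device: Device
    mfa_passed: bool
    risk_score: float = 0.0


def device_certified(dev: Device) -> bool:
    """Device certification: OS at the patch baseline, only portfolio apps installed."""
    return dev.patch_level >= MIN_PATCH_LEVEL and dev.installed_apps <= APPROVED_APPS


def authorize(req: Request) -> tuple:
    """One zero-trust decision from user identity, device posture and group policy.
    Returns (allowed, reason). The source IP is deliberately not consulted."""
    if not req.mfa_passed:
        return False, "mfa required"
    if not device_certified(req.device):
        return False, "device not certified"
    if req.resource not in POLICY.get(req.group, set()):
        return False, "group not approved for resource"
    if req.risk_score > RISK_THRESHOLD:
        return False, "behavior risk too high"
    return True, "ok"


def run_session(req: Request, events: list) -> tuple:
    """Re-run the decision after each posture or behavior event (the dynamic element).
    Returns (revoked_at, reason); revoked_at is None if the session survives."""
    for i, (attr, value) in enumerate(events):
        if attr == "patch_level":
            req.device.patch_level = value
        elif attr == "risk_score":
            req.risk_score = value
        allowed, reason = authorize(req)
        if not allowed:
            return i, reason
    return None, "ok"
```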

Pick a path and pursue it

To sum it up, the process for tackling a zero-trust implementation comes down to three steps:

  1. Select an on-ramp based on the characteristics of the organization and its future strategy.
  2. Upgrade existing technology, deploy new technology and launch operational initiatives for the key areas in the on-ramp of choice.
  3. Once the migration in that on-ramp is complete, revisit the end-to-end architecture to make further changes, and then pick the next on-ramp to tackle.

This was last published in October 2020