5 steps to create a zero trust security model

Feature | Sep 17, 2018 | 9 mins | Authentication, Network Security, Security

A clear plan and willingness to change are critical to successfully moving to a zero trust environment.

Image credit: Thinkstock

The zero trust approach to enterprise security proposed by analyst firm Forrester Research nearly a decade ago can be challenging to implement. You need a clear understanding of the changes it entails and the impact it can have on the user experience.

The model emphasizes robust user authentication and device validation over network and endpoint security as key to protecting applications and data against new and emergent threats. Instead of having enforcement mechanisms at the network perimeter, zero trust focuses on moving them as close as possible to the actual application or surface that needs to be protected. Users and devices are not automatically trusted simply because they happen to be behind the enterprise perimeter or on a trusted network.

“Zero trust is a thought process and approach about how to create your organization’s cyber security posture,” says Steve Dyer, CTO of Respond Software. “Conceptually, it boils down to ‘don’t trust the network whether inside or outside the perimeter’.”

Implementing the model requires thoughtful planning and recognition that zero trust is a journey and not a destination. “Vendors are jumping all over zero trust as the next big thing they can hang their existing platforms on,” Dyer notes.

In reality, a lot of what’s involved in implementing the model is boring, unglamorous work: creating and maintaining policy around data access and authorizing access to the applications that read and write that data. “There are no silver bullets. The heavy lift will be on the internal teams since they understand the business drivers and core assets,” says Dyer.

Here are some of the key steps that Dyer and others believe are necessary for organizations to take when starting on the road to zero trust.

1. Define zero trust

The perfect starting point is for your team to come together and agree on a definition of zero trust, Dyer says. Define goals in terms of policy and develop a roadmap to achieve those goals. “It does not mean throwing away the currently deployed technologies that protect the perimeter,” he says. But it does mean being willing to think differently and making organizational changes when it comes to protecting your core assets.

Don’t get too hung up on the technology yet. Defer decisions on how to implement zero trust and the technologies that can help you there until after you have a clear idea of what zero trust means in your environment.

“You can’t go out and buy a zero trust anything,” Dyer says. “It’s a combination of cross cutting concerns to make it work – and that’s why it won’t be easy. A real commitment and understanding by the senior leadership will be key.”

2. Understand the user experience

When planning a zero trust approach, consider the impact the model will have on your user experience. The zero trust approach of never trusting and always verifying can change how users interact with your systems and data. You need to know who your users are, what apps they are accessing, how they are connecting to those apps, and the controls you have in place for securing that access.

Make sure you understand what the future user experience will look like before going down a path to changing it, says Andy Ellis, CSO of Akamai. Consider how you plan on making zero trust consistent across all of your applications and for all users. What kind of mechanisms do you want for controlling access in a granular and consistent fashion?

Ask yourself if there’s a need for distributed control, for example, by letting application owners define their own security policies. Or, is it better to gate policies through a centralized IT or security group? Consider how you will ensure and maintain compliance with requirements for secure data access.

“Once an organization identifies how they want their users to interact with their systems, they must accept that this transition cannot happen overnight,” Ellis says. Focus instead on implementing a zero trust model for your most at-risk use cases first and take the time you need to implement the model properly. “Over time, more and more of the small immediate wins will eventually coalesce into a complete transformation. Every win counts,” he says.

3. Choose the right architecture

There is no single approach for implementing a zero trust model and neither is there any single technology. At the most basic level, zero trust is about protecting your applications by ensuring that only securely authenticated users and devices have access to them. Where you are on the network matters less than how well authenticated you are and how trustworthy your device is.

Currently, there are three competing approaches to implementing a zero trust model—microsegmentation, software-defined perimeters (SDPs) and zero trust proxies, says Charlie Gero, CTO of the Enterprise and Advanced Projects Group at Akamai.

Microsegmentation has been around in one form or another for years and basically involves categorizing all network assets, users, applications, data stores, etc., into logical groups. The groups are segmented into their own enclaves, usually through VLANs, and often have a firewall acting as a traffic cop between them. Some see zero trust as being about network segmentation, but it is not.

Besides being enormously difficult to implement, segmentation is not very scalable and is riddled with other obstacles. “For example, when an enterprise has shared infrastructure such as an Oracle database, which group should it be in? The answer is that it will probably need to be accessed from most of the other VLANs as it is a shared resource,” Gero says.

With an SDP, organizations can establish on-demand IP tunnels between applications and users through an intervening firewall once the user has been authenticated and passed an authorization policy check for the given application. “Thus, users cannot even view or ping assets for which they are not authorized. In effect, sensitive and off-limit portions of the network go dark.” One limitation is that once the tunnel is established, an SDP does little to ensure the safety and integrity of the transactions.

The third approach—something that Akamai has adopted—is to use zero trust proxies to establish both the on-demand perimeter between the authenticated user and the application and the in-line behavioral and payload analysis, Gero says. “Zero trust proxies effectively combine the very best features of the previous two technologies along with payload analysis into one manageable system that can be incrementally deployed.”

4. Implement strong measures for verifying users and devices

Zero trust requires a complete rethink of how to secure every app, endpoint, infrastructure and user, says Tom Kemp, CEO of Centrify. The fundamental difference with zero trust is that enforcement mechanisms are moved from the network perimeter to the target system and application. Instead of basing security policies on whether someone is accessing an enterprise resource from a trusted or an untrusted network, the major focus instead is on verifying the identity of the user and validating their device.

On the user side that requires enhancing passwords with multifactor authentication (MFA) and additional verification steps to determine the level of access to be granted. Zero trust principles need to apply regardless of user type—end user, privileged user, outsourced IT, partner or customer—or the resource being accessed. Your access decisions need to be adaptive and dynamic, Kemp notes.

Achieving zero trust also means being able to trust the devices that are attempting to access your assets. That means having measures for ensuring that verified users enroll their devices so that they are recognized. “If the user is requesting access from a registered device they use every day, they have a certain level of trust,” Kemp says. “If they’re trying to access services from a workstation in an internet café they’ve never used before, then trust is out the window.”

Device validation also involves setting a minimum set of security requirements for devices and ensuring that only devices that meet that threshold get access to the network. “Have they been jail-broken? Do the device settings conform to company policies like disk encryption, virus protection and up-to-date patches?” Kemp says.
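The access decision Kemp describes (verify the user, validate the device, ignore where on the network the request comes from) can be written down as a small policy evaluator. This is an added example, not code from the article or from any vendor named in it; the posture attributes, the "low"/"high" sensitivity labels, the user types and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field
REQUIRED_POSTURE = ("disk_encrypted", "av_running", "patched")  # assumed minimum policy

@dataclass
class Device:
    device_id: str
    enrolled: bool                  # registered by a verified user
    jailbroken: bool = False
    posture: dict = field(default_factory=dict)   # e.g. {"disk_encrypted": True}

@dataclass
class Request:
    user: str
    user_type: str                  # "end_user", "privileged", "partner", ...
    mfa_verified: bool
    device: Device
    resource_sensitivity: str       # "low" or "high"
    source_network: str             # kept for audit only; never consulted by decide()

def posture_failures(device: Device) -> list:
    """Every minimum requirement the device fails; an empty list means compliant."""
    fails = [k for k in REQUIRED_POSTURE if not device.posture.get(k, False)]
    if device.jailbroken:
        fails.append("jailbroken")
    return fails

def decide(req: Request) -> tuple:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    if not req.device.enrolled:                 # the internet-cafe workstation case
        return "deny", "device not enrolled"
    fails = posture_failures(req.device)
    if fails:
        return "deny", "device posture: " + ", ".join(fails)
    # Adaptive MFA: always for high-sensitivity resources and non end-user types (assumed rule)
    needs_mfa = req.resource_sensitivity == "high" or req.user_type != "end_user"
    if needs_mfa and not req.mfa_verified:
        return "step_up", "MFA required before access"
    return "allow", "verified user on enrolled, compliant device"

# Constructed sample requests: the jailbroken phone is denied although it is "inside".
COMPLIANT = {"disk_encrypted": True, "av_running": True, "patched": True}
SAMPLES = {
    "cafe": Request("alice", "end_user", True, Device("kiosk-7", enrolled=False), "low", "internet"),
    "daily": Request("alice", "end_user", False, Device("lt-01", True, posture=COMPLIANT), "low", "corporate"),
    "admin": Request("bob", "privileged", False, Device("lt-02", True, posture=COMPLIANT), "high", "corporate"),
    "jailbroken": Request("carol", "partner", True, Device("ph-9", True, True, COMPLIANT), "low", "corporate"),
}
if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:>10}: {decide(req)}")
```

Note that `source_network` appears nowhere in `decide()`: a request from the corporate LAN on a non-compliant device fails exactly as one from the internet would.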

5. Be prepared for the challenges

Don’t underestimate the scale and scope of the work involved in implementing a zero trust framework, especially in large organizations. Moving to a model of permitting only authenticated and authorized access to applications regardless of where you are on the network is not easy.

For many organizations, defining and developing a data access policy that is consistent enterprise-wide will take time and pose a big challenge, says Dyer from Respond Software. Implementing and managing a unified authorization and access control system and identifying all applications that provide access to critical data can be a big task as well.

Figuring out a way to limit user access and privilege is another big challenge. “The biggest change organizations need to make is to grant users just enough privilege they need to do their job and prompt for MFA without unnecessarily impacting user experience,” Kemp says. They need to be able to ensure that any privilege granted to a user is temporary, time-bound and automatically revoked.

For Akamai, the largest implementation challenge was with its non-web applications, many of which did not easily support the ability to do things like MFA. The company spent a significant amount of time building capabilities for handling such applications and eventually had to build a lightweight agent that would allow non-web applications to work better with the zero trust proxy. “We’re deploying lightweight, client-side application tunnels to provide authenticated access to those applications now, but that was an area that we really needed to think about,” Ellis says.

At the most basic level, zero trust means securing user identity and then protecting the application, says Stephen Kovac, vice president of global government and compliance at Zscaler. “This can best be done by providing inside out connectivity, precise access, trust no one encryption, etc.”

This means the network and the endpoints no longer matter. What matters is that users are secured regardless of device or location. “If we secure the user’s identity, understand the applications they use, and secure the application well — then endpoint device and network become irrelevant. This is a mega shift.”