For the past few years I was puzzled by the concept of Zero Trust (ZT). I thought it was this big, nebulous thing that I just could not wrap my mind around. Every time I asked a vendor partner for a definition I received a different one, and each one just led me to having more questions. I finally sat down with a group of trusted practitioners and vendor partners and forced a meeting that lasted as long as it took for me to understand what is meant by ZT. Here is what I came up with. Hopefully, you will find it to be somewhat useful if you are just now starting your look into ZT for your organization, and if you are not – you should be.
ZT is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve security posture (NIST 800-207). ZT follows three core principles: assume breach, explicitly verify, and least privilege. Core parts of ZT are privileged access management, placing cybersecurity controls at the perimeter and on the endpoints, and building out your defense-in-depth architecture. ZT is having items such as the following in place:
- MFA
- Mobile Device Security
- EDR/Advanced EDR
- CASB
- Email Security
- Privileged Access Management
- Clean Admin Workstations
- Tools to protect or secure legacy infrastructure and apps
- Going passwordless should be strongly considered.
- NAC
- DLP
- IPS and AV at the Perimeter level and server host level
- Network segmentation
- Management of Special through their life-cycle
- Removing admin rights from users who don’t need them, and removing unnecessary services, ports, protocols or applications (principle of least privilege)
- Just in Time (JIT): providing elevated privileges only when required and then removing them.
Reading through this list, most of you will find that you have already put in place most or all of these items, which means that you are well on your way or have pretty much completed your ZT journey.
Other items of possible interest:
- Continuously communicate and start communications with regional and country counsel as early as possible. Keep them informed of the ZT journey and how/why the environment is changing.
- NIST 800-207 is a short read about ZT.