How to Enforce a Zero Trust Policy—Starting With the Basics
Here’s a question you’re likely hearing from at least some of your customers lately, “Can you help our business implement and enforce zero trust security?” Or maybe some customers are simply looking to you, as their managed service provider (MSP), to help them understand what zero trust is and why they should even care about it.
Either way, the bigger question is whether you can give them the answers they need about this rapidly evolving area of security—especially if you are getting up to speed with it yourself. To help you ramp up fast on zero trust, this post provides an overview of some need-to-know basics about this approach to cybersecurity, including what it is and how to enforce a zero trust policy.
What is zero trust security?
First, it’s important to understand that zero trust isn’t a product. (You’ll also need more than one product to support it!) Zero trust is a security framework. More specifically, zero trust is a holistic, strategic approach to security that ensures every user and device that is granted access to a company’s resources is who or what they say they are.
Zero trust is an embodiment of the old saying: “If you can’t trust anyone, it’s best to trust no one.” Under zero trust, no actor can be trusted until they are verified with appropriate controls—and they are also verified continuously.
Why is zero trust relevant now?
The traditional security perimeter barely exists now, and it’s continuing to erode by the minute. In today’s digital world, data is spread across an almost infinite number of services, devices, applications, and people, and that number just keeps growing.
Zero trust assumes that the traditional network edge isn’t there. In the modern enterprise, networks can be local, in the cloud, or part of a hybrid model. Resources can be anywhere—and the workers accessing those resources can be anywhere, too.
If a business is still trying to secure its digital assets with an outdated model of perimeter security, it’s at risk. If this sounds familiar, it’s time to consider a switch.
Even agencies in the federal government are transitioning to zero trust right now. In fact, that’s a key reason that this methodology has been generating so much attention over the past year. In May 2021, the Biden administration issued its Executive Order on Improving the Nation’s Cybersecurity, mandating that federal agencies move to a zero trust security model. Earlier this year, it followed up with the federal zero trust architecture strategy, which outlines specific actions federal agencies need to take to adopt zero trust architecture over the next couple of years.
However, many other organizations in the public and private that don’t need to move to zero trust are still deciding to make this journey because they see it as a way to reduce risk and better secure digital transformation. A ESG Research Report shows that this approach to security can result in 50% fewer breaches. But beyond protecting valuable data by reducing the chance of a breach, there’s also a bottom-line benefit to zero trust: Companies spend 40% less on technology because everything is integrated.
Also, according to a recent Forrester study, companies that adopted zero trust were twice as confident in their ability to bring new business models and customer experiences to market. Preventing attacks and reducing the risk of data loss are great outcomes of a zero trust approach, of course, but making products and experiences that customers love is what makes a company great.
Zero trust security best practices
So, what’s involved in enforcing a zero trust security policy? A lot. It requires the application of an array of security best practices—ones that just make good business sense anyway given the nature of today’s cybersecurity threat landscape. For example, an organization that has adopted a zero trust framework will need to implement practices such as:
- Validating the identities of all users through multi-factor authentication (MFA)
- Keeping all devices updated and in good health through vigilant patch management and software updates
- Conducting thorough observation and monitoring to obtain the most valuable data to inform access control implementation
- Limiting access controls to specific applications, resources, data, and assets, rather than the broader network
Identify what you need to protect most
But what is the real first step toward implementing zero trust other than deciding to make the journey? It’s outlining the “protect surface”—or what is most valuable to your business. What data, applications, assets, and services (DAAS) does the organization need to protect to keep the business up and running normally?
By defining the protect surface, an organization can then focus its resources strategically on defending what really matters to the business, instead of trying to identify and protect the entire attack surface or focusing on just the perimeter (which we already know isn’t effective). Also, because the protect surface is much smaller than the attack surface or the perimeter, it is easier to protect.
Identify all the nooks and crannies in your network
When you’re building a zero trust architecture, it’s extremely important to map out the organization’s network topology so that you know where your assets are located. The goal is to understand who your users are, what devices they are using, and which services and data they are accessing.
Pay special attention to components that use the network. Under zero trust, you need to consider any network as hostile—whether it’s your local network or an unsecured public network. Also, consider existing services that weren’t designed for a zero trust architecture, as they may not be able to defend themselves under the new, stricter methodology.
Once the network topology is mapped, it’s time to determine how your systems work. This will help you understand where you need to create access controls, so you can verify that a user or entity fulfills the correct criteria for gaining access to protected areas. These controls will also help ensure that no communication can occur between a user and application that are unknown to security admins.
Where to look for more guidance on the zero trust framework
To reiterate, when a business adopts a zero trust approach to security, it’s making the choice to require all users, whether they’re inside or outside of the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before they are granted access to applications and data—or allowed to maintain access to those resources.
The zero trust framework uniquely addresses the security challenges that most modern businesses face, such as securing remote workers and hybrid cloud environments and protecting against disruptive, costly cyberthreats like ransomware. Zero trust can help organizations secure their infrastructure and data so they can operate more confidently in today’s complex, digital world, and pursue digital transformation knowing they’re protecting what’s most important to the business all along the way.
Many security vendors have tried to create their own definitions of zero trust, but there are standards from recognized organizations that can help businesses transition to a zero trust security approach. The Cybersecurity and Infrastructure Security Agency (CISA), for example, offers a Zero Trust Maturity Model that includes five pillars—Identity, Device, Network, Application Workload, and Data—and is intended to help support an organization’s zero trust journey.
And really, it is a journey, just like digital transformation itself. It can take several years for an organization to get where it wants to be with zero trust security, and because networks are always evolving, it will be an ongoing process to maintain an effective zero trust architecture.
Also, keep in mind that there is no one-size-fits-all approach to zero trust. Even NIST acknowledges in its recently published zero trust planning guide for federal organizations that “there is no single specific zero trust infrastructure implementation or architecture.”
As an MSP, getting a handle on the basics of zero trust now can help you support your customers well in the future, and it’s likely that many of them are already thinking about transitioning to zero trust. Plus, if you decide to make the journey yourself, it will only help to make your MSP business more secure and resilient.