7 key considerations for adopting zero trust
When we look at Zero Trust, it helps to take a step back. The internet is flooded with articles, hot takes, and it’s all too easy to get caught up in the hype. We run the risk of going too fast and missing important fundamentals. There’s an airplane analogy -- in turbulence, a rookie pilot might be tempted to speed up and get through the storm quickly. That, however, will lead to instability and further risk of peril. The more experienced pilot cuts all that is unnecessary, slows down, and stabilizes the aircraft.
That’s what we need to do with Zero Trust: look before we leap, prioritize alignment and consistency, and avoid the hype. We’re developing the security architecture that will underpin our organizations as they plant their flag in the digital revolution. As threats increase and margins of error decrease, doing it right the first time will make a big competitive difference in the future.
Zero Trust is confusing
Zero Trust can often engender confusion. We struggle to find consensus on what exactly Zero Trust is, whose definition to use, what exactly it entails, or who’s doing it right. It’s a bit of a "throw spaghetti at the wall" deal and we’re hoping things stick.
As security practitioners, we heed the temptation to rush towards the "new new thing" and can forego the necessary internal strategy discussions first. You don’t know how to get where you’re going without a map, so start there. Next there’s the sprawl. No perimeter means boundless options for securing an even more overwhelming number of vectors. And we’re supposed to secure all that to the Nth degree?
If this is possible to any degree, it will require a paradigm shift. And that precipitates a return to basics.
Prepare
To push through an organization-wide initiative that will affect the day-to-day work of all departments in IT, security, and operations, you need to have all the right people on board. That’s why alignment is not an option, it’s a bare minimum. Create a core team of key players that are "restless for better", taken from the ranks of Ops, Red Teams, Blue Teams, and IT infrastructure, among others.
Next, establish a solid understanding of Zero Trust within that group. It’s fine to take a while on this step -- this will lay the groundwork for all the others, so dig into the data. Learn about Zero Trust architecture, the recommendations and frameworks, and establish a plan of how you’re going to apply the data to your organization. Here’s a great set of foundational resources I’d recommend you and your team start with:
- NIST SP 800-207 Zero Trust Architecture
- Department of Defense (DoD) Zero Trust Reference Architecture
- Planning for a Zero Trust Architecture: A Starting Guide for Administrators (NIST)
- NIST Risk Management Framework for Information Systems and Organizations
- NSA Network Infrastructure Security Guidance
- CISA Zero Trust Maturity Model
Once you’ve familiarized yourself with the literature, it’s time to start. Take a methodical approach to Zero Trust adoption, and you’ll find your changes "stick" -- not only in the architecture, but with those who are going to implement, use and maintain it.
Categorize
What would happen if Asset X was compromised? What about from there? That will guide your priorities. And remember, when categorizing your assets and their respective values, simple is best.
Select
It’s the survival of the most important. Once you’ve categorized it into "my business couldn’t live without this" and on downward from there, you establish your protection surface. Draw a line around those key assets and secure them first. Pick your top ten to work on, then start on your top three. Yes -- only the top three.
Implement
This is the ops stage. Look around now and determine what you have in terms of resources, and what you still need. Find a handful of great partners and services then build out your strategy from there. Lean on your core team. Remember when you pulled them from all different parts of IT? This is where they really shine, taking ownership over their own individual specialties and making sure the Zero Trust architecture there is implemented with accuracy, completeness, and compliance. Don’t reinvent the wheel between departments; try to stick with consistent policies across the board.
Assess
Now it’s time for the stress test. How well does your Zero Trust strategy survive contact with the real world? Cybersecurity is fluid and dynamic and it must be able to adapt. So how do you assess Zero Trust performance? Think of it as a parallel path in which you continuously check the performance of your systems, their components, and the processes used to manage those components.
Authorize
This is the "go or no-go" stage when you move your first Zero Trust solutions into production. Everyone from senior leadership down comes together to identify any potential impediments. You want NO surprises at this point.
Monitor
All that’s left to do is refine, improve, and make sure it doesn’t break going forward. Remember, re-use and re-purpose existing policies when possible, and include all stakeholders when considering strategy pivots. This is also the time to examine external threat intelligence and the role it will play in your established Zero Trust structure.
How to make Zero Trust sticky
It’s all about compound gains. A little goes a long way, and while security architects might be tempted to prove their worth by launching the first-ever fully loaded bells-and-whistles Zero Trust infrastructure -- the weight of change would cause the venture to implode in on itself. Instead, slow, and steady improvements win the race. To summarize how to look at your Zero Trust strategy is to quote famed coach and leadership legend John Wooden:
"When you improve a little each day, eventually big things occur... Not tomorrow, not the next day, but eventually a big gain is made. Don’t look for the big, quick improvement. Seek the small improvement one day at a time. That’s the only way it happens -- and when it happens, it lasts."
Image credit: Olivier26/depositphotos.com
John Grancarich is Executive Vice President, Strategy at HelpSystems. He works with cybersecurity and automation customers to develop a full understanding of their needs in light of today’s complex market dynamics and anticipate future trends and technologies. John’s leadership enables the HelpSystems team to conceptualize, develop and implement market leading strategies and deliver continuous value to our customers.