Zero Trust is Not Hard...If You’re Pragmatic

A few weeks ago, Dark Reading’s Rob Lemos discussed reasons why, despite acknowledging the obvious security benefits, organizations and their security practitioners are hesitant to implement a Zero Trust model. The overarching concerns are that ‘brownfield’ environments have too much technical debt that needs to be overcome in order to achieve Zero Trust status, and thus it can only be applied to net new environments (what we often call ‘greenfield’, typically as part of some cloud migration). Further, organisations assume that benefits can only be realied once everything has been “Zero-Trust-ified” (if indeed such a state exists) — that there is no in-between state on the road to Zero Trust that is both beneficial and achievable. 

These are myths that need busting.

Forrester’s Zero Trust Framework extends across seven pillars that, when combined, provide a comprehensive strategy for securing the enterprise

For an organization to consider itself to have achieved a complete Zero Trust posture it must:

1. Implement least privilege across all of its workloads, networks, people, devices and data. 
2. Ensure that these controls are fully driven and maintained through automation.
3. Leverage visibility not as a by-product, but as an enabler for #1 and #2. Monitor continuously, feeding back into the automation to ensure the integrity of the Zero Trust state was maintained. 

That’s seems like quite a task – no wonder some companies may choose to defer putting it into practice. And that’s before they even start sifting through technology offerings that claim to offer complete ‘Zero Trust-ification’ in a single product – they are like the many questionable home-made COVID-19 remedies doing the rounds on social media currently. 

But what if, instead of taking the waterfall approach to delivering Zero Trust security in our environments, we took a more incremental, agile approach? Could we realise benefits while still on this (never-ending?) journey? And could we integrate further capabilities as we progress?

The answer, unsurprisingly, is a resounding ‘Yes’ to all of the above. So how do we go about it? 

Here’s my recommendation. This approach (somewhat simplified) allows for an organization to take small, realistic steps towards achieving a Zero Trust posture. 

1. Identify what to protect: Identify the data, application, or business process that you are focused on protecting in this phase. 
2. Determine which Zero Trust pillar to focus on: Determine which of the Zero Trust pillars you are going to build controls for. Illumio is a segmentation company – we help organizations primarily focus on visibility, workloads, and networks. 
3. Specify the exact control: Now, specify the exact control you are trying to achieve in this phase. Let’s assume you want to segment the workloads that run your critical business process from the rest of the network. So, the Zero Trust outcome you are trying to achieve is least privilege access over the network to workloads running this critical process. 
4. Prescribe what data is needed: You now need the data and visibility (in Illumio’s case, we provide a map) to build the specific policy that will achieve the outcome – this consists of relevant metadata to identify workloads and their associated dependencies, plus traffic data that will determine the nature of those dependencies.
5. Design the policy: Armed with these data points, you can build a Zero Trust segmentation policy for this particular business process and validate it. Test before implementing – you'll get zero thanks otherwise. 
6. Validate, implement and monitor: Once the policy is in place, the available traffic and tamper monitoring allows us to continually monitor the posture of your environment and react to any changes, either manually or through automation. 
7. Rinse and repeat steps 1 to 6. 
    

Each step builds on what has already been done, continuously improving the overall security state, and even allows for brownfield environments to adopt and benefit from Zero Trust. 

Achieving Zero Trust all in one go for your entire environment is hard. That said, building a ZT MVP and iterating to achieve a comprehensive posture for your organization is achievable, and we're here to help.

To learn more, visit our page on how to operationalize your Zero Trust strategy with micro-segmentation.