Trust Comes First in a Zero Trust World

Zero Trust flips traditional enterprise perimeter security. An organization should start the journey by setting clear objectives and direction before heading too far down the path of implementation.

AT A GLANCE

  • Create a clear organizational definition of what “trust” means
  • Answer the key questions: Who is the Identity Provider? What are the device and client applications trusted to issue requests? Where is the network owner allowed to grant access?
  • Composing required trust by flipping from a criteria-first policy to a criteria-last one allows the criteria used to match and validate access requests to evolve over time

Those familiar with the concept of Zero Trust know that it flips traditional enterprise perimeter security on its head. Given that security touches all corners of the enterprise, including physical and digital elements, it is no surprise that moving an organization towards a Zero Trust architecture is a challenging endeavor. Therefore, it is critical to start the Zero Trust journey by setting clear objectives and direction before heading too far down the path of implementation.

A definition-first approach to Zero Trust

Ironically, the key to establishing a Zero Trust environment is clearly defining what “trust” means to the organization. Here are some questions to consider as you develop your definition:

  • Who are the trusted parties?
  • What roles are those parties trusted to play in securing the enterprise?
  • What assets are being protected?
  • What are the protection objectives for those assets?

One cross-cutting challenge organizations will face with Zero Trust is authenticating access requests to enterprise assets. Enterprise security teams must ensure coverage of all access scenarios, given key aspects of an incoming request, such as Identity, Device, Network, and Target Asset. A popular concept for addressing this concern is “Conditional Access,” which is the dynamic decision of whether to grant access to an enterprise asset.

When tackling enterprise authentication scenarios, it is easy for an organization to fall into the trap of allowing implementation to drive design. It is important to keep existing security tools from taking the lead in defining the organizational trust strategy. Instead, organizations should consider leading with a definition-first approach, where leaders define trusted access scenarios across aspects of Identity, Device, and Network:

Identity (the “who”)

  • Is the Identity Provider trusted to verify and authenticate the Identity?
  • Is the Identity Manager trusted to maintain and verify the health of the Identity?
  • Is the Identity human or non-human?

Device (the “what”)

  • Are the Device and Client Application trusted to issue requests?
  • Is the Device Manager trusted to maintain and verify Device health?

Network (the “where”)

  • Are the Network Owner and Network Address (IP) trusted to send traffic?

A strategy-driven approach to Zero Trust

One sign that implementation is driving design is when authentication rules are tightly coupled to existing use cases and do not speak clearly to a broader enterprise security posture. The missed opportunity is to establish a clear, structured definition of trust that outlines the enterprise security posture and illuminates the key security decisions. In the short and long term, a strategy-driven approach to Zero Trust will create confidence in an organization’s ability to be flexible to rapidly changing security requirements. Try explaining planned enterprise security policies to a non-technical executive. If that is challenging, confusing to them, or requires many words to communicate, the enterprise security posture may be too focused on the short term.

Taking the first step in a Zero Trust world

Tactically addressing existing security use cases is important, and it is a good incremental step that can be taken to start securing the enterprise now. But there is a better way to think about access control to enable long-term success for the enterprise.

Quality access control is best initiated by composing required trust – which is the minimum level of trust that an organization requires to grant access to enterprise assets. To compose the required trust, the solution thinking must flip from criteria-first policies to criteria-last. The specific criteria for matching and validating access request scenarios will evolve over time as the enterprise Zero Trust security posture matures. Therefore, it is more important to first define the trust structure, to which specific matching criteria and validation tools can then be assigned.
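A minimal sketch of the criteria-last idea, added here as an illustration and not taken from the article or any product: required trust is declared per asset in terms of the Identity, Device, and Network elements, and the matching criteria are bound separately. All asset names, element names, and sample values are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Trust structure: one element per question the article asks (names are hypothetical).
IDP, ID_HEALTH = "identity.provider", "identity.health"
CLIENT, DEV_HEALTH = "device.client", "device.health"
NET_SOURCE = "network.source"

# Required trust per asset, defined first and free of any matching criteria.
REQUIRED_TRUST = {
    "payroll-db": frozenset({IDP, ID_HEALTH, CLIENT, DEV_HEALTH, NET_SOURCE}),
    "wiki": frozenset({IDP, CLIENT}),
}

def from_trusted_network(request, networks=("10.0.0.0/8",)):
    """True only if the source IP parses and falls inside a trusted range."""
    try:
        source = ip_address(request.get("ip", ""))
    except ValueError:
        return False
    return any(source in ip_network(n) for n in networks)

# Criteria assigned last; constructed sample values, replaceable as tooling matures.
CRITERIA = {
    IDP: lambda r: r.get("idp") == "corp-idp",
    ID_HEALTH: lambda r: r.get("mfa") is True,
    CLIENT: lambda r: r.get("client_app") in {"browser", "vpn-client"},
    DEV_HEALTH: lambda r: r.get("device_compliant") is True,
    NET_SOURCE: from_trusted_network,
}

def decide(asset, request, criteria=CRITERIA):
    """Return (granted, unmet_elements); unknown assets and unassigned criteria deny."""
    required = REQUIRED_TRUST.get(asset)
    if required is None:
        return False, ["unknown-asset"]
    unmet = [e for e in sorted(required)
             if e not in criteria or not criteria[e](request)]
    return not unmet, unmet

# Constructed sample requests.
MANAGED = {"idp": "corp-idp", "mfa": True, "client_app": "vpn-client",
           "device_compliant": True, "ip": "10.20.30.40"}
UNMANAGED = {"idp": "corp-idp", "client_app": "browser", "ip": "203.0.113.7"}

if __name__ == "__main__":
    for asset in ("wiki", "payroll-db"):
        print(asset, decide(asset, MANAGED), decide(asset, UNMANAGED))
```

Swapping an entry in `CRITERIA` changes how an element is validated without touching `REQUIRED_TRUST`, and a required element with no criterion assigned denies access instead of being skipped.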

Consider beginning (or renewing) the enterprise Zero Trust journey by first setting clear objectives and direction through the lens of what “trust” means to your enterprise. Seek to compose required trust in a structure that will be flexible to rapidly changing security criteria and advancements in implementation tools. And, in doing so, establish an enforceable enterprise security posture that better stands the test of time.

New to Zero Trust? Check out the following resources for more information:

Flip the narrative on Zero Trust from fear-based to value-oriented

By Josh Jones
Principal
Mr. Josh Jones has a breadth and depth of experience in the implementation of custom IT solutions across a wide range of industries. Josh’s work experience includes clients from many retail energy providers, oil & gas, construction, and healthcare.
