Introduction
Zero trust has become a dominant security model for addressing the changes brought by mobility, consumerization of IT and cloud applications. Attackers who make it past one verification point (such as a firewall or a user login) can exploit inherent trust and move laterally within a network, application or environment to reach sensitive data. An insider who starts within a trusted zone can escalate privileges. By always verifying, we can identify and stop these frequent attacks. Yet the adoption of zero trust thinking has brought a new challenge: how do we get there?

This guide lays out a practical approach in five phases for implementing Zero Trust for the Workforce, which comprises an organization's users, their devices, and how they access applications. The approach is iterative. Begin with a specific set of people, expand coverage to their applications and then expand coverage to their devices. Once we are always verifying trust within this well-defined scope, apply a set of reasonable policies to enforce trust and protect the organization. Finally, integrate this scope with the broader organization's IT and security functions and shift to continuous improvement. Following these steps, an organization can incrementally achieve a zero trust transformation.
The Zero Trust Approach
The zero trust principles share much in common with the fundamentals of access control. Like default deny, zero trust begins with no access until trust is demonstrated and established. As with least privilege, zero trust relies on just enough trust and seeks to minimize excessive trust. Zero trust builds upon these fundamentals with the following concepts:
Visibility informs policy. Provide as much intelligence and insight as possible to the people administering the technology, in order to produce informed policies.
Trust is neither binary nor permanent. Continually reassess the posture of users, devices and applications and adjust your trust accordingly. Be prepared to respond to events that raise the risk level by containing newly discovered threats and vulnerabilities.
Ownership is not a control. Validate and extend trust to devices, applications and networks that you don’t own or manage, from BYOD (bring your own device) and IoT (Internet of Things) devices to SaaS and public cloud.
The perimeter is any place where you make an access control decision. Choose the layers and process points that work for your environment, whether it’s at the network layer, the application layer, at the point of identity verification or during a transaction workflow.
Access decisions are based on re-establishing trust every time. Membership in a group, an application service sitting within a tier, or a device connected to a network location is not enough on its own to authorize activity.
Containment. Combine least privilege and segmentation with response capabilities to monitor for threat activity and limit its spread by default.
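The principles above describe what an access decision should weigh, but not how the checks fit together. The sketch below is an added example, not code from the original guide or from Duo, of a small policy decision function that applies them: access is denied by default; group membership is necessary but not sufficient; the user's strong factor and the device's health check both expire, so trust must be re-established rather than remembered; and a BYOD device is judged on verified posture rather than ownership, being refused only where an application's policy insists on a managed device. The application names, group names, freshness windows and the device attributes are hypothetical, chosen for the demo.

```python
"""Added example: a minimal zero trust policy decision point.

All identifiers, thresholds and the clock value below are constructed
for illustration; they are not from the original guide.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class UserContext:
    user_id: str
    groups: Set[str]
    mfa_verified_at: Optional[datetime]    # last time a strong factor was proven


@dataclass
class DeviceContext:
    device_id: str
    managed: bool                          # corporate-managed, or BYOD
    os_patched: bool
    disk_encrypted: bool
    posture_checked_at: Optional[datetime] # last successful device health check


@dataclass
class AppPolicy:
    name: str
    allowed_groups: Set[str]
    require_managed: bool                  # sensitive apps may insist on managed devices
    max_mfa_age: timedelta                 # how long a strong factor stays trusted
    max_posture_age: timedelta             # how long a health check stays trusted


@dataclass
class Decision:
    outcome: str          # "allow", "step_up" or "deny"
    failures: List[str]   # checks that failed; empty on allow


def _fresh(ts: Optional[datetime], max_age: timedelta, now: datetime) -> bool:
    """A missing or too-old assertion counts as no assertion at all."""
    return ts is not None and now - ts <= max_age


def decide(user: UserContext, device: DeviceContext, app: AppPolicy, now: datetime) -> Decision:
    failures: List[str] = []
    # Group membership is necessary, not sufficient: it gates nothing by itself.
    if not (user.groups & app.allowed_groups):
        failures.append("not_authorized_for_app")
    # Trust is not permanent: the strong factor must have been proven recently.
    if not _fresh(user.mfa_verified_at, app.max_mfa_age, now):
        failures.append("mfa_stale")
    # Ownership is not a control: posture is checked whoever owns the device.
    if not _fresh(device.posture_checked_at, app.max_posture_age, now):
        failures.append("posture_unknown")
    else:
        if not device.os_patched:
            failures.append("os_unpatched")
        if not device.disk_encrypted:
            failures.append("disk_unencrypted")
    if app.require_managed and not device.managed:
        failures.append("unmanaged_device")
    if not failures:
        return Decision("allow", [])
    # If the only problem is an aged factor, re-establish trust instead of refusing outright.
    if failures == ["mfa_stale"]:
        return Decision("step_up", failures)
    return Decision("deny", failures)


# Constructed clock and policies for the demo.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
HR_PORTAL = AppPolicy("hr-portal", {"staff"}, require_managed=True,
                      max_mfa_age=timedelta(hours=8), max_posture_age=timedelta(hours=1))
WIKI = AppPolicy("wiki", {"staff", "contractors"}, require_managed=False,
                 max_mfa_age=timedelta(hours=12), max_posture_age=timedelta(hours=1))


def demo() -> dict:
    """Run the decision function over a handful of constructed scenarios."""
    alice = UserContext("alice", {"staff"}, NOW - timedelta(minutes=30))
    alice_stale = UserContext("alice", {"staff"}, NOW - timedelta(hours=9))
    bob = UserContext("bob", {"contractors"}, NOW - timedelta(minutes=5))
    laptop = DeviceContext("lt-1", True, True, True, NOW - timedelta(minutes=10))
    byod = DeviceContext("ph-7", False, True, True, NOW - timedelta(minutes=10))
    unpatched = DeviceContext("lt-2", True, False, True, NOW - timedelta(minutes=10))
    return {
        "managed_ok": decide(alice, laptop, HR_PORTAL, NOW),
        "stale_mfa": decide(alice_stale, laptop, HR_PORTAL, NOW),
        "byod_high": decide(alice, byod, HR_PORTAL, NOW),
        "byod_low": decide(alice, byod, WIKI, NOW),
        "wrong_group": decide(bob, laptop, HR_PORTAL, NOW),
        "unpatched": decide(alice, unpatched, WIKI, NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:12s} -> {decision.outcome:8s} {decision.failures}")
```

Two design choices are worth noting. The freshness windows belong to the application policy, not to the user or device, so a high-sensitivity application can demand a more recent factor and health check than a wiki without any change to how identities or devices are represented. And the only path that does not end in deny is the one where every check passes or the single failing check is something the user can fix on the spot by re-authenticating; an unknown device posture is treated the same as a failed one, because a silent health agent is exactly the condition an attacker on a compromised endpoint would want.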
Introducing the Three Pillars of Zero Trust
Zero Trust for the Workforce:
People such as employees, contractors, partners and vendors accessing work applications using their personal or corporate-managed devices. This pillar ensures only the right users and secure devices can access applications.
Zero Trust for Workloads:
Applications running in the cloud, in datacenters and other virtualized environments that interact with one another. This pillar focuses on secure access when an API, a microservice or a container is accessing a database within an application.
Zero Trust for the Workplace:
This pillar focuses on secure access for any and all equipment connecting to enterprise networks, such as user endpoints, physical and virtual servers, printers, cameras, HVAC systems, kiosks, infusion pumps, industrial control systems and more.
Using this Guide to Zero Trust for the Workforce
This guide recommends an iterative approach for the journey to Zero Trust for the Workforce. Tightly scope one aspect of the organization, proceed with that scope through the five phases of the journey and then integrate that scope into the organization’s zero trust architecture. The approach means each initiative is a self-contained project within the larger transformation. To use this guide, within the scope of each initiative, use the following sections for each phase of the journey.
Description and Objectives. For each of the five phases in the journey to zero trust, an overview is provided along with the objectives we must meet to complete this phase. These objectives are scoped to the zero trust initiative, not to the overall organization. For example, establishing user trust and device trust is specific to the people and their devices within the portion of the organization we are moving to the zero trust architecture.
Transformation. The beginning of each phase should include a workshop to gain consensus and support and to identify next steps. Suggested attendees are stakeholders from the security function, the IT operations and support function and the business units within the initiative's scope. Questions are provided across the strategic, management and operational disciplines. By scoring these on a 1 through 5 scale, the team can determine the organization's maturity for the given phase.
Components and Challenges. Successful transformations involve integrating technology while managing potential pitfalls. The components section includes recommended technologies for the given phase of the Zero Trust for Workforce initiative. Under challenges, this paper provides frequently seen concerns and potential solutions.
Metrics. Metrics should be implemented for guiding action and tracking success along the transformation. In this section, metrics are suggested for risk management, security, IT support and IT operations. Each specific scoped initiative can use these metrics to progress through the phases. Once the scoped initiative is completed, the metrics can continue to be collected to measure the efficacy of the overall zero trust architecture.
Summary
This guide has laid out the journey for a zero trust transformation. One key to success is specificity. Scope the initiative around a specific activity, that is, a set of applications used by a specific set of users, completed in support of an organization’s function. Be specific in the threat scenarios that we’re avoiding by requiring people and devices to establish trust. Another key to success is iterating. Launch an initiative to transform one activity onto zero trust architecture. Learn along the way, and then repeat.
For two decades, the industry has discussed eliminating excess trust. We have debated telemetry and monitoring techniques to continuously evaluate trust. Finally, in recent years, technology has caught up with the philosophy. By following the steps in this guide, your organization can implement these ideas with off-the-shelf software at a sustainable pace. The zero trust revolution is well under way.
About Duo Security
Duo Security, now part of Cisco, is the leading multi-factor authentication (MFA) and secure access provider. Duo comprises a key pillar of Cisco Secure's Zero Trust offering, the most comprehensive approach to securing access across IT applications and environments, from any user, device, and location. Duo is a trusted partner to more than 25,000 customers globally, including Bird, Facebook, Lyft, University of Michigan, Yelp, Zillow and more. Founded in Ann Arbor, Michigan, Duo also has offices in Austin, Texas; San Francisco, California; and London.