Zero trust networking: Defining the right strategy for success
In today’s dynamic, rapidly evolving cybersecurity landscape, traditional network security technologies are incapable of adequately safeguarding against sophisticated modern cyber threats. As businesses embrace digital transformation — often driven by hybrid cloud, SaaS and an agile workforce — a new security paradigm has emerged. Zero Trust Networking (ZTN) is a new approach that does away with the implicit trust granted within an organization’s boundaries. Built on a philosophy of “never trust, always verify,” ZTN assumes that threats come from everywhere, even inside the organization.
ZTN is the target operating model of most organizations looking to improve their security posture while simultaneously enabling modern infrastructure technologies and improving the user experience.
Traditional security models rely on perimeters like firewalls to define what entities are trusted or untrusted — the so-called “castle and moat” approach.
In contrast, the foundation of ZTN is identity and verification. It relies on continuously identifying and verifying all entities (users, devices, applications, things) accessing the network. Zero trust requires deep network-level visibility, robust authentication mechanisms and continuous authorization technologies to ensure only truly trusted entities have access to your corporate assets. Before access to any resource is granted, trust must be established and then continuously validated.
Implementing ZTN is a challenge because it is both a mindset and a methodology — and businesses can struggle to adopt both aspects.
Which zero trust strategy is right for you?
When considering implementing a zero-trust network architecture (ZTNA), technology leaders must carefully evaluate their organization's specific needs, risk profile and operational requirements before deciding on an implementation approach. As with many technology transformations, the different approaches fall within a spectrum — from a systematic, end-to-end approach, to a programmatic, “quick start” approach.
Below, we will look at both ends of this spectrum and consider the strengths of each, as well as what sort of middle ground exists between them.
The systematic, end-to-end approach to zero trust
This zero-trust networking approach takes a strategy-first mindset and requires an up-front investment in a detailed due diligence exercise. Your infrastructure must be clearly mapped, and you need to define a persona for every application, device type, user profile or work style within the organization. This approach often aligns well with enterprises that are already planning to undertake a significant digital transformation and are looking to include Zero Trust Network Access as a component of that wider initiative.
Not every app or device requires the same level of protection, so this approach requires meticulously assigning a risk level for each persona and implementing the appropriate security controls. It’s particularly important to focus on the most problematic entities in the IT landscape and ensure they are accounted for.
The biggest benefit of the systematic approach to zero trust is that your security posture is tightly aligned with your unique business and operational needs, and the required infrastructure transformation is clearly defined. Other benefits include:
- Clear risk picture: Detailed planning and risk assessment are integral to this approach, which reduces the likelihood of oversights and unforeseen vulnerabilities.
- Detailed documentation: The extensive due diligence generates a large amount of documentation that can be used for training and implementation.
- Regulatory compliance: This approach is well suited for organizations with complex regulatory requirements, because adherence to standards can be built in.
- Long-term stability: Because the target infrastructure is so clearly defined, organizations that choose this route can simply execute against the plan, confident that their critical assets and infrastructure will stay secure.
The obvious drawbacks are the significant length and expense of the due diligence process.
The quick start zero trust approach
Rather than relying on an exhaustive cataloging and profiling of every type of user, app and device within the enterprise, this programmatic approach instead relies on defining and implementing a basic set of zero-trust principles. Like the systematic approach, it requires you to define profiles for users, devices and infrastructure, but the analysis will be far less granular. This approach is preferred by organizations looking to take a more gradual approach towards Zero Trust Network Access, implementing it as part of a phased transformation initiative.
The entities are classified into more generalized groups with similar characteristics, enabling you to move quickly to implementation. From then on, every time you undertake an infrastructure transformation project or update an element of your IT policy, you build it according to the zero-trust principles defined at the outset.
It’s an iterative process rather than a wholesale implementation, and your enterprise gets closer to true zero-trust networking with each successive improvement.
It’s important to keep in mind that there are always outliers or special exceptions that must be accounted for. Accordingly, the programmatic approach allows you to begin immediately and at lower cost, but it requires more flexibility in the long run to properly secure any non-conforming entities.
Aside from a big advantage in terms of implementation speed, the major benefits include:
- Cost efficiency: A systematic zero trust assessment takes months and carries a cost of its own. By simplifying the process, enterprises can start faster and at much lower cost.
- Early value realization: This agile implementation approach helps the organization start realizing the benefits of zero-trust security measures faster, potentially mitigating the follow-on costs of handling policy exceptions.
Other approaches
As with any technology project, implementing ZTNA is not a black-and-white decision. There are hybrid approaches available that combine aspects of the two extremes we have outlined above.
One such methodology would be to identify your most sensitive or mission-critical systems and apply the systematic approach to thoroughly document all users, devices, interfaces and applications that touch them. You can then apply a fast, agile approach to less critical systems, enabling you to find the right balance of precision and speed.
You can also approach your zero-trust implementation in phases, gradually rolling it out across different segments of the enterprise.
Ultimately, the decision on the implementation approach must be based on a thorough understanding of your organization's risk tolerance, regulatory environment, resource availability, and the need for immediate versus long-term security improvements. The technology leadership team should consider the trade-offs between precision and speed, while also exploring hybrid or phased approaches to find the most suitable balance for your enterprise's unique security needs.
Posted on: March 26, 2024