Just how hard is it get started with Zero Trust? If its truly a journey then when should an enterprise expect to start seeing the benefits?
What prompted me to write this post was a recent review of NIST Special Publication 800-207 “Zero Trust Architecture” authored in August of 2020. It first nicely lays out the fundamental principles of Zero Trust which I will quickly summarize here.
- Zero Trust is a model which aims to reduce the exposure of resources to attackers and minimize or prevent lateral movement within an enterprise should a host asset be compromised.
- Trust is never granted implicitly and should be continuously verified via authentication and authorization of identity and security posture upon each access request.
- There is no complete end to end Zero Trust product offering. It is instead an ecosystem of component systems that when properly integrated allow for creation of a Zero Trust Architecture.
- Implementing a Zero Trust Architecture is a journey which is all about continuing to reduce risk.
110%, could not agree more with their explanation of the tenets of a Zero Trust model
There is also a really good explanation of all the vital ecosystem components required to interact with each other in order to facilitate translation of Zero Trust principles into an implementation of a Zero Trust Architecture.
However, Section 7, “Migrating to a Zero Trust Architecture”, was a little discouraging for the reader. Reading this section makes it seem like an arduous and daunting task to move towards a Zero Trust Architecture in order to start reducing risk. After some poking around and seeing comments on various public forums I’m apparently not the only individual who had this as a take away. Is it really this hard to get started?
There is an assumption made here in Section 7 that in order to make progress on the zero trust journey an enterprise must first understand where all of the existing enterprise resources are and who needs to have access to these and that if not done prior, any attempt at initial implementation will prevent access to key resources…in other words you will break things and prevent users from getting their work done.
Fortunately since the time of NIST 800-207 was published in August 2020 there have been signficant gains in the maturity of the Zero Trust ecosystem ranging from enhanced functionality of Identity Providers, Integrations with EDR vendors for device context/posturing and even advances in automation of access policy. Thanks in a large part to the COVID-19 pandemic a lot of operational insight has also been gained into how to transition an Enterprise towards Zero Trust.
Most importantly in getting started with Zero Trust, there are commercially available traditional VPN alternative offerings that are a piece of the Zero Trust Architecture ecosystem for which step 1 in their implementation is to actually facilitate this application to end user + user device access patterns discovery. This can be done without concern of inadvertently removing any previously granted ability for a user to access a key required application resource while providing additional risk reduction benefits that are worth mentioning. I will quickly summarize some of these below.
Potential benefits of the initial phase of a Zero Trust Architecture rollout
- This one bears repeating and expanding on slightly – Immediate granular visibility into all of the applications users are requesting access to, at what time, from which device, from where and for how long which can be then fed into your SIEM. Discover exactly which private resource assets exist and where they actually physically reside. Yes, you will inevitably discover Shadow IT and realize that you have way more applications than you had originally thought 😉
- Kick the remote users off the internal private network – Once all users are off the network there is no longer a network-centric implicit trust. Determining trust for whether an individual application access request is approved is now based on a continuously assessed combination of user identity and contextual attributes. Application access, not network access, also reduces the risk of lateral propagation of malware
- Removal of a public facing inbound VPN listener which can be DDOS’d or compromised – This is a huge risk reduction given all of the reported CVE’s in 2020/2021 for RCE vulnerabilities
What’s Next?
So where does one go next after Phase 1? Phase 1+ is about assessing the discovered user to application resource workflows and then selectively removing more and more risk by locking down access via policy to key applications to only required groups and individuals. Think of these as ‘Crown Jewels’ applications and internal infrastructure components where compromise and potential data exfiltration will be the most costly.
Implement device posture profiles which further provide device context and take advantage of any potential endpoint integrations that provide additional risk assessment scoring for the device that can be used in access policy. An enterprise should also immediately start to look to restrict 3rd party access to only the resource(s) that are required. This is really all about continuing to move towards more identity and contextual least privilege access around the things that are most vulnerable in order to continue to reduce risk.
The maybe not so obvious benefits of migrating towards a Zero Trust Architecture
- Improved performance – For applications being served out of an IaaS cloud like Azure or AWS an authorized user on a postured device can now connect more directly to that private resource as opposed to be being backhauled to a centralized location and then connected out over private links to an IaaS Provider whose Data Center is most likely closer to the remote user than the centralized interconnect point. A user can connect directly to private apps in multiple different locations simulataneously
- Improved user experience – “Always on Identity and Contextual based least privilege access”. There is no longer a concept of having to be on or off-VPN, its just in time connectivity to any authorized user on an appropriately postured device to any private application anywhere without any change to the way the user would go about accessing the application.
- Zero Trust isn’t just for remote access – Since Zero Trust is focused on not implicitly trusting the user device’s network location the ability to extend zero trust policy for on-prem users who are already resident on the internal corporate network is a huge plus. To do this the vendor technology must support intelligent interception of client application resource access requests and forward those to an on-prem policy enforcement point as opposed to allowing traditional direct network level access to the requested target resource simply because network reachability exists
Hopefully the reader finds this helpful and if interested in a tailored phased plan for how to get started on your Zero Trust journey feel free to reach out to your local Zscaler Solutions Engineer or attend one our user group events where you can connect with other enterprise customers who have already embarked on their Zero Trust journey
For additional insights into operationalizing Zero Trust check out this timely podcast “Maturing zero trust via an operational mindset” featured on our CXO REvolutionaries site
Disclaimer: The views expressed here are my own and do not necessarily reflect the views of my employer Zscaler, Inc.