Zero Trust is a security model built on a simple rule: trust nothing by default and verify every access request. It is gaining ground for a few key reasons. First, the number of digital tools and devices keeps growing. Second, much of the workforce is no longer tethered to the office; people work remotely some or all of the time.
That renders the old perimeter model of cybersecurity obsolete. In that model, the network edge is secured with tools like firewalls, and everything inside the network is treated as safe and trusted.
With users, devices and applications spread across homes, clouds and SaaS providers, there is no traditional perimeter left to secure. An organization that still relies on this model is wide open: once an attacker gets a foothold inside, nothing in the model stands in the way.
With Zero Trust, on the other hand, nothing inside or outside the network is trusted until it passes layered verification. Zero Trust supports digital transformation through strong authentication, network segmentation, and prevention of lateral movement. It also enforces least-privilege access policies, so no one has access to anything beyond what they need to do their job.
If an organization wants to learn where it stands versus where it needs to be, it can use a Zero Trust assessment tool. Such a tool helps establish where you are on the roadmap, and you may be farther along than you initially think.
Assessing Where You Are
As mentioned, an assessment tool outlines where you are versus where you need to be in implementing Zero Trust principles.
An assessment usually starts with identity management and security. You review the directory you currently use, whether an on-premises directory, a cloud directory, or an HR system that acts as the source of truth for identities. You also note where your security controls have been concentrated so far, for example on the perimeter and network only, or on the places where identities are managed.
Next comes device management and security. You might be asked how actively you manage devices, and whether you manage only corporate devices or employee-owned devices as well.
The third area of focus is access management and security. Do you already apply the principle of least privilege, limiting access rights to only what employees and users need to do their jobs? How often do you review admin and user privileges?
How are privileges granted, and do you have single sign-on in place to any extent? Are you using segmentation to prevent lateral movement? Are you enforcing conditional access policies?
Once you know where you are on the Zero Trust journey, you can start to build a strategy. The journey is commonly described in four stages. The first, known as stage 0, is fragmented identity: user accounts and permissions live in several unconnected places.
Finding yourself at stage 0 doesn't mean you aren't already taking security seriously. It does mean you need to do more than secure your resources in the digital environment as it exists today.
Many companies are at this stage because they still rely on an on-premises Microsoft Active Directory for permissions and access management, while cloud and SaaS applications keep their own separate user lists.
Unified Identity and Access Management
Stage 1 is when you need a unified identity and access management (IAM) solution. Your IAM solution should centralize where identities and access rights are stored. This gives your IT team far more visibility into what's happening and is the foundation of your overall Zero Trust strategy.
At this stage, you unify the creation and storage of users, and you decide how access levels and roles will be provisioned.
With users in a central directory, you limit the opportunities available to an attacker: there are fewer forgotten accounts and stale credentials scattered across systems. On top of that directory you can then implement SSO and multi-factor authentication for your internal and external identities.
Stage 2 is when you start developing and implementing conditional access policies and automated provisioning and de-provisioning. Contextual access policies are a close relative of conditional access. Both go beyond simply granting resources to any user who is logged into the network.
Instead, the policies are written to spot unusual behavior or outliers in how users try to access resources: a new device, an unfamiliar location, a login at an odd hour. When something is inconsistent with what is expected, the user must re-authenticate (for example with a second factor) before access is granted.
Stage 2 is also when you automate provisioning and de-provisioning of access through your IAM solution. This brings efficiency, since new users get the resources they need right away, and it ensures access is revoked immediately when someone leaves.
How you drive this automation depends on your organization. Some do it based on the type of device, department, or role. The principle of least privilege applies here too, and at this point it should be integrated across the entire organization.
You've reached a milestone when you're beyond manual access management.
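Here is an added example (not code from the article or from any IAM product) of what the provisioning logic at this stage looks like: a reconciliation that treats the HR system as the source of truth, maps each role to a minimal set of groups, and produces the grants and revocations needed to bring the directory in line, covering joiners, movers, leavers and orphaned accounts. The role-to-group mapping, the HR records, the directory accounts and the function names are constructed assumptions for illustration.

```python
"""Joiner / mover / leaver reconciliation driven by the HR system of record.

Added example, not code from the article or from any IAM product. The role
mapping, the HR records and the directory accounts below are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical role -> group mapping. Each role gets only the groups it needs.
ROLE_GROUPS = {
    "engineer": {"vpn-users", "git-readwrite"},
    "engineering-manager": {"vpn-users", "git-readwrite", "jira-admins"},
    "finance": {"vpn-users", "erp-users"},
}


@dataclass
class HRRecord:
    user: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class DirectoryAccount:
    user: str
    enabled: bool = True
    groups: set = field(default_factory=set)


def reconcile(hr_records, directory):
    """Diff HR (source of truth) against the directory; return the actions to apply.

    Joiners get an account with exactly their role's groups, movers lose groups
    their new role does not include, leavers and orphans are disabled and
    stripped of all groups. An unmapped role grants nothing (fail closed).
    """
    plan = {"create": [], "enable": [], "disable": [], "add": [], "remove": [], "review": []}
    accounts = {a.user: a for a in directory}
    active = {r.user: r for r in hr_records if r.status == "active"}

    for user, rec in sorted(active.items()):
        if rec.role not in ROLE_GROUPS:
            plan["review"].append(user)  # unknown role: human decision, no automatic grant
            continue
        desired = ROLE_GROUPS[rec.role]
        acct = accounts.get(user)
        if acct is None:
            plan["create"].append((user, sorted(desired)))  # joiner
            continue
        if not acct.enabled:
            plan["enable"].append(user)  # rehire or reactivation
        plan["add"].extend((user, g) for g in sorted(desired - acct.groups))
        plan["remove"].extend((user, g) for g in sorted(acct.groups - desired))  # mover

    for user, acct in sorted(accounts.items()):
        if user in active:
            continue
        if acct.enabled:
            plan["disable"].append(user)  # leaver, or orphan with no HR record at all
        plan["remove"].extend((user, g) for g in sorted(acct.groups))
    return plan


# Constructed sample data (not real records).
SAMPLE_HR = [
    HRRecord("alice", "engineer", "active"),
    HRRecord("bob", "engineering-manager", "active"),  # promoted: mover
    HRRecord("carol", "finance", "terminated"),        # leaver
    HRRecord("dave", "engineer", "active"),            # new hire, no account yet
    HRRecord("erin", "contractor", "active"),          # role not in the mapping
]
SAMPLE_DIRECTORY = [
    DirectoryAccount("alice", True, {"vpn-users", "git-readwrite"}),
    DirectoryAccount("bob", True, {"vpn-users", "git-readwrite"}),
    DirectoryAccount("carol", True, {"vpn-users", "erp-users"}),
    DirectoryAccount("erin", True, {"vpn-users"}),
    DirectoryAccount("frank", True, {"git-readwrite"}),  # orphan: no HR record
]


def sample_plan():
    """Reconcile the constructed sample; the result is the plan an IAM job would execute."""
    return reconcile(SAMPLE_HR, SAMPLE_DIRECTORY)
```

Running `sample_plan()` yields a plan that creates dave with exactly the engineer groups, adds only `jira-admins` to bob, disables carol and frank and strips their groups, and leaves erin for review because an unmapped role must never translate into an automatic grant.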
Finally, stage 3, which is ongoing rather than one and done. You need a strong foundation to reach stage 3, and an infrastructure that can keep up with the inevitable evolution of technology and processes.
Stage 3 means adaptive authentication and risk-based access policies.
Risk-based authentication looks at each access event and labels it with a risk level. You can then block access entirely for high-risk events, and for lower-risk events require re-authentication before access is granted.
You keep monitoring behavior, and each verified sign-in adds to the context used to judge future access attempts.
When well implemented, this continuous verification creates a barrier for attackers without adding friction for legitimate users.
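The following is an added example, not code from the article or from any identity provider, of how the stage 2 conditional access rules and the stage 3 risk-based decisions described above fit together: deterministic rules fire first, a risk score built from context is layered on top, the more restrictive outcome wins, and each verified sign-in feeds back into the user's known context so the same device does not trigger a step-up twice. The rules, risk weights, thresholds, user contexts and sign-in events are all constructed assumptions.

```python
"""Conditional access rules plus risk-based adaptive authentication.

Added example, not code from the article or from any identity provider. The
rules, weights, thresholds, user contexts and sign-in events are constructed.
"""
from dataclasses import dataclass, field

STEP_UP_AT = 30  # hypothetical risk thresholds
BLOCK_AT = 70
SEVERITY = {"allow": 0, "step_up": 1, "block": 2}

@dataclass
class UserContext:
    """What earlier verified sign-ins have taught us about this user."""
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    is_admin: bool = False

@dataclass
class SignIn:
    user: str
    device_id: str
    device_managed: bool
    country: str
    resource: str  # e.g. "mail" or "admin-console"
    failed_logins_1h: int = 0
    hour_utc: int = 12

def conditional_rules(s, ctx):
    """Stage 2: deterministic rules. Returns (decision, reason) or None."""
    if s.resource == "admin-console" and not s.device_managed:
        return "block", "admin console requires a managed device"
    if ctx.is_admin and not s.device_managed:
        return "step_up", "admin account on an unmanaged device"
    return None

def risk_score(s, ctx):
    """Stage 3: label the event with a risk score built from context."""
    score, reasons = 0, []
    if s.device_id not in ctx.known_devices:
        score += 30
        reasons.append("unknown device")
    if s.country not in ctx.known_countries:
        score += 30
        reasons.append("unfamiliar country")
    if s.failed_logins_1h >= 5:
        score += 40
        reasons.append("many recent failed logins")
    if s.hour_utc < 6 or s.hour_utc > 22:
        score += 10
        reasons.append("off-hours")
    return score, reasons

def evaluate(s, ctx):
    """Combine rules and risk; the more restrictive outcome wins."""
    decision, reasons = "allow", []
    rule = conditional_rules(s, ctx)
    if rule:
        decision, why = rule
        reasons.append(why)
    score, risk_reasons = risk_score(s, ctx)
    by_risk = "block" if score >= BLOCK_AT else "step_up" if score >= STEP_UP_AT else "allow"
    if SEVERITY[by_risk] > SEVERITY[decision]:
        decision = by_risk
    reasons.append(f"risk score {score}")
    reasons.extend(risk_reasons)
    return decision, reasons

def record_success(s, ctx):
    """After a sign-in (including any step-up) succeeds, fold it into the context."""
    ctx.known_devices.add(s.device_id)
    ctx.known_countries.add(s.country)

def demo():
    """Run constructed sign-ins through the policy; returns the decisions in order."""
    alice = UserContext(known_countries={"US"}, known_devices={"laptop-1"})
    bob = UserContext(known_countries={"US"}, known_devices={"laptop-2"}, is_admin=True)
    out = []
    routine = SignIn("alice", "laptop-1", True, "US", "mail")
    out.append(evaluate(routine, alice)[0])      # allow: nothing unusual
    new_phone = SignIn("alice", "phone-9", False, "US", "mail")
    out.append(evaluate(new_phone, alice)[0])    # step_up: unknown device
    record_success(new_phone, alice)             # she passed MFA; phone-9 is now known
    out.append(evaluate(new_phone, alice)[0])    # allow on the next sign-in
    suspicious = SignIn("alice", "box-77", False, "AU", "mail", failed_logins_1h=8, hour_utc=3)
    out.append(evaluate(suspicious, alice)[0])   # block: score 110
    admin_bad = SignIn("bob", "laptop-2", False, "US", "admin-console")
    out.append(evaluate(admin_bad, bob)[0])      # block: rule fires regardless of risk
    return out
```

Calling `demo()` returns `["allow", "step_up", "allow", "block", "block"]`. The ordering matters: a hard rule such as "admin console only from a managed device" must not be softened by a low risk score, which is why the combination takes the more severe of the two outcomes rather than averaging them.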
Again, if you don't know which stage you're in, or you know you're in the very early stages of Zero Trust, take an assessment as a starting point. From there you can figure out the next steps; otherwise, introducing Zero Trust can seem overwhelming.
It doesn't have to be when broken down piece by piece in a logical order.