Nowadays, all kinds of companies are expanding their horizons and pushing their boundaries beyond what can be done in a physical office space. Even before the COVID-19 pandemic and its effects on businesses across the world, mobility and flexibility have been strategic priorities. Now, our new normal has made most businesses at least partially remote.
That changing reality has immeasurable impacts on cybersecurity.
Companies’ cyberdefenses used to be focused on securing a certain “perimeter” comprising boundaries related to geographical proximity. But those perimeters are meaningless in our cloud-centric environment. Now, zero trust architecture (ZTA) is the key to shoring up your cyberdefenses.
This blog will walk through how to implement it in seven simple steps.
7 Steps to Implementing a Zero Trust Architecture
Zero trust is a revolutionary cybersecurity paradigm that shifts our focus away from perimeter defense and onto the point of access for each individual resource a company is trying to protect. Rather than creating a moat outside your castle, it’s time to safeguard each resource inside.
The philosophy behind zero trust has been theorized by cybersecurity experts since at least 1994 and incorporated into Department of Defense schemes since 2006. But its most thorough foundation for current businesses is laid out in the National Institute for Standards and Technology (NIST) Special Publication 800-207 (NIST SP 800-207).
This blog uses the guidelines set out in the publication to explain how your company can implement ZTA by following seven steps.
But first, a note on scale and how context influences implementation:
Understanding the Scope of Implementation
Not all businesses looking to implement ZTA are doing so under the same circumstances.
While ZTA is one of the best ways to secure any kind of cyber assets for most businesses, there are different needs and means to consider.
There are two main varieties of ZTA implementation:
- Pure ZTA creation – This is also known as a “greenfield” approach. New companies with no cybersecurity architecture or those seeking a full rehaul of their existing systems are effectively starting from scratch.
- Hybrid ZTA and perimeter system – This is much more common. Most companies looking to incorporate ZTA into their cyberdefenses will be integrating zero trust concepts into an existing perimeter-focused cybersecurity system.
Being that the second variety is far more common and likely, this guide will focus primarily on strategies for migration. The same principles still apply to a greenfield approach, with the caveat that the scale and scope for each step may differ significantly.
Let’s take a look at the seven steps it takes to get started with ZTA:
How to Migrate from the Perimeter to Zero Trust
Transparency is key.
When transitioning from a purely perimeter-focused system to one that’s focused instead on the zero trust philosophy, the most important thing is knowing all the key elements of your overall system. What assets and users are part of it, and what security measures do they require? Building from inadequate data will most likely cause inefficiencies in the future, like:
- Improper grant of access due to misunderstood privacy needs
- Undue denial of access due to a lack of requisite credentials
- Unreported activity leading to future vulnerabilities
These risks are why information is essential. Of the seven steps enumerated in the SP 800-27, about half of them entail identifying, or producing and analyzing data. The other half then uses that gathered information to create and ultimately deploy solutions.
To that end, implementing ZTA at your organization involves following these seven steps:
Step 1: Identifying Actors
The first step is establishing the “who” of your system.
In any cybersecurity scheme it’s essential to know exactly who the system encompasses—who your users are, who potential threats may be, etc. Identifying the actors in your organization involves a process of detailed recordkeeping and account management.
You need to compile up-to-date information on:
- All individual users and their characteristics
- All nonperson entities (NTE) and their functions
- All attributes and roles associated with every account
Importantly, although this is the first step in your implementation plan, it’s not something you finish first and then never revisit. All information gathering is an ongoing process that spans from the very beginnings of implementation throughout the life of your ZTA.
Step 2: Identifying Assets
Next, you need to establish the “what” of your system.
In order to implement a ZTA properly, you need to develop and maintain a catalog of all individual resources or assets that are part of your system. This list includes but is not limited to:
- Enterprise owned hardware.
- Computers and laptops
- Mobile devices, tablets, etc.
- All IoT devices
- Unowned assets that regularly connect to enterprise resources.
- Employee devices
- Client devices
- Third-party devices
- Digital artifacts.
- All software and applications
- User accounts and relevant data (see above)
- Certificates and other digital or virtual resources
The end goal is creating a database that indexes all assets, as well as their various configurations. One of the main criteria of access authentication is asset status. This includes not just what an asset is, but also many details regarding its cybersecurity specifications, the recency of its updates, and other characteristics liable to change over time.
Because companies may not be able to catalog all of this information, it’s important to set up a system that can efficiently scan a new asset on the fly and index it immediately. That way, your database adapts over time as assets are added, removed, or changed.
Cataloging everything that makes up your system is essential to implementation. But the “what” pertains not only to things per se; it also includes processes.
Step 3: Identifying Processes
Finally, completing the initial inventory means keeping track of all processes in your system.
The process of cataloging all processes means not only identifying them, but also categorizing and ranking them with respect to stakes and cybersecurity needs. Processes to be gauged in this manner include:
- Data flows
- Work flows
- Structured events
Any and all risks involved in the planning and execution of these tasks must be evaluated and carefully monitored. With respect to migration into a ZTA, a company may choose to begin with processes that are “lower stakes.” A process with relatively fewer vulnerabilities or connections to valuable resources is a good place to test out practices you’ll eventually use everywhere.
Rounding out the initial inventory steps enables you to move into the proactive, creative stages of implementation. The next step is the first that involves mobilizing the data you’ve collected.
Step 4: Formulating Policies
This step is where you move from identification of individual items to the establishment of rules and practices governing their relationships to each other. In this step, it’s important to utilize the information gathered over the cataloging stages to gauge the importance of a given actor, asset, or process to the overall ZTA scheme and the broader cybersecurity of the organization.
The ultimate goal of this step? Selection and planning.
This step zeroes in one one or more particular elements to isolate as “candidates” for initial ZTA transition. As noted above, a smaller or lower-stakes process or asset might be a better candidate than a larger, higher-stakes one. For example an application used by a small and defined subset of users is likely preferable for first adoption than one used by all users.
Once the right candidate is chosen, policies regarding specific cybersecurity needs and means can be drafted.
The policies define:
- Which credentials or authenticating factors are appropriate for access.
- What information is eligible for the algorithm calculating access approval.
- How the algorithm for access is to be calculated:
- Logistics of access approval and denial
- Priority and relevance of information
- Special cases and exceptions
These policies govern what your solutions are for each selected candidate. They act as a blueprint guiding what the ultimate ZTA will look like and how it will work.
The next step is actually creating the solutions.
Step 5: Producing Solutions
The fifth step is where all the data collection and policy planning gets put into action.
In this step, you draft actual solutions or deployments of ZTA architecture to be used on one or more candidates identified in the previous step. These solutions are also guided by the policies outlined in the fourth step. The solutions transform abstract policies into executable plans. In a legal analogy, the solution is a law, whereas the policy is its rationale.
The ideal outcome is to create not just one solution, but a list of viable options. Then you must determine which possible solution to implement. A few examples of criteria to consider when choosing from the list of solutions include:
- Does the solution enable data collection and analysis?
- Does it require installation of components?
- Does location impact its efficacy?
These and other criteria are not the only things to consider in the midst of the selection process. Organizations may also elect to generate simulations or pilot programs to give a specific solution a “test run” before applying it more thoroughly to real-world scenarios.
Once a solution has been chosen, all that’s left to do is materialize it through deployment.
Step 6: Beginning Deployment and Monitoring
This step introduces the big payoff from all the preparatory work in the previous five.
The sixth step entails putting your solution in place, deploying it on and through the various components that make up your ZTA architecture for the selected candidate(s). It also involves intense monitoring. This step is unique in that it is the first one where stakes are made real and actual changes are implemented to your cyberdefense framework.
There’s no looking back from here.
Or at least: there isn’t any looking back once this step is finished.
Given the stakes involved in this step, it’s common to hedge or test the waters with one or more trial runs before ultimately deploying the solution in full force. No matter how diligently the deployment is planned, there may be some initial hiccups.
- The system may be overly cautious at first, not granting access where it should.
- The system may be improperly lax, granting more access than it should.
- The system may not properly handle special cases.
This step is not finished until the deployment of ZTA components on the target candidates is in full swing and operating relatively seamlessly. Any and all initial issues should be corrected, and monitoring should be fixed on potential problems and solutions that could arise in the future.
Congratulations are in order. By the time this step is completed you will have successfully implemented ZTA in a portion of your overall cybersecurity system.
Now it’s time to expand, spreading the successful ZTA throughout the rest of your enterprise.
Step 7: Expanding the Framework
The last step is a return to the beginning—or, at least, to the fourth step.
This step begins when you have decided that the initial ZTA deployment on target candidates is functional and stable. In practice that means that the ZTA deployed on the previous step is not only operational, but also that:
- You are monitoring the ZTA and logging all traffic.
- Changes and adjustments are few and minor.
- Operation involves little to no maintenance.
At this point, you can rest assured that your planning apparatus was successful. But that doesn’t mean your work is done; it means that you now have more work to do; identifying a new round of candidates for ZTA deployment, then designing the plan.
Insights from your first run through steps five and six will guide your decisions as you return to step four. For example: any inefficiencies that arose during initial implementation of your deployment for the first round of candidates can help determine which candidates to prioritize next, as well as what kinds of solutions are likely to work best.
Moving forward, the cycle of steps four through seven will continue until your entire cybersecurity framework and enterprise are enveloped in your ZTA.
Cybersecurity Solutions for Your Business
RSI Security is your first and best option for implementing a ZTA.
Our qualified experts have over a decade of experience providing NIST advisory services to businesses of all sizes. Whether you’re looking to migrate to a ZTA, ensure compliance with various regulatory bodies, or generally optimize your cyberdefenses, we’ve got you covered.
Contact RSI Security today to plan and execute the perfect cybersecurity plan for you!