Zero Trust is a cybersecurity strategy that recognizes trust as a vulnerability that may potentially allow malicious actors to exploit system environments. Traditionally, systems operated by granting permissions, visibility and trust to a user once they gain access. Rather than minimize trust and opportunity for breaches, Zero Trust eliminates trusted packets, systems and users altogether.
Implementing Zero Trust鈥檚 Fundamental Design Concepts
While breaches are inevitable, agencies can equip themselves with a Zero Trust framework to prevent successful cyber-attacks. Zero Trust encompasses identity, access permissions and micro segmentation, per the National Institute of Standards and Technology (NIST) architecture. All three enforcement points are required to complete the Zero Trust model. While security products are a component of Government agency鈥檚 implementation of Zero Trust, it is a strategy that requires proper planning.
To successfully implement Zero Trust, agencies must understand its fundamental design concepts.
- Focus on business outcomes: Determine key agency objectives and design strategies with those in mind.
- Design security strategies from the 鈥渋nside out鈥: Typically, networks are designed from the 鈥渙utside in,鈥 beginning with the software and moving onto data. This can introduce vulnerabilities. By designing software accessibility around data and assets that need to be protected, agencies can personalize security and minimize vulnerabilities.
- Determine who or what needs to have access: Individuals should default with the least amount of privilege, having additional access granted on a need-to-know basis.
- Inspect and log all traffic: Multiple factors should be considered to determine whether to allow traffic, not just authentication. Understanding what traffic is moving in and out of the network prevents breaches.
Fundamentally, Zero Trust is simple. Trust is a human concept, not a digital concept. Once agencies understand the basics of Zero Trust, they can decide which tactics they will use to help them deploy it across their network.
Breaking Up Breaches with Segmentation
In other security strategies, security is implemented on perimeters or endpoints. This places IT far from the data that needs monitoring. The average time between a breach and its discovery is and is usually discovered by independent third parties. With flat, unsegmented surfaces, once breachers gain access to a network, they can take advantage of the entire system. Zero Trust alleviates this by transforming a system鈥檚 attack surface into a 鈥減rotect surface.鈥 Through proper segmentation, systems make the attack surface as small as possible, then places users adjacent to the attack surface to protect it. This area then becomes a more manageable surface for agencies to monitor and protect, eliminating the time gap between breach and discovery.
Once the strategy method is chosen, agencies must decide which tactics and tools they will use to deploy Zero Trust. Here is a simple, five-step process for deploying Zero Trust.
1. Define the protect surface: It is important to start with knowing what data needs protection. A great first step is to follow the DAAS element鈥攑rotect data, assets, applications and services. Segmentation can help separate these four elements and posit each on its own protect surface, giving IT employees a manageable surface to monitor.
2. Map transaction flows: With a robust protect surface, agencies can begin tailoring their Zero Trust environment. Understanding how the entire system functions together is imperative. With visibility into transaction flow mapping, agencies can build and architecture the environment around the protect surface.
3. Architect a Zero Trust environment: Agencies should personalize their security to best fit their protect surface. That way, Zero Trust can work for the agency and its environment.
4. Create policy: It is important to ask questions when creating policy, as Zero Trust is a set of granular allowance rules. Who should be allowed access and via what application? When should access be enabled? Where is the data located on the protect surface? Why is the agency doing this? These questions help agencies map out their personalized cybersecurity strategy.
5. Monitor and maintain the protect surface: By creating an anti-fragile system, which increases its capability after exposure to shocks and violations, agencies can adapt and strengthen from stressors.
Segmentation is vital to the theory of Zero Trust. Through centralized management, agencies can utilize segmentation to their benefit, positing IT adjacent to the specialized surface they protect. Zero Trust can be a learning curve. By implementing each protect surface individually, agencies can avoid becoming overwhelming. Building from the foundation up allows agencies to control their networks. Additional technologies, such as artificial intelligence (AI) and machine learning (ML), help give defenders the advantage by enabling them to focus on protect surfaces. Through a personalized and carefully planned Zero Trust strategy, agencies can stop breaches and protect their network and data.
Illumio & Zero Trust
Zero Trust often incorporates threat-hunting solutions, to detect a problem and then try to block or remove it. But no solution will ever be 100% and it must be assumed that eventually a threat will slip through, undetected. Undetected threats will eventually move between workloads, further compromising the network. Illumio, a cloud computing security company that specializes in Zero Trust micro segmentation, can future-proof agencies against malware.
While threat-hunting tools focus on the workload, Illumio focuses on the segment, which means that Illumio enforces the Protect Surface via the vectors used by any and all threats that try to breach it. Any complex AI-generated malware which will appear in the near future will also want to move across segments, and Illumio will protect the environment today against threats which will appear tomorrow.
To learn more about Zero Trust and Segmentation, visit Illumio鈥檚 webinar,