
ZERO TRUST

Vivek Jindaniya

Zero trust, a term first used in the 1990s and popularised by Forrester around 2010, is increasingly a mainstay of current security strategies, displacing the traditional “castle and moat” network security model in which anyone outside the network was denied access to data while everyone inside could reach it. Zero trust is a cybersecurity architectural philosophy, not an appliance, product or licence. The foundation for a zero trust architecture usually consists of capabilities and services the organization already has.

It is a holistic cybersecurity posture whose foundational tenet is that users are not implicitly trusted just because they are inside the organization or on its network. Instead, trust is explicit and granted adaptively, based on user, device, resource and data attributes together with behavioural analytics. Zero trust also focuses on data protection and restricts unauthorized lateral movement in order to limit data exfiltration.

Key components

  • Trust is never granted implicitly.

  • The default is to deny access; where access is granted, it follows the least privilege model.

  • The aim is to protect data and resources and to restrict unauthorized lateral movement, which may require additional perimeters or layers around individual resources and their associated (collections of) data.

  • Access control decisions go beyond the identity of the user and incorporate multiple factors assessed in real time.

  • Access control policies are tailored, “fit for purpose”, to the mission criticality of the resources and the sensitivity of the data.
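The decision model these components describe can be made concrete. The following is an added illustration, not code from the original post, of a policy decision function that denies by default, grants only explicitly listed actions (least privilege), and weighs device posture, a behavioural risk score and session age on every request rather than once at network entry. The sensitivity tiers, thresholds, attribute names and the sample payroll and wiki policy are all assumptions chosen for the example.

```python
"""Attribute- and risk-based access decision illustrating the zero trust
tenets above: default deny, explicit per-request trust, least privilege,
and decisions that weigh user, device, resource and context.

Added illustration, not from the original post. Attribute names, tiers,
thresholds and the sample policy are assumptions made for the example.
"""
from dataclasses import dataclass, field

# Sensitivity tiers in increasing order; the index is used for comparisons.
TIERS = ("public", "internal", "confidential", "restricted")

# Maximum age of an authenticated session (minutes) before re-authentication
# is demanded, per tier. Assumed values.
MAX_SESSION_AGE = {"public": 24 * 60, "internal": 8 * 60,
                   "confidential": 60, "restricted": 15}


@dataclass
class Subject:
    user: str
    groups: frozenset
    mfa_verified: bool
    risk_score: int          # 0-100, e.g. from behavioural analytics


@dataclass
class Device:
    managed: bool            # enrolled in the organization's device management
    compliant: bool          # patched, disk encrypted, EDR healthy


@dataclass
class Resource:
    name: str
    sensitivity: str
    # Least privilege: each group is granted only the actions listed here.
    grants: dict = field(default_factory=dict)


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: Resource
    action: str
    session_age_min: int


@dataclass
class Decision:
    effect: str              # "allow", "deny" or "step_up"
    reasons: list


def decide(req: Request) -> Decision:
    """Evaluate one request. Every path that does not explicitly allow denies."""
    reasons = []
    res, subj, dev = req.resource, req.subject, req.device
    tier = TIERS.index(res.sensitivity)

    # 1. Explicit, least-privilege grant: the action must be granted to one of
    #    the subject's groups for this specific resource. No grant -> deny.
    if not any(req.action in res.grants.get(g, ()) for g in subj.groups):
        return Decision("deny", [f"no grant for {req.action} on {res.name}"])

    # 2. Behavioural risk: a high score denies outright, regardless of grant.
    if subj.risk_score >= 70:
        return Decision("deny", [f"risk score {subj.risk_score} >= 70"])

    # 3. Device posture: confidential and above needs a managed, compliant device.
    if tier >= TIERS.index("confidential") and not (dev.managed and dev.compliant):
        return Decision("deny", ["unmanaged or non-compliant device for "
                                 f"{res.sensitivity} data"])

    # 4. Conditions cured by re-authentication: stale session, missing MFA on
    #    sensitive data, or elevated (but not blocking) risk.
    if req.session_age_min > MAX_SESSION_AGE[res.sensitivity]:
        reasons.append("session older than allowed for this tier")
    if tier >= TIERS.index("confidential") and not subj.mfa_verified:
        reasons.append("MFA required for this tier")
    if subj.risk_score >= 40 and tier >= TIERS.index("internal"):
        reasons.append(f"elevated risk score {subj.risk_score}")
    if reasons:
        return Decision("step_up", reasons)

    return Decision("allow", ["all policy checks passed"])


# Constructed sample policy (not real systems).
PAYROLL = Resource("payroll-db", "restricted",
                   grants={"hr": {"read"}, "hr-admins": {"read", "write"}})
WIKI = Resource("team-wiki", "internal", grants={"staff": {"read", "write"}})


def demo():
    """Return the effect decided for a few constructed scenarios."""
    good_dev = Device(managed=True, compliant=True)
    byod = Device(managed=False, compliant=False)
    alice = Subject("alice", frozenset({"staff", "hr"}), True, 10)
    return {
        "hr reads payroll from managed device": decide(
            Request(alice, good_dev, PAYROLL, "read", 5)).effect,
        "hr writes payroll (not granted)": decide(
            Request(alice, good_dev, PAYROLL, "write", 5)).effect,
        "hr reads payroll from BYOD": decide(
            Request(alice, byod, PAYROLL, "read", 5)).effect,
        "hr reads payroll with stale session": decide(
            Request(alice, good_dev, PAYROLL, "read", 30)).effect,
        "staff edits wiki from BYOD": decide(
            Request(alice, byod, WIKI, "write", 60)).effect,
    }


if __name__ == "__main__":
    for scenario, effect in demo().items():
        print(f"{effect:8} {scenario}")
```

Notice that network location is not among the inputs at all: a request from a desk in head office on an unmanaged laptop fails the same device check as one from a coffee shop. A step_up result sends the user back through authentication instead of silently extending an old session, which is what "session-based" and "real-time" mean in practice.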

Legacy Security vs Zero Trust Principles

Legacy: Trust is assumed.
Zero trust: Trust / authorization is explicit.

Legacy: Defence focuses on the network perimeter.
Zero trust: Defence focuses on data and on defined perimeters around it.

Legacy: Security posture is architected from the outside in.
Zero trust: Architecture is designed from the inside out.

Legacy: Access decisions are static and binary.
Zero trust: Access decisions are real-time, multifactorial, contextual, session-based, attribute-based and risk-based.

Legacy: Default is to protect “everything”.
Zero trust: Focus is on protecting critical data, assets, applications and services.

Legacy: Network perimeter and device patching are primary.
Zero trust: Data is the primary cornerstone.

Legacy: Basic identity and access management (IAM).
Zero trust: Advanced IAM, including privileged access management.

Legacy: Tends to be manual and reactive.
Zero trust: Promotes automation and proactivity.

Roadmap for zero trust

Some benefits of zero trust may be realized along the way, but scaling zero trust to a large, complex organization is a long-term strategy that requires a clear and deliberate roadmap.

(Roadmap illustration, source: Gartner, not reproduced here.)

The following actions give a starting point for a detailed roadmap to implement zero trust principles:

  1. Define your zero trust policies.

  2. Carry out a comprehensive gap analysis.

  3. Create your zero trust architecture design to fill the shortfalls surfaced by the gap analysis in products, services, configuration, architecture, policy and so on.

  4. Define the surfaces zero trust will protect and the related access policies.

  5. Create your zero trust strategic plan.

  6. Develop your roadmap.

  7. Identify and engage your internal stakeholders, such as the CTO, CISO and CDAO, as well as the SOC and the IT workforce.

  8. Identify and engage external stakeholders.

  9. Train and upskill your IT workforce.


Challenges

  • Existing infrastructures built on implicit trust will require investment to update systems.

  • Modern cybersecurity practices require agency-wide buy-in for common architecture and governance policies.

  • Some government agencies are better positioned than others to make these advancements.

  • New solutions and ideas about how best to achieve zero trust objectives keep emerging and must be evaluated.

Conclusion

Replacing the implicit and static trust models of legacy security architectures with dynamic and explicit trust models will take time, as it requires organizational change management and buy-in from both operations and senior management.

While commercial enterprises are moving quickly toward zero trust, public sector agencies also need to adopt zero trust cybersecurity principles and adjust their network architectures as part of national cybersecurity.
