Many companies are moving to the cloud and to greenfield environments. Here are 5 steps for building a Zero Trust strategy that dramatically improves your organization’s security posture:
- Verify trust upon access to any network resource and do it in real-time. Include assets that are ignored today. Be sure to focus on legacy systems, tools and protocols that traditionally are unprotected, do not rely on trust or risk, and are commonly used and abused by adversaries.
- Define trust, especially when it comes to devices. In your organization, what is trust? Theoretically, if we go by the concept at a network level, trust is based on identity, access levels and device risk all wrapped up into a specific point in time, which can be the 4th dimension. But what if you don’t have a device management solution? Or if you’re not utilizing certificates? Does this mean that you need to work on these implementations first? You can define device trust based on other features, which are tied to the device activity while measuring ownership relations between the authenticating user and the device. You can also utilize EDR data or even endpoint protection software. These can be used in a straightforward manner as compensating controls for the perceived traditional device risk.
- Personalize your security posture with a user-centric approach. Empowered end users can take charge of the actions required for accessing resources. End users are expected to be able to remediate their problems, patch their system to the required level to get access, choose which MFA vendor they want to work with, or take other measures to meet the organization’s defined trust level.
- Collect use cases. Explore and define the situations that the solution should address. Zero Trust is about managing situations, and a custom policy-based approach is the most realistic option. You must prioritize your use cases. For example, you should first vet the authentications to the domain, then review access to services and applications, followed by tools. Don’t limit the analysis to web applications just because it is easy to do with a web proxy. Make sure to vet every aspect of where authentication is involved, regardless of the application type.
- Gradually expand. Ditching remote access VPNs immediately is not required. Even for Google, it took years to adopt and practice BeyondCorp, which can be considered one of the well-known implementations of the Zero Trust concept. Once you have prioritized the defined use cases, it is time to build these situations into rules. With time, organizations can move from audit mode to active enforcement mode.
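
The sketch below is an added example, not code from the original article or from any product. It shows how the steps above can fit into one policy check: device trust that falls back to compensating signals (EDR health, user-to-device ownership history) when no device management or certificate exists, per-use-case rules, remediation hints for the end user, and an audit mode that records a would-be denial without blocking. All field names, scores and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    resource_type: str         # "domain", "service" or "tool" (prioritized use cases)
    mfa_passed: bool
    device_managed: bool       # device management enrolment or device certificate
    edr_healthy: bool          # compensating signal from EDR / endpoint protection
    prior_logins_by_user: int  # ownership relation between user and device
    patch_level_ok: bool

# Constructed policy: required trust score and rollout mode per use case.
POLICY = {
    "domain":  {"min_score": 3, "mode": "enforce"},
    "service": {"min_score": 3, "mode": "audit"},
    "tool":    {"min_score": 2, "mode": "audit"},
}

def device_trust(req):
    """Score 0-2: managed device, or compensating controls when unmanaged."""
    if req.device_managed:
        return 2 if req.patch_level_ok else 1
    score = int(req.edr_healthy) + int(req.prior_logins_by_user >= 5)  # assumed threshold
    return score if req.patch_level_ok else min(score, 1)

def evaluate(req):
    """Return (allowed, would_deny, remediation_hints) for one request."""
    rule = POLICY.get(req.resource_type)
    if rule is None:  # use case not yet covered by a rule: deny by default
        return False, True, ["resource type not covered by policy"]
    score = device_trust(req) + int(req.mfa_passed)
    hints = []
    if not req.mfa_passed:
        hints.append("complete MFA")
    if not req.patch_level_ok:
        hints.append("patch device to required level")
    if not req.device_managed and not req.edr_healthy:
        hints.append("enable endpoint protection")
    if not req.device_managed and req.prior_logins_by_user < 5:
        hints.append("use an enrolled device or one you normally sign in from")
    would_deny = score < rule["min_score"]
    allowed = (not would_deny) or rule["mode"] == "audit"  # audit logs, never blocks
    return allowed, would_deny, hints if would_deny else []
```

Moving a use case from audit to active enforcement is then a one-field change to its rule, made once the recorded would-be denials for that use case have been reviewed.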