With the constantly escalating threat landscape the only clear way to protect your business applications and users is to deploy a Zero Trust Strategy and Architecture. NIST (National Institute of Standards and Technology) 800-207 goes into detail on strategies to build a Zero Trust program. This is the “Bible” for Zero Trust Architecture.
Considering the current and potential future threats, Zero Trust is a “must have” for securing your environment. However, it may not be obvious what is most important to focus on. BTA has successfully helped 100+ customers enforce* over 450 applications. This includes navigating the architecture, deployment, and operationalizing Zero Trust best practices by involving the right people, processes, and tools. Here are some of the best practices we use to get there.
It is important to have a very defined and accurate understanding of exactly what Zero Trust is (and what it is not). One of the most important things to consider is understanding that Zero Trust is an architecture and operating model - not a product, and that it is a business issue first and a technology issue once the business drivers are clear. This is because ransomware and advanced, persistent threats can severely impact businesses from both financial and reputational perspectives.
One of the key elements in starting your Zero Trust journey is to get the right people involved – CISO/Policy, SecOps, App Teams, Network Team. This will vary based on how your teams are organized and who the stakeholders are. This is important because these groups can often be on different pages, due to divergent roles, perspectives, attitudes, and goals. For example, historically, applications teams typically want everything wide open to develop freely and dynamically without being encumbered by what are perceived as “onerous” security policies. Time to value/functionality is a top priority. Security policies are published, dictated by the CISO’s policy team, where SecOps/DevSecOps/NetOps teams have the operational responsibility for implementing policy, monitoring, maintenance, and incident response. Sometimes these are the same team, more often though they are separate. How do we approach this? We typically start with pulling all the stake holders together, establishing a common vocabulary, requirements, and objectives to be met by the project. This includes identifying what the common policies for all should look like and prioritizing which applications to focus on first.
BTA (Business Technology Architects) focuses on solutions that provide and support the most efficient, secure, and operationally sustainable path to Zero Trust enforcement.
When possible, we encourage customers to deploy host-based agents. We start with agents because they give us the most accurate flow data. For example, a tool like Cisco Secure Workload (formerly Tetration) collects all the flow data and accounts for every packet into and out of the Workload (Virtual Machine, Cloud Instance, Bare Metal OS) so that when we build policies from flows, nothing is missing.
You also want a tool that can visualize, so teams can see things the way they want to see them. The key step there is to get all the teams aligned to collaboratively review and agree on the policies that you want to enforce to limit the overall attack surface.
Long term success depends on building a consistent set of processes your teams will follow daily, weekly, monthly, etc... Buy-in from the business, Security, Application, and IT Ops teams are critical. Engaged teams feel ownership. Once that is in place (and we have seen it in several cases) then the process will accelerate. Policy reviews and enforcement move more quickly when the teams are aligned.
When you have that rhythm going, right people on calls, tools visualizing appropriately to make those decisions, and everyone moving in concert, you are at a point where you can segment an application(s) every week or even faster. Then, it is up to the business to determine the appropriate internal resourcing levels, training and operational tools required to meet timelines. Some consider leveraging Managed Service Providers (MSP) like BTA to deliver accelerated policy review and ongoing operations. BTA considers Time-to-value (TTV) a key differentiator and measure of business value.
BTA meets customers where they are. We can Architect, Train, and Mentor your teams through deployments on a path to building internal competence and confidence. Our proven S.I.M.P.L.E. process delivers consistently repeatable results. For customers that would prefer to outsource policy development and ongoing management we offer advisory services and fully managed services to help you meet your business and security objectives.
Interested in a private Zero Trust Strategy Workshop? Register here:
* We use the term “Enforce” to describe the application of a Zero Trust Policy to workloads (aka servers) on premises or in the cloud. Some may think of this as turning on a host-based firewall rule or the marketing term “Micro Segmentation.” We feel Enforce more accurately represents the outcome that is delivered.