Moving Towards The Zero Trust Cybersecurity Framework – A Practical Approach
The original Zero Trust model was conceived by Forrester and put into practice by Google as part of its BeyondCorp initiative. Gartner has its own framework, Continuous Adaptive Risk and Trust Assessment (CARTA). These trust-centric approaches move access decisions away from network location (being "inside" the perimeter no longer earns trust) and base them instead on the identity and posture of authorized users and devices.
The first step towards establishing trust-centric security should be an investigation and analysis of what your sensitive data is, where it lives, who accesses it, and who might like to steal it.
You should leverage the resources and technologies you already have in place to keep changes and costs to a minimum. Cisco Advanced Security Services has the expertise to help you with the analysis, strategy, design, pilot, and implementation. You’ll understand where your gaps exist against any trust-centric approach. We’ll help you address some in the first few weeks and create a 1-3 year plan for the rest leveraging the Cisco Trusted Access portfolio.
Zero Trust is a New Way to Look at Security
The specific use cases that must be addressed will often be different by organization. Before moving to the more complex use cases, consider these capabilities:
– Inventory your hardware, software, patch levels, and network flows
– Identify and catalog your sensitive data and map how it flows between assets
– Rank your top 50 pieces of sensitive data and know where each resides
– Know your top risks (e.g. threats, brand damage, fines, compliance failures)
– Know who is after your data and how capable they are
– Authenticate your users, devices, and workloads
– Define enterprise-wide policy backed by an automated rule base, as far as possible
– Monitor for privilege escalation
– Continuously monitor and mitigate your trusted ecosystem
Start with the key use cases your organization must address first, for example contractors, East-West traffic, Continuous Diagnostics and Mitigation (CDM), and compliance. Prioritizing use cases will help you list the capabilities required, including which products and services you will need. Adopting Zero Trust helps you secure your infrastructure and adds depth to your existing security architecture. Adhering to standards-based cybersecurity frameworks (the CIS 20 Controls, the NIST SP 800 series, the ISO 27000 family) alongside Zero Trust provides a comprehensive safety net.
Be sure to review the Google BeyondCorp implementation of Zero Trust, which Duo Security productized (read their ebook), and note that Gartner's CARTA framework recommends starting two Zero Trust projects in 2019: establishing software-defined perimeters for users accessing any app, on any device, in any location; and implementing app micro-segmentation for workloads running across multicloud and on-premises data center infrastructures. You can download Gartner's full report "Zero Trust is an Initial Step on the Roadmap to CARTA" here.
A few key steps you need for all of these include privilege escalation monitoring, integrity monitoring, monitoring your network flows, application security, and more (out of scope for a short blog). So don't rely on any one of these frameworks to be the whole answer.
Ideally, after you work on the above, start discussing your plans for moving to self-identification and automation to reach the next Zero Trust maturity level. Realize that cloud-based and containerized workload use cases aren't going to wait, so several parallel engagements will happen.
We titled this blog "Moving Towards The Zero Trust Cybersecurity Framework", so the first move is completing a workshop with Cisco Advanced Services. We'll help you learn your key use cases, your gaps, and what you already have, and then how best to address those gaps and prioritize your efforts. This end-to-end approach takes into consideration the core principles that make up Zero Trust to ensure you'll achieve the desired outcomes:
– Identify and catalog your sensitive data (later, at a metadata repository level)
– Map the data flows of your sensitive data and store them
– Architect your Zero Trust network based on data sources and the way they are used transactionally
– Create your automated rule base and then later move to analyze the metadata and rules
– Continuously monitor your trusted ecosystem by inspecting and logging the traffic, and updating rules based on behavioral analytics
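The procedure in the list above (catalog the sensitive assets, map the flows to them, turn that map into an automated rule base, then keep monitoring traffic against it) is the same one the capability list earlier in this post describes. As an added illustration, not code from Cisco or from the original post, here is a small Python script that learns a default-deny segmentation rule base from a baseline window of flow records and then flags later flows to sensitive assets that the rule base does not permit. The asset catalog, the identity-to-subnet mapping, the flow record format and every address in it are constructed for the example.

```python
"""Learn a default-deny segmentation rule base from baseline flows to sensitive
assets, then flag later flows that the rule base does not permit.
All inventories, subnets and flow records below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed data catalog: sensitive assets and what they hold (hypothetical).
SENSITIVE_ASSETS = {
    "10.10.20.5": "crm-db (customer PII)",
    "10.10.20.6": "payroll-db (HR data)",
}

# Constructed identity map. In a real deployment identity comes from your
# authentication layer (users, device posture, workload identity), not subnets.
IDENTITY_BY_NET = [
    (ip_network("10.10.10.0/24"), "app-tier"),
    (ip_network("10.10.30.0/24"), "hr-app"),
    (ip_network("10.10.40.0/24"), "corp-users"),
    (ip_network("10.10.50.0/24"), "contractors"),
]

# Constructed flow records, one per line, in the form src,dst,dport,proto.
BASELINE_FLOWS = """
10.10.10.7,10.10.20.5,5432,tcp     # app-tier -> crm-db
10.10.10.8,10.10.20.5,5432,tcp
10.10.30.4,10.10.20.6,1433,tcp     # hr-app -> payroll-db
10.10.40.22,10.10.60.9,443,tcp     # user -> intranet site (not sensitive)
"""

OBSERVED_FLOWS = """
10.10.10.7,10.10.20.5,5432,tcp     # permitted by learned rule
10.10.50.12,10.10.20.6,1433,tcp    # contractor reaching payroll-db
10.10.40.22,10.10.20.5,22,tcp      # corporate user opening SSH to crm-db
10.10.30.4,10.10.20.6,1433,tcp     # permitted by learned rule
10.10.40.22,10.10.60.9,443,tcp     # not a sensitive asset, out of scope
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def identity_of(addr: str) -> str:
    """Map a source address to a trusted identity; anything unmapped is 'unknown'."""
    ip = ip_address(addr)
    for net, name in IDENTITY_BY_NET:
        if ip in net:
            return name
    return "unknown"


def parse_flows(text: str) -> list:
    """Parse 'src,dst,dport,proto' records; blank lines and '#' comments are ignored."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport, proto = (part.strip() for part in line.split(","))
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def build_rule_base(baseline: list) -> dict:
    """Rule base per sensitive asset: the set of (identity, dport, proto) tuples seen
    in the baseline window. Anything not listed is denied (default deny)."""
    rules = defaultdict(set)
    for f in baseline:
        if f.dst in SENSITIVE_ASSETS:
            rules[f.dst].add((identity_of(f.src), f.dport, f.proto))
    return dict(rules)


def check_flows(rules: dict, flows: list) -> list:
    """Return the flows to sensitive assets that the rule base does not permit."""
    violations = []
    for f in flows:
        if f.dst not in SENSITIVE_ASSETS:
            continue  # not in the catalog, so no segmentation rule applies
        if (identity_of(f.src), f.dport, f.proto) not in rules.get(f.dst, set()):
            violations.append(f)
    return violations


def describe(flow: Flow) -> str:
    """Human-readable alert line for a violating flow."""
    return (f"{identity_of(flow.src)} ({flow.src}) -> {SENSITIVE_ASSETS[flow.dst]} "
            f"{flow.proto}/{flow.dport}: not permitted by rule base")


if __name__ == "__main__":
    rule_base = build_rule_base(parse_flows(BASELINE_FLOWS))
    for asset, allowed in rule_base.items():
        print(f"{SENSITIVE_ASSETS[asset]}: allow {sorted(allowed)}")
    for v in check_flows(rule_base, parse_flows(OBSERVED_FLOWS)):
        print("ALERT:", describe(v))
```

Two caveats a practitioner will want before taking this further. A rule base learned purely from observed traffic allow-lists whatever was happening during the baseline window, including an intruder who was already present, so compare the learned rules against the data-flow map you built deliberately before you enforce them; treat the script as a monitoring aid, not a policy generator to trust blind. And identity here is approximated by source subnet for brevity; in a real deployment it comes from your authentication layer (user, device posture, workload identity), which is exactly why authenticating users, devices and workloads sits ahead of policy in the capability list.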
Segmentation is a Key Part of Zero Trust
Cisco’s Security Segmentation advisory services (read this at-a-glance) will help you develop a strong strategy around security, compliance, and threat management. To be able to logically segment your infrastructure you need four key capabilities: (1) trusted identity, (2) isolation, (3) policy enforcement, and (4) visibility.