With the escalation of hostilities in Ukraine, increased activity by cybercriminal groups, and an ever-expanding attack surface caused by enterprises migrating to the cloud and employees moving to home offices, zero trust has become cybersecurity's most valuable player.
The old model of security was that of a castle, with walls, moat and drawbridge, said Michael Salihoglu, cybersecurity managing consultant at Crowe, a public accounting, consulting, and technology firm.
"Once you're inside the castle, you're basically a citizen and can do anything you want," he said. "You've got a hard shell and a soft underbelly."
Zero trust is a major shift in how security is approached, he told Data Center Knowledge.
"Your organization isn't a castle," he said. "But each application and each data store is its own castle. Everyone and everything should be as authenticated as possible and we need to eliminate the inherent trust of the internal network."
In fact, last spring, President Joe Biden made zero trust a cornerstone of his executive order on improving the nation's cybersecurity.
A new priority
It's no surprise that in a survey of 150 cybersecurity leaders by iSMG, sponsored by Palo Alto and Optiv and released earlier this month, every single respondent said that zero trust was "somewhat" to "extremely" critical to reducing their cybersecurity risk, and 46% said that it was their most important security practice in 2022 – ahead of any other cybersecurity project or strategy.
According to a survey of over 300 large global organizations released by Forrester earlier this month, 78% of security strategy executives plan to increase their use of zero trust this year.
All the surveys released on the topic in the last few months show that zero trust is a top priority for enterprises. However, when it comes to implementation, companies are just starting to move in this direction.
According to PwC's survey released in December, 52% of more than 3,600 global executives said that they have started implementing zero trust, or are planning to do so – but only 11% have begun realizing benefits from zero trust and only 28% have implemented it at scale.
Forrester's survey puts full deployment at just 6%, with another 30% reporting zero trust in partial deployment or production, and 63% saying that their zero trust projects are currently in the assessment, strategy, or pilot phases.
How to do zero trust
NIST's National Cybersecurity Center of Excellence is currently working on a set of how-to guides and example approaches to make implementing zero trust easier in the most common business cases, but the basic NIST zero trust architecture reference guide was released in the summer of 2020.
Last fall, CISA released its Zero Trust Maturity Model, a roadmap for agencies to use to transition to a zero trust architecture.
Meanwhile, just last month, the Office of Management and Budget released the official federal strategy to move ahead to zero trust architecture, which includes a detailed road map that any organization, not just government agencies and contractors, can use as a model.
Both CISA and OMB focus on five main pillars of the zero trust strategy – securing identities, devices, networks, applications, and data.
Here are some best practices to do it right.
#1: Start with clear business objectives
Getting started with zero trust can seem like a daunting task.
"You can't buy a zero trust product and expect magic to happen overnight," said Den Jones, CSO at Banyan Security. Jones is a former Adobe and Cisco executive and one of the pioneers of the zero trust movement.
Instead, he said, a zero trust program should be anchored in tangible business outcomes.
"CISOs should focus on investments that improve workforce experience or are tied to a previous breach – if not yours, one that impacted your industry," Jones told Data Center Knowledge.
"Another recommendation is to incrementally deploy zero trust by application or user. Doing this incrementally eases the entire process since you won’t have to rip and replace what you already have working."
You can focus on specific divisions or teams within the organization instead of the entire business all at once, he said.
#2: Prioritize around business risk by understanding the protection surface
Today, many security practitioners start by looking at the potential attack surface. Where is the organization's perimeter? How might attackers try to break through?
Zero trust turns that around.
"Start by assessing the highest value and highest risk users and assets – applications and data," said Jason Garbis, chief product officer at Appgate.
Those are the best places to start applying zero trust principles, he told Data Center Knowledge.
"Even small changes will make an impactful difference."
#3: Beware analysis paralysis
Moving to zero trust is a massive undertaking and data center managers shouldn't try to figure out how to do everything at once.
"Don't boil the ocean," said Jerry Chapman, engineering fellow at Optiv Security. "Zero trust includes a lot of different security controls and a lot of different technologies. Too often, organizations get into analysis paralysis."
Instead of trying to boil the whole ocean, he suggests boiling it one pot at a time.
#4: Realign around identity
One possible place to start, Chapman said, is identity.
"Identity is foundational to zero trust security," he said, adding that it doesn't have to be perfect.
"But it does have to have certain elements that are key, such as identity origination and role-based access controls."
Identity origination means knowing where all the identities come from: "Not just user identities, but service accounts and ephemeral identities that are generated in the cloud as you spin up architecture."
#5: Architect the network using micro-segmentation
Data centers are traditionally very good at managing networks and perimeters, Chapman said.
With zero trust, the principle is the same, except that the networks and perimeters are going to be much smaller.
"Microsegmentation is how you create a micro perimeter in your data center," he said. And only pre-approved traffic can be allowed in.
This is similar to the white lists of old, except that the approved list is based on policy rather than, say, IP addresses.
Maintaining one network, its firewalls, and a single rule set is onerous enough without trying to do the same across many micro-segments. Manual methods no longer cut it.
That's why modern zero trust network access solutions use machine learning or artificial intelligence to understand what good traffic looks like and help companies create access policies in an automated way, Chapman said.
"Once you have a solution in place in learning mode, you can start tightening the wrenches and start disabling the generic traffic," he added.
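As an added illustration of the learn-then-enforce approach Chapman describes (this is not code from Optiv or any product mentioned in the article), the following Python sketch aggregates a constructed flow log into label-based allow rules and then applies default deny against them. The workload inventory, labels, flow records and rule format are all hypothetical, and a simple repetition threshold stands in for the machine-learning step. The points it shows are that policy is keyed on workload labels rather than IP addresses, that one-off or unlabelled traffic is surfaced for review instead of being permitted by default, and that the same rule set later drives enforcement.

```python
"""Label-based micro-segmentation: learn allow rules from observed flows,
then enforce default deny.  Added example for this article; the inventory,
flow records and rule format are constructed and hypothetical."""
from collections import Counter
from dataclasses import dataclass

# Constructed inventory: IP -> (app, tier).  Rules refer to labels, not
# addresses, so hosts can be re-addressed or scaled out without editing policy.
INVENTORY = {
    "10.0.1.10": ("web", "frontend"),
    "10.0.1.11": ("web", "frontend"),
    "10.0.2.20": ("web", "api"),
    "10.0.3.30": ("web", "db"),
}
UNKNOWN = ("unknown", "unknown")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    src: tuple
    dst: tuple
    dst_port: int
    proto: str


def labels(ip):
    return INVENTORY.get(ip, UNKNOWN)


def rule_for(flow):
    return Rule(labels(flow.src_ip), labels(flow.dst_ip), flow.dst_port, flow.proto)


def learn(flows, min_count=2):
    """Learning mode: aggregate flows by label pair, port and protocol.
    Pairs seen at least min_count times between labelled workloads become
    allow rules; everything else (one-off or unlabelled traffic) is returned
    for human review rather than silently permitted."""
    counts = Counter(rule_for(f) for f in flows)
    rules = {r for r, n in counts.items()
             if n >= min_count and UNKNOWN not in (r.src, r.dst)}
    review = {r for r in counts if r not in rules}
    return rules, review


def enforce(rules, flow):
    """Enforcement mode: default deny; allow only flows matching a learned rule."""
    return rule_for(flow) in rules


# Constructed flow log captured during a learning window.
OBSERVED = [
    Flow("10.0.1.10", "10.0.2.20", 8443, "tcp"),
    Flow("10.0.1.11", "10.0.2.20", 8443, "tcp"),
    Flow("10.0.1.10", "10.0.2.20", 8443, "tcp"),
    Flow("10.0.2.20", "10.0.3.30", 5432, "tcp"),
    Flow("10.0.2.20", "10.0.3.30", 5432, "tcp"),
    Flow("10.0.1.10", "10.0.3.30", 5432, "tcp"),   # frontend straight to db: one-off
    Flow("10.0.9.99", "10.0.3.30", 5432, "tcp"),   # host missing from inventory
    Flow("10.0.9.99", "10.0.3.30", 5432, "tcp"),
]


def learned_policy():
    """Run learning mode over the constructed log; returns (rules, review)."""
    return learn(OBSERVED)


if __name__ == "__main__":
    rules, review = learned_policy()
    for r in sorted(rules, key=str):
        print("ALLOW ", r.src, "->", r.dst, r.dst_port, r.proto)
    for r in sorted(review, key=str):
        print("REVIEW", r.src, "->", r.dst, r.dst_port, r.proto)
```

One caveat worth noticing: a host that is missing from the inventory is treated as unknown, so its traffic never becomes a rule and is denied once enforcement is on. Labelling therefore has to keep pace with provisioning, which is the identity-origination problem from #4 showing up at the network layer.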
#6: Implement policies, conditional security access controls and least privilege principles
In a zero trust world, data center security is based on identity – but not on specific individual identities.
"It's not real," Chapman said. "It's impossible. Instead, you have to start thinking about policy. You have to change the paradigm from 'Joe from accounting needs access to application X' to 'users with these roles can access this data from the accounting server.' It's high level, and it takes away the minutiae of managing all the identities and requests for access."
Here, again, artificial intelligence can help companies generate roles and access policies automatically.
But AI doesn't – yet – understand changing business needs. And rigid roles and policies can prevent users and processes from doing their jobs.
#7: Allow exceptions within reason — and within policy limits
As with any technology, there are good and bad ways to implement zero trust.
"Today, I look at Active Directory environments that are horrible," Chapman said. "They are 20 years old and have 5,000 users and 50,000 groups."
The same thing can happen when policies and access permissions and roles are added to serve business needs and then pile up into an unmanageable mess.
The solution, he said, is to have a governance process in place.
"The premise of zero trust is to provide just in time and just enough access," he said. Sometimes, a kludge may be needed to serve a particular organization's business use case.
"My question to that organization is, how long is that kludged environment necessary? If I’m governing this solution, that access is removed when I no longer need it."
And that temporary access can be policy-dependent as well.
For example, if someone needs access to a production server to solve a problem, a policy might require that an open service ticket exists stating that the server is down, with access allowed only while that ticket remains open.
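To make the ticket-gated, time-bounded access described above concrete, here is an added Python example (not code from Optiv or any vendor quoted in the article) of a small policy decision function. The policy names, resource paths, roles, ticket records and the eight-hour ticket age limit are all hypothetical. Standing access is granted by role and resource; the break-glass path additionally requires a device that passes posture checks and a ticket that names the resource, is still open, and is not stale, so the exception expires on its own without anyone remembering to revoke it.

```python
"""Conditional access with policy-scoped, time-bounded exceptions.
Added example for this article; the policy fields, ticket records and
resource names are hypothetical, not any product's format."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    roles: frozenset            # any one of these roles qualifies
    resource_prefix: str        # e.g. "server/prod/"
    actions: frozenset
    require_compliant_device: bool = True
    require_open_ticket: bool = False   # the just-in-time exception path
    max_ticket_age: timedelta = timedelta(hours=8)   # hypothetical limit


@dataclass
class Ticket:
    resource: str
    opened_at: datetime
    closed_at: Optional[datetime] = None


@dataclass
class Request:
    subject: str
    roles: frozenset
    device_compliant: bool
    resource: str
    action: str
    now: datetime
    tickets: dict = field(default_factory=dict)   # ticket id -> Ticket


def _open_ticket(req, max_age):
    """Id of a ticket naming this resource that is still open and not
    older than max_age; None if there is no such ticket."""
    for tid, t in req.tickets.items():
        if t.resource == req.resource and t.closed_at is None \
                and req.now - t.opened_at <= max_age:
            return tid
    return None


def decide(policies, req):
    """Default deny.  The first policy whose conditions all hold grants;
    policies that match on role/resource/action but fail a condition
    contribute a reason to the denial."""
    reasons = []
    for p in policies:
        if not (req.roles & p.roles) or req.action not in p.actions \
                or not req.resource.startswith(p.resource_prefix):
            continue
        if p.require_compliant_device and not req.device_compliant:
            reasons.append(f"{p.name}: device not compliant")
            continue
        if p.require_open_ticket:
            tid = _open_ticket(req, p.max_ticket_age)
            if tid is None:
                reasons.append(f"{p.name}: no open, current ticket for {req.resource}")
                continue
            return True, f"{p.name}: granted while ticket {tid} is open"
        return True, f"{p.name}: granted"
    return False, "; ".join(reasons) or "default deny: no matching policy"


POLICIES = [
    Policy("accounting-data-read", frozenset({"accounting"}),
           "data/accounting/", frozenset({"read"})),
    Policy("prod-break-glass", frozenset({"sre"}),
           "server/prod/", frozenset({"ssh"}), require_open_ticket=True),
]


def run_scenarios():
    """Constructed requests exercising each branch; returns name -> allowed."""
    now = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)
    fresh = {"INC-1": Ticket("server/prod/db01", now - timedelta(hours=1))}
    closed = {"INC-1": Ticket("server/prod/db01", now - timedelta(hours=1),
                              now - timedelta(minutes=5))}
    stale = {"INC-1": Ticket("server/prod/db01", now - timedelta(hours=12))}
    sre = dict(subject="sre-1", roles=frozenset({"sre"}), device_compliant=True,
               resource="server/prod/db01", action="ssh", now=now)
    cases = {
        "accountant reads ledger": Request("acct-1", frozenset({"accounting"}), True,
                                           "data/accounting/ledger", "read", now),
        "accountant ssh to prod": Request("acct-1", frozenset({"accounting"}), True,
                                          "server/prod/db01", "ssh", now),
        "sre with open ticket": Request(**sre, tickets=fresh),
        "sre after ticket closed": Request(**sre, tickets=closed),
        "sre with stale ticket": Request(**sre, tickets=stale),
        "sre, non-compliant device": Request(**{**sre, "device_compliant": False}, tickets=fresh),
    }
    return {name: decide(POLICIES, r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:28} -> {'ALLOW' if allowed else 'DENY'}")
```

Two design points carry over to a real deployment: the decision is re-evaluated on every request rather than cached, so closing the ticket cuts access immediately, and the age limit stops a ticket left open indefinitely from becoming the standing access the exception was meant to avoid.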
#8: Visibility is key
Before organizations can implement zero trust around identities, devices, networks, applications, and data, they need full visibility into their environments and into how everything connects to everything else.
"Users, devices, and services are all connecting to data centers," said Tamer Baker, VP of global healthcare at Forescout Technologies. "It’s a complex environment that is only made more complex by the cloud. If organizations try to implement enforcement without understanding how this environment behaves, they could leave themselves blind to security gaps, or they could break workflows."
Once they get full visibility, they can then begin to understand what trust technologies and enforcement policies they need in place, he told Data Center Knowledge.
In fact, many of the necessary technologies might already be in place, he said, and just need updating with orchestration and policy engines.
"This is why it is so important to begin by understanding the business logic of everything connected and the way it all communicates," Baker added.
#9: Eliminate the attack surface
In traditional approaches, applications are published to the Internet.
"This means they can be discovered easily by adversaries," said Deepen Desai, head of Zscaler's ThreatLabZ research team.
Attackers can then throw everything they have at those exposed applications to get past their defenses: brute force, stolen credentials, or exploits.
"A zero trust approach avoids exposing the corporate assets to the internet by concealing source identities and obfuscating IP addresses," he said.
When applications are invisible to adversaries and accessible only by authorized users, the attack surface is reduced, he said. "And it ensures that access to applications – on the internet, in SaaS, or in public or private clouds – is secure."