March 29, 2023
Getting Zero Trust Architecture Right for Security and Governance
Establishing a zero-trust approach is an incremental process that starts with the right foundation.
The Modern Security Landscape
A zero-trust approach to cybersecurity has become the go-to model for many organizations. As of 2022, 97 percent of companies had implemented a zero-trust initiative or planned to do so within the next 18 months — up from 16 percent in 2019. Zero trust requires all users, inside and outside an organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted access to applications and data.
This momentum stems in part from a 2021 executive order that established a zero-trust strategy for the federal government, requiring agencies to meet specific security standards by the end of fiscal 2024. Government adoption has driven zero-trust implementation in the private sector, particularly in industries that rely on government contracts. Guidance from organizations such as the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency has generated interest as well.
Momentum for zero trust has also increased because it helps address organizations’ most serious threats, such as ransomware. With stolen credentials a frequent factor in breaches and attacks, organizations need identity and access management (IAM) methodologies that are consistent and dynamic. They also need visibility to understand connections within the IT environment and where those could jeopardize critical assets such as data backups. Creating this level of visibility can be challenging in dispersed computing environments defined by cloud services and mobile computing.
Organizations pursuing zero trust should use a guiding framework, such as the CISA Zero Trust Maturity Model, to plan their strategies. It’s also critical to understand that zero trust is a concept, not an end state. IT solutions facilitate the implementation of zero-trust principles, but they do not on their own establish a zero-trust architecture. That said, discerning security leaders may use the momentum around zero trust as a valuable opportunity to catalyze underfunded initiatives and reinforce the value of existing investments.
Through the process of improving visibility, revealing dependencies, and shifting risky activities to a more efficient and secure environment, zero trust can simplify security and reduce risk.
Zero-trust initiatives help organizations derive full value from their existing security tools, identifying gaps and orchestrating deployment so that solutions work in concert as an integrated ecosystem.
By simplifying security, zero-trust architecture can help organizations improve the efficiency and productivity of their operations and thus improve the overall user experience.
Many leaders recognize the value of zero-trust architecture but are unsure how to implement, prioritize and budget for it. Expert partners can help clarify how to create a detailed strategy around established principles, where to begin building a strong foundation and how to incorporate existing security solutions.
DEMONSTRATE FULL IT VALUE
Leaders seeking support for zero-trust initiatives need to communicate their value. Some find this challenging because zero trust is an overarching philosophy rather than a clearly defined endeavor with a limited scope. In addition to stronger security, this approach simplifies network architecture and increases IT visibility, which leads to greater efficiency.
USE BIG-PICTURE BUDGETING
Creating accurate near-term and long-term budgets for zero-trust initiatives can be difficult when organizations are just getting started. The need for an effective foundation may require additional investments but can also reduce technical debt as older technologies are retired. Generally, organizations can use existing tools and increase their efficacy within zero trust.
BUILD MATURITY OVER TIME
Organizations should align zero-trust strategy with established guidance, setting a baseline for maturity and increasing capabilities over time. At the optimal level, organizations have the foundational components with advanced capabilities in place — people, processes and technologies — and know how to apply zero-trust principles consistently to new and changing environments.
FOCUS ON PRIORITY DOMAINS
Organizations may want to start with a specific domain, such as IAM — a prerequisite for zero-trust architecture. Without a solid method for establishing identity, organizations can’t move to the next step, which is configuring who should have access to what. These capabilities are defining features of a zero-trust environment.
FOLLOW THE RIGHT SEQUENCE
It can be difficult to achieve visibility across all data lifecycles, data sprawl and unstructured data, but organizations need a clear picture of the flow: where data lives, who accesses it and which systems talk to each other. Visibility and governance are essential to understanding risk in order to define and enforce the appropriate policies and standards.
Start planning your journey toward a zero-trust approach with a Rapid Zero Trust Maturity Assessment.
For Some Zero-Trust Initiatives, Gaps Persist
The percentage of companies that had implemented a defined zero-trust initiative by 2022, up from 24 percent in 2021
Source: Okta, The State of Zero Trust Security 2022, September 2022
The percentage of organizations that say they have implemented zero trust but still have gaps in ongoing authentication of users and devices
Source: Fortinet, The State of Zero Trust Report, January 2022
The percentage of organizations that say they have implemented zero trust but cannot monitor users after authentication
Source: Fortinet, The State of Zero Trust Report, January 2022
The percentage of companies with mature zero-trust initiatives that had applied privileged access management to cloud infrastructure by 2022
Source: Okta, The State of Zero Trust Security 2022, September 2022
Getting zero trust right requires understanding the relationship between strategic and tactical implementation. A strategic approach is essential; for example, organizations must mature their IAM and data governance capabilities individually before integrating them into a zero-trust approach. As organizations plan for and move through these processes, expert assessments can be extremely useful to evaluate security issues and facilitate conversations about connecting zero trust to business objectives.
CISA identifies five pillars on which to build a zero-trust strategy:
IDENTITY, including multifactor authentication, identity lifecycle management, visibility into user behavior analytics, identity and credential administration, and risk assessment
DEVICE, including configuration management, real-time threat analysis, asset tracking and patching
NETWORK/ENVIRONMENT, including macrosegmentation and microsegmentation, protocol encryption, machine learning–based threat protection, and Infrastructure as Code automation
APPLICATION WORKLOAD, such as continuous access authorization, application security testing, and dynamic application health and security monitoring
DATA, including classification, least-privilege access controls, end-to-end encryption, access logging, and immutable data backup and restore
As organizations establish secure access and integrate security tools, a maturity assessment can add clarity, structure and guidance to a zero-trust strategy.
SECURE ACCESS METHODOLOGY
Zero trust is based on the ability to establish and maintain authorized access to systems or applications, which means an identity-focused process with multifactor authentication is just the first step. Conditional access also reflects the dynamic approach that is key to zero trust. For example, if a user’s device hasn’t updated to the latest operating system, the user would be denied access to certain applications. Likewise, if active threats are triggered from the user’s device or suspicious behavior alerts are tagged with the user’s identity, access could be terminated.
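The conditional-access behavior described above can be sketched as a small policy decision point. This is an added example, not CDW's or any vendor's code; the application names, OS version thresholds and field names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample policy: minimum OS version per application.
# None means the application has no OS gate; unlisted apps are denied.
APP_MIN_OS = {"payroll": (14, 2), "wiki": None}

@dataclass
class Context:
    user: str
    mfa_passed: bool
    device_os: tuple               # (major, minor) reported by device management
    active_threat: bool = False    # endpoint tooling reports an active threat
    behavior_alerts: int = 0       # suspicious-behavior alerts tagged to the identity

def evaluate(ctx, app):
    """Return (decision, reason). Deny by default; run on every request."""
    if app not in APP_MIN_OS:
        return "deny", "unknown application"
    if ctx.active_threat:
        return "terminate", "active threat on device"
    if ctx.behavior_alerts > 0:
        return "terminate", "suspicious behavior tagged to identity"
    if not ctx.mfa_passed:
        return "deny", "MFA not satisfied"
    min_os = APP_MIN_OS[app]
    if min_os is not None and ctx.device_os < min_os:
        return "deny", f"device OS {ctx.device_os} below required {min_os}"
    return "allow", "all conditions met"

class Session:
    """Re-evaluates policy on each access so posture changes apply mid-session."""
    def __init__(self, ctx):
        self.ctx = ctx
        self.revoked = False
        self.log = []              # every decision is recorded for audit

    def access(self, app):
        if self.revoked:
            decision, reason = "deny", "session revoked"
        else:
            decision, reason = evaluate(self.ctx, app)
            if decision == "terminate":
                self.revoked = True
        self.log.append((self.ctx.user, app, decision, reason))
        return decision
```

An outdated device is blocked only from the applications that require a current OS, while a threat signal ends the whole session regardless of how the user authenticated.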
Microsegmentation tools are central, supporting the creation of a least-privilege network by establishing a perimeter around every device. Microsegmentation yields visibility into system-to-system connections so that organizations can begin to build segmentation rules and policies.
Moving to zero trust involves reassessing the existing environment to determine how key technologies and toolsets can be integrated and optimized. Organizations that have moved much of their infrastructure to the cloud generally find it much easier to implement zero trust, assuming that staff have the necessary skills to do so. For example, teams should understand how applications are developed and published in the cloud so they can verify appropriate security before moving workloads into production.
On the other hand, organizations with traditional data center environments or operational technology in Internet of Things solutions will find it more challenging. As organizations move toward maturity with zero trust, there may be areas where it is not currently possible to achieve optimal maturity.
RAPID ASSESSMENT SERVICES
CDW’s Rapid Zero Trust Maturity Assessment is a four-week engagement that measures an organization’s IT environment against CISA’s Zero Trust Maturity Model and five foundational pillars. We collaborate to develop a roadmap that helps drive the organization’s zero-trust strategy and prioritize cybersecurity projects. This includes actionable recommendations to effectively close gaps around people, processes and technology. The assessment also considers future goals and practices to ensure the recommendations have long-term viability and value.
Part of the roadmap is helping organizations determine which tools they can leverage, where tooling gaps exist and how to begin tackling use cases with the tools on hand. To extend governance and visibility across the organization, zero trust requires a blend of the tactical — for example, knowing where sensitive applications live so they can be locked down — and the strategic.
PRIORITIES AND ROADMAP
A maturity assessment can be a valuable way to build consensus among key stakeholders about priorities to target and to instill a cultural view that zero trust is an iterative philosophy that should be included in all future IT planning. Every organization must build a foundation, get the right tools in place and begin implementation where zero trust makes the most sense and will have the most impact. However, each organization’s strategy will be unique, which is why a customized roadmap can shorten the learning curve and save time and money in the long run.
Secure Backup and Recovery
As organizations begin their zero-trust journeys, some find that data backups are a good place to start. In the age of ransomware, backup and recovery processes should be regarded as critical. Unfortunately, organizations may overestimate the level of security they have in place for these resources. This can significantly slow down or even prevent a full, speedy recovery after an attack.
To facilitate operational and business recovery, backups must be reliable, accessible and recoverable. Organizations should implement strict access controls, enabled by zero-trust architecture and supported with thorough logs.
Beyond Immutable Storage
Immutable storage protects backups only against external infiltration. With hackers’ average dwell time up to 277 days, backups also need indelible storage and other measures for protection against internal interference.
Covertly changing Active Directory is a favored tactic of ransomware attackers, impeding its usefulness for recovery. Anomaly detection tools can alert IT personnel to an attack and shorten recovery time.
Zero-trust principles such as multifactor authentication and role-based access control, together with strategies such as air gapping, are essential to ensure that backups are secure and reliable.
The outcomes of a zero-trust initiative — reduced risk, stronger compliance and a better user experience — advance both IT and business objectives.
REDUCE CYBERSECURITY RISKS
In a world where hybrid work, cloud-based computing and dispersed organizational structures have vastly expanded the attack surface, a zero-trust approach can measurably reduce exposure. Zero trust’s granularity allows organizations to develop customizable policies that enable least-privilege access. In addition, standardizing security controls provides stronger protection against known and emerging threats, a critical capability considering the growing sophistication and evolution of cyberattacks. At the same time, building a software-defined perimeter gives organizations the flexibility and agility to apply security policies based on changing business requirements.
MEET COMPLIANCE REQUIREMENTS
As CISA notes, “The path to zero trust is an incremental process that will take years to implement.” Within that process, however, incremental progress can be powerful, particularly when it comes to threat response and compliance objectives. New requirements from the Securities and Exchange Commission, together with court rulings, place more responsibility on boards of directors to disclose their oversight of cybersecurity issues. As directors and executive officers become more accountable for cybersecurity, zero trust is an effective strategy for ensuring systems integrity and data confidentiality. For companies seeking to do business with the government, deep visibility and conditional access control are table stakes.
ENHANCE THE USER EXPERIENCE
The improvements in cybersecurity risk and compliance that zero trust enables deliver significant value for organizations that implement this approach effectively. However, IT teams must also consider the user experience when engaging in zero-trust initiatives. If users are unsatisfied with their experience, organizations may see negative effects on productivity and efficiency. Further, users who work around inconvenient security measures can expose an organization to serious vulnerabilities.
Fortunately, an effectively implemented zero-trust approach can actually enhance the user experience. For example, by automating security functions such as patching and updating configurations, zero trust can reduce delays that frequently frustrate users. To achieve this objective, IT teams should incorporate the user experience into their zero-trust initiatives from the beginning.
Ultimately, zero trust can improve an organization’s ability to achieve its business objectives. While business agility isn’t a primary driver for a zero-trust architecture, it can be a valuable outcome of increased IT efficiency. Mature zero-trust environments have templatized their use of security tools in various environments, developed supporting policies and gained the experience to adapt those processes as needed. If done correctly, a zero-trust architecture can improve the user experience and help ensure that business processes run without unexpected interruptions.
Buck Bell, who leads CDW's Global Security Strategy Office and brings more than 20 years of experience in cybersecurity and risk management to the role
John Candillo, CDW Field CISO with more than 20 years of security experience, specializing in risk, governance, compliance and IT security strategies
Gary McIntyre, Managing Director for Cyber Defense at Focal Point Data Risk, a CDW company
Jeremiah Salzberg, Chief Security Technologist at CDW
Jeremy Weiss, Executive Security Strategist at CDW