We’re now in a reality that has bad actors coming in through code updates and then moving laterally. Zero Trust began as hype (as all technology does) and evolved to the plateau of productivity in Q4, as also cited in the report, with 20% at least at first-step adoption. 2021 is the year that Zero Trust is simply a must for corporate enterprise.
Realize The Promise Of Zero Trust Network Access Through Zero Trust Network Architecture
“The promise is application level access so you don’t need to provide VPN access into your network which says, “This is your permission,” and hope they don’t move laterally. It is truly containment within an application. That means we can eliminate those things that introduce greater risk. We have vendors who connect to technology. And that’s hard to do securely without zero trust technology.”
Per the CSHub 2020 Q4 Cyber Security Spend & Trends Report, 75% of cyber security executives are operating with a VPN as their front door. Supply chain partners and/or third-party vendors connect through that front door. Once through the front door, lateral movement is a cinch.
Zero Trust Must Not Be A Hurdle For Enablement
“You need a good user experience. So zero trust is actually quite a complex problem once you start digging into that fine granularity and how you actually react to it. There are additional layers and levels you need to get into. And some of it ends up being back in the customer’s journey. You need to ensure that the user can do what the user needs to do.”
If all they see is hurdles, the business is going to get angry. Before step one, do due diligence. Know how connections of users to their resources occur. Know who needs what. Get your personas straight and get sign-off on that perceived reality from the business leaders in the organization.
Zero Trust Must Not Be A Hurdle For Technology Interoperability
“To implement it holistically within your environment, you actually might break things such as legacy applications that don’t support these new concepts and principles. You might break business processes that are not necessarily expecting to have these new additional checks and controls prompts throughout the lifecycle of a connection.”
Although most CISOs are extremely familiar with the current tech stack, Zero Trust ‘treats’ technology differently. Know what will happen, and fix points of confluence before they break.
Step One of Zero Trust For The Enterprise
“Part of it is dependent upon funding of course. There are things we’d like to do and other things that may not be possible. Some of the things that we know we’re going to pursue are around adaptive authentication. We’re in a more remote work environment. It is imperative to write policies that make it not cumbersome for your users but allow for an appropriate scaling up of the level of authentication based upon behavioral type of analysis, geolocation, etc. We do have some licensing for zero trust application layer access, so we’re going to be dipping our first toe in the water in that technology. We bought a small quantity of licenses just to go through some use cases and justify that with the business.”
Take the Zero Trust step that can be taken with the current budget. Ensure a scale-up of user authentication coupled with ease of use.
Next Step For Zero Trust For The Enterprise
“If you get Zero Trust matured, it’s going to help you in so many other ways. It’ll eliminate some of your current threats and mitigate others. If access to data is privileged and based on identity, lateral movement becomes much more difficult.”
The next step is closing the doors that are open, and opening only the doors that need opening, by the people who need to open them. This establishes a perimeter of one, confining lateral movement.
Maturing Zero Trust For The Enterprise
“There are different levels of maturity within Zero Trust and Zero Trust solutions. We all should be assuming that a bad actor is already inside your organization. We all should be understanding that we are operating in an untrusted ecosystem, both inside and outside. So the best solution from a Zero Trust perspective has to be detecting all anomalies, all signals that are coming from the devices, the assets, the applications, and the users. The chosen solution has to understand the status of the network and gain a very dynamic threat assessment prior to granting access to the data or to the infrastructure.”
The task is not an easy one. Find an overtly dynamic yet lightweight solution that enables the business while providing heightened security and interoperability with current systems, within a realistic budget.