As data breaches and cyberattacks have become commonplace, organizations are finding themselves doing more and more to defend themselves and improve their network and cloud security. One such effort includes developing and deploying a zero trust strategy, which, at its core, follows the “never trust, always verify” principle. Implementing a zero trust strategy and architecture can prevent cybersecurity attacks, including data breaches.
Zero trust is an augmentation of your existing architecture, making it simple to deploy, regardless of your technology. Implementing zero trust takes an iterative approach that allows you to learn and reflect before adding any improvements to new iterations—all of which help build a more resilient and secure environment, made up of people, processes, and systems..
Ready to get started? Follow the 5-step method outlined below to deploy a zero trust network within your organization.
Step 1: Define the Protect Surface
As attack surfaces continue to expand, it’s no longer feasible to work endlessly to reduce them. It’s hard to define or defend against, which is why zero trust focuses on a protect surface instead. Identify the data, applications, assets, and services (DAAS) elements you want to protect and encompass them in your protect surface. Each protect surface contains a single DAAS element, and every zero trust environment has multiple protect surfaces.
Your DAAS elements help define the sensitive resources that should go into individual protect surfaces. This includes:
- Data. The sensitive data that can wreak havoc if it’s misused or exfiltrated. Examples include payment card information (PCI), protected health information (PHI), personally identifiable information (PII), and intellectual property (IP).
- Applications. The off-the-shelf or custom software applications that interact with sensitive data or control critical assets and business processes.
- Assets. Often, these include information technology (IT), operational technology (OT), or internet of things (IoT) devices such as point of sale terminals, SCADA controls, manufacturing systems, and networked medical devices.
- Services. Sensitive services that are exceptionally fragile. Examples include DNS, DHCP, ActiveDirectory®, and NTP.
Step 2: Map the Transaction Flows
Mapping the transaction flows to and from the protect surface shows how various DAAS components interact with other resources on your network, helping you determine where to place the proper controls and how to protect data. How traffic moves across the network, specific to the data in the protect surface, determines the design.
As you map your transaction flows, ask yourself:
- Can I do this on my own?
- Do I have the capabilities and technologies to extract the flow of information from my environment?
- Do I have the technology in place that can do data discovery or flow identification?
Next, identify users’ density and privileges, applications, and services and map the transaction flows between your protect surfaces to document which traffic or transaction flows are active between the protect surfaces.
Step 3: Build a Zero Trust Architecture
Because zero trust frameworks are decoupled from technology, they can be completely customized—they are built around protect surfaces. The next step is to define and build a zero trust architecture, including associated security measures. Start with a next-generation firewall that acts as a segmentation gateway, creating a micro-perimeter around your protect surface.
According to Palo Alto Networks, you can enforce additional layers (all the way to Layer 7) of inspection and access control for anyone or anything trying to access the resources defined within your protect surface.
Step 4: Create a Zero Trust Policy
The next step in implementing your zero trust strategy is to create a zero trust policy. You need to instantiate zero trust as a Layer 7 policy statement, which requires Layer 7 controls. Use the Kipling Method of zero trust policy writing to determine who and what can access your protect surface.
The Kipling Method answers the who, what, when, where, why, and how questions, allowing you to define:
- Who should be allowed to access a resource?
- What application is used to access a resource within the protect surface?
- When is the asserted identity allowed to access a resource?
- Where is the resource located?
- Why is the user allowed to access the resource within the protect surface?
- How can a user get access and through which application?
Step 5: Monitor and Maintain the Network
The final step of the 5-step methodology is to monitor and maintain the network. It involves inspecting and logging all traffic, including through Layer 7. The telemetry this process provides doesn’t just help prevent data breaches and other significant cybersecurity events, but also provides valuable security improvement insights. Each protect surface becomes more robust and better protected over time.
Remember, zero trust takes an iterative approach, so inspecting and logging all traffic will provide insights that can help you improve your network, iteration over iteration.
Implement, Learn, and Repeat
After you’ve worked your way through this methodology, you can expand and iterate to fully move your DAAS elements from your existing network to a zero trust architecture that can better protect your data. Use this approach and the Kipling Method to get started and take your learnings from each iteration to improve. And if you need help getting started or maintaining your zero trust strategy and architecture, we’re here to help. Contact us today to get started.
