
5 steps towards Zero-Trust
Interested in Zero Trust, which, after ten years of proving itself in organizations of every kind, has become one of the best ideas in the history of cybersecurity? How do you go about implementing this revolutionary approach to mitigating cyber risk?
To get the in-depth and nuanced dive into Zero Trust that only he could provide, we invited John Kindervag, SVP of Cybersecurity Strategy at ON2IT Cybersecurity and the creator of Zero Trust, to join a recent episode of The Virtual CISO Podcast. John Verry, CISO and Managing Partner of Pivot Point Security, hosts the show as usual.
John outlined five steps common to every organization implementing Zero Trust. The approach is fundamentally data-centric: it starts by defining the data, applications, assets, and/or services (DAAS) you most need to protect.
Step 1: Define your protect surface.
“These are real things [that we protect],” John emphasizes. “I used to say just define your data. But I realized that there were times when I couldn’t tell, but I knew the application that was using the data. So, protect the application.”
“Things like SCADA systems, IoT devices like MRI machines, wireless morphine infusion pumps… They exchange data, but people view them as assets. Then there are services like DNS, DHCP, Active Directory… These are things that need to be protected, and that’s how I tend to talk about them.
“You take a single DAAS element, put it in a single protect surface, and build your network or Zero Trust environment through the remaining steps on that single protect surface,” says John.
Step 2: Map transaction flows.
“I can’t design a network without knowing how it works,” John explains. “So each Zero Trust environment must be tailored to its protect surface. But I can’t know how the protect surface interacts with all these other systems until I map the transaction flows. How does everything work together to define this?”
In other words, you have to understand the system before you can decide how to control it. Transaction flow mapping is analogous to creating data flow diagrams, if you are familiar with those. The end result is to validate that what you defined inside your protect surface is actually what is happening on the network.
Step 3: Define your architecture.
The third of the five Zero Trust steps is to design the environment, whether cloud-based, on-premises, or hybrid. Your transaction flow maps tell you where the controls belong.
“Just looking at [the data flow] and saying, ‘I need a control here because of the way this is happening and the way I want to write the policy, because I want to make sure this thing can’t talk to that thing,’” John comments. “It shows you where to put architectural elements. …Whether it’s a next-generation firewall working as a segmentation gateway, a container security control, an endpoint control, an SD-WAN control… Whatever the control and wherever it is located, you need to understand how everything works as a system before you decide where you are going to put it.”
John shares an anecdote to illustrate the importance of taking the Zero Trust steps in sequence: “A lot of times I’m on these calls. They bring a bunch of people, and they’re all trying to position… ‘My product should go here; my product should go there.’ I’m going to leave that aside for a while, and then I’m going to say, ‘Hey, guys, what are we protecting in this system?’ And they’ll say, ‘Oh, we haven’t thought about that yet.’ That probably won’t work. You could probably put all these controls in place and it wouldn’t give you the result you want, because you don’t even know what you’re protecting first.”
Step 4: Create the Zero Trust policy.
In this fourth step, you instantiate your Zero Trust architecture as policy. “Hopefully up to Layer 7,” John warns. “Port and protocol no longer work. …Within the confines of TCP/IP, you need to go to Layer 7.”
It should be noted that this step is about the technical policy, “where the rubber meets the road”: access controls, firewall rules, and so on, as opposed to high-level governance policy promulgated by executives.
As a model for policy construction, John favors the Kipling Method: asking who, what, when, where, why, and how. For example, a “who” statement could be “Who should have access to a resource?” These questions relate to authentication and identity. A “what” statement could be “Through which application should we allow them to access a resource?” The “when” rules relate to contextual identity, and the “where” rules to the location of a resource.
“All you can do is allow or deny, but you can have massive amounts of data and very complex criteria that you use to determine whether something should be allowed or denied,” summarizes John.
Step 5: Monitor and maintain the Zero Trust environment.
This step involves verifying that your Zero Trust policy is working as you intended and correcting any deviations. Log management, machine learning, and other ways of understanding the data generated by your environment all come into play here.
“We have our own engine; we call it Event Flow,” John says. “It looks at all the events, all the data that comes into the environments that we manage. We take automated action 99% of the time, and that’s what you’re trying to do.”
“The idea is that a system under load gets stronger and stronger because it responds to that load,” John adds. “So, Zero Trust is an anti-fragile system.”
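To make the five steps concrete, here is an added example in Python that is not code from the podcast, from John Kindervag, or from Pivot Point Security. It walks a single assumed protect surface (a patient-records database) through all five steps on a constructed Layer-7 flow log: the log format, hosts, users, groups, application IDs and device postures are all invented for illustration. Step 3 is represented only as a comment, since the point there is where the enforcement point sits, and the evaluate() function plays the role of that segmentation gateway.

```python
"""Five-step Zero Trust walkthrough on constructed data.

Added example; not code from the podcast, John Kindervag or pivotpointsecurity.com.
Every host, user, application and log line is invented. The log format is an
assumed Layer-7 flow record: timestamp src_ip user posture app_id dst_ip dst_port
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Step 1: define the protect surface. One DAAS element: an assumed
# patient-records database that lives on 10.20.0.5.
PROTECT_SURFACE = {"name": "patient-records-db", "hosts": frozenset({"10.20.0.5"})}

# Constructed flow log. The app_id column is Layer-7 application identity
# (what the traffic actually is), not something inferred from the port.
FLOW_LOG = """\
2024-05-01T09:15:00 10.10.1.7 dr.smith managed ehr-web 10.20.0.5 5432
2024-05-01T09:16:00 10.10.1.7 dr.smith managed ehr-web 10.20.0.5 5432
2024-05-01T02:00:00 10.10.2.3 backup-svc managed pg-backup 10.20.0.5 5432
2024-05-01T22:30:00 10.10.1.7 dr.smith managed ehr-web 10.20.0.5 5432
2024-05-01T11:00:00 10.10.5.2 dr.smith unmanaged ehr-web 10.20.0.5 5432
2024-05-01T23:40:00 10.10.3.9 j.doe managed ssh 10.20.0.5 22
2024-05-01T10:05:00 10.10.1.8 nurse.lee managed ehr-web 10.30.0.2 443
"""

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    user: str
    posture: str   # device state reported by an assumed endpoint agent
    app: str       # Layer-7 app_id
    dst_ip: str
    dst_port: int

def parse_flow(line: str) -> Flow:
    ts, src, user, posture, app, dst, port = line.split()
    return Flow(datetime.fromisoformat(ts), src, user, posture, app, dst, int(port))

# Step 2: map transaction flows. Keep only flows that touch the protect
# surface and count each distinct (who, what, where) tuple.
def map_transaction_flows(log: str, surface: dict) -> Counter:
    flows = Counter()
    for line in log.splitlines():
        f = parse_flow(line)
        if f.dst_ip in surface["hosts"]:
            flows[(f.user, f.app, f.dst_ip, f.dst_port)] += 1
    return flows

# Step 3: architect. The map shows every path into the protect surface
# terminates at 10.20.0.5, so one enforcement point (a segmentation gateway)
# in front of that host sees all of them; evaluate() below plays that role.

# Step 4: write the policy with the Kipling Method. Every field is a
# condition, and anything not explicitly allowed is denied.
GROUPS = {"clinicians": {"dr.smith", "nurse.lee"}, "backup-jobs": {"backup-svc"}}

@dataclass(frozen=True)
class Rule:
    who: str      # identity group
    what: str     # Layer-7 app_id
    when: tuple   # allowed hours, [start, end)
    where: str    # destination host inside the protect surface
    why: str      # business justification, kept with the rule
    how: str      # required device posture

POLICY = [
    Rule("clinicians", "ehr-web", (7, 20), "10.20.0.5", "patient care via EHR", "managed"),
    Rule("backup-jobs", "pg-backup", (0, 24), "10.20.0.5", "nightly database backup", "managed"),
]

def evaluate(flow: Flow, policy=POLICY) -> tuple:
    """Return ('allow', why) for the first matching rule, else ('deny', reason)."""
    for r in policy:
        if (flow.user in GROUPS.get(r.who, ())
                and flow.app == r.what
                and r.when[0] <= flow.ts.hour < r.when[1]
                and flow.dst_ip == r.where
                and flow.posture == r.how):
            return ("allow", r.why)
    return ("deny", "default deny: no Kipling rule matched")

# Step 5: monitor and maintain. Replay the log through the policy; every
# denied flow into the protect surface is either a deviation to investigate
# or a missing rule to add, which is how the policy stays current.
def monitor(log: str, surface: dict, policy=POLICY) -> dict:
    report = {"allowed": 0, "deviations": []}
    for line in log.splitlines():
        f = parse_flow(line)
        if f.dst_ip not in surface["hosts"]:
            continue   # outside this protect surface; another policy owns it
        verdict, reason = evaluate(f, policy)
        if verdict == "allow":
            report["allowed"] += 1
        else:
            report["deviations"].append((f.ts.isoformat(), f.user, f.app, f.posture, reason))
    return report

if __name__ == "__main__":
    for key, n in map_transaction_flows(FLOW_LOG, PROTECT_SURFACE).items():
        print("flow", key, "seen", n, "times")
    for d in monitor(FLOW_LOG, PROTECT_SURFACE)["deviations"]:
        print("DEVIATION", d)
```

Three of the six flows into the protect surface are denied, each by a different Kipling dimension: the 22:30 EHR access fails the “when” window, the unmanaged device fails “how”, and the SSH session fails both “who” and “what”. The nurse.lee flow to 10.30.0.2 is ignored entirely because it is outside this protect surface; per Step 1 it belongs to a different protect surface with its own policy.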
Source: https://www.pivotpointsecurity.com/blog/5-steps-to-zero-trust/