October 4, 2022
Finding Your Path to Zero Trust
In 2020 we wrote a blog post introducing Zero Trust as a concept of modern borderless data security that would help companies looking to support their newly remote workforce long term. That article proved timely as many organizations began their Zero Trust journeys as the pandemic took remote work from “nice to have” to imperative for operations. Since that time, the term Zero Trust has been popping up in marketing materials everywhere! From identity vendors, to traditional VPN providers, to new SASE products, everyone seems to be able to do Zero Trust.
Make no mistake: an IT infrastructure that embraces a Zero Trust methodology is not something that can be bolted on using a new software product. The implementation of Zero Trust goes beyond technology to organizational decisions about device posture, user authorization, and data classification. Many organizations will need new or additional software to fully implement Zero Trust for their assets, but those purchases should be part of an organizational assessment of the prioritized needs for migrating to Zero Trust, not the result of a sales pitch.
How do organizations organize and plan their journey to a Zero Trust architecture (ZTA)?
The UK’s National Cyber Security Centre has released their own architecture design document to implement Zero Trust.
This architecture document distills the path to Zero Trust into 8 points:
- Know your architecture, including users, devices, services and data
- Know your User, Service and Device identities
- Assess your user behaviour, devices and services health
- Use policies to authorise requests
- Authenticate & authorise everywhere
- Focus your monitoring on users, devices and services
- Don’t trust any network, including your own
- Choose services designed for zero trust
While these steps detail the overarching process to migrate to a Zero Trust architecture, the journey can be long, especially for those with infrastructure already deployed. The US’s National Institute of Standards and Technology (NIST) recognizes this and states:
“Migrating an existing workflow to a ZTA will likely require (at least) a partial redesign. Enterprises may take this opportunity to adopt secure system engineering [SP800-160v1] practices if they have not already done so for workflows.”
This may leave you wondering: is Zero Trust even worth it? Will your organization ever recover the cost of implementing Zero Trust when you will probably have to redesign your workflows?
While each organization will need to make this decision on its own, consider that the security benefits of operating a borderless (or micro-border) architecture vastly outweigh those of traditional moat-based perimeter security models. The security offered by a Zero Trust architecture also enables organizations to empower their people to work from any location and have confidence that their data and systems remain secure!
Want to learn more about Johnson Lambert’s journey to Zero Trust? Feel free to contact us here.