A Little About Zero Trust – Part 1

October 13, 2020

Tweet This:
Share on LinkedIn:

By Kevin Prater, Kovarus, Practice Manager Collaboration / Network / Security

The evolution of business, distribution of assets, flexibility of dataflows and workloads, and the distributed nature of today’s workforce itself, demands that enterprises re-evaluate the way they address the securing of their organization’s assets. The adoption of cloud and multi-cloud architectures and technologies have really dissolved the traditional network perimeter, so much so that security in the form of perimeter firewalls and IPS alone really do not even scratch the surface when it comes to a solid enterprise security posture.

Would you do business with a bank that only had a lock on the front door? My guess is no. If I’m parking my hard-earned money in a bank, I want to see armed guards, I want to see security cameras inside and out. I want to see cages, vault doors, alarm panels, and people checking IDs to verify people are who they say they are and are actually authorized to be there. These multiple layers of security and a default posture of never trust and always verify is the essence of the zero-trust methodology.

The Zero-Trust Security Model

So, what are we protecting with a zero-trust model and how are we doing it? The answer is anything and everything an organization considers a valuable asset, with the goal of providing security protections as close to the asset as possible.

Traditional perimeter security provides a secure “gate” into and out of an organization but once that perimeter is passed, users (both good and bad) are typically left to move freely within the network. With zero-trust we move security measures closer to the strategic asset we’re securing against unwanted, unauthorized, or unregulated lateral movement. We are, in essence, creating a secure perimeter around each server, system, application, etc. — never trusting and always verifying.

Never Trust, Always Verify

So, with zero trust we take it beyond just implementing least privilege access. We start off with zero privilege. None. Denied. We start with a default “never trust” and then we selectively add permissions only to the point that the user can perform whatever task or function they are authorized to do. To take it one step further, we always verify. Meaning that even though I’ve already checked your credentials and I trusted you then, doesn’t necessarily mean that I’m going to trust you now or 5 minutes from now. A zero-trust environment requires continuous identification, verification and monitoring.

Now some may think, this is going to bring their organization to a screeching halt and stifle the flow of business. But that’s not true. Zero-trust can actually be a business enabler. A zero-trust model gives you a portable security posture; no matter where your business assets may reside, whether it be on premises, in the cloud, multiple clouds, or any combination thereof. And it can actually decrease complexity for your organization by allowing you to apply a predictable and scalable security strategy as well as allow you to leverage automation technologies for things like configuration management, policy enforcement, and orchestration.

Business Benefits

There are a number of benefits that come along with adopting a zero-trust architecture. A few include:

  • Greater Visibility
    Blind spots within your network are something that organizations struggle with constantly. By its very nature a zero-trust architecture provides protections even in your blind spots in addition to adding increased visibility into user activity.
  • Greater Control in the Cloud
    With the default of never trust, always verify, it doesn’t matter where your applications reside and to retain your enterprise security protections.
  • Speed and Agility
    Scalable security posture and policy enforcement.
  • Compliance and Audits
    Helps to remove any ambiguity into your network’s activities for administrators and auditors.

Where to Begin

“OK great, but it sounds complicated so where do I start?” We really need to begin with a solid understanding of your environment. What systems do you need to protect, what applications are you running, and where is that data stored? Are your applications on-prem or in the cloud? What do your dataflows look like north-south and east-west? What do your user traffic patterns look like? We need to start pulling together a full inventory of what you have and what you want to protect.

With that understanding, we’ll need to start mapping out how are those various pieces work together. How do those applications interact with each other? How do they interact with users? How do users interact with them? These sorts of data points are critical to building a foundation of a good zero-trust architecture.

In part 2 of this article, we’ll dive even deeper into the business challenges and benefits a zero-trust architecture will provide and detailed next steps on how you can start securing your organization.

Let’s continue the conversation!  Connect with me via email or Webex Teams! You can find me at kprater@kovarus.com.

Looking to learn more about modernizing and automating IT? We created the Kovarus Proven Solutions Center (KPSC) to let you see what’s possible and learn how we can help you succeed. To learn more about the KPSC go to the KPSC page.

Also, follow Kovarus on LinkedIn for technology updates from our experts along with updates on Kovarus news and events.