The Mindset
One of the current trends in IT security that gets a lot of press and discussion is the idea of zero trust. Zero trust, however, is really a philosophy, not a plan of action. Specifically, zero trust is the philosophy that all IT resources, whether internal or external, should be treated as untrusted or even potentially compromised. While this philosophy is simple, applying it to a live environment can be anything but simple! Adopting a zero trust mindset requires a holistic approach to security and good cooperation between all stakeholders in the organization in order to execute on this philosophy. This even extends beyond the technology infrastructure and onto the employees and even organizational policies themselves.
It’s important to keep in mind that the threat landscape is always changing – what may have been good practice five years ago may not be so today. This is what drove us at Crossconnect to develop a series of posts laying out how to adopt a zero trust philosophy in your organization.
Getting Started
This series will explore various aspects of technology infrastructure with an eye towards how things are built when done so with a zero trust mindset. Before we get into those details, it’s always best to take some time to think about the big picture questions – many of the areas of security that we’ll talk about will have options that range from ‘very simple’ to ‘year-long project.’ Being able to figure out where effort needs to be made will go a long way towards creating an effective security infrastructure for your organization.
Foundations of Zero Trust Philosophy
The first step in planning is to think about the capabilities of your organization and the threats you’re likely to face. Many threats are industry or organization specific, but there are some that are universal. First, of course, is ransomware – probably the biggest general threat most organizations will face. Fraud and theft also rank high in terms of general threats. Sometimes, the organization’s data itself is the target – there are plenty of groups out there who want confidential information for any number of reasons, even just to leak to the public. And finally, compromising your organization may be done so that the bad actors can gain access to a 3rd party’s network via yours – think contractors and other service providers.
Next, look at your internal capabilities. Security is, unfortunately, time-consuming to manage. As such, it gets hard to manage some solutions with limited staff and budget. Consider what your organization is capable of managing and monitoring when looking at security products and services – a simple but well-managed system is going to be more effective than a very capable, yet complex and maintenance-intensive system that gets neglected.
Once you have a good understanding of what your threats and capabilities are, then it’s time to build a plan. The core of a security plan is to look at the applications in use, files/information that needs access, and the infrastructure that they run on, then figure out who/what needs access. The goal is to limit access for any device, user, or application to only the resources it needs.
Zero Trust Philosophy Index
This series will explore the areas of security that need to be addressed in order to make your plan a reality and to discuss specific areas of focus on how to apply a zero trust mindset.
- Datacenter
- Route/switch
- Features that ensure integrity of network operations
- Wireless
- Capabilities for detection and mitigation of RF based attacks
- Endpoint
- Network Access Control (NAC) – Ensuring that endpoint activity is controlled and that security threats are detected and mitigated before an exploit can occur
- Network Security
- Ensuring that all traffic through the network is controlled and monitored for malicious activity
- Cloud Security
- Ensuring that user to cloud access is controlled and that cloud resources are appropriately provisioned and accounted for.
- The Human Factor
- Ensuring that end users are aware of security issues and responsible for their security choices.