Security teams responsible for protecting businesses are constantly challenged by a rapidly changing threat environment. The value of digital assets continues to grow, but the vulnerability footprint is also expanding as mobile, cloud and BYOD break down traditional forms of perimeter protection. Attacks change faster than traditional defenses can repel them, and security teams are understaffed and equipped with ineffective tools that focus more on siloed defenses than on analytics-based insights.
Traditionally, organizations have relied on the “castle and moat” principle of perimeter security, but more recently security strategies have begun to be designed around the concepts of de-perimeterization and zero trust. De-perimeterization originally stems from the work of the Jericho Forum in 2004 and, per Wikipedia, involves “protecting an organization’s systems and data at multiple levels using a mix of encryption, secure computer protocols, secure computer systems, and data-level authentication, instead of the organization relying on its network boundary to the Internet.” Over time this evolved, through the work of John Kindervag while at Forrester, into what was presented to the world as zero trust.
At a high level, the zero trust tenets are fairly simple to understand:
- Focus security controls within your organization by shrinking trust zones and eliminating the idea of implicit trust based on location
- Identify users, devices, and workloads, and make sure each one is authenticated and authorized before it accesses resources
- Continuously monitor the environment to detect both advanced attacks and changes in context
Or, in other words: design your network from the inside out, always verify, never trust, and log everything. Combining these concepts with the idea of “assuming breach” leads to the conclusion that the enterprise is a hostile environment in which trust must be continually verified and granted or revoked as necessary.
But while every network and security vendor today offers a zero trust solution, each of these is a point solution built around that vendor’s strengths, whether that is network access control, application allow-listing or workload verification. For a company to reset its concept of trust holistically across the organization, zero trust should not be evaluated as a series of siloed technologies but as a new approach to security architecture. At HPE Pointnext Services, we address this by adopting a business-led approach to zero trust.
A business-led approach means taking a step back from technology solutions and first understanding why a company wants to embrace zero trust, or what the security team is striving to achieve by delivering a zero trust architecture to the business. The business-driven approach begins with an in-depth review of business processes to gain visibility into the current state of operations, and then uses this background information as part of a gap analysis to determine the desired future state of operations. With this information in hand and the concepts of zero trust in mind, it becomes much clearer where zero trust can add value and where the potential quick wins and business use cases for adopting it lie.
It is important to understand that zero trust, just like Rome, is not something that can be built in a day. Typically, there are three deployment models that we see our customers considering. The first is the greenfield deployment. It is not common, as few organizations are able to start a new security architecture from scratch, although we have seen a few cases where customers are building a new data center and want to apply zero trust principles throughout the data center design. Another model is the cloud-based model, in which an organization uses zero trust to build an in-cloud trust model; this is in itself a very strong driver for zero trust and very important for cloud-native application development. The last and most common approach is the hybrid model, where the initial deployment aims to create rapid added value and build momentum for further initiatives.
The concept of zero trust is also much broader than just the network, and to achieve an enterprise-wide approach, five key tenets must be addressed to succeed: device trust, user trust, application trust, data trust, and session trust. While this goes beyond the “traditional” view that zero trust is best addressed at the network level, extending the concept to all layers of the technology stack allows the strategy to take a much more holistic approach.
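As an added example (not from the article or from HPE), the following Python sketch evaluates a single access request against the five trust domains named above (device, user, application, data, session) and ignores network location, re-evaluating whenever the context changes; the policy tables, user names and request fields are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """Everything the policy needs for one request (constructed fields)."""
    user: Optional[str]     # user trust: authenticated identity, None if unauthenticated
    device_managed: bool    # device trust: enrolled and compliant
    app_verified: bool      # application trust: workload identity attested
    data_class: str         # data trust: classification of the requested data
    session_age_s: int      # session trust: seconds since last strong authentication
    source_network: str     # recorded for logging only, never used for the decision


# Constructed policy: who may read each data class, and how fresh the session must be
ALLOWED = {"public": {"alice", "bob"}, "confidential": {"alice"}}
MAX_SESSION_AGE_S = {"public": 8 * 3600, "confidential": 15 * 60}


def evaluate(ctx: Context) -> Tuple[bool, List[str]]:
    """Return (allowed, failures). Every trust domain must pass; location is ignored."""
    failures = []
    if ctx.user is None:
        failures.append("user: not authenticated")
    if not ctx.device_managed:
        failures.append("device: posture not verified")
    if not ctx.app_verified:
        failures.append("application: workload identity not attested")
    if ctx.data_class not in ALLOWED:
        failures.append(f"data: unknown classification {ctx.data_class!r}")
    elif ctx.user is not None and ctx.user not in ALLOWED[ctx.data_class]:
        failures.append(f"data: {ctx.user!r} not authorized for {ctx.data_class}")
    limit = MAX_SESSION_AGE_S.get(ctx.data_class)
    if limit is not None and ctx.session_age_s > limit:
        failures.append("session: re-authentication required")
    return (not failures, failures)


def reevaluate_on_change(ctx: Context, **changes) -> Tuple[bool, List[str]]:
    """Continuous monitoring: any context change mid-session forces a fresh decision."""
    return evaluate(replace(ctx, **changes))


if __name__ == "__main__":
    # Constructed request: a compliant user on the corporate LAN
    req = Context("alice", True, True, "confidential", 60, "corp-lan")
    print("initial:", evaluate(req))
    # Same user, same network, but the device drops out of compliance mid-session
    print("after posture change:", reevaluate_on_change(req, device_managed=False))
```

Because `source_network` is carried only for logging, the same request is approved from the corporate LAN and from public Wi-Fi, while a device that falls out of compliance mid-session is denied on re-evaluation.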
The initial assessment of the current situation must therefore take into account a number of things to get a comprehensive picture of the current environment, including business processes, asset inventory, security control and architecture assessment, the security management model and IT security strategy, and last but not least future business and growth initiatives. The result of the assessment is the beginning of the organization’s zero trust strategy, which follows four main pillars:
- Future-proof: a new way of implementing security policies that provides resilience to changes in information technology or business strategy
- Risk-conscious: includes many initiatives and use cases, all of which aim to reduce organizational risk
- Flexible: defined with the right level of precision, leaving room to build and adapt as the business evolves
- Proven design: a planned security approach that follows industry best practice and organizational objectives, and is supported from the outset by senior stakeholders
HPE Pointnext has already helped customers around the world build business-centric zero trust security strategies with our security analysis and roadmap service. To find out how we can help your business, contact your local Pointnext representative or click on any of the resources below.