Zero Trust Architecture is all about providing a much higher level of security for your users, devices and data than we've had in the past. The key concept is to only provide access strictly where it is required - hence the "Zero Trust". In this blog, we'll take a look at how you can approach a ZTA deployment.
A ZTA deployment is all about understanding how your network operates, the users and devices connecting and the data (workloads) that those users and devices will be connecting with.
We'll start with the 'three W's' model and then move on to the approach to deploying Zero Trust.
Components of Zero Trust
So, where do you start on your journey with Zero Trust? You need to break up the network - and its uses (and users) - into some key components.
There are three key components of Zero Trust – the three W’s:
- Workforce: Trust allocated to both users and devices:
  - Securing local and remote access
  - Least privilege control for all users
The workforce combines the people and equipment which connect to your network. Your end users connect with a variety of devices these days and from a variety of locations - especially home offices, where company networks have now become greatly dispersed.
- Workloads: Access from users and devices to workloads (data), based upon their context and business need:
  - Secure multi cloud access and cloud security
You next need to consider your users' actual access requirements. Does every user need to access every file, or should data be segmented on a need-to-know basis? (Hint: it's the latter.)
Workloads are highly distributed these days - being spread across multiple cloud providers is quite typical - so your ZTA architecture needs to take into account the data location and not just how to secure your office network.
- Workplace: Where a user connects from, and what they connect to:
  - Network visibility and segmentation
The final 'W' is the Workplace. The concept of a person's workplace has greatly changed over the last year - working from home for some of the week is the norm now, and your end users having home and office machines (or laptops that move around) presents an even greater risk when securing your network and endpoints.
There you have it - in summary, the key components of your ZTA architecture are:
- Workforce: People and Devices
- Workloads: Data that your staff access
- Workplace: Where and how your end users connect
Approach to deploying Zero Trust
So once you've identified your key elements (your three 'W's), you'll need to form up a plan for your deployment.
It's going to take time and a lot of planning. Some architectural changes in your network (such as SDA Fabric) are big changes, and while they provide some great new features (micro segmentation is a key one), there is real effort in bringing these changes to fruition.
Let's take a look at the deployment strategy:
Stage 1: Develop the strategy
It kind of goes without saying that Stage 1 is bound to be developing the strategy in the first place! You're not going to want to make major network changes without knowing the end game.
At this stage, you want to identify the three 'W's' of your network (Workforce, Workloads and Workplace), as well as the type of technologies you're going to use. This occurs at multiple layers, dictated by the exact set of three W's that you have.
It will certainly include:
- A network architecture strategy
- A cloud strategy
- How your users connect (and from which devices)
- How to secure the end devices
- Monitoring and incident responses
Stage 2: Identify sensitive and mission critical workflows
Identifying your critical and sensitive flows is next. Think of this as a diagram showing things like:
- Accounts is allowed to access financial data
- HR can access the payroll data from accounts, as well as personal HR data
- Sales have access to customer data, as well as financial data on job costing
- Engineers are able to see only data on the specific accounts they are working on
These are just examples to get you started on identifying the relevant flows - they're different for every business.
Stage 3: Establish user and device trust
Next up is to decide the trust you want to allocate. This is typically undertaken with end user and device certificates, to be able to uniquely identify each user - this is their Identity. Attached to this identity are the policies for what this user - and device - are allowed to do.
For example, apart from the data they access, how will you secure the end point? Will you let OneDrive be deployed on devices you don't own? Will USB keys be allowed? What end point protection do you need and how will you monitor it?
Stage 4: Implement trust policies and micro segmentation
Finally we get to the implementation. By this point you will, of course, have selected the specific manufacturers and tools that you will be deploying.
Some examples might be:
- Network Architecture: SDA Fabric
- Segmentation Technology: Micro Segmentation
- End Point Protection: Cisco AMP for Endpoints
- DNS and Secure Internet Gateway: Cisco Umbrella
In the Microsoft space, you have a range of tools to assist in security, with Secure Score and Cloud security tools being prevalent.
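To make Stages 2 to 4 concrete, here is an added example (not code from the original post) that writes the flows listed under Stage 2 down as data, requires user and device trust from Stage 3 before any flow is considered, and enforces least privilege with a default deny. The roles, workload names and certificate/posture flags are constructed placeholders standing in for whatever your identity and endpoint tooling actually reports.

```python
"""Least-privilege flow policy with default deny (added illustration)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Stage 2 output: the allowed flows, written down as data. Anything not
# listed here is denied - the "zero" in Zero Trust.
ALLOWED_FLOWS = {
    "accounts":  {"financial-data", "payroll-data"},
    "hr":        {"payroll-data", "hr-personal-data"},
    "sales":     {"customer-data", "job-costing"},
    "engineers": {"account-data"},   # further scoped per account below
}

@dataclass(frozen=True)
class Identity:
    user: str
    role: str
    device_cert_valid: bool          # Stage 3: device certificate checked
    user_cert_valid: bool            # Stage 3: user certificate checked
    device_managed: bool             # corporate-owned, endpoint protection present
    accounts: frozenset = frozenset()   # accounts an engineer is assigned to

@dataclass(frozen=True)
class Request:
    identity: Identity
    workload: str
    account: Optional[str] = None

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Trust is established before any flow is
    looked up; an unknown role or workload falls through to deny."""
    ident = req.identity
    if not (ident.user_cert_valid and ident.device_cert_valid):
        return False, "untrusted user or device certificate"
    if not ident.device_managed:
        return False, "unmanaged device"
    allowed = ALLOWED_FLOWS.get(ident.role, set())
    if req.workload not in allowed:
        return False, f"no flow {ident.role} -> {req.workload}"
    # Engineers only see the accounts they are working on (need to know).
    if ident.role == "engineers":
        if req.account is None or req.account not in ident.accounts:
            return False, "account not assigned to this engineer"
    return True, "allowed"
```

The reason string is what you would log for Stage 5: denials that cluster on one identity or one workload are the signal that a flow is missing from the diagram or that something is probing for access it should not have.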
Stage 5: Embrace automation, orchestration and analytics
This is the interesting stage! There are a ton of new technologies that embrace Artificial Intelligence and Machine Learning - these technologies allow for smart baselining of the network (which is way smarter than simple threshold-based alerting).
Baseline monitoring now uses a lot of logic to determine anything that drifts from the normal baseline, and not just a threshold breach.
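The difference between a threshold breach and drift from a learned baseline is easiest to see side by side. This added example (not from the original post) compares the two over constructed sample data: daily counts of sensitive files opened per identity, where a low-volume engineer suddenly opens far more files than usual without ever crossing the static limit.

```python
"""Static threshold vs. per-identity baseline drift (added illustration)."""
from statistics import mean, pstdev

# Constructed history: sensitive files each identity opened per day, last 7 days.
HISTORY = {
    "hr-bob":    [40, 42, 38, 45, 41, 39, 43],   # payroll clerk, busy every day
    "eng-alice": [2, 3, 1, 2, 2, 3, 2],          # normally touches a few files
}
# Constructed "today": alice has jumped to 30, still under the static limit.
TODAY = {"hr-bob": 44, "eng-alice": 30}

STATIC_THRESHOLD = 50   # a classic "alert if more than N files" rule

def threshold_alerts(today, threshold=STATIC_THRESHOLD):
    """Old-style alerting: one fixed number for everyone."""
    return {user for user, count in today.items() if count > threshold}

def baseline_alerts(history, today, z=3.0, floor=1.0):
    """Flag any identity whose activity drifts more than z standard
    deviations from its own learned baseline. `floor` keeps a near-flat
    history from producing a zero standard deviation."""
    alerts = {}
    for user, count in today.items():
        past = history.get(user)
        if not past:
            alerts[user] = "no baseline yet"   # an unknown identity is itself a signal
            continue
        mu = mean(past)
        sigma = max(pstdev(past), floor)
        score = (count - mu) / sigma
        if abs(score) > z:
            alerts[user] = f"z={score:.1f} vs baseline {mu:.1f}"
    return alerts
```

With the sample data the static rule stays silent, while the baseline rule flags eng-alice and leaves hr-bob alone, which is exactly the drift the post is describing.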
Zero Trust Deployment: Summary
The deployment of Zero Trust is all about understanding how your network operates - the devices, users and flows. From here, you can divide up the network and decide what access users and devices have - granted on a need-to-know basis (hence the "Zero Trust") - and then move into the baselining and monitoring phases.
The deployment of ZTA follows a process of planning, defining, implementing and monitoring.
In terms of benefits, ZTA ensures that any bad actors who gain access to your network are limited in the scope of what they can do. The segmentation of data ensures that this is the case.