Zero Trust Architecture is all about providing a much higher level of security for your users, devices and data than we've had in the past. The key concept is to only provide access strictly where it is required - hence the Zero Trust. In this blog, we'll take a look at how you can approach a ZTA deployment.
A ZTA deployment is all about understanding how your network operates, the users and devices connecting and the data (workloads) that those users and devices will be connecting with.
We'll start with the 'three W's' model and then move on to the approach to deploying Zero Trust.
So, where do you start on your journey with Zero Trust? You need to break up the network - and its uses (and users) - into some key components.
There are three key components of Zero Trust - the three W's: Workforce, Workloads and Workplace.
The workforce combines the people and equipment which connect to your network. Your end users connect with a variety of devices these days and from a variety of locations - especially home offices, now that company networks have become greatly dispersed.
You next need to consider your users' actual access requirements. Does every user need to access every file, or should data be segmented on a need-to-know basis? (Hint: it's the latter.)
Workloads are highly distributed these days - being spread across one or more cloud providers is quite typical, so your ZTA architecture needs to take into account the data location and not just how to secure your office network.
The final 'W' is the Workplace. The concept of a person's workplace has greatly changed over the last year - working from home for some of the week is the norm now, and your end users having home and office machines (or laptops that move around) presents an ever greater risk for securing your network and end points.
There you have it - in summary, the key components of your ZTA architecture are the three W's: Workforce, Workloads and Workplace.
So once you've identified your key elements (your three 'W's), you'll need to form a plan for your deployment.
It's going to take time and a lot of planning. Some architectural changes in your network (such as SDA Fabric) are big changes, and while they provide some great new features (micro segmentation is a key one), there is real effort in bringing them to fruition.
Let's take a look at the deployment strategy:
It almost goes without saying that stage 1 is to develop the strategy in the first place! You're not going to want to make major network changes without knowing the end game.
At this stage, you want to identify the three 'W's' of your network (Workforce, Workloads and Workplace), as well as the type of technologies you're going to use. This occurs at multiple layers, dictated by the exact set of three W's that you have.
It will certainly include:
Identifying your critical and sensitive flows is next. Think of this as a diagram showing things like:
These are just examples to get you started on identifying the relevant flows - they're different for every business.
Stage 3: Establish user and device trust
Next up is to decide the trust you want to allocate. This is typically undertaken with end user and device certificates, to be able to uniquely identify each user - this is their Identity. Attached to this identity are the policies for what this user - and device - are allowed to do.
For example, apart from the data they access, how will you secure the end point? Will you let OneDrive be deployed on devices you don't own? Will USB keys be allowed? What end point protection do you need and how will you monitor it?
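As an added illustration of this stage (not code from the original post, and not how any particular vendor product implements it), here is a small policy decision point in Python. It assumes identity arrives as X.509 subject strings for the user and the device (constructed here, with chain validation assumed to have happened at the TLS layer), that device posture is reported by an endpoint agent as a simple record, and that each resource is labelled with a data classification. The role names, resource names and rules are all constructed for the example. The default is deny: a user only reaches data they have a need to know, a device that fails a posture check gets nothing, and named services such as the OneDrive sync client are refused on devices the company does not own.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Posture:
    """Device state as reported by an endpoint agent (constructed input)."""
    corporate_owned: bool
    endpoint_protection_running: bool
    disk_encrypted: bool
    usb_storage_blocked: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed policy: the data classifications each role has a need to know.
ROLE_ACCESS: Dict[str, set] = {
    "finance": {"public", "internal", "finance-confidential"},
    "engineering": {"public", "internal", "source-code"},
    "contractor": {"public"},
}

# Constructed inventory: each resource carries one classification.
RESOURCE_CLASS: Dict[str, str] = {
    "intranet-wiki": "internal",
    "payroll-share": "finance-confidential",
    "git-server": "source-code",
    "onedrive-sync": "internal",
}

# Classifications and named services that may only be reached from a
# company-owned device, however well a personal device scores on posture.
CORPORATE_DEVICE_ONLY = {"finance-confidential", "source-code", "onedrive-sync"}


def parse_subject(subject: str) -> Dict[str, str]:
    """Split an X.509 subject such as 'CN=alice,OU=finance,O=Example' into fields.

    Certificate chain validation is assumed to have already happened before
    this point; this only reads the attributes a validated subject carries.
    """
    fields: Dict[str, str] = {}
    for rdn in subject.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep:
            fields[key.upper()] = value
    return fields


def posture_failure(p: Posture) -> Optional[str]:
    """Return the first failing endpoint check, or None if the device is trusted."""
    if not p.endpoint_protection_running:
        return "endpoint protection not running"
    if not p.disk_encrypted:
        return "disk not encrypted"
    if not p.usb_storage_blocked:
        return "USB mass storage not blocked"
    return None


def decide(user_subject: str, device_subject: str, posture: Posture,
           resource: str) -> Decision:
    """Default-deny decision: user identity, device identity and posture must all pass."""
    user = parse_subject(user_subject)
    device = parse_subject(device_subject)
    if "CN" not in user or "CN" not in device:
        return Decision(False, "unidentified user or device")
    if resource not in RESOURCE_CLASS:
        return Decision(False, f"unknown resource {resource!r}")
    failure = posture_failure(posture)
    if failure:
        return Decision(False, f"device {device['CN']}: {failure}")
    role = user.get("OU", "").lower()
    classification = RESOURCE_CLASS[resource]
    if classification not in ROLE_ACCESS.get(role, set()):
        return Decision(False, f"role {role or 'none'} has no need to know for {classification}")
    if not posture.corporate_owned and (
            classification in CORPORATE_DEVICE_ONLY or resource in CORPORATE_DEVICE_ONLY):
        return Decision(False, f"{resource} requires a corporate-owned device")
    return Decision(True, f"{user['CN']} on {device['CN']} -> {resource} ({classification})")


if __name__ == "__main__":
    managed = Posture(True, True, True, True)
    home_pc = Posture(corporate_owned=False, endpoint_protection_running=True,
                      disk_encrypted=True, usb_storage_blocked=True)
    alice = "CN=alice,OU=finance,O=Example"
    laptop, home = "CN=laptop-042,O=Example", "CN=home-pc"
    for res, dev, post in [("payroll-share", laptop, managed),
                           ("git-server", laptop, managed),
                           ("onedrive-sync", home, home_pc),
                           ("intranet-wiki", home, home_pc)]:
        print(res, decide(alice, dev, post, res))
```

The ordering of the checks is deliberate: device identity and posture are evaluated before the role lookup, so an unmanaged or unhealthy endpoint is refused even for a user whose role would otherwise qualify, and every denial carries a reason that can be logged for later review.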
Stage 4: Implement trust policies and micro segmentation
Finally we get to the implementation. You will of course have selected the specific manufacturers and tools that you will be deploying.
Some examples might be:
In the Microsoft space, you have a range of tools to assist in security, with Secure Score and Cloud security tools being prevalent.
Stage 5: Embrace automation, orchestration and analytics
Cisco DNA Center has an AI engine to allow exactly this type of analytics.
Baseline monitoring now uses a lot of logic to detect anything that drifts from the normal baseline, rather than just a threshold breach.
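To make the difference between a threshold breach and baseline drift concrete, here is an added Python example. It is not from the original post and is not how Cisco DNA Center or any other product does it. It keeps, per source host, a rolling baseline of hourly byte volume and the set of destination segments seen, and raises an alert when a record sits more than three standard deviations from that baseline or touches a segment the host has never used before. The hourly flow records, host name and segment names are constructed inline.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev
from typing import Deque, Dict, List, Set

STATIC_THRESHOLD_BYTES = 5_000_000   # a classic "threshold breach" alert line
WINDOW = 24                          # hours of history kept per source host
SIGMA = 3.0                          # distance from the baseline that counts as drift


class FlowBaseline:
    """Per-source rolling baseline of hourly byte volume and destination segments."""

    def __init__(self, window: int = WINDOW, sigma: float = SIGMA):
        self.window = window
        self.sigma = sigma
        self.volumes: Dict[str, Deque[int]] = defaultdict(lambda: deque(maxlen=window))
        self.segments: Dict[str, Set[str]] = defaultdict(set)

    def observe(self, src: str, dst_segment: str, nbytes: int) -> List[str]:
        """Return alerts for one hourly record, then fold the record into the baseline."""
        alerts: List[str] = []
        if nbytes > STATIC_THRESHOLD_BYTES:
            alerts.append(f"{src}: static threshold exceeded ({nbytes} bytes)")
        history = self.volumes[src]
        # Only judge drift once a full window of normal behaviour has been learned.
        if len(history) >= self.window:
            mu, sd = mean(history), pstdev(history)
            if sd > 0 and abs(nbytes - mu) > self.sigma * sd:
                alerts.append(f"{src}: volume drift {nbytes} vs baseline {mu:.0f}+/-{sd:.0f}")
            if dst_segment not in self.segments[src]:
                alerts.append(f"{src}: new destination segment {dst_segment}")
        history.append(nbytes)
        self.segments[src].add(dst_segment)
        return alerts


def run_demo() -> List[str]:
    """Feed constructed hourly flow records for one workstation and collect alerts."""
    baseline = FlowBaseline()
    # 24 hours of ordinary traffic: roughly 1.0-1.2 MB/hour to the file-server segment.
    records = [("ws-17", "fileserver-seg", 1_000_000 + (h % 5) * 50_000) for h in range(24)]
    # Hour 25: 2.5 MB to the usual segment. Far below the static threshold,
    # yet well outside the learned baseline.
    records.append(("ws-17", "fileserver-seg", 2_500_000))
    # Hour 26: a normal volume, but to a segment this host has never touched.
    records.append(("ws-17", "payroll-seg", 1_000_000))
    alerts: List[str] = []
    for src, seg, nbytes in records:
        alerts.extend(baseline.observe(src, seg, nbytes))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Neither of the two events in the constructed data would fire the static 5 MB threshold, but both are reported against the learned baseline, which is the point the post is making: the alert comes from a change in the host's own behaviour, not from crossing a fixed line.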
The deployment of Zero Trust is all about understanding how your network operates - the devices, users and flows. From here, you can divide up the network and decide what access users and devices have - granted on a need to know basis (hence the Zero Trust) and then move into the baselining and monitoring phases.
The deployment of ZTA follows a process of planning, defining, implementing and monitoring.
In terms of benefits, ZTA ensures that any bad actors who gain access to your network are limited in the scope of what they can do. The segmentation of data ensures that this is the case.