Zero trust has emerged as a key IT security policy that is designed to help organizations be more secure by essentially assuming a breach has already occurred and requiring a user, device, application and transaction to be authenticated and verified each time they access an application, not just at the network perimeter.
However, implementing zero trust can seem like a daunting task, given that zero trust is a policy and not a single tool or solution that delivers that level of security all at once. An organization’s zero trust strategy should be constantly evolving and becoming more secure over time. There are a variety of different technologies and solutions that are designed to address zero trust principles, but there is not one solution that achieves them all.
That’s why we spoke to Chalan Aras, managing director of Deloitte’s Cyber and Strategic Risk unit, about where organizations should begin on their zero-trust journey. The interview comes after Deloitte released the results of a survey on challenges of zero trust adoption, which found that compatibility issues with legacy systems is the greatest challenge to zero trust adoption.
Solving those complex issues and implementing zero trust can seem challenging, but IT leaders can begin their organization’s zero trust journey and take first steps in a few key areas, Aras says.
Assess the current infrastructure
According to Aras, organizations should begin by assessing their current IT infrastructure, which has undoubtedly changed and become more complex over the last few years as organizations adopted cloud solutions in response to the pandemic and remote work.
In addition, changes to company structure such as mergers, growth or divestitures can make IT environments even more complex. This mix of legacy systems and cloud technologies makes visibility so much more important, Aras says.
“Not every IT leader has a full picture of what they have,” Aras says. “I think it’s a good investment of time and resources to get a basic landscape of where you are.”
In addition to zero trust considerations, assessing the current IT environment can give IT leaders a better sense of where security gaps exist, which can be addressed before embarking on a zero-trust journey.
Identity and access management
After developing an overview of the current IT infrastructure, a good place to start implementing zero trust policies is identity and access management. According to Aras, zero trust is heavily driven by securing identities, so IT’s first step should be defining those users and assigning them profiles and groups based on their level of access.
Aras calls that work a “foundational element” of zero trust architecture. Deloitte’s survey also found that identity and access management was the second most important priority when implementing zero trust. First was data security, but Aras calls data insecurity the consequence of insecure identities.
Controlling and securing identities is what enables better data security, because identity is what governs who can access that data.
“Before the pandemic, you didn’t know who was doing what, and people could be copying and downloading valuable enterprise data,” Aras says. “Data security is the outcome, but to get there, you need identity and access management.”
Identity profiling, role definitions and application mapping should then be implemented on a modern identity system, Aras says.
Virtual private networks (VPNs) were once thought to be a viable secure remote access solution for enterprises, but they can’t scale or provide sufficient security for distributed workforces, experts say. That’s why Aras says eliminating VPNs in favor of zero trust-based access is a common first step in implementing zero trust.
According to Palo Alto Networks, VPNs were designed to grant complete access to a LAN via a private, encrypted tunnel for remote employees to connect to the corporate network. However, this then gives a user access to anything on the network, leading to security gaps and policy enforcement issues, as well as a lack of visibility into a user’s access.
IT analyst firm Gartner, for example, says Zero Trust Network Access (ZTNA) is quickly eliminating the need for VPNs for secure access, with the analyst firm predicting that by 2025, 70% of new remote access deployments will be served by ZTNA compared to VPN services.
“VPN elimination to zero trust-based access tends to be a very high-value first change,” Aras says. “At that moment you gain better visibility and you can apply things like continuous authorization and reviews, and you can apply fine-grained policies.”
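The contrast Aras draws, as an added example that is not from the article or Deloitte: a VPN-style check that only asks whether the user is on the tunnel, next to a zero trust-style check that re-evaluates group-to-application mapping and device context on every request. The directory, application mapping and device fields are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample identity profiles: user -> groups assigned by access level (assumption).
GROUPS = {"alice": {"finance", "staff"}, "bob": {"staff"}, "contractor-1": {"vendor"}}

# Constructed application mapping: application -> groups allowed to reach it (assumption).
APP_GROUPS = {"payroll": {"finance"}, "wiki": {"staff"}, "ticketing": {"staff", "vendor"}}


@dataclass
class Request:
    """One access request carrying the context a zero trust policy can act on."""
    user: str
    app: str
    device_managed: bool      # hypothetical device-posture signal
    mfa_age_minutes: int      # minutes since the user last proved identity


def vpn_style_access(user, app):
    """VPN model from the article: once the user is on the tunnel, every
    application on the network is reachable. Nothing per-app is checked."""
    return user in GROUPS and app in APP_GROUPS


def ztna_access(req, max_mfa_age=60):
    """Zero trust model: each request re-checks identity, application mapping
    and device context, and returns (decision, reason) for logging."""
    groups = GROUPS.get(req.user, set())
    allowed = APP_GROUPS.get(req.app, set())
    if not groups & allowed:
        return False, "no group maps to application"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.mfa_age_minutes > max_mfa_age:
        return False, "continuous authorization: re-authentication required"
    return True, "allowed"


def access_review(app):
    """Periodic access review: which identities currently map to an application."""
    allowed = APP_GROUPS.get(app, set())
    return {user for user, groups in GROUPS.items() if groups & allowed}
```

The reason string is what the ZTNA decision log gains over the VPN model, where a denied or over-broad access leaves no per-application record.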
Where SASE fits in
Much has been made of secure access service edge (SASE) deployments in recent headlines as tech vendors begin to release all-in-one, single-vendor SASE solutions designed to take the complexity out of the equation.
While zero trust is a strategy or policy designed to eliminate automatic trust from a network by scrutinizing access at a granular level, SASE is the technical framework with which organizations can move closer to zero trust network access (ZTNA), Aras says.
According to Gartner, SASE delivers converged network and security-as-a-service capabilities, including SD-WAN, SWG, CASB, NGFW and, of course, ZTNA.
“SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies,” Gartner says.
From there, organizations can begin to think about application segmentation and other more advanced actions.
Zero trust is a journey
With threat landscapes and IT environments constantly changing, organizations should not be complacent in their current stage of zero trust implementation. However, before they take their first steps in implementing zero trust, IT leaders need to understand they can’t make these sweeping changes overnight.
“It is a multi-part journey,” Aras says, adding that IT leaders must also consider the end-user impact of zero trust implementations.
Alongside end users, IT leaders must also consider their organizations’ business needs as the organization grows.
For example, a business could begin working with more third parties, service providers or vendors that need some level of access, thus requiring zero trust to be applied to that growing complexity.
“Part of the journey is understanding how your business operates within this next context and applying zero trust to your current needs,” Aras says.