In May 2021, Executive Order (EO) 14028 turned Zero Trust from a design philosophy into a mandate for federal agencies. On January 26, 2022, the Office of Management and Budget (OMB) followed with memorandum M-22-09, which lays out a federal Zero Trust Architecture (ZTA) strategy with concrete milestones. Because nearly every industry does business with or alongside the federal government, many executives now find themselves searching for "Zero Trust" and its related buzzwords. The message is clear: the familiar practice of building a fortified network perimeter is no longer sufficient.
So what is a Zero Trust Architecture?
Simply put, it is an approach to security in which no user, device or connection is trusted by default because of where it sits on the network. Every request is authenticated and authorized against policy, and that validation is repeated for the life of the session rather than performed once at login. Network segmentation and strong authentication protect the environment and its sensitive data, and together they limit how far a malicious, or merely negligent, actor can move laterally once inside.
Some may have initially thought ZTA would be simply another add-on feature for their legacy security configuration. The framework, however, represents a paradigm shift that promises to drag enterprise operations kicking and screaming into a brave new world. The world has changed, and ZTA acknowledges the realities of modern business ecosystems.
Today, critical business workflows span virtual and containerized infrastructure, open-source components, partner and public clouds, and a distributed workforce and customer base. Establishing trust with a username and password, or guarding a single static perimeter, is no longer realistic.
How does this impact CISOs and their teams?
In this three-part series, we will explore the challenges of implementing a ZTA, how to model its operational impact and how it can benefit your organization.
At the heart of the ZTA framework is the idea that perimeters are drawn around individual business workflows and the resources they touch, not around the network as a whole. Enumerating the entities involved in each workflow (users, assets, applications, data, exchanges, etc.) is a daunting task, even for modestly sized businesses with a focused set of workflows. Finding the exceptional individuals, or unicorns, with both the technical and line-of-business expertise for this undertaking is no easier.
Fortunately for medium and large businesses, there are technological aids to the process, such as Cisco's Tetration application (now Cisco Secure Workload), which uses deployed agents to collect flow telemetry, map it onto workflows and propose segmentation policy. Whether you rely on traditional collaboration methods or a technology supplement, defining business workflows is the essential starting point for micro-segmentation and for establishing micro-perimeters along your ZTA journey.
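As an added illustration of what "policy discovery" means in practice (this is example code written for this page, not Tetration's algorithm or output format), the following Python collapses constructed host-level flow records into role-level allow rules and sets aside anything that crosses a workflow boundary or is too rare to trust without human review. The inventory, flow records and rule syntax are all assumptions made up for the example.

```python
"""Derive a default-deny micro-segmentation allow-list from observed flow telemetry.

Illustrative example; the inventory, flows and rule syntax are constructed, and the
logic is not that of any vendor product.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: IP -> (workflow, role). In practice this comes from the
# workflow enumeration step described in the article.
INVENTORY = {
    "10.0.1.10": ("payments", "web"),
    "10.0.1.11": ("payments", "web"),
    "10.0.2.20": ("payments", "app"),
    "10.0.3.30": ("payments", "db"),
    "10.0.9.99": ("hr", "app"),
}

# Constructed flow records (src, dst, dst_port, proto, observed count), as a host agent
# might report them over a collection window.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443, "tcp", 1200),
    ("10.0.1.11", "10.0.2.20", 8443, "tcp", 980),
    ("10.0.2.20", "10.0.3.30", 5432, "tcp", 3100),
    ("10.0.1.10", "10.0.3.30", 5432, "tcp", 1),   # web tier straight to the DB: suspicious
    ("10.0.9.99", "10.0.3.30", 5432, "tcp", 2),   # cross-workflow access: must not become a rule
    ("10.0.2.20", "10.0.1.10", 22, "tcp", 1),     # rare SSH from app back to web
]


@dataclass(frozen=True)
class Rule:
    src: str    # "workflow/role"
    dst: str
    port: int
    proto: str


def _label(ip):
    workflow, role = INVENTORY[ip]
    return f"{workflow}/{role}"


def discover_rules(flows, min_count=10):
    """Collapse host-level flows into role-level rules; return (rules, exceptions).

    Flows that cross a workflow boundary, or were seen fewer than min_count times,
    are not turned into rules; they are reported for a human to decide on.
    Anything absent from `rules` is denied.
    """
    counts = defaultdict(int)
    for src, dst, port, proto, n in flows:
        counts[(_label(src), _label(dst), port, proto)] += n

    rules, exceptions = set(), []
    for (s, d, port, proto), n in sorted(counts.items()):
        same_workflow = s.split("/")[0] == d.split("/")[0]
        if same_workflow and n >= min_count:
            rules.add(Rule(s, d, port, proto))
        else:
            reason = "cross-workflow" if not same_workflow else f"rare ({n} flows)"
            exceptions.append((Rule(s, d, port, proto), reason))
    return rules, exceptions


def is_allowed(rules, src_ip, dst_ip, port, proto):
    """Default-deny check of a new flow against the discovered rules."""
    return Rule(_label(src_ip), _label(dst_ip), port, proto) in rules


def render(rules):
    """Render rules as vendor-neutral allow lines (illustrative syntax)."""
    ordered = sorted(rules, key=lambda r: (r.src, r.dst, r.port))
    return [f"allow {r.proto}/{r.port} from {r.src} to {r.dst}" for r in ordered]


if __name__ == "__main__":
    discovered, review = discover_rules(FLOWS)
    for line in render(discovered):
        print(line)
    for rule, why in review:
        print("REVIEW:", rule, why)
```

The point of the threshold and the workflow check is that discovery is not "record everything we saw and allow it": a single web-to-database connection or an HR host reaching the payments database are exactly the flows a ZTA policy exists to stop, so they surface as exceptions rather than silently becoming permitted paths.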
It is well established among security professionals that usernames and passwords alone are obsolete. Multi-factor authentication raises the bar considerably, but it does not settle the question of impersonation: phishable factors such as SMS codes and push approvals can be relayed or fatigued in real time, and no authentication factor, however strong, protects a session after it has been established.
ZTA takes a more comprehensive view of trust, which you can think of as a “trust stack.” The trust stack goes beyond identity management and network privileges by validating the device, connection, application use and interchange as well as rights to data stores.
The initial workflow enumeration process mentioned earlier helps define rule sets that statically validate the trust stack. Still, dynamic and continuous validation processes are required to address other threats like session hijacking. This includes user and entity behavior analytics as well as machine learning and policy orchestration to manage complex rule sets. Palo Alto Networks is one vendor that has introduced new solutions and is working with NIST to refine and document requirements.
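To make the trust stack concrete, here is an added example (written for this page, not taken from the article, Palo Alto Networks or the NIST work it mentions) of a policy decision function that checks each layer independently and re-validates the session over time. The policy values, group names, applications and the behavioral deviation score standing in for a UEBA signal are all assumptions constructed for the example.

```python
"""Evaluate a request against a layered 'trust stack' with continuous re-validation.

Illustrative policy-decision logic; the policy, groups, applications and the UEBA
deviation score are constructed for the example and are not any vendor's API.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa: str                   # "none", "otp" or "fido2"
    device_managed: bool
    posture_age_min: int       # minutes since the device last reported its posture
    source_network: str        # "corp", "vpn" or "internet"
    app: str
    data_class: str            # "public", "internal" or "restricted"
    session_age_min: int       # minutes since the session was authenticated
    baseline_deviation: float  # 0.0 (typical) .. 1.0 (anomalous), assumed UEBA output


# Constructed policy. In a real deployment these rule sets come out of the workflow
# enumeration step described in the article.
POLICY = {
    "app_entitlement": {"payroll": {"hr", "finance"}, "wiki": {"staff", "hr", "finance"}},
    "min_mfa": {"public": "none", "internal": "otp", "restricted": "fido2"},
    "max_posture_age_min": 60,
    "max_session_age_min": {"public": 720, "internal": 240, "restricted": 30},
    "anomaly_deny": 0.8,
    "anomaly_stepup": 0.5,
}
MFA_RANK = {"none": 0, "otp": 1, "fido2": 2}


def evaluate(req, policy=POLICY):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'.

    Every layer is checked; a hard failure in any layer denies, while a
    re-validation trigger on its own demands fresh authentication (step-up).
    """
    hard, soft = [], []
    # Identity: authentication strength must match the sensitivity of the data.
    need = policy["min_mfa"][req.data_class]
    if MFA_RANK[req.mfa] < MFA_RANK[need]:
        hard.append(f"identity: {req.data_class} data requires {need}, got {req.mfa}")
    # Device: only managed devices with a recent posture report.
    if not req.device_managed:
        hard.append("device: unmanaged device")
    elif req.posture_age_min > policy["max_posture_age_min"]:
        soft.append("device: posture report stale, re-check required")
    # Connection: where the request originates.
    if req.data_class == "restricted" and req.source_network == "internet":
        hard.append("connection: restricted data not served from untrusted networks")
    # Application: explicit entitlement, default deny.
    if req.groups.isdisjoint(policy["app_entitlement"].get(req.app, set())):
        hard.append(f"application: no entitlement to {req.app}")
    # Continuous validation: session lifetime and behavioral baseline, evaluated on
    # every request so a session that was fine at login can be downgraded later.
    if req.session_age_min > policy["max_session_age_min"][req.data_class]:
        soft.append("session: maximum age exceeded, re-authenticate")
    if req.baseline_deviation >= policy["anomaly_deny"]:
        hard.append("behavior: strong deviation from baseline (possible hijacked session)")
    elif req.baseline_deviation >= policy["anomaly_stepup"]:
        soft.append("behavior: moderate deviation, fresh MFA required")

    if hard:
        return "deny", hard + soft
    if soft:
        return "step_up", soft
    return "allow", []


# Constructed scenarios: a legitimate HR user, then variations on that request.
BASELINE_REQUEST = Request(
    user="alice", groups=frozenset({"hr"}), mfa="fido2", device_managed=True,
    posture_age_min=5, source_network="corp", app="payroll", data_class="restricted",
    session_age_min=5, baseline_deviation=0.1,
)
SCENARIOS = {
    "normal": BASELINE_REQUEST,
    "long_session": replace(BASELINE_REQUEST, session_age_min=45),
    "weak_mfa": replace(BASELINE_REQUEST, mfa="otp"),
    "hijacked": replace(BASELINE_REQUEST, source_network="internet", baseline_deviation=0.9),
    "no_entitlement": replace(BASELINE_REQUEST, groups=frozenset({"staff"})),
    "unmanaged_device": replace(BASELINE_REQUEST, device_managed=False),
}


def run_scenarios(scenarios=SCENARIOS):
    """Decision for each named scenario."""
    return {name: evaluate(req)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(name, evaluate(req))
```

The "hijacked" scenario is the one the paragraph above is about: the user, device and entitlement checks that pass at login still pass, but the connection and behavioral layers fail on a later request, so the session is denied rather than trusted for the rest of its lifetime.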
The transition from traditional network security practices to a ZTA is a complex undertaking. Enforcing new ZTA policy directly in production is a risk few executives would accept, and even a monitoring-only rollout tells you little: there are too many opportunities to disrupt critical business workflows, and, paradoxically, the security gained cannot be judged until the policies have been exercised against realistic users, traffic and attacks.
That is why it is critical to have a high-fidelity environment in which to model the impact of a ZTA on your unique production environment. Cyber range platforms are well suited to testing ZTA policies, modeling user behavior and reviewing the resulting analytics.
Read Part II - Validating your Zero Trust Strategy to identify the right tools for the job.
Did you know that SimSpace can help validate your ZTA implementation and compliance posture? To find out more and request a demo of our ZTA validation capabilities, contact us at email@example.com.