Jason Garbis, June 30, 2022
Getting Down to Brass Tacks: What’s Real Zero Trust?
For the first time in more than two years, RSA Conference 2022, the largest global cybersecurity show, happened in person. Of course, Zero Trust security was the buzzword of the day, but not every vendor that claims Zero Trust is delivering real Zero Trust, so it’s time to call BS on the pretenders.
Many security vendors have slapped the Zero Trust label onto solutions that do not truly protect the network, do not work across every operating environment and device, and lack a robust, bi-directional, near real-time REST API. This leaves their customers no better off than they were before, with point-in-time solutions that cannot integrate. Additionally, many cannot meet the requirement to be used on- and off-premises as a unified solution and policy model. (Not everything is in the cloud, and for many government agencies and commercial companies it never will be.) And even more fail to follow the principles laid out in NIST SP 800-207 or the Cloud Security Alliance Software-Defined Perimeter 2.0 guidance.
The need for integrated cybersecurity solutions that are part of an organization’s or agency’s Zero Trust architecture is now. Incidents and new exploits continue to surface that a proper Zero Trust architecture could have prevented. Some recent examples are:
And the 2019 Capital One attack is back in the news after the person who committed it (and bragged about it) was convicted. Whether your resources are on-premises or in the cloud, the time to protect them the same way is now. Remember, the cloud is a shared security model: just because you put resources in the cloud does not mean they are protected. In fact, one could argue they are less protected.
To truly begin this journey and gain the advantages of a Zero Trust architecture, we need to divide the Zero Trust security roadmap into sensible buckets and stages within those buckets. The areas we recommend you focus on are:
- Identities: I have mentioned this in previous blogs and podcasts, but identity is the obvious and most important place to start.
- Devices: Without attaching the user to a device, a company or agency lacks the ability to truly limit exposure and tie users to dynamic access controls.
- Networks and Environments: You must define what you are trying to protect and where. Zero Trust access solutions should operate seamlessly in cloud environments and across on-premises resources without impacting the user, the security posture or the solution needed. With a clear understanding of the networks and environments, you can begin to place users into the right buckets of access.
- Applications/Workloads: Knowing what you have, and marrying that to where it lives and who and what can access it, are key pillars in this ongoing journey.
- Data: Placing proper access controls on data and integrating those controls throughout the stack is key to a Zero Trust process.
- Overlay Pillars: Appgate views these as analytics, automation, reporting, etc. The drive is to treat everything as code and to use automation to deliver the integrations. Solutions that cannot be deployed as code, read metadata to drive near real-time actions, manage a policy model as code and provide real analytics are not helpful in the current cyber world.
Once you’ve done this first level of work, the next step is to leverage guidance from Appgate, CISA, NIST, etc. and set your stages. It is expected and normal not to be at “optimal,” or what we call stage three, right out of the gate. Decide what those goals look like for your organization, ruthlessly select the solutions that help you reach them and create your plans.
The Zero Trust journey will not be short or simple, but with solutions like Appgate SDP, an industry-leading Zero Trust Network Access solution, you can bring current and future cyber investments together to help protect users, data and systems from attacks and breaches.
Additional Zero Trust Resources:
- Podcast: Zero Trust Security: Buzzword or Breakthrough?
- Solution brief: Zero Trust Access for Corporate Networks
- Blog series: The CISA Zero Trust Maturity Model
- Blog: Zero Trust for Critical Infrastructure