Chris Scheels, December 2, 2021
Implementing Your Zero Trust Security Journey
Zero Trust security isn’t a standalone tool that you can install on your network to solve all your cybersecurity needs. It’s a set of guiding principles, or an operating philosophy, by which you strengthen your organization’s resilience, efficiencies and overall security posture. Here’s how you should think about implementing Zero Trust security.
Strengthening your organization’s cybersecurity posture to keep up with business demands and mounting cyberthreats is a necessary, though often daunting, proposition. Many enterprises are doing so by implementing the principles of Zero Trust security, a rapidly accelerating industry trend that goes far beyond buzzword or marketing hype.
What is Zero Trust security?
At its core, Zero Trust security is an approach that flips the “trust, then verify” strategy of legacy network access tools, like insecure VPNs or ineffective NACs, on its head. It is about invoking a “zero implicit trust” mindset that permits user access to the right resources they need to do their jobs at the right time. The National Institute of Standards and Technology (NIST) defines Zero Trust as “a set of guiding principles for workflow, system design and operations.”
How to get started with Zero Trust security
Where should you start? Instead of getting stalled with analysis paralysis, it’s important to understand there’s a maturity curve and you don’t have to start from scratch. Even baby steps will make a substantial difference. Here is guidance to set you soundly on the Zero Trust security path and harden your organization’s cybersecurity defenses.
1. Take inventory of your network
Before you can implement Zero Trust security, you need to understand what kind of shape you’re in. You can’t protect what you can’t see, which is why auditing your network is an integral part of strengthening your security posture. You likely have a variety of access control and networking mechanisms, as well as a distributed, hybrid ecosystem of IT and security infrastructure elements.
For example, many organizations have multiple VPN solutions to control access to different resources in different locations. Identify what and where those are, who is using them and for what purpose. Take note of vendor names, user numbers, contract expirations and any upcoming hardware refreshes, including the cost of hardware maintenance and software licensing. Knowing when those agreements expire can help you plan an entry point for Zero Trust Network Access (ZTNA)—which applies Zero Trust principles to network security—and the budget you’ll have available.
2. Assess identity and access management (IAM)
At its heart, Zero Trust provides an identity-centric approach to security. Therefore, understanding and managing identity is an incredibly important step, but it doesn’t require perfection before you embark on your Zero Trust security journey.
Understanding how your organization’s IAM systems work is a natural part of every Zero Trust security initiative since you’ll use them for authentication and identity attributes. Identity management programs (technology, people, and processes) can be valuable for your Zero Trust security initiative, even if they are relatively immature. Your IAM environment doesn’t have to be perfect, but it can’t be “broken,” either.
3. Prepare network infrastructure
A large part of the strength of Zero Trust security is its ability to enforce identity and context-aware policies at the network level, bridging often separate security and network teams. Security and network architects need to collectively plan for the changes that Zero Trust security brings to enterprise network infrastructure, operations and potentially network topology.
Proactively obtain an understanding of your enterprise network and how various security, connectivity, availability and reliability components are deployed. This type of inter-departmental coordination and cooperation is important because many Zero Trust-based security solutions impact the underlying network and topology. You can save significant time in this step with network-agnostic solutions that act as an encrypted overlay on top of your existing network infrastructure.
4. Define and prioritize security policies
Your security policies will define which identities are permitted to access which resources under what circumstances. Within a Zero Trust environment, access can only be obtained through the evaluation and assignment of a policy to an identity, and that access may be enforced at the network or application levels.
However, you don’t need to define policies for every person, resource and application out of the gate. That’s a monumental undertaking that can be achieved over time. Start with policies around critical infrastructure and your organization’s crown jewels, like intellectual property, personally identifiable information (PII), Health Insurance Portability and Accountability Act (HIPAA) or other compliance data.
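The policy model described in this step, sketched as a default-deny check. This is an added example, not Appgate's code or any product's policy format; the policy names, groups, resources and conditions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset                    # IAM groups the policy is assigned to
    resources: frozenset                 # resources the policy grants
    managed_device_only: bool = True     # context: device posture
    hours: tuple = (time(0, 0), time(23, 59, 59))  # context: allowed time window

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    resource: str
    managed_device: bool
    at: time

def evaluate(policies, req):
    """Return (allowed, reason). Access exists only if a policy grants it."""
    failed = []
    for p in policies:
        if req.resource not in p.resources or not (p.groups & req.groups):
            continue                     # policy not assigned to this identity/resource
        if p.managed_device_only and not req.managed_device:
            failed.append(f"{p.name}: unmanaged device")
        elif not (p.hours[0] <= req.at <= p.hours[1]):
            failed.append(f"{p.name}: outside allowed hours")
        else:
            return True, p.name
    return False, "; ".join(failed) or "default deny: no policy for this identity and resource"

# Constructed sample policies, starting with "crown jewel" resources only.
POLICIES = [
    Policy("hr-pii", frozenset({"hr"}), frozenset({"hr-pii-db"}),
           hours=(time(8, 0), time(18, 0))),
    Policy("eng-source", frozenset({"engineering"}), frozenset({"source-repo"})),
]

if __name__ == "__main__":
    alice = Request("alice", frozenset({"hr"}), "hr-pii-db", True, time(10, 30))
    print(evaluate(POLICIES, alice))
```

Resources with no policy yet are unreachable rather than open, which is what makes it safe to define policies for the most critical assets first and add the rest over time.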
Zero Trust starts with secure access
Zero Trust Network Access (ZTNA) is a foundational solution many enterprises are using to start their Zero Trust security journeys. With ZTNA, there are two major architectures to consider with downstream options as you build what’s best for your organization.
- Self-hosted deployment: Organizations have complete control of their deployment without any ongoing management from a ZTNA provider. This includes infrastructure instantiation, management and monitoring, software upgrades and security patches, as well as the configuration of policies, integrations and user onboarding.
- As-a-service deployment: This Zero Trust security approach relies on the vendor for hosting and/or managing some of the ZTNA collective components. But all ZTNA solutions require the customer to install a connector-type appliance where resources are hosted. The primary benefit of as-a-service is to offload some responsibility to the vendor, such as infrastructure instantiation, management, monitoring, and applying upgrades and security patches.
Next, choose a user access model. In the client-based model, a client must be installed on a server or a user’s device to initiate connections; this model is required for many enterprise resources. The other model is browser-based, allowing users to connect to web applications. Typically, businesses choose a hybrid approach for user access depending on use case.
Rolling out the policies during deployment puts you well on your way to implementing Zero Trust security. While it’s a big task—well, several sets of tasks, really—if you’ve chosen deployment as a service, you’ll have lots of help.
How Appgate SDP supports Zero Trust security implementation
Appgate can help with your Zero Trust security implementation … which, if you’re doing it right, will constantly evolve. And because Appgate SDP, an industry-leading, enterprise-grade ZTNA solution, can be delivered as a service we are with you every step of the way from planning to deployment and beyond.
Appgate is uniquely qualified in the Zero Trust conversation and was named a ZTNA Leader in the 2021 Forrester New Wave report. Appgate is also one of several key industry partners collaborating on the NIST Implementing a Zero Trust Architecture Project with the National Cybersecurity Center of Excellence (NCCoE). More information on Zero Trust security can be found by diving into these additional resources:
- Zero Trust Security: An Enterprise Guide, co-authored by Appgate CPO Jason Garbis
- Secure network access for your hybrid enterprise
- Technical guide to Appgate SDP
- Demo Appgate SDP
- VPN vs. ZTNA vs. SDP vs. NAC: What’s the difference?