How A Step-By-Step Approach Paves The Way To Zero Trust Architecture


Vice President of Product Management, Chief Information Security Officer, Intertrust Technologies.

The zero trust architecture network (ZTNA) cybersecurity approach has gained significant attention in recent years amid the rapid growth of digital systems and increasingly sophisticated cyber threats. However, successfully implementing ZTNA can be challenging, particularly when integrating devices that are old or have low storage or computing capacity.

I previously discussed the National Institute of Standards and Technology (NIST)’s security approach that meets tomorrow’s challenges by leveraging practices like least privilege access, microsegmentation and verification of every access request.

While this may have resonated with many, others may have been left thinking, “That’s great, but it may be too demanding of an undertaking for my organization.” This feeling may be particularly pronounced at companies that have been around awhile and have accumulated significant legacy architecture.

In this article, I’ll discuss ideas for implementing a standards-based ZTNA on a practical level, focusing on the concept of incremental adoption and the need for system-level security. More specifically, I’ll examine how this approach can address a range of challenges and fortify against a new, more sophisticated generation of threats.

The Case For Standards-Based, Incremental ZTNA Adoption

To make ZTNA implementation feasible, organizations need a standardized approach that can be incrementally adopted by their many departments and units.

By adopting ZTNA incrementally, organizations can gradually enhance their security infrastructure without sacrificing functionality or incurring excessive costs. Furthermore, it ensures that legacy and low-computing IoT devices—often overlooked by traditional cybersecurity approaches—are secured, paving the way for a more robust architecture.

A standards-based approach to incremental ZTNA adoption starts with:

• Comprehensive Assessment: Organizations should first assess their current security infrastructure, identifying potential vulnerabilities and areas for improvement. This provides the basis of a roadmap for incrementally integrating ZTNA principles into the existing system.

• Prioritizing Critical Assets And Applications: Organizations should prioritize the protection of their most critical assets, incorporating ZTNA principles into these areas before moving on to less sensitive systems.

• Leveraging Existing Security Tools: To minimize costs and streamline the implementation process, organizations should leverage their existing security tools, such as firewalls and intrusion detection systems, to support the transition to ZTNA.

• Incremental Micro-Segmentation: Micro-segmentation, a core principle of ZTNA, which I discussed in my last article, involves dividing the network into smaller segments to isolate potential threats and limit lateral movement within the network. If informed by the prioritization of critical assets and applications, those areas can be micro-segmented first.

• Continuous Monitoring And Evaluation: The initial assessment is just a starting point. Organizations must continually monitor and evaluate their architecture, identifying, prioritizing and addressing potential threats in real time.

As a case in point, one company I observed fell victim to a widely publicized ransomware attack. They should have inventoried their systems long before they were hit. Had they conducted an inventory of IoT assets, they would have understood the critical gaps that were traversed in the attack. They then could have leveraged a standards-based, incremental process to monitor, check and protect those endpoints. They didn’t do this until after the attack, and so their security was compromised with severe and far-reaching effects.

The Need For System-Level Security And Persistent Data Protection

Traditional security measures, such as transport layer security (TLS) and virtual private networks (VPNs), are insufficient to protect against advanced cyber threats like Stuxnet and its many variations, which led to today’s CrashOverride (also called Industroyer, or the Industry Destroyer), which proved so effective against Ukraine’s energy infrastructure in 2016.

In this new breed of nation-state attacks, all layers of infrastructure are targeted—from the software to the operating system that it runs on to connected devices along with their embedded software. This highlights the urgent need to embrace system-level security as a fundamental aspect of ZTNA implementation.

Whereas previous approaches simply protected the system’s connective pipes, now the systems—down to individual devices—must be able to monitor and protect themselves.

This is similar to how we approach security in a physical system such as a city. On the national level, you have the military. On a local level, you have the police. Regardless of how effective these more general systems are, few would take this as a cue to not adopt at least basic measures to secure their own houses. This need for security at the individual level—the system level—has given rise to locks, burglar alarms, neighborhood watches, etc.

Similarly, ZTNA entails protecting the entire system—not just endpoint connections, but the endpoints themselves—from the single sensor to the overall system.

Because malware like the Mozi botnet and others traverse a network laterally, it is essential that data be protected at rest, in addition to in transit. VPNs and TLS only offer protection in transit because they are session-oriented protocols.

To add to my list of ZTNA fundamentals in my previous article, companies can take a few actions to move in this direction, including:

• Secure Coding Practices: This minimizes the risk of vulnerabilities in software and systems. According to UC Berkeley, effective practices include input validation, output encoding, session management, system configuration and file management, among others.

• Security Testing And Validation: These should be carried out regularly to ensure that all systems and components are operating securely and effectively.

• Hardening Systems And Components: As vulnerabilities are discovered, measures such as disabling unnecessary services and implementing secure configurations can reduce the attack surface, or the number of points on the system where an attacker can enter and inflict harm.

• Robust Incident Response Plan: Comprehensive strategies should be created to address potential security breaches the instant they occur.

Conclusion

Implementing ZTNA can be a major undertaking, especially for organizations with extensive legacy architecture—so much so that many organizations may be dissuaded from it. With a flexible, systemized approach based on standard practices, however, companies can incrementally adopt security measures without leaving legacy and low-computing IoT devices behind.

By taking an incremental approach that focuses on system-level security, organizations can fortify infrastructure against increasingly advanced threats and navigate the treacherous landscape of modern cybersecurity.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
