Tufin Software Technologies Ltd.

05/07/2021 | Press release | Distributed by Public on 05/07/2021 08:15

Steering Towards a Zero Trust Model: A 5-Step Approach

Zero Trust (ZT) is a popular term seen everywhere lately, but it's not a new concept. The Zero Trust Network (Zero Trust Architecture) model was created in 2010 by John Kindervag, who was a Forrester analyst at the time. Eleven years later, CISOs and CIOs are increasingly adopting and implementing the Zero Trust security model in their organizations.

The Zero Trust model suggests we shift security from a perimeter-based model to a model that's based on continuous verification of trust. Actually, this model assumes that a network has already been breached. A key recommendation is to create micro-perimeters or micro-segments to control access to sensitive assets, and limit the potential damage from attackers.

Over the years, Forrester extended the original model beyond its segmentation focus to include other elements to ensure only the right people or resources have the right access to the right data and services, such as:

  • Data - Categorize and classify data based on sensitivity; Forrester also calls for data encryption
  • Workloads and Devices - Apply Zero Trust controls, such as encryption & data security
  • People/Identities - Limit and strictly enforce access controls
  • Network - Identify sensitive, valuable assets, and define micro-segmentation around them
  • Visibility & Analytics - Log, correlate, and analyze every activity across environments
  • Automation & Orchestration - Implement using automation, and integrate with other tools to improve detection and response

As a CISO, I've often been asked how I translate ZT principles into practice. So, here's my take on the Forrester ZT 5-step implementation method.

ZT Implementation: 5-Step Method

  1. Identify your Sensitive Assets

The first step is about identifying and prioritizing the most valuable assets, which also require the highest level of protection (aka, the protect surface vs. the attack surface). This is where I involve other business stakeholders to help me identify what and where these assets are. Keep in mind, this process is complete only after management team approval.

Here's how I think and how I'd also present ZT to the board:

  1. What are the sensitive assets? List the mission-critical, valuable assets that could cause the most damage if compromised. Valuable assets can be data, such as credit card data, PII, PHI, financial data, and more. But it's not limited to data only -- it can be your legacy systems where the primary business transactions take place. By the way, the definition of sensitive, critical, or valuable assets is completely subjective. If you ask your CRO, the answer would likely be customer data, but if you ask the CFO, it may be financial data. Ultimately, it's about what can kill you vs. what can harm you.
  2. Which lines of business or processes is the data used for? Consider the processes that use these sensitive assets, such as customer relationships, employee experience, revenue generation, regulatory compliance, and others. For example, it is important to understand whether a compromised code repository could result in a regulatory violation and litigation.
  3. Who currently has access? Are they privileged users or not? Consider the potential number of affected users in case of a breach.
  4. Where does the data reside (SaaS or on-premise)?
  5. What are the current security controls? Which controls are in place, so we can identify the gaps and take action?

Figure 1: Stored sensitive data within systems and their related security controls for security posture overview

| Department | System | Line of Business/process | Stored sensitive data | Users | SaaS/on-premise | Security controls |
| --- | --- | --- | --- | --- | --- | --- |
| HR | HR SW | Hire to Retire; Employee experience… | Employee PII; Employee financial data… | HR; All employees | SaaS | Authorization solution; 2FA… |
| Sales | CRM | Revenue generation; Customer relationships… | Customer data; Financial data… | Sales; Marketing; Management | SaaS | 2FA; Encryption |