As the threat landscape continues to evolve and organizations embark on a variety of digital transformation projects, high levels of enterprise security have become increasingly elusive. As an industry, we have often responded to each emerging threat with a new tool or technology, and many organizations now deploy upwards of 100 different security products on average. Recently, there has been a great deal of interest in Zero Trust; however, definitions and details vary. This leaves many security professionals seeking clarity on how to make this modern security methodology actionable within their organization.

At its core, Zero Trust seeks to eliminate implicit trust throughout the enterprise by continuously validating all digital transactions. This is inherently a much more secure approach and helps deal with some of the most sophisticated and dangerous types of threats, such as ransomware and associated behaviors like lateral movement. Today, organizations can evolve into a Zero Trust enterprise by taking a holistic approach and applying Zero Trust best practices comprehensively across users, applications and infrastructure. This results in higher levels of overall security and a reduction in complexity through the consolidation of capabilities, the unification of security policy and more consistent enforcement.
Securing users through Zero Trust best practices is often a good starting point for the journey to becoming a Zero Trust enterprise. This includes focusing on strong identity best practices, such as the deployment of multi-factor authentication (MFA). Implicit trust must also be eliminated for user devices, and good endpoint protection should be used to mitigate the risks around compromised devices. This is also where you enforce “least access” through role-based access control policies that grant access only to the resources each individual or role requires to perform their job.
Even though many organizations start their Zero Trust journey by focusing on users, applying Zero Trust principles to applications is equally critical. In fact, many organizations hit sticking points in their migration to the cloud due to security issues found late in the project. They are then forced to delay many of their cloud initiatives as a result. Zero Trust should be applied to applications to ensure the security and integrity of code and workloads such as hosts, containers, Kubernetes and serverless functions. This includes best practices, such as applying microsegmentation to cloud workloads to limit lateral movement in the event an individual resource is compromised.
Other areas that are often overlooked are supply chain resources and unmanaged infrastructure, such as IoT. Supply chain vendors should be asked to provide the security and Zero Trust guidelines they follow for their offering. Organizations should not assume that vendors are handling security. Each solution should be evaluated for security risks and adherence to Zero Trust best practices. With the explosive growth in the Internet of Things (IoT), unmanaged devices continue to present a significant risk due to extensive vulnerabilities, little to no built-in security and a lack of options when it comes to strong authentication and endpoint security.
Organizations should ensure they have full-spectrum visibility into these devices and then apply “least access” privileges to them the way they approach applying Zero Trust to users. In the case of IoT devices, since they serve a very specific purpose within the organization (think security camera or MRI machine), policies can be very restrictive. Security cameras should only be speaking video protocols, communicating with video storage infrastructure and going out to the internet for firmware updates — nothing more.
Once organizations have good visibility and have created good Zero Trust policies, continuous monitoring and ongoing improvement are key to maturing any Zero Trust strategy. The Security Operations Center (SOC) plays a key role here by providing an ongoing audit function for Zero Trust policies. Telemetry from the full set of security tools and capabilities should be consumed to provide ongoing security analytics and correlation of complex, multi-faceted security events. This ensures that the Zero Trust controls are the correct ones and that any potential security gaps in the policy are eliminated.
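The two preceding paragraphs, the restrictive security-camera policy and the SOC audit of that policy, as an added example that is not part of the original post: the intended least-access policy for the camera role is encoded as an explicit allow list with default deny, and the audit runs over constructed flow records from an enforcement point to flag flows that were allowed in practice but fall outside the intended policy. The subnet, vendor hostname, log format and flow values are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str      # IP address or hostname as logged
    dport: int
    app: str      # application identified by the enforcement point
    action: str   # what the enforcement point actually did


# Intended least-access policy for the "security camera" role (constructed values):
# video protocols to video storage, HTTPS to the vendor update host, nothing else.
CAMERA_POLICY = {
    "video_apps": {"rtsp", "srtp"},
    "video_storage": ipaddress.ip_network("10.20.0.0/24"),       # constructed subnet
    "update_hosts": {"updates.camera-vendor.example"},          # placeholder vendor host
    "update_app": "https",
}


def intended_verdict(flow: Flow, policy: dict = CAMERA_POLICY) -> tuple[str, str]:
    """Evaluate one flow against the intended policy; anything not listed is denied."""
    try:
        dst_ip = ipaddress.ip_address(flow.dst)
    except ValueError:
        dst_ip = None  # destination was logged as a hostname
    if flow.app in policy["video_apps"] and dst_ip is not None and dst_ip in policy["video_storage"]:
        return "allow", "video to storage"
    if flow.app == policy["update_app"] and flow.dst in policy["update_hosts"]:
        return "allow", "firmware update"
    return "deny", "not in least-access policy"


def parse_flow(line: str) -> Flow:
    """Parse one key=value flow record (constructed format) from the enforcement point."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["app"], kv["action"])


def audit_policy_gaps(log_text: str) -> list[dict]:
    """SOC audit: flows the enforcement point allowed that the intended policy would deny."""
    gaps = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, reason = intended_verdict(flow)
        if flow.action == "allow" and verdict == "deny":
            gaps.append({"dst": flow.dst, "dport": flow.dport, "app": flow.app, "reason": reason})
    return gaps


# Constructed flow records for one camera; the SMB flow is an enforced-allow outside the policy.
CAMERA_FLOW_LOG = """\
ts=2024-05-01T10:00:01Z src=10.30.0.5 dst=10.20.0.10 dport=554 app=rtsp action=allow
ts=2024-05-01T10:00:07Z src=10.30.0.5 dst=updates.camera-vendor.example dport=443 app=https action=allow
ts=2024-05-01T10:00:12Z src=10.30.0.5 dst=10.10.0.25 dport=445 app=smb action=allow
ts=2024-05-01T10:00:15Z src=10.30.0.5 dst=203.0.113.7 dport=443 app=https action=deny
"""

if __name__ == "__main__":
    for gap in audit_policy_gaps(CAMERA_FLOW_LOG):
        print("policy gap:", gap)
```

The denied HTTPS flow to an arbitrary internet address is outside the policy but is not reported, because enforcement already matched intent; only the allowed SMB flow is a gap to close.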
For many organizations that are just starting their Zero Trust efforts, mapping out a “top down,” strategic plan is critical. Many customers I have spoken with over the years have expressed regret that they started their Zero Trust initiatives with a disparate set of poorly integrated technology projects. Engaging a third party, such as your trusted partner for security, and involving key stakeholders across the organization are also key to ensuring a smooth transition to Zero Trust. Finally, even though a holistic approach is outlined here, not everything can be accomplished at once, so execution must be prioritized and time frames kept realistic. If done correctly, this approach not only produces higher overall levels of security, it has the added benefit of reducing complexity, improving operational efficiency and demonstrating key milestones to stakeholders, such as the board of directors.
Learn more about how Palo Alto Networks can help you become a Zero Trust enterprise.