Zero Trust Security: A Journey, Not a Destination
Evolving network landscapes have shown that perimeter-based security architectures lack the granularity and control needed to defend against new threats, both internal and external, and that a new security methodology is needed.
Gartner's guide for Zero Trust Network Access predicted that by 2022, 80% of new digital business applications opened up to ecosystem partners would be accessed through Zero Trust (ZT) network access, and that by the following year, 60% of enterprises would phase out most of their remote-access virtual private networks (VPNs) in favor of it. As traditional security methods lose ground across the market, Zero Trust is the reference model for the next generation of security infrastructure. But a Zero Trust paradigm doesn't happen overnight, and questions abound:
- How do you create Zero Trust Security?
- What is a zero trust approach?
- Which zero trust solution is right for your business?
- How to achieve zero trust cybersecurity?
In partnership with the global enterprise security company intiGrow, we have developed this guide to answer these essential Zero Trust questions and more. From the benefits and challenges to a system design that grows into Zero Trust, we'll also show how to use the Zero Trust Security Model to reduce your exposure across attack vectors.
“The knock-on effect of a data breach can be devastating for a company. When customers start taking their business—and their money—elsewhere, that can be a real body blow.”
- Christopher Graham
UK Information Commissioner
What Is Zero Trust Security?
IT environments have become more fluid, more open, and, ultimately, more vulnerable. More companies are turning away from conventional methods such as VPNs to keep their networks secure. Zero Trust is a security approach that addresses these new network realities by trusting nothing by default: every user, device, and request is verified, regardless of where on the network it originates.
The basic tenets of Zero Trust Security are:
- Trust nothing
- Secure everything
- Contextually authenticate requestors
- Contextually evaluate access requests
- Assess all requests
- Grant access by the Principle of Least Privilege (PoLP): allow users only the minimum privileges necessary to perform a specific job or task, and nothing more
Still, with growing networks of users, devices, and applications, threats are just as likely to come from within the boundary: depending on your industry, internal actors can account for as much as 50% of threats.
Organizations have recognized that there are no longer any truly closed systems. Many migrate to Zero Trust to mitigate the risk of cyberattacks arriving through multiple entry points, including internal ones.
The shift isn't exclusive to new business applications or VPN replacement either. According to Verizon's Data Breach report, by 2023, 40% of enterprises will have adopted Zero Trust for adaptive identity-based access control, continuous trust evaluation, and flexible access control across implementations such as privileged access management systems. Across industries, Zero Trust architectures are the way forward as most organizations make further strides in their digital transformations.
"As we’ve come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided."
- Art Wittmann
Vice President, Business Technology Network
How to implement Zero Trust Security
We know many organizations are using or planning to implement Zero Trust across their organizations. Zero Trust is the ultimate security goal, but getting there takes time.
A layered Reduced Trust approach provides essential stepping stones and is our recommendation for organizations on their way to Zero Trust.
Its pillars of access management can be addressed in any order, laying the groundwork for your new Zero Trust paradigm. By focusing on these pillars, many enterprise businesses have scaled their Zero Trust initiatives:
- Group Memberships
- New, added, changed, or moved identities
- Non-human (application, service accounts)
- Devices (personal and company owned)
- Federated Single Sign-On (SSO) and Security Assertion Markup Language (SAML)
- Adaptive multi-factor authentication (MFA)
“Verify” Governance Essentials
- Regularly repeat the Identity and Privilege steps
- Auto-detection for privilege changes
- Policy-driven privilege processes
- Flexibility to allow secure, temporary access
Organizations cannot begin their Zero Trust journey without two critical steps to inventory what is in their networks: a network security audit and an inventory audit.
What businesses uncover in these processes will determine the next steps.
STEP 1: Ensure each application has its own security and access strategy for:
- Password management
- Federated authentication
- Randomizing administrative accounts
- Just in Time (JIT) access
STEP 2: Enable a federated authentication Zero Trust solution using a protocol such as SAML (Security Assertion Markup Language), OAuth, or OpenID Connect.
STEP 3: Require additional verification, such as adaptive multi-factor authentication (MFA), for added protection against internal and external threats.
Federated SSO
STEP 1: Implement dynamic, risk-based access policies to mitigate risk; these will often need exceptions.
STEP 2: Minimize exceptions with automated policies, so only true outliers need additional management.
STEP 3: Track exceptions to monitor your organization's overall risk trends and fine-tune security policies.
Key Steps to Build "Never Trust, Always Verify" Governance:
STEP 1: Eliminate always-on access and privileges.
STEP 2: Enable policy-driven processes that minimize standing access and privileges while still accommodating users who need temporary or shared-account access.
STEP 3: Add account lifecycle automation to support zero standing privileges, shortening trust chains and reducing overall risk.
- Fine tune
- Repeat Steps 2 and 3 regularly
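The tenets listed earlier (contextual authentication, contextual evaluation of every request, least privilege) and the three governance steps just above (no always-on access, policy-driven temporary access, lifecycle automation) meet in a policy decision point. The following Python is an added illustration, not code from Hitachi ID or intiGrow: the entitlement catalogue, the thresholds (15 minutes of MFA freshness for administrative actions, a 30-minute just-in-time window), the risk levels and the account names are all constructed for the example.

```python
"""Added example: contextual, least-privilege, just-in-time access decisions.
Nothing here is standing access; every grant is a short-lived decision that is
re-checked at use time. All names, thresholds and catalogue entries are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class AccessRequest:
    subject: str
    resource: str
    action: str
    device_managed: bool            # posture signal from the endpoint agent
    mfa_age_minutes: Optional[int]  # None means no MFA in this session
    geo_risk: str                   # "low" | "medium" | "high"
    justification: str = ""         # change/incident ticket for sensitive actions


@dataclass
class Grant:
    subject: str
    resource: str
    action: str
    expires_at: datetime


# Constructed catalogue of what each identity is ELIGIBLE to request.
# Eligibility is not access: nothing is granted until a request passes evaluate().
ELIGIBLE = {
    "alice": {("payroll-db", "read"), ("payroll-db", "admin")},
    "svc-backup": {("payroll-db", "read")},
}
SENSITIVE_ACTIONS = {"admin"}  # stricter context, shorter grants


def evaluate(req: AccessRequest, now: Optional[datetime] = None) -> Tuple[Optional[Grant], str]:
    """Assess one request against entitlement, authentication and device context.
    Returns (grant, reason); grant is None when access is denied."""
    now = now or datetime.now(timezone.utc)
    sensitive = req.action in SENSITIVE_ACTIONS

    # 1. Least privilege: is this subject entitled to this action at all?
    if (req.resource, req.action) not in ELIGIBLE.get(req.subject, set()):
        return None, "not entitled"

    # 2. Contextual authentication: MFA must be recent; far more recent for admin.
    max_mfa_age = 15 if sensitive else 720
    if req.mfa_age_minutes is None or req.mfa_age_minutes > max_mfa_age:
        return None, "step-up MFA required"

    # 3. Device and location context.
    if sensitive and not req.device_managed:
        return None, "managed device required"
    if req.geo_risk == "high":
        return None, "high-risk location"

    # 4. Sensitive actions need a justification and get a short JIT window.
    if sensitive and not req.justification:
        return None, "justification required"
    ttl = timedelta(minutes=30) if sensitive else timedelta(hours=8)
    return Grant(req.subject, req.resource, req.action, now + ttl), "granted"


def is_valid(grant: Grant, now: Optional[datetime] = None) -> bool:
    """Grants are checked again whenever they are used; expiry ends them."""
    now = now or datetime.now(timezone.utc)
    return now < grant.expires_at


if __name__ == "__main__":
    req = AccessRequest("alice", "payroll-db", "admin", True, 5, "low", "CHG-1001")
    grant, reason = evaluate(req)
    print(reason, grant.expires_at if grant else None)
```

Note that the deny reasons are ordered so the cheapest check (entitlement) runs first and that an expired grant is not renewed automatically: the requester has to go back through evaluate(), which is what turns standing access into repeated, auditable decisions.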
Privilege Success Factors:
- Auto-detection for privilege changes
- Policy-driven privilege processes
- Flexibility to allow secure, temporary access
STEP 1: Create inventory of all identities to be brought into governance.
STEP 2: Review business processes.
STEP 3: Automate collection of entitlement information, so that entitlements are verified against collected records rather than assumed, significantly reducing the implicit trust that would otherwise underpin your entitlement ecosystem.
Cover Your Assets:
- Group Memberships
- Identities that are new, added, changed, or have moved
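One way to automate entitlement collection (STEP 3 above) and to realize the "auto-detection for privilege changes" success factor is to diff successive snapshots of group memberships and flag anything that touches privileged groups, any privileged identity with no accountable owner, and joiners and leavers. The Python below is an added example, not code from the page or from Hitachi ID; the two directory snapshots, the group names, the account names and the set of privileged groups are constructed for the illustration.

```python
"""Added example: detect privilege drift between two entitlement snapshots.
Snapshots, group names and the privileged-group list are constructed."""

# Groups whose membership confers administrative power (assumption for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "payroll-db-admins"}

# Constructed nightly exports (for instance from a directory or IAM connector).
# Each identity: the groups it belongs to, a named business owner, and its type.
SNAPSHOT_T0 = {
    "alice":      {"groups": {"staff", "payroll-db-admins"}, "owner": "hr-lead", "type": "human"},
    "bob":        {"groups": {"staff"},                      "owner": "it-lead", "type": "human"},
    "svc-backup": {"groups": {"backup-operators"},           "owner": "it-lead", "type": "service"},
    "dave":       {"groups": {"staff"},                      "owner": "it-lead", "type": "human"},
}
SNAPSHOT_T1 = {
    "alice":      {"groups": {"staff", "payroll-db-admins"}, "owner": "hr-lead", "type": "human"},
    "bob":        {"groups": {"staff", "Domain Admins"},     "owner": "it-lead", "type": "human"},
    "svc-backup": {"groups": {"backup-operators", "payroll-db-admins"}, "owner": None, "type": "service"},
    "carol":      {"groups": {"staff"},                      "owner": "hr-lead", "type": "human"},
}

# Finding kinds that must be approved or revoked by a person or a policy engine.
REVIEW_KINDS = {"privileged_group_added", "privileged_without_owner"}


def diff_entitlements(before, after, privileged=PRIVILEGED_GROUPS):
    """Return (kind, identity, detail) findings describing what changed between snapshots."""
    findings = []
    for ident, rec in after.items():
        prev = before.get(ident)
        if prev is None:
            findings.append(("new_identity", ident, rec["type"]))  # joiner
            added, removed = rec["groups"], set()
        else:
            added = rec["groups"] - prev["groups"]
            removed = prev["groups"] - rec["groups"]
        for g in sorted(added):
            kind = "privileged_group_added" if g in privileged else "group_added"
            findings.append((kind, ident, g))
        for g in sorted(removed):
            findings.append(("group_removed", ident, g))
        # A privileged identity (human or service account) with nobody accountable
        # for it is a finding on its own, even if its groups did not change.
        if rec.get("owner") is None and rec["groups"] & privileged:
            findings.append(("privileged_without_owner", ident, rec["type"]))
    for ident in sorted(before.keys() - after.keys()):
        findings.append(("identity_removed", ident, before[ident]["type"]))  # leaver
    return findings


def needs_review(findings):
    """The subset of findings that requires explicit approval or revocation."""
    return [f for f in findings if f[0] in REVIEW_KINDS]


if __name__ == "__main__":
    for finding in diff_entitlements(SNAPSHOT_T0, SNAPSHOT_T1):
        print(*finding)
```

Run nightly against the previous export, the review subset is what feeds an approval workflow or an automatic revoke-and-notify; the remaining findings are the joiner/mover/leaver evidence that keeps the inventory current.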
The Journey Continues ...
Reduced Trust is a sustainable stepping stone you can reach on your Zero Trust journey.
For continued success, you need a Zero Trust security model that leverages the investments you already have (ITSM, SIEM, OT, IoT, etc.) by seamlessly integrating them for both input and output.
Zero Trust Worksheet
Embarking on a journey to build a zero-trust security model for your organization may feel daunting. Take the first step in planning your zero trust journey by using this worksheet to start a conversation with your stakeholders.
"We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyber attack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever."
- Dr. Larry Ponemon
Chairman and Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy, data protection and information security practices.
The Challenges of Zero Trust Security
Zero Trust is a program, not a project. While that may sound intimidating at first, you can approach it with small-but-actionable steps (like Reduced Trust) over a reasonable timeframe to achieve it at your own pace. Even so, there are some adversities you might encounter during your Zero Trust program.
Challenges Along Your Zero Trust Journey
Technical hurdles with legacy systems
Political challenges from admins over least privilege and loss of autonomy
Perceived friction in integrations across hybrid cloud, applications, devices, and more
Fear of change moving from silos to a data-centric model
Getting started with so many approaches, solutions, and implementations
What companies say:
“With 70+ systems to integrate, we need an adaptable API that can play nice with our complex environment.”
“We need professional services with a security solution that can be easily integrated into our environment and customized to our specific needs.”
“Moving from VPN to Zero Trust seems like an impossible task when I am not even sure my legacy system is compatible with least privilege.”
“Access management security solutions require so many vendors and program deployments. It can be costly, time-consuming, and hard to manage!”
"The health sector continuously gets pummeled by malicious actors and hackers because their cyber-kinetic security is being managed by 'Participation Trophy' winning wimps!"
- James Scott
Senior Fellow, Institute for Critical Infrastructure Technology
4-Stage Zero Trust Security Assessment
This four-stage Zero Trust maturity pre-assessment will help you identify what stage your organization is in on a journey towards operational Zero Trust Security alignment.
STAGE 1 : Fragmented Identity
- High reliance on the perimeter
- Active Directory on-premises only
- No cloud integration
- Passwords everywhere
STAGE 2 : Unified IAM
- Single sign-on across employees, contractors, and partners
- Contemporary multi-factor authentication
- Cooperative policies across applications and servers
- Vaulting and randomizing of privileged accounts
STAGE 3 : Contextual Access
- Context-based access policies
- Automated joiner/mover/leaver processes, including de-provisioning of leavers
- Group Management
- Multiple factors deployed across users
- Secure access to APIs
- Safeguarding services, non-human accounts, containers
STAGE 4 : Adaptive Access
- Risk-based access guidelines
- Adaptive and continuous authorization and authentication
- Frictionless access
- Diminished emphasis on the perimeter
- Just-In-Time (JIT) access
- Centralized provisioning
"Let’s face it: the future is now. We are already living in a cyber society, so we need to stop ignoring it or pretending that is not affecting us."
- Marco Ciappelli
Co-Founder of ITSPmagazine
How to implement Zero Trust Security in 6 steps
This six-step Zero Trust Maturity Model (ZTMM) is adaptable and proven to help you advance toward your new IAM and PAM standard. Start discovering the benefits of a singular, powerful, and layered solution for your evolving Zero Trust paradigm with this strategy.
STEP 1 : Rally a dedicated Zero Trust team.
Zero Trust is one of the most transformative actions an organization can undertake. You may be tempted to cast a wide net by making Zero Trust an organization-wide strategic initiative, but this can dilute its urgency and slow the process, as the work ends up ranked below everyone's existing priorities.
Instead, appoint a small team tasked with planning and implementing your Zero Trust migration. This team should include internal members from:
- Applications and data security
- Network and infrastructure security
- User and device identity
STEP 2 : Assess the environment.
Taking an inventory of all devices that access your network is critical, even if you may not be able to compile a fully comprehensive and complete view of your infrastructure. Your inventory should include devices owned by your organization and those that are not. Moreover, simply cataloging this information is not enough; you must understand these devices’ security status and the controls around them as well.
In addition to devices, your organization should also look beyond hardware across resources to software and users, including:
- Groups and group memberships
- New, added, changed, or moved identities
- Non-human (application and service accounts)
- Virtual machines and containers
STEP 3 : Review the available technology.
The National Institute of Standards and Technology (NIST) identifies three main approaches to implementing a Zero Trust Architecture (ZTA) in SP 800-207: enhanced identity governance, micro-segmentation, and network infrastructure with software-defined perimeters. Of these, identity governance through IAM offers one of the most expedient and cost-effective ways to launch your Zero Trust journey.
STEP 4 : Strategically plan your integral Zero Trust Security activities.
Security Fabric Framework
As no two organizations are the same, we recommend adopting this structure as a planning aide for your Zero Trust program:
- Start with multi-factor, adaptive authentication, and single sign-on (SSO)
With the resurgence of de-perimeterization, the benefits of these controls are easy to see early in the process, especially where a remote workforce relies increasingly on software-as-a-service (SaaS).
- Move to privileged access
In light of recent headlines and strong regulatory obligations, this step is also an early necessity. Attackers are not breaking in; they are logging in, then finding ways to move laterally and elevate access. Vaulting and randomizing the passwords of highly privileged accounts is an effective deterrent against such tactics: a credential captured in one session is no longer valid once it has been rotated.
- Build out your identity fabric, which ideally consists of a set of components such as microservices and containers; beyond the essential services, other pieces may be necessary for your organization, including:
- Leverage this Security Fabric Framework
This methodology is versatile, collaborative, and driven by use cases and business needs. Furthermore, it establishes your ZTA as a program, not a project, with tightly knit components.
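The "vaulting and randomizing" control in the privileged-access step above can be shown in miniature: a vault that releases a privileged password only for an exclusive, time-limited checkout tied to a ticket, and rotates the password on every check-in or expiry, so a password captured during one session cannot be reused to log in or move laterally later. This Python class is an added example, not Hitachi ID's implementation; the account names, the 24-character password format, the 30-minute checkout window and the ticket requirement are assumptions.

```python
"""Added example: a minimal privileged-credential vault with exclusive checkout
and rotation on check-in. Account names, window length and the ticket rule are assumed."""
import secrets
import string
from datetime import datetime, timedelta, timezone


class PrivilegedVault:
    def __init__(self, accounts, checkout_ttl=timedelta(minutes=30)):
        # Randomize every managed account at onboarding: nobody ever knows a standing password.
        self._passwords = {a: self._random_password() for a in accounts}
        self._checkouts = {}          # account -> (user, expires_at)
        self.checkout_ttl = checkout_ttl
        self.audit = []               # append-only trail: who held which account, when, why

    @staticmethod
    def _random_password(length=24):
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def checkout(self, account, user, ticket, now):
        """Release the password to one user, for one ticket, for checkout_ttl."""
        if account not in self._passwords:
            raise KeyError(account)
        if not ticket:
            raise PermissionError("a change or incident ticket is required")
        self.expire(now)  # release (and rotate) anything whose window already lapsed
        if account in self._checkouts:
            holder, _ = self._checkouts[account]
            # Exclusive use keeps every action attributable to one person.
            raise PermissionError(f"{account} is checked out to {holder}")
        self._checkouts[account] = (user, now + self.checkout_ttl)
        self.audit.append(("checkout", account, user, ticket, now))
        return self._passwords[account]

    def checkin(self, account, now):
        """End the session and rotate: the password the user saw is now useless."""
        holder, _ = self._checkouts.pop(account, (None, None))
        self._passwords[account] = self._random_password()
        self.audit.append(("rotate", account, holder, None, now))

    def expire(self, now):
        """Force check-in, and therefore rotation, of every checkout past its expiry."""
        for account, (_, expires_at) in list(self._checkouts.items()):
            if now >= expires_at:
                self.checkin(account, now)

    def is_checked_out(self, account):
        return account in self._checkouts


if __name__ == "__main__":
    vault = PrivilegedVault(["root@db01"])
    t = datetime.now(timezone.utc)
    pw = vault.checkout("root@db01", "alice", "CHG-1001", t)
    vault.checkin("root@db01", t + timedelta(minutes=10))
    print("rotated:", pw != vault.checkout("root@db01", "alice", "CHG-1002", t + timedelta(minutes=11)))
```

In a real deployment the rotation step also pushes the new password to the target system; here it only changes what the vault will hand out next, which is enough to show why a credential dumped from memory after one checkout does not help an attacker at the next one.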
STEP 5 : Define operational changes.
Zero Trust strategy can fundamentally change security operations. For example, as tasks are automated, corresponding manual tasks might need to be modified or automated to keep pace and prevent security gaps. Disciplined change management practices will be important as each piece of the fabric gets stitched together, and the next steps take form.
STEP 6 : Implement, rinse, and repeat.
As your organization deploys new technologies, assess their value against security key performance indicators (KPIs), including the average time to contain incidents, which should decrease dramatically the closer an organization moves to Zero Trust.
"It takes 20 years to build a reputation and a few minutes of a cyber-incident to ruin it."
- Stephane Nappo
Global Head Information Security
Introducing Hitachi ID Bravura Security Fabric
Hitachi ID Bravura Security Fabric delivers an enterprise-grade solution to identity protection, built-in threat detection, and a singular identity, privileged access, and password platform. This all-in-one platform will bring absolute focus to implementing your Zero Trust approach.
The Hitachi ID Bravura Security Fabric is cloud, platform, and security system agnostic. It is a single open-architecture platform with the industry's most extensive organically grown connector portfolio. Hitachi ID Bravura Security Fabric offers a robust API platform to complete your security strategy, integrating natively with other security systems and implementations at whatever stage of your enterprise Zero Trust journey.
Singular, Powerful, and Layered. That’s Hitachi ID Bravura Security Fabric.
The fabric creates a centralized view to weave the patterns of functionality your organization needs to protect against continual threats and cover all aspects of your identity and access security program. As you uncover new identity and access threats or your roadmap evolves, simply turn services on or off as needed. Improve IT security, support internal controls and regulatory compliance, and lower administration and costs — all without installing other products.
Hitachi ID Bravura Security Fabric meets all of your digital identity and access security needs with industry-leading features and applications enterprises require. It’s packed with future-ready technological and architectural building blocks enhanced by decades of reliability to protect, manage, and govern your entire identity and access infrastructure for the next generation. All of this scalable capability comes bundled with Hitachi ID’s global support.
Zero Trust Benefits
Hitachi ID Bravura Security Fabric
- Solves the latest, evolving access management challenges
- Delivers the industry's only single platform for adaptive multi-factor authentication, IAM, and PAM
- Leverage the industry's most extensive organically grown ecosystem connector portfolio with seamless two-way integrations, offering a robust API platform to complete your security strategy
- Combine freely using the open-architecture solution, backed by genuinely agnostic integration support for all security platforms, implementations, and Zero Trust targets
- Uncover more with Hitachi ID Bravura Discover, which lets you assess threats and risks across systems, improving your response time and making your Zero Trust strategy more thorough
- Weave in and apply parts of the fabric over the course of your journey as you uncover unknown threats and your roadmap evolves
- Use optional automation and detection, governance and compliance, and analytics and reporting; turn services on or off as needed without installing other products
- Manage your access management and integrations, no matter which service created them
- Access one platform and framework that brings together all layers of Hitachi ID Bravura Security Fabric, including Identity, Privilege, Pass, and Group, plus a threat detection layer: Bravura Discover
- Gain visibility and threat intelligence across your entire ecosystem
- Work in partnership with Hitachi ID to create a comprehensive program that addresses your specific needs, with our global support helping you meet challenges at every step of the way
Zero Trust Blog Posts
Top Cybersecurity Outcomes a Zero Trust Security Model Delivers
Operating from the assumption that every user, request, and server remains untrusted until proven otherwise, a Zero Trust Architecture dynamically and continually assesses trust every time a user or device requests access to a resource. Your ...
Why Your Next Acquisition Needs Zero Trust
Acquisitions are complicated. Along with the excitement and new opportunities, mergers and acquisitions come with a long list of to-dos: combining teams, technology, services, solutions, and so on. With all of these action items to consider, cybersecurity ...
3 Signs Your Zero Trust Solution Provider Is a Trusted Advisor
To achieve cybersecurity success, organizations need more than the right technology platform; they need experts they can rely on to keep their systems protected and who are ready to advise and act quickly in the event of a breach.