Zero Trust Implementation is a Marathon, Not a Sprint

Although no one wants to say the quiet part out loud, security isn’t easy. If it were, there wouldn’t be so many successful cyberattacks. Virtually everyone agrees that the concepts behind the zero-trust security model make sense. Instead of assuming anyone or anything that has gained access to the network can be trusted, assume the opposite. Nothing can be trusted anywhere, whether outside or inside the network perimeter.

Zero trust sounds great on paper, but organizations have been slow to implement it. According to a recent ESG report, “The State of Zero trust Security Strategies,” only 13% of organizations have strong adherence to zero-trust principles and 54% have been working on zero trust for less than two years. Although 74% are very familiar with the concepts, 76% expect zero trust to be complex to implement.

It’s easy to get bogged down in the technology and wallow in complexity. How are you supposed to get yet another product or suite of products integrated into an already challenging networking environment?

The key is to take it one step at a time and do what you can do with the resources you have. Most organizations already have some elements of zero trust, such as restricting access to applications or multi-factor authentication. You can start with improving what you have and then add more zero-trust capabilities over time.

Embracing a Zero-Trust Mindset

At its heart, zero trust is a philosophy or a mindset, not a specific product. No matter where you are on the zero-trust journey, you can be doing more to enhance your security posture through zero-trust security approaches and frameworks.

With zero trust, the core idea is that every device on your network is potentially infected, and any user is capable of compromising critical resources. With that new paradigm in mind, your focus is always on knowing exactly who and what is on the network at any given moment. Secondly, you need to ensure that those users and devices are only provided with the minimum level of access for them to do their job. And finally, any resources they need should only be accessed on a “need- to-know” basis, regardless of their person’s location or function.

The first step is to understand what’s on the network by using network access control (NAC) to discover and identify each device that is on or seeking access to the network and ensure that it hasn’t already been compromised.

Microsegmentation is another key component of zero-trust. With network micro-segmentation, each device is assigned to an appropriate network zone based on a number of factors, including device type, function, and purpose within the network. And intent-based segmentation can intelligently segment devices based on specific business objectives, such as compliance requirements like GDPR privacy laws or PCI-DSS transaction protection.

User identity is another cornerstone of zero trust. Like devices, every user needs to be identified along with the role they play within an organization. The zero-trust model focuses on a “least access policy” that only grants a user access to the resources that are necessary for their role or job. And access to additional resources is only provided on a case-by-case basis. 

At this point, every organization should be using multifactor authentication, so if you’re not, this is a key area to improve. Authentication, authorization, and account (AAA) services, access management, and single sign-on (SSO) are used to identify and apply appropriate access policies to users based on their role within the organization. User identity can be further authenticated through user log-in, multi-factor input, or certificates, and then tied to role-based access control (RBAC) to match an authenticated user to specific access rights and services.

Start Where You Are

Authentication, controlling access, and user identity are all elements of zero trust. Beefing up what you already have can be a simple way to get going on your zero-trust journey sooner, rather than later. For example, you can go from authenticating once to authenticating every session. Add a firewall at an edge and one at your data center. Even better, a firewall that can handle both Zero-trust Network Access and SD-WAN at the same time. Or consider deploying more segmentation firewalls to create more zones to control. Take steps to better restrict access to your applications.

No matter where you are, there’s always more you can be doing to enhance your security posture through zero-trust concepts.  But make sure you do it correctly. The last thing you want to do is make it more difficult for people to do their jobs. So implement changes carefully and incrementally to minimize disruption.

Remember zero trust is a marathon, not a sprint. Although it may take a lot of work, it’s worth it in the end.

Learn more about Zero Trust solutions from Fortinet that enable organizations to see and control all devices, users, and applications across the entire network.