It's Not About the Perimeter Anymore: Getting Started with Zero Trust
April 07, 2021

David McKenna

Organizations need to show agility in the face of ever-changing economic, social, governmental, regulatory, and technology disruptions. Today, in the near post-COVID world, we can work, learn, and socialize from anywhere. The enterprise boundary has been extended beyond the DMZ to the cloud and to your home. This means we can't have a network perimeter-centric view of security anymore; instead, we need to securely enable access for the various users (employees, partners, contractors, etc.) regardless of their location, device, or network.

What is Zero Trust?

Zero Trust is a concept coined by John Kindervag in 2010 during his time as Principal Analyst for Forrester Research. A Zero Trust model replaces perimeter-centric security architecture. It ensures that security and access decisions are dynamically enforced based on identity, device, and user context. Zero Trust starts with a security posture of "deny by default," meaning organizations should not trust any entity inside or outside their network perimeter at any time.

How to Start

How do you go about adopting Zero Trust in your organization? Here are the key steps:

Tie to business

Avoid using "Zero Trust" as a term to justify security investments to business stakeholders. Talk about how adopting Zero Trust will enable new digital business, cloud, and mobile initiatives. You're here to enable the business not hinder it. Talk about the end state where you have established Zero Trust and you're continuously assessing risk and trust that will adapt to the changing context — no business leaders want to be associated with SolarWinds-type headlines.

Choose the right project or initiative

Zero Trust can be difficult and time-consuming to set up. To get started, look for applications or networks that you don't run inside your managed perimeter or data center. For instance, those might be applications that are hosted or supplied by cloud providers. Inside your managed perimeter you will find systems of record that are slow and difficult to change. Outside, you'll find there are systems of innovation not burdened by legacy architecture, making them easier to change.

Start small

Don't expect to Zero Trust your entire enterprise all at once — this is next to impossible and will fail. You'll need time to consider and plan how to segment data and applications, verify devices and users, gain end-to-end visibility of your entire enterprise, and wrangle legacy systems. Start small with an access scenario where the Zero Trust model will generate the biggest value. Do this as quickly as possible. Prove out the model, show some success, and start your stakeholders along the journey.

Learn from others

The security vendors used in your enterprise will offer advice on Zero Trust. There are also federal recommendations: The National Institute of Standards and Technology (NIST) provides a guide with general deployment models and use cases where Zero Trust could improve overall information technology security posture. Analyst firms regularly provide guidance on the concept. Gartner's point of view is called Continuous Adaptive Risk and Trust Assessment (CARTA).

User experience

Consider the user experience as well as security. Workforce habits are changing, and this change accelerated during COVID. People expect ease of access, whether they're using a cloud-based service or "internal" data. Traditional tools like VPNs are clunky and frustrating to use. With many new perimeters to secure, and boundaries that have become ephemeral and nebulous, you should aim to make it easy for users to access with appropriate guardrails.

Technical Steps

After you identify the small project or initiative to start with and have a plan in place, it's time to turn to the technology side of Zero Trust:

■ First and foremost, educate your employees on risk.

■ Avoid punching holes in your perimeter with a VPN. Provide your users with application-only access, not network access. Only grant access to the applications users' need for their role. Base this access on entitlement, user identity, device posture, authentication, and authorization.

■ Figure out the right Identity and Access Management for your organization. MFA is mandatory, and the core technology for Zero Trust.

■ Isolate your network infrastructure from the internet — the safest machine in the world is a disconnected one. Know how to distinguish between managed and unmanaged devices connecting to your network.

■ Enable threat protection on incoming traffic, invest in Layer 7 proxies for establishing trust and verifying content (API Management, WAF, etc.).

■ Proactively monitor network and application access activity logs to detect anomalies.

Prepare and Practice

Breaches happen, and mistakes will be made. How ready is your incident response process? Have you tested it with a game-day scenario? Remember that implementing a Zero Trust approach to security in your organization is not a one-time event: continuously evolve your security posture to meet an ever-changing landscape.

David McKenna is Senior VP Engineering at Axway
Share this

Industry News

September 27, 2022

DevOps Institute will host SKILup Festival in Singapore on November 15, 2022.

September 27, 2022

Delinea announced the latest release of DevOps Secrets Vault, its high-speed vault for DevOps and DevSecOps teams.

September 27, 2022

The Apptainer community announced version 1.1.0 of the popular container system for secure, high-performance computing (HPC). Improvements in the new version provide a smaller attack surface for production deployments while offering features that improve and simplify the user experience.

September 26, 2022

Secure Code Warrior unveiled Coding Labs, a new mechanism that allows developers to more easily move from learning to applying secure coding knowledge, leading to fewer vulnerabilities in code.

September 26, 2022

ActiveState announced the availability of the ActiveState Artifact Repository.

September 26, 2022

Split Software announced the availability of its Feature Data Platform in the Microsoft Azure Marketplace.

September 22, 2022

Katalon announced the launch of the Katalon Platform, a modern and comprehensive software quality management platform that enables teams of any size to easily and efficiently test, launch, and optimize apps, products, and software.

September 22, 2022

StackHawk announced its Deeper API Security Test Coverage release.

September 21, 2022

Platform9 announced the launch of its latest open source project, Arlon.

September 21, 2022

Redpanda Data announced Redpanda Console.

September 21, 2022

mabl announced its availability as a private listing on Google Cloud Marketplace.

September 21, 2022

Zesty announced a $75 million Series B funding round led by B Capital and Series A investor Sapphire Ventures.

September 20, 2022

Opsera, the Continuous Orchestration platform for DevOps, announced a free trial of its no-code Salesforce Release Management platform for fast and secure Salesforce releases.

September 20, 2022

Sysdig announced ToDo and Remediation Guru.

September 20, 2022

AutoRABIT announced CodeScan Shield.