It's Not About the Perimeter Anymore: Getting Started with Zero Trust
April 07, 2021

David McKenna
Axway

Organizations need to show agility in the face of ever-changing economic, social, governmental, regulatory, and technology disruptions. Today, in the near post-COVID world, we can work, learn, and socialize from anywhere. The enterprise boundary has been extended beyond the DMZ to the cloud and to your home. This means we can't have a network perimeter-centric view of security anymore; instead, we need to securely enable access for the various users (employees, partners, contractors, etc.) regardless of their location, device, or network.

What is Zero Trust?

Zero Trust is a concept coined by John Kindervag in 2010 during his time as Principal Analyst for Forrester Research. A Zero Trust model replaces perimeter-centric security architecture. It ensures that security and access decisions are dynamically enforced based on identity, device, and user context. Zero Trust starts with a security posture of "deny by default," meaning organizations should not trust any entity inside or outside their network perimeter at any time.

How to Start

How do you go about adopting Zero Trust in your organization? Here are the key steps:

Tie to business

Avoid using "Zero Trust" as a term to justify security investments to business stakeholders. Talk about how adopting Zero Trust will enable new digital business, cloud, and mobile initiatives. You're here to enable the business not hinder it. Talk about the end state where you have established Zero Trust and you're continuously assessing risk and trust that will adapt to the changing context — no business leaders want to be associated with SolarWinds-type headlines.

Choose the right project or initiative

Zero Trust can be difficult and time-consuming to set up. To get started, look for applications or networks that you don't run inside your managed perimeter or data center. For instance, those might be applications that are hosted or supplied by cloud providers. Inside your managed perimeter you will find systems of record that are slow and difficult to change. Outside, you'll find there are systems of innovation not burdened by legacy architecture, making them easier to change.

Start small

Don't expect to Zero Trust your entire enterprise all at once — this is next to impossible and will fail. You'll need time to consider and plan how to segment data and applications, verify devices and users, gain end-to-end visibility of your entire enterprise, and wrangle legacy systems. Start small with an access scenario where the Zero Trust model will generate the biggest value. Do this as quickly as possible. Prove out the model, show some success, and start your stakeholders along the journey.

Learn from others

The security vendors used in your enterprise will offer advice on Zero Trust. There are also federal recommendations: The National Institute of Standards and Technology (NIST) provides a guide with general deployment models and use cases where Zero Trust could improve overall information technology security posture. Analyst firms regularly provide guidance on the concept. Gartner's point of view is called Continuous Adaptive Risk and Trust Assessment (CARTA).

User experience

Consider the user experience as well as security. Workforce habits are changing, and this change accelerated during COVID. People expect ease of access, whether they're using a cloud-based service or "internal" data. Traditional tools like VPNs are clunky and frustrating to use. With many new perimeters to secure, and boundaries that have become ephemeral and nebulous, you should aim to make it easy for users to access with appropriate guardrails.

Technical Steps

After you identify the small project or initiative to start with and have a plan in place, it's time to turn to the technology side of Zero Trust:

■ First and foremost, educate your employees on risk.

■ Avoid punching holes in your perimeter with a VPN. Provide your users with application-only access, not network access. Only grant access to the applications users' need for their role. Base this access on entitlement, user identity, device posture, authentication, and authorization.

■ Figure out the right Identity and Access Management for your organization. MFA is mandatory, and the core technology for Zero Trust.

■ Isolate your network infrastructure from the internet — the safest machine in the world is a disconnected one. Know how to distinguish between managed and unmanaged devices connecting to your network.

■ Enable threat protection on incoming traffic, invest in Layer 7 proxies for establishing trust and verifying content (API Management, WAF, etc.).

■ Proactively monitor network and application access activity logs to detect anomalies.

Prepare and Practice

Breaches happen, and mistakes will be made. How ready is your incident response process? Have you tested it with a game-day scenario? Remember that implementing a Zero Trust approach to security in your organization is not a one-time event: continuously evolve your security posture to meet an ever-changing landscape.

David McKenna is Senior VP Engineering at Axway
Share this

Industry News

March 18, 2024

Kubiya.ai announces the launch of its DevOps Digital Agents.

March 18, 2024

Aviatrix® introduced Aviatrix Distributed Cloud Firewall for Kubernetes, a distributed cloud networking and network security solution for containerized enterprise applications and workloads.

March 18, 2024

Stride announces the general availability of Stride Conductor, its new autonomous coding product that transforms the software development landscape.

March 14, 2024

CircleCI unveiled CircleCI releases, which enables developers to automate the release orchestration process directly from the CircleCI UI.

March 13, 2024

Fermyon™ Technologies announces Fermyon Platform for Kubernetes, a WebAssembly platform for Kubernetes.

March 13, 2024

Akuity announced a new offer targeted at Enterprises and businesses where security and compliance are key.

March 13, 2024

New Relic launched new capabilities for New Relic IAST (Interactive Application Security Testing), including proof-of-exploit reporting for application security testing.

March 12, 2024

OutSystems announced AI Agent Builder, a new solution in the OutSystems Developer Cloud platform that makes it easy for IT leaders to incorporate generative AI (GenAI) powered applications into their digital transformation strategy, as well as govern the use of AI to ensure standardization and security.

March 12, 2024

Mirantis announced significant updates to Lens Desktop that makes working with Kubernetes easier by simplifying operations, improving efficiency, and increasing productivity. Lens 2024 Early Access is now available to Lens users.

March 12, 2024

Codezero announced a $3.5 million seed-funding round led by Ballistic Ventures, the venture capital firm dedicated exclusively to funding entrepreneurs and innovations in cybersecurity.

March 11, 2024

Prismatic launched a code-native integration building experience.

March 07, 2024

Check Point® Software Technologies Ltd. announced its Check Point Infinity Platform has been ranked as the #1 Zero Trust Platform in the latest Miercom Zero Trust Platform Assessment.

March 07, 2024

Tricentis announced the launch and availability of SAP Test Automation by Tricentis as an SAP Solution Extension.

March 07, 2024

Netlify announced the general availability of the AI-enabled deploy assist.

March 07, 2024

DataStax announced a new integration with Airbyte that simplifies the process of building production-ready GenAI applications with structured and unstructured data.