It's Not About the Perimeter Anymore: Getting Started with Zero Trust
April 07, 2021

David McKenna

Organizations need to show agility in the face of ever-changing economic, social, governmental, regulatory, and technology disruptions. Today, in the near post-COVID world, we can work, learn, and socialize from anywhere. The enterprise boundary has been extended beyond the DMZ to the cloud and to your home. This means we can't have a network perimeter-centric view of security anymore; instead, we need to securely enable access for the various users (employees, partners, contractors, etc.) regardless of their location, device, or network.

What is Zero Trust?

Zero Trust is a concept coined by John Kindervag in 2010 during his time as Principal Analyst for Forrester Research. A Zero Trust model replaces perimeter-centric security architecture. It ensures that security and access decisions are dynamically enforced based on identity, device, and user context. Zero Trust starts with a security posture of "deny by default," meaning organizations should not trust any entity inside or outside their network perimeter at any time.

How to Start

How do you go about adopting Zero Trust in your organization? Here are the key steps:

Tie to business

Avoid using "Zero Trust" as a term to justify security investments to business stakeholders. Talk about how adopting Zero Trust will enable new digital business, cloud, and mobile initiatives. You're here to enable the business not hinder it. Talk about the end state where you have established Zero Trust and you're continuously assessing risk and trust that will adapt to the changing context — no business leaders want to be associated with SolarWinds-type headlines.

Choose the right project or initiative

Zero Trust can be difficult and time-consuming to set up. To get started, look for applications or networks that you don't run inside your managed perimeter or data center. For instance, those might be applications that are hosted or supplied by cloud providers. Inside your managed perimeter you will find systems of record that are slow and difficult to change. Outside, you'll find there are systems of innovation not burdened by legacy architecture, making them easier to change.

Start small

Don't expect to Zero Trust your entire enterprise all at once — this is next to impossible and will fail. You'll need time to consider and plan how to segment data and applications, verify devices and users, gain end-to-end visibility of your entire enterprise, and wrangle legacy systems. Start small with an access scenario where the Zero Trust model will generate the biggest value. Do this as quickly as possible. Prove out the model, show some success, and start your stakeholders along the journey.

Learn from others

The security vendors used in your enterprise will offer advice on Zero Trust. There are also federal recommendations: The National Institute of Standards and Technology (NIST) provides a guide with general deployment models and use cases where Zero Trust could improve overall information technology security posture. Analyst firms regularly provide guidance on the concept. Gartner's point of view is called Continuous Adaptive Risk and Trust Assessment (CARTA).

User experience

Consider the user experience as well as security. Workforce habits are changing, and this change accelerated during COVID. People expect ease of access, whether they're using a cloud-based service or "internal" data. Traditional tools like VPNs are clunky and frustrating to use. With many new perimeters to secure, and boundaries that have become ephemeral and nebulous, you should aim to make it easy for users to access with appropriate guardrails.

Technical Steps

After you identify the small project or initiative to start with and have a plan in place, it's time to turn to the technology side of Zero Trust:

■ First and foremost, educate your employees on risk.

■ Avoid punching holes in your perimeter with a VPN. Provide your users with application-only access, not network access. Only grant access to the applications users' need for their role. Base this access on entitlement, user identity, device posture, authentication, and authorization.

■ Figure out the right Identity and Access Management for your organization. MFA is mandatory, and the core technology for Zero Trust.

■ Isolate your network infrastructure from the internet — the safest machine in the world is a disconnected one. Know how to distinguish between managed and unmanaged devices connecting to your network.

■ Enable threat protection on incoming traffic, invest in Layer 7 proxies for establishing trust and verifying content (API Management, WAF, etc.).

■ Proactively monitor network and application access activity logs to detect anomalies.

Prepare and Practice

Breaches happen, and mistakes will be made. How ready is your incident response process? Have you tested it with a game-day scenario? Remember that implementing a Zero Trust approach to security in your organization is not a one-time event: continuously evolve your security posture to meet an ever-changing landscape.

David McKenna is Senior VP Engineering at Axway
Share this

Industry News

November 30, 2023

Parasoft, a global leader in automated software testing solutions, today announced complete support for MISRA C++ 2023 with the upcoming release of Parasoft C/C++test 2023.2.

November 30, 2023 achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 29, 2023

CircleCI implemented a gen2 GPU resource class, leveraging Amazon Elastic Compute Cloud (Amazon EC2) G5 instances, offering the latest generation of NVIDIA GPUs and new images tailored for artificial intelligence/machine learning (AI/ML) workflows.

November 29, 2023

XM Cyber announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments.

November 29, 2023

PerfectScale has achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 28, 2023

BMC announced two new product innovations, BMC AMI DevX Code Insights and BMC AMI zAdviser Enterprise.

November 28, 2023

Rafay Systems announced the availability of the Rafay Cloud Automation Platform — the evolution of its Kubernetes Operations Platform — to enable platform teams to deliver automation and self-service capabilities to developers, data scientists and other cloud users.

November 28, 2023

Bitrise is integrating with Amazon Web Services (AWS) to provide compliance-conscious companies with greater access to CI/CD capabilities for mobile app development.

November 28, 2023

Armory announced a new unified declarative deployment capability for AWS Lambda.

November 27, 2023

Amazon Web Services (AWS) and Salesforce announced a significant expansion of their long standing, global strategic partnership, deepening product integrations across data and artificial intelligence (AI), and for the first time offering select Salesforce products on the AWS Marketplace.

November 27, 2023

Veracode announced product innovations to enhance the developer experience. The new features integrate security into the software development lifecycle (SDLC) and drive adoption of application security techniques in the environments where developers work.

November 27, 2023

Couchbase announced a new Capella columnar service on Amazon Web Services (AWS), enabling organizations to harness real-time analytics to build adaptive applications.

November 21, 2023

Redgate announced the launch of Redgate Test Data Manager, which simplifies the challenges that come with Test Data Management (TDM) and modern software development across multiple databases.

November 21, 2023

mabl announced an integration with GitLab, the AI-powered DevSecOps platform.

November 21, 2023

FusionAuth announced the availability of new software development kits (SDKs) that support Angular, React and Vue JavaScript front-end frameworks.