May 26, 2022
How Zero-Trust Architecture Improves Data Protection
A security architecture that removes implicit trust can help organizations defend against cyberthreats.
IN THIS ARTICLE
Zero Trust Provides Effective Protection
CISA Guidance on Zero Trust
A Changing Cybersecurity Landscape
The world of IT shifted dramatically during the COVID-19 pandemic, with more users working remotely and an increase in the number of devices used by each person. At the same time, organizations moved a large portion of their workloads to applications and data that resides outside their secured network perimeter. This includes both cloud-based services and the adoption of microservices that serve as fundamental building blocks of business processes. Following the path of data through these diverse new technologies is quite complex, creating a challenging environment in which technology leaders must manage users, data and workloads.
The nature of the data being used has also changed significantly. Organizations continue to rely on traditional, structured databases for transactional systems, but those databases are now supplemented by the growth of unstructured data — such as text, photos, video and audio — that is often not stored in systems managed by central IT departments. For many organizations, data also resides in “shadow IT” cloud services that have been adopted by business units without the knowledge or assistance of central IT teams. Data is everywhere, and protecting it poses a significant challenge.
Most business leaders expect that these changes are more than passing responses to pandemic workstyles and that many of these changes will persist as users become accustomed to new, flexible work patterns. This moves organizations toward flexible approaches to technology that shift workloads between in-house data centers and external cloud environments. Moving data and applications outside the traditional perimeter renders perimeter-focused network security controls obsolete.
Attackers have also grown more sophisticated in recent years. Cybercrime is no longer a hobby; it is now a sustainable business model driven by ransomware and advanced persistent threats. Cybercriminals and state actors now identify prime targets and pursue them with sophisticated techniques. Threat actors may also leverage the cloud to gain the same flexibility and cost savings that motivate business cloud migrations.
Organizations seeking to survive and thrive in this evolving environment must deploy dynamic and flexible security controls that protect both users and data wherever they reside.
Drivers for Zero Trust
The modern threat landscape is increasingly diverse and sophisticated, moving organizations toward zero-trust models of network security.
Attackers are now well funded and organized into highly skilled teams of professionals. They operate with the full backing and resources of nation-state military units and intelligence agencies, and organized crime syndicates.
Cybercrime is a highly profitable business. From ransomware to zero-day exploits, talented hackers are able to leverage their skills on the black market, creating strong incentives to continue their work.
Cloud computing provides attackers with the same flexibility, agility and economies of scale that it offers to business customers. Attackers open accounts faster than providers can detect and remove them.
Zero-Trust Adoption Is Underway
100%
The percentage of technology leaders who believe that zero trust is important to reducing their enterprise cyber risk1
84%
The percentage of organizations that are either implementing or have fully implemented a zero-trust strategy2
93%
The percentage of organizations adopting zero trust that found the benefits matched or exceeded their expectations2
68%
The percentage of security decision-makers who say that the need to develop new security controls or practices is the greatest challenge to a zero-trust initiative3
Sources: 1Information Security Media Group, "Zero Trust Strategies for 2022," February 2022; 2fortinet.com, "Survey Reveals Challenges of Zero Trust Implementation," Jan. 12, 2022; 3darkreading.com, "Security Teams Struggle to Get Started with Zero Trust," March 18, 2022
Zero Trust Provides Effective Protection
A zero-trust approach to network security shifts away from approaches that implicitly trust certain users based on their network location. Rather, zero trust ensures that every request for access is validated against security rules that confirm the user’s identity. Instead of building a single perimeter around an organization’s entire network, zero trust uses microsegmentation to build a least-privilege network in which every user and system has its own perimeter. Users gain access to resources only after clearing strong authentication hurdles.
Zero trust brings many significant benefits to an organization:
- Builds on software-defined networking technology to flexibly deploy security policies based on changing requirements
- Standardizes security controls to protect against both known and emerging threats
- Drives culture change toward a security-first mindset
- Provides highly granular and customizable policies that enable least-privilege approaches to security
In addition to these clear security benefits, zero-trust approaches also improve the efficiency of organizations. By implementing seamless user access controls, organizations improve the ability of team members to access and use data, advancing their goals to adopt a DevOps philosophy. IT leaders need to do more than simply secure data and workloads; they also need to enable their use. Zero trust done right serves as an accelerator for progressive organizations.
CISA Guidance on Zero Trust
As organizations begin to adopt a zero-trust philosophy, leaders benefit by measuring their progress against established benchmarks. The federal government’s Cybersecurity and Infrastructure Security Agency (CISA) has published a draft Zero Trust Maturity Model to support organizations in their transition. The model contains five pillars on which a zero-trust strategy can be built.
Identity
Identity forms the core of any zero-trust initiative. Other security controls can make informed, contextual security decisions only if they have confidence in a user’s identity. The technologies that support this pillar include multifactor authentication (MFA), identity management, visibility into user behavior, identity and permit administration, and risk assessment.
Device
A zero-trust approach must also be able to validate the integrity of the devices used by authenticated individuals. Technologies such as configuration management, real-time risk analysis, asset management, and endpoint detection and response platforms are used to manage the security of these devices.
Network/Environment
Zero trust moves the enforcement of security policies away from networks and perimeters and closer to the applications and services themselves. But networks continue to play an important role, and the technologies used to protect them include network segmentation and microsegmentation, encryption, machine learning–based threat protection and infrastructure as code.
Application Workload
Traditional network security controls focus heavily on network traffic flows and leave application security to other disciplines. Zero trust tightly integrates network and application security using technologies such as continuous access authorization, application security testing, and dynamic application health and security monitoring.
Data
Zero trust embraces a data-centric approach to security in which security controls focus on protecting data wherever it resides. The technologies and business processes supporting this pillar include data inventories, least-privilege access controls, end-to-end encryption, event logging, and consistent and validated data backup.
Adaptive Cybersecurity Controls
The cybersecurity threat environment changes constantly. Adaptive cybersecurity controls are designed to flex with these changes by monitoring systems and networks in real time and automatically implementing countermeasures when new threats arise. Here are a few examples of how security operations center (SOC) teams can leverage adaptive controls as part of a zero-trust approach.
EVALUATE the riskiness of user login requests in real time and require additional authentication when warranted. For example, users who suddenly change geographic location might be forced to reauthenticate with MFA.
MONITOR data access requests for behavior that deviates from normal baselines. This technology might quickly detect and block attempts to download large stores of sensitive information, for example.
FLAG suspicious user activity for review by the SOC’s cybersecurity analysts. Artificial intelligence techniques can quickly identify the riskiest behaviors, enabling analysts to focus on what matters most.
OBSERVE network traffic for unusual flows between systems that do not normally communicate. Quickly implement firewall rules to block suspicious traffic pending further investigation.
CDW can help your organization apply this guidance to implement a zero-trust approach to security.
Achieving Zero Trust
The CISA Maturity Model offers a valuable framework for zero-trust initiatives, but organizations may wish to consider other guidance as well.
NIST SP 800-207
In August 2020, the National Institute of Standards and Technology released Special Publication 800-207 covering zero-trust architecture. This document helps organizations gain a better understanding of zero trust and provides a roadmap they can use to implement security controls that support a strong zero-trust program. The publication offers deployment models and use cases describing how zero trust can improve an organization’s security posture.
NIST SP 800-207 includes the following important elements:
- Zero-trust basics
- Logical components of zero-trust architecture
- Deployment scenarios and use cases
- Threats associated with zero-trust architecture
- Interactions with existing guidance
- Migrating to a zero-trust architecture
NCCoE Guidance
More guidance is on the way, as zero-trust architecture continues to be a focus of academic, government and private-sector research. The National Cybersecurity Center of Excellence (NCCoE) is leading a public-private partnership designed to implement NIST SP 800-207 using real-world examples.
The goal of this effort is to reduce the complexity of zero-trust deployments and provide organizations across industries with detailed advice on how they can deploy zero-trust principles. The project will create sample deployments that integrate both commercial and open-source products to serve as practical models for cybersecurity professionals.
The Importance of Assessment
One of the most important ways an organization can prepare for a zero-trust initiative is to assess its current policies and practices for managing identity and access. This type of assessment helps identify the systems and processes that the organization can rightly trust. Without this assessment, it’s very likely that an initiative will fail because it assumes that a process is trustworthy when, in fact, it may not be.
Federated identity management technology helps advance an organization’s zero-trust program by providing a consistent way to govern authentication and authorization for applications and communication between systems. Standards such as OpenID and the Security Assertion Markup Language facilitate this work by enabling interoperability between disparate systems.
Some of the key questions organizations should ask as they conduct this assessment include:
- What data do we have?
- Where is our data located?
- What risks exist that might affect our data?
- How does data move between systems and applications?
- Do we have appropriate monitoring in place where our data resides?
- What patterns exist in how our data moves?
- How well have we incorporated identity information into decisions about data access?
Zero-trust assessments should also consider the organization’s internal culture. These programs are designed to help organizations think more clearly and deliberately about security issues, and that requires breaking down traditional IT silos. It also requires a holistic conversation that treats data and security as an end-to-end issue, involving participation from cybersecurity, networking, endpoint, application and data governance teams. The first step in an organization’s zero-trust journey is to tear down these silos and facilitate interdisciplinary conversations about data and access.
Help with Zero Trust and Data Security
CDW offers a variety of services that can help organizations understand the role of zero trust and accelerate their progress in achieving a security environment aligned with zero-trust principles.
A readiness assessment can help your organization evaluate the current strengths of its zero-trust program and develop a roadmap for improvement. CDW’s networking and security experts will help your organization align with industry best practices and ensure that it has the right technologies in place to support zero-trust principles.
Zero-trust workshops will bring together your organization’s technology leaders with CDW subject matter experts to identify the goals and objectives of your initiative. These workshops will define zero trust in the context of your organization and set expectations for zero-trust efforts.
Penetration testing involves efforts by CDW security experts to validate the results of a vulnerability scan by playing the role of an attacker and attempting to exploit any vulnerabilities detected. This simulated attack provides deep insight into your organization’s security posture and serves as a test of your existing security controls, including those intended to support a zero-trust approach.
In addition to these services, CDW experts can provide support for a wide variety of cybersecurity initiatives including the deployment and use of identity and access management, extended detection and response, and managed detection and response solutions. CDW’s professionals can also assist with business continuity, and governance, risk and compliance efforts.
Story by
Jeremy Weiss
Buck Bell, who leads CDW’s Global Security Strategy Office. He brings 20-plus years of experience in cybersecurity and risk management to the role. Prior to CDW’s acquisition of Focal Point Data Risk, Buck served as executive vice president of Focal Point’s Technology Integration division, leading efforts on identity and access management (IAM), data analytics, SIEM and elements of cloud security. Before joining Focal Point, Buck led IAM Consulting at Optiv Security, where he led a team of 110 across consulting, PMO and India Operations. These experiences have given him insight into all aspects of the risks and opportunities CISOs and security leaders encounter in delivering speed and value to business objectives.
Jeremiah Salzberg