On April 25 at RSAC 2023 in San Francisco, I presented a playbook for actualizing the National Institute of Standards and Technology (NIST) zero trust architecture (ZTA) framework, as detailed in NIST’s special publication 800-207. I reviewed how and why the security industry trust model evolved from network-centric to zero trust and how organizations can adapt their processes to meet the demands of the modern-day threat landscape.
The evolution of trust and the failure of the network-centric security model
In the 1990s, when AOL was the world’s most visited website, and corporate networks were flat, widely trusted, and considered safe, trust was a simple concept. Either you were on the corporate network, or you weren’t. The internet was nascent and considered unsafe by most organizations.
This trust model was widely adopted to a point where hardware manufacturers delineated firewall network interfaces as either trusted or untrusted. If you were inside the firewall, you were trusted; if you were outside the firewall, you were untrusted. The following decades broadened the concept of trust by adopting wide area networks (WAN) and metropolitan area networks (MAN) in the 2000s.
The 2010s introduced internal network segmentation with virtual local area networks (VLANs) or different subnets with distinct purposes. But the adoption of Software-as-a-Service (SaaS) and cloud computing shook up the trust model. Additionally, more endpoints connected to virtual private networks (VPNs), specifically personal devices (BYOD) used by employees and third parties, further increased complexity and risk. This rudimentary trust model was stretched beyond its capabilities.
Zero trust architecture is built for any-to-any communication
In the 2020s, we were compelled to reimagine the concept of trust. The demands of any-to-any connectivity—workloads talking to workloads over application programming interfaces (APIs), users interacting with applications, and workloads communicating directly with the internet—pushed the network-centric security model past its limit.
The typical enterprise network wasn’t designed to handle complex communication flows, and it reached a breaking point. Performance and agility were sacrificed with backhauling network traffic. Technical debt has become overwhelming and impossible to effectively manage, resulting in ineffective policy enforcement. The culmination of these factors makes network-centric security models obsolete in the current threat landscape.
Enter zero trust, a critical architectural shift in cybersecurity. The idea behind traditional networks is to control everything. On the other hand, a secure and simplified zero trust architecture (ZTA) is designed to support any-to-any communication.
In contrast to routable networks, ZTA frameworks use a policy engine to make access decisions. Notice how inputs and rules feed into the policy engine in the image below. These provide contextual information for more sophisticated decision-making as connections are initiated. The inputs include continuous diagnostics and mitigation (CDM) systems, industry compliance systems, threat intelligence feeds, network and system activity logs, data access policies, enterprise public key infrastructures (PKIs), ID management systems, or security information and event management (SIEM) systems.
Four activities are initiated as traffic flows from inputs into a control plane. First, the traffic is decrypted, and the payload is examined. Second, where the traffic is coming from and where it’s going is determined. Third is enforcement: authenticating the traffic and authorizing it through policy decisions. And the final step is to broker the session, that is, establish, monitor, and ultimately terminate it.
Building your zero trust strategy
With an understanding of the ZTA framework, you can begin charting a course for your own zero trust strategy by breaking the process down into three steps: the why, the what, and the how.
1. The why: the key business and security drivers. It’s imperative to understand what is driving a transformation. Begin by creating two buckets: security drivers and business drivers. Security drivers include risk mitigation, cyber capabilities, orchestration, and technical debt. Business drivers include business objectives, agility, mergers and acquisitions, and revenue targets.
2. The what: define your north star. Once you have identified and parsed out security and business drivers, ask yourself what success looks like. From a security perspective, ask:
- What security outcomes do we hope to achieve?
- How will zero trust materially reduce cyber risk?
- Does zero trust mitigate our key risk drivers?
- What is our plan for cloud, BYOD, and remote work?
To drive business outcomes, ask:
- How is cybersecurity inhibiting business objectives?
- Which business initiatives can cybersecurity accelerate?
- How does zero trust help us meet revenue and corporate goals?
3. The how: developing your roadmap. You can begin outlining an ideal end state with your “why” in mind and desired outcomes defined. The inputs to your strategy will encompass comprehensive, relevant data on your security environment, organizational risk appetite, and overall vision.
Separate inputs into key risks you've identified in your organization, your audit findings and any compliance gaps, the technical maturity of your environment, trends impacting your operations, and the vision for your business.
The inputs ultimately inform your strategy and should be considered holistically in alignment with broader organizational strategies (IT, corporate, privacy, legal, etc.). Processing these inputs will ultimately build the outputs, i.e., your zero trust strategy.
Migrating to a zero trust architecture
Start by building conviction around initial use cases when ready to move from the conceptual zero trust strategy to the implementation plan. The first and simplest area to tackle is threat protection, which includes minimizing the attack surface. VPNs, for instance, extend networks, increasing the risk of a breach and resulting in a poor user experience—an easy target.
The second most common use case is data protection. Inspecting traffic at the packet level is essential. Encrypted traffic hides threats, risking data loss and exposure of sensitive information. A third common starting point is segmenting the network to prevent lateral movement, damage from misconfigurations, and exposed vulnerabilities.
Best practices for getting started with ZTA
I would sum up my keys to getting started with a zero trust implementation with three recommendations:
- Have a bias toward action: Analysis paralysis is real, so it’s best to move with urgency.
- Take the first step: Don’t boil the ocean. Build confidence with smaller, more attainable wins.
- Look for opportunities: Find ways to replace legacy technology throughout regular renewal cycles or as legacy hardware is end-of-lifed.
This doesn’t have to be a painstakingly long journey. In the first week, document the drivers for zero trust, and socialize these outcomes with your board and other stakeholders (the why) to ensure you align on priorities across your business. In the first three months, you should be building your north star architecture based on zero trust principles with a team of cross-functional, multi-disciplinary experts (the what). Within six months, you should be laser-focused on the “how”: develop your zero trust strategy, identify use cases, and implement zero trust to reduce risk, understand execution, and consider the plan holistically.
Moving from a network-centric security model to a ZTA is critical to securing your business and safeguarding it against future threats. Zero trust network access (ZTNA) is designed to get you there.
What to read next
Tailoring your zero trust transformation to your pain points