Zero Trust Architecture Best Practices

Zero Trust Architecture (ZTA) holds promise for enhancing the security stance of enterprises, yet uncertainties persist regarding its transformation process and practical implementation.

Best Practice #1 – Inventories

When embarking on a Zero Trust (ZT) transformation, it is crucial to establish a comprehensive inventory of data, applications, assets, and services (DAAS) in accordance with the National Security Telecommunications Advisory Committee (NSTAC) and Department of Defense (DoD) Zero Trust Reference Architecture. This inventory aids in understanding the baseline enterprise architecture and guides the steps required for ZT transformation, aligning with NIST’s perspective that views all data sources and computing services as resources.

Organizations must conduct various inventories before initiating ZT transformation efforts. These encompass inventories of enterprise assets, network subjects, data and its flows, and workflows for user activities. Regular updates to these inventories are essential to ensure ongoing accuracy and effectiveness, forming the foundation for future architectures aligned with ZT principles.

It is recommended conducting inventories within the first 90 days of a ZT transformation effort. This initial period should focus on establishing baselines for assets and device inventory, developing identity provider services, and inventorying and validating practices such as multi-factor authentication (MFA) and patching. These inventories enhance the organization’s understanding of its devices, networks, and interdependencies.

Emphasizing the significance of inventories, Ericom and ZScaler, key vendors in the ZT space, highlighted the need to identify assets, access points, and control points. Ericom specifically mentioned the importance of inventories in defining device inventory and asset interception. Additionally, ZScaler’s experts stressed the importance of participating in CISA’s Continuous Diagnostics and Mitigation (CDM) program to develop reliable asset inventories.

Best Practice #2 – Auditing/Logging

Effective implementation of dynamic Zero Trust (ZT) policies relies heavily on logging and auditing inventories. Maintaining a comprehensive audit trail is crucial for ensuring proper functionality and governance in a ZT network, enhancing integrity, security, and operational availability.

There is a need to focus on collecting data that emphasizes key indicators of compromise, such as user activity and firewall policies. Properly structured and fine-tuned logs should be continually leveraged for real-time monitoring and alerts, especially in the dynamic nature of Zero Trust Architecture (ZTA), where policy decision points (PDPs) and policy enforcement points (PEPs) rely on actionable intelligence from inside and outside the network.

A proper audit trail helps mitigate the risk of malicious actors altering log files to cover their tracks. The threat to logging and auditing should be a central consideration in ZT strategy and implementation, leading some vendors, like 1Kosmos, to adopt distributed ledgers to protect enterprise log files as required by ZTA. Additionally, organizations are advised to adhere to log retention policies, with Zscaler recommending keeping 12 months of active logs and 18 months of logs in cold storage.

Best Practice #3 – Governance and Risk

In the course of a Zero Trust (ZT) transformation, organizations encounter challenges at various stages, often stemming from a lack of a comprehensive understanding of ZT. A realistic grasp of the transformation’s objectives, along with an awareness of the affected organizational areas, is crucial in developing an effective ZT strategy, forming the foundation for the entire process.

Successful ZT initiatives necessitate proper funding, budgeting, a well-defined roadmap, and skilled personnel. A roadmap outlines the envisioned implementation of specific capabilities within a designated timeframe, requiring adequate financial resources and appropriately trained personnel.

Segmenting ZT initiatives into 90-day and yearly increments. The initial 90 days are vital for establishing a robust foundation, with subsequent years focusing on implementation, modification, and operation/optimization. Conducting small-scale pilot inventories during the initiative helps mitigate risks, allowing organizations to refine practices before full-scale ZT implementation.

Personnel allocation and expertise pose challenges during a ZT initiative. Organizations must ensure qualified personnel support the entire lifecycle, identifying competencies, addressing gaps through training or external expertise, and leveraging vendors like 1Kosmos, which offers an intuitive administrative experience backed by extensive documentation and training materials.

The importance of compatibility and interoperability was highlighted at the Zero Trust Industry Day event. Vendors recommended considering these factors throughout the transformation process and emphasized the role of application programming interfaces (APIs) in facilitating integration, supporting the dynamic and continuous nature essential for zero trust.

Best Practice #4 – Cloud and Virtual Solutions

Several solutions are available to transition core functionality services from on-premises resources to cloud and virtual resources. While cloud solutions are not universally considered more efficient or less expensive, cloud service providers assert their effectiveness in handling complex operational capabilities, particularly within the Identity and Device pillars of the CISA Zero Trust Maturity Model. Notably, cloud solutions can be effectively leveraged for implementing authentication and access management across the cloud, onsite infrastructures, and external devices, reducing the prevalence of Shadow IT and increasing asset visibility.

1Kosmos’s Mike Engle and Blair Cohen emphasized that remote access, operating systems, and single sign-on (SSO) gateways constitute 80 percent of the Multi-Factor Authentication (MFA) surface. Vendors at the Zero Trust Industry Day 2022 unanimously highlighted the importance of MFA, offering various services utilizing MFA through cloud/virtual computing.

Some vendor solutions enable organizations to move Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) into the cloud, enhancing visibility into network traffic and activities. These Zero Trust (ZT) edge solutions facilitate real-time access-related decision-making by observing traffic between subjects and cloud or on-premises resources. Certain vendors also provide hardware solutions for integrating resources into the cloud, offering improved perspectives for IT personnel over enterprise resources. These integration solutions contribute to ZT compliance, enhance Data, Applications, Assets, and Services (DAAS) inventories, and generate valuable logging and auditing data.

Best Practice #5 – Automation, Orchestration, and API

An optimal Zero Trust (ZT) maturity level encompasses continuous identity validation, device monitoring, encrypted traffic, and dynamic data policies, including the utilization of machine learning for data tagging. Achieving these practices effectively, such as maintaining inventories, auditing, logging, and implementing security measures, is significantly facilitated by automation and Application Programming Interfaces (APIs). Automation is particularly beneficial in phases two and four of the four-phase ZT journey—Prepare, Plan, Assess, and Implement—enhancing the speed and efficiency of resource inventorying during planning and aiding in operations and change management during implementation.

It is important to automating data categorization using tagging for managing access to sensitive data. Logging is another area where organizations can employ automation and orchestration to bolster cybersecurity detection and response, minimizing the need for extensive user interaction. While certain decisions can be automated, human involvement remains crucial, especially in interpreting data and understanding contextual events during auditing and logging processes.

Efficient automation empowers staff to make accurate policy decisions without constant manual intervention, offering significant benefits in terms of speed, efficiency, and overall effectiveness in various ZT journey phases.