Starter Guide: What is Zero Trust Architecture and Where Do You Start?

In 2009, John Kindervag founded a concept centered around a "Never trust, always verify" philosophy later coined as Zero Trust (ZT). ZT is an approach to security that relies on continuously verifying the trustworthiness of every device, user, and application in an enterprise. Over a decade since this security model was introduced to the world, it has been deemed too hard, time-consuming, or costly to implement by many organizations. 

However, if an organization smartly implements Zero Trust Architecture (ZTA) within its enterprise, then time and money will be saved in the long run. A great ZT strategy will:

• Reduce the risks of ransomware attacks
• Reduce the risks of paying hefty fines
• Reduce the chance of losing customer trust

In this blog, MetroStar has provided basic terminology, a simplified framework to set the stage, and added considerations for security teams to consider while implementing its new ZTA program. 

What is Zero Trust?

Zero Trust (ZT) is a holistic approach to security that spans across everything and everyone in an organization. Bill Harrod, VP of Public Sector at Ivanti, states, "The Zero Trust model enforces that only the right people or resources have the right access to the right data and services, from the right device, under the right circumstances."

The National Institute of Standards and Technology (NIST) defines Zero Trust as "the evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources."

Where Should You Find Zero Trust?

• ZT must be embedded into an organization's culture​
• ZT requires a top-down approach that helps executives and managers make major decisions to support risks and a bottom-up approach that empowers employees' risk identification, analysis, and tracking
• ZT requires security participation from all stakeholders and from anyone who interacts with any of the organization's assets (building, system, data, etc.) 

What is Zero Trust Architecture?

NIST defines Zero Trust Architecture (ZTA) as "an enterprise's cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies." ZTA is designed to prevent data breaches and limit internal lateral movement.

How to Start Your Zero Trust Architecture (ZTA) Journey

When beginning your Zero Trust Architecture (ZTA) journey, there are many factors and requirements to consider. It's important to understand this journey will continuously evolve as your ZTA program matures.

Different from an attack surface, a protect surface is a holistic view of the enterprise data security across its full lifecycle. Your security team will identify the enterprise's critical data, applications, assets, and services and, in turn, identify security controls that can create micro-perimeters around the protect surface.

Your team must ensure every step of the information technology (IT) lifecycle process is secure, including acquiring hardware, software, and services for all steps of the Software Development Life Cycle (SDLC), the DevSecOps process, and in the CI/CD pipeline.

Designing ZTA will require your cyber team to custom blueprint the architecture around the defined protect surface and the mapped transaction flows. This will require considerations of a segmentation gateway enforcing additional layers of inspection and access control.

There should be a collaboration with internal teams to develop detailed policies that help every team implement zero trust, train their employees, and establish secure mechanisms that can interact with stakeholders.

Lastly, monitoring and reviewing all logs surrounding your ZTA program is necessary to maintain and improve the operations of your ZTA. Your cyber team should consider the use of advanced artificial intelligence (AI) AND machine learning (ML) techniques to proactively defend your environment.

Other ZTA Considerations

ZT has not been standardized, leading to misconceptions and misdirection during a ZTA journey. In this blog, many resources like the Zero Trust Concepts for Federal Government Architectures are linked to give you a starting point in plotting your course forward, but here are a few other considerations to keep in mind during your designing phase.

A CDM system gathers information about the enterprise asset's current state and updates configuration and software components. An enterprise CDM system provides the Policy Enforcement (PE) with information about an asset, making an access request and uncovering possible vulnerabilities associated with the asset.

The Industry Compliance System ensures that the enterprise remains compliant with any regulatory regime it falls under (e.g., FISMA, healthcare, or financial industry information security requirements). This system includes reviewing all the policy rules that an enterprise develops to ensure compliance.

Threat Intelligence Feeds provide information from internal or external sources that help the PE make access decisions. This information can come from multiple services that take data from internal or external sources and provide information about newly discovered attacks or vulnerabilities. Threat Intelligence Feeds also include information on newly discovered flaws in software, newly identified malware, and newly reported attacks.

The Security Information and Event Management (SIEM) System collects security-centric information for later analysis. The data the SIEM system collects is used to refine policies and warn of possible attacks against the protect surface. A  log aggregator should consolidate log data from assets, network traffic, resource access actions, and provide real-time (or near real-time) feedback on the security posture of the enterprise's information systems. This approach will ensure your security team is always in the know.

Data Access Policies provide a set of rules that can be encoded in the management interface or be dynamically generated by the PE. These policies are the starting point for authorizing access to a system as they provide the basic access privileges for an enterprise's accounts, applications, and services. These policies should be based on the organization's defined mission, roles, and needs.

The enterprise's Public Key Infrastructure (PKI) is responsible for generating and logging certificates issued by the enterprise to resources, subjects, services, and applications. The PKI includes the global certificate authority ecosystem and the Federal PKI, which may or may not integrate with an organization's enterprise PKI. The cyber team may find their enterprise could also have a PKI not built upon X.509 certificates.

The ID Management System is responsible for creating, storing, and managing enterprise user accounts and identity records (e.g., lightweight directory access protocol (LDAP) server). This system contains the necessary subject information (e.g., name, email address, certificates) and other enterprise-based characteristics of employees such as role, access attributes, and assigned assets. This system often utilizes other systems (such as a PKI) for artifacts associated with user accounts. The organization's ID Management System may be part of a larger federated community and may include non-enterprise employees or links to non-enterprise assets for collaboration.

What's Next? 

Your ZTA journey can lead your organization to discover how vast a project can become in reference to your organization's security culture, the correct technologies to implement, and the security policies to enforce. Having an experienced partner to help with this process will go a long way in developing, implementing, and maintaining your organization's ZTA program.

MetroStar is a leading digital IT company specializing in Zero Trust. Our trusted subject matter experts and cybersecurity professionals are happy to help you secure your data, processes, and people.