ServiceNow introduced a new no‑code development studio and new automation capabilities to accelerate and scale digital transformation across the enterprise.
It's Not About the Perimeter Anymore: Getting Started with Zero Trust
April 07, 2021
Organizations need to show agility in the face of ever-changing economic, social, governmental, regulatory, and technology disruptions. Today, in the near post-COVID world, we can work, learn, and socialize from anywhere. The enterprise boundary has been extended beyond the DMZ to the cloud and to your home. This means we can't have a network perimeter-centric view of security anymore; instead, we need to securely enable access for the various users (employees, partners, contractors, etc.) regardless of their location, device, or network.
What is Zero Trust?
Zero Trust is a concept coined by John Kindervag in 2010 during his time as Principal Analyst for Forrester Research. A Zero Trust model replaces perimeter-centric security architecture. It ensures that security and access decisions are dynamically enforced based on identity, device, and user context. Zero Trust starts with a security posture of "deny by default," meaning organizations should not trust any entity inside or outside their network perimeter at any time.
How to Start
How do you go about adopting Zero Trust in your organization? Here are the key steps:
Tie to business
Avoid using "Zero Trust" as a term to justify security investments to business stakeholders. Talk about how adopting Zero Trust will enable new digital business, cloud, and mobile initiatives. You're here to enable the business not hinder it. Talk about the end state where you have established Zero Trust and you're continuously assessing risk and trust that will adapt to the changing context — no business leaders want to be associated with SolarWinds-type headlines.
Choose the right project or initiative
Zero Trust can be difficult and time-consuming to set up. To get started, look for applications or networks that you don't run inside your managed perimeter or data center. For instance, those might be applications that are hosted or supplied by cloud providers. Inside your managed perimeter you will find systems of record that are slow and difficult to change. Outside, you'll find there are systems of innovation not burdened by legacy architecture, making them easier to change.
Start small
Don't expect to Zero Trust your entire enterprise all at once — this is next to impossible and will fail. You'll need time to consider and plan how to segment data and applications, verify devices and users, gain end-to-end visibility of your entire enterprise, and wrangle legacy systems. Start small with an access scenario where the Zero Trust model will generate the biggest value. Do this as quickly as possible. Prove out the model, show some success, and start your stakeholders along the journey.
Learn from others
The security vendors used in your enterprise will offer advice on Zero Trust. There are also federal recommendations: The National Institute of Standards and Technology (NIST) provides a guide with general deployment models and use cases where Zero Trust could improve overall information technology security posture. Analyst firms regularly provide guidance on the concept. Gartner's point of view is called Continuous Adaptive Risk and Trust Assessment (CARTA).
User experience
Consider the user experience as well as security. Workforce habits are changing, and this change accelerated during COVID. People expect ease of access, whether they're using a cloud-based service or "internal" data. Traditional tools like VPNs are clunky and frustrating to use. With many new perimeters to secure, and boundaries that have become ephemeral and nebulous, you should aim to make it easy for users to access with appropriate guardrails.
Technical Steps
After you identify the small project or initiative to start with and have a plan in place, it's time to turn to the technology side of Zero Trust:
■ First and foremost, educate your employees on risk.
■ Avoid punching holes in your perimeter with a VPN. Provide your users with application-only access, not network access. Only grant access to the applications users' need for their role. Base this access on entitlement, user identity, device posture, authentication, and authorization.
■ Figure out the right Identity and Access Management for your organization. MFA is mandatory, and the core technology for Zero Trust.
■ Isolate your network infrastructure from the internet — the safest machine in the world is a disconnected one. Know how to distinguish between managed and unmanaged devices connecting to your network.
■ Enable threat protection on incoming traffic, invest in Layer 7 proxies for establishing trust and verifying content (API Management, WAF, etc.).
■ Proactively monitor network and application access activity logs to detect anomalies.
Prepare and Practice
Breaches happen, and mistakes will be made. How ready is your incident response process? Have you tested it with a game-day scenario? Remember that implementing a Zero Trust approach to security in your organization is not a one-time event: continuously evolve your security posture to meet an ever-changing landscape.
Industry News
May 13, 2024
Security Innovation has added new skills assessments to its Base Camp training platform for software security training.
May 13, 2024
CAST introduced CAST Highlight Extensions Marketplace — an integrated marketplace for the software intelligence product where users can effortlessly browse and download a diverse range of extensions and plugins.
May 09, 2024
Red Hat and Elastic announced an expanded collaboration to deliver next-generation search experiences supporting retrieval augmented generation (RAG) patterns using Elasticsearch as a preferred vector database solution integrated on Red Hat OpenShift AI.
May 09, 2024
Traceable AI announced an Early Access Program for its new Generative AI API Security capabilities.
May 09, 2024
StackHawk announced a new integration with Microsoft Defender for Cloud to help organizations build software more securely.
May 08, 2024
MacStadium announced that it has obtained Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Level 1, meaning that MacStadium has publicly documented its compliance with CSA’s Cloud Controls Matrix (CCM), and that it joined the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
May 08, 2024
The Cloud Native Computing Foundation® (CNCF®) released the two-day schedule for CloudNativeSecurityCon North America 2024 happening in Seattle, Washington from June 26-27, 2024.
May 08, 2024
Sumo Logic announced new AI and security analytics capabilities that allow security and development teams to align around a single source of truth and collect and act on data insights more quickly.
May 08, 2024
Red Hat is announcing an optional additional 12-month EUS term for OpenShift 4.14 and subsequent even-numbered Red Hat OpenShift releases in the 4.x series.
May 08, 2024
HAProxy Technologies announced the launch of HAProxy Enterprise 2.9.
May 08, 2024
ArmorCode announced the general availability of AI Correlation in the ArmorCode ASPM Platform.
May 08, 2024
Octopus Deploy launched new features to help simplify Kubernetes CD at scale for enterprises.
May 08, 2024
Cequence announced multiple ML-powered advancements to its Unified API Protection (UAP) platform.
May 07, 2024
Oracle announced plans for Oracle Code Assist, an AI code companion, to help developers boost velocity and enhance code consistency.
