I’m sure you have heard the saying “trust, but verify” which has been a common theme in the audit world. The new saying for cybersecurity goes “never trust, always verify,” and that is the core of zero trust security. One of our clients was in the process of setting up a new environment for their service offering and they made it a goal to implement zero trust throughout. We talked through the steps they would need to meet that goal and we documented the outline as follows.
Understanding Zero Trust
What exactly is zero trust? Zero trust is driven by the principle of least privilege, which is defined by NIST as “The principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.” This establishes an environment where configurations, policies, and access controls are constantly applied in real time, ensuring that only the minimum level of access required for an authorized function is provided.
How to Implement Zero Trust – Getting Started
The process of implementing a zero trust security model involves many key steps that include the investment of time, human, and financial resources. The goal is to make sure all access to your data, applications, and infrastructure is authenticated and authorized. This will require a combination of tools and administration. Here are the key steps to implement zero trust.
- Understand, Identify, and Segment Assets: Know all the assets within your network. This includes devices, data, and applications. Once you’ve identified the assets then you should segment them based on the sensitivity and level of access required.
- Principle of Least Privilege: The principle means giving any user’s account or process only those privileges that are essentially vital to perform its intended functions. For example, a user account for the sole purpose of creating backups does not need to install software: hence, it has rights only to run backup and backup-related applications. Other privileges are blocked for that user account. If the person who owns the user account has been authorized for other job functions such as installing software, then they would need to utilize the account that was authorized for software installations and not the account associated with creating backups.
- Authentication and Authorization Process: Utilize strong authentication mechanisms such as multifactor authentication (MFA) for any account or device. Use Identity and Access Management (IAM) tools to configure and enforce granular access controls based on contextual factors such as user identity, device health, location, etc.
- Micro-Segmentation: Create secure zones or micro-segments within your network to limit lateral movement by isolating workloads and applications from each other.
- Continuous Monitoring: Use system monitoring tools/solutions to monitor user activity and device behavior in real time. Set up alerts/notifications when there is suspicious or anomalous activity that could end up being a security threat.
- Encryption: Ensure encryption of data in transit and at rest which will protect it from unauthorized access. Utilizing encrypting tools and best practices will go a long way to safeguard your sensitive information.
- Network Security Controls: Deploying intrusion detection and prevention systems (IDPS), next-gen firewalls, and other security controls to inspect and filter traffic based on your predefined security policies.
- Endpoint Security: An endpoint detection and response (EDR) or mobile device management (MDM) solution will help you configure and monitor endpoints on your network. These solutions run antivirus scans, provide device encryption, and notify you when devices are no longer in compliance. Setting up immediate notification and alerting will help detect potential threats.
- Zero Trust Architecture: Designing your network and security infrastructure based on the principles of zero trust. This involves the assumption that every user, device, and application is untrusted until proven otherwise. Verifying the identity and security posture prior to granting access to any resource is the theme here.
- Security Awareness Training: Providing security training to your personnel on security best practices and raising awareness about the importance of zero trust security. This training should be at minimum provided to new hires during onboarding and to all personnel periodically throughout the year.
- Incident Response: Document and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Make sure to test the plan regularly through tabletop exercises or simulations for effectiveness.
- Compliance checks: Conduct periodic internal audits and compliance checks on your security control environment and document the gaps. Develop remediation plans for gaps identified and update security policies based on the findings.
Example Tools to Implement Zero Trust
The following list covers the types of tools and example vendors that provide these solutions. When integrated and configured properly, these tools can help your organization effectively implement and enforce a Zero Trust security model.
- Encryption: Bitlocker, NordLocker, Trend Micro, AWS/Google/Azure Key Management Service (KMS)
- IAM Platforms: Okta, Azure, Ping Identity
- EDR: CrowdStrike Falcon, Carbon Black, Microsoft Defender, SentinelOne
- Security Information and Event Management (SIEM): Splunk, Elastic, Datadog, SolarWinds
- Compliance Monitoring: Vanta, Drata, OneTrust, Secureframe, TrustCloud
- Behavioral Analytics and User Entity Behavior Analytics (UEBA): Exabeam, Securonix, Rapid7 InsightIDR
Conclusion
Implementing zero trust is a continuous process that requires cross-collaboration throughout your organization. IT, Security, HR, and Executive Management all should be communicating and be on the same page when it comes to zero trust security. It is essential to review and update your security posture continuously to adapt to evolving threats and technologies. The combination of security architecture, tools, administration, and monitoring will be key to an environment with zero trust.
If you’re seeking more information on Zero Trust, check out our blog. We have a plethora of articles about cybersecurity – including why it’s important and steps your organization can take to meet these requirements and maintain compliance.
Please reach out to our team of IT audit professionals if you have any questions or require auditing services. We will be happy to assist you and your company with any compliance needs.
Umar has over 15 years of experience in internal control-based audit, project management, cybersecurity consulting, attestation, and assurance services; 7 of those years were with the “Big Four” accounting firm, KPMG. He has overseen numerous SOC 1 and SOC 2 audits and other IT Compliance audits, including NIST 800-53. He has vast experience implementing comprehensive IT compliance frameworks for clients both in the public and private sectors. Umar is a certified information systems auditor (CISA) and received his Bachelor of Science degree in Business Information Technology from Virginia Tech.