Zero Trust Framework: A Guide to Implementation

Computer hardware: Zero Trust tips for devices

Implementing a Zero Trust framework across an organization requires leading with a “never trust and always verify” mindset to secure your data and resources. Over the years, organizations have increasingly implemented Zero Trust frameworks into their environment because technological advancements and modern-day workforce changes such as SAS applications, cloud-based data centers, mobile devices, remote workforce, and much more, have caused the network perimeter to become challenging to define.

Implementing a Zero Trust security model suggests that enterprises cannot automatically trust any endpoint originating inside or outside its perimeter; therefore, strict privileges, user access, and authentication is required at every level for applications, devices, and users. Depending on your operation, business objectives, and the type of legacy systems you use, there is not a one-size-fits-all solution. Zero Trust can be challenging to implement and even counterproductive in some environments.

Ultimately, it will take time, resources, and team buy-in to create a cohesive and reliable strategy. Before you create a detailed roadmap, first gauge your security maturity with this Forrester assessment to help guide your projects and initiatives.

Where to Start When Implementing a Zero Trust Framework

Where do you begin with your Zero Trust strategy? Forrester’s report, A Practical Guide to a Zero Trust Implementation, explores five components from its Zero Trust Extended (ZTX) framework for you to focus on when developing your strategy, including:

Let’s take a look at each of these areas more in more detail to understand the practical building blocks of a successful Zero Trust implementation.

Zero Trust for People

Humans are often the weakest link in security practices, falling victim to phishing attacks or making mistakes due to bad password management. It’s critical to align your strategy with the people across your entire organization by investing in identity and access management (IAM) throughout your on-premises or cloud environment. With data being accessed by consumers, employees, and third parties, organizations need to develop a process for consistent monitoring of user access and apply least privilege concepts at every level. Essentially, if a user does not need access to an admin function, do not grant them it because overprivileged users lead to more breaches.

You can implement security measures to meet compliance requirements and become more Zero-Trust centric with methods such as:

  • Multifactor authentication (MFA)
  • Single sign-on (SSO)

For example, LogRhythm uses Okta to embrace a Zero Trust security model while integrating applications and visualizing this data within a SIEM solution. This enables a seamless management process for IT, the security operation center (SOC), and all global employees. This also helps to expand services between on-premise and in the cloud. LogRhythm takes this process a bit further by fully automating IAM with the LogRhythm NextGen SIEM Platform so that the SOC and IT team have the tools they need to understand the threat landscape and respond to threats immediately.

Zero Trust for Workloads

As organizations rapidly diversify into cloud environments, securing workloads has become a shared responsibility between the customer and the cloud provider.

According to Forrester, there are three critical steps to take to mature your workload security, including;

  • Establish a cloud governance process and structure: Build a repeatable and ongoing process that has a formal structure to ensure the proper coverage of all your areas and infrastructure components that exist within different environments (e.g., on-prem, private, and public cloud).
  • Conduct inventory and monitor workload configurations: Use cross-cloud workload security solutions to help with formal governance (e.g., CloudPassage, Qualys, or Trend Micro).
  • Focus on cloud-native security and management solutions

You can learn more about Zero Trust for workloads by downloading Forrester’s practical guide here.

Zero Trust for Devices

Internet of Things (IoT) has made securing connected devices more challenging as the entry points on networks have increased tremendously and introduced more opportunities for vulnerabilities with insecure communication protocols and configurations.

To achieve a fully adopted Zero Trust framework, security professionals must isolate, secure, and control every device that is connected to the network. As you develop your roadmap, Forrester has several suggestions, including:

  • Apply Zero Trust network segmentation to managed devices: Create zones or microperimeters to isolate IoT devices from other IT devices or networks.
  • Harden IoT devices
  • Curtail user risk created by bring your own device (BYOD) policies: Minimize issues by negating the complications that endpoints present such as malware or ransomware events.

Tune into this webinar to learn more about how you can use endpoint detection and response solutions (EDR) with advanced analytics and automated response capabilities to respond to threats more efficiently.

Zero Trust for Network

 Forrester advises organizations to create logical segmentation boundaries around network assets and increase isolation between segmentations. Essentially, instead of building layers of security controls from the outside in, you must protect data from the inside out by drawing boundaries around resources instead of networks.

These smaller segments reduce the attack surface for malicious actors within a network by only allowing authorized endpoints to access particular applications and data housed on those segments.

To augment cloud security controls, you can use technology like next-generation firewalls to segment, isolate, and restrict traffic in your network.

Zero Trust for Data

To truly protect data, your organization first needs to discover and classify what sensitive data needs to be protected, determine where it is located, and conceptualize how you can defend that data.

It’s critical to understand the threats your data faces and how that impacts the business and then to apply contextual insights to guide policies and controls. As you build your roadmap, Forrester outlines several questions to contemplate, such as:

  • How does this data flow to produce a business outcome?
  • Who is using this data, how often, and for what purpose?
  • Why does the business have this data, how is it collected, and what is its useful lifecycle?
  • What are the consequences should data integrity be compromised?

Once you understand the risks and identify the priorities, you can defend your data by enabling technologies that best fit the policies and guidelines you defined.

Getting the IT Team Involved with Zero Trust

Whether building a Zero Trust framework from scratch or restructuring your current architecture in small steps, security leaders need to work with the IT team to agree upon a strategy before execution. James Carder, LogRhythm’s CSO, speaks to the importance of getting the IT team on board when implementing Zero Trust:

“As technology practitioners, you must divert away from the old IT model. You and your IT organization must be open to changing the traditional, and still working, IT infrastructure model. Nothing will get an IT team more amped up than saying you’re going to get rid of firewalls, VPNs, and ultimately, active directory. You need to believe that bolt-on, compensating controls are not sufficient in protecting an organization built on a legacy architecture which is the ultimate pitfall (why the breaches occur) and why Zero Trust is the only real way forward. It starts with winning over hearts and minds to see the vision of a secure company.”

Pitching a Zero Trust Solution to the Board

CISOs can struggle to obtain support from stakeholders when it comes to implementing a new security strategy that may cost time, money, and resources, but there are ways to improve executive security awareness and gain board-level support.

Especially amidst the COVID-19 challenges of a remote workforce and recent escalating nation-state attacks, IT and security teams should not be the only ones with security breaches on their mind. The whole business is at stake and executives need to better understand the risks and impact of a breach.

So how can you take Zero Trust to the boardroom? Follow these three tips from Forrester:

  • Be clear that Zero Trust will lead to customer trust: Board members can easily agree on the importance of winning over customers and a Zero Trust architecture is designed to efficiently protect the most valuable assets that your customers will care most about.
  • Build engaging Zero Trust content: Avoid being too technical with your speech and have clear communication that speaks in terms of risk to the business. Use more engaging and visual examples and avoid using fear, uncertainty, and doubt (FUD) language in your presentation.
  • Translate technology needs to business benefits: The last thing board members will want to hear is that you need more money for more technology. You need to focus on how technology advancements will enhance security protections while cutting other process or solutions that no longer work or align with the business needs. Think strategically and demonstrate how your strategy will enable business initiatives (e.g., cloud migration).

Learn More from the Experts

Looking for more information and examples on how to implement a Zero Trust framework? Watch this webinar, to hear directly from the experts! During this session, guest speaker, Forrester senior analyst, David Holmes, and James Carder discuss:

  • How the security community can directly translate Zero Trust components into concrete roadmap items
  • How security elements like automation and visibility tie into the framework
  • Examples of each based on Forrester research

Watch it on-demand to learn more about how to solidify your Zero Trust framework and strategy today! You can also use our package of free resources to help get started on your Zero Trust implementation.